[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: master | Andreas Cadhalpun  
| Wed Dec 16 20:52:39 2015 +0100| [f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce] | 
committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index 2a1b70f..c30da60 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);
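Review bot: The new `fps < 0.0f` test lets NaN and infinity through, because every ordered comparison with NaN is false and `fps` is built directly from 64 file-controlled bits by `av_int2double()`. Rejecting anything that is not finite and non-negative closes that gap, e.g. `if (!isfinite(fps) || fps < 0.0) {`. How `fps` is consumed lies below the hunk, so whether a NaN does harm there is not visible here. The same hunk is repeated in the release/2.8 backport of this commit further down the page, and `nuv_header` continues outside the hunk.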



[FFmpeg-cvslog] nutdec: only copy the header if it exists

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.8 | Andreas Cadhalpun 
 | Fri Dec 18 15:18:47 2015 +0100| 
[38f8c80901033042488579c8975efb39ab153793] | committer: Andreas Cadhalpun

nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38f8c80901033042488579c8975efb39ab153793
---

 libavformat/nutdec.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 63b0cd2..201c34e 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, 
int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
-memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+if (nut->header[header_idx])
+memcpy(pkt->data, nut->header[header_idx], 
nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 if (stc->last_flags & FLAG_SM_DATA) {
 int sm_size;
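Review bot: The added guard tests the pointer, but the packet was already sized with `nut->header_len[header_idx]`, so if a NULL header can ever be paired with a non-zero length, the first `header_len` bytes of `pkt->data` are left unwritten and passed on as payload. Making the invariant explicit before the `av_new_packet()` call avoids that: `if (!nut->header[header_idx] && nut->header_len[header_idx]) return AVERROR_INVALIDDATA;`. Whether the header parser already guarantees the pairing is decided outside this hunk, and `decode_frame` itself starts and ends outside it.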



[FFmpeg-cvslog] exr: fix out of bounds read in get_code

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.8 | Andreas Cadhalpun 
 | Sun Dec 13 23:17:09 2015 +0100| 
[945ae04fab4513ee724751d908e87a3447c3e609] | committer: Andreas Cadhalpun

exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=945ae04fab4513ee724751d908e87a3447c3e609
---

 libavcodec/exr.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b9de7c1..8feb9bd 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
 lc += 8;  \
 }
 
-#define get_code(po, rlc, c, lc, gb, out, oe) \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)   \
 { \
 if (po == rlc) {  \
 if (lc < 8)   \
@@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
   \
 cs = c >> lc; \
   \
-if (out + cs > oe)\
+if (out + cs > oe || out == outb) \
 return AVERROR_INVALIDDATA;   \
   \
 s = out[-1];  \
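Review bot: The bounds test `out + cs > oe` forms the pointer `out + cs` before comparing it, which is undefined once it points more than one element past the buffer, and an optimizer may then assume the test cannot fail. Comparing lengths avoids that and keeps the new start-of-buffer check: `if (out == outb || cs > oe - out)`. The types of `cs`, `out` and `oe` are declared outside the hunks, so confirm the comparison happens in a signed or suitably wide type. The remaining hunks only pass `outb` through at the call sites in `huf_decode`.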
@@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 int j;
 
@@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 if ((hcode[pl.p[j]] >> 6) ==
 ((c >> (lc - l)) & ((1LL << l) - 1))) {
 lc -= l;
-get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
 break;
 }
 }
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.8 | Andreas Cadhalpun 
 | Wed Dec 16 16:48:19 2015 +0100| 
[6d7b4dbcb4103a0c54d486d3a51aa3122a4914b6] | committer: Andreas Cadhalpun

on2avc: limit number of bits to 30 in get_egolomb

More don't fit into the integer output.

Also use get_bits_long, since get_bits only supports reading up to 25
bits, while get_bits_long supports the full integer range.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d7b4dbcb4103a0c54d486d3a51aa3122a4914b6
---

 libavcodec/on2avc.c |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index 15f4dd1..04c8e41 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb)
 {
 int v = 4;
 
-while (get_bits1(gb)) v++;
+while (get_bits1(gb)) {
+v++;
+if (v > 30) {
+av_log(NULL, AV_LOG_WARNING, "Too large golomb code in 
get_egolomb.\n");
+v = 30;
+break;
+}
+}
 
-return (1 << v) + get_bits(gb, v);
+return (1 << v) + get_bits_long(gb, v);
 }
 
 static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst,
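Review bot: The clamp branch logs through `av_log(NULL, ...)`, so the warning cannot be attributed to a decoder instance, and a damaged stream can emit it once per code. After the clamp the function still returns a value built from 30 more bits, so the caller cannot tell that the bitstream position is no longer trustworthy. Passing a log context and letting callers treat the condition as `AVERROR_INVALIDDATA` would be cleaner. At minimum the limit needs a comment such as `/* 1 << v plus a v-bit suffix must fit in a signed int, hence v <= 30 */`.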



[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.8 | Andreas Cadhalpun 
 | Wed Dec 16 20:52:39 2015 +0100| 
[79f407b79a825c3123aff65cef64b383eca5a95e] | committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f407b79a825c3123aff65cef64b383eca5a95e
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index 001d9c8..cb51511 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);



[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.8 | Andreas Cadhalpun 
 | Fri Dec 18 19:28:51 2015 +0100| 
[778c8de40f2c8d8bdbdf9a52306c59b6a425d401] | committer: Andreas Cadhalpun

xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=778c8de40f2c8d8bdbdf9a52306c59b6a425d401
---

 libavcodec/xwddec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 2febedc..64cd841 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void 
*data,
 return AVERROR_INVALIDDATA;
 }
 
-if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
avctx->height * lsize) {
+if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
(uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }
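Review bot: Only `avctx->height * lsize` is widened by the new cast; `ncolors * XWD_CMAP_SIZE` is still multiplied in the operands' own type before being added to the 64-bit term. If `ncolors` is a 32-bit header field that is not range-checked earlier in `xwd_decode_frame` (its declaration and any such check are outside the hunk), that product can wrap and weaken the same size check. Widening both products removes the dependency: `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`.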



[FFmpeg-cvslog] avfilter/avf_showfreqs: make it possible to split channels

2015-12-20 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sun Dec 20 19:52:51 
2015 +0100| [9e569abe995dc41a3e8fb30fb6d9c4d002b8ba4d] | committer: Paul B Mahol

avfilter/avf_showfreqs: make it possible to split channels

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9e569abe995dc41a3e8fb30fb6d9c4d002b8ba4d
---

 doc/filters.texi|   11 +++
 libavfilter/avf_showfreqs.c |   19 +--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/doc/filters.texi b/doc/filters.texi
index ba81dc7..a55cad4 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -14438,6 +14438,17 @@ Default is @code{1}, which means time averaging is 
disabled.
 Specify list of colors separated by space or by '|' which will be used to
 draw channel frequencies. Unrecognized or missing colors will be replaced
 by white color.
+
+@item cmode
+Set channel display mode.
+
+It accepts the following values:
+@table @samp
+@item combined
+@item separate
+@end table
+Default is @code{combined}.
+
 @end table
 
 @section showspectrum
diff --git a/libavfilter/avf_showfreqs.c b/libavfilter/avf_showfreqs.c
index 3ed0155..df3fcd1 100644
--- a/libavfilter/avf_showfreqs.c
+++ b/libavfilter/avf_showfreqs.c
@@ -34,6 +34,7 @@
 #include "internal.h"
 
 enum DisplayMode{ LINE, BAR, DOT, NB_MODES };
+enum ChannelMode{ COMBINED, SEPARATE, NB_CMODES };
 enum FrequencyScale { FS_LINEAR, FS_LOG, FS_RLOG, NB_FSCALES };
 enum AmplitudeScale { AS_LINEAR, AS_SQRT, AS_CBRT, AS_LOG, NB_ASCALES };
 enum WindowFunc { WFUNC_RECT, WFUNC_HANNING, WFUNC_HAMMING, WFUNC_BLACKMAN,
@@ -45,6 +46,7 @@ typedef struct ShowFreqsContext {
 const AVClass *class;
 int w, h;
 int mode;
+int cmode;
 int fft_bits;
 int ascale, fscale;
 int avg;
@@ -115,6 +117,9 @@ static const AVOption showfreqs_options[] = {
 { "overlap",  "set window overlap", OFFSET(overlap), AV_OPT_TYPE_FLOAT, 
{.dbl=1.}, 0., 1., FLAGS },
 { "averaging", "set time averaging", OFFSET(avg), AV_OPT_TYPE_INT, 
{.i64=1}, 0, INT32_MAX, FLAGS },
 { "colors", "set channels colors", OFFSET(colors), AV_OPT_TYPE_STRING, 
{.str = "red|green|blue|yellow|orange|lime|pink|magenta|brown" }, 0, 0, FLAGS },
+{ "cmode", "set channel mode", OFFSET(cmode), AV_OPT_TYPE_INT, 
{.i64=COMBINED}, 0, NB_CMODES-1, FLAGS, "cmode" },
+{ "combined", "show all channels in same window",  0, 
AV_OPT_TYPE_CONST, {.i64=COMBINED}, 0, 0, FLAGS, "cmode" },
+{ "separate", "show each channel in own window",   0, 
AV_OPT_TYPE_CONST, {.i64=SEPARATE}, 0, 0, FLAGS, "cmode" },
 { NULL }
 };
 
@@ -358,6 +363,7 @@ static inline void plot_freq(ShowFreqsContext *s, int ch,
 const float avg = s->avg_data[ch][f];
 const float bsize = get_bsize(s, f);
 const int sx = get_sx(s, f);
+int end = outlink->h;
 int x, y, i;
 
 switch(s->ascale) {
@@ -374,7 +380,16 @@ static inline void plot_freq(ShowFreqsContext *s, int ch,
 a = 1.0 - a;
 break;
 }
-y = a * outlink->h - 1;
+
+switch (s->cmode) {
+case COMBINED:
+y = a * outlink->h - 1;
+break;
+case SEPARATE:
+end = (outlink->h / s->nb_channels) * (ch + 1);
+y = (outlink->h / s->nb_channels) * ch + a * (outlink->h / 
s->nb_channels) - 1;
+break;
+}
 if (y < 0)
 return;
 
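Review bot: In the `SEPARATE` case the following `if (y < 0) return;` no longer catches a value that lands above the channel's own band: for `ch > 0` a small `a` gives a `y` just below `(outlink->h / s->nb_channels) * ch`, which is still non-negative, so the plot appears to start in the previous channel's rows. Computing the band once and testing against it keeps the channels apart, e.g. `const int ch_h = outlink->h / s->nb_channels;`, `y = ch_h * ch + a * ch_h - 1;` and `if (y < ch_h * ch) return;` for this mode. The switch also has no `default`, so `y` is initialised only because the option range limits `cmode` to the two enumerators. `plot_freq` begins and ends outside the hunk.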
@@ -410,7 +425,7 @@ static inline void plot_freq(ShowFreqsContext *s, int ch,
 break;
 case BAR:
 for (x = sx; x < sx + bsize && x < w; x++)
-for (i = y; i < outlink->h; i++)
+for (i = y; i < end; i++)
 draw_dot(out, x, i, fg);
 break;
 case DOT:



[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: master | Andreas Cadhalpun  
| Sat Dec 19 23:45:06 2015 +0100| [699e68371ec7e381e5cc48e3d96e29c669261af7] | 
committer: Andreas Cadhalpun

rawdec: only exempt BIT0 with need_copy from buffer sanity check

Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=699e68371ec7e381e5cc48e3d96e29c669261af7
---

 libavcodec/rawdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 611178f..50cee39 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -257,7 +257,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 buf += buf_size - context->frame_size;
 
 len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? 
AVPALETTE_SIZE : 0);
-if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0)) {
+if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0) || !need_copy)) {
 av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < 
expected frame_size %d\n", buf_size, len);
 av_buffer_unref(>buf[0]);
 return AVERROR(EINVAL);
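Review bot: The exemption this line narrows can never match as written: `avctx->codec_tag & 0xFF` keeps one byte, while `MKTAG('B','I','T', 0)` packs three non-zero characters, so the `!=` is always true and the added `|| !need_copy` has no effect on the outcome. That fails closed, since every undersized buffer is rejected, but BIT0 input with `need_copy` set is rejected too, which does not look like the intent. Masking the three tag bytes would make the condition match the subject line: `(avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)`. `raw_decode` starts and ends outside the hunk, so check this against how the tag is matched elsewhere in the function.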



[FFmpeg-cvslog] avcodec/dirac_parser: Fix potential overflows in pointer checks

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 17:11:54 2015 +0100| [cc88d7a640884e29490b1adb598643ab1365d747] | 
committer: Michael Niedermayer

avcodec/dirac_parser: Fix potential overflows in pointer checks

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc88d7a640884e29490b1adb598643ab1365d747
---

 libavcodec/dirac_parser.c |8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index 61a978d..36674d7 100644
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -100,10 +100,12 @@ typedef struct DiracParseUnit {
 static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc,
  int offset)
 {
-uint8_t *start = pc->buffer + offset;
-uint8_t *end   = pc->buffer + pc->index;
-if (start < pc->buffer || (start + 13 > end))
+int8_t *start;
+
+if (offset < 0 || pc->index - 13 < offset)
 return 0;
+
+start = pc->buffer + offset;
 pu->pu_type = start[4];
 
 pu->next_pu_offset = AV_RB32(start + 5);
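Review bot: `start` changed from `uint8_t *` to `int8_t *`, so `pu->pu_type = start[4];` now reads a signed byte, and a parse code of 0x80 or above is sign-extended if `pu_type` is wider or is later compared against unsigned constants. The assignment `start = pc->buffer + offset;` also mixes pointer signedness if `pc->buffer` is `uint8_t *`, as the removed lines suggest. Keeping the original element type preserves the rewritten bounds check without that side effect: `uint8_t *start;`. The rest of `unpack_parse_unit` lies outside the hunk.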



[FFmpeg-cvslog] avformat/smacker: fix integer overflow with pts_inc

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 13:06:16 2015 +0100| [354fa47018e333baeb3a6979d13cce8703bc19c8] | 
committer: Michael Niedermayer

avformat/smacker: fix integer overflow with pts_inc

Fixes: 
ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=354fa47018e333baeb3a6979d13cce8703bc19c8
---

 libavformat/smacker.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 5dcf4ad..de8bbdb 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s)
 smk->height = avio_rl32(pb);
 smk->frames = avio_rl32(pb);
 smk->pts_inc = (int32_t)avio_rl32(pb);
+if (smk->pts_inc > INT_MAX / 100) {
+av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc);
+return AVERROR_INVALIDDATA;
+}
+
 smk->flags = avio_rl32(pb);
 if(smk->flags & SMACKER_FLAG_RING_FRAME)
 smk->frames++;
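Review bot: The new limit bounds `pts_inc` only from above, although the `(int32_t)` cast on the line before lets the header supply negative values down to `INT_MIN`. How negative values are handled is outside the hunk; if they are negated or scaled there, `INT_MIN` would overflow just as the large positive values did. Extending the test covers both ends: `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN) {`. `smacker_read_header` continues beyond the hunk.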



[FFmpeg-cvslog] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 20:52:39 2015 +0100| [20a96b9d8c71b77761b82edd1971dc54354c175f] | 
committer: Michael Niedermayer

avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

Fixes out of array access
Fixes: 
01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20a96b9d8c71b77761b82edd1971dc54354c175f
---

 libavcodec/jpeg2000dwt.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index ceceda3..015a4fe 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t)
 
 int ff_dwt_decode(DWTContext *s, void *t)
 {
+if (s->ndeclevels == 0)
+return 0;
+
 switch (s->type) {
 case FF_DWT97:
 dwt_decode97_float(s, t);
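Review bot: The early `return 0` needs a comment saying why zero decomposition levels is reported as success, since nothing in the function states that the coefficients are deliberately left untouched; something like `/* no decomposition levels: nothing to transform, and dwt_decode*() must not be entered */`. The guard also covers only the value 0, and the type and range of `ndeclevels` are set outside the hunk, so it is worth confirming that negative or over-large counts are rejected where the context is initialised. The matching guard added to `ff_dwt_encode` in the later jpeg2000dwt commit on this page deserves the same comment.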



[FFmpeg-cvslog] avutil/mathematics: Fix division by 0

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Wed Dec  9 17:39:38 2015 +0100| [f821441795c4131ba638216ea92f0cb9f660fdbf] | 
committer: Michael Niedermayer

avutil/mathematics: Fix division by 0

Fixes: CID1341571

Signed-off-by: Michael Niedermayer 
(cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f821441795c4131ba638216ea92f0cb9f660fdbf
---

 libavutil/mathematics.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index 4d8467b..78a87d8 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 else {
 int64_t ad = a / c;
 int64_t a2 = (a % c * b + r) / c;
-if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b)
+if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)
 return INT64_MIN;
 return ad * b + a2;
 }



[FFmpeg-cvslog] avcodec/vp3: ensure header is parsed successfully before tables

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Wed Dec  2 22:59:56 2015 +0100| [63c50350b6e5038e3acf95a56fe58d43e3db5422] | 
committer: Michael Niedermayer

avcodec/vp3: ensure header is parsed successfully before tables

Fixes assertion failure
Fixes: 
266ee543812e934f7b4a72923a2701d4/signal_sigabrt_76ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63c50350b6e5038e3acf95a56fe58d43e3db5422
---

 libavcodec/vp3.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c6f83dd..3b19db9 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = {
 
 typedef struct Vp3DecodeContext {
 AVCodecContext *avctx;
-int theora, theora_tables;
+int theora, theora_tables, theora_header;
 int version;
 int width, height;
 int chroma_x_shift, chroma_y_shift;
@@ -2251,6 +2251,7 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 int ret;
 AVRational fps, aspect;
 
+s->theora_header = 0;
 s->theora = get_bits_long(gb, 24);
 av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora);
 
@@ -2356,6 +2357,7 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 avctx->color_trc  = AVCOL_TRC_BT709;
 }
 
+s->theora_header = 1;
 return 0;
 }
 
@@ -2364,6 +2366,9 @@ static int theora_decode_tables(AVCodecContext *avctx, 
GetBitContext *gb)
 Vp3DecodeContext *s = avctx->priv_data;
 int i, n, matrices, inter, plane;
 
+if (!s->theora_header)
+return AVERROR_INVALIDDATA;
+
 if (s->theora >= 0x030200) {
 n = get_bits(gb, 3);
 /* loop filter limit values table */
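Review bot: `theora_decode_tables` now returns `AVERROR_INVALIDDATA` when no header has been parsed, but without a log message, so a stream failing here cannot be told apart from any other invalid-data exit in the function. A line such as `av_log(avctx, AV_LOG_ERROR, "Theora tables without a valid header\n");` before the return would make the cause visible. The new `theora_header` field is also appended to the `theora, theora_tables` declaration with no comment; a short note that it is cleared at the start of `theora_decode_header` and set only on its success path would document the intended ordering. Both functions extend beyond the hunks shown.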



[FFmpeg-cvslog] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Wed Sep 30 13:10:48 2015 +0200| [292842a0ed80afc0ad80626397100fed5e9595f4] | 
committer: Michael Niedermayer

avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducible with FFmpeg alone)

Found-by: Dale Curtis 
Tested-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=292842a0ed80afc0ad80626397100fed5e9595f4
---

 libavcodec/vp8.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 0dae1b2..7cea034 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, 
int is_vp7)
 s->mb_height = (s->avctx->coded_height + 15) / 16;
 
 s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE &&
-   FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1;
+   avctx->thread_count > 1;
 if (!s->mb_layout) { // Frame threading and one thread
 s->macroblocks_base   = av_mallocz((s->mb_width + s->mb_height * 2 
+ 1) *
sizeof(*s->macroblocks));
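Review bot: The assignment mixes `||` and `&&` without parentheses, so the reader has to recall operator precedence to see that `is_vp7` alone selects the layout; `is_vp7 || (avctx->active_thread_type == FF_THREAD_SLICE && avctx->thread_count > 1)` makes that explicit. A comment is also needed to keep `num_coeff_partitions` from being reintroduced, e.g. `/* use only values fixed at setup: num_coeff_partitions is not constant and raced with buffer setup */`. `update_dimensions` starts and ends outside the hunk.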



[FFmpeg-cvslog] avcodec/cabac_functions: Fix "left shift of negative value -31767"

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 12:11:29 2015 +0100| [2da8c533869afc5836d144571fb5e8b824f15e03] | 
committer: Michael Niedermayer

avcodec/cabac_functions: Fix "left shift of negative value -31767"

Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2da8c533869afc5836d144571fb5e8b824f15e03
---

 libavcodec/cabac_functions.h |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 15dba29..4e13253 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){
 
 #ifndef get_cabac_inline
 static void refill2(CABACContext *c){
-int i, x;
+int i;
+unsigned x;
 
 x= c->low ^ (c->low-1);
 i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)];



[FFmpeg-cvslog] avutil/timecode: Fix fps check

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Thu Dec  3 03:14:11 2015 +0100| [2e77ab8f100946d2467e3800a7964e2d94eae288] | 
committer: Michael Niedermayer

avutil/timecode: Fix fps check

The fps variable is explicitly set to -1 in case of some errors, so the check must
be signed, or the code setting it needs to use 0 as the error code.
The type of the field could be changed as well, but it's in an installed header.

Fixes: integer overflow
Fixes: 
9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e77ab8f100946d2467e3800a7964e2d94eae288
---

 libavutil/timecode.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/timecode.c b/libavutil/timecode.c
index 1dfd040..bf463ed 100644
--- a/libavutil/timecode.c
+++ b/libavutil/timecode.c
@@ -151,7 +151,7 @@ static int check_fps(int fps)
 
 static int check_timecode(void *log_ctx, AVTimecode *tc)
 {
-if (tc->fps <= 0) {
+if ((int)tc->fps <= 0) {
 av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be 
specified\n");
 return AVERROR(EINVAL);
 }
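Review bot: The `(int)` cast is unexplained in the code, and the next reader is likely to remove it as redundant; the commit message's reasoning belongs next to it, e.g. `/* fps is unsigned in the public header but is set to -1 on error, so test it as signed */`. The same comment should state the side effect that, with a 32-bit `int`, any rate of 0x80000000 or above is now treated as unset. The remainder of `check_timecode` is outside the hunk.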



[FFmpeg-cvslog] avcodec/apedec: Check length in long_filter_high_3800()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Wed Dec  2 21:16:27 2015 +0100| [0350f373f7f0eebc2f49a5144511ba4a7b718c1b] | 
committer: Michael Niedermayer

avcodec/apedec: Check length in long_filter_high_3800()

Fixes out of array read
Fixes: 
0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0350f373f7f0eebc2f49a5144511ba4a7b718c1b
---

 libavcodec/apedec.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 03afd75..9984b40 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int 
order, int shift, int len
 int32_t dotprod, sign;
 int32_t coeffs[256], delay[256];
 
+if (order >= length)
+return;
+
 memset(coeffs, 0, order * sizeof(*coeffs));
 for (i = 0; i < order; i++)
 delay[i] = buffer[i];
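Review bot: The new guard relates `order` to `length` but not to the two 256-element stack arrays used on the following lines: `memset(coeffs, 0, order * sizeof(*coeffs))` and the `delay[i] = buffer[i]` loop both cover `order` elements, so an `order` above 256 would overrun the stack and a negative one becomes a huge `memset` size. The callers may only ever pass fixed small orders, which is not visible here; if so an assertion documents it, otherwise extend the check: `if (order < 0 || order > 256 || order >= length) return;`. The function body continues outside the hunk.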



[FFmpeg-cvslog] avcodec/vp3: Fix "runtime error: left shift of negative value"

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Dec  4 12:47:20 2015 +0100| [ad09bebe0cad7eaeda0c09eea00c68197c2a8e65] | 
committer: Michael Niedermayer

avcodec/vp3: Fix "runtime error: left shift of negative value"

Fixes: 
5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_76ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ad09bebe0cad7eaeda0c09eea00c68197c2a8e65
---

 libavcodec/vp3.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index fbacedf..c6f83dd 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext {
 int16_t *dct_tokens[3][64];
 int16_t *dct_tokens_base;
 #define TOKEN_EOB(eob_run)  ((eob_run) << 2)
-#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 
1)
-#define TOKEN_COEFF(coeff)  (((coeff) << 2) + 2)
+#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 
1)
+#define TOKEN_COEFF(coeff)  (((coeff) * 4) + 2)
 
 /**
  * number of blocks that contain DCT coefficients at
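Review bot: The three macros are now inconsistent in form: `TOKEN_EOB` and the `zero_run` term still shift while the `coeff` terms multiply by `512` and `4`, and nothing says the multiplication is there because `coeff` can be negative and left-shifting a negative value is undefined. A comment above them, e.g. `/* coeff may be negative: multiply instead of shifting to avoid undefined behaviour */`, would stop a later cleanup from turning them back into shifts. Writing the factors as `(1 << 9)` and `(1 << 2)` would also keep the bit layout readable.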



[FFmpeg-cvslog] avcodec/hevc_cabac: Fix multiple integer overflows

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 22:45:46 2015 +0100| [4916aa2383153745d2ca54c7f8ea6cbc75f1c00e] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Fix multiple integer overflows

Fixes: 
04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4916aa2383153745d2ca54c7f8ea6cbc75f1c00e
---

 libavcodec/hevc_cabac.c |   10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 3862df7..9fe99da 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s)
 int k = 1;
 
 while (k < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc)) {
-ret += 1 << k;
+ret += 1U << k;
 k++;
 }
-if (k == CABAC_MAX_BIN)
+if (k == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+return 0;
+}
 while (k--)
 ret += get_cabac_bypass(>HEVClc->cc) << k;
 return get_cabac_bypass_sign(>HEVClc->cc, -ret);
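Review bot: `1U << k` is defined only while `k` stays below the width of `unsigned`, and the loop bound is `CABAC_MAX_BIN`, whose value is not shown in this diff; if it exceeds 32 the shift is still undefined for a long run of set bypass bins. The added `return 0;` here and in `coeff_abs_level_remaining_decode` also hands the caller an ordinary-looking value after logging an error, so decoding carries on with data the function already knows is invalid. A comment at both sites stating the bound, `/* CABAC_MAX_BIN must be < 32: k is used as a shift count */`, plus a way for callers to see the failure, would make the fix self-contained. Both functions start outside their hunks.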
@@ -1025,8 +1027,10 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 
 while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc))
 prefix++;
-if (prefix == CABAC_MAX_BIN)
+if (prefix == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+return 0;
+}
 if (prefix < 3) {
 for (i = 0; i < rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);



[FFmpeg-cvslog] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 21:02:13 2015 +0100| [40d5f570d8aa42ab54e2f30cded7b257ee8797f5] | 
committer: Michael Niedermayer

avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=40d5f570d8aa42ab54e2f30cded7b257ee8797f5
---

 libavcodec/jpeg2000dwt.c |3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index 015a4fe..925adea 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t 
border[2][2],
 
 int ff_dwt_encode(DWTContext *s, void *t)
 {
+if (s->ndeclevels == 0)
+return 0;
+
 switch(s->type){
 case FF_DWT97:
 dwt_encode97_float(s, t); break;
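Review bot: The new early return at the top of ff_dwt_encode has no comment saying why zero decomposition levels must skip the transform. Going by the commit title, the dwt_encode*() helpers are not safe to call in that case. A one-line comment above the check would record it, e.g. `/* no decomposition levels: nothing to transform, and dwt_encode*() expect at least one */`. It is also worth confirming that the decode entry point, which is not in this hunk, has the matching guard.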



[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 13:37:50 2015 +0100| [1f6aea2cc4e379346d0b5b67e9ce775e12b39def] | 
committer: Michael Niedermayer

avcodec/cabac: Check initial cabac decoder state

Fixes integer overflows
Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8)

Conflicts:

libavcodec/cabac.h

Conflicts:

libavcodec/h264_cabac.c
libavcodec/h264_slice.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f6aea2cc4e379346d0b5b67e9ce775e12b39def
---

 libavcodec/cabac.c   |5 -
 libavcodec/cabac.h   |2 +-
 libavcodec/cabac_functions.h |3 ++-
 libavcodec/h264_cabac.c  |5 -
 libavcodec/h264_slice.c  |5 -
 5 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c
index 81a75dd..48f70ca 100644
--- a/libavcodec/cabac.c
+++ b/libavcodec/cabac.c
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int 
buf_size){
  *
  * @param buf_size size of buf in bits
  */
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){
 c->bytestream_start=
 c->bytestream= buf;
 c->bytestream_end= buf + buf_size;
@@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t 
*buf, int buf_size){
 #endif
 c->low+= ((*c->bytestream++)<<2) + 2;
 c->range= 0x1FE;
+if ((c->range<<(CABAC_BITS+1)) < c->low)
+return AVERROR_INVALIDDATA;
+return 0;
 }
 
 void ff_init_cabac_states(void)
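Review bot: ff_init_cabac_decoder now returns a status, but the doc comment above it (visible in the previous hunk) still documents only `buf_size`. It should gain a line such as `* @return 0 on success, AVERROR_INVALIDDATA if the initial low value exceeds the range`. The new check also runs only after the function has already read from `buf` (`c->low+= ((*c->bytestream++)<<2) + 2;`), so it validates the decoder state, not that `buf_size` covers those reads. If input padding guarantees that, the comment should say so.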
diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h
index f9eafed..857211c 100644
--- a/libavcodec/cabac.h
+++ b/libavcodec/cabac.h
@@ -56,7 +56,7 @@ typedef struct CABACContext{
 }CABACContext;
 
 void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size);
-void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
+int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);
 void ff_init_cabac_states(void);
 
 #endif /* AVCODEC_CABAC_H */
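Review bot: Changing the prototype from void to int lets any call site that was not updated keep compiling while silently discarding the new error. This commit updates three call sites; callers in other files, if there are any, would be unaffected. Declaring it as `av_warn_unused_result int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size);` (the attribute comes from libavutil/attributes.h) would make the compiler point them out.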
diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h
index 4e13253..2d1d2a6 100644
--- a/libavcodec/cabac_functions.h
+++ b/libavcodec/cabac_functions.h
@@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, 
int n) {
 #endif
 if ((int) (c->bytestream_end - ptr) < n)
 return NULL;
-ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n);
+if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0)
+return NULL;
 
 return ptr;
 }
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 41e0f86..397b070 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2000,6 +2000,7 @@ decode_intra_mb:
 const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] *
 h->sps.bit_depth_luma >> 3;
 const uint8_t *ptr;
+int ret;
 
 // We assume these blocks are very rare so we do not optimize it.
 // FIXME The two following lines get the bitstream position in the 
cabac
@@ -2016,7 +2017,9 @@ decode_intra_mb:
 h->intra_pcm_ptr = ptr;
 ptr += mb_size;
 
-ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr);
+ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - 
ptr);
+if (ret < 0)
+return ret;
 
 // All blocks are present
 h->cbp_table[mb_xy] = 0xf7ef;
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 3501be3..b0b4060 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2422,13 +2422,16 @@ static int decode_slice(struct AVCodecContext *avctx, 
void *arg)
 }
 
 if (h->pps.cabac) {
+int ret;
 /* realign */
 align_get_bits(>gb);
 
 /* init cabac */
-ff_init_cabac_decoder(>cabac,
+ret = ff_init_cabac_decoder(>cabac,
   h->gb.buffer + get_bits_count(>gb) / 8,
   (get_bits_left(>gb) + 7) / 8);
+if (ret < 0)
+return ret;
 
 ff_h264_init_cabac_states(h);
 



[FFmpeg-cvslog] avcodec/hevc: allocate entries unconditionally

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 23:33:03 2015 +0100| [c84ec8d5c93887c2a97c3da514848f5fbb5ba3e6] | 
committer: Michael Niedermayer

avcodec/hevc: allocate entries unconditionally

Fixes out of array access
Fixes: 
08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c84ec8d5c93887c2a97c3da514848f5fbb5ba3e6
---

 libavcodec/hevc.c |4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index a2c602a..66ebf3d 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2430,11 +2430,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 return AVERROR(ENOMEM);
 }
 
+ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
 
 if (!s->sList[1]) {
-ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
-
-
 for (i = 1; i < s->threads_number; i++) {
 s->sList[i] = av_malloc(sizeof(HEVCContext));
 memcpy(s->sList[i], s, sizeof(HEVCContext));
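Review bot: The relocated `ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);` now runs on every call, but its result is still discarded. As far as I know it returns a negative error code when allocation fails, and the code would then continue with entries that were never allocated. Capturing the result in a local, e.g. `res = ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);` followed by `if (res < 0) goto error;` (or whichever cleanup path frees `ret` and `arg`), would close that. The context lines also show `av_malloc(sizeof(HEVCContext))` feeding `memcpy` without a NULL check, which predates this commit but sits on the same path. The function body starts and ends outside the hunk.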



[FFmpeg-cvslog] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Tue Dec  1 12:44:23 2015 +0100| [100dbe1bf007024224c7ae2bb5d1aa956d979722] | 
committer: Michael Niedermayer

avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd

The code expects actual positive numbers and gives completely wrong
results if INT64_MIN is treated as positive
Instead clip it into the valid range, that is, add 1 and treat it as
negative

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=100dbe1bf007024224c7ae2bb5d1aa956d979722
---

 libavutil/mathematics.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index 126cffc..b1ffd65 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 rnd -= AV_ROUND_PASS_MINMAX;
 }
 
-if (a < 0 && a != INT64_MIN)
-return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1));
+if (a < 0)
+return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) 
& 1));
 
 if (rnd == AV_ROUND_NEAR_INF)
 r = c / 2;
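Review bot: The clamp `-FFMAX(a, -INT64_MAX)` has no comment, and a reader has to know that negating INT64_MIN is undefined to see why it is there. I would add `/* -INT64_MIN is not representable: clamp to -INT64_MAX before negating */` above the `if (a < 0)` line. The outer negation of the recursive result is still a plain signed negate, so it relies on the recursive call never returning INT64_MIN. The argument checks that decide this are outside the hunk.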



[FFmpeg-cvslog] avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 17:14:36 2015 +0100| [09305dca59fd36509b593292a78ef7e7cf8220fd] | 
committer: Michael Niedermayer

avcodec/dirac_parser: Add basic validity checks for next_pu_offset and 
prev_pu_offset

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09305dca59fd36509b593292a78ef7e7cf8220fd
---

 libavcodec/dirac_parser.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c
index 36674d7..1ca7e31 100644
--- a/libavcodec/dirac_parser.c
+++ b/libavcodec/dirac_parser.c
@@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, 
DiracParseContext *pc,
 if (pu->pu_type == 0x10 && pu->next_pu_offset == 0)
 pu->next_pu_offset = 13;
 
+if (pu->next_pu_offset && pu->next_pu_offset < 13) {
+av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", 
pu->next_pu_offset);
+return 0;
+}
+if (pu->prev_pu_offset && pu->prev_pu_offset < 13) {
+av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", 
pu->prev_pu_offset);
+return 0;
+}
+
 return 1;
 }
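Review bot: The literal 13 now appears three times in unpack_parse_unit (the existing default for `next_pu_offset` and both new lower-bound checks) with nothing saying what it is; presumably it is the size of the parse-unit header. A named constant, e.g. `#define DIRAC_PARSE_UNIT_HEADER_SIZE 13` (name is a suggestion), would keep the three uses in step and explain the bound. Both new messages are logged with `av_log(NULL, ...)`, so they carry no codec context and cannot be filtered per instance. The checks are lower bounds only; whether the offsets are also compared against the available buffer is not visible in this hunk.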
 



[FFmpeg-cvslog] avcodec/hevc: Check entry_point_offsets

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Nov 27 18:30:05 2015 +0100| [6157938408a020d973b9e80c11d3e3e00899bea7] | 
committer: Michael Niedermayer

avcodec/hevc: Check entry_point_offsets

Fixes out of array read
Fixes: 
007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6157938408a020d973b9e80c11d3e3e00899bea7
---

 libavcodec/hevc.c |8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 2ebb7e2..a2c602a 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2420,7 +2420,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 HEVCLocalContext *lc = s->HEVClc;
 int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
-int offset;
+int64_t offset;
 int startheader, cmpt = 0;
 int i, j, res = 0;
 
@@ -2467,6 +2467,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 }
 if (s->sh.num_entry_point_offsets != 0) {
 offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] 
- cmpt;
+if (length < offset) {
+av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is 
corrupted\n");
+res = AVERROR_INVALIDDATA;
+goto error;
+}
 s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
 s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
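Review bot: The added `if (length < offset)` bounds `offset` only from above, so a negative `offset` would pass and make `length - offset` larger than `length` in the `s->sh.size[...]` store just below. Whether `offset` can go negative depends on the entry values and on `cmpt`, both computed outside this hunk; if the entries are a signed type, a large value read from the slice header could do it. Checking both sides costs nothing: `if (offset < 0 || length < offset) {`. The function body starts and ends outside the hunk.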
 
@@ -2493,6 +2498,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 
 for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
 res += ret[i];
+error:
 av_free(ret);
 av_free(arg);
 return res;



[FFmpeg-cvslog] avcodec/utils: Clear dimensions in ff_get_buffer() on failure

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Nov 28 20:08:46 2015 +0100| [a0a2bfbfd876571344df2b7fe5fd781791ec02a3] | 
committer: Michael Niedermayer

avcodec/utils: Clear dimensions in ff_get_buffer() on failure

Fixes out of array access
Fixes: 
482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a0a2bfbfd876571344df2b7fe5fd781791ec02a3
---

 libavcodec/utils.c |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index d5b01d6..a83b0ba 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1032,8 +1032,10 @@ end:
 int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags)
 {
 int ret = get_buffer_internal(avctx, frame, flags);
-if (ret < 0)
+if (ret < 0) {
 av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
+frame->width = frame->height = 0;
+}
 return ret;
 }
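Review bot: The reason for `frame->width = frame->height = 0;` on the failure path is not stated anywhere in ff_get_buffer. Presumably it keeps a caller that ignores the error from using stale dimensions with a frame that has no buffers. A short comment would keep the line from being removed as redundant later, e.g. `/* no buffer was allocated: clear the dimensions so stale sizes are never used with it */`.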
 



[FFmpeg-cvslog] avcodec/hevc: Fix integer overflow of entry_point_offset

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 22:08:59 2015 +0100| [929fd61602710211ccfd3c7fd8093fb6b032ad86] | 
committer: Michael Niedermayer

avcodec/hevc: Fix integer overflow of entry_point_offset

Fixes out of array read
Fixes: 
d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 214085852491448631dcecb008b5d172c11b8892)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=929fd61602710211ccfd3c7fd8093fb6b032ad86
---

 libavcodec/hevc.c |4 ++--
 libavcodec/hevc.h |2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 66ebf3d..a8643d0 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -716,7 +716,7 @@ static int hls_slice_header(HEVCContext *s)
 av_freep(>entry_point_offset);
 av_freep(>offset);
 av_freep(>size);
-sh->entry_point_offset = 
av_malloc_array(sh->num_entry_point_offsets, sizeof(int));
+sh->entry_point_offset = 
av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned));
 sh->offset = av_malloc_array(sh->num_entry_point_offsets, 
sizeof(int));
 sh->size = av_malloc_array(sh->num_entry_point_offsets, 
sizeof(int));
 if (!sh->entry_point_offset || !sh->offset || !sh->size) {
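Review bot: The element size in `av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned))` is spelled as a type name, which is why this commit has to change it in step with the declaration in hevc.h. Writing `sizeof(*sh->entry_point_offset)` ties it to the pointer's type so the two cannot drift apart. The same applies to the `sizeof(int)` in the `sh->offset` and `sh->size` allocations on the following lines. `int` and `unsigned` have the same size, so this is about maintainability and not a current bug.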
@@ -2421,7 +2421,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
 int64_t offset;
-int startheader, cmpt = 0;
+int64_t startheader, cmpt = 0;
 int i, j, res = 0;
 
 if (!ret || !arg) {
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 22d6989..9e183b7 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -609,7 +609,7 @@ typedef struct SliceHeader {
 
 unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand
 
-int *entry_point_offset;
+unsigned *entry_point_offset;
 int * offset;
 int * size;
 int num_entry_point_offsets;



[FFmpeg-cvslog] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd () for overflows

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Tue Dec  1 13:32:31 2015 +0100| [00fde782a10902270c3d92d92427297683fb911b] | 
committer: Michael Niedermayer

avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() 
for overflows

Fixes integer overflow
Fixes: mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00fde782a10902270c3d92d92427297683fb911b
---

 libavutil/mathematics.c |   13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index b1ffd65..4d8467b 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 }
 
 if (a < 0)
-return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) 
& 1));
+return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ 
((rnd >> 1) & 1));
 
 if (rnd == AV_ROUND_NEAR_INF)
 r = c / 2;
@@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum 
AVRounding rnd)
 if (b <= INT_MAX && c <= INT_MAX) {
 if (a <= INT_MAX)
 return (a * b + r) / c;
-else
-return a / c * b + (a % c * b + r) / c;
+else {
+int64_t ad = a / c;
+int64_t a2 = (a % c * b + r) / c;
+if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b)
+return INT64_MIN;
+return ad * b + a2;
+}
 } else {
 #if 1
 uint64_t a0  = a & 0x;
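Review bot: The new overflow test `ad > (INT64_MAX - a2) / b` divides by `b`, and nothing in this hunk excludes `b == 0`. With `a > INT_MAX` and a small `c`, `ad >= INT32_MAX` is true and the division is evaluated. Unless `b == 0` is rejected before this point (the argument checks are outside the hunk), that is a division by zero in the very path that is meant to fail safely. Adding the guard to the condition avoids it: `if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)`. With `b == 0` the product cannot overflow anyway.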
@@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, 
enum AVRounding rnd)
 t1++;
 }
 }
+if (t1 > INT64_MAX)
+return INT64_MIN;
 return t1;
 }
 #else



[FFmpeg-cvslog] avcodec/vp3: Clear context on reinitialization failure

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Nov 28 00:23:54 2015 +0100| [67b29888f4dc03a45dd060fbb785481ac91b0219] | 
committer: Michael Niedermayer

avcodec/vp3: Clear context on reinitialization failure

Fixes null pointer dereference
Fixes: 
1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67b29888f4dc03a45dd060fbb785481ac91b0219
---

 libavcodec/vp3.c |   10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index b728bbc..a0845e4 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2014,17 +2014,19 @@ static int vp3_decode_frame(AVCodecContext *avctx,
 vp3_decode_end(avctx);
 ret = theora_decode_header(avctx, );
 
+if (ret >= 0)
+ret = vp3_decode_init(avctx);
 if (ret < 0) {
 vp3_decode_end(avctx);
-} else
-ret = vp3_decode_init(avctx);
+}
 return ret;
 } else if (type == 2) {
 ret = theora_decode_tables(avctx, );
+if (ret >= 0)
+ret = vp3_decode_init(avctx);
 if (ret < 0) {
 vp3_decode_end(avctx);
-} else
-ret = vp3_decode_init(avctx);
+}
 return ret;
 }
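Review bot: In the `type == 2` branch, `vp3_decode_init(avctx)` now runs on a context that, as far as this hunk shows, has not been torn down first. The branch above calls `vp3_decode_end(avctx)` before re-parsing; this one does not. If vp3_decode_init allocates, re-running it on a live context would leak or mix two generations of state. Adding `vp3_decode_end(avctx);` ahead of the `theora_decode_tables` call would make the two paths symmetric. The failure path of the first branch also calls vp3_decode_end twice in a row, so that function has to be safe on an already-cleared context; the enclosing function starts and ends outside the hunk.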
 



[FFmpeg-cvslog] avformat/matroskaenc: Check codecdelay before use

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Wed Dec  9 16:16:46 2015 +0100| [8e053f61f5622feff12609e21847f33342f556f5] | 
committer: Michael Niedermayer

avformat/matroskaenc: Check codecdelay before use

Fixes CID1238790

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e053f61f5622feff12609e21847f33342f556f5
---

 libavformat/matroskaenc.c |   12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 66b4555..2867c06b 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -896,14 +896,18 @@ static int mkv_write_track(AVFormatContext *s, 
MatroskaMuxContext *mkv,
 }
 
 if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && 
codec->codec_id == AV_CODEC_ID_OPUS) {
+int64_t codecdelay = av_rescale_q(codec->initial_padding,
+  (AVRational){ 1, codec->sample_rate 
},
+  (AVRational){ 1, 10 });
+if (codecdelay < 0) {
+av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n");
+return AVERROR(EINVAL);
+}
 // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding,
 // (AVRational){ 1, 
codec->sample_rate },
 // st->time_base);
 
-put_ebml_uint(pb, MATROSKA_ID_CODECDELAY,
-  av_rescale_q(codec->initial_padding,
-   (AVRational){ 1, codec->sample_rate },
-   (AVRational){ 1, 10 }));
+put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay);
 }
 if (codec->codec_id == AV_CODEC_ID_OPUS) {
 put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL);
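Review bot: The error logged for a negative `codecdelay` says only "Initial padding is invalid", although the value can also go negative when the rescale itself fails. A zero `codec->sample_rate` in the `AVRational` denominator is one such case, assuming av_rescale_q reports failure as a negative value. Logging the inputs would tell the cases apart: `av_log(s, AV_LOG_ERROR, "Invalid initial padding %d at sample rate %d\n", codec->initial_padding, codec->sample_rate);`. A comment above the check noting that it also covers the rescale error return would help the next reader.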



[FFmpeg-cvslog] avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec

2015-12-20 Thread Rainer Hochecker
ffmpeg | branch: release/2.6 | Rainer Hochecker  | Sun 
Nov 15 13:58:50 2015 +0100| [bc264004e081db584bdac811536ad8154e07066b] | 
committer: Michael Niedermayer

avformat/utils: estimate_timings_from_pts - increase retry counter, fixes 
invalid duration for ts files with hevc codec

Fixes a mpegts file with hevc that fails estimating duration. Increasing number 
of
retries fixes the issue.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bc264004e081db584bdac811536ad8154e07066b
---

 libavformat/utils.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index e5b1c58..bdcbd72 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2383,7 +2383,7 @@ static void 
estimate_timings_from_bit_rate(AVFormatContext *ic)
 }
 
 #define DURATION_MAX_READ_SIZE 25LL
-#define DURATION_MAX_RETRY 4
+#define DURATION_MAX_RETRY 6
 
 /* only usable for MPEG-PS streams */
 static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset)



[FFmpeg-cvslog] avformat/dump: Fix integer overflow in av_dump_format()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Tue Dec  1 12:40:32 2015 +0100| [93e168705dbe306ad040d56d4c3ac8a8567143ab] | 
committer: Michael Niedermayer

avformat/dump: Fix integer overflow in av_dump_format()

Fixes part of mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93e168705dbe306ad040d56d4c3ac8a8567143ab
---

 libavformat/dump.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/dump.c b/libavformat/dump.c
index df102e6..71bb5bd 100644
--- a/libavformat/dump.c
+++ b/libavformat/dump.c
@@ -444,7 +444,7 @@ void av_dump_format(AVFormatContext *ic, int index,
 av_log(NULL, AV_LOG_INFO, "  Duration: ");
 if (ic->duration != AV_NOPTS_VALUE) {
 int hours, mins, secs, us;
-int64_t duration = ic->duration + 5000;
+int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 
5000 ? 5000 : 0);
 secs  = duration / AV_TIME_BASE;
 us= duration % AV_TIME_BASE;
 mins  = secs / 60;
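Review bot: The guarded addition fixes the overflow in `duration`, but the next line stores `duration / AV_TIME_BASE` in `secs`, which the context declares as `int`. For the very large durations this commit is concerned with, that quotient does not fit and the printed time is truncated. Holding the quotient in an `int64_t` and deriving hours, minutes and seconds from it would keep the output meaningful. A negative `ic->duration` other than AV_NOPTS_VALUE also reaches this code and would print negative fields; whether that can occur is not visible here.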



[FFmpeg-cvslog] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Tue Nov 24 22:12:37 2015 +0100| [dd4c2fe74afe76868a279fd96fbc56eeffa5] | 
committer: Michael Niedermayer

avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

Fixes out of array access
Fixes: 
1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd4c2fe74afe76868a279fd96fbc56eeffa5
---

 libavcodec/h264_slice.c |1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 15700a8..3501be3 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1194,6 +1194,7 @@ static int h264_slice_header_init(H264Context *h, int 
reinit)
 nb_slices = max_slices;
 }
 h->slice_context_count = nb_slices;
+h->max_contexts = FFMIN(h->max_contexts, nb_slices);
 
 if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) {
 ret = ff_h264_context_init(h);
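Review bot: The added `h->max_contexts = FFMIN(h->max_contexts, nb_slices);` carries no comment stating the invariant it enforces, presumably that `max_contexts` must never exceed `slice_context_count` because it bounds accesses to the per-slice contexts. I would add `/* max_contexts must not exceed the number of slice contexts that exist */` above it. The clamp only ever lowers the value, so on a later call with `reinit` set and a larger `nb_slices` it stays at the old, smaller number unless code outside the hunk resets it. That is worth confirming. The function body starts and ends outside the hunk.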



[FFmpeg-cvslog] avutil/integer: Fix av_mod_i() with negative dividend

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Tue Dec  1 12:41:43 2015 +0100| [d8a66a150ae1ef88b6d9a43905de0f90f4a1385f] | 
committer: Michael Niedermayer

avutil/integer: Fix av_mod_i() with negative dividend

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8a66a150ae1ef88b6d9a43905de0f90f4a1385f
---

 libavutil/integer.c |8 
 1 file changed, 8 insertions(+)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 5bcde0d..6d6855f 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -29,6 +29,8 @@
 #include "integer.h"
 #include "avassert.h"
 
+static const AVInteger zero_i;
+
 AVInteger av_add_i(AVInteger a, AVInteger b){
 int i, carry=0;
 
@@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger 
b){
 AVInteger quot_temp;
 if(!quot) quot = _temp;
 
+if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) {
+a = av_mod_i(quot, av_sub_i(zero_i, a), b);
+*quot = av_sub_i(zero_i, *quot);
+return av_sub_i(zero_i, a);
+}
+
 av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && 
(int16_t)b.v[AV_INTEGER_SIZE-1] >= 0);
 av_assert2(av_log2_i(b)>=0);
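Review bot: The new negative-dividend branch recurses on `av_sub_i(zero_i, a)` and relies on that value being non-negative. For the most negative representable AVInteger the negation presumably wraps back to the same value, the sign test is true again, and the recursion does not terminate. The divisor is not normalised either: a negative `b` still reaches the `av_assert2` below, which as far as I know is compiled out in normal builds. Either document both preconditions on the function, or negate first and `av_assert2` that the result is non-negative before recursing. The function body continues past the hunk.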
 



[FFmpeg-cvslog] avcodec/vp3: always set pix_fmt in theora_decode_header()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Mon Nov 30 03:32:36 2015 +0100| [4d8d2f1991cd7514a3ccd6e4ad5e62bb8f1fba57] | 
committer: Michael Niedermayer

avcodec/vp3: always set pix_fmt in theora_decode_header()

Fixes assertion failure
Fixes: 
d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_76ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d8d2f1991cd7514a3ccd6e4ad5e62bb8f1fba57
---

 libavcodec/vp3.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index a0845e4..fbacedf 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2321,7 +2321,8 @@ static int theora_decode_header(AVCodecContext *avctx, 
GetBitContext *gb)
 return AVERROR_INVALIDDATA;
 }
 skip_bits(gb, 3); /* reserved */
-}
+} else
+avctx->pix_fmt = AV_PIX_FMT_YUV420P;
 
 ret = ff_set_dimensions(avctx, s->width, s->height);
 if (ret < 0)



[FFmpeg-cvslog] avcodec/wmaprodec: Fix overflow of cutoff

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 13:11:23 2015 +0100| [5164067861ed3fc5311a12b7a197f23ba546b629] | 
committer: Michael Niedermayer

avcodec/wmaprodec: Fix overflow of cutoff

Fixes: 
129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_76ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5164067861ed3fc5311a12b7a197f23ba546b629
---

 libavcodec/wmaprodec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 8083b73..0049a80 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -477,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
 /** calculate subwoofer cutoff values */
 for (i = 0; i < num_possible_block_sizes; i++) {
 int block_size = s->samples_per_frame >> i;
-int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1)
+int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1)
  / s->avctx->sample_rate;
 s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size);
 }
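Review bot: The `3LL` widens the numerator, but the expression still divides by `s->avctx->sample_rate`, and this hunk does not show that value being validated. A zero sample rate taken from the file header would be a division by zero on this line. If decode_init rejects non-positive sample rates before this loop, a short comment saying so is enough. Otherwise an explicit check that returns AVERROR_INVALIDDATA belongs ahead of the loop; the function body starts and ends outside the hunk.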



[FFmpeg-cvslog] avformat/mxfenc: Do not crash if there is no packet in the first stream

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sun Dec 13 16:13:22 2015 +0100| [10395b4738df2c312293460c84b72c13fa0eac70] | 
committer: Michael Niedermayer

avformat/mxfenc: Do not crash if there is no packet in the first stream

Fixes: Ticket4914

Signed-off-by: Michael Niedermayer 
(cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=10395b4738df2c312293460c84b72c13fa0eac70
---

 libavformat/mxfenc.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c
index f2fc093..5e7a8b8 100644
--- a/libavformat/mxfenc.c
+++ b/libavformat/mxfenc.c
@@ -2211,6 +2211,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 }
 mxf->edit_units_count++;
 } else if (!mxf->edit_unit_byte_count && st->index == 1) {
+if (!mxf->edit_units_count) {
+av_log(s, AV_LOG_ERROR, "No packets in first stream\n");
+return AVERROR_PATCHWELCOME;
+}
 mxf->index_entries[mxf->edit_units_count-1].slice_offset =
 mxf->body_offset - 
mxf->index_entries[mxf->edit_units_count-1].offset;
 }



[FFmpeg-cvslog] avcodec/jpeg2000dec: Check bpno in decode_cblk()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Dec  4 16:23:24 2015 +0100| [7294d95689f9d70f565cb3aa8f485bed1d79928b] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Check bpno in decode_cblk()

Fixes: undefined shift
Fixes: 
c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7294d95689f9d70f565cb3aa8f485bed1d79928b
---

 libavcodec/jpeg2000dec.c |4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 66f126f..1f71afd 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1081,6 +1081,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, 
Jpeg2000CodingStyle *codsty,
 ff_mqc_initdec(>mqc, cblk->data);
 
 while (passno--) {
+if (bpno < 0) {
+av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+return AVERROR_INVALIDDATA;
+}
 switch(pass_t) {
 case 0:
 decode_sigpass(t1, width, height, bpno + 1, bandpos,
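Review bot: The added `bpno < 0` test bounds only the low side, and nothing next to it says why bpno matters at this point. The commit message ties it to an undefined shift, so a comment such as `/* bpno feeds shift counts in the pass decoders; a negative count is undefined */` would record that. An oversized shift count is just as undefined, so it is worth confirming that bpno's starting value is bounded above; that is set before the loop, outside this hunk. decode_cblk starts and ends outside the hunk.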



[FFmpeg-cvslog] mpegencts: Fix overflow in cbr mode period calculations

2015-12-20 Thread Timo Teräs
ffmpeg | branch: release/2.6 | Timo Teräs  | Sat Nov 28 
08:27:39 2015 +0200| [e8fa0e3ec633f716a53ba78aa5ebe37dd69694cb] | committer: 
Michael Niedermayer

mpegencts: Fix overflow in cbr mode period calculations

ts->mux_rate is int (signed 32-bit) type. The period calculations
will start to overflow when mux_rate > 5mbps. This fixes overflows
by converting first to 64-bit type.

Fixes #5044.

Signed-off-by: Timo Teräs 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8fa0e3ec633f716a53ba78aa5ebe37dd69694cb
---

 libavformat/mpegtsenc.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c
index cc650bb..4440932 100644
--- a/libavformat/mpegtsenc.c
+++ b/libavformat/mpegtsenc.c
@@ -751,11 +751,11 @@ static int mpegts_write_header(AVFormatContext *s)
 ts_st = pcr_st->priv_data;
 
 if (ts->mux_rate > 1) {
-service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) /
+service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period /
  (TS_PACKET_SIZE * 8 * 1000);
-ts->sdt_packet_period  = (ts->mux_rate * SDT_RETRANS_TIME) /
+ts->sdt_packet_period  = (int64_t)ts->mux_rate * SDT_RETRANS_TIME /
  (TS_PACKET_SIZE * 8 * 1000);
-ts->pat_packet_period  = (ts->mux_rate * PAT_RETRANS_TIME) /
+ts->pat_packet_period  = (int64_t)ts->mux_rate * PAT_RETRANS_TIME /
  (TS_PACKET_SIZE * 8 * 1000);
 
 if (ts->copyts < 1)
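Review bot: The quotient for `service->pcr_packet_period` is now computed in 64 bits but stored straight back into a field whose type the hunk does not show; if it is an `int`, a large `mux_rate * pcr_period` can still truncate silently on assignment. Whether `pcr_period` is range-limited elsewhere is not visible here, so either clamp the 64-bit value before the store or add a comment stating the bound that makes the narrowing safe. The same cast-multiply-divide expression is written three times; a small local helper taking the time constant would keep the three from drifting apart. mpegts_write_header starts and ends outside the hunk.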



[FFmpeg-cvslog] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Nov 28 17:26:05 2015 +0100| [80a24e88e3db27d3604584069122e359dda4a340] | 
committer: Michael Niedermayer

avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()

Fixes integer overflow
Fixes: 
3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80a24e88e3db27d3604584069122e359dda4a340
---

 libavcodec/utils.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index f7d049b..d5b01d6 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -3092,8 +3092,8 @@ void avcodec_string(char *buf, int buf_size, 
AVCodecContext *enc, int encode)
 
 if (enc->sample_aspect_ratio.num) {
 av_reduce(_aspect_ratio.num, _aspect_ratio.den,
-  enc->width * enc->sample_aspect_ratio.num,
-  enc->height * enc->sample_aspect_ratio.den,
+  enc->width * (int64_t)enc->sample_aspect_ratio.num,
+  enc->height * (int64_t)enc->sample_aspect_ratio.den,
   1024 * 1024);
 snprintf(buf + strlen(buf), buf_size - strlen(buf),
  " [SAR %d:%d DAR %d:%d]",



[FFmpeg-cvslog] avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec  5 13:48:06 2015 +0100| [e12f07b4751cc4b09b85c8d19b5c7a0b16c07556] | 
committer: Michael Niedermayer

avcodec/wmaprodec: Check bits per sample to be within the range not causing 
integer overflows

Fixes: 
549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_76ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e12f07b4751cc4b09b85c8d19b5c7a0b16c07556
---

 libavcodec/wmaprodec.c |6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index 0049a80..4ea61c0 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
 s->decode_flags= AV_RL16(edata_ptr+14);
 channel_mask   = AV_RL32(edata_ptr+2);
 s->bits_per_sample = AV_RL16(edata_ptr);
+
+if (s->bits_per_sample > 32 || s->bits_per_sample < 1) {
+avpriv_request_sample(avctx, "bits per sample is %d", 
s->bits_per_sample);
+return AVERROR_PATCHWELCOME;
+}
+
 /** dump the extradata */
 for (i = 0; i < avctx->extradata_size; i++)
 av_dlog(avctx, "[%x] ", avctx->extradata[i]);
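Review bot: The new range check treats every out-of-range `bits_per_sample` as a missing feature: it calls `avpriv_request_sample()` and returns AVERROR_PATCHWELCOME even for a value of 0, which looks like corrupt or crafted extradata rather than an unsupported format. Splitting the cases would give callers a more useful error and avoid asking users to upload damaged files, e.g. `if (s->bits_per_sample < 1) return AVERROR_INVALIDDATA;` ahead of the sample request for values above 32. A short comment naming the later computation that overflows for larger values would also help, since the hunk does not show it. decode_init starts and ends outside the hunk.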



[FFmpeg-cvslog] avcodec/h264_refs: Fix long_idx check

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Dec 19 21:59:42 2015 +0100| [d0d9fad2ba5a0d53f59f69f780e3fb6f8ad97dff] | 
committer: Michael Niedermayer

avcodec/h264_refs: Fix long_idx check

Fixes out of array read
Fixes mozilla bug 1233606

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0d9fad2ba5a0d53f59f69f780e3fb6f8ad97dff
---

 libavcodec/h264_refs.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 826b2ca..353412d 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -276,7 +276,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h)
 
 long_idx = pic_num_extract(h, pic_id, _structure);
 
-if (long_idx > 31) {
+if (long_idx > 31U) {
 av_log(h->avctx, AV_LOG_ERROR,
"long_term_pic_idx overflow\n");
 return AVERROR_INVALIDDATA;
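Review bot: `long_idx > 31U` rejects negative values only through the implicit signed-to-unsigned conversion, which is easy to misread as a cosmetic suffix change and to revert. Assuming long_idx is a signed int (its declaration is outside the hunk), writing the range out as `if (long_idx < 0 || long_idx > 31) {` states the intent directly. If the unsigned compare is kept, add `/* 31U: unsigned compare also rejects negative long_idx */`. The enclosing function starts and ends outside the hunk.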



[FFmpeg-cvslog] swscale/utils: Fix for runtime error: left shift of negative value -1

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Fri Dec  4 21:44:05 2015 +0100| [0fa22a42d6b2d5fe3a0f84c72395ea404421e9da] | 
committer: Michael Niedermayer

swscale/utils: Fix for runtime error: left shift of negative value -1

Fixes: 
c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0fa22a42d6b2d5fe3a0f84c72395ea404421e9da
---

 libswscale/utils.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswscale/utils.c b/libswscale/utils.c
index e7b5fa5..71456db 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -380,7 +380,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t 
**filterPos,
 
 xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x1LL)>>7);
 for (i = 0; i < dstW; i++) {
-int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 
17);
+int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17);
 int j;
 (*filterPos)[i] = xx;
 for (j = 0; j < filterSize; j++) {
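Review bot: The rewritten `xx` expression swaps a left shift for a multiplication without a comment, so a later reader may turn it back into `<< 16`. Per the commit title the shift was undefined when `filterSize - 2` is negative; a note such as `/* multiply, not <<: filterSize - 2 may be negative and left-shifting a negative value is undefined */` would preserve that. The 64-bit result is still narrowed into `int xx`; whether the surrounding bounds on xDstInSrc keep it in range is not visible in this hunk. initFilter starts and ends outside the hunk.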



[FFmpeg-cvslog] avfilter/vf_mpdecimate: Add missing emms_c()

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Mon Dec 14 18:56:13 2015 +0100| [3f7bbb0ded3f16c9c8c5de96bbc1b71b6979274b] | 
committer: Michael Niedermayer

avfilter/vf_mpdecimate: Add missing emms_c()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f7bbb0ded3f16c9c8c5de96bbc1b71b6979274b
---

 libavfilter/vf_mpdecimate.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c
index 3ed9602..94c9e0b 100644
--- a/libavfilter/vf_mpdecimate.c
+++ b/libavfilter/vf_mpdecimate.c
@@ -120,10 +120,13 @@ static int decimate_frame(AVFilterContext *ctx,
 cur->data[plane], cur->linesize[plane],
 ref->data[plane], ref->linesize[plane],
 FF_CEIL_RSHIFT(ref->width,  hsub),
-FF_CEIL_RSHIFT(ref->height, vsub)))
+FF_CEIL_RSHIFT(ref->height, vsub))) {
+emms_c();
 return 0;
+}
 }
 
+emms_c();
 return 1;
 }
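Review bot: `emms_c()` is now called separately before each `return`, so any exit path added to decimate_frame later has to remember it as well. A single exit would make that structural: set a local `ret` to 0 or 1, leave the loop, and call `emms_c(); return ret;` once at the end. A comment on why the call is needed here would also help, since the hunk shows no reason; presumably the comparison routine called in the condition can use MMX, which should be confirmed. The start of decimate_frame and of the loop is outside the hunk.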
 



[FFmpeg-cvslog] avcodec/hevc: Check max ctb addresses for WPP

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.6 | Michael Niedermayer  | 
Sat Nov 28 13:42:05 2015 +0100| [3e8d9eade6557aa98813e4c2ae7dc9bc33d0727e] | 
committer: Michael Niedermayer

avcodec/hevc: Check max ctb addresses for WPP

Fixes out of array read
Fixes: 
2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0)

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e8d9eade6557aa98813e4c2ae7dc9bc33d0727e
---

 libavcodec/hevc.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index a8643d0..061ea41 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2430,6 +2430,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 return AVERROR(ENOMEM);
 }
 
+if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * 
s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) {
+av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d 
%d)\n",
+s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets,
+s->sps->ctb_width, s->sps->ctb_height
+);
+res = AVERROR_INVALIDDATA;
+goto error;
+}
+
 ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);
 
 if (!s->sList[1]) {
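Review bot: The new bounds test is itself computed in plain integer arithmetic: `s->sh.num_entry_point_offsets * s->sps->ctb_width` and `s->sps->ctb_width * s->sps->ctb_height` both come from the bitstream and could overflow before the comparison if these are `int` fields without tighter limits set earlier (not visible here). Widening one operand on each side, e.g. `(int64_t)s->sh.num_entry_point_offsets * s->sps->ctb_width`, keeps the check from wrapping into a false pass, in line with the other overflow fixes in this batch. The new block leaves through `goto error` while the context line just above returns directly; it is worth confirming that the `error` label is safe to reach before `ff_alloc_entries()` has run. hls_slice_data_wpp starts and ends outside the hunk.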



[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Wed Dec 16 20:52:39 2015 +0100| 
[7ad058168665a74c8975a2bb1bd4286d37280218] | committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ad058168665a74c8975a2bb1bd4286d37280218
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index 001d9c8..cb51511 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);
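Review bot: `fps < 0.0f` is false for NaN, so a header whose 64-bit field decodes to NaN through `av_int2double()` skips the new sanitising entirely. Inverting the test to `if (!(fps >= 0.0f)) {` rejects NaN together with negative values; positive infinity would still pass, and whether later code tolerates it is outside the hunk. The literals are float while fps comes from `av_int2double()`, so plain `0.0` would match the type. The same hunk is repeated in the release/2.6 backport further down this page. nuv_header starts and ends outside the hunk.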



[FFmpeg-cvslog] exr: fix out of bounds read in get_code

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Sun Dec 13 23:17:09 2015 +0100| 
[5b88d24f241f1ae31d86d2987b17a1db7547a509] | committer: Andreas Cadhalpun

exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b88d24f241f1ae31d86d2987b17a1db7547a509
---

 libavcodec/exr.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9308ae0..29cb403 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
 lc += 8;  \
 }
 
-#define get_code(po, rlc, c, lc, gb, out, oe) \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)   \
 { \
 if (po == rlc) {  \
 if (lc < 8)   \
@@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
   \
 cs = c >> lc; \
   \
-if (out + cs > oe)\
+if (out + cs > oe || out == outb) \
 return AVERROR_INVALIDDATA;   \
   \
 s = out[-1];  \
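Review bot: The extended test still evaluates `out + cs > oe` first, which forms a pointer that may lie well past the end of the buffer before comparing it; that pointer arithmetic is undefined even if the result is only compared. Comparing lengths avoids it and lets the new start-of-buffer test come first: `if (out == outb || cs > oe - out)`, assuming cs is a non-negative integer, which the hunk does not show. The macro also hides a `return` and relies on `cs` and `s` from the caller's scope, which a comment above `#define get_code` should state. The same hunk is repeated in the release/2.6 and release/2.5 backports further down; the macro body continues outside this hunk.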
@@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 int j;
 
@@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 if ((hcode[pl.p[j]] >> 6) ==
 ((c >> (lc - l)) & ((1LL << l) - 1))) {
 lc -= l;
-get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
 break;
 }
 }
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Wed Dec 16 16:48:19 2015 +0100| 
[3e187a9a2dfacea0d76df90dd88d957938f9d33c] | committer: Andreas Cadhalpun

on2avc: limit number of bits to 30 in get_egolomb

More don't fit into the integer output.

Also use get_bits_long, since get_bits only supports reading up to 25
bits, while get_bits_long supports the full integer range.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e187a9a2dfacea0d76df90dd88d957938f9d33c
---

 libavcodec/on2avc.c |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index 1d8fcbc..9ca716c 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb)
 {
 int v = 4;
 
-while (get_bits1(gb)) v++;
+while (get_bits1(gb)) {
+v++;
+if (v > 30) {
+av_log(NULL, AV_LOG_WARNING, "Too large golomb code in 
get_egolomb.\n");
+v = 30;
+break;
+}
+}
 
-return (1 << v) + get_bits(gb, v);
+return (1 << v) + get_bits_long(gb, v);
 }
 
 static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst,
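Review bot: The overflow path logs with `av_log(NULL, ...)`, so the warning cannot be attributed to a decoder instance or filtered per context. get_egolomb() sits on the coefficient-reading path, so a crafted stream could emit the warning once per code. After clamping to 30 the function keeps reading and returns a value as if nothing happened, so callers cannot tell that the code was malformed. Passing a log context in, or having the caller detect the clamp and fail the frame, would be more robust; at minimum add `/* 1 << v plus v more bits must fit in int, hence the cap at 30 */` above the loop.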



[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Sat Dec 19 12:02:56 2015 +0100| 
[1dc135e03d83d14274e3049011396a5bcb36e464] | committer: Andreas Cadhalpun

nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1dc135e03d83d14274e3049011396a5bcb36e464
---

 libavformat/nutdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 41c9689..2be52e4 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -927,7 +927,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext 
*bc, AVPacket *pkt, int
 return ret;
 }
 value_len = ffio_read_varlen(bc);
-if (avio_tell(bc) + value_len >= maxpos)
+if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
 return AVERROR_INVALIDDATA;
 if (!strcmp(name, "Palette")) {
 dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, 
value_len);
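Review bot: `value_len` is tested for being negative only after `ffio_read_varlen()`'s result has been stored into it, so the check depends on how that conversion behaves. ffio_read_varlen() returns an unsigned 64-bit value; if value_len is a narrower signed type (its declaration is outside the hunk), a large encoded length can wrap to a small positive number and pass both tests. Reading into a `uint64_t` temporary and rejecting anything above the remaining byte count before narrowing would remove that dependency. It also matters because value_len goes straight into `av_packet_new_side_data()` as a size. The same hunk is repeated in the release/2.6 backport further down; read_sm_data starts and ends outside the hunk.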



[FFmpeg-cvslog] nutdec: only copy the header if it exists

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Fri Dec 18 15:18:47 2015 +0100| 
[7f320ed15d7ba4c4c84764888eb126daea932d7b] | committer: Andreas Cadhalpun

nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f320ed15d7ba4c4c84764888eb126daea932d7b
---

 libavformat/nutdec.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 606deaa..41c9689 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, 
int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
-memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+if (nut->header[header_idx])
+memcpy(pkt->data, nut->header[header_idx], 
nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 if (stc->last_flags & FLAG_SM_DATA) {
 int sm_size;
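Review bot: Guarding the copy on `nut->header[header_idx]` alone leaves one case open: the packet was just allocated with `size + nut->header_len[header_idx]` bytes, so if the pointer is NULL while the length is non-zero the leading bytes of `pkt->data` stay uninitialised. If a NULL header always has length 0 (not visible in this hunk), say so with `/* header[i] == NULL implies header_len[i] == 0 */`. Otherwise test the length instead, `if (nut->header_len[header_idx])`, so the invariant is enforced rather than assumed. The same hunk is repeated in the release/2.6 backport further down; decode_frame starts and ends outside the hunk.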



[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Sat Dec 19 23:45:06 2015 +0100| 
[3219de21f4e9e9bcd09df9dbc5eab63492dd05a4] | committer: Andreas Cadhalpun

rawdec: only exempt BIT0 with need_copy from buffer sanity check

Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3219de21f4e9e9bcd09df9dbc5eab63492dd05a4
---

 libavcodec/rawdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 647dfa9..5685539 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 buf += buf_size - context->frame_size;
 
 len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? 
AVPALETTE_SIZE : 0);
-if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0)) {
+if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0) || !need_copy)) {
 av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < 
expected frame_size %d\n", buf_size, len);
 av_buffer_unref(>buf[0]);
 return AVERROR(EINVAL);
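Review bot: The BIT0 test on the changed line can never match: `avctx->codec_tag & 0xFF` keeps only the low byte, while `MKTAG('B','I','T', 0)` as normally defined packs three characters into the low 24 bits. The `!=` is therefore always true and the size check now runs for every codec tag, whatever need_copy is. That fails safe, but the exemption this commit is refining is dead code. If it is meant to apply, the mask should cover the tag, `(avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)`. The same hunk is repeated in the release/2.6 backport further down; raw_decode starts and ends outside the hunk.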



[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.7 | Andreas Cadhalpun 
 | Fri Dec 18 19:28:51 2015 +0100| 
[f040f3e5d5abfe4f59036e7b671d7b03eda244e7] | committer: Andreas Cadhalpun

xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f040f3e5d5abfe4f59036e7b671d7b03eda244e7
---

 libavcodec/xwddec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 62dfdac..18b1f93 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void 
*data,
 return AVERROR_INVALIDDATA;
 }
 
-if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
avctx->height * lsize) {
+if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
(uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }
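Review bot: Only the second product is widened; `ncolors * XWD_CMAP_SIZE` is still evaluated in its original type before being added to the 64-bit term. If ncolors is a 32-bit value taken from the file header and not bounded earlier (not visible in this hunk), that product can wrap and understate the required size, the same false negative the commit describes for the height term. Casting it as well, `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`, makes the whole sum overflow-free. The same hunk is repeated in the release/2.6 backport further down; xwd_decode_frame starts and ends outside the hunk.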



[FFmpeg-cvslog] nutdec: only copy the header if it exists

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Fri Dec 18 15:18:47 2015 +0100| 
[ea5ac146cd94c781136abd2ff3e39daea9994516] | committer: Andreas Cadhalpun

nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea5ac146cd94c781136abd2ff3e39daea9994516
---

 libavformat/nutdec.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 056f1f2..cdcce64 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1069,7 +1069,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, 
int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
-memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+if (nut->header[header_idx])
+memcpy(pkt->data, nut->header[header_idx], 
nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 if (stc->last_flags & FLAG_SM_DATA) {
 int sm_size;



[FFmpeg-cvslog] exr: fix out of bounds read in get_code

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Sun Dec 13 23:17:09 2015 +0100| 
[350f1f4919a13555167f378ef8f8f38f39db1a80] | committer: Andreas Cadhalpun

exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=350f1f4919a13555167f378ef8f8f38f39db1a80
---

 libavcodec/exr.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9308ae0..29cb403 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
 lc += 8;  \
 }
 
-#define get_code(po, rlc, c, lc, gb, out, oe) \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)   \
 { \
 if (po == rlc) {  \
 if (lc < 8)   \
@@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
   \
 cs = c >> lc; \
   \
-if (out + cs > oe)\
+if (out + cs > oe || out == outb) \
 return AVERROR_INVALIDDATA;   \
   \
 s = out[-1];  \
@@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 int j;
 
@@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 if ((hcode[pl.p[j]] >> 6) ==
 ((c >> (lc - l)) & ((1LL << l) - 1))) {
 lc -= l;
-get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
 break;
 }
 }
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Wed Dec 16 20:52:39 2015 +0100| 
[b2cb7db14f82737f0d25602336c7f0ba9bbffdab] | committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b2cb7db14f82737f0d25602336c7f0ba9bbffdab
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index 001d9c8..cb51511 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);



[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Fri Dec 18 19:28:51 2015 +0100| 
[c4b2985d9ab0eaac9e8b454b693570ef80f41175] | committer: Andreas Cadhalpun

xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c4b2985d9ab0eaac9e8b454b693570ef80f41175
---

 libavcodec/xwddec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 62dfdac..18b1f93 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void 
*data,
 return AVERROR_INVALIDDATA;
 }
 
-if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
avctx->height * lsize) {
+if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
(uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] mlvdec: check that index_entries exist

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Sat Dec 19 23:44:53 2015 +0100| 
[c51800d324a9a86dcc84a57d29fff8f9d8f5b1e3] | committer: Andreas Cadhalpun

mlvdec: check that index_entries exist

This fixes NULL pointer dereferencing.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c51800d324a9a86dcc84a57d29fff8f9d8f5b1e3
---

 libavformat/mlvdec.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 4ab08e5..4416814 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -358,6 +358,11 @@ static int read_header(AVFormatContext *avctx)
 if (ast)
 ast->duration = ast->nb_index_entries;
 
+if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) {
+av_log(avctx, AV_LOG_ERROR, "no index entries found\n");
+return AVERROR_INVALIDDATA;
+}
+
 if (vst && ast)
 avio_seek(pb, FFMIN(vst->index_entries[0].pos, 
ast->index_entries[0].pos), SEEK_SET);
 else if (vst)
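Review bot: The new check carries no comment linking it to the code it protects, and the error text does not say which stream was empty. The lines right below read `vst->index_entries[0].pos` and `ast->index_entries[0].pos`, which need at least one entry per present stream; `/* index_entries[0] is read below for every stream that exists */` would make that dependency explicit. Logging the stream kind, video or audio, would help when triaging a rejected file. The case where neither vst nor ast is set is handled outside this hunk, as are the start and end of read_header.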



[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Sat Dec 19 12:02:56 2015 +0100| 
[4d2f9368034353037ae4fb96c1156848fe0ebe7a] | committer: Andreas Cadhalpun

nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d2f9368034353037ae4fb96c1156848fe0ebe7a
---

 libavformat/nutdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index cdcce64..e0f106a 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -872,7 +872,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext 
*bc, AVPacket *pkt, int
 
 get_str(bc, type_str, sizeof(type_str));
 value_len = ffio_read_varlen(bc);
-if (avio_tell(bc) + value_len >= maxpos)
+if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
 return AVERROR_INVALIDDATA;
 if (!strcmp(name, "Palette")) {
 dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, 
value_len);



[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.6 | Andreas Cadhalpun 
 | Sat Dec 19 23:45:06 2015 +0100| 
[462afe5d00c815aef20ee33aaabcf1d30e4455c8] | committer: Andreas Cadhalpun

rawdec: only exempt BIT0 with need_copy from buffer sanity check

Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=462afe5d00c815aef20ee33aaabcf1d30e4455c8
---

 libavcodec/rawdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 647dfa9..5685539 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 buf += buf_size - context->frame_size;
 
 len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? 
AVPALETTE_SIZE : 0);
-if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0)) {
+if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0) || !need_copy)) {
 av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < 
expected frame_size %d\n", buf_size, len);
 av_buffer_unref(>buf[0]);
 return AVERROR(EINVAL);
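Review bot: The BIT0 exemption on the changed `if` line looks unreachable, because `(avctx->codec_tag & 0xFF)` keeps only the low byte while `MKTAG('B','I','T', 0)` has three non-zero bytes, so the `!=` is always true. That fails safe (every undersized buffer is rejected), but if the exemption is wanted the mask should cover the three tag bytes: `((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)`. The release/2.4 backport of this hunk further down has the same line. raw_decode starts and ends outside the hunk.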



[FFmpeg-cvslog] exr: fix out of bounds read in get_code

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Sun Dec 13 23:17:09 2015 +0100| 
[79d75f1554de110d020a8035c86458a80dd7d773] | committer: Andreas Cadhalpun

exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79d75f1554de110d020a8035c86458a80dd7d773
---

 libavcodec/exr.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 0e62f4e..9088581 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
 lc += 8;  \
 }
 
-#define get_code(po, rlc, c, lc, gb, out, oe) \
+#define get_code(po, rlc, c, lc, gb, out, oe, outb)   \
 { \
 if (po == rlc) {  \
 if (lc < 8)   \
@@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int 
im,
   \
 cs = c >> lc; \
   \
-if (out + cs > oe)\
+if (out + cs > oe || out == outb) \
 return AVERROR_INVALIDDATA;   \
   \
 s = out[-1];  \
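Review bot: The bounds test on the changed line still forms `out + cs` before comparing it with `oe`, and computing a pointer beyond one past the end of the buffer is undefined even if it is never dereferenced. Comparing lengths avoids that, assuming `out` never exceeds `oe`: `if (cs > oe - out || out == outb)`. The new `outb` parameter is also undocumented; a one-line comment above the macro saying that `outb` is the start of the output buffer and that a run code needs a previous byte at `out[-1]` would help. The macro starts in the previous hunk and continues past this one.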
@@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 int j;
 
@@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 if ((hcode[pl.p[j]] >> 6) ==
 ((c >> (lc - l)) & ((1LL << l) - 1))) {
 lc -= l;
-get_code(pl.p[j], rlc, c, lc, gb, out, oe);
+get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb);
 break;
 }
 }
@@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 
 if (pl.len) {
 lc -= pl.len;
-get_code(pl.lit, rlc, c, lc, gb, out, oe);
+get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] nutdec: only copy the header if it exists

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Fri Dec 18 15:18:47 2015 +0100| 
[0f1e398874399ddf0586b54735d8c85ff1228c85] | committer: Andreas Cadhalpun

nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f1e398874399ddf0586b54735d8c85ff1228c85
---

 libavformat/nutdec.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index cd1da9f..a28c632 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1069,7 +1069,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, 
int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
-memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+if (nut->header[header_idx])
+memcpy(pkt->data, nut->header[header_idx], 
nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 if (stc->last_flags & FLAG_SM_DATA) {
 int sm_size;
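Review bot: With the new guard, a NULL `nut->header[header_idx]` paired with a non-zero `nut->header_len[header_idx]` would leave the first bytes of `pkt->data` uninitialised, since `av_new_packet()` above still reserves them. The hunk does not show whether that combination is excluded when the headers are read, so I would state the invariant next to the guard once it is confirmed, e.g. `/* a NULL header always has header_len 0, nothing to copy */`. The release/2.4 backport further down carries the same change. decode_frame starts and ends outside the hunk.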



[FFmpeg-cvslog] ffm: reject invalid codec_id and codec_type

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Mon Dec 14 22:11:55 2015 +0100| 
[5478e7bbc106b5781b7a49429b2b9db0f2d4f378] | committer: Andreas Cadhalpun

ffm: reject invalid codec_id and codec_type

A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.

This can cause NULL pointer dereferencing in try_decode_frame.

Also make sure the codec_type matches the expected one for codec_id.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5478e7bbc106b5781b7a49429b2b9db0f2d4f378
---

 libavformat/ffmdec.c |   28 
 1 file changed, 28 insertions(+)

diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index 87cf546..b1cc14a 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -267,6 +267,7 @@ static int ffm2_read_header(AVFormatContext *s)
 AVStream *st;
 AVIOContext *pb = s->pb;
 AVCodecContext *codec;
+const AVCodecDescriptor *codec_desc;
 int ret;
 int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1;
 AVCodec *enc;
@@ -321,7 +322,20 @@ static int ffm2_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+codec_desc = avcodec_descriptor_get(codec->codec_id);
+if (!codec_desc) {
+av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", 
codec->codec_id);
+codec->codec_id = AV_CODEC_ID_NONE;
+goto fail;
+}
 codec->codec_type = avio_r8(pb);
+if (codec->codec_type != codec_desc->type) {
+av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, 
found %d\n",
+   codec_desc->type, codec->codec_type);
+codec->codec_id = AV_CODEC_ID_NONE;
+codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+goto fail;
+}
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
 codec->flags2 = avio_rb32(pb);
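Review bot: Neither of the two added `goto fail` paths sets `ret`, although `ret` is declared in ffm2_read_header and other error paths of this function shown on this page assign it first (`ret = AVERROR(EINVAL); goto fail;`). If the `fail` label returns `ret` (it is outside the hunk), a rejected codec id or type could return a stale or uninitialised value; adding `ret = AVERROR_INVALIDDATA;` before each `goto fail` would make the result explicit. The release/2.4 backport of this commit further down has the same lines. The identical check block is also added to ffm_read_header in the last hunk; a small shared helper would keep the two copies from drifting.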
@@ -469,6 +483,7 @@ static int ffm_read_header(AVFormatContext *s)
 AVStream *st;
 AVIOContext *pb = s->pb;
 AVCodecContext *codec;
+const AVCodecDescriptor *codec_desc;
 int i, nb_streams;
 uint32_t tag;
 
@@ -506,7 +521,20 @@ static int ffm_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+codec_desc = avcodec_descriptor_get(codec->codec_id);
+if (!codec_desc) {
+av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id);
+codec->codec_id = AV_CODEC_ID_NONE;
+goto fail;
+}
 codec->codec_type = avio_r8(pb); /* codec_type */
+if (codec->codec_type != codec_desc->type) {
+av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found 
%d\n",
+   codec_desc->type, codec->codec_type);
+codec->codec_id = AV_CODEC_ID_NONE;
+codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+goto fail;
+}
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
 codec->flags2 = avio_rb32(pb);



[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Wed Dec 16 16:48:19 2015 +0100| 
[105be66545ec3fa250e3a4e4792b097cec7f62a1] | committer: Andreas Cadhalpun

on2avc: limit number of bits to 30 in get_egolomb

More bits don't fit into the integer output.

Also use get_bits_long, since get_bits only supports reading up to 25
bits, while get_bits_long supports the full integer range.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=105be66545ec3fa250e3a4e4792b097cec7f62a1
---

 libavcodec/on2avc.c |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index 7d2e81a..15b75e6 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb)
 {
 int v = 4;
 
-while (get_bits1(gb)) v++;
+while (get_bits1(gb)) {
+v++;
+if (v > 30) {
+av_log(NULL, AV_LOG_WARNING, "Too large golomb code in 
get_egolomb.\n");
+v = 30;
+break;
+}
+}
 
-return (1 << v) + get_bits(gb, v);
+return (1 << v) + get_bits_long(gb, v);
 }
 
 static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst,
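Review bot: When the prefix is longer than 30 bits the new loop clamps `v` and keeps decoding, so the caller gets a value from a stream that is already out of sync and cannot tell that anything went wrong. The warning is logged with a NULL context, so it cannot be attributed to a decoder instance, and malformed input can trigger it once per code. At minimum I would document the limit, `/* v is capped at 30 so that (1 << v) + get_bits_long(gb, v) still fits in int */`; passing a log context in and treating the overflow as invalid data would be stricter, but the callers are outside the hunk. The release/2.4 backport further down is identical.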



[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Wed Dec 16 20:52:39 2015 +0100| 
[eca27eeea95f906c7d887cd98e5406e8531f1e44] | committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eca27eeea95f906c7d887cd98e5406e8531f1e44
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index e7f0eea..f1bc93e 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);
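Review bot: The added test `fps < 0.0f` is false for NaN, so a NaN bit pattern read from the file passes the check unchanged, and an infinite rate does as well. Writing the condition as `if (!(fps >= 0.0)) {` would route NaN into the same error/warning branch; whether infinity needs handling depends on how fps is used later in nuv_header, which is outside the hunk. The literal could also be `0.0` rather than `0.0f`, since fps is assigned from av_int2double().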



[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Sat Dec 19 12:02:56 2015 +0100| 
[2db78f83bad187012f446ca43f6edcb845e7f513] | committer: Andreas Cadhalpun

nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2db78f83bad187012f446ca43f6edcb845e7f513
---

 libavformat/nutdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index a28c632..6ace90a 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -872,7 +872,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext 
*bc, AVPacket *pkt, int
 
 get_str(bc, type_str, sizeof(type_str));
 value_len = ffio_read_varlen(bc);
-if (avio_tell(bc) + value_len >= maxpos)
+if (value_len < 0 || value_len >= maxpos - avio_tell(bc))
 return AVERROR_INVALIDDATA;
 if (!strcmp(name, "Palette")) {
 dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, 
value_len);



[FFmpeg-cvslog] opus_silk: fix typo causing overflow in silk_stabilize_lsf

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Tue Dec 15 22:00:31 2015 +0100| 
[31d6900161221f6b83b76aa85221de49b7adbf32] | committer: Andreas Cadhalpun

opus_silk: fix typo causing overflow in silk_stabilize_lsf

Due to this typo max_center can be too large, causing nlsf to be set to
too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to
overflow to a negative value, which is not allowed for nlsf and can
cause an out of bounds read in silk_lsf2lpc.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31d6900161221f6b83b76aa85221de49b7adbf32
---

 libavcodec/opus_silk.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 7a89479..4c64cdf 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int 
order, const uint16_
 
 /* upper extent */
 for (i = order; i > k; i--)
-max_center -= min_delta[k];
+max_center -= min_delta[i];
 max_center -= min_delta[k] >> 1;
 
 /* move apart */
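Review bot: After the fix the loop reads `min_delta[i]` for `i` from `order` down to `k + 1`, so the table must have at least `order + 1` entries, which the hunk does not show. A comment on the loop would make that requirement visible, for example `/* min_delta has order + 1 entries; index order is the upper boundary */`, to be confirmed against the table definitions. The release/2.4 backport further down has the same change, and silk_stabilize_lsf starts and ends outside the hunk.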



[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Fri Dec 18 19:28:51 2015 +0100| 
[882391f9758ea13643639e21de81e3f7978b0695] | committer: Andreas Cadhalpun

xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=882391f9758ea13643639e21de81e3f7978b0695
---

 libavcodec/xwddec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 62dfdac..18b1f93 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void 
*data,
 return AVERROR_INVALIDDATA;
 }
 
-if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
avctx->height * lsize) {
+if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
(uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }
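Review bot: The cast widens only `avctx->height * lsize`; `ncolors * XWD_CMAP_SIZE` is still multiplied in its own type before it is added. If ncolors is not bounded earlier in xwd_decode_frame (not visible in the hunk), that product can wrap in the same way, so I would widen it too: `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`. The release/2.4 backport further down has the same line.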



[FFmpeg-cvslog] sonic: make sure num_taps * channels is not larger than frame_size

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Tue Dec 15 23:43:03 2015 +0100| 
[46e7a63b6e011b47d87b54659b2a3799056e5753] | committer: Andreas Cadhalpun

sonic: make sure num_taps * channels is not larger than frame_size

If that is the case, the loop setting predictor_state in
sonic_decode_frame causes out of bounds reads of int_samples, which has
only frame_size number of elements.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=46e7a63b6e011b47d87b54659b2a3799056e5753
---

 libavcodec/sonic.c |7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index c5076f9..ab947c4 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)
 s->frame_size = s->channels*s->block_align*s->downsampling;
 //avctx->frame_size = s->block_align;
 
+if (s->num_taps * s->channels > s->frame_size) {
+av_log(avctx, AV_LOG_ERROR,
+   "number of taps times channels (%d * %d) larger than frame size 
%d\n",
+   s->num_taps, s->channels, s->frame_size);
+return AVERROR_INVALIDDATA;
+}
+
 av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d 
block: %d frame: %d downsamp: %d\n",
 s->version, s->minor_version, s->lossless, s->decorrelation, 
s->num_taps, s->block_align, s->frame_size, s->downsampling);
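Review bot: The new check multiplies `s->num_taps * s->channels` in int, and the `frame_size` it is compared with is itself a product of three values computed just above. If those fields are not range-limited earlier in sonic_decode_init (outside the hunk), either product could overflow and let the check pass; a comment stating the bounds, or widening the comparison as in `(int64_t)s->num_taps * s->channels > s->frame_size`, would make it robust.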
 



[FFmpeg-cvslog] aaccoder: prevent crash of anmr coder

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Fri Dec  4 18:13:07 2015 +0100| 
[26b74a7213bf720f2818e9b5e8c8359cbadf9207] | committer: Andreas Cadhalpun

aaccoder: prevent crash of anmr coder

If minq is negative, the range of sf_idx can be larger than
SCALE_MAX_DIFF allows, causing assertion failures later in
encode_scale_factors.

Reviewed-by: Claudio Freire 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26b74a7213bf720f2818e9b5e8c8359cbadf9207
---

 libavcodec/aaccoder.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c
index 5bf6a9c..4b915da 100644
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -691,7 +691,7 @@ static void search_for_quantizers_anmr(AVCodecContext 
*avctx, AACEncContext *s,
 }
 while (idx) {
 sce->sf_idx[bandaddr[idx]] = minq + q0;
-minq = paths[idx][minq].prev;
+minq = FFMAX(paths[idx][minq].prev, 0);
 idx--;
 }
 //set the same quantizers inside window groups
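Review bot: The `FFMAX(..., 0)` clamp has no comment, and it hides rather than reports the case where `prev` is negative. A short why-comment would help the next reader, e.g. `/* prev may be negative; clamp so sf_idx stays within SCALE_MAX_DIFF */`, with the wording checked against how `paths` is filled in (outside the hunk). search_for_quantizers_anmr starts and ends outside the hunk.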



[FFmpeg-cvslog] ffmdec: reject zero-sized chunks

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.5 | Andreas Cadhalpun 
 | Wed Dec  2 22:47:12 2015 +0100| 
[cc77012329f0b68373f6fadc2fda19e0d1f661cb] | committer: Andreas Cadhalpun

ffmdec: reject zero-sized chunks

If size is zero, avio_get_str fails, leaving the buffer uninitialized.
This causes invalid reads in av_set_options_string.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc77012329f0b68373f6fadc2fda19e0d1f661cb
---

 libavformat/ffmdec.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index 57df43b..87cf546 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -414,7 +414,7 @@ static int ffm2_read_header(AVFormatContext *s)
 }
 break;
 case MKBETAG('S', '2', 'V', 'I'):
-if (f_stvi++) {
+if (f_stvi++ || !size) {
 ret = AVERROR(EINVAL);
 goto fail;
 }
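Review bot: Folding `!size` into the duplicate-chunk test (here and in the S2AU hunk below) blocks this one trigger, but per the commit message the underlying problem is that a failing avio_get_str() leaves the buffer uninitialised. The call itself is outside the hunk; checking its return value there, or zero-initialising the buffer, would cover any other way it can fail. A zero-sized chunk is also bad input rather than a bad argument, so `AVERROR_INVALIDDATA` would describe it better than the shared `AVERROR(EINVAL)`.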
@@ -429,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s)
 goto fail;
 break;
 case MKBETAG('S', '2', 'A', 'U'):
-if (f_stau++) {
+if (f_stau++ || !size) {
 ret = AVERROR(EINVAL);
 goto fail;
 }



[FFmpeg-cvslog] avcodec/s302menc: check if buf_size can actually be put into 16bit size

2015-12-20 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sat Dec 19 21:52:19 
2015 +0100| [db6e337b41fce401e67daa2f05fbe0663f825240] | committer: Paul B Mahol

avcodec/s302menc: check if buf_size can actually be put into 16bit size

This disallows creating unplayable audio.

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=db6e337b41fce401e67daa2f05fbe0663f825240
---

 libavcodec/s302menc.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c
index 3706eba..c703e9a 100644
--- a/libavcodec/s302menc.c
+++ b/libavcodec/s302menc.c
@@ -78,6 +78,11 @@ static int s302m_encode2_frame(AVCodecContext *avctx, 
AVPacket *avpkt,
 uint8_t *o;
 PutBitContext pb;
 
+if (buf_size - AES3_HEADER_LEN > UINT16_MAX) {
+av_log(avctx, AV_LOG_ERROR, "number of samples in frame too big\n");
+return AVERROR(EINVAL);
+}
+
 if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size, 0)) < 0)
 return ret;
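Review bot: The new error message does not say which limit was exceeded or by how much, which makes the rejection hard to diagnose from a log. Assuming buf_size is an int (its declaration is outside the hunk), something like `av_log(avctx, AV_LOG_ERROR, "frame payload %d exceeds 16-bit size field\n", buf_size - AES3_HEADER_LEN);` would be clearer. A comment that the limit comes from the 16-bit size stored in the AES3 header would also help, if that is indeed where it comes from.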
 



[FFmpeg-cvslog] ffm: reject invalid codec_id and codec_type

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Mon Dec 14 22:11:55 2015 +0100| 
[6fc3f6f43b24b98a768acc28f03fec37ef1a79e3] | committer: Andreas Cadhalpun

ffm: reject invalid codec_id and codec_type

A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.

This can cause NULL pointer dereferencing in try_decode_frame.

Also make sure the codec_type matches the expected one for codec_id.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fc3f6f43b24b98a768acc28f03fec37ef1a79e3
---

 libavformat/ffmdec.c |   28 
 1 file changed, 28 insertions(+)

diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c
index 2753f2c..ee3e1d6 100644
--- a/libavformat/ffmdec.c
+++ b/libavformat/ffmdec.c
@@ -243,6 +243,7 @@ static int ffm2_read_header(AVFormatContext *s)
 AVStream *st;
 AVIOContext *pb = s->pb;
 AVCodecContext *codec;
+const AVCodecDescriptor *codec_desc;
 int ret;
 
 ffm->packet_size = avio_rb32(pb);
@@ -289,7 +290,20 @@ static int ffm2_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+codec_desc = avcodec_descriptor_get(codec->codec_id);
+if (!codec_desc) {
+av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", 
codec->codec_id);
+codec->codec_id = AV_CODEC_ID_NONE;
+goto fail;
+}
 codec->codec_type = avio_r8(pb);
+if (codec->codec_type != codec_desc->type) {
+av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, 
found %d\n",
+   codec_desc->type, codec->codec_type);
+codec->codec_id = AV_CODEC_ID_NONE;
+codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+goto fail;
+}
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
 codec->flags2 = avio_rb32(pb);
@@ -389,6 +403,7 @@ static int ffm_read_header(AVFormatContext *s)
 AVStream *st;
 AVIOContext *pb = s->pb;
 AVCodecContext *codec;
+const AVCodecDescriptor *codec_desc;
 int i, nb_streams;
 uint32_t tag;
 
@@ -426,7 +441,20 @@ static int ffm_read_header(AVFormatContext *s)
 codec = st->codec;
 /* generic info */
 codec->codec_id = avio_rb32(pb);
+codec_desc = avcodec_descriptor_get(codec->codec_id);
+if (!codec_desc) {
+av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id);
+codec->codec_id = AV_CODEC_ID_NONE;
+goto fail;
+}
 codec->codec_type = avio_r8(pb); /* codec_type */
+if (codec->codec_type != codec_desc->type) {
+av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found 
%d\n",
+   codec_desc->type, codec->codec_type);
+codec->codec_id = AV_CODEC_ID_NONE;
+codec->codec_type = AVMEDIA_TYPE_UNKNOWN;
+goto fail;
+}
 codec->bit_rate = avio_rb32(pb);
 codec->flags = avio_rb32(pb);
 codec->flags2 = avio_rb32(pb);



[FFmpeg-cvslog] mlvdec: check that index_entries exist

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Sat Dec 19 23:44:53 2015 +0100| 
[f0eea9cc3a112f69991ffba79d6ca224d9eb60f5] | committer: Andreas Cadhalpun

mlvdec: check that index_entries exist

This fixes NULL pointer dereferencing.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0eea9cc3a112f69991ffba79d6ca224d9eb60f5
---

 libavformat/mlvdec.c |5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 564e113..98373bd 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -363,6 +363,11 @@ static int read_header(AVFormatContext *avctx)
 if (ast)
 ast->duration = ast->nb_index_entries;
 
+if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) {
+av_log(avctx, AV_LOG_ERROR, "no index entries found\n");
+return AVERROR_INVALIDDATA;
+}
+
 if (vst && ast)
 avio_seek(pb, FFMIN(vst->index_entries[0].pos, 
ast->index_entries[0].pos), SEEK_SET);
 else if (vst)
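Review bot: The added early return leaves read_header directly; whether anything opened or allocated earlier in the function has to be released on that path is not visible in the hunk and should be checked. A comment on the new test would also help, e.g. `/* index_entries[0] is dereferenced below, so every present stream needs at least one entry */`. read_header starts and ends outside the hunk.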



[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Fri Dec 18 19:28:51 2015 +0100| 
[dcecc180a6ad9e05f2b1f5802ec04c95a4cc6a8d] | committer: Andreas Cadhalpun

xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcecc180a6ad9e05f2b1f5802ec04c95a4cc6a8d
---

 libavcodec/xwddec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 62dfdac..18b1f93 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void 
*data,
 return AVERROR_INVALIDDATA;
 }
 
-if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
avctx->height * lsize) {
+if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + 
(uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] avcodec/mpeg4videodec: also for empty partitioned slices

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.4 | Michael Niedermayer  | 
Sat Dec 19 23:21:33 2015 +0100| [fbfb2814b28d24c275c5809a7f6f6e33efe7b7dc] | 
committer: Andreas Cadhalpun

avcodec/mpeg4videodec: also for empty partitioned slices

Fixes assertion failure
Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v

Found-by: Andreas Cadhalpun 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbfb2814b28d24c275c5809a7f6f6e33efe7b7dc
---

 libavcodec/mpeg4videodec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index e6b89fd..9acb163 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx)
 const int part_a_end   = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END   
| ER_MV_END)   : ER_MV_END;
 
 mb_num = mpeg4_decode_partition_a(ctx);
-if (mb_num < 0) {
+if (mb_num <= 0) {
 ff_er_add_slice(>er, s->resync_mb_x, s->resync_mb_y,
 s->mb_x, s->mb_y, part_a_error);
 return -1;
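Review bot: The change from `<` to `<=` makes a partition A with zero macroblocks an error, but nothing at the call site says why zero is invalid. I would add `/* an empty partition A is an error as well; later code assumes mb_num > 0 */`, adjusting the wording to whatever assertion the commit message refers to. ff_mpeg4_decode_partitions starts and ends outside the hunk.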



[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Sat Dec 19 23:45:06 2015 +0100| 
[b0a8095f2bf0bc03c5d4dfccaba845de6fd5bb4f] | committer: Andreas Cadhalpun

rawdec: only exempt BIT0 with need_copy from buffer sanity check

Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0a8095f2bf0bc03c5d4dfccaba845de6fd5bb4f
---

 libavcodec/rawdec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 647dfa9..5685539 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 buf += buf_size - context->frame_size;
 
 len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? 
AVPALETTE_SIZE : 0);
-if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0)) {
+if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 
0) || !need_copy)) {
 av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < 
expected frame_size %d\n", buf_size, len);
 av_buffer_unref(>buf[0]);
 return AVERROR(EINVAL);



[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Wed Dec 16 16:48:19 2015 +0100| 
[e32095807b86480dfa5395972f7734990e27c146] | committer: Andreas Cadhalpun

on2avc: limit number of bits to 30 in get_egolomb

More bits don't fit into the integer output.

Also use get_bits_long, since get_bits only supports reading up to 25
bits, while get_bits_long supports the full integer range.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e32095807b86480dfa5395972f7734990e27c146
---

 libavcodec/on2avc.c |   11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index c864e14..c4e45af 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb)
 {
 int v = 4;
 
-while (get_bits1(gb)) v++;
+while (get_bits1(gb)) {
+v++;
+if (v > 30) {
+av_log(NULL, AV_LOG_WARNING, "Too large golomb code in 
get_egolomb.\n");
+v = 30;
+break;
+}
+}
 
-return (1 << v) + get_bits(gb, v);
+return (1 << v) + get_bits_long(gb, v);
 }
 
 static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst,



[FFmpeg-cvslog] nutdec: only copy the header if it exists

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Fri Dec 18 15:18:47 2015 +0100| 
[2306964b3a0336e24d1c9d04bd54aaecf2d198d7] | committer: Andreas Cadhalpun

nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2306964b3a0336e24d1c9d04bd54aaecf2d198d7
---

 libavformat/nutdec.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 76fd8cc..eec6423 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -1082,7 +1082,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, 
int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
-memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+if (nut->header[header_idx])
+memcpy(pkt->data, nut->header[header_idx], 
nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 if (stc->last_flags & FLAG_SM_DATA) {
 int sm_size;
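Review bot: The added `if (nut->header[header_idx])` skips the copy, but `av_new_packet` just above still reserves `nut->header_len[header_idx]` bytes at the front of `pkt->data`. If a table entry could ever pair a NULL header with a non-zero length (the table setup is outside this hunk), nothing visible here would write those leading bytes. Stating the invariant next to the guard, e.g. `/* header[i] == NULL only when header_len[i] == 0 */`, or testing the length rather than the pointer, would make the assumption explicit. decode_frame starts and continues outside the hunk.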



[FFmpeg-cvslog] opus_silk: fix typo causing overflow in silk_stabilize_lsf

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Tue Dec 15 22:00:31 2015 +0100| 
[7a26ea7a7e67cff8c1f3367e4f505f1c650ca0f5] | committer: Andreas Cadhalpun

opus_silk: fix typo causing overflow in silk_stabilize_lsf

Due to this typo max_center can be too large, causing nlsf to be set to
too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to
overflow to a negative value, which is not allowed for nlsf and can
cause an out of bounds read in silk_lsf2lpc.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a26ea7a7e67cff8c1f3367e4f505f1c650ca0f5
---

 libavcodec/opus_silk.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 7a89479..4c64cdf 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int 
order, const uint16_
 
 /* upper extent */
 for (i = order; i > k; i--)
-max_center -= min_delta[k];
+max_center -= min_delta[i];
 max_center -= min_delta[k] >> 1;
 
 /* move apart */
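Review bot: With the index corrected to `min_delta[i]`, the first pass of `for (i = order; i > k; i--)` reads `min_delta[order]`, so the table must hold at least `order + 1` entries. The parameter declaration is cut off in the hunk header, so that size cannot be confirmed from here. A comment on the loop such as `/* min_delta[] has order + 1 entries; index order is the upper edge */` would record the requirement, provided it matches the table definition.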



[FFmpeg-cvslog] sonic: make sure num_taps * channels is not larger than frame_size

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Tue Dec 15 23:43:03 2015 +0100| 
[465dd4bc941e96abc00e60e35947673d64d34907] | committer: Andreas Cadhalpun

sonic: make sure num_taps * channels is not larger than frame_size

If that is the case, the loop setting predictor_state in
sonic_decode_frame causes out of bounds reads of int_samples, which has
only frame_size number of elements.

Reviewed-by: Michael Niedermayer 
Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=465dd4bc941e96abc00e60e35947673d64d34907
---

 libavcodec/sonic.c |7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index c5076f9..ab947c4 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx)
 s->frame_size = s->channels*s->block_align*s->downsampling;
 //avctx->frame_size = s->block_align;
 
+if (s->num_taps * s->channels > s->frame_size) {
+av_log(avctx, AV_LOG_ERROR,
+   "number of taps times channels (%d * %d) larger than frame size 
%d\n",
+   s->num_taps, s->channels, s->frame_size);
+return AVERROR_INVALIDDATA;
+}
+
 av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d 
block: %d frame: %d downsamp: %d\n",
 s->version, s->minor_version, s->lossless, s->decorrelation, 
s->num_taps, s->block_align, s->frame_size, s->downsampling);
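Review bot: The new check `s->num_taps * s->channels > s->frame_size` multiplies two ints before comparing, and `frame_size` on the context line above is itself a three-way int product. If those fields are not range-limited earlier in sonic_decode_init (not visible in this hunk), a wrapped product could pass the check and leave the out-of-bounds read from the commit message reachable. Comparing in 64 bits, `if ((int64_t)s->num_taps * s->channels > s->frame_size) {`, removes the dependency for the left-hand side; the `frame_size` computation would need the same care. The function starts and continues outside the hunk.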
 



[FFmpeg-cvslog] nuv: sanitize negative fps rate

2015-12-20 Thread Andreas Cadhalpun
ffmpeg | branch: release/2.4 | Andreas Cadhalpun 
 | Wed Dec 16 20:52:39 2015 +0100| 
[1317c63b4b1d96c554f88a92a6b770341c529a66] | committer: Andreas Cadhalpun

nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun 
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1317c63b4b1d96c554f88a92a6b770341c529a66
---

 libavformat/nuv.c |9 +
 1 file changed, 9 insertions(+)

diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index e7f0eea..f1bc93e 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
@@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0. && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+if (fps < 0.0f) {
+if (s->error_recognition & AV_EF_EXPLODE) {
+av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+return AVERROR_INVALIDDATA;
+} else {
+av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 
0.\n", fps);
+fps = 0.0f;
+}
+}
 
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);
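Review bot: `if (fps < 0.0f)` is false for NaN and does not catch infinity, and `fps` is built directly from 64 bits of file data by `av_int2double`, so both values pass this check and reach the code after the hunk. Testing `if (!isfinite(fps) || fps < 0.0) {` (with `<math.h>`) would send them down the same error/warning path. The cherry-picked original, f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce, carries the same condition. nuv_header starts and continues outside the hunk.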



[FFmpeg-cvslog] avcodec/mpeg4videodec: also for empty partitioned slices

2015-12-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.5 | Michael Niedermayer  | 
Sat Dec 19 23:21:33 2015 +0100| [8cd0e23be83d7967ce6d0c1e933e1bd0819c8cb6] | 
committer: Andreas Cadhalpun

avcodec/mpeg4videodec: also for empty partitioned slices

Fixes assertion failure
Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v

Found-by: Andreas Cadhalpun 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7)
Signed-off-by: Andreas Cadhalpun 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cd0e23be83d7967ce6d0c1e933e1bd0819c8cb6
---

 libavcodec/mpeg4videodec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 174d60e..526e0e3 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx)
 const int part_a_end   = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END   
| ER_MV_END)   : ER_MV_END;
 
 mb_num = mpeg4_decode_partition_a(ctx);
-if (mb_num < 0) {
+if (mb_num <= 0) {
 ff_er_add_slice(>er, s->resync_mb_x, s->resync_mb_y,
 s->mb_x, s->mb_y, part_a_error);
 return -1;
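Review bot: The widened test `if (mb_num <= 0)` now routes a partition with zero macroblocks into the error path, but nothing at this site says why zero is invalid; the commit message only mentions an assertion failure. A short comment such as `/* an empty partition is reported as damaged, like a decode error */` would keep the `<=` from being simplified back to `<` later. ff_mpeg4_decode_partitions continues outside the hunk.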



[FFmpeg-cvslog] avcodec/flacenc: use designated initializers for AVClass

2015-12-20 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sun Dec 20 17:47:21 
2015 +0100| [367ffa0c151792651a741554c608a73bad112663] | committer: Paul B Mahol

avcodec/flacenc: use designated initializers for AVClass

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=367ffa0c151792651a741554c608a73bad112663
---

 libavcodec/flacenc.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c
index b3833fa..5db043a 100644
--- a/libavcodec/flacenc.c
+++ b/libavcodec/flacenc.c
@@ -1468,10 +1468,10 @@ static const AVOption options[] = {
 };
 
 static const AVClass flac_encoder_class = {
-"FLAC encoder",
-av_default_item_name,
-options,
-LIBAVUTIL_VERSION_INT,
+.class_name = "FLAC encoder",
+.item_name  = av_default_item_name,
+.option = options,
+.version= LIBAVUTIL_VERSION_INT,
 };
 
 AVCodec ff_flac_encoder = {



[FFmpeg-cvslog] x86/hevc_sao: simplify sao_edge_filter 10/12bit

2015-12-20 Thread James Almer
ffmpeg | branch: master | James Almer  | Sun Dec  6 02:46:51 
2015 -0300| [3ff2beff65af87fc9ce75d55f2c06e01d606cebc] | committer: James Almer

x86/hevc_sao: simplify sao_edge_filter 10/12bit

Reviewed-by: Michael Niedermayer 
Reviewed-by: Christophe Gisquet 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ff2beff65af87fc9ce75d55f2c06e01d606cebc
---

 libavcodec/x86/hevc_sao_10bit.asm |  150 +
 1 file changed, 54 insertions(+), 96 deletions(-)

diff --git a/libavcodec/x86/hevc_sao_10bit.asm 
b/libavcodec/x86/hevc_sao_10bit.asm
index 3a7048a..79776ac 100644
--- a/libavcodec/x86/hevc_sao_10bit.asm
+++ b/libavcodec/x86/hevc_sao_10bit.asm
@@ -221,46 +221,6 @@ HEVC_SAO_BAND_FILTER 12, 64, 4
 addb_strideq, tmpq
 %endmacro
 
-%macro HEVC_SAO_EDGE_FILTER_COMPUTE 0
-PMINUWm4, m1, m2, m6
-PMINUWm5, m1, m3, m7
-pcmpeqw   m2, m4
-pcmpeqw   m3, m5
-pcmpeqw   m4, m1
-pcmpeqw   m5, m1
-psubw m4, m2
-psubw m5, m3
-
-paddw m4, m5
-pcmpeqw   m2, m4, [pw_m2]
-%if ARCH_X86_64
-pcmpeqw   m3, m4, m13
-pcmpeqw   m5, m4, m0
-pcmpeqw   m6, m4, m14
-pcmpeqw   m7, m4, m15
-pand  m2, m8
-pand  m3, m9
-pand  m5, m10
-pand  m6, m11
-pand  m7, m12
-%else
-pcmpeqw   m3, m4, [pw_m1]
-pcmpeqw   m5, m4, m0
-pcmpeqw   m6, m4, [pw_1]
-pcmpeqw   m7, m4, [pw_2]
-pand  m2, [rsp+MMSIZE*0]
-pand  m3, [rsp+MMSIZE*1]
-pand  m5, [rsp+MMSIZE*2]
-pand  m6, [rsp+MMSIZE*3]
-pand  m7, [rsp+MMSIZE*4]
-%endif
-paddw m2, m3
-paddw m5, m6
-paddw m2, m7
-paddw m2, m1
-paddw m2, m5
-%endmacro
-
 ;void ff_hevc_sao_edge_filter___(uint8_t *_dst, uint8_t 
*_src, ptrdiff_t stride_dst, int16_t *sao_offset_val,
 ;   int eo, int width, int 
height);
 %macro HEVC_SAO_EDGE_FILTER 3
@@ -274,7 +234,6 @@ cglobal hevc_sao_edge_filter_%2_%1, 4, 9, 16, dst, src, 
dststride, offset, eo, a
 
 %else ; ARCH_X86_32
 cglobal hevc_sao_edge_filter_%2_%1, 1, 6, 8, 5*mmsize, dst, src, dststride, 
a_stride, b_stride, height
-%assign MMSIZE mmsize
 %define eoq   srcq
 %define tmpq  heightq
 %define tmp2q dststrideq
@@ -325,54 +284,53 @@ cglobal hevc_sao_edge_filter_%2_%1, 1, 6, 8, 5*mmsize, 
dst, src, dststride, a_st
 align 16
 .loop:
 
-%if %2 == 8
-mova  m1, [srcq]
-movu  m2, [srcq+a_strideq]
-movu  m3, [srcq+b_strideq]
-
-HEVC_SAO_EDGE_FILTER_COMPUTE
-CLIPW m2, m0, [pw_mask %+ %1]
-movu  [dstq], m2
-%endif
-
 %assign i 0
 %rep %3
 mova  m1, [srcq + i]
 movu  m2, [srcq+a_strideq + i]
 movu  m3, [srcq+b_strideq + i]
-HEVC_SAO_EDGE_FILTER_COMPUTE
-CLIPW m2, m0, [pw_mask %+ %1]
-mova  [dstq + i], m2
+PMINUWm4, m1, m2, m6
+PMINUWm5, m1, m3, m7
+pcmpeqw   m2, m4
+pcmpeqw   m3, m5
+pcmpeqw   m4, m1
+pcmpeqw   m5, m1
+psubw m4, m2
+psubw m5, m3
 
-mova  m1, [srcq + i + mmsize]
-movu  m2, [srcq+a_strideq + i + mmsize]
-movu  m3, [srcq+b_strideq + i + mmsize]
-HEVC_SAO_EDGE_FILTER_COMPUTE
+paddw m4, m5
+pcmpeqw   m2, m4, [pw_m2]
+%if ARCH_X86_64
+pcmpeqw   m3, m4, m13
+pcmpeqw   m5, m4, m0
+pcmpeqw   m6, m4, m14
+pcmpeqw   m7, m4, m15
+pand  m2, m8
+pand  m3, m9
+pand  m5, m10
+pand  m6, m11
+pand  m7, m12
+%else
+pcmpeqw   m3, m4, [pw_m1]
+pcmpeqw   m5, m4, m0
+pcmpeqw   m6, m4, [pw_1]
+pcmpeqw   m7, m4, [pw_2]
+pand  m2, [rsp+mmsize*0]
+pand  m3, [rsp+mmsize*1]
+pand  m5, [rsp+mmsize*2]
+pand  m6, [rsp+mmsize*3]
+pand  m7, [rsp+mmsize*4]
+%endif
+paddw m2, m3
+paddw m5, m6
+paddw m2, m7
+paddw m2, m1
+paddw m2, m5
 CLIPW m2, m0, [pw_mask %+ %1]
-mova [dstq + i + mmsize], m2
-%assign i i+mmsize*2
+mova  [dstq + i], m2
+%assign i i+mmsize
 %endrep
 
-%if %2 == 48
-INIT_XMM cpuname
-mova  m1, [srcq + i]
-movu  m2, [srcq+a_strideq + i]
-movu  m3, [srcq+b_strideq + 

[FFmpeg-cvslog] avcodec/indeo2: use init_get_bits8

2015-12-20 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sun Dec 20 21:31:55 
2015 +0100| [484cc66f577ba25c142d73c1c2c6590b01d031c2] | committer: Paul B Mahol

avcodec/indeo2: use init_get_bits8

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=484cc66f577ba25c142d73c1c2c6590b01d031c2
---

 libavcodec/indeo2.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 74135b9..3424e00 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -165,7 +165,8 @@ static int ir2_decode_frame(AVCodecContext *avctx,
 buf[i] = ff_reverse[buf[i]];
 #endif
 
-init_get_bits(>gb, buf + start, (buf_size - start) * 8);
+if ((ret = init_get_bits8(>gb, buf + start, buf_size - start)) < 0)
+return ret;
 
 if (s->decode_delta) { /* intraframe */
 if ((ret = ir2_decode_plane(s, avctx->width, avctx->height,



[FFmpeg-cvslog] x86/hevc_sao: simplify sao_band_filter 10/12bit

2015-12-20 Thread James Almer
ffmpeg | branch: master | James Almer  | Sun Dec  6 02:42:34 
2015 -0300| [34b2bd03cf94e26e0352b4edd5f9ca86c5e95b0b] | committer: James Almer

x86/hevc_sao: simplify sao_band_filter 10/12bit

Reviewed-by: Michael Niedermayer 
Reviewed-by: Christophe Gisquet 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=34b2bd03cf94e26e0352b4edd5f9ca86c5e95b0b
---

 libavcodec/x86/hevc_sao_10bit.asm |  142 +++--
 1 file changed, 57 insertions(+), 85 deletions(-)

diff --git a/libavcodec/x86/hevc_sao_10bit.asm 
b/libavcodec/x86/hevc_sao_10bit.asm
index f45fc56..3a7048a 100644
--- a/libavcodec/x86/hevc_sao_10bit.asm
+++ b/libavcodec/x86/hevc_sao_10bit.asm
@@ -83,7 +83,6 @@ SECTION .text
 mova  [rsp+mmsize*6], m6
 mova  m1, [pw_mask %+ %1]
 pxor  m0, m0
-%assign MMSIZE mmsize
 %define m14 m0
 %define m13 m1
 %define  m9 m2
@@ -93,37 +92,6 @@ DEFINE_ARGS dst, src, dststride, srcstride, offset, height
 mov  heightd, r7m
 %endmacro
 
-%macro HEVC_SAO_BAND_FILTER_COMPUTE 3
-psraw %2, %3, %1-5
-%if ARCH_X86_64
-pcmpeqw  m10, %2, m0
-pcmpeqw  m11, %2, m1
-pcmpeqw  m12, %2, m2
-pcmpeqw   %2, m3
-pand m10, m4
-pand m11, m5
-pand m12, m6
-pand  %2, m7
-por  m10, m11
-por  m12, %2
-por  m10, m12
-paddw %3, m10
-%else ; ARCH_X86_32
-pcmpeqw   m4, %2, [rsp+MMSIZE*0]
-pcmpeqw   m5, %2, [rsp+MMSIZE*1]
-pcmpeqw   m6, %2, [rsp+MMSIZE*2]
-pcmpeqw   %2, [rsp+MMSIZE*3]
-pand  m4, [rsp+MMSIZE*4]
-pand  m5, [rsp+MMSIZE*5]
-pand  m6, [rsp+MMSIZE*6]
-pand  %2, m7
-por   m4, m5
-por   m6, %2
-por   m4, m6
-paddw %3, m4
-%endif ; ARCH
-%endmacro
-
 ;void ff_hevc_sao_band_filter___(uint8_t *_dst, uint8_t 
*_src, ptrdiff_t _stride_dst, ptrdiff_t _stride_src,
 ;   int16_t *sao_offset_val, 
int sao_left_class, int width, int height);
 %macro HEVC_SAO_BAND_FILTER 3
@@ -132,43 +100,47 @@ cglobal hevc_sao_band_filter_%2_%1, 6, 6, 15, 
7*mmsize*ARCH_X86_32, dst, src, ds
 
 align 16
 .loop:
-%if %2 == 8
-movu  m8, [srcq]
-HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8
-CLIPW m8, m14, m13
-movu  [dstq], m8
-%endif
 
 %assign i 0
+%assign j 0
 %rep %3
-mova  m8, [srcq + i]
-HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8
-CLIPW m8, m14, m13
-mova  [dstq + i], m8
-
-mova  m9, [srcq + i + mmsize]
-HEVC_SAO_BAND_FILTER_COMPUTE %1, m8, m9
-CLIPW m9, m14, m13
-mova  [dstq + i + mmsize], m9
-%assign i i+mmsize*2
+%assign k 8+(j&1)
+%assign l 9-(j&1)
+mova  m %+ k, [srcq + i]
+psraw m %+ l, m %+ k, %1-5
+%if ARCH_X86_64
+pcmpeqw  m10, m %+ l, m0
+pcmpeqw  m11, m %+ l, m1
+pcmpeqw  m12, m %+ l, m2
+pcmpeqw   m %+ l, m3
+pand m10, m4
+pand m11, m5
+pand m12, m6
+pand  m %+ l, m7
+por  m10, m11
+por  m12, m %+ l
+por  m10, m12
+paddw m %+ k, m10
+%else ; ARCH_X86_32
+pcmpeqw   m4, m %+ l, [rsp+mmsize*0]
+pcmpeqw   m5, m %+ l, [rsp+mmsize*1]
+pcmpeqw   m6, m %+ l, [rsp+mmsize*2]
+pcmpeqw   m %+ l, [rsp+mmsize*3]
+pand  m4, [rsp+mmsize*4]
+pand  m5, [rsp+mmsize*5]
+pand  m6, [rsp+mmsize*6]
+pand  m %+ l, m7
+por   m4, m5
+por   m6, m %+ l
+por   m4, m6
+paddw m %+ k, m4
+%endif ; ARCH
+CLIPW m %+ k, m14, m13
+mova  [dstq + i], m %+ k
+%assign i i+mmsize
+%assign j j+1
 %endrep
 
-%if %2 == 48
-INIT_XMM cpuname
-mova  m8, [srcq + i]
-HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8
-CLIPW m8, m14, m13
-mova  [dstq + i], m8
-
-mova  m9, [srcq + i + mmsize]
-HEVC_SAO_BAND_FILTER_COMPUTE %1, m8, m9
-CLIPW m9, m14, m13
-mova  [dstq + i + mmsize], m9
-%if cpuflag(avx2)
-INIT_YMM cpuname
-%endif
-%endif ; %1 == 48
-
 add dstq, dststrideq
 add srcq, srcstrideq
 dec  heightd
@@ -177,17 +149,17 @@ INIT_YMM cpuname
 %endmacro
 
 %macro HEVC_SAO_BAND_FILTER_FUNCS 0
-HEVC_SAO_BAND_FILTER 10,  8, 0
-HEVC_SAO_BAND_FILTER 10, 16, 1
-HEVC_SAO_BAND_FILTER 10, 32, 2
-HEVC_SAO_BAND_FILTER 10, 48, 2
-HEVC_SAO_BAND_FILTER 10, 64, 4
-
-HEVC_SAO_BAND_FILTER