[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: master | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 2a1b70f..c30da60 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
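Review bot: The new `fps < 0.0f` test in nuv_header lets NaN and infinities through, because every ordered comparison with NaN is false and `fps` is built directly from 64 file-controlled bits by `av_int2double(avio_rl64(pb))`. Whether a non-finite rate causes harm depends on how `fps` is consumed further down, which is outside this hunk, but rejecting it here is cheap: `if (!(fps >= 0.0) || isinf(fps)) {`. The literal would also read better as `0.0`, since av_int2double returns a double. The same hunk is cherry-picked to release/2.8 further down this page and the point applies there as well.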
[FFmpeg-cvslog] nutdec: only copy the header if it exists
ffmpeg | branch: release/2.8 | Andreas Cadhalpun| Fri Dec 18 15:18:47 2015 +0100| [38f8c80901033042488579c8975efb39ab153793] | committer: Andreas Cadhalpun nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38f8c80901033042488579c8975efb39ab153793 --- libavformat/nutdec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 63b0cd2..201c34e 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; -memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); +if (nut->header[header_idx]) +memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
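Review bot: The added guard in decode_frame tests the pointer `nut->header[header_idx]`, while the packet size and the copy length both come from `nut->header_len[header_idx]`, so the fix is only complete if a NULL header always has length 0. That invariant is established outside this hunk; if it were ever violated, the first `header_len` bytes of `pkt->data` would be left unwritten and passed on uninitialized. A one-line comment above the guard, such as `/* a NULL header always has header_len 0, so nothing is skipped here */`, would record the assumption next to the code that relies on it.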
[FFmpeg-cvslog] exr: fix out of bounds read in get_code
ffmpeg | branch: release/2.8 | Andreas Cadhalpun| Sun Dec 13 23:17:09 2015 +0100| [945ae04fab4513ee724751d908e87a3447c3e609] | committer: Andreas Cadhalpun exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=945ae04fab4513ee724751d908e87a3447c3e609 --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b9de7c1..8feb9bd 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ -if (out + cs > oe)\ +if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; -get_code(pl.p[j], rlc, c, lc, gb, out, oe); +get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } 
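Review bot: In the `get_code` hunk the upper bound is still written as `out + cs > oe`, which forms a pointer beyond the output buffer before comparing it; that is undefined once it lands more than one element past the end, and a compiler may assume it cannot happen. Comparing lengths avoids forming the pointer at all: `if (out == outb || cs > oe - out)`. The type of `cs` is declared in huf_decode outside the hunk, so how far the pointer can overshoot is not visible here. The macro now takes eight arguments while still returning from its caller and using the caller's `cs` and `s`, so a short comment above it listing what the caller must provide would help; the macro body starts and ends outside this hunk.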
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb
ffmpeg | branch: release/2.8 | Andreas Cadhalpun| Wed Dec 16 16:48:19 2015 +0100| [6d7b4dbcb4103a0c54d486d3a51aa3122a4914b6] | committer: Andreas Cadhalpun on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d7b4dbcb4103a0c54d486d3a51aa3122a4914b6 --- libavcodec/on2avc.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 15f4dd1..04c8e41 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; -while (get_bits1(gb)) v++; +while (get_bits1(gb)) { +v++; +if (v > 30) { +av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); +v = 30; +break; +} +} -return (1 << v) + get_bits(gb, v); +return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
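Review bot: The clamp in get_egolomb logs through `av_log(NULL, ...)` and then continues with a substituted value, so a damaged stream produces warnings that cannot be attributed to a decoder instance and that can repeat on every call. The function only receives the `GetBitContext`, so a log context cannot be passed without changing its signature. A comment recording the choice would help, e.g. `/* v is capped at 30 so that (1 << v) + get_bits_long(gb, v) fits in an int; the stream is not rejected */`. Whether callers validate the returned value is outside this hunk.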
[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: release/2.8 | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [79f407b79a825c3123aff65cef64b383eca5a95e] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79f407b79a825c3123aff65cef64b383eca5a95e --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8..cb51511 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height
ffmpeg | branch: release/2.8 | Andreas Cadhalpun| Fri Dec 18 19:28:51 2015 +0100| [778c8de40f2c8d8bdbdf9a52306c59b6a425d401] | committer: Andreas Cadhalpun xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=778c8de40f2c8d8bdbdf9a52306c59b6a425d401 --- libavcodec/xwddec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 2febedc..64cd841 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { +if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
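Review bot: Only the second product of the size check is widened; `ncolors * XWD_CMAP_SIZE` is still evaluated in the type of `ncolors` before it is added to the 64-bit term. If `ncolors` is bounded earlier in xwd_decode_frame this cannot wrap, but that check is outside the hunk, and casting both terms removes the dependency: `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`.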
[FFmpeg-cvslog] avfilter/avf_showfreqs: make it possible to split channels
ffmpeg | branch: master | Paul B Mahol| Sun Dec 20 19:52:51 2015 +0100| [9e569abe995dc41a3e8fb30fb6d9c4d002b8ba4d] | committer: Paul B Mahol avfilter/avf_showfreqs: make it possible to split channels Signed-off-by: Paul B Mahol > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9e569abe995dc41a3e8fb30fb6d9c4d002b8ba4d --- doc/filters.texi| 11 +++ libavfilter/avf_showfreqs.c | 19 +-- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index ba81dc7..a55cad4 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -14438,6 +14438,17 @@ Default is @code{1}, which means time averaging is disabled. Specify list of colors separated by space or by '|' which will be used to draw channel frequencies. Unrecognized or missing colors will be replaced by white color. + +@item cmode +Set channel display mode. + +It accepts the following values: +@table @samp +@item combined +@item separate +@end table +Default is @code{combined}. + @end table @section showspectrum diff --git a/libavfilter/avf_showfreqs.c b/libavfilter/avf_showfreqs.c index 3ed0155..df3fcd1 100644 --- a/libavfilter/avf_showfreqs.c +++ b/libavfilter/avf_showfreqs.c @@ -34,6 +34,7 @@ #include "internal.h" enum DisplayMode{ LINE, BAR, DOT, NB_MODES }; +enum ChannelMode{ COMBINED, SEPARATE, NB_CMODES }; enum FrequencyScale { FS_LINEAR, FS_LOG, FS_RLOG, NB_FSCALES }; enum AmplitudeScale { AS_LINEAR, AS_SQRT, AS_CBRT, AS_LOG, NB_ASCALES }; enum WindowFunc { WFUNC_RECT, WFUNC_HANNING, WFUNC_HAMMING, WFUNC_BLACKMAN, @@ -45,6 +46,7 @@ typedef struct ShowFreqsContext { const AVClass *class; int w, h; int mode; +int cmode; int fft_bits; int ascale, fscale; int avg; 
@@ -115,6 +117,9 @@ static const AVOption showfreqs_options[] = { { "overlap", "set window overlap", OFFSET(overlap), AV_OPT_TYPE_FLOAT, {.dbl=1.}, 0., 1., FLAGS }, { "averaging", "set time averaging", OFFSET(avg), AV_OPT_TYPE_INT, {.i64=1}, 0, INT32_MAX, FLAGS }, { "colors", "set channels colors", OFFSET(colors), AV_OPT_TYPE_STRING, {.str = "red|green|blue|yellow|orange|lime|pink|magenta|brown" }, 0, 0, FLAGS }, +{ "cmode", "set channel mode", OFFSET(cmode), AV_OPT_TYPE_INT, {.i64=COMBINED}, 0, NB_CMODES-1, FLAGS, "cmode" }, +{ "combined", "show all channels in same window", 0, AV_OPT_TYPE_CONST, {.i64=COMBINED}, 0, 0, FLAGS, "cmode" }, +{ "separate", "show each channel in own window", 0, AV_OPT_TYPE_CONST, {.i64=SEPARATE}, 0, 0, FLAGS, "cmode" }, { NULL } }; @@ -358,6 +363,7 @@ static inline void plot_freq(ShowFreqsContext *s, int ch, const float avg = s->avg_data[ch][f]; const float bsize = get_bsize(s, f); const int sx = get_sx(s, f); +int end = outlink->h; int x, y, i; switch(s->ascale) { @@ -374,7 +380,16 @@ static inline void plot_freq(ShowFreqsContext *s, int ch, a = 1.0 - a; break; } -y = a * outlink->h - 1; + +switch (s->cmode) { +case COMBINED: +y = a * outlink->h - 1; +break; +case SEPARATE: +end = (outlink->h / s->nb_channels) * (ch + 1); +y = (outlink->h / s->nb_channels) * ch + a * (outlink->h / s->nb_channels) - 1; +break; +} if (y < 0) return; @@ -410,7 +425,7 @@ static inline void plot_freq(ShowFreqsContext *s, int ch, break; case BAR: for (x = sx; x < sx + bsize && x < w; x++) -for (i = y; i < outlink->h; i++) +for (i = y; i < end; i++) draw_dot(out, x, i, fg); break; case DOT: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
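Review bot: In the plot_freq hunk the new `switch (s->cmode)` has no `default`, so `y` (declared without an initializer in `int x, y, i;`) is only assigned because the option table limits `cmode` to the two enum values; adding `default: return;` removes that silent dependency. The `SEPARATE` branch also spells out `outlink->h / s->nb_channels` three times; a local such as `const int ch_h = outlink->h / s->nb_channels;` makes the two assignments easier to read and makes it visible that the per-channel height becomes 0 when there are more channels than rows. plot_freq begins and ends outside the hunks shown.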
[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check
ffmpeg | branch: master | Andreas Cadhalpun| Sat Dec 19 23:45:06 2015 +0100| [699e68371ec7e381e5cc48e3d96e29c669261af7] | committer: Andreas Cadhalpun rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=699e68371ec7e381e5cc48e3d96e29c669261af7 --- libavcodec/rawdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 611178f..50cee39 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -257,7 +257,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); -if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0)) { +if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(>buf[0]); return AVERROR(EINVAL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
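Review bot: The BIT0 test in this condition can never match: `avctx->codec_tag & 0xFF` keeps only the low byte, while `MKTAG('B','I','T', 0)` packs three non-zero characters, so the `!=` is always true and the whole condition reduces to `buf_size < len`. That fails closed, so undersized buffers are still rejected, but the `need_copy` exemption this commit narrows is effectively dead code. Assuming MKTAG builds the usual little-endian FourCC, the mask was probably meant to cover three bytes: `(avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)`. raw_decode continues outside the hunk.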
[FFmpeg-cvslog] avcodec/dirac_parser: Fix potential overflows in pointer checks
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 17:11:54 2015 +0100| [cc88d7a640884e29490b1adb598643ab1365d747] | committer: Michael Niedermayer avcodec/dirac_parser: Fix potential overflows in pointer checks Signed-off-by: Michael Niedermayer (cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc88d7a640884e29490b1adb598643ab1365d747 --- libavcodec/dirac_parser.c |8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 61a978d..36674d7 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { -uint8_t *start = pc->buffer + offset; -uint8_t *end = pc->buffer + pc->index; -if (start < pc->buffer || (start + 13 > end)) +int8_t *start; + +if (offset < 0 || pc->index - 13 < offset) return 0; + +start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
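Review bot: `start` changes from `uint8_t *` to `int8_t *` in this rewrite of unpack_parse_unit, which looks unintended: the removed line assigned `pc->buffer + offset` to a `uint8_t *`, so the new assignment mixes pointer signedness, and `start[4]` is now read as a signed byte before it is stored in `pu->pu_type`. Declaring it as `uint8_t *start;` keeps the overflow fix without the sign change. The new bounds test `pc->index - 13 < offset` is correct for a signed `pc->index`; its type is declared outside the hunk.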
[FFmpeg-cvslog] avformat/smacker: fix integer overflow with pts_inc
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 13:06:16 2015 +0100| [354fa47018e333baeb3a6979d13cce8703bc19c8] | committer: Michael Niedermayer avformat/smacker: fix integer overflow with pts_inc Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=354fa47018e333baeb3a6979d13cce8703bc19c8 --- libavformat/smacker.c |5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4ad..de8bbdb 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); +if (smk->pts_inc > INT_MAX / 100) { +av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); +return AVERROR_INVALIDDATA; +} + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
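Review bot: The new check bounds `smk->pts_inc` only from above, although the value has just been cast to `int32_t` and can therefore be negative, down to `INT_MIN`. How negative values are handled is outside this hunk, but if they are negated or scaled later in smacker_read_header, `INT_MIN` would still overflow. Extending the condition closes that case: `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN) {`.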
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 20:52:39 2015 +0100| [20a96b9d8c71b77761b82edd1971dc54354c175f] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() Fixes out of array access Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20a96b9d8c71b77761b82edd1971dc54354c175f --- libavcodec/jpeg2000dwt.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ceceda3..015a4fe 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -555,6 +555,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { +if (s->ndeclevels == 0) +return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/mathematics: Fix division by 0
ffmpeg | branch: release/2.6 | Michael Niedermayer| Wed Dec 9 17:39:38 2015 +0100| [f821441795c4131ba638216ea92f0cb9f660fdbf] | committer: Michael Niedermayer avutil/mathematics: Fix division by 0 Fixes: CID1341571 Signed-off-by: Michael Niedermayer (cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f821441795c4131ba638216ea92f0cb9f660fdbf --- libavutil/mathematics.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 4d8467b..78a87d8 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) else { int64_t ad = a / c; int64_t a2 = (a % c * b + r) / c; -if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) +if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) return INT64_MIN; return ad * b + a2; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vp3: ensure header is parsed successfully before tables
ffmpeg | branch: release/2.6 | Michael Niedermayer| Wed Dec 2 22:59:56 2015 +0100| [63c50350b6e5038e3acf95a56fe58d43e3db5422] | committer: Michael Niedermayer avcodec/vp3: ensure header is parsed successfully before tables Fixes assertion failure Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_76ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63c50350b6e5038e3acf95a56fe58d43e3db5422 --- libavcodec/vp3.c |7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c6f83dd..3b19db9 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; -int theora, theora_tables; +int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -2251,6 +2251,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; +s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2356,6 +2357,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } +s->theora_header = 1; return 0; } @@ -2364,6 +2366,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; +if (!s->theora_header) +return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
ffmpeg | branch: release/2.6 | Michael Niedermayer| Wed Sep 30 13:10:48 2015 +0200| [292842a0ed80afc0ad80626397100fed5e9595f4] | committer: Michael Niedermayer avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup The variable is not a constant and can lead to race conditions Fixes: repro.webm (not reproducable with FFmpeg alone) Found-by: Dale Curtis Tested-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=292842a0ed80afc0ad80626397100fed5e9595f4 --- libavcodec/vp8.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 0dae1b2..7cea034 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -164,7 +164,7 @@ int update_dimensions(VP8Context *s, int width, int height, int is_vp7) s->mb_height = (s->avctx->coded_height + 15) / 16; s->mb_layout = is_vp7 || avctx->active_thread_type == FF_THREAD_SLICE && - FFMIN(s->num_coeff_partitions, avctx->thread_count) > 1; + avctx->thread_count > 1; if (!s->mb_layout) { // Frame threading and one thread s->macroblocks_base = av_mallocz((s->mb_width + s->mb_height * 2 + 1) * sizeof(*s->macroblocks)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/cabac_functions: Fix "left shift of negative value -31767"
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 12:11:29 2015 +0100| [2da8c533869afc5836d144571fb5e8b824f15e03] | committer: Michael Niedermayer avcodec/cabac_functions: Fix "left shift of negative value -31767" Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2da8c533869afc5836d144571fb5e8b824f15e03 --- libavcodec/cabac_functions.h |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29..4e13253 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ -int i, x; +int i; +unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/timecode: Fix fps check
ffmpeg | branch: release/2.6 | Michael Niedermayer| Thu Dec 3 03:14:11 2015 +0100| [2e77ab8f100946d2467e3800a7964e2d94eae288] | committer: Michael Niedermayer avutil/timecode: Fix fps check The fps variable is explicitly set to -1 in case of some errors, the check must thus be signed or the code setting it needs to use 0 as error code the type of the field could be changed as well but its in an installed header Fixes: integer overflow Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e77ab8f100946d2467e3800a7964e2d94eae288 --- libavutil/timecode.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040..bf463ed 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { -if (tc->fps <= 0) { +if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
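Review bot: The `(int)` cast in check_timecode is explained only in the commit message; in the code it looks redundant and is likely to be dropped in a later cleanup. A comment on the line, such as `/* fps is unsigned in the installed header but is set to -1 on some errors */`, keeps the reason where the next reader will see it. As written the cast also rejects values above `INT_MAX`, which seems intended but is worth saying in the same comment.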
[FFmpeg-cvslog] avcodec/apedec: Check length in long_filter_high_3800()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Wed Dec 2 21:16:27 2015 +0100| [0350f373f7f0eebc2f49a5144511ba4a7b718c1b] | committer: Michael Niedermayer avcodec/apedec: Check length in long_filter_high_3800() Fixes out of array read Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0350f373f7f0eebc2f49a5144511ba4a7b718c1b --- libavcodec/apedec.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 03afd75..9984b40 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len int32_t dotprod, sign; int32_t coeffs[256], delay[256]; +if (order >= length) +return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
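Review bot: The added `order >= length` test protects the reads from `buffer`, but `order` is still not checked against the 256-element `coeffs` and `delay` arrays that the `memset` and the copy loop directly below write to, nor against negative values. The call sites are outside this hunk and may only ever pass small constants; if so, a comment stating that is enough, otherwise `if (order < 0 || order > 256 || order >= length) return;` covers it. The body of long_filter_high_3800 continues past the hunk.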
[FFmpeg-cvslog] avcodec/vp3: Fix "runtime error: left shift of negative value"
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Dec 4 12:47:20 2015 +0100| [ad09bebe0cad7eaeda0c09eea00c68197c2a8e65] | committer: Michael Niedermayer avcodec/vp3: Fix "runtime error: left shift of negative value" Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_76ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ad09bebe0cad7eaeda0c09eea00c68197c2a8e65 --- libavcodec/vp3.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fbacedf..c6f83dd 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
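Review bot: `TOKEN_ZERO_RUN` now mixes `(coeff) * 512` with `(zero_run) << 2` and nothing in the code says why, so the multiplications are easy to "simplify" back into shifts later. A comment above the two macros, for example `/* coeff may be negative: multiply instead of shifting to avoid undefined behavior */`, would keep the reason with the code. The remaining shifts on `zero_run` and `eob_run` are fine only if those are never negative, which is not visible in this hunk.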
[FFmpeg-cvslog] avcodec/hevc_cabac: Fix multiple integer overflows
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 22:45:46 2015 +0100| [4916aa2383153745d2ca54c7f8ea6cbc75f1c00e] | committer: Michael Niedermayer avcodec/hevc_cabac: Fix multiple integer overflows Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4916aa2383153745d2ca54c7f8ea6cbc75f1c00e --- libavcodec/hevc_cabac.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3862df7..9fe99da 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -883,11 +883,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc)) { -ret += 1 << k; +ret += 1U << k; k++; } -if (k == CABAC_MAX_BIN) +if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); +return 0; +} while (k--) ret += get_cabac_bypass(>HEVClc->cc) << k; return get_cabac_bypass_sign(>HEVClc->cc, -ret); @@ -1025,8 +1027,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc)) prefix++; -if (prefix == CABAC_MAX_BIN) +if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); +return 0; +} if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
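Review bot: Both new error paths `return 0`, which is also a valid decoded value, so mvd_decode and coeff_abs_level_remaining_decode hand their callers a substituted result that cannot be told apart from real data, and the error is logged once per affected symbol. Since both functions return the decoded value itself, propagating an error code would need a signature change outside this hunk. At minimum a comment on each return would document the choice, e.g. `/* corrupt stream: 0 is a placeholder, the error is only logged */`.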
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 21:02:13 2015 +0100| [40d5f570d8aa42ab54e2f30cded7b257ee8797f5] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() Signed-off-by: Michael Niedermayer (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=40d5f570d8aa42ab54e2f30cded7b257ee8797f5 --- libavcodec/jpeg2000dwt.c |3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 015a4fe..925adea 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -540,6 +540,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, uint16_t border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { +if (s->ndeclevels == 0) +return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/cabac: Check initial cabac decoder state
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 13:37:50 2015 +0100| [1f6aea2cc4e379346d0b5b67e9ce775e12b39def] | committer: Michael Niedermayer avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h Conflicts: libavcodec/h264_cabac.c libavcodec/h264_slice.c > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f6aea2cc4e379346d0b5b67e9ce775e12b39def --- libavcodec/cabac.c |5 - libavcodec/cabac.h |2 +- libavcodec/cabac_functions.h |3 ++- libavcodec/h264_cabac.c |5 - libavcodec/h264_slice.c |5 - 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 81a75dd..48f70ca 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; +if ((c->range<<(CABAC_BITS+1)) < c->low) +return AVERROR_INVALIDDATA; +return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed..857211c 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h 
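Review bot: `ff_init_cabac_decoder` now returns an error, but the doc comment above it (its tail, `@param buf_size size of buf in bits`, is visible in the first cabac.c hunk) gains no `@return`, and only the three call sites touched by this commit check the result. Suggest adding `@return 0 on success, AVERROR_INVALIDDATA if the initial decoder state is invalid`, and, if cabac.h can use it, marking the prototype `av_warn_unused_result` so that any caller outside this diff is flagged by the compiler instead of silently ignoring the failure. Whether such callers exist is not visible here.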
@@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 4e13253..2d1d2a6 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; -ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); +if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) +return NULL; return ptr; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 41e0f86..397b070 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2000,6 +2000,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; +int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2016,7 +2017,9 @@ decode_intra_mb: h->intra_pcm_ptr = ptr; ptr += mb_size; -ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr); +ret = ff_init_cabac_decoder(>cabac, ptr, h->cabac.bytestream_end - ptr); +if (ret < 0) +return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 3501be3..b0b4060 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -2422,13 +2422,16 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) } if (h->pps.cabac) { +int ret; /* realign */ align_get_bits(>gb); /* init cabac */ -ff_init_cabac_decoder(>cabac, +ret = ff_init_cabac_decoder(>cabac, h->gb.buffer + get_bits_count(>gb) / 8, (get_bits_left(>gb) + 7) / 8); +if (ret < 0) +return ret; ff_h264_init_cabac_states(h); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc: allocate entries unconditionally
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 23:33:03 2015 +0100| [c84ec8d5c93887c2a97c3da514848f5fbb5ba3e6] | committer: Michael Niedermayer avcodec/hevc: allocate entries unconditionally Fixes out of array access Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c84ec8d5c93887c2a97c3da514848f5fbb5ba3e6 --- libavcodec/hevc.c |4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index a2c602a..66ebf3d 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2430,11 +2430,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) return AVERROR(ENOMEM); } +ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { -ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
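Review bot: The result of `ff_alloc_entries()` is discarded at its new unconditional call site in hls_slice_data_wpp(). If it reports allocation failure through its return value (its declaration is outside the hunk), decoding continues on every WPP slice with an entries array that may be missing or too small, which is the condition this change is meant to remove. Capturing the result, `res = ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1);`, and returning it through the function's usual cleanup when `res < 0` would close that gap. The function starts and ends outside the hunk.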
[FFmpeg-cvslog] avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
ffmpeg | branch: release/2.6 | Michael Niedermayer| Tue Dec 1 12:44:23 2015 +0100| [100dbe1bf007024224c7ae2bb5d1aa956d979722] | committer: Michael Niedermayer avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd The code expects actual positive numbers and gives completely wrong results if INT64_MIN is treated as positive Instead clip it into the valid range that is add 1 and treat it as negative Signed-off-by: Michael Niedermayer (cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=100dbe1bf007024224c7ae2bb5d1aa956d979722 --- libavutil/mathematics.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc..b1ffd65 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } -if (a < 0 && a != INT64_MIN) -return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); +if (a < 0) +return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
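Review bot: Clipping INT64_MIN to -INT64_MAX changes the caller's input by one with no trace in the code or, as far as the hunk shows, in the function's documentation. A comment on the new line such as `/* INT64_MIN cannot be negated; clip to -INT64_MAX and accept the off-by-one */` would make the intent visible. The outer negation still assumes the recursive call never returns INT64_MIN; whether that holds depends on the overflow paths further down in av_rescale_rnd(), outside the hunk.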
[FFmpeg-cvslog] avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 17:14:36 2015 +0100| [09305dca59fd36509b593292a78ef7e7cf8220fd] | committer: Michael Niedermayer avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset Signed-off-by: Michael Niedermayer (cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09305dca59fd36509b593292a78ef7e7cf8220fd --- libavcodec/dirac_parser.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 36674d7..1ca7e31 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; +if (pu->next_pu_offset && pu->next_pu_offset < 13) { +av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); +return 0; +} +if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { +av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); +return 0; +} + return 1; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
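Review bot: Both new checks in unpack_parse_unit() bound the offsets only from below, so an offset larger than the data actually buffered still passes here; whether the caller compares it against the buffer size is outside the hunk. The literal 13 now appears three times in this function and would read better as one named constant (it looks like the parse-unit header size, to be confirmed). The messages are logged with `av_log(NULL, ...)`, which drops the stream context; passing a context pointer, if one is reachable from `pc`, would make the reports attributable.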
[FFmpeg-cvslog] avcodec/hevc: Check entry_point_offsets
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Nov 27 18:30:05 2015 +0100| [6157938408a020d973b9e80c11d3e3e00899bea7] | committer: Michael Niedermayer avcodec/hevc: Check entry_point_offsets Fixes out of array read Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6157938408a020d973b9e80c11d3e3e00899bea7 --- libavcodec/hevc.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 2ebb7e2..a2c602a 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2420,7 +2420,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); -int offset; +int64_t offset; int startheader, cmpt = 0; int i, j, res = 0; @@ -2467,6 +2467,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; +if (length < offset) { +av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); +res = AVERROR_INVALIDDATA; +goto error; +} s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; 
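Review bot: The new guard rejects `length < offset` but not a negative `offset`. `offset` is now int64_t and is built from entry_point_offset values minus `cmpt`; if those can drive it below zero (the accumulation loop is outside the hunk), `length - offset` and `offset` are still stored into `s->sh.size[]` and `s->sh.offset[]`. Extending the test to `if (offset < 0 || length < offset) {` covers both directions. Only the last entry is checked in the visible lines, so earlier entries rely on the offsets being non-decreasing.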
@@ -2493,6 +2498,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/utils: Clear dimensions in ff_get_buffer() on failure
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Nov 28 20:08:46 2015 +0100| [a0a2bfbfd876571344df2b7fe5fd781791ec02a3] | committer: Michael Niedermayer avcodec/utils: Clear dimensions in ff_get_buffer() on failure Fixes out of array access Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a0a2bfbfd876571344df2b7fe5fd781791ec02a3 --- libavcodec/utils.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index d5b01d6..a83b0ba 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1032,8 +1032,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); -if (ret < 0) +if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); +frame->width = frame->height = 0; +} return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
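Review bot: The failure branch of ff_get_buffer() now zeroes `frame->width` and `frame->height` with no comment on why, and leaves every other field as get_buffer_internal() left it. A short comment such as `/* do not leave dimensions on a frame that has no buffers */` would explain the line to the next reader. For audio frames the analogous field would be nb_samples; whether it needs the same treatment depends on what get_buffer_internal() sets before failing, which the hunk does not show.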
[FFmpeg-cvslog] avcodec/hevc: Fix integer overflow of entry_point_offset
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 22:08:59 2015 +0100| [929fd61602710211ccfd3c7fd8093fb6b032ad86] | committer: Michael Niedermayer avcodec/hevc: Fix integer overflow of entry_point_offset Fixes out of array read Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 214085852491448631dcecb008b5d172c11b8892) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=929fd61602710211ccfd3c7fd8093fb6b032ad86 --- libavcodec/hevc.c |4 ++-- libavcodec/hevc.h |2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 66ebf3d..a8643d0 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -716,7 +716,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(>entry_point_offset); av_freep(>offset); av_freep(>size); -sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); +sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -2421,7 +2421,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int64_t offset; -int startheader, cmpt = 0; +int64_t startheader, cmpt = 0; int i, j, res = 0; if (!ret || !arg) { diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 22d6989..9e183b7 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h 
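Review bot: `av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned))` repeats the element type by hand, so the allocation and the declaration in hevc.h have to be changed together, as this commit has to do. Writing `sizeof(*sh->entry_point_offset)`, and likewise for `sh->offset` and `sh->size`, keeps the element size tied to the pointer's type. hls_slice_header() starts and ends outside the hunk.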
@@ -609,7 +609,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand -int *entry_point_offset; +unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd () for overflows
ffmpeg | branch: release/2.6 | Michael Niedermayer| Tue Dec 1 13:32:31 2015 +0100| [00fde782a10902270c3d92d92427297683fb911b] | committer: Michael Niedermayer avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows Fixes integer overflow Fixes: mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00fde782a10902270c3d92d92427297683fb911b --- libavutil/mathematics.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index b1ffd65..4d8467b 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) } if (a < 0) -return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); +return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; -else -return a / c * b + (a % c * b + r) / c; +else { +int64_t ad = a / c; +int64_t a2 = (a % c * b + r) / c; +if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) +return INT64_MIN; +return ad * b + a2; +} } else { #if 1 uint64_t a0 = a & 0x; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } +if (t1 > INT64_MAX) +return INT64_MIN; return t1; } #else ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
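Review bot: The new overflow test divides by `b` in `(INT64_MAX - a2) / b` without excluding `b == 0`. Unless a zero multiplier is rejected earlier in av_rescale_rnd() (not visible in the hunk), a call with `a > INT_MAX`, `b == 0` and a quotient `ad >= INT32_MAX` reaches a division by zero. Adding the operand to the condition, `if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)`, avoids it, since a zero `b` cannot overflow `ad * b`. The INT64_MIN return for overflow also deserves a line in the function's documentation, because callers previously received a wrapped value.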
[FFmpeg-cvslog] avcodec/vp3: Clear context on reinitialization failure
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Nov 28 00:23:54 2015 +0100| [67b29888f4dc03a45dd060fbb785481ac91b0219] | committer: Michael Niedermayer avcodec/vp3: Clear context on reinitialization failure Fixes null pointer dereference Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67b29888f4dc03a45dd060fbb785481ac91b0219 --- libavcodec/vp3.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b728bbc..a0845e4 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2014,17 +2014,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, ); +if (ret >= 0) +ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); -} else -ret = vp3_decode_init(avctx); +} return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, ); +if (ret >= 0) +ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); -} else -ret = vp3_decode_init(avctx); +} return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
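Review bot: Both rewritten branches in vp3_decode_frame() call `vp3_decode_end(avctx)` a second time on failure, after it already ran before the header was parsed, and now also after a possibly half-completed `vp3_decode_init()`. That is only safe if vp3_decode_end() tolerates repeated calls and partially initialised state, which is outside the hunk; a comment stating that requirement would help. The same five-line sequence is duplicated for the two header types and could be one small helper that takes the parse result.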
[FFmpeg-cvslog] avformat/matroskaenc: Check codecdelay before use
ffmpeg | branch: release/2.6 | Michael Niedermayer| Wed Dec 9 16:16:46 2015 +0100| [8e053f61f5622feff12609e21847f33342f556f5] | committer: Michael Niedermayer avformat/matroskaenc: Check codecdelay before use Fixes CID1238790 Signed-off-by: Michael Niedermayer (cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e053f61f5622feff12609e21847f33342f556f5 --- libavformat/matroskaenc.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 66b4555..2867c06b 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -896,14 +896,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, } if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) { +int64_t codecdelay = av_rescale_q(codec->initial_padding, + (AVRational){ 1, codec->sample_rate }, + (AVRational){ 1, 10 }); +if (codecdelay < 0) { +av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n"); +return AVERROR(EINVAL); +} // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding, // (AVRational){ 1, codec->sample_rate }, // st->time_base); -put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, - av_rescale_q(codec->initial_padding, - (AVRational){ 1, codec->sample_rate }, - (AVRational){ 1, 10 })); +put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay); } if (codec->codec_id == AV_CODEC_ID_OPUS) { put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
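Review bot: The new error message `"Initial padding is invalid\n"` does not say which values were rejected. Including them, e.g. `"Invalid initial padding %d at sample rate %d\n"` with `codec->initial_padding` and `codec->sample_rate`, would let a user tell a bad padding from a zero or negative sample rate, which also feeds the rescale as a denominator. The commented-out `ts_offset` block now sits between the computation and its use and could move above it or be dropped.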
[FFmpeg-cvslog] avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
ffmpeg | branch: release/2.6 | Rainer Hochecker| Sun Nov 15 13:58:50 2015 +0100| [bc264004e081db584bdac811536ad8154e07066b] | committer: Michael Niedermayer avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec Fixes a mpegts file with hevc that fails estimating duration. Increasing number of retries fixes the issue. Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bc264004e081db584bdac811536ad8154e07066b --- libavformat/utils.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index e5b1c58..bdcbd72 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2383,7 +2383,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 25LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/dump: Fix integer overflow in av_dump_format()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Tue Dec 1 12:40:32 2015 +0100| [93e168705dbe306ad040d56d4c3ac8a8567143ab] | committer: Michael Niedermayer avformat/dump: Fix integer overflow in av_dump_format() Fixes part of mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93e168705dbe306ad040d56d4c3ac8a8567143ab --- libavformat/dump.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index df102e6..71bb5bd 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -444,7 +444,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; -int64_t duration = ic->duration + 5000; +int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us= duration % AV_TIME_BASE; mins = secs / 60; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
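Review bot: The addition is now guarded, but the next line still narrows the 64-bit value: `secs = duration / AV_TIME_BASE;` assigns to an `int`. For durations close to INT64_MAX, which are the inputs this change targets, the quotient may not fit in an int and the printed time is then wrong. Keeping the intermediate 64-bit, e.g. `int64_t secs = duration / AV_TIME_BASE;` with a matching format for the hours, keeps the display correct. av_dump_format() continues outside the hunk.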
[FFmpeg-cvslog] avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
ffmpeg | branch: release/2.6 | Michael Niedermayer| Tue Nov 24 22:12:37 2015 +0100| [dd4c2fe74afe76868a279fd96fbc56eeffa5] | committer: Michael Niedermayer avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized Fixes out of array access Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd4c2fe74afe76868a279fd96fbc56eeffa5 --- libavcodec/h264_slice.c |1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 15700a8..3501be3 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1194,6 +1194,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) nb_slices = max_slices; } h->slice_context_count = nb_slices; +h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_context_init(h); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
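Review bot: The added `h->max_contexts = FFMIN(h->max_contexts, nb_slices);` only ever lowers the value and carries no comment tying it to `slice_context_count`. A comment such as `/* max_contexts must never exceed slice_context_count */` would document the invariant the fix depends on. Because the function takes a `reinit` flag, it is worth confirming that a later reinitialisation with more slices restores max_contexts somewhere outside the hunk; otherwise it stays at the smaller count.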
[FFmpeg-cvslog] avutil/integer: Fix av_mod_i() with negative dividend
ffmpeg | branch: release/2.6 | Michael Niedermayer| Tue Dec 1 12:41:43 2015 +0100| [d8a66a150ae1ef88b6d9a43905de0f90f4a1385f] | committer: Michael Niedermayer avutil/integer: Fix av_mod_i() with negative dividend Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8a66a150ae1ef88b6d9a43905de0f90f4a1385f --- libavutil/integer.c |8 1 file changed, 8 insertions(+) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0d..6d6855f 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = _temp; +if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { +a = av_mod_i(quot, av_sub_i(zero_i, a), b); +*quot = av_sub_i(zero_i, *quot); +return av_sub_i(zero_i, a); +} + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
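Review bot: The new negative-dividend branch in av_mod_i() recurses on `av_sub_i(zero_i, a)`, which is still negative when `a` is the most negative AVInteger, assuming av_sub_i() is plain two's-complement subtraction (it is defined outside the hunk). In that case every call takes the same branch again and the recursion does not terminate. A check after negating, which returns or asserts when the sign bit is still set, would bound it. The branch also fixes the rounding convention (quotient truncated toward zero, remainder carrying the dividend's sign) without saying so; that belongs in the function's documentation.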
[FFmpeg-cvslog] avcodec/vp3: always set pix_fmt in theora_decode_header()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Mon Nov 30 03:32:36 2015 +0100| [4d8d2f1991cd7514a3ccd6e4ad5e62bb8f1fba57] | committer: Michael Niedermayer avcodec/vp3: always set pix_fmt in theora_decode_header() Fixes assertion failure Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_76ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d8d2f1991cd7514a3ccd6e4ad5e62bb8f1fba57 --- libavcodec/vp3.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index a0845e4..fbacedf 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2321,7 +2321,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ -} +} else +avctx->pix_fmt = AV_PIX_FMT_YUV420P; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wmaprodec: Fix overflow of cutoff
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 13:11:23 2015 +0100| [5164067861ed3fc5311a12b7a197f23ba546b629] | committer: Michael Niedermayer avcodec/wmaprodec: Fix overflow of cutoff Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_76ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5164067861ed3fc5311a12b7a197f23ba546b629 --- libavcodec/wmaprodec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8083b73..0049a80 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -477,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; -int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) +int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
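Review bot: The widened expression still divides by `s->avctx->sample_rate` with no visible check that it is positive. If decode_init() does not reject a zero or negative sample rate before this loop (outside the hunk), the division is undefined for zero and `sample_rate >> 1` is implementation-defined for negative values. A guard before the loop, `if (avctx->sample_rate <= 0) return AVERROR_INVALIDDATA;`, would settle it. Writing the first constant as `440LL` as well would make the whole numerator 64-bit rather than only the second term.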
[FFmpeg-cvslog] avformat/mxfenc: Do not crash if there is no packet in the first stream
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sun Dec 13 16:13:22 2015 +0100| [10395b4738df2c312293460c84b72c13fa0eac70] | committer: Michael Niedermayer avformat/mxfenc: Do not crash if there is no packet in the first stream Fixes: Ticket4914 Signed-off-by: Michael Niedermayer (cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=10395b4738df2c312293460c84b72c13fa0eac70 --- libavformat/mxfenc.c |4 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index f2fc093..5e7a8b8 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2211,6 +2211,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { +if (!mxf->edit_units_count) { +av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); +return AVERROR_PATCHWELCOME; +} mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check bpno in decode_cblk()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Dec 4 16:23:24 2015 +0100| [7294d95689f9d70f565cb3aa8f485bed1d79928b] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check bpno in decode_cblk() Fixes: undefined shift Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7294d95689f9d70f565cb3aa8f485bed1d79928b --- libavcodec/jpeg2000dec.c |4 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 66f126f..1f71afd 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1081,6 +1081,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(>mqc, cblk->data); while (passno--) { +if (bpno < 0) { +av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); +return AVERROR_INVALIDDATA; +} switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
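Review bot: The loop in decode_cblk() now stops on `bpno < 0`, but the commit message names an undefined shift, and a shift count is just as undefined when it reaches the width of the shifted type. Whether bpno is bounded from above before the loop is outside the hunk; if it is not, the check should cover both ends. The new error return only helps if the call site tests it, which is also not visible here. The message `"bpno became negative\n"` could name the pass or code block so that reports are actionable.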
[FFmpeg-cvslog] mpegencts: Fix overflow in cbr mode period calculations
ffmpeg | branch: release/2.6 | Timo Teräs| Sat Nov 28 08:27:39 2015 +0200| [e8fa0e3ec633f716a53ba78aa5ebe37dd69694cb] | committer: Michael Niedermayer mpegencts: Fix overflow in cbr mode period calculations ts->mux_rate is int (signed 32-bit) type. The period calculations will start to overflow when mux_rate > 5mbps. This fixes overflows by converting first to 64-bit type. Fixes #5044. Signed-off-by: Timo Teräs Signed-off-by: Michael Niedermayer (cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8fa0e3ec633f716a53ba78aa5ebe37dd69694cb --- libavformat/mpegtsenc.c |6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index cc650bb..4440932 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -751,11 +751,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { -service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / +service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); -ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / +ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); -ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / +ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
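Review bot: The three period calculations in mpegts_write_header() repeat the same cast and the same divisor `(TS_PACKET_SIZE * 8 * 1000)`. Hoisting them, e.g. `const int64_t rate = ts->mux_rate;` plus a named local for the divisor, would leave one place to get the width right. Integer division can also yield 0 for low mux rates; whether a zero period is handled is outside the hunk and worth confirming.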
[FFmpeg-cvslog] avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Nov 28 17:26:05 2015 +0100| [80a24e88e3db27d3604584069122e359dda4a340] | committer: Michael Niedermayer avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() Fixes integer overflow Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80a24e88e3db27d3604584069122e359dda4a340 --- libavcodec/utils.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index f7d049b..d5b01d6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3092,8 +3092,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) if (enc->sample_aspect_ratio.num) { av_reduce(_aspect_ratio.num, _aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 5 13:48:06 2015 +0100| [e12f07b4751cc4b09b85c8d19b5c7a0b16c07556] | committer: Michael Niedermayer avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_76ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e12f07b4751cc4b09b85c8d19b5c7a0b16c07556 --- libavcodec/wmaprodec.c |6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 0049a80..4ea61c0 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags= AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + +if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { +avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); +return AVERROR_PATCHWELCOME; +} + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) av_dlog(avctx, "[%x] ", avctx->extradata[i]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
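Review bot: The new range check treats `bits_per_sample < 1` the same as an unsupported depth: it calls avpriv_request_sample() and returns AVERROR_PATCHWELCOME. A value of zero is malformed input rather than a missing feature, so asking users for a sample is misleading; splitting the test so that `s->bits_per_sample < 1` logs an error and returns `AVERROR_INVALIDDATA` would classify it correctly. The bound 32 would benefit from a short comment naming the computation it protects, which the hunk does not show.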
[FFmpeg-cvslog] avcodec/h264_refs: Fix long_idx check
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Dec 19 21:59:42 2015 +0100| [d0d9fad2ba5a0d53f59f69f780e3fb6f8ad97dff] | committer: Michael Niedermayer avcodec/h264_refs: Fix long_idx check Fixes out of array read Fixes mozilla bug 1233606 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0d9fad2ba5a0d53f59f69f780e3fb6f8ad97dff --- libavcodec/h264_refs.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 826b2ca..353412d 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -276,7 +276,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h) long_idx = pic_num_extract(h, pic_id, _structure); -if (long_idx > 31) { +if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
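Review bot: The `long_idx > 31U` test rejects negative values only through the implicit conversion of long_idx to unsigned, which gives the reader no hint and is easy to undo when someone tidies the literal. Assuming long_idx is a signed int (its declaration is outside the hunk), spelling the bound out as `if (long_idx < 0 || long_idx > 31) {` makes the out-of-array-read guard explicit. If the unsigned form is kept, a comment such as `/* unsigned compare also rejects negative long_idx */` on that line records the intent.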
[FFmpeg-cvslog] swscale/utils: Fix for runtime error: left shift of negative value -1
ffmpeg | branch: release/2.6 | Michael Niedermayer| Fri Dec 4 21:44:05 2015 +0100| [0fa22a42d6b2d5fe3a0f84c72395ea404421e9da] | committer: Michael Niedermayer swscale/utils: Fix for runtime error: left shift of negative value -1 Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0fa22a42d6b2d5fe3a0f84c72395ea404421e9da --- libswscale/utils.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index e7b5fa5..71456db 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -380,7 +380,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x1LL)>>7); for (i = 0; i < dstW; i++) { -int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); +int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avfilter/vf_mpdecimate: Add missing emms_c()
ffmpeg | branch: release/2.6 | Michael Niedermayer| Mon Dec 14 18:56:13 2015 +0100| [3f7bbb0ded3f16c9c8c5de96bbc1b71b6979274b] | committer: Michael Niedermayer avfilter/vf_mpdecimate: Add missing emms_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f7bbb0ded3f16c9c8c5de96bbc1b71b6979274b --- libavfilter/vf_mpdecimate.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 3ed9602..94c9e0b 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -120,10 +120,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), -FF_CEIL_RSHIFT(ref->height, vsub))) +FF_CEIL_RSHIFT(ref->height, vsub))) { +emms_c(); return 0; +} } +emms_c(); return 1; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
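Review bot: emms_c() is now repeated before each of the two returns that follow the plane comparison in decimate_frame, so any return added to this loop later has to remember the call as well. A single exit is sturdier: keep the result in a local, `break` out of the loop on the first differing plane, and call `emms_c();` once before `return ret;`. The function starts outside the hunk, so earlier returns are not visible here; presumably they run before any comparison and do not need the call.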
[FFmpeg-cvslog] avcodec/hevc: Check max ctb addresses for WPP
ffmpeg | branch: release/2.6 | Michael Niedermayer| Sat Nov 28 13:42:05 2015 +0100| [3e8d9eade6557aa98813e4c2ae7dc9bc33d0727e] | committer: Michael Niedermayer avcodec/hevc: Check max ctb addresses for WPP Fixes out of array read Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e8d9eade6557aa98813e4c2ae7dc9bc33d0727e --- libavcodec/hevc.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index a8643d0..061ea41 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2430,6 +2430,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length) return AVERROR(ENOMEM); } +if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->sps->ctb_width >= s->sps->ctb_width * s->sps->ctb_height) { +av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", +s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, +s->sps->ctb_width, s->sps->ctb_height +); +res = AVERROR_INVALIDDATA; +goto error; +} + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
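Review bot: The new bound in hls_slice_data_wpp is itself computed with plain multiplication, `s->sh.num_entry_point_offsets * s->sps->ctb_width` on the left and `s->sps->ctb_width * s->sps->ctb_height` on the right. If these fields are int and num_entry_point_offsets is only loosely bounded by the slice-header parser (both are outside the hunk), the product can overflow and the comparison can pass for a value it was meant to reject. Doing the arithmetic in 64 bits removes that dependency, for example `s->sh.num_entry_point_offsets * (int64_t)s->sps->ctb_width` and `(int64_t)s->sps->ctb_width * s->sps->ctb_height`.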
[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [7ad058168665a74c8975a2bb1bd4286d37280218] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ad058168665a74c8975a2bb1bd4286d37280218 --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8..cb51511 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
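Review bot: `fps < 0.0f` is false for NaN and lets infinities through, so a header whose 64 bits decode to a non-finite double passes this sanitization unchanged. Unless the later uses of fps in nuv_header (outside the hunk) already cope with that, the test could read `if (!isfinite(fps) || fps < 0.0) {`, which needs `<math.h>` if the file does not already include it. fps is a double, so the `0.0f` literals are better written `0.0`. The same hunk appears again in the release/2.6 cherry-pick further down.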
[FFmpeg-cvslog] exr: fix out of bounds read in get_code
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Sun Dec 13 23:17:09 2015 +0100| [5b88d24f241f1ae31d86d2987b17a1db7547a509] | committer: Andreas Cadhalpun exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b88d24f241f1ae31d86d2987b17a1db7547a509 --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9308ae0..29cb403 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ -if (out + cs > oe)\ +if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; -get_code(pl.p[j], rlc, c, lc, gb, out, oe); +get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } 
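Review bot: In the get_code macro the retained test `out + cs > oe` forms a pointer that can lie beyond the end of the output buffer before it is compared, which is undefined once cs exceeds the space left. Comparing lengths avoids that and sits naturally next to the new start-of-buffer test: `if (out == outb || cs > oe - out) \`. The macro also hides a `return` and now depends on a fourth caller-side variable, so a comment above it stating that it may only be expanded inside huf_decode, with outb being the start of the output buffer, would help. The declaration of cs is outside the hunks; the same change is repeated in the release/2.6 and release/2.5 cherry-picks below.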
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Wed Dec 16 16:48:19 2015 +0100| [3e187a9a2dfacea0d76df90dd88d957938f9d33c] | committer: Andreas Cadhalpun on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e187a9a2dfacea0d76df90dd88d957938f9d33c --- libavcodec/on2avc.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 1d8fcbc..9ca716c 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; -while (get_bits1(gb)) v++; +while (get_bits1(gb)) { +v++; +if (v > 30) { +av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); +v = 30; +break; +} +} -return (1 << v) + get_bits(gb, v); +return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
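Review bot: When the prefix is capped at 30 in get_egolomb the loop stops without consuming the rest of the run of 1 bits or its terminating 0, so every later read is out of step with the bitstream and the caller receives an ordinary-looking value with no way to tell. The warning is also logged with a NULL context once per bad code, which can flood the log on a damaged file. Since the function returns a plain int, the least invasive improvement is to document the behaviour, `/* prefix capped at 30: the value is not meaningful and the reader is desynchronised */`, and have the callers (outside the hunk) treat an implausibly large result as AVERROR_INVALIDDATA. The release/2.5 cherry-pick below carries the same hunk.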
[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Sat Dec 19 12:02:56 2015 +0100| [1dc135e03d83d14274e3049011396a5bcb36e464] | committer: Andreas Cadhalpun nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1dc135e03d83d14274e3049011396a5bcb36e464 --- libavformat/nutdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 41c9689..2be52e4 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -927,7 +927,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int return ret; } value_len = ffio_read_varlen(bc); -if (avio_tell(bc) + value_len >= maxpos) +if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
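Review bot: The rewritten bound in read_sm_data deserves a one-line comment, because the subtraction form looks equivalent to the old addition and could be "simplified" back: `/* compare with the bytes left; avio_tell(bc) + value_len could overflow */`. value_len is then passed as a size to av_packet_new_side_data on the following line. If that parameter is narrower than value_len (both declarations are outside the hunk), an explicit upper bound before the call would be worth adding. The release/2.6 cherry-pick below makes the same change.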
[FFmpeg-cvslog] nutdec: only copy the header if it exists
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Fri Dec 18 15:18:47 2015 +0100| [7f320ed15d7ba4c4c84764888eb126daea932d7b] | committer: Andreas Cadhalpun nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f320ed15d7ba4c4c84764888eb126daea932d7b --- libavformat/nutdec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 606deaa..41c9689 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; -memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); +if (nut->header[header_idx]) +memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
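Review bot: The new guard in decode_frame tests only the header pointer, while the packet was just allocated with `size + nut->header_len[header_idx]` bytes; if an entry ever had a NULL header with a non-zero length, the leading header_len bytes of pkt->data would be left unwritten. Whether that combination can occur depends on how the header table is filled, which is outside the hunk. If a NULL entry always has length 0, say so next to the check, e.g. `/* a NULL header has length 0; memcpy must not be passed NULL */`; otherwise reject the mismatch with AVERROR_INVALIDDATA. The same hunk is cherry-picked to release/2.6 and release/2.5 further down.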
[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Sat Dec 19 23:45:06 2015 +0100| [3219de21f4e9e9bcd09df9dbc5eab63492dd05a4] | committer: Andreas Cadhalpun rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3219de21f4e9e9bcd09df9dbc5eab63492dd05a4 --- libavcodec/rawdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9..5685539 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); -if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0)) { +if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(>buf[0]); return AVERROR(EINVAL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
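Review bot: As printed in this hunk the tag is masked with `0xFF` before it is compared with `MKTAG('B','I','T', 0)`; a one-byte mask can never equal a tag built from three characters, so the BIT0 exemption that the new `|| !need_copy` refines would never apply. The page has lost characters elsewhere (see `av_buffer_unref(>buf[0])`), so this may be an artefact of the listing, but if the file really reads this way the mask should cover the three tag bytes: `(avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)`. The definitions of MKTAG and need_copy are outside the hunk. The release/2.6 cherry-pick below shows the same line.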
[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height
ffmpeg | branch: release/2.7 | Andreas Cadhalpun| Fri Dec 18 19:28:51 2015 +0100| [f040f3e5d5abfe4f59036e7b671d7b03eda244e7] | committer: Andreas Cadhalpun xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f040f3e5d5abfe4f59036e7b671d7b03eda244e7 --- libavcodec/xwddec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdac..18b1f93 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { +if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
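Review bot: Only the `avctx->height * lsize` product is widened; `ncolors * XWD_CMAP_SIZE` on the same line is still evaluated in the type of ncolors before the addition. Unless ncolors is bounded earlier in xwd_decode_frame (outside the hunk), that product can wrap in the same way and weaken the buffer-size check. Widening both terms closes it: `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`. The release/2.6 cherry-pick below has the same line.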
[FFmpeg-cvslog] nutdec: only copy the header if it exists
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Fri Dec 18 15:18:47 2015 +0100| [ea5ac146cd94c781136abd2ff3e39daea9994516] | committer: Andreas Cadhalpun nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea5ac146cd94c781136abd2ff3e39daea9994516 --- libavformat/nutdec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 056f1f2..cdcce64 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1069,7 +1069,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; -memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); +if (nut->header[header_idx]) +memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] exr: fix out of bounds read in get_code
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Sun Dec 13 23:17:09 2015 +0100| [350f1f4919a13555167f378ef8f8f38f39db1a80] | committer: Andreas Cadhalpun exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=350f1f4919a13555167f378ef8f8f38f39db1a80 --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9308ae0..29cb403 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ -if (out + cs > oe)\ +if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; -get_code(pl.p[j], rlc, c, lc, gb, out, oe); +get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } 
@@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [b2cb7db14f82737f0d25602336c7f0ba9bbffdab] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b2cb7db14f82737f0d25602336c7f0ba9bbffdab --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8..cb51511 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Fri Dec 18 19:28:51 2015 +0100| [c4b2985d9ab0eaac9e8b454b693570ef80f41175] | committer: Andreas Cadhalpun xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c4b2985d9ab0eaac9e8b454b693570ef80f41175 --- libavcodec/xwddec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdac..18b1f93 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { +if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mlvdec: check that index_entries exist
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Sat Dec 19 23:44:53 2015 +0100| [c51800d324a9a86dcc84a57d29fff8f9d8f5b1e3] | committer: Andreas Cadhalpun mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c51800d324a9a86dcc84a57d29fff8f9d8f5b1e3 --- libavformat/mlvdec.c |5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 4ab08e5..4416814 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -358,6 +358,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; +if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { +av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); +return AVERROR_INVALIDDATA; +} + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Sat Dec 19 12:02:56 2015 +0100| [4d2f9368034353037ae4fb96c1156848fe0ebe7a] | committer: Andreas Cadhalpun nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d2f9368034353037ae4fb96c1156848fe0ebe7a --- libavformat/nutdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index cdcce64..e0f106a 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -872,7 +872,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int get_str(bc, type_str, sizeof(type_str)); value_len = ffio_read_varlen(bc); -if (avio_tell(bc) + value_len >= maxpos) +if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check
ffmpeg | branch: release/2.6 | Andreas Cadhalpun| Sat Dec 19 23:45:06 2015 +0100| [462afe5d00c815aef20ee33aaabcf1d30e4455c8] | committer: Andreas Cadhalpun rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=462afe5d00c815aef20ee33aaabcf1d30e4455c8 --- libavcodec/rawdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9..5685539 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); -if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0)) { +if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(>buf[0]); return AVERROR(EINVAL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] exr: fix out of bounds read in get_code
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Sun Dec 13 23:17:09 2015 +0100| [79d75f1554de110d020a8035c86458a80dd7d773] | committer: Andreas Cadhalpun exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79d75f1554de110d020a8035c86458a80dd7d773 --- libavcodec/exr.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 0e62f4e..9088581 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -461,7 +461,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -470,7 +470,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ -if (out + cs > oe)\ +if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -503,7 +503,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -520,7 +520,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; -get_code(pl.p[j], rlc, c, lc, gb, out, oe); +get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } 
@@ -541,7 +541,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; -get_code(pl.lit, rlc, c, lc, gb, out, oe); +get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] nutdec: only copy the header if it exists
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Fri Dec 18 15:18:47 2015 +0100| [0f1e398874399ddf0586b54735d8c85ff1228c85] | committer: Andreas Cadhalpun nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f1e398874399ddf0586b54735d8c85ff1228c85 --- libavformat/nutdec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index cd1da9f..a28c632 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1069,7 +1069,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; -memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); +if (nut->header[header_idx]) +memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] ffm: reject invalid codec_id and codec_type
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Mon Dec 14 22:11:55 2015 +0100| [5478e7bbc106b5781b7a49429b2b9db0f2d4f378] | committer: Andreas Cadhalpun ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5478e7bbc106b5781b7a49429b2b9db0f2d4f378 --- libavformat/ffmdec.c | 28 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 87cf546..b1cc14a 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -267,6 +267,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; +const AVCodecDescriptor *codec_desc; int ret; int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; @@ -321,7 +322,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); +codec_desc = avcodec_descriptor_get(codec->codec_id); +if (!codec_desc) { +av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); +codec->codec_id = AV_CODEC_ID_NONE; +goto fail; +} codec->codec_type = avio_r8(pb); +if (codec->codec_type != codec_desc->type) { +av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); +codec->codec_id = AV_CODEC_ID_NONE; +codec->codec_type = AVMEDIA_TYPE_UNKNOWN; +goto fail; +} codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); 
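Review bot: The validation of codec_id and codec_type is added twice with identical text, here in ffm2_read_header and again in the ffm_read_header hunk that follows, so any later correction has to be made in both places. A small static helper taking `s`, `pb` and `codec`, reading the two fields and returning 0 or AVERROR_INVALIDDATA, would keep them in step and reduce each call site to `if (ret < 0) goto fail;`. Both functions continue outside the hunks, so what the `fail` label releases is not visible here.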
@@ -469,6 +483,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; +const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -506,7 +521,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); +codec_desc = avcodec_descriptor_get(codec->codec_id); +if (!codec_desc) { +av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); +codec->codec_id = AV_CODEC_ID_NONE; +goto fail; +} codec->codec_type = avio_r8(pb); /* codec_type */ +if (codec->codec_type != codec_desc->type) { +av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); +codec->codec_id = AV_CODEC_ID_NONE; +codec->codec_type = AVMEDIA_TYPE_UNKNOWN; +goto fail; +} codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Wed Dec 16 16:48:19 2015 +0100| [105be66545ec3fa250e3a4e4792b097cec7f62a1] | committer: Andreas Cadhalpun on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=105be66545ec3fa250e3a4e4792b097cec7f62a1 --- libavcodec/on2avc.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 7d2e81a..15b75e6 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; -while (get_bits1(gb)) v++; +while (get_bits1(gb)) { +v++; +if (v > 30) { +av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); +v = 30; +break; +} +} -return (1 << v) + get_bits(gb, v); +return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
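Review bot: The new message in get_egolomb is logged with a NULL context, `av_log(NULL, AV_LOG_WARNING, ...)`, and fires once per over-long code, so a damaged or hostile stream can fill the log with warnings that cannot be attributed to a decoder instance. The helper only receives the GetBitContext, so the caller that holds the codec context is the better place to report it, or the level could be lowered. The clamp keeps `(1 << v) + get_bits_long(gb, v)` within a signed int at v = 30, but the reason for 30 is not recorded; a comment such as `/* cap v at 30: (1 << 30) plus a 30-bit value still fits in a signed int */` would do. The release/2.4 cherry-pick later on the page is identical.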
[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [eca27eeea95f906c7d887cd98e5406e8531f1e44] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eca27eeea95f906c7d887cd98e5406e8531f1e44 --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index e7f0eea..f1bc93e 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
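Review bot: The added test `fps < 0.0f` does not catch NaN, because every ordered comparison with NaN is false, and it lets +infinity through as well. `fps` is built directly from 64 bits of the file by `av_int2double(avio_rl64(pb))`, so both values are reachable from input. Extending the condition to `if (fps < 0.0 || isnan(fps) || isinf(fps))` would cover them, provided those macros are available through the headers nuv.c already includes. How fps is consumed lies outside the hunk, so whether a non-finite rate does harm downstream needs checking there. The release/2.4 cherry-pick of this commit below has the same condition.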
[FFmpeg-cvslog] nutdec: reject negative value_len in read_sm_data
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Sat Dec 19 12:02:56 2015 +0100| [2db78f83bad187012f446ca43f6edcb845e7f513] | committer: Andreas Cadhalpun nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2db78f83bad187012f446ca43f6edcb845e7f513 --- libavformat/nutdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index a28c632..6ace90a 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -872,7 +872,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int get_str(bc, type_str, sizeof(type_str)); value_len = ffio_read_varlen(bc); -if (avio_tell(bc) + value_len >= maxpos) +if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
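Review bot: The new check bounds value_len only by the bytes remaining before maxpos, and the next line passes it as the size to `av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len)`, which takes an int in these releases. The declaration of value_len is outside the hunk; if it is a 64-bit type, values above INT_MAX would narrow at that call, so an explicit upper bound may be wanted alongside `value_len < 0`. The rearranged comparison also deserves a comment, for example `/* compare with the bytes left: avio_tell(bc) + value_len can overflow */`. read_sm_data continues outside the hunk.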
[FFmpeg-cvslog] opus_silk: fix typo causing overflow in silk_stabilize_lsf
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Tue Dec 15 22:00:31 2015 +0100| [31d6900161221f6b83b76aa85221de49b7adbf32] | committer: Andreas Cadhalpun opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31d6900161221f6b83b76aa85221de49b7adbf32 --- libavcodec/opus_silk.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 7a89479..4c64cdf 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) -max_center -= min_delta[k]; +max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Fri Dec 18 19:28:51 2015 +0100| [882391f9758ea13643639e21de81e3f7978b0695] | committer: Andreas Cadhalpun xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=882391f9758ea13643639e21de81e3f7978b0695 --- libavcodec/xwddec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdac..18b1f93 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { +if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
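Review bot: Only the `avctx->height * lsize` term is widened; `ncolors * XWD_CMAP_SIZE` is still multiplied in the type of ncolors before it is added to the 64-bit term, so it can wrap on its own unless ncolors is bounded earlier in xwd_decode_frame, which the hunk does not show. Casting both products, `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`, makes the size check independent of that earlier validation. The release/2.4 cherry-pick below carries the same line.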
[FFmpeg-cvslog] sonic: make sure num_taps * channels is not larger than frame_size
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Tue Dec 15 23:43:03 2015 +0100| [46e7a63b6e011b47d87b54659b2a3799056e5753] | committer: Andreas Cadhalpun sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=46e7a63b6e011b47d87b54659b2a3799056e5753 --- libavcodec/sonic.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c5076f9..ab947c4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; //avctx->frame_size = s->block_align; +if (s->num_taps * s->channels > s->frame_size) { +av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); +return AVERROR_INVALIDDATA; +} + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] aaccoder: prevent crash of anmr coder
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Fri Dec 4 18:13:07 2015 +0100| [26b74a7213bf720f2818e9b5e8c8359cbadf9207] | committer: Andreas Cadhalpun aaccoder: prevent crash of anmr coder If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors. Reviewed-by: Claudio Freire Signed-off-by: Andreas Cadhalpun (cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26b74a7213bf720f2818e9b5e8c8359cbadf9207 --- libavcodec/aaccoder.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 5bf6a9c..4b915da 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -691,7 +691,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; -minq = paths[idx][minq].prev; +minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
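Review bot: The clamp `FFMAX(paths[idx][minq].prev, 0)` carries no comment, and without one it reads as masking a bad back-pointer rather than handling an expected case. A line above it such as `/* a negative prev would push sf_idx outside the SCALE_MAX_DIFF range asserted in encode_scale_factors */` would bring the reasoning from the commit message into the code. Where a negative prev originates is outside the hunk, so it is worth confirming there that clamping to 0 still yields a valid path rather than only silencing the assertion.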
[FFmpeg-cvslog] ffmdec: reject zero-sized chunks
ffmpeg | branch: release/2.5 | Andreas Cadhalpun| Wed Dec 2 22:47:12 2015 +0100| [cc77012329f0b68373f6fadc2fda19e0d1f661cb] | committer: Andreas Cadhalpun ffmdec: reject zero-sized chunks If size is zero, avio_get_str fails, leaving the buffer uninitialized. This causes invalid reads in av_set_options_string. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc77012329f0b68373f6fadc2fda19e0d1f661cb --- libavformat/ffmdec.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 57df43b..87cf546 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -414,7 +414,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): -if (f_stvi++) { +if (f_stvi++ || !size) { ret = AVERROR(EINVAL); goto fail; } @@ -429,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): -if (f_stau++) { +if (f_stau++ || !size) { ret = AVERROR(EINVAL); goto fail; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
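Review bot: Rejecting `!size` in the S2VI and S2AU cases closes the zero-length trigger, but the call the commit message names, avio_get_str, lies after both hunks and nothing visible shows its result being checked. If that call can fail or read short for any other reason, the buffer handed to av_set_options_string would presumably be in the same state. Checking its return value before the buffer is parsed would address the cause rather than one trigger. As a smaller point, `f_stvi++ || !size` and `f_stau++ || !size` keep a counter increment inside the condition, which is easy to misread now that the test has two parts.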
[FFmpeg-cvslog] avcodec/s302menc: check if buf_size can actually be put into 16bit size
ffmpeg | branch: master | Paul B Mahol| Sat Dec 19 21:52:19 2015 +0100| [db6e337b41fce401e67daa2f05fbe0663f825240] | committer: Paul B Mahol avcodec/s302menc: check if buf_size can actually be put into 16bit size This disallows creating unplayable audio. Signed-off-by: Paul B Mahol > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=db6e337b41fce401e67daa2f05fbe0663f825240 --- libavcodec/s302menc.c |5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/s302menc.c b/libavcodec/s302menc.c index 3706eba..c703e9a 100644 --- a/libavcodec/s302menc.c +++ b/libavcodec/s302menc.c @@ -78,6 +78,11 @@ static int s302m_encode2_frame(AVCodecContext *avctx, AVPacket *avpkt, uint8_t *o; PutBitContext pb; +if (buf_size - AES3_HEADER_LEN > UINT16_MAX) { +av_log(avctx, AV_LOG_ERROR, "number of samples in frame too big\n"); +return AVERROR(EINVAL); +} + if ((ret = ff_alloc_packet2(avctx, avpkt, buf_size, 0)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] ffm: reject invalid codec_id and codec_type
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Mon Dec 14 22:11:55 2015 +0100| [6fc3f6f43b24b98a768acc28f03fec37ef1a79e3] | committer: Andreas Cadhalpun ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fc3f6f43b24b98a768acc28f03fec37ef1a79e3 --- libavformat/ffmdec.c | 28 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 2753f2c..ee3e1d6 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -243,6 +243,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; +const AVCodecDescriptor *codec_desc; int ret; ffm->packet_size = avio_rb32(pb); @@ -289,7 +290,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); +codec_desc = avcodec_descriptor_get(codec->codec_id); +if (!codec_desc) { +av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); +codec->codec_id = AV_CODEC_ID_NONE; +goto fail; +} codec->codec_type = avio_r8(pb); +if (codec->codec_type != codec_desc->type) { +av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); +codec->codec_id = AV_CODEC_ID_NONE; +codec->codec_type = AVMEDIA_TYPE_UNKNOWN; +goto fail; +} codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); 
@@ -389,6 +403,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; +const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -426,7 +441,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); +codec_desc = avcodec_descriptor_get(codec->codec_id); +if (!codec_desc) { +av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); +codec->codec_id = AV_CODEC_ID_NONE; +goto fail; +} codec->codec_type = avio_r8(pb); /* codec_type */ +if (codec->codec_type != codec_desc->type) { +av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); +codec->codec_id = AV_CODEC_ID_NONE; +codec->codec_type = AVMEDIA_TYPE_UNKNOWN; +goto fail; +} codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] mlvdec: check that index_entries exist
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Sat Dec 19 23:44:53 2015 +0100| [f0eea9cc3a112f69991ffba79d6ca224d9eb60f5] | committer: Andreas Cadhalpun mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0eea9cc3a112f69991ffba79d6ca224d9eb60f5 --- libavformat/mlvdec.c |5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 564e113..98373bd 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -363,6 +363,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; +if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { +av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); +return AVERROR_INVALIDDATA; +} + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] xwddec: prevent overflow of lsize * avctx->height
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Fri Dec 18 19:28:51 2015 +0100| [dcecc180a6ad9e05f2b1f5802ec04c95a4cc6a8d] | committer: Andreas Cadhalpun xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcecc180a6ad9e05f2b1f5802ec04c95a4cc6a8d --- libavcodec/xwddec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 62dfdac..18b1f93 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } -if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { +if (bytestream2_get_bytes_left() < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mpeg4videodec: also for empty partitioned slices
ffmpeg | branch: release/2.4 | Michael Niedermayer| Sat Dec 19 23:21:33 2015 +0100| [fbfb2814b28d24c275c5809a7f6f6e33efe7b7dc] | committer: Andreas Cadhalpun avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbfb2814b28d24c275c5809a7f6f6e33efe7b7dc --- libavcodec/mpeg4videodec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e6b89fd..9acb163 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); -if (mb_num < 0) { +if (mb_num <= 0) { ff_er_add_slice(>er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] rawdec: only exempt BIT0 with need_copy from buffer sanity check
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Sat Dec 19 23:45:06 2015 +0100| [b0a8095f2bf0bc03c5d4dfccaba845de6fd5bb4f] | committer: Andreas Cadhalpun rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too small buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0a8095f2bf0bc03c5d4dfccaba845de6fd5bb4f --- libavcodec/rawdec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index 647dfa9..5685539 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); -if (buf_size < len && (avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0)) { +if (buf_size < len && ((avctx->codec_tag & 0xFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(>buf[0]); return AVERROR(EINVAL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
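Review bot: The tag test on the changed line keeps the mask `avctx->codec_tag & 0xFF`, which leaves only the low byte, while `MKTAG('B','I','T', 0)` has non-zero bits in its second and third bytes, so the `!=` comparison is always true and the BIT0 exemption can never apply, with or without `need_copy`. The result fails closed, since every short buffer is rejected, but the condition does not do what it says. Masking three bytes, `(avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)`, would match tags whose first three characters are BIT, and the new `!need_copy` term then becomes the guard that matters. raw_decode's body extends beyond the hunk.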
[FFmpeg-cvslog] on2avc: limit number of bits to 30 in get_egolomb
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Wed Dec 16 16:48:19 2015 +0100| [e32095807b86480dfa5395972f7734990e27c146] | committer: Andreas Cadhalpun on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e32095807b86480dfa5395972f7734990e27c146 --- libavcodec/on2avc.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index c864e14..c4e45af 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; -while (get_bits1(gb)) v++; +while (get_bits1(gb)) { +v++; +if (v > 30) { +av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); +v = 30; +break; +} +} -return (1 << v) + get_bits(gb, v); +return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] nutdec: only copy the header if it exists
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Fri Dec 18 15:18:47 2015 +0100| [2306964b3a0336e24d1c9d04bd54aaecf2d198d7] | committer: Andreas Cadhalpun nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2306964b3a0336e24d1c9d04bd54aaecf2d198d7 --- libavformat/nutdec.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 76fd8cc..eec6423 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -1082,7 +1082,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; -memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); +if (nut->header[header_idx]) +memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
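Review bot: Guarding the memcpy on `nut->header[header_idx]` alone means that if the pointer is NULL while `nut->header_len[header_idx]` is non-zero, the packet is still allocated with `size + nut->header_len[header_idx]` bytes and the leading header_len bytes are never written. Whether that combination can occur depends on how the header table is filled, which is outside the hunk. If it cannot, a comment such as `/* a NULL header always has header_len 0 */` would document the invariant; if it can, the case should return `AVERROR_INVALIDDATA` instead of skipping the copy. decode_frame continues past the hunk.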
[FFmpeg-cvslog] opus_silk: fix typo causing overflow in silk_stabilize_lsf
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Tue Dec 15 22:00:31 2015 +0100| [7a26ea7a7e67cff8c1f3367e4f505f1c650ca0f5] | committer: Andreas Cadhalpun opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a26ea7a7e67cff8c1f3367e4f505f1c650ca0f5 --- libavcodec/opus_silk.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 7a89479..4c64cdf 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) -max_center -= min_delta[k]; +max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] sonic: make sure num_taps * channels is not larger than frame_size
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Tue Dec 15 23:43:03 2015 +0100| [465dd4bc941e96abc00e60e35947673d64d34907] | committer: Andreas Cadhalpun sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=465dd4bc941e96abc00e60e35947673d64d34907 --- libavcodec/sonic.c |7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c5076f9..ab947c4 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -925,6 +925,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; //avctx->frame_size = s->block_align; +if (s->num_taps * s->channels > s->frame_size) { +av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); +return AVERROR_INVALIDDATA; +} + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] nuv: sanitize negative fps rate
ffmpeg | branch: release/2.4 | Andreas Cadhalpun| Wed Dec 16 20:52:39 2015 +0100| [1317c63b4b1d96c554f88a92a6b770341c529a66] | committer: Andreas Cadhalpun nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1317c63b4b1d96c554f88a92a6b770341c529a66 --- libavformat/nuv.c |9 + 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index e7f0eea..f1bc93e 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -171,6 +171,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0. && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); +if (fps < 0.0f) { +if (s->error_recognition & AV_EF_EXPLODE) { +av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); +return AVERROR_INVALIDDATA; +} else { +av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); +fps = 0.0f; +} +} // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mpeg4videodec: also for empty partitioned slices
ffmpeg | branch: release/2.5 | Michael Niedermayer| Sat Dec 19 23:21:33 2015 +0100| [8cd0e23be83d7967ce6d0c1e933e1bd0819c8cb6] | committer: Andreas Cadhalpun avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Andreas Cadhalpun > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cd0e23be83d7967ce6d0c1e933e1bd0819c8cb6 --- libavcodec/mpeg4videodec.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 174d60e..526e0e3 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -881,7 +881,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); -if (mb_num < 0) { +if (mb_num <= 0) { ff_er_add_slice(>er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/flacenc: use designated initializers for AVClass
ffmpeg | branch: master | Paul B Mahol| Sun Dec 20 17:47:21 2015 +0100| [367ffa0c151792651a741554c608a73bad112663] | committer: Paul B Mahol avcodec/flacenc: use designated initializers for AVClass Signed-off-by: Paul B Mahol > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=367ffa0c151792651a741554c608a73bad112663 --- libavcodec/flacenc.c |8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index b3833fa..5db043a 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -1468,10 +1468,10 @@ static const AVOption options[] = { }; static const AVClass flac_encoder_class = { -"FLAC encoder", -av_default_item_name, -options, -LIBAVUTIL_VERSION_INT, +.class_name = "FLAC encoder", +.item_name = av_default_item_name, +.option = options, +.version= LIBAVUTIL_VERSION_INT, }; AVCodec ff_flac_encoder = { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] x86/hevc_sao: simplify sao_edge_filter 10/12bit
ffmpeg | branch: master | James Almer| Sun Dec 6 02:46:51 2015 -0300| [3ff2beff65af87fc9ce75d55f2c06e01d606cebc] | committer: James Almer x86/hevc_sao: simplify sao_edge_filter 10/12bit Reviewed-by: Michael Niedermayer Reviewed-by: Christophe Gisquet Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ff2beff65af87fc9ce75d55f2c06e01d606cebc --- libavcodec/x86/hevc_sao_10bit.asm | 150 + 1 file changed, 54 insertions(+), 96 deletions(-) diff --git a/libavcodec/x86/hevc_sao_10bit.asm b/libavcodec/x86/hevc_sao_10bit.asm index 3a7048a..79776ac 100644 --- a/libavcodec/x86/hevc_sao_10bit.asm +++ b/libavcodec/x86/hevc_sao_10bit.asm @@ -221,46 +221,6 @@ HEVC_SAO_BAND_FILTER 12, 64, 4 addb_strideq, tmpq %endmacro -%macro HEVC_SAO_EDGE_FILTER_COMPUTE 0 -PMINUWm4, m1, m2, m6 -PMINUWm5, m1, m3, m7 -pcmpeqw m2, m4 -pcmpeqw m3, m5 -pcmpeqw m4, m1 -pcmpeqw m5, m1 -psubw m4, m2 -psubw m5, m3 - -paddw m4, m5 -pcmpeqw m2, m4, [pw_m2] -%if ARCH_X86_64 -pcmpeqw m3, m4, m13 -pcmpeqw m5, m4, m0 -pcmpeqw m6, m4, m14 -pcmpeqw m7, m4, m15 -pand m2, m8 -pand m3, m9 -pand m5, m10 -pand m6, m11 -pand m7, m12 -%else -pcmpeqw m3, m4, [pw_m1] -pcmpeqw m5, m4, m0 -pcmpeqw m6, m4, [pw_1] -pcmpeqw m7, m4, [pw_2] -pand m2, [rsp+MMSIZE*0] -pand m3, [rsp+MMSIZE*1] -pand m5, [rsp+MMSIZE*2] -pand m6, [rsp+MMSIZE*3] -pand m7, [rsp+MMSIZE*4] -%endif -paddw m2, m3 -paddw m5, m6 -paddw m2, m7 -paddw m2, m1 -paddw m2, m5 -%endmacro - ;void ff_hevc_sao_edge_filter___(uint8_t *_dst, uint8_t *_src, ptrdiff_t stride_dst, int16_t *sao_offset_val, ; int eo, int width, int height); %macro HEVC_SAO_EDGE_FILTER 3 @@ -274,7 +234,6 @@ cglobal hevc_sao_edge_filter_%2_%1, 4, 9, 16, dst, src, dststride, offset, eo, a %else ; ARCH_X86_32 cglobal hevc_sao_edge_filter_%2_%1, 1, 6, 8, 5*mmsize, dst, src, dststride, a_stride, b_stride, height -%assign MMSIZE mmsize %define eoq srcq %define tmpq heightq %define tmp2q dststrideq 
@@ -325,54 +284,53 @@ cglobal hevc_sao_edge_filter_%2_%1, 1, 6, 8, 5*mmsize, dst, src, dststride, a_st align 16 .loop: -%if %2 == 8 -mova m1, [srcq] -movu m2, [srcq+a_strideq] -movu m3, [srcq+b_strideq] - -HEVC_SAO_EDGE_FILTER_COMPUTE -CLIPW m2, m0, [pw_mask %+ %1] -movu [dstq], m2 -%endif - %assign i 0 %rep %3 mova m1, [srcq + i] movu m2, [srcq+a_strideq + i] movu m3, [srcq+b_strideq + i] -HEVC_SAO_EDGE_FILTER_COMPUTE -CLIPW m2, m0, [pw_mask %+ %1] -mova [dstq + i], m2 +PMINUWm4, m1, m2, m6 +PMINUWm5, m1, m3, m7 +pcmpeqw m2, m4 +pcmpeqw m3, m5 +pcmpeqw m4, m1 +pcmpeqw m5, m1 +psubw m4, m2 +psubw m5, m3 -mova m1, [srcq + i + mmsize] -movu m2, [srcq+a_strideq + i + mmsize] -movu m3, [srcq+b_strideq + i + mmsize] -HEVC_SAO_EDGE_FILTER_COMPUTE +paddw m4, m5 +pcmpeqw m2, m4, [pw_m2] +%if ARCH_X86_64 +pcmpeqw m3, m4, m13 +pcmpeqw m5, m4, m0 +pcmpeqw m6, m4, m14 +pcmpeqw m7, m4, m15 +pand m2, m8 +pand m3, m9 +pand m5, m10 +pand m6, m11 +pand m7, m12 +%else +pcmpeqw m3, m4, [pw_m1] +pcmpeqw m5, m4, m0 +pcmpeqw m6, m4, [pw_1] +pcmpeqw m7, m4, [pw_2] +pand m2, [rsp+mmsize*0] +pand m3, [rsp+mmsize*1] +pand m5, [rsp+mmsize*2] +pand m6, [rsp+mmsize*3] +pand m7, [rsp+mmsize*4] +%endif +paddw m2, m3 +paddw m5, m6 +paddw m2, m7 +paddw m2, m1 +paddw m2, m5 CLIPW m2, m0, [pw_mask %+ %1] -mova [dstq + i + mmsize], m2 -%assign i i+mmsize*2 +mova [dstq + i], m2 +%assign i i+mmsize %endrep -%if %2 == 48 -INIT_XMM cpuname -mova m1, [srcq + i] -movu m2, [srcq+a_strideq + i] -movu m3, [srcq+b_strideq +
[FFmpeg-cvslog] avcodec/indeo2: use init_get_bits8
ffmpeg | branch: master | Paul B Mahol| Sun Dec 20 21:31:55 2015 +0100| [484cc66f577ba25c142d73c1c2c6590b01d031c2] | committer: Paul B Mahol avcodec/indeo2: use init_get_bits8 Signed-off-by: Paul B Mahol > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=484cc66f577ba25c142d73c1c2c6590b01d031c2 --- libavcodec/indeo2.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 74135b9..3424e00 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -165,7 +165,8 @@ static int ir2_decode_frame(AVCodecContext *avctx, buf[i] = ff_reverse[buf[i]]; #endif -init_get_bits(>gb, buf + start, (buf_size - start) * 8); +if ((ret = init_get_bits8(>gb, buf + start, buf_size - start)) < 0) +return ret; if (s->decode_delta) { /* intraframe */ if ((ret = ir2_decode_plane(s, avctx->width, avctx->height, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
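Review bot: The new `init_get_bits8()` check has no comment saying what it guards against, and the commit message gives no reason either. I would add above it `/* init_get_bits8() rejects a negative or too-large byte count before scaling it to bits */`, since the old call computed `(buf_size - start) * 8` itself and ignored the return value. Whether `start` is already compared with `buf_size` earlier in `ir2_decode_frame` cannot be seen here, because the function begins and ends outside the hunk. If it is not, this call is the only thing that rejects a packet shorter than `start` bytes, which is worth stating in the comment.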
[FFmpeg-cvslog] x86/hevc_sao: simplify sao_band_filter 10/12bit
ffmpeg | branch: master | James Almer| Sun Dec 6 02:42:34 2015 -0300| [34b2bd03cf94e26e0352b4edd5f9ca86c5e95b0b] | committer: James Almer x86/hevc_sao: simplify sao_band_filter 10/12bit Reviewed-by: Michael Niedermayer Reviewed-by: Christophe Gisquet Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=34b2bd03cf94e26e0352b4edd5f9ca86c5e95b0b --- libavcodec/x86/hevc_sao_10bit.asm | 142 +++-- 1 file changed, 57 insertions(+), 85 deletions(-) diff --git a/libavcodec/x86/hevc_sao_10bit.asm b/libavcodec/x86/hevc_sao_10bit.asm index f45fc56..3a7048a 100644 --- a/libavcodec/x86/hevc_sao_10bit.asm +++ b/libavcodec/x86/hevc_sao_10bit.asm @@ -83,7 +83,6 @@ SECTION .text mova [rsp+mmsize*6], m6 mova m1, [pw_mask %+ %1] pxor m0, m0 -%assign MMSIZE mmsize %define m14 m0 %define m13 m1 %define m9 m2 @@ -93,37 +92,6 @@ DEFINE_ARGS dst, src, dststride, srcstride, offset, height mov heightd, r7m %endmacro -%macro HEVC_SAO_BAND_FILTER_COMPUTE 3 -psraw %2, %3, %1-5 -%if ARCH_X86_64 -pcmpeqw m10, %2, m0 -pcmpeqw m11, %2, m1 -pcmpeqw m12, %2, m2 -pcmpeqw %2, m3 -pand m10, m4 -pand m11, m5 -pand m12, m6 -pand %2, m7 -por m10, m11 -por m12, %2 -por m10, m12 -paddw %3, m10 -%else ; ARCH_X86_32 -pcmpeqw m4, %2, [rsp+MMSIZE*0] -pcmpeqw m5, %2, [rsp+MMSIZE*1] -pcmpeqw m6, %2, [rsp+MMSIZE*2] -pcmpeqw %2, [rsp+MMSIZE*3] -pand m4, [rsp+MMSIZE*4] -pand m5, [rsp+MMSIZE*5] -pand m6, [rsp+MMSIZE*6] -pand %2, m7 -por m4, m5 -por m6, %2 -por m4, m6 -paddw %3, m4 -%endif ; ARCH -%endmacro - ;void ff_hevc_sao_band_filter___(uint8_t *_dst, uint8_t *_src, ptrdiff_t _stride_dst, ptrdiff_t _stride_src, ; int16_t *sao_offset_val, int sao_left_class, int width, int height); %macro HEVC_SAO_BAND_FILTER 3 
@@ -132,43 +100,47 @@ cglobal hevc_sao_band_filter_%2_%1, 6, 6, 15, 7*mmsize*ARCH_X86_32, dst, src, ds align 16 .loop: -%if %2 == 8 -movu m8, [srcq] -HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8 -CLIPW m8, m14, m13 -movu [dstq], m8 -%endif %assign i 0 +%assign j 0 %rep %3 -mova m8, [srcq + i] -HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8 -CLIPW m8, m14, m13 -mova [dstq + i], m8 - -mova m9, [srcq + i + mmsize] -HEVC_SAO_BAND_FILTER_COMPUTE %1, m8, m9 -CLIPW m9, m14, m13 -mova [dstq + i + mmsize], m9 -%assign i i+mmsize*2 +%assign k 8+(j&1) +%assign l 9-(j&1) +mova m %+ k, [srcq + i] +psraw m %+ l, m %+ k, %1-5 +%if ARCH_X86_64 +pcmpeqw m10, m %+ l, m0 +pcmpeqw m11, m %+ l, m1 +pcmpeqw m12, m %+ l, m2 +pcmpeqw m %+ l, m3 +pand m10, m4 +pand m11, m5 +pand m12, m6 +pand m %+ l, m7 +por m10, m11 +por m12, m %+ l +por m10, m12 +paddw m %+ k, m10 +%else ; ARCH_X86_32 +pcmpeqw m4, m %+ l, [rsp+mmsize*0] +pcmpeqw m5, m %+ l, [rsp+mmsize*1] +pcmpeqw m6, m %+ l, [rsp+mmsize*2] +pcmpeqw m %+ l, [rsp+mmsize*3] +pand m4, [rsp+mmsize*4] +pand m5, [rsp+mmsize*5] +pand m6, [rsp+mmsize*6] +pand m %+ l, m7 +por m4, m5 +por m6, m %+ l +por m4, m6 +paddw m %+ k, m4 +%endif ; ARCH +CLIPW m %+ k, m14, m13 +mova [dstq + i], m %+ k +%assign i i+mmsize +%assign j j+1 %endrep -%if %2 == 48 -INIT_XMM cpuname -mova m8, [srcq + i] -HEVC_SAO_BAND_FILTER_COMPUTE %1, m9, m8 -CLIPW m8, m14, m13 -mova [dstq + i], m8 - -mova m9, [srcq + i + mmsize] -HEVC_SAO_BAND_FILTER_COMPUTE %1, m8, m9 -CLIPW m9, m14, m13 -mova [dstq + i + mmsize], m9 -%if cpuflag(avx2) -INIT_YMM cpuname -%endif -%endif ; %1 == 48 - add dstq, dststrideq add srcq, srcstrideq dec heightd @@ -177,17 +149,17 @@ INIT_YMM cpuname %endmacro %macro HEVC_SAO_BAND_FILTER_FUNCS 0 -HEVC_SAO_BAND_FILTER 10, 8, 0 -HEVC_SAO_BAND_FILTER 10, 16, 1 -HEVC_SAO_BAND_FILTER 10, 32, 2 -HEVC_SAO_BAND_FILTER 10, 48, 2 -HEVC_SAO_BAND_FILTER 10, 64, 4 - -HEVC_SAO_BAND_FILTER
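Review bot: The unified `%rep` loop loads and stores with `mova` only, whereas the removed `%if %2 == 8` path used `movu` for both `[srcq]` and `[dstq]`, so the width-8 variant now appears to rely on mmsize-aligned rows. Whether width 8 actually runs through this loop depends on the `HEVC_SAO_BAND_FILTER_FUNCS` hunk, which is cut off on this page, and the callers' alignment guarantee is not visible either. If the alignment holds, a comment such as `; src/dst rows are mmsize-aligned for every width, so mova is safe` would record it; otherwise width 8 should keep `movu`. A short comment on `%assign k 8+(j&1)` / `%assign l 9-(j&1)`, e.g. `; swap m8/m9 between data and scratch on each iteration`, would also make the register alternation readable.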