[FFmpeg-cvslog] avfilter/tinterlace: Simplify checks for lowpass filtering flags

2017-09-17 Thread James Almer
ffmpeg | branch: master | James Almer  | Sun Sep 17 23:41:31 
2017 -0300| [3af1060319b46005dbfb3b01f9104539caf30146] | committer: James Almer

avfilter/tinterlace: Simplify checks for lowpass filtering flags

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3af1060319b46005dbfb3b01f9104539caf30146
---

 libavfilter/vf_tinterlace.c | 12 
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/libavfilter/vf_tinterlace.c b/libavfilter/vf_tinterlace.c
index 66c6d17ed9..9ae9daafc1 100644
--- a/libavfilter/vf_tinterlace.c
+++ b/libavfilter/vf_tinterlace.c
@@ -172,14 +172,12 @@ static int config_out_props(AVFilterLink *outlink)
tinterlace->black_linesize[i] * h);
 }
 }
-if ((tinterlace->flags & TINTERLACE_FLAG_VLPF
-  || tinterlace->flags & TINTERLACE_FLAG_CVLPF)
+if (tinterlace->flags & (TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF)
 && !(tinterlace->mode == MODE_INTERLEAVE_TOP
   || tinterlace->mode == MODE_INTERLEAVE_BOTTOM)) {
 av_log(ctx, AV_LOG_WARNING, "low_pass_filter flags ignored with mode 
%d\n",
 tinterlace->mode);
-tinterlace->flags &= ~TINTERLACE_FLAG_VLPF;
-tinterlace->flags &= ~TINTERLACE_FLAG_CVLPF;
+tinterlace->flags &= ~(TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF);
 }
 tinterlace->preout_time_base = inlink->time_base;
 if (tinterlace->mode == MODE_INTERLACEX2) {
@@ -263,10 +261,8 @@ void copy_picture_field(TInterlaceContext *tinterlace,
 // Low-pass filtering is required when creating an interlaced 
destination from
 // a progressive source which contains high-frequency vertical detail.
 // Filtering will reduce interlace 'twitter' and Moire patterning.
-if (flags & TINTERLACE_FLAG_VLPF || flags & TINTERLACE_FLAG_CVLPF) {
-int x = 0;
-if (flags & TINTERLACE_FLAG_CVLPF)
-x = 1;
+if (flags & (TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF)) {
+int x = !!(flags & TINTERLACE_FLAG_CVLPF);
 for (h = lines; h > 0; h--) {
 ptrdiff_t pref = src_linesize[plane];
 ptrdiff_t mref = -pref;
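Review bot: `int x = !!(flags & TINTERLACE_FLAG_CVLPF);` keeps a one-letter name for what is now plainly a filter selector, so a reader has to find its uses to learn what 0 and 1 choose. A name such as `cvlpf`, or a trailing comment like `/* 1 when CVLPF is requested, 0 for plain VLPF */`, would make the selection readable where it is defined. copy_picture_field's body continues outside the hunk, so how x is consumed is not visible here.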



[FFmpeg-cvslog] fate: add tinterlace lowpass filtering tests

2017-09-17 Thread Thomas Mundt
ffmpeg | branch: master | Thomas Mundt  | Sun Sep 17 
23:41:00 2017 -0300| [4492237e333c3b5eb57e255d3dba690dcf35940c] | committer: 
James Almer

fate: add tinterlace lowpass filtering tests

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4492237e333c3b5eb57e255d3dba690dcf35940c
---

 tests/fate/filter-video.mak|  6 ++
 tests/ref/fate/filter-pixfmts-tinterlace_cvlpf | 14 ++
 tests/ref/fate/filter-pixfmts-tinterlace_vlpf  | 14 ++
 3 files changed, 34 insertions(+)

diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak
index 620487872b..d1e13414f6 100644
--- a/tests/fate/filter-video.mak
+++ b/tests/fate/filter-video.mak
@@ -668,12 +668,18 @@ fate-filter-pixfmts-super2xsai: CMD = pixfmts
 FATE_FILTER_PIXFMTS-$(CONFIG_SWAPUV_FILTER) += fate-filter-pixfmts-swapuv
 fate-filter-pixfmts-swapuv: CMD = pixfmts
 
+FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += 
fate-filter-pixfmts-tinterlace_cvlpf
+fate-filter-pixfmts-tinterlace_cvlpf: CMD = pixfmts "interleave_top:cvlpf"
+
 FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += 
fate-filter-pixfmts-tinterlace_merge
 fate-filter-pixfmts-tinterlace_merge: CMD = pixfmts "merge"
 
 FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += 
fate-filter-pixfmts-tinterlace_pad
 fate-filter-pixfmts-tinterlace_pad: CMD = pixfmts "pad"
 
+FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += 
fate-filter-pixfmts-tinterlace_vlpf
+fate-filter-pixfmts-tinterlace_vlpf: CMD = pixfmts "interleave_top:vlpf"
+
 FATE_FILTER_PIXFMTS-$(CONFIG_VFLIP_FILTER) += fate-filter-pixfmts-vflip
 fate-filter-pixfmts-vflip: CMD = pixfmts
 
diff --git a/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf 
b/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf
new file mode 100644
index 00..8623636ff9
--- /dev/null
+++ b/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf
@@ -0,0 +1,14 @@
+gray9849d71519ae9c584ae8abfa8adb2f8e
+yuv410p 44ee4b74b95c82d6f79ddf53b5e3aa9d
+yuv411p 5fa9d1fba7adfd6f7fa04464332b631a
+yuv420p ee9591ea3ab06c73be902c4b8868c69e
+yuv422p b1be7b55567bde86d655adf80fac1257
+yuv440p ddf6ee697f4ff4f90d501e6869392309
+yuv444p 7cb5d0c0997c8c2545a16bfc4cb9fd6d
+yuva420pee0761e2f76ec441c545feede77103e4
+yuva422pa8da2806e21a88449079faa7f4303ffa
+yuva444pa3f57734d6f72bdf37f8f612ea7cce63
+yuvj420p9f358e311b694bcd01e1a07d1120ade5
+yuvj422p9a7628a9f1630d35c7176951ddc1b2f6
+yuvj440p112fe35292c687746ec0c622a42c611b
+yuvj444pf894438f40950229baa02545daa8812a
diff --git a/tests/ref/fate/filter-pixfmts-tinterlace_vlpf 
b/tests/ref/fate/filter-pixfmts-tinterlace_vlpf
new file mode 100644
index 00..2f52fd13f0
--- /dev/null
+++ b/tests/ref/fate/filter-pixfmts-tinterlace_vlpf
@@ -0,0 +1,14 @@
+grayb79791449947c25cd5b36d9d3b9d1831
+yuv410p 5bc03f4cf6b441b421f0fdaeeff1e9ed
+yuv411p 19046df1876c46ed1ef0458680270bd3
+yuv420p 69c743b84996be9430b051a55cfbcb29
+yuv422p d710ccd1941f6f389c97a09bc977e709
+yuv440p 1a482a23fe5a9b7d02388c299fd0a423
+yuv444p c968a92f4b7ab6706ee9b425eb5345b5
+yuva420p3f89a166f309c0cda8b91a9e8a0ce937
+yuva422pef8fdbe910d68e88e98227b0e99fb5a6
+yuva444p3662eadd5f61a6edbc9d715ea8591415
+yuvj420p14c4390b319c5d679184503309060ac3
+yuvj422pbbe00a26526931b72a024febe1cd6b90
+yuvj440pf654cf28b7879c6a6c950c3cb9612580
+yuvj444pc162a4fe7a665f4abf257443703f0d72



[FFmpeg-cvslog] lavc/frame_thread_encoder: Do not mix variable declaration and code.

2017-09-17 Thread Carl Eugen Hoyos
ffmpeg | branch: master | Carl Eugen Hoyos  | Mon Sep 18 
03:24:52 2017 +0200| [3118e81f86067e8f04d729b070fc90ca2c9090d8] | committer: 
Carl Eugen Hoyos

lavc/frame_thread_encoder: Do not mix variable declaration and code.

Fixes a warning:
ISO C90 forbids mixed declarations and code

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3118e81f86067e8f04d729b070fc90ca2c9090d8
---

 libavcodec/frame_thread_encoder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/frame_thread_encoder.c 
b/libavcodec/frame_thread_encoder.c
index 31a9fe9dae..ffbf5caf29 100644
--- a/libavcodec/frame_thread_encoder.c
+++ b/libavcodec/frame_thread_encoder.c
@@ -193,13 +193,14 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, 
AVDictionary *options){
 
 for(i=0; ithread_count ; i++){
 AVDictionary *tmp = NULL;
+int ret;
 void *tmpv;
 AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec);
 if(!thread_avctx)
 goto fail;
 tmpv = thread_avctx->priv_data;
 *thread_avctx = *avctx;
-int ret = av_opt_copy(thread_avctx, avctx);
+ret = av_opt_copy(thread_avctx, avctx);
 if (ret < 0)
 goto fail;
 thread_avctx->priv_data = tmpv;
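Review bot: The `goto fail` taken when av_opt_copy() returns an error leaves thread_avctx half-built: `*thread_avctx = *avctx` has already replaced its priv_data with the parent's pointer, and the restore `thread_avctx->priv_data = tmpv;` is skipped. thread_avctx is declared inside the loop, so unless the fail label (outside this hunk) can still reach it, the context from avcodec_alloc_context3() and the saved tmpv are leaked, and any cleanup that does reach it would see the aliased priv_data. Moving `thread_avctx->priv_data = tmpv;` directly after the struct copy and releasing the context on this path would close the gap, assuming av_opt_copy() does not depend on priv_data. Whether ret is propagated by the fail path cannot be confirmed from here.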



[FFmpeg-cvslog] checkasm: add an exrdsp test

2017-09-17 Thread James Almer
ffmpeg | branch: master | James Almer  | Sun Sep 17 18:48:02 
2017 -0300| [7323c896b2cb6b2f3c0643094d6dd3e1d7179690] | committer: James Almer

checkasm: add an exrdsp test

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7323c896b2cb6b2f3c0643094d6dd3e1d7179690
---

 tests/checkasm/Makefile   |  1 +
 tests/checkasm/checkasm.c |  3 +++
 tests/checkasm/checkasm.h |  1 +
 tests/checkasm/exrdsp.c   | 68 +++
 tests/fate/checkasm.mak   |  1 +
 5 files changed, 74 insertions(+)

diff --git a/tests/checkasm/Makefile b/tests/checkasm/Makefile
index 184e981754..14916e5100 100644
--- a/tests/checkasm/Makefile
+++ b/tests/checkasm/Makefile
@@ -18,6 +18,7 @@ AVCODECOBJS-$(CONFIG_AAC_DECODER)   += aacpsdsp.o \
sbrdsp.o
 AVCODECOBJS-$(CONFIG_ALAC_DECODER)  += alacdsp.o
 AVCODECOBJS-$(CONFIG_DCA_DECODER)   += synth_filter.o
+AVCODECOBJS-$(CONFIG_EXR_DECODER)   += exrdsp.o
 AVCODECOBJS-$(CONFIG_JPEG2000_DECODER)  += jpeg2000dsp.o
 AVCODECOBJS-$(CONFIG_PIXBLOCKDSP)   += pixblockdsp.o
 AVCODECOBJS-$(CONFIG_HEVC_DECODER)  += hevc_add_res.o hevc_idct.o
diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c
index ba729ac1bf..b8b0e32dbd 100644
--- a/tests/checkasm/checkasm.c
+++ b/tests/checkasm/checkasm.c
@@ -92,6 +92,9 @@ static const struct {
 #if CONFIG_DCA_DECODER
 { "synth_filter", checkasm_check_synth_filter },
 #endif
+#if CONFIG_EXR_DECODER
+{ "exrdsp", checkasm_check_exrdsp },
+#endif
 #if CONFIG_FLACDSP
 { "flacdsp", checkasm_check_flacdsp },
 #endif
diff --git a/tests/checkasm/checkasm.h b/tests/checkasm/checkasm.h
index b29a61331e..e5b1877dc0 100644
--- a/tests/checkasm/checkasm.h
+++ b/tests/checkasm/checkasm.h
@@ -46,6 +46,7 @@ void checkasm_check_blend(void);
 void checkasm_check_blockdsp(void);
 void checkasm_check_bswapdsp(void);
 void checkasm_check_colorspace(void);
+void checkasm_check_exrdsp(void);
 void checkasm_check_fixed_dsp(void);
 void checkasm_check_flacdsp(void);
 void checkasm_check_float_dsp(void);
diff --git a/tests/checkasm/exrdsp.c b/tests/checkasm/exrdsp.c
new file mode 100644
index 00..6637f6fdd2
--- /dev/null
+++ b/tests/checkasm/exrdsp.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2017 James Almer
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with FFmpeg; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include 
+
+#include "checkasm.h"
+#include "libavcodec/avcodec.h"
+#include "libavcodec/exrdsp.h"
+#include "libavutil/intreadwrite.h"
+
+#define BUF_SIZE 5120
+#define PADDED_BUF_SIZE BUF_SIZE+AV_INPUT_BUFFER_PADDING_SIZE*2
+
+#define randomize_buffers() \
+do {\
+int i;  \
+for (i = 0; i < BUF_SIZE; i += 4) { \
+uint32_t r = rnd(); \
+AV_WN32A(src + i, r);   \
+}   \
+} while (0)
+
+static void check_reorder_pixels(void) {
+LOCAL_ALIGNED_32(uint8_t, src, [PADDED_BUF_SIZE]);
+LOCAL_ALIGNED_32(uint8_t, dst_ref, [PADDED_BUF_SIZE]);
+LOCAL_ALIGNED_32(uint8_t, dst_new, [PADDED_BUF_SIZE]);
+
+declare_func(void, uint8_t *dst, const uint8_t *src, ptrdiff_t size);
+
+memset(src, 0, PADDED_BUF_SIZE);
+memset(dst_ref, 0, PADDED_BUF_SIZE);
+memset(dst_new, 0, PADDED_BUF_SIZE);
+randomize_buffers();
+call_ref(dst_ref, src, BUF_SIZE);
+call_new(dst_new, src, BUF_SIZE);
+if (memcmp(dst_ref, dst_new, BUF_SIZE))
+fail();
+bench_new(dst_new, src, BUF_SIZE);
+}
+
+void checkasm_check_exrdsp(void)
+{
+ExrDSPContext h;
+
+ff_exrdsp_init();
+
+if (check_func(h.reorder_pixels, "reorder_pixels"))
+check_reorder_pixels();
+
+report("reorder_pixels");
+}
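Review bot: `#define PADDED_BUF_SIZE BUF_SIZE+AV_INPUT_BUFFER_PADDING_SIZE*2` expands without outer parentheses, so any later use inside a larger expression would silently compute the wrong size for buffers whose padding exists to absorb wide SIMD accesses; `#define PADDED_BUF_SIZE (BUF_SIZE + AV_INPUT_BUFFER_PADDING_SIZE * 2)` is the safe form. The current uses as an array bound and a memset length happen to be unaffected. check_reorder_pixels() also exercises a single length, BUF_SIZE, so a tail-handling fault at other sizes would not be caught; a short loop over a few even sizes would widen coverage.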
diff --git a/tests/fate/checkasm.mak b/tests/fate/checkasm.mak
index 824ae2f32d..7e8623985c 100644
--- a/tests/fate/checkasm.mak
+++ b/tests/fate/checkasm.mak
@@ -3,6 +3,7 @@ FATE_CHECKASM = fate-checkasm-aacpsdsp  
\
 fate-checkasm-audiodsp  \
 fate-checkasm-blockdsp  \
  

[FFmpeg-cvslog] avcodec/exrdsp: improve the ExrDSPContext->reorder_pixels prototype

2017-09-17 Thread James Almer
ffmpeg | branch: master | James Almer  | Sun Sep 17 18:56:39 
2017 -0300| [98d7ad085e20f7cd3347bbaff251bd687db733ee] | committer: James Almer

avcodec/exrdsp: improve the ExrDSPContext->reorder_pixels prototype

Make dst be the first parameter and src const. It's more in line with the rest 
of the codebase.

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98d7ad085e20f7cd3347bbaff251bd687db733ee
---

 libavcodec/exr.c | 4 ++--
 libavcodec/exrdsp.c  | 2 +-
 libavcodec/exrdsp.h  | 2 +-
 libavcodec/x86/exrdsp.asm| 4 ++--
 libavcodec/x86/exrdsp_init.c | 4 ++--
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index de2f05d3a9..230d5bbca8 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -289,7 +289,7 @@ static int zip_uncompress(EXRContext *s, const uint8_t 
*src, int compressed_size
 av_assert1(uncompressed_size % 2 == 0);
 
 predictor(td->tmp, uncompressed_size);
-s->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
+s->dsp.reorder_pixels(td->uncompressed_data, td->tmp, uncompressed_size);
 
 return 0;
 }
@@ -336,7 +336,7 @@ static int rle_uncompress(EXRContext *ctx, const uint8_t 
*src, int compressed_si
 av_assert1(uncompressed_size % 2 == 0);
 
 predictor(td->tmp, uncompressed_size);
-ctx->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
+ctx->dsp.reorder_pixels(td->uncompressed_data, td->tmp, uncompressed_size);
 
 return 0;
 }
diff --git a/libavcodec/exrdsp.c b/libavcodec/exrdsp.c
index e59dac3dc4..871b6f1276 100644
--- a/libavcodec/exrdsp.c
+++ b/libavcodec/exrdsp.c
@@ -24,7 +24,7 @@
 #include "exrdsp.h"
 #include "config.h"
 
-static void reorder_pixels_scalar(uint8_t *src, uint8_t *dst, ptrdiff_t size)
+static void reorder_pixels_scalar(uint8_t *dst, const uint8_t *src, ptrdiff_t 
size)
 {
 const uint8_t *t1 = src;
 int half_size = size / 2;
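Review bot: With size declared as ptrdiff_t in the new prototype, `int half_size = size / 2;` still narrows to int, and the loop counter (outside this hunk) presumably has the same width. The call sites in exr.c pass uncompressed_size, so if that is an int nothing breaks today, but the C fallback and the asm would disagree for a size above INT_MAX. `ptrdiff_t half_size = size / 2;` keeps the scalar reference consistent with its signature. reorder_pixels_scalar's body continues past the hunk.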
diff --git a/libavcodec/exrdsp.h b/libavcodec/exrdsp.h
index 09a76a518e..d8cb002efc 100644
--- a/libavcodec/exrdsp.h
+++ b/libavcodec/exrdsp.h
@@ -23,7 +23,7 @@
 #include "libavutil/common.h"
 
 typedef struct ExrDSPContext {
-void (*reorder_pixels)(uint8_t *src, uint8_t *dst, ptrdiff_t size);
+void (*reorder_pixels)(uint8_t *dst, const uint8_t *src, ptrdiff_t size);
 } ExrDSPContext;
 
 void ff_exrdsp_init(ExrDSPContext *c);
diff --git a/libavcodec/x86/exrdsp.asm b/libavcodec/x86/exrdsp.asm
index 91d9c0b0a7..b91a7be20d 100644
--- a/libavcodec/x86/exrdsp.asm
+++ b/libavcodec/x86/exrdsp.asm
@@ -27,11 +27,11 @@
 SECTION .text
 
 ;--
-; void ff_reorder_pixels(uint8_t *src, uint8_t *dst, ptrdiff_t size)
+; void ff_reorder_pixels(uint8_t *dst, const uint8_t *src, ptrdiff_t size);
 ;--
 
 %macro REORDER_PIXELS 0
-cglobal reorder_pixels, 3,4,3, src1, dst, size, src2
+cglobal reorder_pixels, 3,4,3, dst, src1, size, src2
 lea  src2q, [src1q+sizeq] ; src2 = src + 2 * 
half_size
 add   dstq, sizeq ; dst offset by size
 shr  sizeq, 1 ; half_size
diff --git a/libavcodec/x86/exrdsp_init.c b/libavcodec/x86/exrdsp_init.c
index c0f508b2c4..5669be3d97 100644
--- a/libavcodec/x86/exrdsp_init.c
+++ b/libavcodec/x86/exrdsp_init.c
@@ -22,9 +22,9 @@
 #include "libavutil/x86/cpu.h"
 #include "libavcodec/exrdsp.h"
 
-void ff_reorder_pixels_sse2(uint8_t *src, uint8_t *dst, ptrdiff_t size);
+void ff_reorder_pixels_sse2(uint8_t *dst, const uint8_t *src, ptrdiff_t size);
 
-void ff_reorder_pixels_avx2(uint8_t *src, uint8_t *dst, ptrdiff_t size);
+void ff_reorder_pixels_avx2(uint8_t *dst, const uint8_t *src, ptrdiff_t size);
 
 av_cold void ff_exrdsp_init_x86(ExrDSPContext *dsp)
 {



[FFmpeg-cvslog] libavcodec/exr : add X86 SIMD for reorder_pixels

2017-09-17 Thread Martin Vignali
ffmpeg | branch: master | Martin Vignali  | Sun Sep 
17 21:59:41 2017 +0200| [9b8c1224d7e1804b0b750de11e6a8c4648f1e115] | committer: 
James Almer

libavcodec/exr : add X86 SIMD for reorder_pixels

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b8c1224d7e1804b0b750de11e6a8c4648f1e115
---

 libavcodec/Makefile  |  2 +-
 libavcodec/exr.c | 38 +++---
 libavcodec/exrdsp.c  | 47 +
 libavcodec/exrdsp.h  | 32 ++
 libavcodec/x86/Makefile  |  2 ++
 libavcodec/x86/exrdsp.asm| 63 
 libavcodec/x86/exrdsp_init.c | 39 +++
 7 files changed, 199 insertions(+), 24 deletions(-)

diff --git a/libavcodec/Makefile b/libavcodec/Makefile
index 943e5db511..fad56129a3 100644
--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -286,7 +286,7 @@ OBJS-$(CONFIG_EIGHTSVX_FIB_DECODER)+= 8svx.o
 OBJS-$(CONFIG_ESCAPE124_DECODER)   += escape124.o
 OBJS-$(CONFIG_ESCAPE130_DECODER)   += escape130.o
 OBJS-$(CONFIG_EVRC_DECODER)+= evrcdec.o acelp_vectors.o lsp.o
-OBJS-$(CONFIG_EXR_DECODER) += exr.o
+OBJS-$(CONFIG_EXR_DECODER) += exr.o exrdsp.o
 OBJS-$(CONFIG_FFV1_DECODER)+= ffv1dec.o ffv1.o
 OBJS-$(CONFIG_FFV1_ENCODER)+= ffv1enc.o ffv1.o
 OBJS-$(CONFIG_FFWAVESYNTH_DECODER) += ffwavesynth.o
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 759880756d..de2f05d3a9 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -51,6 +51,7 @@
 #include "bswapdsp.h"
 #endif
 
+#include "exrdsp.h"
 #include "get_bits.h"
 #include "internal.h"
 #include "mathops.h"
@@ -121,6 +122,7 @@ typedef struct EXRContext {
 AVClass *class;
 AVFrame *picture;
 AVCodecContext *avctx;
+ExrDSPContext dsp;
 
 #if HAVE_BIGENDIAN
 BswapDSPContext bbdsp;
@@ -275,23 +277,7 @@ static void predictor(uint8_t *src, int size)
 }
 }
 
-static void reorder_pixels(uint8_t *src, uint8_t *dst, int size)
-{
-const uint8_t *t1 = src;
-int half_size = size / 2;
-const uint8_t *t2 = src + half_size;
-uint8_t *s= dst;
-int i;
-
-av_assert1(size % 2 == 0);
-
-for (i = 0; i < half_size; i++) {
-*(s++) = *(t1++);
-*(s++) = *(t2++);
-}
-}
-
-static int zip_uncompress(const uint8_t *src, int compressed_size,
+static int zip_uncompress(EXRContext *s, const uint8_t *src, int 
compressed_size,
   int uncompressed_size, EXRThreadData *td)
 {
 unsigned long dest_len = uncompressed_size;
@@ -300,13 +286,15 @@ static int zip_uncompress(const uint8_t *src, int 
compressed_size,
 dest_len != uncompressed_size)
 return AVERROR_INVALIDDATA;
 
+av_assert1(uncompressed_size % 2 == 0);
+
 predictor(td->tmp, uncompressed_size);
-reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
+s->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
 
 return 0;
 }
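Review bot: `av_assert1(uncompressed_size % 2 == 0);` is the only guard on the evenness that reorder_pixels depends on, and av_assert1 is active only when the build's assert level is raised, so ordinary builds carry no check here. The removed scalar loop tolerated an odd size by ignoring the last byte; whether the new SIMD paths do is not visible in this hunk. If an odd uncompressed_size can be derived from file data, an explicit `if (uncompressed_size & 1) return AVERROR_INVALIDDATA;` would make the precondition hold in every build. The same applies to the matching assert added to rle_uncompress in the next hunk.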
 
-static int rle_uncompress(const uint8_t *src, int compressed_size,
+static int rle_uncompress(EXRContext *ctx, const uint8_t *src, int 
compressed_size,
   int uncompressed_size, EXRThreadData *td)
 {
 uint8_t *d  = td->tmp;
@@ -345,8 +333,10 @@ static int rle_uncompress(const uint8_t *src, int 
compressed_size,
 if (dend != d)
 return AVERROR_INVALIDDATA;
 
+av_assert1(uncompressed_size % 2 == 0);
+
 predictor(td->tmp, uncompressed_size);
-reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
+ctx->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size);
 
 return 0;
 }
@@ -1152,7 +1142,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 
 if (data_size < uncompressed_size) {
 av_fast_padded_malloc(>uncompressed_data,
-  >uncompressed_size, uncompressed_size);
+  >uncompressed_size, uncompressed_size + 
64);/* Force 64 padding for AVX2 reorder_pixels dst */
 
 if (!td->uncompressed_data)
 return AVERROR(ENOMEM);
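Review bot: The `uncompressed_size + 64` passed to av_fast_padded_malloc() pads only the destination, and the 64 is a bare literal tied to the vector width of the asm. reorder_pixels also reads from td->tmp, whose allocation is outside this hunk; it should be confirmed that the source buffer has enough slack for a full-width load past the last pixel. A named constant declared next to the DSP prototype would keep the padding and the asm in step. If uncompressed_size is an int derived from header fields, the addition should also be checked against overflow before the call; the declaration is not visible here.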
@@ -1161,7 +1151,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 switch (s->compression) {
 case EXR_ZIP1:
 case EXR_ZIP16:
-ret = zip_uncompress(src, data_size, uncompressed_size, td);
+ret = zip_uncompress(s, src, data_size, uncompressed_size, td);
 break;
 case EXR_PIZ:
 ret = piz_uncompress(s, src, data_size, uncompressed_size, td);
@@ -1170,7 +1160,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 ret = pxr24_uncompress(s, src, data_size, uncompressed_size, td);
 break;
 case EXR_RLE:
-ret = rle_uncompress(src, data_size, uncompressed_size, td);
+ret = 

[FFmpeg-cvslog] avcodec/hevc_ps: Fix c?_qp_offset_list size

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Sep 10 21:10:17 2017 +0200| [61c5c89d043896217df12455aa036ee24df49ff0] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Fix c?_qp_offset_list size

Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]'
Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61c5c89d043896217df12455aa036ee24df49ff0
---

 libavcodec/hevc.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index be91010378..162ca0e582 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -539,8 +539,8 @@ typedef struct HEVCPPS {
 uint8_t chroma_qp_offset_list_enabled_flag;
 uint8_t diff_cu_chroma_qp_offset_depth;
 uint8_t chroma_qp_offset_list_len_minus1;
-int8_t  cb_qp_offset_list[5];
-int8_t  cr_qp_offset_list[5];
+int8_t  cb_qp_offset_list[6];
+int8_t  cr_qp_offset_list[6];
 uint8_t log2_sao_offset_scale_luma;
 uint8_t log2_sao_offset_scale_chroma;
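Review bot: The new bound in `int8_t  cb_qp_offset_list[6];` and `cr_qp_offset_list[6]` is a bare literal whose correctness depends on the parser, which is not part of this diff, rejecting chroma_qp_offset_list_len_minus1 above 5. That field is a uint8_t and can hold up to 255, so the array size alone does not bound the index; the range check at the parse site is what prevents a write past the end. A comment such as `/* indexed 0..chroma_qp_offset_list_len_minus1, which the parser must limit to 5 */`, or a shared constant used by both the declaration and that check, would keep the two from drifting apart.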
 



[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Sep  8 23:29:12 2017 +0200| [33e67eb80cf2d67198828f9430815ef319ffae6e] | 
committer: Michael Niedermayer

avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()

Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be 
represented in type 'int'
Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33e67eb80cf2d67198828f9430815ef319ffae6e
---

 libavcodec/jpeg2000dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index c746aed924..85a12d0e9b 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, 
int csize)
 
 for (i = 0; i < csize; i++) {
 i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
-i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
+i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) 
>> 16)
- (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
-i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
+i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 
16);
 *src0++ = i0;
 *src1++ = i1;
 *src2++ = i2;
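Review bot: Two products in the loop are still computed in signed int, `26345 * *src2` in the i0 line and `i_ict_params[2] * *src2` in the last term of i1, so the overflow this commit removes for the other two coefficients stays reachable through them for large sample values. The same unsigned-multiply form applies, e.g. `((int)((26345U * *src2) + (1 << 15)) >> 16)` and `((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16)`. The plain sums such as `*src0 + *src2 + ...` can overflow as well and may want the same treatment. ict_int's declarations are outside the hunk, so the element types are assumed to be int from the reported error.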



[FFmpeg-cvslog] avcodec/shorten: Move buffer allocation and offset init to end of read_header()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Sep 10 21:10:16 2017 +0200| [19045efd0573b1c54d10db04c7f5426a2741bf14] | 
committer: Michael Niedermayer

avcodec/shorten: Move buffer allocation and offset init to end of read_header()

They are time-consuming operations; performing them after the other checks
dramatically improves the speed with damaged input.

Fixes: Timeout
Fixes: 2928/clusterfuzz-testcase-4992812120539136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19045efd0573b1c54d10db04c7f5426a2741bf14
---

 libavcodec/shorten.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index a36a77210e..b56d205932 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -453,12 +453,6 @@ static int read_header(ShortenContext *s)
 }
 s->nwrap = FFMAX(NWRAP, maxnlpc);
 
-if ((ret = allocate_buffers(s)) < 0)
-return ret;
-
-if ((ret = init_offset(s)) < 0)
-return ret;
-
 if (s->version > 1)
 s->lpcqoffset = V2LPCQOFFSET;
 
@@ -494,6 +488,13 @@ static int read_header(ShortenContext *s)
 }
 
 end:
+
+if ((ret = allocate_buffers(s)) < 0)
+return ret;
+
+if ((ret = init_offset(s)) < 0)
+return ret;
+
 s->cur_chan = 0;
 s->bitshift = 0;
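Review bot: Placing `allocate_buffers(s)` and `init_offset(s)` after the `end:` label means every statement between their old position and the label now runs before the buffers exist. That stretch is not shown in either hunk, so it should be checked that nothing in it touches memory that allocate_buffers() provides. A comment above the calls, such as `/* allocate last so the cheap header checks reject damaged input first */`, would keep a later edit from moving them back.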
 



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Sep 10 01:32:51 2017 +0200| [4b43dd03eddeac40deabcbb3c73370a058251556] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

Fixes: runtime error: left shift of negative value -95
Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c225da68cffbea11270a758ff42859194c980863)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4b43dd03eddeac40deabcbb3c73370a058251556
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index b840d179c3..5bca02342d 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, 
ptrdiff_t _dststride,
 ox1 = ox1 * (1 << (BIT_DEPTH - 8));
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++) {
-dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + 
src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + 
src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1));
 }
 src  += srcstride;
 dst  += dststride;



[FFmpeg-cvslog] avformat/mov: Fix DoS in read_tfra()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Tue Sep  5 00:16:29 2017 +0200| [29b950521504a51f8b60dfcabe3cc141c4e01554] | 
committer: Michael Niedermayer

avformat/mov: Fix DoS in read_tfra()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29b950521504a51f8b60dfcabe3cc141c4e01554
---

 libavformat/mov.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 1815a7303f..a4474b43b3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4862,6 +4862,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
 }
 for (i = 0; i < index->item_count; i++) {
 int64_t time, offset;
+
+if (avio_feof(f)) {
+index->item_count = 0;
+av_freep(>items);
+return AVERROR_INVALIDDATA;
+}
+
 if (version == 1) {
 time   = avio_rb64(f);
 offset = avio_rb64(f);
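Review bot: The added `avio_feof(f)` test bounds the loop, but the items array that the new error path frees is allocated before the loop, outside this hunk, and is presumably sized from the item_count read from the file. If so, a short file that declares a very large item_count still costs one large allocation before the first EOF check runs. Comparing item_count with the amount of input that remains before allocating would cover that case as well. read_tfra starts and ends outside the hunk, so the allocation site could not be checked here.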



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Sep  1 19:56:11 2017 +0200| [5cc3add03695e6ebc6a924dee5fd12138e45bb45] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot 
be represented in type 'int'
Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cc3add03695e6ebc6a924dee5fd12138e45bb45
---

 libavcodec/dirac_dwt.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index e715e53bc4..adf5178714 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12))
+(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7))
+(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
 
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
 
 
 #endif /* AVCODEC_DWT_H */
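Review bot: In all four COMPOSE_DAUB97i* macros the new cast is written `(unsigned)b2` and the other arguments are used bare, so the cast binds only to the first token of whatever expression a caller passes. With a simple additive argument the sum still ends up unsigned through the usual conversions, but an argument containing a lower-precedence operator would regroup the whole expression. Writing `((b1) - ((int)(1817*((b0) + (unsigned)(b2)) + 2048) >> 12))` and likewise for the other three makes the macros safe for any argument. A one-line comment stating that the unsigned arithmetic is deliberate wraparound would also help the next reader.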



[FFmpeg-cvslog] avformat/asfdec: Fix DoS in asf_build_simple_index()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Tue Sep  5 00:16:29 2017 +0200| [5e7ddf0b4a697732b71cfc7e612ec0b62b75cca1] | 
committer: Michael Niedermayer

avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5e7ddf0b4a697732b71cfc7e612ec0b62b75cca1
---

 libavformat/asfdec_f.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 294fd345f5..2e9883b17e 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, 
int stream_index)
 int64_t pos   = s->internal->data_offset + s->packet_size * 
(int64_t)pktnum;
 int64_t index_pts = FFMAX(av_rescale(itime, i, 1) - 
asf->hdr.preroll, 0);
 
+if (avio_feof(s->pb)) {
+ret = AVERROR_INVALIDDATA;
+goto end;
+}
+
 if (pos != last_pos) {
 av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d  pts: 
%"PRId64"\n",
pktnum, pktct, index_pts);



[FFmpeg-cvslog] avcodec/diracdec: Fix overflow in DC computation

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Sep 10 01:32:50 2017 +0200| [10ae5fb2696103f46d74f069f7187883873002a6] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix overflow in DC computation

Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be 
represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b5995856a4236c27f231210bb08d70688e045192)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=10ae5fb2696103f46d74f069f7187883873002a6
---

 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index f92ff1b2ea..4f6de7af3d 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1343,7 +1343,7 @@ static void decode_block_params(DiracContext *s, 
DiracArith arith[8], DiracBlock
 if (!block->ref) {
 pred_block_dc(block, stride, x, y);
 for (i = 0; i < 3; i++)
-block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, 
CTX_DC_DATA);
+block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, 
CTX_DC_F1, CTX_DC_DATA);
 return;
 }
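Review bot: The `(unsigned)` cast added to the `block->u.dc[i] +=` line carries no comment, and a later cleanup could take it for a stray cast and drop it. With the cast the sum is computed modulo 2^32 and then converted back to the element type of `dc[]`, whose declaration is outside this hunk, so an out-of-range DC value from a damaged stream is wrapped rather than rejected. I would add `/* unsigned: the decoded delta can overflow int on damaged input; wrap instead of UB */` above the loop. decode_block_params starts and ends outside the hunk.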
 



[FFmpeg-cvslog] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.1 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [92ec4eacf9649501dd8e06b97af87c428ca06556] | committer: 
Michael Niedermayer

avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92ec4eacf9649501dd8e06b97af87c428ca06556
---

 libavformat/mxfdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 5de13cca19..053ad24539 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -888,6 +888,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
 segment->nb_index_entries = avio_rb32(pb);
 
 length = avio_rb32(pb);
+if(segment->nb_index_entries && length < 11)
+return AVERROR_INVALIDDATA;
 
 if 
(!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, 
sizeof(*segment->temporal_offset_entries))) ||
 !(segment->flag_entries  = 
av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
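Review bot: `segment->nb_index_entries` still reaches the `av_calloc()` calls with no upper bound, so a segment header can request very large allocations before the `avio_feof(pb)` test added in the next hunk can stop the read loop. The new `length < 11` test also uses a bare number; presumably 11 is the fixed part of one index entry that the loop consumes, which deserves a named constant or a comment such as `/* each index entry has 11 bytes of fixed fields */`. If the size of the enclosing packet is available to mxf_read_index_entry_array (not visible here), comparing the entry count against it before allocating would close the gap. The function body continues outside both hunks.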
@@ -898,6 +900,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
 }
 
 for (i = 0; i < segment->nb_index_entries; i++) {
+if(avio_feof(pb))
+return AVERROR_INVALIDDATA;
 segment->temporal_offset_entries[i] = avio_r8(pb);
 avio_r8(pb);/* KeyFrameOffset 
*/
 segment->flag_entries[i] = avio_r8(pb);



[FFmpeg-cvslog] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.1 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [22dbd1eb31d6ece0f448565a25f0cdab2a919068] | committer: 
Michael Niedermayer

avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=22dbd1eb31d6ece0f448565a25f0cdab2a919068
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 053ad24539..cbabd4b239 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -492,7 +492,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, 
int tag, int size, U
 avpriv_request_sample(pb, "Primer pack item length %d", item_len);
 return AVERROR_PATCHWELCOME;
 }
-if (item_num > 65536) {
+if (item_num > 65536 || item_num < 0) {
 av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
 return AVERROR_INVALIDDATA;
 }
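Review bot: The error text on this path still reads `item_num %d is too large`, which is wrong for the negative values that the new `item_num < 0` test now sends there and will mislead whoever triages the log. I would change the message to `"item_num %d is out of range\n"`. Reading the count into an unsigned variable would make the second comparison unnecessary, but the declaration of `item_num` is outside the hunk, so that is only a suggestion to check.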



[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Sep  1 19:56:10 2017 +0200| [93a32c15a84936064afc89ace5aea9e6c8c1] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()

Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot 
be represented in type 'int'
Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400
Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93a32c15a84936064afc89ace5aea9e6c8c1
---

 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 6f6a0ece45..f92ff1b2ea 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -594,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
 } \
 
 INTRA_DC_PRED(8, int16_t)
-INTRA_DC_PRED(10, int32_t)
+INTRA_DC_PRED(10, uint32_t)
 
 /**
  * Dirac Specification ->
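Review bot: Nothing at the `INTRA_DC_PRED(10, uint32_t)` instantiation says why the 10-bit variant uses an unsigned type while the 8-bit one stays `int16_t`, so the asymmetry looks like a typo to the next reader. The macro body is outside this hunk; if it divides, shifts right or compares values of the passed type, those operations now act on unsigned values and should be re-checked. I would add `/* uint32_t: DC sums can wrap on damaged streams; unsigned keeps the wrap defined */` above the line.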



[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sat Aug 26 14:00:55 2017 +0200| [fcc2119eac26e7949a1a2149bf2bf3dd98b07d8b] | 
committer: Michael Niedermayer

avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()

Fixes: runtime error: signed integer overflow: 8903997421129740175 + 
354481484684609529 cannot be represented in type 'long'
Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fcc2119eac26e7949a1a2149bf2bf3dd98b07d8b
---

 libavcodec/sbrdsp_fixed.c | 36 ++--
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index 7d593a18b8..f45bb847a8 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int 
x[40][2], SoftFloat phi[3][
 
 if (lag) {
 for (i = 1; i < 38; i++) {
-accu_re += (int64_t)x[i][0] * x[i+lag][0];
-accu_re += (int64_t)x[i][1] * x[i+lag][1];
-accu_im += (int64_t)x[i][0] * x[i+lag][1];
-accu_im -= (int64_t)x[i][1] * x[i+lag][0];
+accu_re += (uint64_t)x[i][0] * x[i+lag][0];
+accu_re += (uint64_t)x[i][1] * x[i+lag][1];
+accu_im += (uint64_t)x[i][0] * x[i+lag][1];
+accu_im -= (uint64_t)x[i][1] * x[i+lag][0];
 }
 
 real_sum = accu_re;
 imag_sum = accu_im;
 
-accu_re += (int64_t)x[ 0][0] * x[lag][0];
-accu_re += (int64_t)x[ 0][1] * x[lag][1];
-accu_im += (int64_t)x[ 0][0] * x[lag][1];
-accu_im -= (int64_t)x[ 0][1] * x[lag][0];
+accu_re += (uint64_t)x[ 0][0] * x[lag][0];
+accu_re += (uint64_t)x[ 0][1] * x[lag][1];
+accu_im += (uint64_t)x[ 0][0] * x[lag][1];
+accu_im -= (uint64_t)x[ 0][1] * x[lag][0];
 
 phi[2-lag][1][0] = autocorr_calc(accu_re);
 phi[2-lag][1][1] = autocorr_calc(accu_im);
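Review bot: The eighteen `(uint64_t)` casts in this hunk and the one that follows are correct only if the negative `int` samples are meant to be converted modulo 2^64 and the accumulators convert the unsigned sum back as expected; neither is stated, and the declarations of `accu_re` and `accu_im` are outside the hunk. If the accumulators are still `int64_t`, each `+=` ends in an unsigned-to-signed conversion that C leaves implementation-defined. I would add one comment before the first loop, `/* unsigned arithmetic: sums may wrap on invalid input, which must not be UB */`, and consider a small `static inline` multiply-accumulate helper so the cast lives in one place.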
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int 
x[40][2], SoftFloat phi[3][
 if (lag == 1) {
 accu_re = real_sum;
 accu_im = imag_sum;
-accu_re += (int64_t)x[38][0] * x[39][0];
-accu_re += (int64_t)x[38][1] * x[39][1];
-accu_im += (int64_t)x[38][0] * x[39][1];
-accu_im -= (int64_t)x[38][1] * x[39][0];
+accu_re += (uint64_t)x[38][0] * x[39][0];
+accu_re += (uint64_t)x[38][1] * x[39][1];
+accu_im += (uint64_t)x[38][0] * x[39][1];
+accu_im -= (uint64_t)x[38][1] * x[39][0];
 
 phi[0][0][0] = autocorr_calc(accu_re);
 phi[0][0][1] = autocorr_calc(accu_im);
 }
 } else {
 for (i = 1; i < 38; i++) {
-accu_re += (int64_t)x[i][0] * x[i][0];
-accu_re += (int64_t)x[i][1] * x[i][1];
+accu_re += (uint64_t)x[i][0] * x[i][0];
+accu_re += (uint64_t)x[i][1] * x[i][1];
 }
 real_sum = accu_re;
-accu_re += (int64_t)x[ 0][0] * x[ 0][0];
-accu_re += (int64_t)x[ 0][1] * x[ 0][1];
+accu_re += (uint64_t)x[ 0][0] * x[ 0][0];
+accu_re += (uint64_t)x[ 0][1] * x[ 0][1];
 
 phi[2][1][0] = autocorr_calc(accu_re);
 
 accu_re = real_sum;
-accu_re += (int64_t)x[38][0] * x[38][0];
-accu_re += (int64_t)x[38][1] * x[38][1];
+accu_re += (uint64_t)x[38][0] * x[38][0];
+accu_re += (uint64_t)x[38][1] * x[38][1];
 
 phi[1][0][0] = autocorr_calc(accu_re);
 }



[FFmpeg-cvslog] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.1 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [5d67851392135e3a76051b18eaf2206f79069ad2] | committer: 
Michael Niedermayer

avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d67851392135e3a76051b18eaf2206f79069ad2
---

 libavformat/nsvdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 507fb396a5..16d2fa59e2 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 if (!nsv->nsvs_file_offset)
 return AVERROR(ENOMEM);
 
-for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size;
+}
 
 if(table_entries > table_entries_used &&
avio_rl32(pb) == MKTAG('T','O','C','2')) {



[FFmpeg-cvslog] avcodec/hevc_ps: Fix undefined shift in pcm code

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Aug 27 23:59:09 2017 +0200| [f69905e2305b180086a240fb5a38862706922dc4] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Fix undefined shift in pcm code

Fixes: runtime error: shift exponent -1 is negative
Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f69905e2305b180086a240fb5a38862706922dc4
---

 libavcodec/hevc_ps.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index b58689ab68..c1b69a0199 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1014,10 +1014,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, 
unsigned int *sps_id,
 sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3;
 sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size +
 get_ue_golomb_long(gb);
-if (sps->pcm.bit_depth > sps->bit_depth) {
+if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > 
sps->bit_depth) {
 av_log(avctx, AV_LOG_ERROR,
-   "PCM bit depth (%d) is greater than normal bit depth 
(%d)\n",
-   sps->pcm.bit_depth, sps->bit_depth);
+   "PCM bit depth (%d, %d) is greater than normal bit depth 
(%d)\n",
+   sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, 
sps->bit_depth);
 return AVERROR_INVALIDDATA;
 }
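Review bot: The widened test compares `sps->pcm.bit_depth_chroma` against `sps->bit_depth`, which by its name is the luma depth, so it is only right if chroma and luma depth are known to be equal at this point. If ff_hevc_parse_sps rejects streams with differing depths earlier (not visible in this hunk), a comment such as `/* luma and chroma bit depth are equal here, see the check above */` would record that dependency; otherwise the chroma PCM depth should be compared with the chroma bit depth. The function starts and ends outside the hunk.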
 



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Mon Aug 28 00:30:33 2017 +0200| [0e4612ea68261d84d47a15aa88210abfd0184850] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be 
represented in type 'int'
Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e4612ea68261d84d47a15aa88210abfd0184850
---

 libavcodec/snowdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 4ebfa07c6a..0ac0b55012 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -140,7 +140,7 @@ static inline void 
decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli
 v = b->x_coeff[new_index].coeff;
 x = b->x_coeff[new_index++].x;
 while(x < w){
-register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT;
+register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT;
 register int u= -(v&1);
 line[x] = (t^u) - u;
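Review bot: In the new `register int t= (int)( ... )>>QEXPSHIFT;` line the `(int)` cast binds before the shift, which is easy to misread as a cast of the shifted value, and nothing says why `qmul` is made unsigned. I would add `/* multiply as unsigned so an oversized coefficient wraps instead of overflowing int; convert back before the arithmetic shift */` and put explicit parentheses around the cast operand. Other dequantisation sites that use the same `(v>>1)*qmul + qadd` expression, if there are any outside this hunk, would need the same treatment.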
 



[FFmpeg-cvslog] avformat/rl2: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:29 2017 +0200| 
[953c6259d601bcda1d5045339913af1978be41fe] | committer: Michael Niedermayer

avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=953c6259d601bcda1d5045339913af1978be41fe
---

 libavformat/rl2.c | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1d9a..eb1682dfcb 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
 }
 
 /** read offset and size tables */
-for(i=0; i < frame_count;i++)
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 chunk_size[i] = avio_rl32(pb);
-for(i=0; i < frame_count;i++)
+}
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 chunk_offset[i] = avio_rl32(pb);
-for(i=0; i < frame_count;i++)
+}
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 audio_size[i] = avio_rl32(pb) & 0x;
+}
 
 /** build the sample index */
 for(i=0;i
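Review bot: The three new `return AVERROR_INVALIDDATA;` statements leave rl2_read_header from inside loops that fill `chunk_size`, `chunk_offset` and `audio_size`. If those are heap buffers allocated earlier in the function (the allocation is outside this hunk), each early return skips their release, trading the hang for a leak on the same truncated input. Setting `ret = AVERROR_INVALIDDATA;` and jumping to a single cleanup label that frees all three would keep the fix leak-free. The listing of this hunk is also cut short on the page, so the code after the last loop could not be checked.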

[FFmpeg-cvslog] avformat/hls: Fix DoS due to infinite loop

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sat Aug 26 01:26:58 2017 +0200| [0d32491b74947bdb0d2be04d8ca909ff9406660d] | 
committer: Michael Niedermayer

avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better 
solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d32491b74947bdb0d2be04d8ca909ff9406660d
---

 doc/demuxers.texi | 18 ++
 libavformat/hls.c |  7 +++
 2 files changed, 25 insertions(+)

diff --git a/doc/demuxers.texi b/doc/demuxers.texi
index 25b12a8977..d75dc9497e 100644
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -306,6 +306,24 @@ used to end the output video at the length of the shortest 
input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.
 
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 
 Image file demuxer.
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 3b89ae5a7c..087885a121 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -204,6 +204,7 @@ typedef struct HLSContext {
 AVDictionary *avio_opts;
 int strict_std_compliance;
 char *allowed_extensions;
+int max_reload;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1254,6 +1255,7 @@ static int read_data(void *opaque, uint8_t *buf, int 
buf_size)
 HLSContext *c = v->parent->priv_data;
 int ret, i;
 int just_opened = 0;
+int reload_count = 0;
 
 restart:
 if (!v->needed)
@@ -1285,6 +1287,9 @@ restart:
 reload_interval = default_reload_interval(v);
 
 reload:
+reload_count++;
+if (reload_count > c->max_reload)
+return AVERROR_EOF;
 if (!v->finished &&
 av_gettime_relative() - v->last_load_time >= reload_interval) {
 if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
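Review bot: `reload_count` is incremented before it is compared, and the `max_reload` option in the hls_options hunk accepts 0 as its minimum, so with `max_reload=0` the first pass through `reload:` already returns `AVERROR_EOF`. Either raise the option's lower bound to 1 or document 0 as "never reload" in both the option help and doc/demuxers.texi. The limit is also hit silently; a warning log before the return would let an operator tell a capped reload loop from a real end of stream. read_data begins and ends outside these hunks.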
@@ -2062,6 +2067,8 @@ static const AVOption hls_options[] = {
 OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
 {.str = 
"3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
 INT_MIN, INT_MAX, FLAGS},
+{"max_reload", "Maximum number of times a insufficient list is attempted 
to be reloaded",
+OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
 {NULL}
 };
 



[FFmpeg-cvslog] avformat/rmdec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:28 2017 +0200| 
[770482def3b3064e236f9a0e1b6f5d0ca35ae7e2] | committer: Michael Niedermayer

avformat/rmdec: Fix DoS due to lack of eof check

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=770482def3b3064e236f9a0e1b6f5d0ca35ae7e2
---

 libavformat/rmdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 0809b0b251..c4f3e59676 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1235,8 +1235,11 @@ static int ivr_read_header(AVFormatContext *s)
 av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
 } else if (type == 4) {
 av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-for (j = 0; j < len; j++)
+for (j = 0; j < len; j++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+}
 av_log(s, AV_LOG_DEBUG, "'\n");
 } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", 
tlen)) {
 nb_streams = value = avio_rb32(pb);



[FFmpeg-cvslog] ffprobe: Fix NULL pointer handling in color parameter printing

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Tue Aug 22 17:27:17 2017 +0200| [d4a333f00b5015e402d92ed2f4205a4102e6ab31] | 
committer: Michael Niedermayer

ffprobe: Fix NULL pointer handling in color parameter printing

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 351e28f9a799d933dd10c964dca7219fa13b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4a333f00b5015e402d92ed2f4205a4102e6ab31
---

 ffprobe.c | 62 --
 1 file changed, 44 insertions(+), 18 deletions(-)

diff --git a/ffprobe.c b/ffprobe.c
index 9b14541a9f..25678040f8 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -1789,6 +1789,26 @@ static void print_pkt_side_data(WriterContext *w,
 writer_print_section_footer(w);
 }
 
+static void print_color_range(WriterContext *w, enum AVColorRange color_range, 
const char *fallback)
+{
+const char *val = av_color_range_name(color_range);
+if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
+print_str_opt("color_range", fallback);
+} else {
+print_str("color_range", val);
+}
+}
+
+static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
+{
+const char *val = av_color_space_name(color_space);
+if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
+print_str_opt("color_space", "unknown");
+} else {
+print_str("color_space", val);
+}
+}
+
 static void print_primaries(WriterContext *w, enum AVColorPrimaries 
color_primaries)
 {
 const char *val = av_color_primaries_name(color_primaries);
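Review bot: `print_color_space()` calls `av_color_space_name()`, while the code it replaces in show_stream called `av_get_colorspace_name()`, and the commit message does not mention the switch. If the two functions return different strings for the same enum value, ffprobe's `color_space` output changes for consumers that parse it, which is a lot for a backport described as a NULL fix. The five helpers across this hunk and the next also differ only in key, name function and fallback (`"N/A"`, `"unknown"`, `"unspecified"`), and only `print_color_range` takes the fallback as a parameter. One helper taking key, value and fallback would keep the NULL test in a single place.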
@@ -1799,6 +1819,26 @@ static void print_primaries(WriterContext *w, enum 
AVColorPrimaries color_primar
 }
 }
 
+static void print_color_trc(WriterContext *w, enum 
AVColorTransferCharacteristic color_trc)
+{
+const char *val = av_color_transfer_name(color_trc);
+if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
+print_str_opt("color_transfer", "unknown");
+} else {
+print_str("color_transfer", val);
+}
+}
+
+static void print_chroma_location(WriterContext *w, enum AVChromaLocation 
chroma_location)
+{
+const char *val = av_chroma_location_name(chroma_location);
+if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
+print_str_opt("chroma_location", "unspecified");
+} else {
+print_str("chroma_location", val);
+}
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int 
packet_idx)
 {
 char val_str[128];
@@ -2253,26 +2293,12 @@ static int show_stream(WriterContext *w, 
AVFormatContext *fmt_ctx, int stream_id
 if (s) print_str("pix_fmt", s);
 else   print_str_opt("pix_fmt", "unknown");
 print_int("level",   par->level);
-if (par->color_range != AVCOL_RANGE_UNSPECIFIED)
-print_str("color_range", 
av_color_range_name(par->color_range));
-else
-print_str_opt("color_range", "N/A");
-
-s = av_get_colorspace_name(par->color_space);
-if (s) print_str("color_space", s);
-else   print_str_opt("color_space", "unknown");
-
-if (par->color_trc != AVCOL_TRC_UNSPECIFIED)
-print_str("color_transfer", 
av_color_transfer_name(par->color_trc));
-else
-print_str_opt("color_transfer", 
av_color_transfer_name(par->color_trc));
 
+print_color_range(w, par->color_range, "N/A");
+print_color_space(w, par->color_space);
+print_color_trc(w, par->color_trc);
 print_primaries(w, par->color_primaries);
-
-if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
-print_str("chroma_location", 
av_chroma_location_name(par->chroma_location));
-else
-print_str_opt("chroma_location", 
av_chroma_location_name(par->chroma_location));
+print_chroma_location(w, par->chroma_location);
 
 #if FF_API_PRIVATE_OPT
 if (dec_ctx && dec_ctx->timecode_frame_start >= 0) {



[FFmpeg-cvslog] ffprobe: Fix null pointer dereference with color primaries

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Tue Aug 22 11:02:38 2017 +0200| [5ff09443c5168e27b1708a314b6385440cfe8a4c] | 
committer: Michael Niedermayer

ffprobe: Fix null pointer dereference with color primaries

Found-by: AD-lab of venustech
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5ff09443c5168e27b1708a314b6385440cfe8a4c
---

 ffprobe.c | 15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/ffprobe.c b/ffprobe.c
index aee9ba982c..9b14541a9f 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w,
 writer_print_section_footer(w);
 }
 
+static void print_primaries(WriterContext *w, enum AVColorPrimaries 
color_primaries)
+{
+const char *val = av_color_primaries_name(color_primaries);
+if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+print_str_opt("color_primaries", "unknown");
+} else {
+print_str("color_primaries", val);
+}
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int 
packet_idx)
 {
 char val_str[128];
@@ -2257,10 +2267,7 @@ static int show_stream(WriterContext *w, AVFormatContext 
*fmt_ctx, int stream_id
 else
 print_str_opt("color_transfer", 
av_color_transfer_name(par->color_trc));
 
-if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-print_str("color_primaries", 
av_color_primaries_name(par->color_primaries));
-else
-print_str_opt("color_primaries", 
av_color_primaries_name(par->color_primaries));
+print_primaries(w, par->color_primaries);
 
 if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
 print_str("chroma_location", 
av_chroma_location_name(par->chroma_location));



[FFmpeg-cvslog] avformat/mvdec: Fix DoS due to lack of eof check

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Aug 25 01:15:30 2017 +0200| [28c08ab9434b839f19e8c12668bacd6361beba80] | 
committer: Michael Niedermayer

avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=28c08ab9434b839f19e8c12668bacd6361beba80
---

 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 80ef4b1569..e9e9fab503 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
 uint32_t pos   = avio_rb32(pb);
 uint32_t asize = avio_rb32(pb);
 uint32_t vsize = avio_rb32(pb);
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 avio_skip(pb, 8);
 av_add_index_entry(ast, pos, timestamp, asize, 0, 
AVINDEX_KEYFRAME);
 av_add_index_entry(vst, pos + asize, i, vsize, 0, 
AVINDEX_KEYFRAME);
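Review bot: `pos + asize` in the second `av_add_index_entry()` call is evaluated in `uint32_t`, so for file-supplied values near the top of the range it wraps before being passed as the entry position, and the new EOF test does not catch that. Writing `(int64_t)pos + asize` keeps the sum exact. The enclosing loop of mv_read_header is outside the hunk, so whether the early `return AVERROR_INVALIDDATA;` skips any cleanup could not be checked.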



[FFmpeg-cvslog] avformat/asfdec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 12:37:25 2017 +0200| 
[0eb399381a2b3429980aa939bcd4dfbf0780f140] | committer: Michael Niedermayer

avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0eb399381a2b3429980aa939bcd4dfbf0780f140
---

 libavformat/asfdec_f.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 2c81b138f2..294fd345f5 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t 
size)
 count = avio_rl32(pb);// markers count
 avio_rl16(pb);// reserved 2 bytes
 name_len = avio_rl16(pb); // name length
-for (i = 0; i < name_len; i++)
-avio_r8(pb); // skip the name
+avio_skip(pb, name_len);
 
 for (i = 0; i < count; i++) {
 int64_t pres_time;
 int name_len;
 
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
+
 avio_rl64(pb); // offset, 8 bytes
 pres_time = avio_rl64(pb); // presentation time
 pres_time -= asf->hdr.preroll * 1;



[FFmpeg-cvslog] avformat/cinedec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:27 2017 +0200| 
[64aa8bb886a157af1e784de28839041cc6f5be81] | committer: Michael Niedermayer

avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64aa8bb886a157af1e784de28839041cc6f5be81
---

 libavformat/cinedec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index 0efedda1a3..545c97ad43 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 
 /* parse image offsets */
 avio_seek(pb, offImageOffsets, SEEK_SET);
-for (i = 0; i < st->duration; i++)
+for (i = 0; i < st->duration; i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
+
 av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+}
 
 return 0;
 }
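Review bot: The return value of `av_add_index_entry()` is still discarded inside the loop that this hunk touches, so an allocation failure while the index grows goes unnoticed and the loop keeps reading. Since the iteration count `st->duration` is presumably taken from the file header, I would stop on the first failure, for example `if (av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`. The start of cine_read_header is outside the hunk.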



[FFmpeg-cvslog] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Mon Aug 21 00:18:48 2017 +0200| [0575adfd4a59a0cef51e3ca081896a348c07c12e] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0575adfd4a59a0cef51e3ca081896a348c07c12e
---

 libavcodec/hevc_ps.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 87e807bdd3..b58689ab68 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, 
AVCodecContext *avctx,
 prev = 0;
 for (i = 0; i < rps->num_negative_pics; i++) {
 delta_poc = get_ue_golomb_long(gb) + 1;
+if (delta_poc < 1 || delta_poc > 32768) {
+av_log(avctx, AV_LOG_ERROR,
+"Invalid value of delta_poc: %d\n",
+delta_poc);
+return AVERROR_INVALIDDATA;
+}
 prev -= delta_poc;
 rps->delta_poc[i] = prev;
 rps->used[i]  = get_bits1(gb);
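Review bot: The range test `delta_poc < 1 || delta_poc > 32768` and its log call are pasted twice, here and in the positive-pictures loop of the next hunk, with a bare limit that has no stated origin. A named constant with a one-line comment giving the source of the bound, plus a small `static` helper that performs the test and the log, would keep the two loops from drifting apart. The declaration of `delta_poc` is outside the hunk; the `< 1` half only catches the wrap of `get_ue_golomb_long(gb) + 1` if the variable is signed, which is worth noting in that comment.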
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, 
AVCodecContext *avctx,
 prev = 0;
 for (i = 0; i < nb_positive_pics; i++) {
 delta_poc = get_ue_golomb_long(gb) + 1;
+if (delta_poc < 1 || delta_poc > 32768) {
+av_log(avctx, AV_LOG_ERROR,
+"Invalid value of delta_poc: %d\n",
+delta_poc);
+return AVERROR_INVALIDDATA;
+}
 prev += delta_poc;
 rps->delta_poc[rps->num_negative_pics + i] = prev;
 rps->used[rps->num_negative_pics + i]  = get_bits1(gb);



[FFmpeg-cvslog] avformat/rtpdec_h264: Fix heap-buffer-overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Wed Aug 23 21:30:37 2017 +0200| [5351c8bd46e23168b1aed8f92779fb1a20a7214a] | 
committer: Michael Niedermayer

avformat/rtpdec_h264: Fix heap-buffer-overflow

Fixes: rtp_sdp/poc.sdp

Found-by: Bingchang 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5351c8bd46e23168b1aed8f92779fb1a20a7214a
---

 libavformat/rtpdec_h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c
index 8dd56a549e..6f8148ab6d 100644
--- a/libavformat/rtpdec_h264.c
+++ b/libavformat/rtpdec_h264.c
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s,
 parse_profile_level_id(s, h264_data, value);
 } else if (!strcmp(attr, "sprop-parameter-sets")) {
 int ret;
-if (value[strlen(value) - 1] == ',') {
+if (*value == 0 || value[strlen(value) - 1] == ',') {
 av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, 
ignoring\n");
 return 0;
 }
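Review bot: The added `*value == 0` test is what keeps `value[strlen(value) - 1]` from indexing with a wrapped `size_t` on an empty attribute, but nothing in the code says so. A comment like `/* empty value: strlen(value) - 1 would wrap and read outside the buffer */` on the condition would document why the order of the two tests matters. The warning text still says "Missing PPS" for the empty case, where the whole parameter-set list is absent; consider wording it to cover both. The enclosing function starts and ends outside the hunk.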



[FFmpeg-cvslog] avformat/aviobuf: Fix signed integer overflow in avio_seek()

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.1 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[6622be010b09368f57bfd09715386a373d79066c] | committer: Michael Niedermayer

avformat/aviobuf: Fix signed integer overflow in avio_seek()

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6622be010b09368f57bfd09715386a373d79066c
---

 libavformat/aviobuf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 95793c92cd..2c56adb307 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int 
whence)
 offset1 = pos + (s->buf_ptr - s->buffer);
 if (offset == 0)
 return offset1;
+if (offset > INT64_MAX - offset1)
+return AVERROR(EINVAL);
 offset += offset1;
 }
 if (offset < 0)
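Review bot: The new guard `offset > INT64_MAX - offset1` is only overflow-free itself when `offset1` is non-negative, and the hunk does not show that being established. If `pos + (s->buf_ptr - s->buffer)` can never be negative here, a comment such as `/* offset1 >= 0, so INT64_MAX - offset1 cannot overflow */` would record the assumption; if it can, the subtraction needs its own check. The computation of `offset1` is also a signed addition that this commit leaves unchecked. The rest of avio_seek() lies outside the hunk.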



[FFmpeg-cvslog] avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Mon Aug 21 02:15:49 2017 +0200| [1fa31e28fd5d8d5c8e784b9e6c84c1ec7bffd3d4] | 
committer: Michael Niedermayer

avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Previous version reviewed-by: Alex Converse 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1fa31e28fd5d8d5c8e784b9e6c84c1ec7bffd3d4
---

 libavcodec/aacdec_template.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index b3ce500973..7819d710bf 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 const MPEG4AudioConfig *const m4ac = >oc[1].m4ac;
 const int aot = m4ac->object_type;
 const int sampling_index = m4ac->sampling_index;
+int ret_fail = AVERROR_INVALIDDATA;
+
 if (aot != AOT_ER_AAC_ELD) {
 if (get_bits1(gb)) {
 av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 ics->num_swb   =ff_aac_num_swb_512[sampling_index];
 ics->tns_max_bands =  ff_tns_max_bands_512[sampling_index];
 }
-if (!ics->num_swb || !ics->swb_offset)
-return AVERROR_BUG;
+if (!ics->num_swb || !ics->swb_offset) {
+ret_fail = AVERROR_BUG;
+goto fail;
+}
 } else {
 ics->swb_offset=ff_swb_offset_1024[sampling_index];
 ics->num_swb   =   ff_aac_num_swb_1024[sampling_index];
@@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 if (aot == AOT_ER_AAC_LD) {
 av_log(ac->avctx, AV_LOG_ERROR,
"LTP in ER AAC LD not yet implemented.\n");
-return AVERROR_PATCHWELCOME;
+ret_fail = AVERROR_PATCHWELCOME;
+goto fail;
 }
 if ((ics->ltp.present = get_bits(gb, 1)))
 decode_ltp(>ltp, gb, ics->max_sfb);
@@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 return 0;
 fail:
 ics->max_sfb = 0;
-return AVERROR_INVALIDDATA;
+return ret_fail;
 }
 
 /**
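Review bot: The `fail:` label now serves three different error codes, but the only cleanup it performs is `ics->max_sfb = 0;` and there is no comment saying why that one field is what has to be reset. A line such as `/* invalidate max_sfb so callers never use band data from a rejected header */` above the assignment would help; that wording is inferred from the commit message ("out of array read") and should be checked against the callers. Other fields written earlier in the function, for example `ics->swb_offset` and `ics->num_swb` in the second hunk, keep their new values on the failure path, and whether that is safe is not visible here. Declaring `ret_fail` with its `AVERROR_INVALIDDATA` default far from the label also makes the default easy to miss.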



[FFmpeg-cvslog] avformat/mov: Fix signed integer overflows with total_size

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.1 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[7b6dba892f63a620d4510c9114f414cfa6435942] | committer: Michael Niedermayer

avformat/mov: Fix signed integer overflows with total_size

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b6dba892f63a620d4510c9114f414cfa6435942
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index a77d6908e3..1815a7303f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4415,7 +4415,7 @@ static int mov_read_default(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 
 if (atom.size < 0)
 atom.size = INT64_MAX;
-while (total_size + 8 <= atom.size && !avio_feof(pb)) {
+while (total_size <= atom.size - 8 && !avio_feof(pb)) {
 int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
 a.size = atom.size;
 a.type=0;



[FFmpeg-cvslog] avcodec/me_cmp: Fix crashes on ARM due to misalignment

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sat Aug 19 23:38:58 2017 +0200| [3ee6a9cfb44c9ffbaf47f5a66f698fa222e8b92d] | 
committer: Michael Niedermayer

avcodec/me_cmp: Fix crashes on ARM due to misalignment

Adds a diff_pixels_unaligned()

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503

Signed-off-by: Michael Niedermayer 
(cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ee6a9cfb44c9ffbaf47f5a66f698fa222e8b92d
---

 libavcodec/me_cmp.c   | 10 +-
 libavcodec/pixblockdsp.c  |  1 +
 libavcodec/pixblockdsp.h  |  5 +
 libavcodec/x86/pixblockdsp_init.c |  2 ++
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c
index dc76b07ba2..4234000487 100644
--- a/libavcodec/me_cmp.c
+++ b/libavcodec/me_cmp.c
@@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 s->fdsp.fdct(temp);
 return s->mecc.sum_abs_dctelem(temp);
 }
@@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1,
 int16_t dct[8][8];
 int i, sum = 0;
 
-s->pdsp.diff_pixels(dct[0], src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride);
 
 #define SRC(x) dct[i][x]
 #define DST(x, v) dct[i][x] = v
@@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 s->fdsp.fdct(temp);
 
 for (i = 0; i < 64; i++)
@@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1,
 av_assert2(h == 8);
 s->mb_intra = 0;
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 
 memcpy(bak, temp, 64 * sizeof(int16_t));
 
@@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, 
uint8_t *src2,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 
 s->block_last_index[0 /* FIXME */] =
 last   =
diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c
index f0883d3d08..6152fe40c3 100644
--- a/libavcodec/pixblockdsp.c
+++ b/libavcodec/pixblockdsp.c
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, 
AVCodecContext *avctx)
 {
 const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8;
 
+c->diff_pixels_unaligned =
 c->diff_pixels = diff_pixels_c;
 
 switch (avctx->bits_per_raw_sample) {
diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h
index 79ed86c3a6..b14514de7e 100644
--- a/libavcodec/pixblockdsp.h
+++ b/libavcodec/pixblockdsp.h
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext {
 const uint8_t *s1 /* align 8 */,
 const uint8_t *s2 /* align 8 */,
 int stride);
+void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */,
+const uint8_t *s1,
+const uint8_t *s2,
+int stride);
+
 } PixblockDSPContext;
 
 void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx);
diff --git a/libavcodec/x86/pixblockdsp_init.c 
b/libavcodec/x86/pixblockdsp_init.c
index 4d06a44c6d..b9027dee54 100644
--- a/libavcodec/x86/pixblockdsp_init.c
+++ b/libavcodec/x86/pixblockdsp_init.c
@@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c,
 if (EXTERNAL_MMX(cpu_flags)) {
 if (!high_bit_depth)
 c->get_pixels = ff_get_pixels_mmx;
+c->diff_pixels_unaligned =
 c->diff_pixels = ff_diff_pixels_mmx;
 }
 
 if (EXTERNAL_SSE2(cpu_flags)) {
 if (!high_bit_depth)
 c->get_pixels = ff_get_pixels_sse2;
+c->diff_pixels_unaligned =
 c->diff_pixels = ff_diff_pixels_sse2;
 }
 }
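Review bot: In both the MMX and SSE2 branches `diff_pixels_unaligned` is pointed at the same routine as `diff_pixels`, so on x86 the new pointer gives no separate guarantee about `s1`/`s2` alignment. That is fine only if `ff_diff_pixels_mmx` and `ff_diff_pixels_sse2` accept unaligned sources, which cannot be confirmed from this hunk; a comment such as `/* x86 versions do not require aligned s1/s2 */` would record it. Init functions for other architectures are not part of this diff; presumably they leave `diff_pixels_unaligned` at the C fallback set in ff_pixblockdsp_init(), and that contract should be stated in pixblockdsp.h next to the new member.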



[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Aug 18 16:42:58 2017 +0200| [b2f99c424f154df4f912c8ed24f6f99a211fe9cd] | 
committer: Michael Niedermayer

avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be 
represented in type 'int'
Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b2f99c424f154df4f912c8ed24f6f99a211fe9cd
---

 libavcodec/dirac_dwt_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 972c711cff..e436c247a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, 
uint8_t *_b1, uint8_t *_
 TYPE *b1 = (TYPE *)_b1;
 TYPE *b2 = (TYPE *)_b2;
 for (i = 0; i < width; i++)
-b1[i] -= (b0[i] + b2[i] + 2) >> 2;
+b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
 }
 
 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE 
*src1, int w2,
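Review bot: The unsigned cast makes the sum `b0[i] + b2[i] + 2` wrap instead of overflowing, but the compound assignment `b1[i] -= ...` is still a signed subtraction. If TYPE is a 32-bit type in one of the template instantiations, that subtraction can overflow in the same way; `b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);` would keep it in unsigned arithmetic. The expression also depends on `(int)` binding tighter than `>>` and on arithmetic right shift of negative values, so a one-line comment to that effect would help. The other compose functions in this file are outside the hunk and may need the same treatment.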



[FFmpeg-cvslog] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.1 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[edac232860366fc954dc93f4610f76b6062ba933] | committer: Michael Niedermayer

avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy 
initialization

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edac232860366fc954dc93f4610f76b6062ba933
---

 libavcodec/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 01d61597a8..c4af9cbb17 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1540,7 +1540,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 }
 
 if (!avctx->rc_initial_buffer_occupancy)
-avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
+avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 
4;
 
 if (avctx->ticks_per_frame && avctx->time_base.num &&
 avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {



[FFmpeg-cvslog] avcodec/fic: Fixes signed integer overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Thu Aug 17 18:24:37 2017 +0200| [96d5786027445bf01ab47212a1a71b9d2f2ea2df] | 
committer: Michael Niedermayer

avcodec/fic: Fixes signed integer overflow

Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot 
be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96d5786027445bf01ab47212a1a71b9d2f2ea2df
---

 libavcodec/fic.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 2c11515459..f66c05b94b 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 
'C', 'V' };
 
 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int 
rnd)
 {
-const int t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
-const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
-const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
-const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
-const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+const unsigned t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
+const unsigned t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
+const unsigned t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
+const unsigned t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
+const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
 const unsigned t6 = t2 - t0;
 const unsigned t7 = t3 - t1;
 const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];



[FFmpeg-cvslog] avcodec/snowdec: Fix off by 1 error

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Thu Aug 17 20:32:03 2017 +0200| [1b5548cc0913032587b4579e4b8b23ebed4c5124] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix off by 1 error

Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]'
Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b5548cc0913032587b4579e4b8b23ebed4c5124
---

 libavcodec/snowdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 7d6d7ff44f..4ebfa07c6a 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){
 Plane *p= >plane[plane_index];
 p->diag_mc= get_rac(>c, s->header_state);
 htaps= get_symbol(>c, s->header_state, 0)*2 + 2;
-if((unsigned)htaps > HTAPS_MAX || htaps==0)
+if((unsigned)htaps >= HTAPS_MAX || htaps==0)
 return AVERROR_INVALIDDATA;
 p->htaps= htaps;
 for(i= htaps/2; i; i--){
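Review bot: `htaps` is computed as the decoded symbol times two plus two before the range check runs, so the check sees the value only after a signed multiplication that could already have overflowed. Whether get_symbol() can return a value that large is not visible in this hunk; if it can, read the symbol into a local first and reject it while it is still unscaled, the way the h264_slice change in this same batch validates the `_div2` values before doubling them. The comparison against `HTAPS_MAX` would also benefit from a comment tying it to the size of the coefficient array indexed by the loop that follows. decode_header() continues outside the hunk.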



[FFmpeg-cvslog] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Aug  6 05:01:45 2017 +0200| [55fe7a738f4ca6a92972f699f5d8816a5e133405] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be 
represented in type 'int'
Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55fe7a738f4ca6a92972f699f5d8816a5e133405
---

 libavcodec/dirac_dwt.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 62f8472b41..e715e53bc4 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-(b1 - ((1817*(b0 + b2) + 2048) >> 12))
+(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-(b1 - (( 113*(b0 + b2) + 64) >> 7))
+(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7))
 
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-(b1 + (( 217*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-(b1 + ((6497*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12))
 
 
 #endif /* AVCODEC_DWT_H */
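Review bot: In all four COMPOSE_DAUB97 macros the inner sum `(b0 + b2)` is still evaluated in the operands' own type before it meets the unsigned constant, so if the arguments are `int` that addition can overflow just as the multiplication did. Converting one operand first, e.g. `(int)(1817U*((unsigned)(b0) + (b2)) + 2048) >> 12`, keeps the whole inner expression in unsigned arithmetic; the same applies to the `113U`, `217U` and `6497U` variants. The outer `b1 - (...)` and `b1 + (...)` are likewise still signed. The macro arguments are also used without parentheses, which is fragile if a caller passes an expression. The COMPOSE macros above these in the header are not touched by the change.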



[FFmpeg-cvslog] avcodec/diracdec: Check perspective_exp and zrs_exp.

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Tue Aug 15 03:32:43 2017 +0200| [df2efc212dabc2cccb7101e15bba0c78cb5d80b3] | 
committer: Michael Niedermayer

avcodec/diracdec: Check perspective_exp and zrs_exp.

Fixes: undefined shift
Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int'
Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=df2efc212dabc2cccb7101e15bba0c78cb5d80b3
---

 libavcodec/diracdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 579ff97322..6f6a0ece45 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1082,6 +1082,10 @@ static int 
dirac_unpack_prediction_parameters(DiracContext *s)
 s->globalmc[ref].perspective[0]  = dirac_get_se_golomb(gb);
 s->globalmc[ref].perspective[1]  = dirac_get_se_golomb(gb);
 }
+if (s->globalmc[ref].perspective_exp + 
(uint64_t)s->globalmc[ref].zrs_exp > 30) {
+return AVERROR_INVALIDDATA;
+}
+
 }
 }
 
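Review bot: The new range check returns `AVERROR_INVALIDDATA` without logging anything, so a rejected stream gives no hint which field was bad. Adding `av_log(s->avctx, AV_LOG_ERROR, "perspective_exp + zrs_exp out of range\n");` before the return would match how the other bitstream checks on this page report errors. The limit `30` is a bare literal; a comment saying which shift width it protects would make the bound reviewable. As far as the hunk shows, the check sits after the perspective block and runs once per reference; the start of the loop is outside the hunk.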



[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [74e9dbf0dfb009ced1dcba341b25bc37357b7b7a] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74e9dbf0dfb009ced1dcba341b25bc37357b7b7a
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index d3f1360359..cdd56af1f7 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1697,17 +1697,19 @@ int ff_h264_decode_slice_header(H264Context *h, 
H264SliceContext *sl)
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 



[FFmpeg-cvslog] avcodec/aacdec_fixed: fix invalid shift in predict()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Fri Aug  4 03:26:30 2017 +0200| [46023f3258f4082cf1aba9b47401bdb137174103] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: fix invalid shift in predict()

Fixes: runtime error: shift exponent -2 is negative
Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=46023f3258f4082cf1aba9b47401bdb137174103
---

 libavcodec/aacdec_fixed.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index ccc82057e1..e7c2d2d299 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 if (output_enable) {
 int shift = 28 - pv.exp;
 
-if (shift < 31)
-*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+if (shift < 31) {
+if (shift > 0) {
+*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+} else
+*coef += pv.mant << -shift;
+}
 }
 
 e0 = av_int2sf(*coef, 2);
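Review bot: The new `else` branch executes `pv.mant << -shift` for every `shift <= 0` with no lower bound, so a sufficiently large `pv.exp` would give a shift count of 32 or more, which is undefined just like the negative count this commit removes. Left-shifting a negative `pv.mant` is undefined as well. Bounding the branch and shifting as unsigned, e.g. `} else if (shift > -31)` with `*coef += (unsigned)pv.mant << -shift;`, would close both; whether `pv.exp` can actually reach that range is not visible in this hunk. The branch also mixes a braced `if` with an unbraced `else`. predict() starts and ends outside the hunk.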



[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear mcsel before decoding an image

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.1 | Michael Niedermayer  | 
Sun Aug  6 13:32:54 2017 +0200| [a5c83b586b8097948a9cbba8937f89245cad4274] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Clear mcsel before decoding an image

Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be 
represented in type 'int'
Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a5c83b586b8097948a9cbba8937f89245cad4274
---

 libavcodec/mpeg4videodec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 2e74a33758..d04286bc3d 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2283,6 +2283,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 int time_incr, time_increment;
 int64_t pts;
 
+s->mcsel   = 0;
 s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I;/* pict type: I 
= 0 , P = 1 */
 if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay &&
 ctx->vol_control_parameters == 0 && !(s->avctx->flags & 
AV_CODEC_FLAG_LOW_DELAY)) {



[FFmpeg-cvslog] avformat/utils: fix memory leak in avformat_free_context

2017-09-17 Thread Steven Siloti
ffmpeg | branch: release/3.1 | Steven Siloti  | Tue Jul 
18 11:26:39 2017 -0700| [ee17fdffd4cb55eb8533ec2684ce5d7c8cf1fb22] | committer: 
Michael Niedermayer

avformat/utils: fix memory leak in avformat_free_context

The pointer to the packet queue is stored in the internal structure
so the queue needs to be flushed before internal is freed.

Signed-off-by: Steven Siloti 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee17fdffd4cb55eb8533ec2684ce5d7c8cf1fb22
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 46dc5109d1..5a35953d24 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4046,8 +4046,8 @@ void avformat_free_context(AVFormatContext *s)
 av_freep(>chapters);
 av_dict_free(>metadata);
 av_freep(>streams);
-av_freep(>internal);
 flush_packet_queue(s);
+av_freep(>internal);
 av_free(s);
 }
 
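Review bot: The fix depends on `flush_packet_queue(s)` running before `av_freep()` releases `s->internal`, and nothing in the code marks that ordering as required. A comment such as `/* must precede freeing internal: the packet queue is reached through s->internal */` above the call would keep a later cleanup from swapping the two lines back. avformat_free_context() begins outside the hunk.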



[FFmpeg-cvslog] [ffmpeg-web] branch master updated. 1aa53f8 web: Add FFmpeg 3.2.8

2017-09-17 Thread ffmpeg-git
The branch, master has been updated
   via  1aa53f89859ffc61418734fdfac78a941c7863c6 (commit)
   via  f075439c16775b2bfa3f85dd217fbf62164369d2 (commit)
  from  df5f4d0b7e4cd2166b6cd73c801e321272b689cd (commit)


- Log -
commit 1aa53f89859ffc61418734fdfac78a941c7863c6
Author: Michael Niedermayer 
AuthorDate: Sun Sep 17 15:56:05 2017 +0200
Commit: Michael Niedermayer 
CommitDate: Sun Sep 17 15:56:05 2017 +0200

web: Add FFmpeg 3.2.8

diff --git a/src/download b/src/download
index d9bdff0..101032d 100644
--- a/src/download
+++ b/src/download
@@ -307,10 +307,10 @@ libpostproc54.  5.100
  

 
-  FFmpeg 3.2.7 "Hypatia"
+  FFmpeg 3.2.8 "Hypatia"
 
   
-3.2.7 was released on 2017-07-30. It is the latest stable FFmpeg release
+3.2.8 was released on 2017-09-17. It is the latest stable FFmpeg release
 from the 3.2 release branch, which was cut from master on 2016-10-26.
   
   It includes the following library versions:
@@ -328,19 +328,19 @@ libpostproc54.  1.100
 
   
 
-  Download 
xz tarball
-  PGP 
signature
+  Download 
xz tarball
+  PGP 
signature
  
 
-  Download 
bzip2 tarball
-  PGP 
signature
+  Download 
bzip2 tarball
+  PGP 
signature
  
 
-  Download 
gzip tarball
-  PGP 
signature
+  Download 
gzip tarball
+  PGP 
signature
  
 
-  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.2.7;>Changelog
+  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.2.8;>Changelog
   https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.2:/RELEASE_NOTES;>Release
 Notes
  

diff --git a/src/security b/src/security
index 3fe207a..9c6ca5a 100644
--- a/src/security
+++ b/src/security
@@ -62,6 +62,25 @@ CVE-2017-9996, a483e46b794539d21b1ec0f3e521f681a54a86d2 / 
1e42736b95065c69a7481d
 
 FFmpeg 3.2
 
+3.2.8
+
+Fixes following vulnerabilities:
+
+
+CVE-2017-14054, 2bbef8ee271240ce4509b23fd33e35076715a39f / 
124eb202e70678539544f6268efc98131f19fa49
+CVE-2017-14055, d4fc6b211f19365fbae4b4388ec396b293fda249 / 
4f05e2e2dc1a89f38cd9f0960a6561083d714f1e
+CVE-2017-14056, 5bc9f70441d7e7067cba9188898c9252c72bab35 / 
96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
+CVE-2017-14057, f94517934bf0ff2510f472fa2bc4cd362951109c / 
7f9ec5593e04827249e7aeb466da06a98a0d7329
+CVE-2017-14058, 2920c7cec0b1958b59e5e7990078bea4428f6912 / 
7ec414892ddcad88313848494b6fc5f437c9ca4a
+CVE-2017-14059, 98e177c7288574b336d80618f4ec5d1f94243070 / 
7e80b63ecd259d69d383623e75b318bf2bd491f6
+CVE-2017-14169, 816f7337bf3ed3e08afdc28278668d8eb81910cb / 
9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
+CVE-2017-14170, 9cbac3602610afa0867b03bc1475c5c13441d096 / 
900f39692ca0337a98a7cf047e4e2611071810c2
+CVE-2017-14171, a051de092e9c709b69d24d94b66a382909be67d5 / 
c24bcb553650b91e9eff15ef6e54ca73de2453b7
+CVE-2017-14222, c9527df274ada02a19c2f973b29d1d5b7069d4bf / 
9cb4eb772839c5e1de2855d126bf74ff16d13382
+CVE-2017-14223, 4e4177dde23be77a97887f409f237e17ef53f329 / 
afc9c683ed9db01edb357bc8c19edad4282b3a97
+CVE-2017-14225, 726133b6d2cd8f5f43b5af536024d8e02791d8cf / 
837cb4325b712ff1aab531bf41668933f61d75d2
+
+
 3.2.7
 
 Fixes following vulnerabilities:

commit f075439c16775b2bfa3f85dd217fbf62164369d2
Author: Michael Niedermayer 
AuthorDate: Sun Sep 17 12:33:13 2017 +0200
Commit: Michael Niedermayer 
CommitDate: Sun Sep 17 12:33:13 2017 +0200

web/security: use same length git hash for CVE-2017-14171

diff --git a/src/security b/src/security
index 57db9e5..3fe207a 100644
--- a/src/security
+++ b/src/security
@@ -20,7 +20,7 @@ CVE-2017-14056, 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d / 
96f24d1bee7fe7bac08e2
 CVE-2017-14222, d9cf9f5af82228b588828ae2692acccec588fdac / 
9cb4eb772839c5e1de2855d126bf74ff16d13382
 CVE-2017-14169, 9d3a7c82a669a1a1c8e3904c65ded19e80d16edc / 
9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
 CVE-2017-14223, b61e5a878c845b8bee1267fdb75c293feb00ae0d / 
afc9c683ed9db01edb357bc8c19edad4282b3a97
-CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / 
c24bcb553650b91e9eff15ef6e54ca73de2453b
+CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / 
c24bcb553650b91e9eff15ef6e54ca73de2453b7
 
 
 3.3.3

---

Summary of changes:
 src/download | 18 +-
 src/security | 21 -
 2 files changed, 29 insertions(+), 10 deletions(-)


hooks/post-receive
-- 



[FFmpeg-cvslog] Tag n3.2.8 : FFmpeg 3.2.8 release

2017-09-17 Thread git
[ffmpeg] [branch: refs/tags/n3.2.8]
Tag:fd28307ed1b3d1b8eb51ba70a8da68759df91b4a
> http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=fd28307ed1b3d1b8eb51ba70a8da68759df91b4a

Tagger: Michael Niedermayer 
Date:   Sun Sep 17 13:08:38 2017 +0200

FFmpeg 3.2.8 release


[FFmpeg-cvslog] Update for 3.2.8

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Sep 17 12:23:15 2017 +0200| [98f8f5b12f2a6e0b9e27b8e0a04f5be694aa5367] | 
committer: Michael Niedermayer

Update for 3.2.8

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98f8f5b12f2a6e0b9e27b8e0a04f5be694aa5367
---

 Changelog| 49 +
 RELEASE  |  2 +-
 doc/Doxyfile |  2 +-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 9b5a6549b8..96052b9e8f 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,55 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.2.8:
+- avcodec/hevc_ps: Fix c?_qp_offset_list size
+- avcodec/shorten: Move buffer allocation and offset init to end of 
read_header()
+- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
+- avcodec/diracdec: Fix overflow in DC computation
+- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
+- libavcodec/h264_parse: don't use uninitialized value when 
chroma_format_idc==0
+- avformat/asfdec: Fix DoS in asf_build_simple_index()
+- avformat/mov: Fix DoS in read_tfra()
+- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
+- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
+- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
+- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
+- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
+- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
+- avcodec/hevc_ps: Fix undefined shift in pcm code
+- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
+- avformat/mvdec: Fix DoS due to lack of eof check
+- avformat/rl2: Fix DoS due to lack of eof check
+- avformat/rmdec: Fix DoS due to lack of eof check
+- avformat/cinedec: Fix DoS due to lack of eof check
+- avformat/asfdec: Fix DoS due to lack of eof check
+- avformat/hls: Fix DoS due to infinite loop
+- ffprobe: Fix NULL pointer handling in color parameter printing
+- ffprobe: Fix null pointer dereference with color primaries
+- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
+- avformat/rtpdec_h264: Fix heap-buffer-overflow
+- avformat/aviobuf: Fix signed integer overflow in avio_seek()
+- avformat/mov: Fix signed integer overflows with total_size
+- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy 
initialization
+- avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
+- avcodec/me_cmp: Fix crashes on ARM due to misalignment
+- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
+- avcodec/fic: Fixes signed integer overflow
+- avcodec/snowdec: Fix off by 1 error
+- avcodec/diracdec: Fixes integer overflow
+- avcodec/diracdec: Check perspective_exp and zrs_exp.
+- avcodec/ffv1dec_template: Fix undefined shift
+- avcodec/mpeg4videodec: Clear mcsel before decoding an image
+- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
+- avcodec/aacdec_fixed: fix invalid shift in predict()
+- avcodec/h264_slice: Fix overflow in slice offset
+- avformat/utils: fix memory leak in avformat_free_context
+- avcodec/diracdsp: fix integer overflow
+- avcodec/diracdec: Check weight_log2denom
+- avfilter/vf_ssim: fix temp size calculation
+
 version 3.2.7:
 - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
 - avcodec/diracdec: Fix integer overflow in divide3()
diff --git a/RELEASE b/RELEASE
index 406ebcbd95..f092941a75 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.2.7
+3.2.8
diff --git a/doc/Doxyfile b/doc/Doxyfile
index d2df976ac6..18f4da5fda 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME   = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER = 3.2.7
+PROJECT_NUMBER = 3.2.8
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a



[FFmpeg-cvslog] avcodec/hevc_ps: Fix c?_qp_offset_list size

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Sep 10 21:10:17 2017 +0200| [0a5251d28eb6250fd5c1260bcf2ac72c12568da8] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Fix c?_qp_offset_list size

Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]'
Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a5251d28eb6250fd5c1260bcf2ac72c12568da8
---

 libavcodec/hevc.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 6a3c7506c2..2afad011b7 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -545,8 +545,8 @@ typedef struct HEVCPPS {
 uint8_t chroma_qp_offset_list_enabled_flag;
 uint8_t diff_cu_chroma_qp_offset_depth;
 uint8_t chroma_qp_offset_list_len_minus1;
-int8_t  cb_qp_offset_list[5];
-int8_t  cr_qp_offset_list[5];
+int8_t  cb_qp_offset_list[6];
+int8_t  cr_qp_offset_list[6];
 uint8_t log2_sao_offset_scale_luma;
 uint8_t log2_sao_offset_scale_chroma;
 
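Review bot: The new bound `6` for `cb_qp_offset_list` and `cr_qp_offset_list` is a bare literal, with nothing tying it to the index that triggered the out-of-bounds report. The arrays are presumably indexed up to `chroma_qp_offset_list_len_minus1`, so the parser (not visible in this hunk) has to reject values above 5 for the fix to hold; that check is worth confirming alongside this change. A comment on the fields would record the coupling, for example `/* indexed 0..chroma_qp_offset_list_len_minus1; the parser must keep that <= 5 */`. The `HEVCPPS` struct starts and ends outside the hunk.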



[FFmpeg-cvslog] avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Sep  9 15:51:45 2017 +0200| [256ebf8bb4146d51da7d0cf1205c597627af1b04] | 
committer: Michael Niedermayer

avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()

Fixes: runtime error: left shift of 1073741838 by 1 places cannot be 
represented in type 'int32_t' (aka 'int')
Fixes: 3279/clusterfuzz-testcase-minimized-4564805744590848

Suggested-by: 
Reviewed-by: 
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d98d29a775d6de9357731fec872642644e57b233)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=256ebf8bb4146d51da7d0cf1205c597627af1b04
---

 libavcodec/dirac_vlc.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c
index b642ee8599..496d8177cd 100644
--- a/libavcodec/dirac_vlc.c
+++ b/libavcodec/dirac_vlc.c
@@ -37,7 +37,7 @@
 
 #define APPEND_RESIDUE(N, M)   
\
 N  |= M >> (N ## _bits);   
\
-N ## _bits +=  (M ## _bits)
+N ## _bits  = (N ## _bits + (M ## _bits)) & 0x3F
 
 int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf,
int bytes, uint8_t *_dst, int coeffs)
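Review bot: The mask `0x3F` in `APPEND_RESIDUE` hard-codes a 64-bit residual width, whereas the check this commit removes in the second hunk compared against `RSIZE_BITS`. If `residual` is ever narrower than 64 bits, `M >> (N ## _bits)` can again receive a shift count at or above the type width; `N ## _bits  = (N ## _bits + (M ## _bits)) & (RSIZE_BITS - 1)` keeps the two in step, assuming `RSIZE_BITS` is a power of two. The removed lines also cleared `res` together with `res_bits`, while the mask only wraps the count, so `res` may keep bits from before the wrap; a short comment saying whether that is intended would help. `ff_dirac_golomb_read_32bit` continues outside both hunks.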
@@ -56,9 +56,6 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const 
uint8_t *buf,
 if ((c_idx + 1) > coeffs)
 return c_idx;
 
-if (res_bits >= RSIZE_BITS)
-res_bits = res = 0;
-
 /* res_bits is a hint for better branch prediction */
 if (res_bits && l->sign) {
 int32_t coeff = 1;



[FFmpeg-cvslog] libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0

2017-09-17 Thread Mark Wachsler
ffmpeg | branch: release/3.2 | Mark Wachsler 
 | Thu Sep  7 09:42:07 2017 -0400| 
[36c0958fbd9f85e2e263ef9b97eda26d49d439b4] | committer: Michael Niedermayer

libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0

When parsing a monochrome file, chroma_log2_weight_denom was used without
being initialized, which could lead to a bogus error message being printed, e.g.
  [h264 @ 0x61a26480] chroma_log2_weight_denom 24576 is out of range
It could also lead to warnings when using AddressSanitizer.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit fde5c7dc79eb017790ba232442ad2a4eecea4bf1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36c0958fbd9f85e2e263ef9b97eda26d49d439b4
---

 libavcodec/h264_parse.c | 27 +++
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index 3d20075f6a..a7c71d9bbb 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -34,21 +34,22 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS 
*sps,
 
 pwt->use_weight = 0;
 pwt->use_weight_chroma  = 0;
-pwt->luma_log2_weight_denom = get_ue_golomb(gb);
-if (sps->chroma_format_idc)
-pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
 
+pwt->luma_log2_weight_denom = get_ue_golomb(gb);
 if (pwt->luma_log2_weight_denom > 7U) {
 av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of 
range\n", pwt->luma_log2_weight_denom);
 pwt->luma_log2_weight_denom = 0;
 }
-if (pwt->chroma_log2_weight_denom > 7U) {
-av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of 
range\n", pwt->chroma_log2_weight_denom);
-pwt->chroma_log2_weight_denom = 0;
-}
+luma_def = 1 << pwt->luma_log2_weight_denom;
 
-luma_def   = 1 << pwt->luma_log2_weight_denom;
-chroma_def = 1 << pwt->chroma_log2_weight_denom;
+if (sps->chroma_format_idc) {
+pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
+if (pwt->chroma_log2_weight_denom > 7U) {
+av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out 
of range\n", pwt->chroma_log2_weight_denom);
+pwt->chroma_log2_weight_denom = 0;
+}
+chroma_def = 1 << pwt->chroma_log2_weight_denom;
+}
 
 for (list = 0; list < 2; list++) {
 pwt->luma_weight_flag[list]   = 0;
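Review bot: On the monochrome path (`sps->chroma_format_idc == 0`) `pwt->chroma_log2_weight_denom` and the local `chroma_def` are now never assigned, so the field keeps whatever the structure held before and every later reader has to repeat the `chroma_format_idc` test. The second hunk guards the `chroma_weight` copy, but any uses of `chroma_def` between the two hunks are not visible here. Setting a defined value up front, e.g. `pwt->chroma_log2_weight_denom = 0;` next to `pwt->use_weight_chroma = 0;`, would make the state deterministic for code outside this function. `ff_h264_pred_weight_table` starts before and ends after the hunk.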
@@ -102,9 +103,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS 
*sps,
 if (picture_structure == PICT_FRAME) {
 pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 
2 * i + 1][list][0] = pwt->luma_weight[i][list][0];
 pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 
2 * i + 1][list][1] = pwt->luma_weight[i][list][1];
-for (j = 0; j < 2; j++) {
-pwt->chroma_weight[16 + 2 * i][list][j][0] = 
pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = 
pwt->chroma_weight[i][list][j][0];
-pwt->chroma_weight[16 + 2 * i][list][j][1] = 
pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = 
pwt->chroma_weight[i][list][j][1];
+if (sps->chroma_format_idc) {
+for (j = 0; j < 2; j++) {
+pwt->chroma_weight[16 + 2 * i][list][j][0] = 
pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = 
pwt->chroma_weight[i][list][j][0];
+pwt->chroma_weight[16 + 2 * i][list][j][1] = 
pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = 
pwt->chroma_weight[i][list][j][1];
+}
 }
 }
 }



[FFmpeg-cvslog] avcodec/shorten: Move buffer allocation and offset init to end of read_header()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Sep 10 21:10:16 2017 +0200| [2cfabd8ce7913dcf4d5413441d0fb5a02cd18884] | 
committer: Michael Niedermayer

avcodec/shorten: Move buffer allocation and offset init to end of read_header()

They are time consuming operations, performing them after the other checks
improves the speed with damaged input dramatically.

Fixes: Timeout
Fixes: 2928/clusterfuzz-testcase-4992812120539136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cfabd8ce7913dcf4d5413441d0fb5a02cd18884
---

 libavcodec/shorten.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index a36a77210e..b56d205932 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -453,12 +453,6 @@ static int read_header(ShortenContext *s)
 }
 s->nwrap = FFMAX(NWRAP, maxnlpc);
 
-if ((ret = allocate_buffers(s)) < 0)
-return ret;
-
-if ((ret = init_offset(s)) < 0)
-return ret;
-
 if (s->version > 1)
 s->lpcqoffset = V2LPCQOFFSET;
 
@@ -494,6 +488,13 @@ static int read_header(ShortenContext *s)
 }
 
 end:
+
+if ((ret = allocate_buffers(s)) < 0)
+return ret;
+
+if ((ret = init_offset(s)) < 0)
+return ret;
+
 s->cur_chan = 0;
 s->bitshift = 0;
 



[FFmpeg-cvslog] avformat/asfdec: Fix DoS in asf_build_simple_index()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Sep  5 00:16:29 2017 +0200| [4e4177dde23be77a97887f409f237e17ef53f329] | 
committer: Michael Niedermayer

avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e4177dde23be77a97887f409f237e17ef53f329
---

 libavformat/asfdec_f.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index 2cacafe50d..d9dfbf0fa3 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, 
int stream_index)
 int64_t pos   = s->internal->data_offset + s->packet_size * 
(int64_t)pktnum;
 int64_t index_pts = FFMAX(av_rescale(itime, i, 1) - 
asf->hdr.preroll, 0);
 
+if (avio_feof(s->pb)) {
+ret = AVERROR_INVALIDDATA;
+goto end;
+}
+
 if (pos != last_pos) {
 av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d  pts: 
%"PRId64"\n",
pktnum, pktct, index_pts);



[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Sep  8 23:29:12 2017 +0200| [87ef295ddf53068a5bbfd2cd1c91a1b01b787ad7] | 
committer: Michael Niedermayer

avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()

Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be 
represented in type 'int'
Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=87ef295ddf53068a5bbfd2cd1c91a1b01b787ad7
---

 libavcodec/jpeg2000dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index c746aed924..85a12d0e9b 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, 
int csize)
 
 for (i = 0; i < csize; i++) {
 i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
-i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
+i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) 
>> 16)
- (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
-i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
+i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 
16);
 *src0++ = i0;
 *src1++ = i1;
 *src2++ = i2;
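Review bot: Two signed multiplications of the same shape are left untouched in this loop: `26345 * *src2` on the `i0` line and `i_ict_params[2] * *src2` in the second term of `i1`. If the samples are 32-bit ints, as the reported overflow suggests, these can overflow in the same way as the two that were fixed. Treating them alike would read `i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);` and `- ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16);`. The declarations of `src0`..`src2` and `i_ict_params` are outside the hunk, so the operand types should be confirmed there.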



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Sep 10 01:32:51 2017 +0200| [03bf78eba6933fff66cee51af0fa7a0f8c44677b] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

Fixes: runtime error: left shift of negative value -95
Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c225da68cffbea11270a758ff42859194c980863)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=03bf78eba6933fff66cee51af0fa7a0f8c44677b
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index b840d179c3..5bca02342d 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, 
ptrdiff_t _dststride,
 ox1 = ox1 * (1 << (BIT_DEPTH - 8));
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++) {
-dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + 
src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1));
+dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + 
src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1));
 }
 src  += srcstride;
 dst  += dststride;



[FFmpeg-cvslog] avcodec/diracdec: Fix overflow in DC computation

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Sep 10 01:32:50 2017 +0200| [f3c3cd5afbacf99f14cdcafd6d5dffceb6d06626] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix overflow in DC computation

Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be 
represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b5995856a4236c27f231210bb08d70688e045192)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3c3cd5afbacf99f14cdcafd6d5dffceb6d06626
---

 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 46e8377bc9..0b8b799dc0 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1416,7 +1416,7 @@ static void decode_block_params(DiracContext *s, 
DiracArith arith[8], DiracBlock
 if (!block->ref) {
 pred_block_dc(block, stride, x, y);
 for (i = 0; i < 3; i++)
-block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, 
CTX_DC_DATA);
+block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, 
CTX_DC_F1, CTX_DC_DATA);
 return;
 }
 



[FFmpeg-cvslog] avformat/mov: Fix DoS in read_tfra()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Sep  5 00:16:29 2017 +0200| [c9527df274ada02a19c2f973b29d1d5b7069d4bf] | 
committer: Michael Niedermayer

avformat/mov: Fix DoS in read_tfra()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9527df274ada02a19c2f973b29d1d5b7069d4bf
---

 libavformat/mov.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 405476fd71..b97aa001a3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5394,6 +5394,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f)
 }
 for (i = 0; i < index->item_count; i++) {
 int64_t time, offset;
+
+if (avio_feof(f)) {
+index->item_count = 0;
+av_freep(>items);
+return AVERROR_INVALIDDATA;
+}
+
 if (version == 1) {
 time   = avio_rb64(f);
 offset = avio_rb64(f);
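Review bot: The `avio_feof(f)` test runs at the top of each iteration, before the entry is read, so an entry cut short by end of file in the last iteration is still processed with whatever `avio_rb64()` returned. Testing after the reads, or once more after the loop, would reject a truncated final entry as well. Separately, if `index->items` is sized from `item_count` before this loop (the allocation is outside the hunk), the count is still trusted for that allocation and the new check only bounds the loop time. `read_tfra` continues outside the hunk.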



[FFmpeg-cvslog] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.2 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [9cbac3602610afa0867b03bc1475c5c13441d096] | committer: 
Michael Niedermayer

avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9cbac3602610afa0867b03bc1475c5c13441d096
---

 libavformat/mxfdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 2ad0c288f8..e2e34b246f 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
 segment->nb_index_entries = avio_rb32(pb);
 
 length = avio_rb32(pb);
+if(segment->nb_index_entries && length < 11)
+return AVERROR_INVALIDDATA;
 
 if 
(!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, 
sizeof(*segment->temporal_offset_entries))) ||
 !(segment->flag_entries  = 
av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) ||
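Review bot: The literal `11` in `length < 11` is unexplained; from the reads in the next hunk it looks like the minimum byte size of one index entry, and a comment such as `/* minimum size of one index entry in bytes */` would say so. `segment->nb_index_entries` still goes from `avio_rb32(pb)` straight into the `av_calloc()` calls with no upper bound, so a small file can request very large allocations before the per-iteration `avio_feof(pb)` test in the second hunk is reached; bounding the count against the remaining input would close that. The early `return AVERROR_INVALIDDATA` inside the loop also leaves the arrays allocated, which is fine only if the caller frees the segment on error (not visible here).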
@@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
 }
 
 for (i = 0; i < segment->nb_index_entries; i++) {
+if(avio_feof(pb))
+return AVERROR_INVALIDDATA;
 segment->temporal_offset_entries[i] = avio_r8(pb);
 avio_r8(pb);/* KeyFrameOffset 
*/
 segment->flag_entries[i] = avio_r8(pb);



[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Sep  1 19:56:10 2017 +0200| [2173539519fab324de3492db59620fd793a0ee4c] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()

Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot 
be represented in type 'int'
Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400
Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2173539519fab324de3492db59620fd793a0ee4c
---

 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index e147f10564..46e8377bc9 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -580,7 +580,7 @@ static inline void codeblock(DiracContext *s, SubBand *b,
 } \
 
 INTRA_DC_PRED(8, int16_t)
-INTRA_DC_PRED(10, int32_t)
+INTRA_DC_PRED(10, uint32_t)
 
 /**
  * Dirac Specification ->



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Sep  1 19:56:11 2017 +0200| [d5b42af8e7ca5010f6eaebb3f17d1957734dbeb8] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot 
be represented in type 'int'
Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5b42af8e7ca5010f6eaebb3f17d1957734dbeb8
---

 libavcodec/dirac_dwt.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index e715e53bc4..adf5178714 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12))
+(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7))
+(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
 
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
 
 
 #endif /* AVCODEC_DWT_H */
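Review bot: The new cast binds only to the first token of the macro argument: with an argument such as `x >> 1` or `a ? b : c`, `(unsigned)b2` casts `x` or `a`, not the whole expression. The four `COMPOSE_DAUB97*` macros should parenthesise their parameters, e.g. `((b1) - ((int)(1817*((b0) + (unsigned)(b2)) + 2048) >> 12))`. The trailing `>> 12` / `>> 7` is applied to a possibly negative `int`, which is implementation-defined in C; the code relies on an arithmetic shift, and a one-line comment above the macros would make that assumption explicit.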



[FFmpeg-cvslog] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.2 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [a051de092e9c709b69d24d94b66a382909be67d5] | committer: 
Michael Niedermayer

avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a051de092e9c709b69d24d94b66a382909be67d5
---

 libavformat/nsvdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 507fb396a5..16d2fa59e2 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 if (!nsv->nsvs_file_offset)
 return AVERROR(ENOMEM);
 
-for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size;
+}
 
 if(table_entries > table_entries_used &&
avio_rl32(pb) == MKTAG('T','O','C','2')) {



[FFmpeg-cvslog] avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Sep  1 19:56:12 2017 +0200| [372bb594385f97c31981e5ab5bf4c6cd56959102] | 
committer: Michael Niedermayer

avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()

Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' 
(aka 'unsigned long')
Fixes: 2838/clusterfuzz-testcase-minimized-6260066086813696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c595139f1fdb5ce5ee128c317ed9e4e836282436)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=372bb594385f97c31981e5ab5bf4c6cd56959102
---

 libavcodec/dirac_vlc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c
index 773f720858..b642ee8599 100644
--- a/libavcodec/dirac_vlc.c
+++ b/libavcodec/dirac_vlc.c
@@ -56,6 +56,9 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const 
uint8_t *buf,
 if ((c_idx + 1) > coeffs)
 return c_idx;
 
+if (res_bits >= RSIZE_BITS)
+res_bits = res = 0;
+
 /* res_bits is a hint for better branch prediction */
 if (res_bits && l->sign) {
 int32_t coeff = 1;



[FFmpeg-cvslog] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

2017-09-17 Thread 晓黑
ffmpeg | branch: release/3.2 | 孙浩(晓黑)  | Tue Aug 29 
23:59:21 2017 +0200| [816f7337bf3ed3e08afdc28278668d8eb81910cb] | committer: 
Michael Niedermayer

avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" 
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=816f7337bf3ed3e08afdc28278668d8eb81910cb
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index e2e34b246f..0e9153847e 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, 
int tag, int size, U
 avpriv_request_sample(pb, "Primer pack item length %d", item_len);
 return AVERROR_PATCHWELCOME;
 }
-if (item_num > 65536) {
+if (item_num > 65536 || item_num < 0) {
 av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num);
 return AVERROR_INVALIDDATA;
 }
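Review bot: A negative `item_num` now takes the branch that logs "item_num %d is too large", so the log reports a negative count as too large, which misleads anyone triaging a malformed file. Either reword the message, `"item_num %d is out of range\n"`, or read the count into an unsigned variable so that the single upper-bound test covers both cases. The declaration of `item_num` is outside the hunk, so the second option needs checking against its other uses.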



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 28 00:30:33 2017 +0200| [e29c9ef2d56ade1618f0207f1d106898857674d0] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be 
represented in type 'int'
Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e29c9ef2d56ade1618f0207f1d106898857674d0
---

 libavcodec/snowdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 4ebfa07c6a..0ac0b55012 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -140,7 +140,7 @@ static inline void 
decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli
 v = b->x_coeff[new_index].coeff;
 x = b->x_coeff[new_index++].x;
 while(x < w){
-register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT;
+register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT;
 register int u= -(v&1);
 line[x] = (t^u) - u;
 



[FFmpeg-cvslog] avcodec/hevc_ps: Fix undefined shift in pcm code

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug 27 23:59:09 2017 +0200| [50d726273e9cd2dbdcd373617d0d20f789c44d79] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Fix undefined shift in pcm code

Fixes: runtime error: shift exponent -1 is negative
Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50d726273e9cd2dbdcd373617d0d20f789c44d79
---

 libavcodec/hevc_ps.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index a2c13faf0f..95d976ff08 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1026,10 +1026,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, 
unsigned int *sps_id,
 sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3;
 sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size +
 get_ue_golomb_long(gb);
-if (sps->pcm.bit_depth > sps->bit_depth) {
+if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > 
sps->bit_depth) {
 av_log(avctx, AV_LOG_ERROR,
-   "PCM bit depth (%d) is greater than normal bit depth 
(%d)\n",
-   sps->pcm.bit_depth, sps->bit_depth);
+   "PCM bit depth (%d, %d) is greater than normal bit depth 
(%d)\n",
+   sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, 
sps->bit_depth);
 return AVERROR_INVALIDDATA;
 }
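Review bot: The widened check compares both PCM depths against `sps->bit_depth` only, and nothing says why the chroma PCM depth is validated against that single value. If luma and chroma bit depths are guaranteed equal by this point (not visible in the hunk), a comment such as `/* chroma depth equals sps->bit_depth here, so one bound covers both PCM depths */` would record it; otherwise the chroma value wants its own bound. The commit message suggests the depths later feed a shift amount, which is the reason worth stating next to the check. The rest of ff_hevc_parse_sps lies outside the hunk.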
 



[FFmpeg-cvslog] avformat/mvdec: Fix DoS due to lack of eof check

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug 25 01:15:30 2017 +0200| [d4fc6b211f19365fbae4b4388ec396b293fda249] | 
committer: Michael Niedermayer

avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4fc6b211f19365fbae4b4388ec396b293fda249
---

 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 80ef4b1569..e9e9fab503 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx)
 uint32_t pos   = avio_rb32(pb);
 uint32_t asize = avio_rb32(pb);
 uint32_t vsize = avio_rb32(pb);
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 avio_skip(pb, 8);
 av_add_index_entry(ast, pos, timestamp, asize, 0, 
AVINDEX_KEYFRAME);
 av_add_index_entry(vst, pos + asize, i, vsize, 0, 
AVINDEX_KEYFRAME);
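Review bot: `pos + asize` in the second av_add_index_entry() call is computed in uint32_t, so two file-supplied values can wrap and index the video chunk at a wrong, smaller offset; widening first, `(int64_t)pos + asize`, avoids that. The return value of both av_add_index_entry() calls is also ignored, so a rejected or failed entry goes unnoticed; the cinedec hunk below has the same unchecked call inside its loop. The added avio_feof() test runs after the three avio_rb32() reads, which is fine because their results are discarded on the error path. The loop header is outside the hunk.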



[FFmpeg-cvslog] avformat/cinedec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:27 2017 +0200| 
[98e177c7288574b336d80618f4ec5d1f94243070] | committer: Michael Niedermayer

avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98e177c7288574b336d80618f4ec5d1f94243070
---

 libavformat/cinedec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c
index 32cccf566b..c615d4fc49 100644
--- a/libavformat/cinedec.c
+++ b/libavformat/cinedec.c
@@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx)
 
 /* parse image offsets */
 avio_seek(pb, offImageOffsets, SEEK_SET);
-for (i = 0; i < st->duration; i++)
+for (i = 0; i < st->duration; i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
+
 av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME);
+}
 
 return 0;
 }



[FFmpeg-cvslog] avformat/rmdec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:28 2017 +0200| 
[2bbef8ee271240ce4509b23fd33e35076715a39f] | committer: Michael Niedermayer

avformat/rmdec: Fix DoS due to lack of eof check

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2bbef8ee271240ce4509b23fd33e35076715a39f
---

 libavformat/rmdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 4d565291af..7656812eb1 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s)
 av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val);
 } else if (type == 4) {
 av_log(s, AV_LOG_DEBUG, "%s = '0x", key);
-for (j = 0; j < len; j++)
+for (j = 0; j < len; j++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb));
+}
 av_log(s, AV_LOG_DEBUG, "'\n");
 } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", 
tlen)) {
 nb_streams = value = avio_rb32(pb);
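Review bot: The added early return leaves the debug line opened by `av_log(s, AV_LOG_DEBUG, "%s = '0x", key);` without its closing `'\n`, so the next log message is glued onto a half-written line. Emitting the terminator first, `if (avio_feof(pb)) { av_log(s, AV_LOG_DEBUG, "'\n"); return AVERROR_INVALIDDATA; }`, keeps the log readable. The loop also still issues one av_log() call per byte of a file-controlled `len`; the EOF test bounds that by the file size but does not make it cheap. Whether anything acquired earlier in ivr_read_header() needs releasing on this new exit cannot be seen from the hunk.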



[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Aug 26 14:00:55 2017 +0200| [a4cc1101cc98819ed4704274d8d7ce40725cd774] | 
committer: Michael Niedermayer

avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()

Fixes: runtime error: signed integer overflow: 8903997421129740175 + 
354481484684609529 cannot be represented in type 'long'
Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a4cc1101cc98819ed4704274d8d7ce40725cd774
---

 libavcodec/sbrdsp_fixed.c | 36 ++--
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index 7d593a18b8..f45bb847a8 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int 
x[40][2], SoftFloat phi[3][
 
 if (lag) {
 for (i = 1; i < 38; i++) {
-accu_re += (int64_t)x[i][0] * x[i+lag][0];
-accu_re += (int64_t)x[i][1] * x[i+lag][1];
-accu_im += (int64_t)x[i][0] * x[i+lag][1];
-accu_im -= (int64_t)x[i][1] * x[i+lag][0];
+accu_re += (uint64_t)x[i][0] * x[i+lag][0];
+accu_re += (uint64_t)x[i][1] * x[i+lag][1];
+accu_im += (uint64_t)x[i][0] * x[i+lag][1];
+accu_im -= (uint64_t)x[i][1] * x[i+lag][0];
 }
 
 real_sum = accu_re;
 imag_sum = accu_im;
 
-accu_re += (int64_t)x[ 0][0] * x[lag][0];
-accu_re += (int64_t)x[ 0][1] * x[lag][1];
-accu_im += (int64_t)x[ 0][0] * x[lag][1];
-accu_im -= (int64_t)x[ 0][1] * x[lag][0];
+accu_re += (uint64_t)x[ 0][0] * x[lag][0];
+accu_re += (uint64_t)x[ 0][1] * x[lag][1];
+accu_im += (uint64_t)x[ 0][0] * x[lag][1];
+accu_im -= (uint64_t)x[ 0][1] * x[lag][0];
 
 phi[2-lag][1][0] = autocorr_calc(accu_re);
 phi[2-lag][1][1] = autocorr_calc(accu_im);
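Review bot: The eighteen `(uint64_t)` casts in this hunk and the next are not explained anywhere, so a reader cannot tell that wrap-around is intended rather than a typo for `int64_t`. A single comment ahead of the first loop, e.g. `/* accumulate as uint64_t: sums of products may exceed int64_t on invalid input and must wrap, not overflow */`, would do. If `accu_re` and `accu_im` are signed (their declaration is outside the hunk), each `+=` also converts the wrapped value back to a signed type, which is implementation-defined and worth stating in the same comment. autocorrelate() starts before and ends after these hunks.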
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int 
x[40][2], SoftFloat phi[3][
 if (lag == 1) {
 accu_re = real_sum;
 accu_im = imag_sum;
-accu_re += (int64_t)x[38][0] * x[39][0];
-accu_re += (int64_t)x[38][1] * x[39][1];
-accu_im += (int64_t)x[38][0] * x[39][1];
-accu_im -= (int64_t)x[38][1] * x[39][0];
+accu_re += (uint64_t)x[38][0] * x[39][0];
+accu_re += (uint64_t)x[38][1] * x[39][1];
+accu_im += (uint64_t)x[38][0] * x[39][1];
+accu_im -= (uint64_t)x[38][1] * x[39][0];
 
 phi[0][0][0] = autocorr_calc(accu_re);
 phi[0][0][1] = autocorr_calc(accu_im);
 }
 } else {
 for (i = 1; i < 38; i++) {
-accu_re += (int64_t)x[i][0] * x[i][0];
-accu_re += (int64_t)x[i][1] * x[i][1];
+accu_re += (uint64_t)x[i][0] * x[i][0];
+accu_re += (uint64_t)x[i][1] * x[i][1];
 }
 real_sum = accu_re;
-accu_re += (int64_t)x[ 0][0] * x[ 0][0];
-accu_re += (int64_t)x[ 0][1] * x[ 0][1];
+accu_re += (uint64_t)x[ 0][0] * x[ 0][0];
+accu_re += (uint64_t)x[ 0][1] * x[ 0][1];
 
 phi[2][1][0] = autocorr_calc(accu_re);
 
 accu_re = real_sum;
-accu_re += (int64_t)x[38][0] * x[38][0];
-accu_re += (int64_t)x[38][1] * x[38][1];
+accu_re += (uint64_t)x[38][0] * x[38][0];
+accu_re += (uint64_t)x[38][1] * x[38][1];
 
 phi[1][0][0] = autocorr_calc(accu_re);
 }



[FFmpeg-cvslog] avformat/rl2: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 01:15:29 2017 +0200| 
[5bc9f70441d7e7067cba9188898c9252c72bab35] | committer: Michael Niedermayer

avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bc9f70441d7e7067cba9188898c9252c72bab35
---

 libavformat/rl2.c | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libavformat/rl2.c b/libavformat/rl2.c
index 0bec8f1d9a..eb1682dfcb 100644
--- a/libavformat/rl2.c
+++ b/libavformat/rl2.c
@@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s)
 }
 
 /** read offset and size tables */
-for(i=0; i < frame_count;i++)
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 chunk_size[i] = avio_rl32(pb);
-for(i=0; i < frame_count;i++)
+}
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 chunk_offset[i] = avio_rl32(pb);
-for(i=0; i < frame_count;i++)
+}
+for(i=0; i < frame_count;i++) {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 audio_size[i] = avio_rl32(pb) & 0x;
+}
 
 /** build the sample index */
 for(i=0;i
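Review bot: Each of the three new `return AVERROR_INVALIDDATA;` statements leaves rl2_read_header() directly from inside a table-filling loop. If `chunk_size`, `chunk_offset` and `audio_size` are heap buffers allocated earlier in the function (the allocation is outside this hunk), a truncated file now leaks all three on every failed open. Routing the failure through the function's normal release path keeps the EOF check without the leak, for example `if (avio_feof(pb)) { ret = AVERROR_INVALIDDATA; goto end; }`, where `ret` and `end` are placeholder names for whatever the function already uses. The hunk is cut short on this page, so the code after the third loop could not be checked.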

[FFmpeg-cvslog] avformat/asfdec: Fix DoS due to lack of eof check

2017-09-17 Thread 望初
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初)  | Fri Aug 25 12:37:25 2017 +0200| 
[f94517934bf0ff2510f472fa2bc4cd362951109c] | committer: Michael Niedermayer

avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f94517934bf0ff2510f472fa2bc4cd362951109c
---

 libavformat/asfdec_f.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index b973eff96e..2cacafe50d 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t 
size)
 count = avio_rl32(pb);// markers count
 avio_rl16(pb);// reserved 2 bytes
 name_len = avio_rl16(pb); // name length
-for (i = 0; i < name_len; i++)
-avio_r8(pb); // skip the name
+avio_skip(pb, name_len);
 
 for (i = 0; i < count; i++) {
 int64_t pres_time;
 int name_len;
 
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
+
 avio_rl64(pb); // offset, 8 bytes
 pres_time = avio_rl64(pb); // presentation time
 pres_time -= asf->hdr.preroll * 1;



[FFmpeg-cvslog] avformat/hls: Fix DoS due to infinite loop

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Aug 26 01:26:58 2017 +0200| [2920c7cec0b1958b59e5e7990078bea4428f6912] | 
committer: Michael Niedermayer

avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better 
solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team

Previous version reviewed-by: Steven Liu 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2920c7cec0b1958b59e5e7990078bea4428f6912
---

 doc/demuxers.texi | 18 ++
 libavformat/hls.c |  7 +++
 2 files changed, 25 insertions(+)

diff --git a/doc/demuxers.texi b/doc/demuxers.texi
index 2934a1cf7f..d56ad1622a 100644
--- a/doc/demuxers.texi
+++ b/doc/demuxers.texi
@@ -293,6 +293,24 @@ used to end the output video at the length of the shortest 
input file,
 which in this case is @file{input.mp4} as the GIF in this example loops
 infinitely.
 
+@section hls
+
+HLS demuxer
+
+It accepts the following options:
+
+@table @option
+@item live_start_index
+segment index to start live streams at (negative values are from the end).
+
+@item allowed_extensions
+',' separated list of file extensions that hls is allowed to access.
+
+@item max_reload
+Maximum number of times a insufficient list is attempted to be reloaded.
+Default value is 1000.
+@end table
+
 @section image2
 
 Image file demuxer.
diff --git a/libavformat/hls.c b/libavformat/hls.c
index ffefd284f8..87948726da 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -205,6 +205,7 @@ typedef struct HLSContext {
 AVDictionary *avio_opts;
 int strict_std_compliance;
 char *allowed_extensions;
+int max_reload;
 } HLSContext;
 
 static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
@@ -1255,6 +1256,7 @@ static int read_data(void *opaque, uint8_t *buf, int 
buf_size)
 HLSContext *c = v->parent->priv_data;
 int ret, i;
 int just_opened = 0;
+int reload_count = 0;
 
 restart:
 if (!v->needed)
@@ -1286,6 +1288,9 @@ restart:
 reload_interval = default_reload_interval(v);
 
 reload:
+reload_count++;
+if (reload_count > c->max_reload)
+return AVERROR_EOF;
 if (!v->finished &&
 av_gettime_relative() - v->last_load_time >= reload_interval) {
 if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) {
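Review bot: `reload_count++` sits directly under the `reload:` label, so the first pass that falls through from the line above is counted as a reload too. With the option's permitted minimum of 0 (see the hls_options hunk), `reload_count > c->max_reload` is already true on that first pass and read_data() returns AVERROR_EOF before the parse_playlist() call below it. Either count only the jumps back to `reload:`, or raise the option's lower bound to 1 and document what the number counts. The limit is also reached silently; a line such as `av_log(v->parent, AV_LOG_WARNING, "playlist reload limit reached\n");` before the return (assuming `v->parent` is a loggable context, as its `priv_data` use suggests) would let an operator tell an enforced limit from a real end of stream. The `goto reload` sites are outside the hunk.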
@@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = {
 OFFSET(allowed_extensions), AV_OPT_TYPE_STRING,
 {.str = 
"3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"},
 INT_MIN, INT_MAX, FLAGS},
+{"max_reload", "Maximum number of times a insufficient list is attempted 
to be reloaded",
+OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS},
 {NULL}
 };
 



[FFmpeg-cvslog] ffprobe: Fix null pointer dereference with color primaries

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Aug 22 11:02:38 2017 +0200| [726133b6d2cd8f5f43b5af536024d8e02791d8cf] | 
committer: Michael Niedermayer

ffprobe: Fix null pointer dereference with color primaries

Found-by: AD-lab of venustech
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2)
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=726133b6d2cd8f5f43b5af536024d8e02791d8cf
---

 ffprobe.c | 15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/ffprobe.c b/ffprobe.c
index 79fe296489..703304a8c0 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w,
 writer_print_section_footer(w);
 }
 
+static void print_primaries(WriterContext *w, enum AVColorPrimaries 
color_primaries)
+{
+const char *val = av_color_primaries_name(color_primaries);
+if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) {
+print_str_opt("color_primaries", "unknown");
+} else {
+print_str("color_primaries", val);
+}
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int 
packet_idx)
 {
 char val_str[128];
@@ -2258,10 +2268,7 @@ static int show_stream(WriterContext *w, AVFormatContext 
*fmt_ctx, int stream_id
 else
 print_str_opt("color_transfer", 
av_color_transfer_name(par->color_trc));
 
-if (par->color_primaries != AVCOL_PRI_UNSPECIFIED)
-print_str("color_primaries", 
av_color_primaries_name(par->color_primaries));
-else
-print_str_opt("color_primaries", 
av_color_primaries_name(par->color_primaries));
+print_primaries(w, par->color_primaries);
 
 if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
 print_str("chroma_location", 
av_chroma_location_name(par->chroma_location));
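Review bot: Only color_primaries gets the NULL guard; the context lines of this hunk still pass `av_color_transfer_name(par->color_trc)` and `av_chroma_location_name(par->chroma_location)` straight to `print_str()` and `print_str_opt()`. If those lookups can also return NULL for values outside their tables, as the new `!val` test implies for av_color_primaries_name(), a stream carrying such a value reaches the same dereference through the other fields. They want the same `!val` fallback that print_primaries() applies. show_stream() continues outside the hunk.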



[FFmpeg-cvslog] avformat/mov: Fix signed integer overflows with total_size

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.2 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[74410f2abab091b2fdf995fdb669873e8f7e1d0e] | committer: Michael Niedermayer

avformat/mov: Fix signed integer overflows with total_size

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74410f2abab091b2fdf995fdb669873e8f7e1d0e
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 24a76a0daa..405476fd71 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4888,7 +4888,7 @@ static int mov_read_default(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 
 if (atom.size < 0)
 atom.size = INT64_MAX;
-while (total_size + 8 <= atom.size && !avio_feof(pb)) {
+while (total_size <= atom.size - 8 && !avio_feof(pb)) {
 int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL;
 a.size = atom.size;
 a.type=0;
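Review bot: The rewritten loop condition is overflow-free only because of the clamp two lines above it, and nothing in the code records that dependency. With `atom.size` forced non-negative, `atom.size - 8` cannot underflow, whereas the old `total_size + 8` could exceed INT64_MAX. A comment on the `while` line such as `/* atom.size >= 0 here, so subtracting on the right is safe */` would stop someone from moving the clamp or restoring the old form. How `total_size` grows is outside the hunk.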



[FFmpeg-cvslog] ffprobe: Fix NULL pointer handling in color parameter printing

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Aug 22 17:27:17 2017 +0200| [baca98fc0971eb49438b589739132d83779bce1e] | 
committer: Michael Niedermayer

ffprobe: Fix NULL pointer handling in color parameter printing

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 351e28f9a799d933dd10c964dca7219fa13b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=baca98fc0971eb49438b589739132d83779bce1e
---

 ffprobe.c | 62 --
 1 file changed, 44 insertions(+), 18 deletions(-)

diff --git a/ffprobe.c b/ffprobe.c
index 703304a8c0..0c6c0f6d3e 100644
--- a/ffprobe.c
+++ b/ffprobe.c
@@ -1789,6 +1789,26 @@ static void print_pkt_side_data(WriterContext *w,
 writer_print_section_footer(w);
 }
 
+static void print_color_range(WriterContext *w, enum AVColorRange color_range, 
const char *fallback)
+{
+const char *val = av_color_range_name(color_range);
+if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) {
+print_str_opt("color_range", fallback);
+} else {
+print_str("color_range", val);
+}
+}
+
+static void print_color_space(WriterContext *w, enum AVColorSpace color_space)
+{
+const char *val = av_color_space_name(color_space);
+if (!val || color_space == AVCOL_SPC_UNSPECIFIED) {
+print_str_opt("color_space", "unknown");
+} else {
+print_str("color_space", val);
+}
+}
+
 static void print_primaries(WriterContext *w, enum AVColorPrimaries 
color_primaries)
 {
 const char *val = av_color_primaries_name(color_primaries);
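Review bot: print_color_range() and print_color_space() here, print_color_trc() and print_chroma_location() in the next hunk, and the existing print_primaries() are five copies of the same `!val || x == ..._UNSPECIFIED` body. They also disagree on the fallback: one takes it as a parameter, three hard-code `"unknown"` and one hard-codes `"unspecified"`. A single static helper taking the key, the looked-up name, an is-unspecified flag and the fallback string would keep the NULL guard in one place, so a sixth field cannot be added without it. If the differing fallbacks are deliberate for output compatibility, a one-line comment on each helper should say so.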
@@ -1799,6 +1819,26 @@ static void print_primaries(WriterContext *w, enum 
AVColorPrimaries color_primar
 }
 }
 
+static void print_color_trc(WriterContext *w, enum 
AVColorTransferCharacteristic color_trc)
+{
+const char *val = av_color_transfer_name(color_trc);
+if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) {
+print_str_opt("color_transfer", "unknown");
+} else {
+print_str("color_transfer", val);
+}
+}
+
+static void print_chroma_location(WriterContext *w, enum AVChromaLocation 
chroma_location)
+{
+const char *val = av_chroma_location_name(chroma_location);
+if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) {
+print_str_opt("chroma_location", "unspecified");
+} else {
+print_str("chroma_location", val);
+}
+}
+
 static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int 
packet_idx)
 {
 char val_str[128];
@@ -2254,26 +2294,12 @@ static int show_stream(WriterContext *w, 
AVFormatContext *fmt_ctx, int stream_id
 if (s) print_str("pix_fmt", s);
 else   print_str_opt("pix_fmt", "unknown");
 print_int("level",   par->level);
-if (par->color_range != AVCOL_RANGE_UNSPECIFIED)
-print_str("color_range", 
av_color_range_name(par->color_range));
-else
-print_str_opt("color_range", "N/A");
-
-s = av_get_colorspace_name(par->color_space);
-if (s) print_str("color_space", s);
-else   print_str_opt("color_space", "unknown");
-
-if (par->color_trc != AVCOL_TRC_UNSPECIFIED)
-print_str("color_transfer", 
av_color_transfer_name(par->color_trc));
-else
-print_str_opt("color_transfer", 
av_color_transfer_name(par->color_trc));
 
+print_color_range(w, par->color_range, "N/A");
+print_color_space(w, par->color_space);
+print_color_trc(w, par->color_trc);
 print_primaries(w, par->color_primaries);
-
-if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED)
-print_str("chroma_location", 
av_chroma_location_name(par->chroma_location));
-else
-print_str_opt("chroma_location", 
av_chroma_location_name(par->chroma_location));
+print_chroma_location(w, par->chroma_location);
 
 if (par->field_order == AV_FIELD_PROGRESSIVE)
 print_str("field_order", "progressive");
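Review bot: Besides adding the NULL guard, the `color_space` field changes its lookup function: the removed lines called `av_get_colorspace_name()`, while print_color_space() in the first hunk calls `av_color_space_name()`. If the two do not return identical strings for every value, tools that parse ffprobe output see different `color_space` values after a change described only as NULL-pointer handling. The commit message or a comment in print_color_space() should state whether the strings are the same. show_stream() extends beyond the hunk.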



[FFmpeg-cvslog] avformat/rtpdec_h264: Fix heap-buffer-overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Wed Aug 23 21:30:37 2017 +0200| [53a6cdf89d694be1f075729f16e0a9e2dcbbcb78] | 
committer: Michael Niedermayer

avformat/rtpdec_h264: Fix heap-buffer-overflow

Fixes: rtp_sdp/poc.sdp

Found-by: Bingchang 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=53a6cdf89d694be1f075729f16e0a9e2dcbbcb78
---

 libavformat/rtpdec_h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c
index 8dd56a549e..6f8148ab6d 100644
--- a/libavformat/rtpdec_h264.c
+++ b/libavformat/rtpdec_h264.c
@@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s,
 parse_profile_level_id(s, h264_data, value);
 } else if (!strcmp(attr, "sprop-parameter-sets")) {
 int ret;
-if (value[strlen(value) - 1] == ',') {
+if (*value == 0 || value[strlen(value) - 1] == ',') {
 av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, 
ignoring\n");
 return 0;
 }
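Review bot: The added `*value == 0` test shares the `"Missing PPS in sprop-parameter-sets, ignoring\n"` warning with the trailing-comma case, so an empty attribute is reported as a missing PPS although no parameter set is present at all. The reason for the test is not stated either; a comment such as `/* empty string: strlen(value) - 1 would index before the buffer */` would keep it from being removed as redundant. Whether `value` can be NULL here is decided by the caller, outside the hunk.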



[FFmpeg-cvslog] avformat/aviobuf: Fix signed integer overflow in avio_seek()

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.2 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[50cb32480b7691933756bc8a04265a1e488b5e06] | committer: Michael Niedermayer

avformat/aviobuf: Fix signed integer overflow in avio_seek()

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50cb32480b7691933756bc8a04265a1e488b5e06
---

 libavformat/aviobuf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 134d627a6e..02f6d38966 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int 
whence)
 offset1 = pos + (s->buf_ptr - s->buffer);
 if (offset == 0)
 return offset1;
+if (offset > INT64_MAX - offset1)
+return AVERROR(EINVAL);
 offset += offset1;
 }
 if (offset < 0)
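Review bot: The new guard `offset > INT64_MAX - offset1` is itself well-defined only while `offset1` is non-negative; for a negative `offset1` the subtraction overflows inside the very check meant to prevent overflow. `offset1` is computed a few context lines earlier as `pos + (s->buf_ptr - s->buffer)`, with `pos` set outside the hunk, so the assumption cannot be confirmed from here. A comment next to the guard, e.g. `/* offset1 is the current stream position and never negative */`, or an assertion to that effect, would make the precondition explicit.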



[FFmpeg-cvslog] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 21 00:18:48 2017 +0200| [3738a41830fbde1d4d6f950305278ba1cde01390] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3738a41830fbde1d4d6f950305278ba1cde01390
---

 libavcodec/hevc_ps.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 7b104e6143..a2c13faf0f 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, 
AVCodecContext *avctx,
 prev = 0;
 for (i = 0; i < rps->num_negative_pics; i++) {
 delta_poc = get_ue_golomb_long(gb) + 1;
+if (delta_poc < 1 || delta_poc > 32768) {
+av_log(avctx, AV_LOG_ERROR,
+"Invalid value of delta_poc: %d\n",
+delta_poc);
+return AVERROR_INVALIDDATA;
+}
 prev -= delta_poc;
 rps->delta_poc[i] = prev;
 rps->used[i]  = get_bits1(gb);
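Review bot: The bound `32768` is a bare literal repeated in both loops (this hunk and the next) with no hint of where it comes from. If it is the specification limit for the coded delta (2^15), a named constant or a comment such as `/* coded delta minus 1 is limited to 0..2^15-1 */` would say so. The six added lines are identical in both loops and could become one small static helper, so the two checks cannot drift apart. ff_hevc_decode_short_term_rps() starts and ends outside both hunks.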
@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, 
AVCodecContext *avctx,
 prev = 0;
 for (i = 0; i < nb_positive_pics; i++) {
 delta_poc = get_ue_golomb_long(gb) + 1;
+if (delta_poc < 1 || delta_poc > 32768) {
+av_log(avctx, AV_LOG_ERROR,
+"Invalid value of delta_poc: %d\n",
+delta_poc);
+return AVERROR_INVALIDDATA;
+}
 prev += delta_poc;
 rps->delta_poc[rps->num_negative_pics + i] = prev;
 rps->used[rps->num_negative_pics + i]  = get_bits1(gb);



[FFmpeg-cvslog] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization

2017-09-17 Thread Vitaly Buka
ffmpeg | branch: release/3.2 | Vitaly Buka 
 | Sun Aug 20 11:56:47 2017 -0700| 
[febea34f914b10e2aed177f49bfd6e9da9be5bef] | committer: Michael Niedermayer

avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy 
initialization

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=febea34f914b10e2aed177f49bfd6e9da9be5bef
---

 libavcodec/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 2d57aea469..6d6bbb7c22 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1570,7 +1570,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 }
 
 if (!avctx->rc_initial_buffer_occupancy)
-avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4;
+avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 
4;
 
 if (avctx->ticks_per_frame && avctx->time_base.num &&
 avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) {



[FFmpeg-cvslog] avcodec/fic: Fixes signed integer overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Aug 17 18:24:37 2017 +0200| [98cd9cd4c29c6b5cfdbd982a9b0a0ee5ce4bc503] | 
committer: Michael Niedermayer

avcodec/fic: Fixes signed integer overflow

Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot 
be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98cd9cd4c29c6b5cfdbd982a9b0a0ee5ce4bc503
---

 libavcodec/fic.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 2c11515459..f66c05b94b 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 
'C', 'V' };
 
 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int 
rnd)
 {
-const int t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
-const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
-const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
-const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
-const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+const unsigned t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
+const unsigned t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
+const unsigned t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
+const unsigned t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
+const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
 const unsigned t6 = t2 - t0;
 const unsigned t7 = t3 - t1;
 const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];



[FFmpeg-cvslog] avcodec/diracdec: Fixes integer overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Aug 15 03:32:44 2017 +0200| [5bc3b18e3d98059ffd6ec0844b1aeca1f7f41360] | 
committer: Michael Niedermayer

avcodec/diracdec: Fixes integer overflow

Fixes: runtime error: signed integer overflow: 340018243 * 27 cannot be 
represented in type 'int'
Fixes: 2861/clusterfuzz-testcase-minimized-5361070510178304

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 92da23093c784b1d9f0db4db51d28ea80a59e759)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bc3b18e3d98059ffd6ec0844b1aeca1f7f41360
---

 libavcodec/diracdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 6be3cae8d0..e147f10564 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -436,7 +436,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx)
 static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int 
qoffset)
 {
 int coeff = dirac_get_se_golomb(gb);
-const int sign = FFSIGN(coeff);
+const unsigned sign = FFSIGN(coeff);
 if (coeff)
 coeff = sign*((sign * coeff * qfactor + qoffset) >> 2);
 return coeff;
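Review bot: Making `sign` unsigned turns the whole expression `sign * coeff * qfactor + qoffset` unsigned, so the `>> 2` on the next line changes from an arithmetic to a logical shift as a side effect. The result is unchanged only while that sum is non-negative as a signed value; if `qfactor` or `qoffset` can be negative, or the product wraps, the decoded coefficient now differs from what the old code produced. If wrap-safe arithmetic with the old shift is what is wanted, spell it out, e.g. `coeff = sign * ((int)(sign * coeff * qfactor + qoffset) >> 2);`, matching the `(int)(...) >> n` form used in the snowdec and fic fixes on this page. The function's closing brace is outside the hunk.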



[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug 18 16:42:58 2017 +0200| [dc86479e5febb9f4150ab0c5d24116ac473e8a03] | 
committer: Michael Niedermayer

avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be 
represented in type 'int'
Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc86479e5febb9f4150ab0c5d24116ac473e8a03
---

 libavcodec/dirac_dwt_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 972c711cff..e436c247a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, 
uint8_t *_b1, uint8_t *_
 TYPE *b1 = (TYPE *)_b1;
 TYPE *b2 = (TYPE *)_b2;
 for (i = 0; i < width; i++)
-b1[i] -= (b0[i] + b2[i] + 2) >> 2;
+b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
 }
 
 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE 
*src1, int w2,
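Review bot: The added cast makes the inner sum `b0[i] + (unsigned)b2[i] + 2` wrap safely, but the compound `b1[i] -= ...` on the same line is still a signed subtraction in whatever `TYPE` expands to. If `TYPE` is a 32-bit integer in one of the template instantiations (not visible here), extreme coefficients can overflow at the `-=` just as they did in the sum. Casting the subtrahend as well, `b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);`, would cover that step. The function's remaining locals and the definition of `TYPE` are outside the hunk.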



[FFmpeg-cvslog] avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 21 02:15:49 2017 +0200| [6da5e63ba71de2dc3db547b4f56b67ce28548bdc] | 
committer: Michael Niedermayer

avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Previous version reviewed-by: Alex Converse 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6da5e63ba71de2dc3db547b4f56b67ce28548bdc
---

 libavcodec/aacdec_template.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 1ac6503a78..d6880c90db 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -1259,6 +1259,8 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 const MPEG4AudioConfig *const m4ac = >oc[1].m4ac;
 const int aot = m4ac->object_type;
 const int sampling_index = m4ac->sampling_index;
+int ret_fail = AVERROR_INVALIDDATA;
+
 if (aot != AOT_ER_AAC_ELD) {
 if (get_bits1(gb)) {
 av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n");
@@ -1309,8 +1311,10 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 ics->num_swb   =ff_aac_num_swb_512[sampling_index];
 ics->tns_max_bands =  ff_tns_max_bands_512[sampling_index];
 }
-if (!ics->num_swb || !ics->swb_offset)
-return AVERROR_BUG;
+if (!ics->num_swb || !ics->swb_offset) {
+ret_fail = AVERROR_BUG;
+goto fail;
+}
 } else {
 ics->swb_offset=ff_swb_offset_1024[sampling_index];
 ics->num_swb   =   ff_aac_num_swb_1024[sampling_index];
@@ -1334,7 +1338,8 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 if (aot == AOT_ER_AAC_LD) {
 av_log(ac->avctx, AV_LOG_ERROR,
"LTP in ER AAC LD not yet implemented.\n");
-return AVERROR_PATCHWELCOME;
+ret_fail = AVERROR_PATCHWELCOME;
+goto fail;
 }
 if ((ics->ltp.present = get_bits(gb, 1)))
 decode_ltp(>ltp, gb, ics->max_sfb);
@@ -1353,7 +1358,7 @@ static int decode_ics_info(AACContext *ac, 
IndividualChannelStream *ics,
 return 0;
 fail:
 ics->max_sfb = 0;
-return AVERROR_INVALIDDATA;
+return ret_fail;
 }
 
 /**
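Review bot: `ret_fail` is declared in the first hunk with a default of `AVERROR_INVALIDDATA` and consumed only at the `fail:` label here, but no comment ties the two together, so a future error path can easily return directly again and skip the `ics->max_sfb = 0` reset that this change exists to enforce. I would add a comment at the declaration, e.g. `/* error code for the fail: path; every error exit must go through fail so max_sfb is cleared */`. The function body between the hunks is not shown, so any remaining direct `return AVERROR...` statements there should be checked by hand.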



[FFmpeg-cvslog] avcodec/me_cmp: Fix crashes on ARM due to misalignment

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Aug 19 23:38:58 2017 +0200| [d15b1da8bcb3b559e1369e1dbd4319deb2b21d6e] | 
committer: Michael Niedermayer

avcodec/me_cmp: Fix crashes on ARM due to misalignment

Adds a diff_pixels_unaligned()

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503

Signed-off-by: Michael Niedermayer 
(cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d15b1da8bcb3b559e1369e1dbd4319deb2b21d6e
---

 libavcodec/me_cmp.c   | 10 +-
 libavcodec/pixblockdsp.c  |  1 +
 libavcodec/pixblockdsp.h  |  5 +
 libavcodec/x86/pixblockdsp_init.c |  2 ++
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c
index 6639b919ff..5e34a11593 100644
--- a/libavcodec/me_cmp.c
+++ b/libavcodec/me_cmp.c
@@ -628,7 +628,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 s->fdsp.fdct(temp);
 return s->mecc.sum_abs_dctelem(temp);
 }
@@ -668,7 +668,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1,
 int16_t dct[8][8];
 int i, sum = 0;
 
-s->pdsp.diff_pixels(dct[0], src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride);
 
 #define SRC(x) dct[i][x]
 #define DST(x, v) dct[i][x] = v
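Review bot: In dct264_sad8x8_c the destination passed to `diff_pixels_unaligned` is `dct[0]` from the plain local `int16_t dct[8][8];`, which carries no alignment declaration, while the new prototype in pixblockdsp.h still marks `block` as `/* align 16 */`. Only the source pointers were relaxed by this change, so a SIMD implementation that stores to `block` with aligned instructions would depend on the compiler happening to align this array. Declaring it as `DECLARE_ALIGNED(16, int16_t, dct)[8][8];` would make the requirement explicit. The same call is changed in the dct_sad8x8_c, dct_max8x8_c, quant_psnr8x8_c and bit8x8_c hunks, whose `temp` declarations are outside the visible lines and should be checked the same way.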
@@ -695,7 +695,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 s->fdsp.fdct(temp);
 
 for (i = 0; i < 64; i++)
@@ -714,7 +714,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1,
 av_assert2(h == 8);
 s->mb_intra = 0;
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 
 memcpy(bak, temp, 64 * sizeof(int16_t));
 
@@ -817,7 +817,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, 
uint8_t *src2,
 
 av_assert2(h == 8);
 
-s->pdsp.diff_pixels(temp, src1, src2, stride);
+s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride);
 
 s->block_last_index[0 /* FIXME */] =
 last   =
diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c
index f0883d3d08..6152fe40c3 100644
--- a/libavcodec/pixblockdsp.c
+++ b/libavcodec/pixblockdsp.c
@@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, 
AVCodecContext *avctx)
 {
 const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8;
 
+c->diff_pixels_unaligned =
 c->diff_pixels = diff_pixels_c;
 
 switch (avctx->bits_per_raw_sample) {
diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h
index 79ed86c3a6..b14514de7e 100644
--- a/libavcodec/pixblockdsp.h
+++ b/libavcodec/pixblockdsp.h
@@ -31,6 +31,11 @@ typedef struct PixblockDSPContext {
 const uint8_t *s1 /* align 8 */,
 const uint8_t *s2 /* align 8 */,
 int stride);
+void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */,
+const uint8_t *s1,
+const uint8_t *s2,
+int stride);
+
 } PixblockDSPContext;
 
 void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx);
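Review bot: The new `diff_pixels_unaligned` member has no comment stating its contract; the only hint is that the `/* align 8 */` annotations are absent from `s1` and `s2`. A short comment above it, e.g. `/* same as diff_pixels, but s1 and s2 may have any alignment; block must still be 16-byte aligned */`, would tell authors of per-architecture init code which implementations are safe to install in this slot.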
diff --git a/libavcodec/x86/pixblockdsp_init.c 
b/libavcodec/x86/pixblockdsp_init.c
index 4d06a44c6d..b9027dee54 100644
--- a/libavcodec/x86/pixblockdsp_init.c
+++ b/libavcodec/x86/pixblockdsp_init.c
@@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c,
 if (EXTERNAL_MMX(cpu_flags)) {
 if (!high_bit_depth)
 c->get_pixels = ff_get_pixels_mmx;
+c->diff_pixels_unaligned =
 c->diff_pixels = ff_diff_pixels_mmx;
 }
 
 if (EXTERNAL_SSE2(cpu_flags)) {
 if (!high_bit_depth)
 c->get_pixels = ff_get_pixels_sse2;
+c->diff_pixels_unaligned =
 c->diff_pixels = ff_diff_pixels_sse2;
 }
 }
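Review bot: Both x86 branches install `ff_diff_pixels_mmx` / `ff_diff_pixels_sse2` in the `diff_pixels_unaligned` slot, which is only correct if those assembly routines read `s1` and `s2` with loads that tolerate any alignment; the assembly is not part of this commit. A comment beside each assignment recording the result of that check, e.g. `/* x86 versions verified to accept unaligned s1/s2 */`, would keep the assumption visible. Other architecture init files are untouched here, so they presumably keep the C fallback set in ff_pixblockdsp_init.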



[FFmpeg-cvslog] avcodec/snowdec: Fix off by 1 error

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Aug 17 20:32:03 2017 +0200| [bd09e3b19c71d06fa333d27740668119361841e2] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix off by 1 error

Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]'
Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd09e3b19c71d06fa333d27740668119361841e2
---

 libavcodec/snowdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 7d6d7ff44f..4ebfa07c6a 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){
 Plane *p= >plane[plane_index];
 p->diag_mc= get_rac(>c, s->header_state);
 htaps= get_symbol(>c, s->header_state, 0)*2 + 2;
-if((unsigned)htaps > HTAPS_MAX || htaps==0)
+if((unsigned)htaps >= HTAPS_MAX || htaps==0)
 return AVERROR_INVALIDDATA;
 p->htaps= htaps;
 for(i= htaps/2; i; i--){
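Review bot: The corrected bound `(unsigned)htaps >= HTAPS_MAX` matches the 4-entry table named in the commit message, but the relation between `htaps` and that table's size is left implicit. A comment on the check, e.g. `/* htaps/2 is used as an index below, so htaps must stay below HTAPS_MAX */`, or a comparison of `htaps/2` against the array's element count, would keep the two from drifting apart. Separately, `get_symbol(...)*2 + 2` is computed in `int` before the cast, so a very large symbol would overflow before the range test runs; whether get_symbol can return such values is not visible from this hunk.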



[FFmpeg-cvslog] avcodec/diracdec: Check perspective_exp and zrs_exp.

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Aug 15 03:32:43 2017 +0200| [952393b69e666c53361fde252bc0b3f2dbabead3] | 
committer: Michael Niedermayer

avcodec/diracdec: Check perspective_exp and zrs_exp.

Fixes: undefined shift
Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int'
Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=952393b69e666c53361fde252bc0b3f2dbabead3
---

 libavcodec/diracdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bd4ea845ca..6be3cae8d0 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1155,6 +1155,10 @@ static int 
dirac_unpack_prediction_parameters(DiracContext *s)
 s->globalmc[ref].perspective[0]  = dirac_get_se_golomb(gb);
 s->globalmc[ref].perspective[1]  = dirac_get_se_golomb(gb);
 }
+if (s->globalmc[ref].perspective_exp + 
(uint64_t)s->globalmc[ref].zrs_exp > 30) {
+return AVERROR_INVALIDDATA;
+}
+
 }
 }
 
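Review bot: The new range check returns `AVERROR_INVALIDDATA` silently, and only after the out-of-range `perspective_exp` / `zrs_exp` have been stored in `s->globalmc[ref]`, whereas the weight_log2denom check in the same function logs an error and resets the field. If the context can be reused after a failed header (not visible here), the rejected exponents stay available to later code. Resetting them before returning and adding `av_log(s->avctx, AV_LOG_ERROR, "perspective_exp/zrs_exp out of range\n");` would match the other check. The literal `30` would also benefit from a comment saying which shift it protects.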



[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear mcsel before decoding an image

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug  6 13:32:54 2017 +0200| [342d5c20ce0a48074043d630e68629600b59ebdd] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Clear mcsel before decoding an image

Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be 
represented in type 'int'
Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=342d5c20ce0a48074043d630e68629600b59ebdd
---

 libavcodec/mpeg4videodec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 5dfd2954f7..758f77bcfc 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2290,6 +2290,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 int time_incr, time_increment;
 int64_t pts;
 
+s->mcsel   = 0;
 s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I;/* pict type: I 
= 0 , P = 1 */
 if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay &&
 ctx->vol_control_parameters == 0 && !(s->avctx->flags & 
AV_CODEC_FLAG_LOW_DELAY)) {
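Review bot: The added `s->mcsel = 0;` carries no comment, and a bare reset at the top of decode_vop_header looks removable to anyone who does not know the fuzzing case behind it. Something like `/* clear per-VOP state: a value left over from an earlier picture must not leak into one whose header never sets it */` would document the intent. Whether other conditionally parsed per-picture fields need the same treatment cannot be judged from the hunk, which shows only the first lines of the body.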



[FFmpeg-cvslog] avcodec/ffv1dec_template: Fix undefined shift

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug 11 18:20:03 2017 +0200| [04db307c77c18b6e1832a086f676db0db9c152a7] | 
committer: Michael Niedermayer

avcodec/ffv1dec_template: Fix undefined shift

Fixes: runtime error: left shift of negative value -127
Fixes: 2834/clusterfuzz-testcase-minimized-5988039123795968

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 62702eebded6c6341d214405812a981f80e46ea2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04db307c77c18b6e1832a086f676db0db9c152a7
---

 libavcodec/ffv1dec_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c
index 892ccf22fa..f2f7432339 100644
--- a/libavcodec/ffv1dec_template.c
+++ b/libavcodec/ffv1dec_template.c
@@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, 
uint8_t *src[3], int w, int
 }
 
 if (lbd)
-*((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + 
(r<<16) + (a<<24);
+*((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + 
((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24);
 else if (sizeof(TYPE) == 4) {
 *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g;
 *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b;
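Review bot: The casts remove the undefined shift, but a negative `g`, `r` or `a` still becomes a value with all upper bits set, so `(unsigned)g<<8` spills into the bytes meant for `r` and `a` in the packed 32-bit pixel. If negative or over-range samples can reach this point with damaged input (the commit message shows `-127`), masking each channel, e.g. `((g & 0xFFu) << 8)`, would keep one bad sample from corrupting its neighbours. If such samples cannot occur in valid streams, a comment saying so would help. The code that produces `b`, `g`, `r` and `a` is outside the hunk.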



[FFmpeg-cvslog] avcodec/diracdec: Check weight_log2denom

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Jul 29 15:46:50 2017 +0200| [892ceb512f0f10f6cdb7edb4446efbb0ae5b94ed] | 
committer: Michael Niedermayer

avcodec/diracdec: Check weight_log2denom

Fixes: runtime error: shift exponent -1 is negative
Fixes: 2742/clusterfuzz-testcase-minimized-5724322402402304
Fixes: 2744/clusterfuzz-testcase-minimized-4672435653705728
Fixes: 2749/clusterfuzz-testcase-minimized-5298741273690112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 880f5c59139e1d85d3a0b3433103f3fea17ff2d3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=892ceb512f0f10f6cdb7edb4446efbb0ae5b94ed
---

 libavcodec/diracdec.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bc0eb90ab1..bd4ea845ca 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1173,6 +1173,11 @@ static int 
dirac_unpack_prediction_parameters(DiracContext *s)
 
 if (get_bits1(gb)) {
 s->weight_log2denom = get_interleaved_ue_golomb(gb);
+if (s->weight_log2denom < 1 || s->weight_log2denom > 8) {
+av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or 
invalid\n");
+s->weight_log2denom = 1;
+return AVERROR_INVALIDDATA;
+}
 s->weight[0] = dirac_get_se_golomb(gb);
 if (s->num_refs == 2)
 s->weight[1] = dirac_get_se_golomb(gb);
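Review bot: The error message for a rejected `weight_log2denom` does not include the offending value, which makes reports from the field hard to triage. Printing it before the field is reset, e.g. `av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom %d unsupported or invalid\n", s->weight_log2denom);`, costs nothing; the `%d` assumes the field is an `int`, whose declaration is outside the hunk. A short comment on why the accepted range is 1..8 would also help, since the lower bound is presumably what prevents the negative shift named in the commit message.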



[FFmpeg-cvslog] avcodec/aacdec_fixed: fix invalid shift in predict()

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug  4 03:26:30 2017 +0200| [e5950870481b02baf320bca97d8e3ba67a616792] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: fix invalid shift in predict()

Fixes: runtime error: shift exponent -2 is negative
Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5950870481b02baf320bca97d8e3ba67a616792
---

 libavcodec/aacdec_fixed.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index ccc82057e1..e7c2d2d299 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 if (output_enable) {
 int shift = 28 - pv.exp;
 
-if (shift < 31)
-*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+if (shift < 31) {
+if (shift > 0) {
+*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+} else
+*coef += pv.mant << -shift;
+}
 }
 
 e0 = av_int2sf(*coef, 2);
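Review bot: The new `else` branch computes `pv.mant << -shift` with no upper limit on `-shift` and, if `mant` is a signed type as the sibling expression suggests, with a possibly negative left operand; both are undefined in C. `shift` is `28 - pv.exp`, so a large `pv.exp` yields a shift count of 32 or more. Bounding the branch and shifting in unsigned, `} else if (shift > -31) *coef += (unsigned)pv.mant << -shift;`, avoids both; what to do for exponents beyond that bound is a decision for the author. The branch also drops the braces used on the `if` side. predict() begins and ends outside the hunk.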



[FFmpeg-cvslog] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug  6 05:01:45 2017 +0200| [52c4069119ba1d879f11b99957e156c9962cabb7] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be 
represented in type 'int'
Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52c4069119ba1d879f11b99957e156c9962cabb7
---

 libavcodec/dirac_dwt.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 62f8472b41..e715e53bc4 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-(b1 - ((1817*(b0 + b2) + 2048) >> 12))
+(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-(b1 - (( 113*(b0 + b2) + 64) >> 7))
+(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7))
 
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-(b1 + (( 217*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-(b1 + ((6497*(b0 + b2) + 2048) >> 12))
+(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12))
 
 
 #endif /* AVCODEC_DWT_H */
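Review bot: In all four COMPOSE_DAUB97 macros the multiplication is now unsigned, but if the arguments are `int` the inner `b0 + b2` is still added as signed before being multiplied, and the outer `b1 - (...)` / `b1 + (...)` is signed as well, so extreme coefficients can still overflow at those two steps. Casting one addend, as the vertical_compose53iL0 fix does, closes the first: `(b1 - ((int)(1817U*(b0 + (unsigned)b2) + 2048) >> 12))`, and likewise for iH1, iL0 and iH0. The macro arguments are also used without parentheses, which predates this change but is worth fixing while the lines are being touched.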



[FFmpeg-cvslog] avcodec/diracdsp: fix integer overflow

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Jul 29 15:55:36 2017 +0200| [19938f1a11355a199135c7411eab5fbf026a4ffb] | 
committer: Michael Niedermayer

avcodec/diracdsp: fix integer overflow

Fixes: runtime error: signed integer overflow: 11 * 225726413 cannot be 
represented in type 'int'
Fixes: 2764/clusterfuzz-testcase-minimized-5382561922547712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2d9d7226943d6229a17e31714ce5162bdf88b33)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19938f1a11355a199135c7411eab5fbf026a4ffb
---

 libavcodec/diracdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c
index cd1209e209..8bc79b788c 100644
--- a/libavcodec/diracdsp.c
+++ b/libavcodec/diracdsp.c
@@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, 
uint8_t *dst, ptrdiff_t s
 for (i = 0; i < tot_h; i++) {  
\
 c = *src_r++;  
\
 sign = FFSIGN(c)*(!!c);
\
-c = (FFABS(c)*qf + qs) >> 2;   
\
+c = (FFABS(c)*(unsigned)qf + qs) >> 2; 
  \
 *dst_r++ = c*sign; 
\
 }  
\
 src += tot_h << (sizeof(PX) >> 1); 
\



[FFmpeg-cvslog] avformat/utils: fix memory leak in avformat_free_context

2017-09-17 Thread Steven Siloti
ffmpeg | branch: release/3.2 | Steven Siloti  | Tue Jul 
18 11:26:39 2017 -0700| [16ee4057077b05e89a784cce1a17ec49b5e46ad2] | committer: 
Michael Niedermayer

avformat/utils: fix memory leak in avformat_free_context

The pointer to the packet queue is stored in the internal structure
so the queue needs to be flushed before internal is freed.

Signed-off-by: Steven Siloti 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=16ee4057077b05e89a784cce1a17ec49b5e46ad2
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index cea3ab5a93..3e59e50bb1 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4172,8 +4172,8 @@ void avformat_free_context(AVFormatContext *s)
 av_freep(>chapters);
 av_dict_free(>metadata);
 av_freep(>streams);
-av_freep(>internal);
 flush_packet_queue(s);
+av_freep(>internal);
 av_free(s);
 }
 
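Review bot: The fix depends on call order alone, and nothing at the two lines says so. A comment such as `/* flush_packet_queue() needs s->internal, so it must run before internal is freed */` would stop the calls from being reordered again. The commit message states the dependency; the body of flush_packet_queue is not visible here.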



[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset

2017-09-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug  4 02:41:05 2017 +0200| [b66aa37834c2913be41a8404662c403c1c68b683] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be 
represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b66aa37834c2913be41a8404662c403c1c68b683
---

 libavcodec/h264_slice.c | 16 +---
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 68b73da418..ce1fc18219 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1739,17 +1739,19 @@ static int h264_slice_header_parse(const H264Context 
*h, H264SliceContext *sl,
 sl->deblocking_filter ^= 1;  // 1<->0
 
 if (sl->deblocking_filter) {
-sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2;
-sl->slice_beta_offset = get_se_golomb(>gb) * 2;
-if (sl->slice_alpha_c0_offset >  12 ||
-sl->slice_alpha_c0_offset < -12 ||
-sl->slice_beta_offset >  12 ||
-sl->slice_beta_offset < -12) {
+int slice_alpha_c0_offset_div2 = get_se_golomb(>gb);
+int slice_beta_offset_div2 = get_se_golomb(>gb);
+if (slice_alpha_c0_offset_div2 >  6 ||
+slice_alpha_c0_offset_div2 < -6 ||
+slice_beta_offset_div2 >  6 ||
+slice_beta_offset_div2 < -6) {
 av_log(h->avctx, AV_LOG_ERROR,
"deblocking filter parameters %d %d out of range\n",
-   sl->slice_alpha_c0_offset, sl->slice_beta_offset);
+   slice_alpha_c0_offset_div2, slice_beta_offset_div2);
 return AVERROR_INVALIDDATA;
 }
+sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2;
+sl->slice_beta_offset = slice_beta_offset_div2 * 2;
 }
 }
 
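Review bot: The `av_log` call now prints the raw `_div2` syntax elements while the message text still reads "deblocking filter parameters", so the numbers shown are half of what the same message reported before this change. Adjusting the text, e.g. `"deblocking filter parameters (div2) %d %d out of range\n"`, keeps logs unambiguous. The limit `6` appears four times; a comment naming its origin (presumably the range the H.264 specification allows for these elements) would make the check easier to audit.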



[FFmpeg-cvslog] [ffmpeg-web] branch master updated. df5f4d0 web/secrity: add CVEs for 3.3.4

2017-09-17 Thread ffmpeg-git
The branch, master has been updated
   via  df5f4d0b7e4cd2166b6cd73c801e321272b689cd (commit)
  from  2373ca7eef2117995b5fba90be7ddd7603fa3eec (commit)


- Log -
commit df5f4d0b7e4cd2166b6cd73c801e321272b689cd
Author: Michael Niedermayer 
AuthorDate: Sun Sep 17 12:28:24 2017 +0200
Commit: Michael Niedermayer 
CommitDate: Sun Sep 17 12:28:24 2017 +0200

web/secrity: add CVEs for 3.3.4

diff --git a/src/security b/src/security
index ab51443..57db9e5 100644
--- a/src/security
+++ b/src/security
@@ -4,6 +4,25 @@
 
 FFmpeg 3.3
 
+3.3.4
+
+Fixes following vulnerabilities:
+
+
+CVE-2017-14054, 6bd562e04440c48eb79e24c36800791bbb1ba0b6 / 
124eb202e70678539544f6268efc98131f19fa49
+CVE-2017-14055, e910f15fcbb709c4c7208737a6cc39185b41543b / 
4f05e2e2dc1a89f38cd9f0960a6561083d714f1e
+CVE-2017-14059, 4ff1fcd3caa2e59c3d4cec8e4c64c9ac79b09a1d / 
7e80b63ecd259d69d383623e75b318bf2bd491f6
+CVE-2017-14058, 305f37e5be009c66e0af3064855c8509aafba719 / 
7ec414892ddcad88313848494b6fc5f437c9ca4a
+CVE-2017-14057, 6447815dfbbe5036c7fa29d285b59896d76f4f9d / 
7f9ec5593e04827249e7aeb466da06a98a0d7329
+CVE-2017-14225, 5474a7e93b8ea0be1157ac9cf93c1511eccae7b0 / 
837cb4325b712ff1aab531bf41668933f61d75d2
+CVE-2017-14170, c01f799314c3254a98c415ccf99acd501bdbd9f2 / 
900f39692ca0337a98a7cf047e4e2611071810c2
+CVE-2017-14056, 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d / 
96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de
+CVE-2017-14222, d9cf9f5af82228b588828ae2692acccec588fdac / 
9cb4eb772839c5e1de2855d126bf74ff16d13382
+CVE-2017-14169, 9d3a7c82a669a1a1c8e3904c65ded19e80d16edc / 
9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad
+CVE-2017-14223, b61e5a878c845b8bee1267fdb75c293feb00ae0d / 
afc9c683ed9db01edb357bc8c19edad4282b3a97
+CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / 
c24bcb553650b91e9eff15ef6e54ca73de2453b
+
+
 3.3.3
 
 Fixes following vulnerabilities:

---

Summary of changes:
 src/security | 19 +++
 1 file changed, 19 insertions(+)


hooks/post-receive
-- 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog