[FFmpeg-cvslog] avfilter/tinterlace: Simplify checks for lowpass filtering flags
ffmpeg | branch: master | James Almer| Sun Sep 17 23:41:31 2017 -0300| [3af1060319b46005dbfb3b01f9104539caf30146] | committer: James Almer avfilter/tinterlace: Simplify checks for lowpass filtering flags > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3af1060319b46005dbfb3b01f9104539caf30146 --- libavfilter/vf_tinterlace.c | 12 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavfilter/vf_tinterlace.c b/libavfilter/vf_tinterlace.c index 66c6d17ed9..9ae9daafc1 100644 --- a/libavfilter/vf_tinterlace.c +++ b/libavfilter/vf_tinterlace.c @@ -172,14 +172,12 @@ static int config_out_props(AVFilterLink *outlink) tinterlace->black_linesize[i] * h); } } -if ((tinterlace->flags & TINTERLACE_FLAG_VLPF - || tinterlace->flags & TINTERLACE_FLAG_CVLPF) +if (tinterlace->flags & (TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF) && !(tinterlace->mode == MODE_INTERLEAVE_TOP || tinterlace->mode == MODE_INTERLEAVE_BOTTOM)) { av_log(ctx, AV_LOG_WARNING, "low_pass_filter flags ignored with mode %d\n", tinterlace->mode); -tinterlace->flags &= ~TINTERLACE_FLAG_VLPF; -tinterlace->flags &= ~TINTERLACE_FLAG_CVLPF; +tinterlace->flags &= ~(TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF); } tinterlace->preout_time_base = inlink->time_base; if (tinterlace->mode == MODE_INTERLACEX2) { 
@@ -263,10 +261,8 @@ void copy_picture_field(TInterlaceContext *tinterlace, // Low-pass filtering is required when creating an interlaced destination from // a progressive source which contains high-frequency vertical detail. // Filtering will reduce interlace 'twitter' and Moire patterning. -if (flags & TINTERLACE_FLAG_VLPF || flags & TINTERLACE_FLAG_CVLPF) { -int x = 0; -if (flags & TINTERLACE_FLAG_CVLPF) -x = 1; +if (flags & (TINTERLACE_FLAG_VLPF | TINTERLACE_FLAG_CVLPF)) { +int x = !!(flags & TINTERLACE_FLAG_CVLPF); for (h = lines; h > 0; h--) { ptrdiff_t pref = src_linesize[plane]; ptrdiff_t mref = -pref; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] fate: add tinterlace lowpass filtering tests
ffmpeg | branch: master | Thomas Mundt| Sun Sep 17 23:41:00 2017 -0300| [4492237e333c3b5eb57e255d3dba690dcf35940c] | committer: James Almer fate: add tinterlace lowpass filtering tests Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4492237e333c3b5eb57e255d3dba690dcf35940c --- tests/fate/filter-video.mak| 6 ++ tests/ref/fate/filter-pixfmts-tinterlace_cvlpf | 14 ++ tests/ref/fate/filter-pixfmts-tinterlace_vlpf | 14 ++ 3 files changed, 34 insertions(+) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index 620487872b..d1e13414f6 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -668,12 +668,18 @@ fate-filter-pixfmts-super2xsai: CMD = pixfmts FATE_FILTER_PIXFMTS-$(CONFIG_SWAPUV_FILTER) += fate-filter-pixfmts-swapuv fate-filter-pixfmts-swapuv: CMD = pixfmts +FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += fate-filter-pixfmts-tinterlace_cvlpf +fate-filter-pixfmts-tinterlace_cvlpf: CMD = pixfmts "interleave_top:cvlpf" + FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += fate-filter-pixfmts-tinterlace_merge fate-filter-pixfmts-tinterlace_merge: CMD = pixfmts "merge" FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += fate-filter-pixfmts-tinterlace_pad fate-filter-pixfmts-tinterlace_pad: CMD = pixfmts "pad" +FATE_FILTER_PIXFMTS-$(CONFIG_TINTERLACE_FILTER) += fate-filter-pixfmts-tinterlace_vlpf +fate-filter-pixfmts-tinterlace_vlpf: CMD = pixfmts "interleave_top:vlpf" + FATE_FILTER_PIXFMTS-$(CONFIG_VFLIP_FILTER) += fate-filter-pixfmts-vflip fate-filter-pixfmts-vflip: CMD = pixfmts diff --git a/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf b/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf new file mode 100644 index 00..8623636ff9 --- /dev/null +++ b/tests/ref/fate/filter-pixfmts-tinterlace_cvlpf 
@@ -0,0 +1,14 @@ +gray9849d71519ae9c584ae8abfa8adb2f8e +yuv410p 44ee4b74b95c82d6f79ddf53b5e3aa9d +yuv411p 5fa9d1fba7adfd6f7fa04464332b631a +yuv420p ee9591ea3ab06c73be902c4b8868c69e +yuv422p b1be7b55567bde86d655adf80fac1257 +yuv440p ddf6ee697f4ff4f90d501e6869392309 +yuv444p 7cb5d0c0997c8c2545a16bfc4cb9fd6d +yuva420pee0761e2f76ec441c545feede77103e4 +yuva422pa8da2806e21a88449079faa7f4303ffa +yuva444pa3f57734d6f72bdf37f8f612ea7cce63 +yuvj420p9f358e311b694bcd01e1a07d1120ade5 +yuvj422p9a7628a9f1630d35c7176951ddc1b2f6 +yuvj440p112fe35292c687746ec0c622a42c611b +yuvj444pf894438f40950229baa02545daa8812a diff --git a/tests/ref/fate/filter-pixfmts-tinterlace_vlpf b/tests/ref/fate/filter-pixfmts-tinterlace_vlpf new file mode 100644 index 00..2f52fd13f0 --- /dev/null +++ b/tests/ref/fate/filter-pixfmts-tinterlace_vlpf @@ -0,0 +1,14 @@ +grayb79791449947c25cd5b36d9d3b9d1831 +yuv410p 5bc03f4cf6b441b421f0fdaeeff1e9ed +yuv411p 19046df1876c46ed1ef0458680270bd3 +yuv420p 69c743b84996be9430b051a55cfbcb29 +yuv422p d710ccd1941f6f389c97a09bc977e709 +yuv440p 1a482a23fe5a9b7d02388c299fd0a423 +yuv444p c968a92f4b7ab6706ee9b425eb5345b5 +yuva420p3f89a166f309c0cda8b91a9e8a0ce937 +yuva422pef8fdbe910d68e88e98227b0e99fb5a6 +yuva444p3662eadd5f61a6edbc9d715ea8591415 +yuvj420p14c4390b319c5d679184503309060ac3 +yuvj422pbbe00a26526931b72a024febe1cd6b90 +yuvj440pf654cf28b7879c6a6c950c3cb9612580 +yuvj444pc162a4fe7a665f4abf257443703f0d72 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] lavc/frame_thread_encoder: Do not mix variable declaration and code.
ffmpeg | branch: master | Carl Eugen Hoyos| Mon Sep 18 03:24:52 2017 +0200| [3118e81f86067e8f04d729b070fc90ca2c9090d8] | committer: Carl Eugen Hoyos lavc/frame_thread_encoder: Do not mix variable declaration and code. Fixes a warning: ISO C90 forbids mixed declarations and code > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3118e81f86067e8f04d729b070fc90ca2c9090d8 --- libavcodec/frame_thread_encoder.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/frame_thread_encoder.c b/libavcodec/frame_thread_encoder.c index 31a9fe9dae..ffbf5caf29 100644 --- a/libavcodec/frame_thread_encoder.c +++ b/libavcodec/frame_thread_encoder.c @@ -193,13 +193,14 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ for(i=0; ithread_count ; i++){ AVDictionary *tmp = NULL; +int ret; void *tmpv; AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; -int ret = av_opt_copy(thread_avctx, avctx); +ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; thread_avctx->priv_data = tmpv; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
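Review bot: The `goto fail` taken when `av_opt_copy()` fails in `ff_frame_thread_encoder_init()` runs while `thread_avctx->priv_data` still holds the pointer copied from `avctx` by `*thread_avctx = *avctx;`, because `thread_avctx->priv_data = tmpv;` comes only after the check. `thread_avctx` is also declared inside the loop body, so unless the `fail:` path (outside this hunk) can reach it, the freshly allocated context and `tmpv` are leaked on this path. If `av_opt_copy()` does not depend on the copied pointer, moving `thread_avctx->priv_data = tmpv;` directly after the struct copy and releasing the context before the jump would make this error path safe on its own. The function starts and ends outside the hunk.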
[FFmpeg-cvslog] checkasm: add an exrdsp test
ffmpeg | branch: master | James Almer| Sun Sep 17 18:48:02 2017 -0300| [7323c896b2cb6b2f3c0643094d6dd3e1d7179690] | committer: James Almer checkasm: add an exrdsp test Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7323c896b2cb6b2f3c0643094d6dd3e1d7179690 --- tests/checkasm/Makefile | 1 + tests/checkasm/checkasm.c | 3 +++ tests/checkasm/checkasm.h | 1 + tests/checkasm/exrdsp.c | 68 +++ tests/fate/checkasm.mak | 1 + 5 files changed, 74 insertions(+) diff --git a/tests/checkasm/Makefile b/tests/checkasm/Makefile index 184e981754..14916e5100 100644 --- a/tests/checkasm/Makefile +++ b/tests/checkasm/Makefile @@ -18,6 +18,7 @@ AVCODECOBJS-$(CONFIG_AAC_DECODER) += aacpsdsp.o \ sbrdsp.o AVCODECOBJS-$(CONFIG_ALAC_DECODER) += alacdsp.o AVCODECOBJS-$(CONFIG_DCA_DECODER) += synth_filter.o +AVCODECOBJS-$(CONFIG_EXR_DECODER) += exrdsp.o AVCODECOBJS-$(CONFIG_JPEG2000_DECODER) += jpeg2000dsp.o AVCODECOBJS-$(CONFIG_PIXBLOCKDSP) += pixblockdsp.o AVCODECOBJS-$(CONFIG_HEVC_DECODER) += hevc_add_res.o hevc_idct.o diff --git a/tests/checkasm/checkasm.c b/tests/checkasm/checkasm.c index ba729ac1bf..b8b0e32dbd 100644 --- a/tests/checkasm/checkasm.c +++ b/tests/checkasm/checkasm.c @@ -92,6 +92,9 @@ static const struct { #if CONFIG_DCA_DECODER { "synth_filter", checkasm_check_synth_filter }, #endif +#if CONFIG_EXR_DECODER +{ "exrdsp", checkasm_check_exrdsp }, +#endif #if CONFIG_FLACDSP { "flacdsp", checkasm_check_flacdsp }, #endif diff --git a/tests/checkasm/checkasm.h b/tests/checkasm/checkasm.h index b29a61331e..e5b1877dc0 100644 --- a/tests/checkasm/checkasm.h +++ b/tests/checkasm/checkasm.h @@ -46,6 +46,7 @@ void checkasm_check_blend(void); void checkasm_check_blockdsp(void); void checkasm_check_bswapdsp(void); void checkasm_check_colorspace(void); +void checkasm_check_exrdsp(void); void checkasm_check_fixed_dsp(void); void checkasm_check_flacdsp(void); void checkasm_check_float_dsp(void); 
diff --git a/tests/checkasm/exrdsp.c b/tests/checkasm/exrdsp.c new file mode 100644 index 00..6637f6fdd2 --- /dev/null +++ b/tests/checkasm/exrdsp.c 
@@ -0,0 +1,68 @@ +/* + * Copyright (c) 2017 James Almer + * + * This file is part of FFmpeg. + * + * FFmpeg is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * FFmpeg is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with FFmpeg; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#include + +#include "checkasm.h" +#include "libavcodec/avcodec.h" +#include "libavcodec/exrdsp.h" +#include "libavutil/intreadwrite.h" + +#define BUF_SIZE 5120 +#define PADDED_BUF_SIZE BUF_SIZE+AV_INPUT_BUFFER_PADDING_SIZE*2 + +#define randomize_buffers() \ +do {\ +int i; \ +for (i = 0; i < BUF_SIZE; i += 4) { \ +uint32_t r = rnd(); \ +AV_WN32A(src + i, r); \ +} \ +} while (0) + +static void check_reorder_pixels(void) { +LOCAL_ALIGNED_32(uint8_t, src, [PADDED_BUF_SIZE]); +LOCAL_ALIGNED_32(uint8_t, dst_ref, [PADDED_BUF_SIZE]); +LOCAL_ALIGNED_32(uint8_t, dst_new, [PADDED_BUF_SIZE]); + +declare_func(void, uint8_t *dst, const uint8_t *src, ptrdiff_t size); + +memset(src, 0, PADDED_BUF_SIZE); +memset(dst_ref, 0, PADDED_BUF_SIZE); +memset(dst_new, 0, PADDED_BUF_SIZE); +randomize_buffers(); +call_ref(dst_ref, src, BUF_SIZE); +call_new(dst_new, src, BUF_SIZE); +if (memcmp(dst_ref, dst_new, BUF_SIZE)) +fail(); +bench_new(dst_new, src, BUF_SIZE); +} + +void checkasm_check_exrdsp(void) +{ +ExrDSPContext h; + +ff_exrdsp_init(); + +if (check_func(h.reorder_pixels, "reorder_pixels")) +check_reorder_pixels(); + +report("reorder_pixels"); +} 
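Review bot: `PADDED_BUF_SIZE` expands to an unparenthesized sum, so any later use inside a larger expression (a multiplication, a subtraction) would silently compute the wrong size; write it as `#define PADDED_BUF_SIZE (BUF_SIZE + AV_INPUT_BUFFER_PADDING_SIZE * 2)`. The uses visible in this file, array bounds and `memset` lengths, happen to be unaffected. Separately, `check_reorder_pixels()` exercises a single length, `BUF_SIZE`, and compares only the first `BUF_SIZE` bytes of `dst_ref` and `dst_new`, so tail handling at other even sizes and writes beyond the allowed padding are not covered. Running the check over a few sizes and verifying that bytes past the permitted padding stay zero would make the test catch an out-of-bounds store in a SIMD version.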
diff --git a/tests/fate/checkasm.mak b/tests/fate/checkasm.mak index 824ae2f32d..7e8623985c 100644 --- a/tests/fate/checkasm.mak +++ b/tests/fate/checkasm.mak @@ -3,6 +3,7 @@ FATE_CHECKASM = fate-checkasm-aacpsdsp \ fate-checkasm-audiodsp \ fate-checkasm-blockdsp \
[FFmpeg-cvslog] avcodec/exrdsp: improve the ExrDSPContext->reorder_pixels prototype
ffmpeg | branch: master | James Almer| Sun Sep 17 18:56:39 2017 -0300| [98d7ad085e20f7cd3347bbaff251bd687db733ee] | committer: James Almer avcodec/exrdsp: improve the ExrDSPContext->reorder_pixels prototype Make dst be the first parameter and src const. It's more in line with the rest of the codebase. Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98d7ad085e20f7cd3347bbaff251bd687db733ee --- libavcodec/exr.c | 4 ++-- libavcodec/exrdsp.c | 2 +- libavcodec/exrdsp.h | 2 +- libavcodec/x86/exrdsp.asm| 4 ++-- libavcodec/x86/exrdsp_init.c | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index de2f05d3a9..230d5bbca8 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -289,7 +289,7 @@ static int zip_uncompress(EXRContext *s, const uint8_t *src, int compressed_size av_assert1(uncompressed_size % 2 == 0); predictor(td->tmp, uncompressed_size); -s->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); +s->dsp.reorder_pixels(td->uncompressed_data, td->tmp, uncompressed_size); return 0; } @@ -336,7 +336,7 @@ static int rle_uncompress(EXRContext *ctx, const uint8_t *src, int compressed_si av_assert1(uncompressed_size % 2 == 0); predictor(td->tmp, uncompressed_size); -ctx->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); +ctx->dsp.reorder_pixels(td->uncompressed_data, td->tmp, uncompressed_size); return 0; } diff --git a/libavcodec/exrdsp.c b/libavcodec/exrdsp.c index e59dac3dc4..871b6f1276 100644 --- a/libavcodec/exrdsp.c +++ b/libavcodec/exrdsp.c @@ -24,7 +24,7 @@ #include "exrdsp.h" #include "config.h" -static void reorder_pixels_scalar(uint8_t *src, uint8_t *dst, ptrdiff_t size) +static void reorder_pixels_scalar(uint8_t *dst, const uint8_t *src, ptrdiff_t size) { const uint8_t *t1 = src; int half_size = size / 2; diff --git a/libavcodec/exrdsp.h b/libavcodec/exrdsp.h index 09a76a518e..d8cb002efc 100644 --- a/libavcodec/exrdsp.h 
+++ b/libavcodec/exrdsp.h @@ -23,7 +23,7 @@ #include "libavutil/common.h" typedef struct ExrDSPContext { -void (*reorder_pixels)(uint8_t *src, uint8_t *dst, ptrdiff_t size); +void (*reorder_pixels)(uint8_t *dst, const uint8_t *src, ptrdiff_t size); } ExrDSPContext; void ff_exrdsp_init(ExrDSPContext *c); diff --git a/libavcodec/x86/exrdsp.asm b/libavcodec/x86/exrdsp.asm index 91d9c0b0a7..b91a7be20d 100644 --- a/libavcodec/x86/exrdsp.asm +++ b/libavcodec/x86/exrdsp.asm @@ -27,11 +27,11 @@ SECTION .text ;-- -; void ff_reorder_pixels(uint8_t *src, uint8_t *dst, ptrdiff_t size) +; void ff_reorder_pixels(uint8_t *dst, const uint8_t *src, ptrdiff_t size); ;-- %macro REORDER_PIXELS 0 -cglobal reorder_pixels, 3,4,3, src1, dst, size, src2 +cglobal reorder_pixels, 3,4,3, dst, src1, size, src2 lea src2q, [src1q+sizeq] ; src2 = src + 2 * half_size add dstq, sizeq ; dst offset by size shr sizeq, 1 ; half_size diff --git a/libavcodec/x86/exrdsp_init.c b/libavcodec/x86/exrdsp_init.c index c0f508b2c4..5669be3d97 100644 --- a/libavcodec/x86/exrdsp_init.c +++ b/libavcodec/x86/exrdsp_init.c @@ -22,9 +22,9 @@ #include "libavutil/x86/cpu.h" #include "libavcodec/exrdsp.h" -void ff_reorder_pixels_sse2(uint8_t *src, uint8_t *dst, ptrdiff_t size); +void ff_reorder_pixels_sse2(uint8_t *dst, const uint8_t *src, ptrdiff_t size); -void ff_reorder_pixels_avx2(uint8_t *src, uint8_t *dst, ptrdiff_t size); +void ff_reorder_pixels_avx2(uint8_t *dst, const uint8_t *src, ptrdiff_t size); av_cold void ff_exrdsp_init_x86(ExrDSPContext *dsp) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
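Review bot: The `reorder_pixels` member of `ExrDSPContext` in exrdsp.h carries no comment describing its buffer contract, and after swapping two pointer parameters of the same base type that contract is the only thing a caller can check a call against. The call sites in exr.c assert `uncompressed_size % 2 == 0`, and the commit that introduced the SIMD code pads the destination allocation by 64 bytes for the AVX2 version, so both look like interface requirements rather than caller details. I would add a comment above the member along the lines of `/* size must be even; SIMD versions may store past dst + size, so dst must be padded */`, with the exact padding confirmed against the asm.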
[FFmpeg-cvslog] libavcodec/exr : add X86 SIMD for reorder_pixels
ffmpeg | branch: master | Martin Vignali| Sun Sep 17 21:59:41 2017 +0200| [9b8c1224d7e1804b0b750de11e6a8c4648f1e115] | committer: James Almer libavcodec/exr : add X86 SIMD for reorder_pixels Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b8c1224d7e1804b0b750de11e6a8c4648f1e115 --- libavcodec/Makefile | 2 +- libavcodec/exr.c | 38 +++--- libavcodec/exrdsp.c | 47 + libavcodec/exrdsp.h | 32 ++ libavcodec/x86/Makefile | 2 ++ libavcodec/x86/exrdsp.asm| 63 libavcodec/x86/exrdsp_init.c | 39 +++ 7 files changed, 199 insertions(+), 24 deletions(-) diff --git a/libavcodec/Makefile b/libavcodec/Makefile index 943e5db511..fad56129a3 100644 --- a/libavcodec/Makefile +++ b/libavcodec/Makefile @@ -286,7 +286,7 @@ OBJS-$(CONFIG_EIGHTSVX_FIB_DECODER)+= 8svx.o OBJS-$(CONFIG_ESCAPE124_DECODER) += escape124.o OBJS-$(CONFIG_ESCAPE130_DECODER) += escape130.o OBJS-$(CONFIG_EVRC_DECODER)+= evrcdec.o acelp_vectors.o lsp.o -OBJS-$(CONFIG_EXR_DECODER) += exr.o +OBJS-$(CONFIG_EXR_DECODER) += exr.o exrdsp.o OBJS-$(CONFIG_FFV1_DECODER)+= ffv1dec.o ffv1.o OBJS-$(CONFIG_FFV1_ENCODER)+= ffv1enc.o ffv1.o OBJS-$(CONFIG_FFWAVESYNTH_DECODER) += ffwavesynth.o diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 759880756d..de2f05d3a9 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -51,6 +51,7 @@ #include "bswapdsp.h" #endif +#include "exrdsp.h" #include "get_bits.h" #include "internal.h" #include "mathops.h" @@ -121,6 +122,7 @@ typedef struct EXRContext { AVClass *class; AVFrame *picture; AVCodecContext *avctx; +ExrDSPContext dsp; #if HAVE_BIGENDIAN BswapDSPContext bbdsp; 
@@ -275,23 +277,7 @@ static void predictor(uint8_t *src, int size) } } -static void reorder_pixels(uint8_t *src, uint8_t *dst, int size) -{ -const uint8_t *t1 = src; -int half_size = size / 2; -const uint8_t *t2 = src + half_size; -uint8_t *s= dst; -int i; - -av_assert1(size % 2 == 0); - -for (i = 0; i < half_size; i++) { -*(s++) = *(t1++); -*(s++) = *(t2++); -} -} - -static int zip_uncompress(const uint8_t *src, int compressed_size, +static int zip_uncompress(EXRContext *s, const uint8_t *src, int compressed_size, int uncompressed_size, EXRThreadData *td) { unsigned long dest_len = uncompressed_size; @@ -300,13 +286,15 @@ static int zip_uncompress(const uint8_t *src, int compressed_size, dest_len != uncompressed_size) return AVERROR_INVALIDDATA; +av_assert1(uncompressed_size % 2 == 0); + predictor(td->tmp, uncompressed_size); -reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); +s->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); return 0; } -static int rle_uncompress(const uint8_t *src, int compressed_size, +static int rle_uncompress(EXRContext *ctx, const uint8_t *src, int compressed_size, int uncompressed_size, EXRThreadData *td) { uint8_t *d = td->tmp; @@ -345,8 +333,10 @@ static int rle_uncompress(const uint8_t *src, int compressed_size, if (dend != d) return AVERROR_INVALIDDATA; +av_assert1(uncompressed_size % 2 == 0); + predictor(td->tmp, uncompressed_size); -reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); +ctx->dsp.reorder_pixels(td->tmp, td->uncompressed_data, uncompressed_size); return 0; } @@ -1152,7 +1142,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, if (data_size < uncompressed_size) { av_fast_padded_malloc(>uncompressed_data, - >uncompressed_size, uncompressed_size); + >uncompressed_size, uncompressed_size + 64);/* Force 64 padding for AVX2 reorder_pixels dst */ if (!td->uncompressed_data) return AVERROR(ENOMEM); 
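Review bot: `av_assert1(uncompressed_size % 2 == 0);` in `zip_uncompress()` is now the only guard on the evenness that `reorder_pixels` relies on, and `av_assert1` is compiled out unless the build raises the assert level, so a default build enforces nothing here. The same line is added to `rle_uncompress()` in the @@ -345 hunk. `uncompressed_size` is computed outside these hunks, so whether a crafted file can make it odd needs confirming; if it can, an explicit `if (uncompressed_size & 1) return AVERROR_INVALIDDATA;` before the call is the safer form. Both function bodies start outside their hunks.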
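Review bot: The `uncompressed_size + 64` passed to `av_fast_padded_malloc()` in `decode_block()` hard-codes a requirement of the AVX2 routine at a call site far from the asm, so a later change to the vector width or store pattern could turn this into a heap overwrite without any compile-time signal. A named constant declared next to `ExrDSPContext`, e.g. `#define EXRDSP_DST_PADDING 64` (name constructed for this note), would keep the allocation and the asm in step. Only the destination is padded here; whether `td->tmp`, which the SIMD code reads from, has matching slack is not visible in this diff and is worth checking. `decode_block()` continues outside the hunk.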
@@ -1161,7 +1151,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, switch (s->compression) { case EXR_ZIP1: case EXR_ZIP16: -ret = zip_uncompress(src, data_size, uncompressed_size, td); +ret = zip_uncompress(s, src, data_size, uncompressed_size, td); break; case EXR_PIZ: ret = piz_uncompress(s, src, data_size, uncompressed_size, td); @@ -1170,7 +1160,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, ret = pxr24_uncompress(s, src, data_size, uncompressed_size, td); break; case EXR_RLE: -ret = rle_uncompress(src, data_size, uncompressed_size, td); +ret =
[FFmpeg-cvslog] avcodec/hevc_ps: Fix c?_qp_offset_list size
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Sep 10 21:10:17 2017 +0200| [61c5c89d043896217df12455aa036ee24df49ff0] | committer: Michael Niedermayer avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61c5c89d043896217df12455aa036ee24df49ff0 --- libavcodec/hevc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index be91010378..162ca0e582 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -539,8 +539,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; -int8_t cb_qp_offset_list[5]; -int8_t cr_qp_offset_list[5]; +int8_t cb_qp_offset_list[6]; +int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
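Review bot: The new bound `6` on `cb_qp_offset_list` and `cr_qp_offset_list` in `HEVCPPS` is a bare literal with nothing tying it to the value that indexes the arrays. The sanitizer report quoted in the commit message shows index 5 being accessed, so the parser accepts a `chroma_qp_offset_list_len_minus1` of at least 5; the check that enforces the upper limit lives in another file and is not part of this diff. I would add a comment on the fields such as `/* chroma_qp_offset_list_len_minus1 + 1 entries, at most 6 */` and confirm the parser rejects larger values before the loop that fills the arrays.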
[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Sep 8 23:29:12 2017 +0200| [33e67eb80cf2d67198828f9430815ef319ffae6e] | committer: Michael Niedermayer avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33e67eb80cf2d67198828f9430815ef319ffae6e --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); -i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) +i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); -i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); +i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
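Review bot: The `i0` line and the second product in `i1` of `ict_int()` still multiply in signed `int`, as `26345 * *src2` and `i_ict_params[2] * *src2`, so the overflow this commit removes for `i_ict_params[1]` and `-14942` can still occur on those terms for large sample values. Applying the same pattern keeps the function consistent: `((int)((26345U * *src2) + (1 << 15)) >> 16)` and `((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16)`. The outer additions such as `*src0 + *src2 + …` are also signed and may need the same treatment if the samples are not range-limited before this function. The function starts outside the hunk.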
[FFmpeg-cvslog] avcodec/shorten: Move buffer allocation and offset init to end of read_header()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Sep 10 21:10:16 2017 +0200| [19045efd0573b1c54d10db04c7f5426a2741bf14] | committer: Michael Niedermayer avcodec/shorten: Move buffer allocation and offset init to end of read_header() They are time consuming operations, performing them after the other checks improves the speed with damaged input dramatically. Fixes: Timeout Fixes: 2928/clusterfuzz-testcase-4992812120539136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19045efd0573b1c54d10db04c7f5426a2741bf14 --- libavcodec/shorten.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a36a77210e..b56d205932 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -453,12 +453,6 @@ static int read_header(ShortenContext *s) } s->nwrap = FFMAX(NWRAP, maxnlpc); -if ((ret = allocate_buffers(s)) < 0) -return ret; - -if ((ret = init_offset(s)) < 0) -return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -494,6 +488,13 @@ static int read_header(ShortenContext *s) } end: + +if ((ret = allocate_buffers(s)) < 0) +return ret; + +if ((ret = init_offset(s)) < 0) +return ret; + s->cur_chan = 0; s->bitshift = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
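Review bot: Moving `allocate_buffers()` and `init_offset()` below the `end:` label in `read_header()` means everything between the old call site and the label now runs with the buffers unallocated, and the two hunks show only part of that range. It is worth confirming that none of the skipped code reads or writes those buffers. A short comment at the new location, e.g. `/* allocate last: cheap header checks should reject damaged input first */`, would keep a later edit from moving the calls back up and reintroducing the timeout. `read_header()` starts and ends outside the hunks.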
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Sep 10 01:32:51 2017 +0200| [4b43dd03eddeac40deabcbb3c73370a058251556] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4b43dd03eddeac40deabcbb3c73370a058251556 --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index b840d179c3..5bca02342d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { -dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: Fix DoS in read_tfra()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Tue Sep 5 00:16:29 2017 +0200| [29b950521504a51f8b60dfcabe3cc141c4e01554] | committer: Michael Niedermayer avformat/mov: Fix DoS in read_tfra() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29b950521504a51f8b60dfcabe3cc141c4e01554 --- libavformat/mov.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1815a7303f..a4474b43b3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4862,6 +4862,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + +if (avio_feof(f)) { +index->item_count = 0; +av_freep(>items); +return AVERROR_INVALIDDATA; +} + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Sep 1 19:56:11 2017 +0200| [5cc3add03695e6ebc6a924dee5fd12138e45bb45] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cc3add03695e6ebc6a924dee5fd12138e45bb45 --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e715e53bc4..adf5178714 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) +(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) +(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
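Review bot: The casts in the four `COMPOSE_DAUB97i*` macros are written `(unsigned)b2` on an unparenthesized macro argument, so if a call site passes an expression such as `x >> 1` the cast binds to `x` alone and changes the meaning of the shift; `b0` and `b1` are used bare as well. Writing `((b1) - ((int)(1817*((b0) + (unsigned)(b2)) + 2048) >> 12))`, and the same for the other three, removes the dependence on how callers spell their arguments. The callers are outside this diff, so whether any currently passes a compound expression is not visible.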
[FFmpeg-cvslog] avformat/asfdec: Fix DoS in asf_build_simple_index()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Tue Sep 5 00:16:29 2017 +0200| [5e7ddf0b4a697732b71cfc7e612ec0b62b75cca1] | committer: Michael Niedermayer avformat/asfdec: Fix DoS in asf_build_simple_index() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5e7ddf0b4a697732b71cfc7e612ec0b62b75cca1 --- libavformat/asfdec_f.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 294fd345f5..2e9883b17e 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 1) - asf->hdr.preroll, 0); +if (avio_feof(s->pb)) { +ret = AVERROR_INVALIDDATA; +goto end; +} + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Fix overflow in DC computation
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Sep 10 01:32:50 2017 +0200| [10ae5fb2696103f46d74f069f7187883873002a6] | committer: Michael Niedermayer avcodec/diracdec: Fix overflow in DC computation Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int' Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5995856a4236c27f231210bb08d70688e045192) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=10ae5fb2696103f46d74f069f7187883873002a6 --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index f92ff1b2ea..4f6de7af3d 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1343,7 +1343,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) -block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); +block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
ffmpeg | branch: release/3.1 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [92ec4eacf9649501dd8e06b97af87c428ca06556] | committer: Michael Niedermayer avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92ec4eacf9649501dd8e06b97af87c428ca06556 --- libavformat/mxfdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 5de13cca19..053ad24539 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -888,6 +888,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); +if(segment->nb_index_entries && length < 11) +return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -898,6 +900,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg } for (i = 0; i < segment->nb_index_entries; i++) { +if(avio_feof(pb)) +return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb);/* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
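Review bot: `segment->nb_index_entries` is still taken straight from `avio_rb32(pb)` and handed to three `av_calloc()` calls in `mxf_read_index_entry_array()`; the added `length < 11` test constrains the entry size but not the count, so a few header bytes can request a very large allocation before any entry is read. A bound on the count relative to what the input can actually hold, placed before the allocations under a comment like `/* nb_index_entries is untrusted: bound it before allocating */`, would close that. The EOF check added in the @@ -898 hunk returns from inside the fill loop with the three arrays allocated and `nb_index_entries` unchanged; whether the caller releases them on error is outside the hunk. The function starts and ends outside both hunks.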
[FFmpeg-cvslog] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
ffmpeg | branch: release/3.1 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [22dbd1eb31d6ece0f448565a25f0cdab2a919068] | committer: Michael Niedermayer avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=22dbd1eb31d6ece0f448565a25f0cdab2a919068 --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 053ad24539..cbabd4b239 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -492,7 +492,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } -if (item_num > 65536) { +if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
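Review bot: The log text under the widened check `if (item_num > 65536 || item_num < 0)` still says `"item_num %d is too large\n"`, which is misleading when the value printed is negative. I would change the message to `"item_num %d is out of range\n"` so that a log reader triaging a malformed file sees what was actually rejected. mxf_read_primer_pack starts and ends outside the hunk.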
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Sep 1 19:56:10 2017 +0200| [93a32c15a84936064afc89ace5aea9e6c8c1] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int' Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400 Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93a32c15a84936064afc89ace5aea9e6c8c1 --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6f6a0ece45..f92ff1b2ea 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -594,7 +594,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
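Review bot: `INTRA_DC_PRED(10, uint32_t)` next to `INTRA_DC_PRED(8, int16_t)` reads like a typo, because nothing at the instantiation says why the wider variant is unsigned. The macro body is outside this hunk, so how the type argument is used cannot be confirmed from here. A one-line comment such as `/* unsigned: the DC sum may exceed INT_MAX on crafted input and must wrap, not overflow */` above the second instantiation would keep the fix from being reverted.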
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sat Aug 26 14:00:55 2017 +0200| [fcc2119eac26e7949a1a2149bf2bf3dd98b07d8b] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long' Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fcc2119eac26e7949a1a2149bf2bf3dd98b07d8b --- libavcodec/sbrdsp_fixed.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 7d593a18b8..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { -accu_re += (int64_t)x[i][0] * x[i+lag][0]; -accu_re += (int64_t)x[i][1] * x[i+lag][1]; -accu_im += (int64_t)x[i][0] * x[i+lag][1]; -accu_im -= (int64_t)x[i][1] * x[i+lag][0]; +accu_re += (uint64_t)x[i][0] * x[i+lag][0]; +accu_re += (uint64_t)x[i][1] * x[i+lag][1]; +accu_im += (uint64_t)x[i][0] * x[i+lag][1]; +accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; -accu_re += (int64_t)x[ 0][0] * x[lag][0]; -accu_re += (int64_t)x[ 0][1] * x[lag][1]; -accu_im += (int64_t)x[ 0][0] * x[lag][1]; -accu_im -= (int64_t)x[ 0][1] * x[lag][0]; +accu_re += (uint64_t)x[ 0][0] * x[lag][0]; +accu_re += (uint64_t)x[ 0][1] * x[lag][1]; +accu_im += (uint64_t)x[ 0][0] * x[lag][1]; +accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
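Review bot: The `(uint64_t)` casts in this hunk and in the following `@@ -156,28 +156,28 @@` hunk make each product and accumulation wrap, but the declarations of `accu_re` and `accu_im` are outside both hunks. If they remain `int64_t`, every `+=` converts the wrapped unsigned result back to signed, which is implementation-defined and worth stating once. I would add `/* accumulate modulo 2^64: inputs are untrusted and may overflow int64_t */` above the first loop. The eighteen repeated multiply-accumulate lines would also read better as a small `static` helper or macro, so the cast lives in one place.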
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; -accu_re += (int64_t)x[38][0] * x[39][0]; -accu_re += (int64_t)x[38][1] * x[39][1]; -accu_im += (int64_t)x[38][0] * x[39][1]; -accu_im -= (int64_t)x[38][1] * x[39][0]; +accu_re += (uint64_t)x[38][0] * x[39][0]; +accu_re += (uint64_t)x[38][1] * x[39][1]; +accu_im += (uint64_t)x[38][0] * x[39][1]; +accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { -accu_re += (int64_t)x[i][0] * x[i][0]; -accu_re += (int64_t)x[i][1] * x[i][1]; +accu_re += (uint64_t)x[i][0] * x[i][0]; +accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; -accu_re += (int64_t)x[ 0][0] * x[ 0][0]; -accu_re += (int64_t)x[ 0][1] * x[ 0][1]; +accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; +accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; -accu_re += (int64_t)x[38][0] * x[38][0]; -accu_re += (int64_t)x[38][1] * x[38][1]; +accu_re += (uint64_t)x[38][0] * x[38][0]; +accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
ffmpeg | branch: release/3.1 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [5d67851392135e3a76051b18eaf2206f79069ad2] | committer: Michael Niedermayer avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d67851392135e3a76051b18eaf2206f79069ad2 --- libavformat/nsvdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 507fb396a5..16d2fa59e2 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); -for(i=0;i nsvs_file_offset[i] = avio_rl32(pb) + size; +} if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_ps: Fix undefined shift in pcm code
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Aug 27 23:59:09 2017 +0200| [f69905e2305b180086a240fb5a38862706922dc4] | committer: Michael Niedermayer avcodec/hevc_ps: Fix undefined shift in pcm code Fixes: runtime error: shift exponent -1 is negative Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f69905e2305b180086a240fb5a38862706922dc4 --- libavcodec/hevc_ps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index b58689ab68..c1b69a0199 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1014,10 +1014,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); -if (sps->pcm.bit_depth > sps->bit_depth) { +if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
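Review bot: The updated message `"PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n"` prints two unlabelled numbers, so a reader of the log cannot tell which is luma and which is chroma. I would write `"PCM bit depth (luma %d, chroma %d) is greater than normal bit depth (%d)\n"`. Both PCM depths are compared against `sps->bit_depth` only; if the SPS can carry a distinct chroma bit depth at this point (not visible in the hunk), that comparison deserves a comment saying why one bound is enough.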
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Mon Aug 28 00:30:33 2017 +0200| [0e4612ea68261d84d47a15aa88210abfd0184850] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e4612ea68261d84d47a15aa88210abfd0184850 --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 4ebfa07c6a..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ -register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; +register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
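Review bot: The rewritten expression `(int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT` depends on two implementation-defined steps that are not documented: converting an out-of-range unsigned value to `int`, and right-shifting a possibly negative `int`. Both behave as expected on the compilers FFmpeg targets, but the line should say so, for example `/* multiply in unsigned to avoid signed-overflow UB on crafted coefficients; result wraps */`. The wrapped value is then stored into `line[x]` without a range check, which looks intentional for a decoder but is worth confirming. The function continues outside the hunk.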
[FFmpeg-cvslog] avformat/rl2: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:29 2017 +0200| [953c6259d601bcda1d5045339913af1978be41fe] | committer: Michael Niedermayer avformat/rl2: Fix DoS due to lack of eof check Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=953c6259d601bcda1d5045339913af1978be41fe --- libavformat/rl2.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ -for(i=0; i < frame_count;i++) +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); -for(i=0; i < frame_count;i++) +} +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); -for(i=0; i < frame_count;i++) +} +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0x; +} /** build the sample index */ for(i=0;i
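Review bot: The three added `return AVERROR_INVALIDDATA;` statements leave rl2_read_header directly from inside the table-reading loops. If `chunk_size`, `chunk_offset` and `audio_size` are heap buffers allocated earlier in the function (the allocation is outside this hunk), these paths skip whatever frees them, trading the endless loop for a leak on every truncated file. I would set a return code and jump to the function's existing cleanup code instead of returning in place. The hunk is also cut off at its last context line, so the sample-index loop that follows could not be reviewed.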
[FFmpeg-cvslog] avformat/hls: Fix DoS due to infinite loop
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sat Aug 26 01:26:58 2017 +0200| [0d32491b74947bdb0d2be04d8ca909ff9406660d] | committer: Michael Niedermayer avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d32491b74947bdb0d2be04d8ca909ff9406660d --- doc/demuxers.texi | 18 ++ libavformat/hls.c | 7 +++ 2 files changed, 25 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 25b12a8977..d75dc9497e 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -306,6 +306,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index 3b89ae5a7c..087885a121 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -204,6 +204,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; +int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) 
@@ -1254,6 +1255,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; +int reload_count = 0; restart: if (!v->needed) @@ -1285,6 +1287,9 @@ restart: reload_interval = default_reload_interval(v); reload: +reload_count++; +if (reload_count > c->max_reload) +return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -2062,6 +2067,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, +{"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", +OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
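Review bot: `reload_count++` runs on every pass through `reload:`, including the first, and the option table in the last hunk allows a minimum of 0, so `max_reload=0` appears to make `if (reload_count > c->max_reload)` return `AVERROR_EOF` before any playlist load is attempted. I would either raise the option minimum to 1 or document that 0 disables loading. The limit is also hit silently; a line such as `av_log(v->parent, AV_LOG_WARNING, "max_reload (%d) reached, giving up\n", c->max_reload);` before the return would let operators tell a capped playlist from a normal end of stream, assuming `v->parent` is the logging context used elsewhere in this function. The help string and the texi text both read "a insufficient list", which should be "an insufficient list".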
[FFmpeg-cvslog] avformat/rmdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:28 2017 +0200| [770482def3b3064e236f9a0e1b6f5d0ca35ae7e2] | committer: Michael Niedermayer avformat/rmdec: Fix DoS due to lack of eof check Fixes: loop.ivr Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=770482def3b3064e236f9a0e1b6f5d0ca35ae7e2 --- libavformat/rmdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 0809b0b251..c4f3e59676 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1235,8 +1235,11 @@ static int ivr_read_header(AVFormatContext *s) av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); } else if (type == 4) { av_log(s, AV_LOG_DEBUG, "%s = '0x", key); -for (j = 0; j < len; j++) +for (j = 0; j < len; j++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); +} av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { nb_streams = value = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] ffprobe: Fix NULL pointer handling in color parameter printing
ffmpeg | branch: release/3.1 | Michael Niedermayer| Tue Aug 22 17:27:17 2017 +0200| [d4a333f00b5015e402d92ed2f4205a4102e6ab31] | committer: Michael Niedermayer ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d933dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4a333f00b5015e402d92ed2f4205a4102e6ab31 --- ffprobe.c | 62 -- 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 9b14541a9f..25678040f8 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1789,6 +1789,26 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ +const char *val = av_color_range_name(color_range); +if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { +print_str_opt("color_range", fallback); +} else { +print_str("color_range", val); +} +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ +const char *val = av_color_space_name(color_space); +if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { +print_str_opt("color_space", "unknown"); +} else { +print_str("color_space", val); +} +} + static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) { const char *val = av_color_primaries_name(color_primaries); 
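Review bot: The new helpers are not consistent with each other: `print_color_range` takes its fallback string as a parameter, while `print_color_space`, `print_color_trc` and `print_chroma_location` (the latter two in the next hunk) hard-code `"unknown"` or `"unspecified"`. `print_color_space` also calls `av_color_space_name`, whereas the code removed in the `@@ -2253,26 +2293,12 @@` hunk called `av_get_colorspace_name`, so the printed names may differ for some values. That should be confirmed, since ffprobe output is parsed by scripts. A short comment on each helper saying that a NULL name or the UNSPECIFIED value is printed as an optional field would document the NULL handling this commit is about.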
@@ -1799,6 +1819,26 @@ static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primar } } +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ +const char *val = av_color_transfer_name(color_trc); +if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { +print_str_opt("color_transfer", "unknown"); +} else { +print_str("color_transfer", val); +} +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ +const char *val = av_chroma_location_name(chroma_location); +if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { +print_str_opt("chroma_location", "unspecified"); +} else { +print_str("chroma_location", val); +} +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; 
@@ -2253,26 +2293,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); -if (par->color_range != AVCOL_RANGE_UNSPECIFIED) -print_str("color_range", av_color_range_name(par->color_range)); -else -print_str_opt("color_range", "N/A"); - -s = av_get_colorspace_name(par->color_space); -if (s) print_str("color_space", s); -else print_str_opt("color_space", "unknown"); - -if (par->color_trc != AVCOL_TRC_UNSPECIFIED) -print_str("color_transfer", av_color_transfer_name(par->color_trc)); -else -print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); +print_color_range(w, par->color_range, "N/A"); +print_color_space(w, par->color_space); +print_color_trc(w, par->color_trc); print_primaries(w, par->color_primaries); - -if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) -print_str("chroma_location", av_chroma_location_name(par->chroma_location)); -else -print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); +print_chroma_location(w, par->chroma_location); #if FF_API_PRIVATE_OPT if (dec_ctx && dec_ctx->timecode_frame_start >= 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] ffprobe: Fix null pointer dereference with color primaries
ffmpeg | branch: release/3.1 | Michael Niedermayer| Tue Aug 22 11:02:38 2017 +0200| [5ff09443c5168e27b1708a314b6385440cfe8a4c] | committer: Michael Niedermayer ffprobe: Fix null pointer dereference with color primaries Found-by: AD-lab of venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2) Signed-off-by: Michael Niedermayer (cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5ff09443c5168e27b1708a314b6385440cfe8a4c --- ffprobe.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index aee9ba982c..9b14541a9f 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ +const char *val = av_color_primaries_name(color_primaries); +if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { +print_str_opt("color_primaries", "unknown"); +} else { +print_str("color_primaries", val); +} +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2257,10 +2267,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id else print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); -if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) -print_str("color_primaries", av_color_primaries_name(par->color_primaries)); -else -print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); +print_primaries(w, par->color_primaries); if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) print_str("chroma_location", av_chroma_location_name(par->chroma_location)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mvdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Aug 25 01:15:30 2017 +0200| [28c08ab9434b839f19e8c12668bacd6361beba80] | committer: Michael Niedermayer avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=28c08ab9434b839f19e8c12668bacd6361beba80 --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 80ef4b1569..e9e9fab503 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
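Review bot: `pos + asize` in `av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME)` is computed on two `uint32_t` values read from the file, so it wraps modulo 2^32 before being widened to the 64-bit position parameter. The added `avio_feof` check stops the endless loop but does not stop a crafted index from pointing the video entry at a wrapped offset. I would write `(int64_t)pos + asize` there. mv_read_header and the enclosing loop start outside the hunk, so any cleanup expected on the new early return could not be checked.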
[FFmpeg-cvslog] avformat/asfdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初) | Fri Aug 25 12:37:25 2017 +0200| [0eb399381a2b3429980aa939bcd4dfbf0780f140] | committer: Michael Niedermayer avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0eb399381a2b3429980aa939bcd4dfbf0780f140 --- libavformat/asfdec_f.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2c81b138f2..294fd345f5 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb);// markers count avio_rl16(pb);// reserved 2 bytes name_len = avio_rl16(pb); // name length -for (i = 0; i < name_len; i++) -avio_r8(pb); // skip the name +avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
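Review bot: The inner `int name_len;` declared at the top of the marker loop shadows the outer `name_len` that now feeds `avio_skip(pb, name_len)`, which makes it easy to misread which length is being used. Renaming the inner variable (for example `marker_name_len`) would remove the ambiguity. The result of `avio_skip` is also ignored; that is acceptable only because the `avio_feof` check at the top of each iteration catches a short file, and a comment saying so would help. asf_read_marker continues outside the hunk.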
[FFmpeg-cvslog] avformat/cinedec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.1 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:27 2017 +0200| [64aa8bb886a157af1e784de28839041cc6f5be81] | committer: Michael Niedermayer avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64aa8bb886a157af1e784de28839041cc6f5be81 --- libavformat/cinedec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 0efedda1a3..545c97ad43 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); -for (i = 0; i < st->duration; i++) +for (i = 0; i < st->duration; i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); +} return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Mon Aug 21 00:18:48 2017 +0200| [0575adfd4a59a0cef51e3ca081896a348c07c12e] | committer: Michael Niedermayer avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0575adfd4a59a0cef51e3ca081896a348c07c12e --- libavcodec/hevc_ps.c | 12 1 file changed, 12 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 87e807bdd3..b58689ab68 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; +if (delta_poc < 1 || delta_poc > 32768) { +av_log(avctx, AV_LOG_ERROR, +"Invalid value of delta_poc: %d\n", +delta_poc); +return AVERROR_INVALIDDATA; +} prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; +if (delta_poc < 1 || delta_poc > 32768) { +av_log(avctx, AV_LOG_ERROR, +"Invalid value of delta_poc: %d\n", +delta_poc); +return AVERROR_INVALIDDATA; +} prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
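Review bot: The same six-line range check on `delta_poc` is pasted into both the negative-picture and positive-picture loops, and the bound 32768 is not explained. A later change to one copy can silently leave the other behind, which matters for a check that guards the `prev -= delta_poc` and `prev += delta_poc` accumulation against overflow. I would factor the check into a small `static` helper and name the constant, with a comment stating where the limit comes from. ff_hevc_decode_short_term_rps starts and ends outside the hunks.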
[FFmpeg-cvslog] avformat/rtpdec_h264: Fix heap-buffer-overflow
ffmpeg | branch: release/3.1 | Michael Niedermayer| Wed Aug 23 21:30:37 2017 +0200| [5351c8bd46e23168b1aed8f92779fb1a20a7214a] | committer: Michael Niedermayer avformat/rtpdec_h264: Fix heap-buffer-overflow Fixes: rtp_sdp/poc.sdp Found-by: Bingchang Signed-off-by: Michael Niedermayer (cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5351c8bd46e23168b1aed8f92779fb1a20a7214a --- libavformat/rtpdec_h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 8dd56a549e..6f8148ab6d 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c @@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s, parse_profile_level_id(s, h264_data, value); } else if (!strcmp(attr, "sprop-parameter-sets")) { int ret; -if (value[strlen(value) - 1] == ',') { +if (*value == 0 || value[strlen(value) - 1] == ',') { av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n"); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
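Review bot: The added `*value == 0 ||` guard is correct but unexplained, and the out-of-bounds read it prevents is easy to reintroduce when the condition is next edited. I would add `/* empty value: strlen(value) - 1 would index value[-1] */` above the `if`. The warning text `"Missing PPS in sprop-parameter-sets, ignoring\n"` is now also emitted for an entirely empty attribute, which is slightly inaccurate but harmless.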
[FFmpeg-cvslog] avformat/aviobuf: Fix signed integer overflow in avio_seek()
ffmpeg | branch: release/3.1 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [6622be010b09368f57bfd09715386a373d79066c] | committer: Michael Niedermayer avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6622be010b09368f57bfd09715386a373d79066c --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 95793c92cd..2c56adb307 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; +if (offset > INT64_MAX - offset1) +return AVERROR(EINVAL); offset += offset1; } if (offset < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
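Review bot: The guard `if (offset > INT64_MAX - offset1)` is safe only if `offset1` is non-negative, because a negative `offset1` would make `INT64_MAX - offset1` itself overflow. `offset1` is built from `pos` and the buffer pointer difference, and the computation of `pos` is outside this hunk, so the invariant cannot be confirmed from here. If it holds, state it next to the check: `/* offset1 >= 0 here, so INT64_MAX - offset1 cannot overflow */`. Otherwise the condition should be `offset1 > 0 && offset > INT64_MAX - offset1`.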
[FFmpeg-cvslog] avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Mon Aug 21 02:15:49 2017 +0200| [1fa31e28fd5d8d5c8e784b9e6c84c1ec7bffd3d4] | committer: Michael Niedermayer avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1fa31e28fd5d8d5c8e784b9e6c84c1ec7bffd3d4 --- libavcodec/aacdec_template.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index b3ce500973..7819d710bf 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1255,6 +1255,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = >oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; +int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1305,8 +1307,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb =ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } -if (!ics->num_swb || !ics->swb_offset) -return AVERROR_BUG; +if (!ics->num_swb || !ics->swb_offset) { +ret_fail = AVERROR_BUG; +goto fail; +} } else { ics->swb_offset=ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; 
@@ -1330,7 +1334,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); -return AVERROR_PATCHWELCOME; +ret_fail = AVERROR_PATCHWELCOME; +goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(>ltp, gb, ics->max_sfb); @@ -1349,7 +1354,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; -return AVERROR_INVALIDDATA; +return ret_fail; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
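Review bot: The `fail:` label in the last hunk now serves every error exit, but nothing at the label says why `ics->max_sfb = 0` has to run on all of them. The commit message ties the skipped cleanup to an out-of-array read, so a plain `return AVERROR_...` added to this function later would presumably reintroduce it. A comment at the label, for example `/* every error exit must pass through here: max_sfb must not survive a failed parse */`, would document the rule. decode_ics_info starts above the hunks shown.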
[FFmpeg-cvslog] avformat/mov: Fix signed integer overflows with total_size
ffmpeg | branch: release/3.1 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [7b6dba892f63a620d4510c9114f414cfa6435942] | committer: Michael Niedermayer avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b6dba892f63a620d4510c9114f414cfa6435942 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a77d6908e3..1815a7303f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4415,7 +4415,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; -while (total_size + 8 <= atom.size && !avio_feof(pb)) { +while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
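Review bot: The rewritten loop condition `total_size <= atom.size - 8` is overflow-free only because atom.size was clamped to a non-negative value two lines earlier, and nothing in the code says so. A comment on the `while`, such as `/* atom.size >= 0 after the clamp above, so atom.size - 8 cannot wrap */`, would protect that dependency. The additions to total_size inside the loop body are outside the hunk and are not touched by this change; if any of them adds a size read from the file, it needs the same care. mov_read_default continues past the hunk.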
[FFmpeg-cvslog] avcodec/me_cmp: Fix crashes on ARM due to misalignment
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sat Aug 19 23:38:58 2017 +0200| [3ee6a9cfb44c9ffbaf47f5a66f698fa222e8b92d] | committer: Michael Niedermayer avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ee6a9cfb44c9ffbaf47f5a66f698fa222e8b92d --- libavcodec/me_cmp.c | 10 +- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 + libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index dc76b07ba2..4234000487 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -555,7 +555,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -595,7 +595,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; -s->pdsp.diff_pixels(dct[0], src1, src2, stride); +s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -622,7 +622,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -641,7 +641,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); 
@@ -744,7 +744,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index f0883d3d08..6152fe40c3 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; +c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 79ed86c3a6..b14514de7e 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); +void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, +const uint8_t *s1, +const uint8_t *s2, +int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; +c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; +c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
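Review bot: The new `diff_pixels_unaligned` pointer in pixblockdsp.h is declared without any comment stating its contract; the only visible difference from `diff_pixels` is that the `/* align 8 */` annotations on s1 and s2 are gone. The x86 init assigns `ff_diff_pixels_mmx` and `ff_diff_pixels_sse2` to both pointers, which is only correct if those routines do no aligned loads from s1/s2; their bodies are not visible here, so this should be confirmed. A comment above the member, for example `/* like diff_pixels, but s1 and s2 may have any alignment; only assign code that tolerates that */`, would tell other architecture ports not to copy the x86 double assignment blindly.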
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Aug 18 16:42:58 2017 +0200| [b2f99c424f154df4f912c8ed24f6f99a211fe9cd] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b2f99c424f154df4f912c8ed24f6f99a211fe9cd --- libavcodec/dirac_dwt_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) -b1[i] -= (b0[i] + b2[i] + 2) >> 2; +b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
ffmpeg | branch: release/3.1 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [edac232860366fc954dc93f4610f76b6062ba933] | committer: Michael Niedermayer avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edac232860366fc954dc93f4610f76b6062ba933 --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 01d61597a8..c4af9cbb17 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1540,7 +1540,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) -avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; +avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/fic: Fixes signed integer overflow
ffmpeg | branch: release/3.1 | Michael Niedermayer| Thu Aug 17 18:24:37 2017 +0200| [96d5786027445bf01ab47212a1a71b9d2f2ea2df] | committer: Michael Niedermayer avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96d5786027445bf01ab47212a1a71b9d2f2ea2df --- libavcodec/fic.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 2c11515459..f66c05b94b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { -const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; -const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; -const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; -const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; -const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); -const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); +const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; +const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; +const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; +const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; +const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); +const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/snowdec: Fix off by 1 error
ffmpeg | branch: release/3.1 | Michael Niedermayer| Thu Aug 17 20:32:03 2017 +0200| [1b5548cc0913032587b4579e4b8b23ebed4c5124] | committer: Michael Niedermayer avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b5548cc0913032587b4579e4b8b23ebed4c5124 --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 7d6d7ff44f..4ebfa07c6a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= >plane[plane_index]; p->diag_mc= get_rac(>c, s->header_state); htaps= get_symbol(>c, s->header_state, 0)*2 + 2; -if((unsigned)htaps > HTAPS_MAX || htaps==0) +if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
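Review bot: The tightened bound is applied only after `htaps= get_symbol(...)*2 + 2` has been evaluated, so a large symbol value can overflow the signed multiplication before the check runs. get_symbol's return range is not visible in the hunk, so this is inferred, but the h264_slice change on this page fixes the same shape by validating the raw value first. The same could be done here: read the symbol into a local `sym`, reject it with `if ((unsigned)sym >= (HTAPS_MAX - 2) / 2) return AVERROR_INVALIDDATA;` (equivalent to the current test when HTAPS_MAX is even), then compute `htaps = sym * 2 + 2;`. decode_header starts and ends outside the hunk.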
[FFmpeg-cvslog] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Aug 6 05:01:45 2017 +0200| [55fe7a738f4ca6a92972f699f5d8816a5e133405] | committer: Michael Niedermayer avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55fe7a738f4ca6a92972f699f5d8816a5e133405 --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 62f8472b41..e715e53bc4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((1817*(b0 + b2) + 2048) >> 12)) +(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - (( 113*(b0 + b2) + 64) >> 7)) +(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + (( 217*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((6497*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
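Review bot: In the four rewritten COMPOSE_DAUB97 macros the multiplication is now unsigned, but the inner sum `b0 + b2` is still evaluated in the operands' own type, so it stays a signed addition if the callers pass int values. The operand types depend on call sites that are not visible here; the vertical_compose53iL0 fix on this page handles the same situation by casting one operand, `b0[i] + (unsigned)b2[i]`. Writing the sum as `((b0) + (unsigned)(b2))` in each macro would close that gap and would also parenthesise the macro arguments, which are currently expanded bare.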
[FFmpeg-cvslog] avcodec/diracdec: Check perspective_exp and zrs_exp.
ffmpeg | branch: release/3.1 | Michael Niedermayer| Tue Aug 15 03:32:43 2017 +0200| [df2efc212dabc2cccb7101e15bba0c78cb5d80b3] | committer: Michael Niedermayer avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=df2efc212dabc2cccb7101e15bba0c78cb5d80b3 --- libavcodec/diracdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 579ff97322..6f6a0ece45 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1082,6 +1082,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } +if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { +return AVERROR_INVALIDDATA; +} + } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
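Review bot: The added range check returns AVERROR_INVALIDDATA without a log line and with an unexplained limit of 30. The commit message reports an oversized shift exponent on a 32-bit int, so the sum is presumably used as a shift count later, but that use is outside the hunk. A short comment, `/* the sum is later used as a shift count on a 32-bit int */`, and an av_log at AV_LOG_ERROR naming the two exponents would make rejected streams diagnosable. dirac_unpack_prediction_parameters starts and ends outside the hunk.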
[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Aug 4 02:41:05 2017 +0200| [74e9dbf0dfb009ced1dcba341b25bc37357b7b7a] | committer: Michael Niedermayer avcodec/h264_slice: Fix overflow in slice offset Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74e9dbf0dfb009ced1dcba341b25bc37357b7b7a --- libavcodec/h264_slice.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d3f1360359..cdd56af1f7 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1697,17 +1697,19 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { -sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2; -sl->slice_beta_offset = get_se_golomb(>gb) * 2; -if (sl->slice_alpha_c0_offset > 12 || -sl->slice_alpha_c0_offset < -12 || -sl->slice_beta_offset > 12 || -sl->slice_beta_offset < -12) { +int slice_alpha_c0_offset_div2 = get_se_golomb(>gb); +int slice_beta_offset_div2 = get_se_golomb(>gb); +if (slice_alpha_c0_offset_div2 > 6 || +slice_alpha_c0_offset_div2 < -6 || +slice_beta_offset_div2 > 6 || +slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } +sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; +sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_fixed: fix invalid shift in predict()
ffmpeg | branch: release/3.1 | Michael Niedermayer| Fri Aug 4 03:26:30 2017 +0200| [46023f3258f4082cf1aba9b47401bdb137174103] | committer: Michael Niedermayer avcodec/aacdec_fixed: fix invalid shift in predict() Fixes: runtime error: shift exponent -2 is negative Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=46023f3258f4082cf1aba9b47401bdb137174103 --- libavcodec/aacdec_fixed.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index ccc82057e1..e7c2d2d299 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; -if (shift < 31) -*coef += (pv.mant + (1 << (shift - 1))) >> shift; +if (shift < 31) { +if (shift > 0) { +*coef += (pv.mant + (1 << (shift - 1))) >> shift; +} else +*coef += pv.mant << -shift; +} } e0 = av_int2sf(*coef, 2); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
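Review bot: The new `else` branch `*coef += pv.mant << -shift;` has no lower bound on shift and left-shifts a signed value. shift is `28 - pv.exp`, so an exponent of 60 or more gives a shift count of 32 or more, and a negative pv.mant is undefined for any non-zero count; pv.exp and pv.mant are set outside the hunk, so whether such values can occur is not visible here. Shifting as unsigned, `*coef += (unsigned)pv.mant << -shift;`, and bounding the branch with `else if (shift > -31)` would remove both cases, with the out-of-range behaviour left for the maintainers to decide. The braced `if` paired with an unbraced `else` is also easy to misread.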
[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear mcsel before decoding an image
ffmpeg | branch: release/3.1 | Michael Niedermayer| Sun Aug 6 13:32:54 2017 +0200| [a5c83b586b8097948a9cbba8937f89245cad4274] | committer: Michael Niedermayer avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a5c83b586b8097948a9cbba8937f89245cad4274 --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2e74a33758..d04286bc3d 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2283,6 +2283,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; +s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I;/* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/utils: fix memory leak in avformat_free_context
ffmpeg | branch: release/3.1 | Steven Siloti| Tue Jul 18 11:26:39 2017 -0700| [ee17fdffd4cb55eb8533ec2684ce5d7c8cf1fb22] | committer: Michael Niedermayer avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee17fdffd4cb55eb8533ec2684ce5d7c8cf1fb22 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 46dc5109d1..5a35953d24 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4046,8 +4046,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(>chapters); av_dict_free(>metadata); av_freep(>streams); -av_freep(>internal); flush_packet_queue(s); +av_freep(>internal); av_free(s); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
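Review bot: The fix depends on `flush_packet_queue(s)` running before the `internal` pointer is freed, but the two calls sit next to each other with nothing recording that order. The commit description states that the queue pointer lives in the internal structure; flush_packet_queue's body is not visible here. A one-line comment above the call, `/* must precede freeing s->internal: the packet queue is reached through it */`, would stop a later tidy-up from swapping the lines back. avformat_free_context starts above the hunk.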
[FFmpeg-cvslog] [ffmpeg-web] branch master updated. 1aa53f8 web: Add FFmpeg 3.2.8
The branch, master has been updated via 1aa53f89859ffc61418734fdfac78a941c7863c6 (commit) via f075439c16775b2bfa3f85dd217fbf62164369d2 (commit) from df5f4d0b7e4cd2166b6cd73c801e321272b689cd (commit) - Log - commit 1aa53f89859ffc61418734fdfac78a941c7863c6 Author: Michael NiedermayerAuthorDate: Sun Sep 17 15:56:05 2017 +0200 Commit: Michael Niedermayer CommitDate: Sun Sep 17 15:56:05 2017 +0200 web: Add FFmpeg 3.2.8 diff --git a/src/download b/src/download index d9bdff0..101032d 100644 --- a/src/download +++ b/src/download @@ -307,10 +307,10 @@ libpostproc54. 5.100 - FFmpeg 3.2.7 "Hypatia" + FFmpeg 3.2.8 "Hypatia" -3.2.7 was released on 2017-07-30. It is the latest stable FFmpeg release +3.2.8 was released on 2017-09-17. It is the latest stable FFmpeg release from the 3.2 release branch, which was cut from master on 2016-10-26. It includes the following library versions: @@ -328,19 +328,19 @@ libpostproc54. 1.100 - Download xz tarball - PGP signature + Download xz tarball + PGP signature - Download bzip2 tarball - PGP signature + Download bzip2 tarball + PGP signature - Download gzip tarball - PGP signature + Download gzip tarball + PGP signature - https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.2.7;>Changelog + https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.2.8;>Changelog https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.2:/RELEASE_NOTES;>Release Notes diff --git a/src/security b/src/security index 3fe207a..9c6ca5a 100644 --- a/src/security +++ b/src/security 
@@ -62,6 +62,25 @@ CVE-2017-9996, a483e46b794539d21b1ec0f3e521f681a54a86d2 / 1e42736b95065c69a7481d FFmpeg 3.2 +3.2.8 + +Fixes following vulnerabilities: + + +CVE-2017-14054, 2bbef8ee271240ce4509b23fd33e35076715a39f / 124eb202e70678539544f6268efc98131f19fa49 +CVE-2017-14055, d4fc6b211f19365fbae4b4388ec396b293fda249 / 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e +CVE-2017-14056, 5bc9f70441d7e7067cba9188898c9252c72bab35 / 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de +CVE-2017-14057, f94517934bf0ff2510f472fa2bc4cd362951109c / 7f9ec5593e04827249e7aeb466da06a98a0d7329 +CVE-2017-14058, 2920c7cec0b1958b59e5e7990078bea4428f6912 / 7ec414892ddcad88313848494b6fc5f437c9ca4a +CVE-2017-14059, 98e177c7288574b336d80618f4ec5d1f94243070 / 7e80b63ecd259d69d383623e75b318bf2bd491f6 +CVE-2017-14169, 816f7337bf3ed3e08afdc28278668d8eb81910cb / 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad +CVE-2017-14170, 9cbac3602610afa0867b03bc1475c5c13441d096 / 900f39692ca0337a98a7cf047e4e2611071810c2 +CVE-2017-14171, a051de092e9c709b69d24d94b66a382909be67d5 / c24bcb553650b91e9eff15ef6e54ca73de2453b7 +CVE-2017-14222, c9527df274ada02a19c2f973b29d1d5b7069d4bf / 9cb4eb772839c5e1de2855d126bf74ff16d13382 +CVE-2017-14223, 4e4177dde23be77a97887f409f237e17ef53f329 / afc9c683ed9db01edb357bc8c19edad4282b3a97 +CVE-2017-14225, 726133b6d2cd8f5f43b5af536024d8e02791d8cf / 837cb4325b712ff1aab531bf41668933f61d75d2 + + 3.2.7 Fixes following vulnerabilities: commit f075439c16775b2bfa3f85dd217fbf62164369d2 Author: Michael Niedermayer AuthorDate: Sun Sep 17 12:33:13 2017 +0200 Commit: Michael Niedermayer CommitDate: Sun Sep 17 12:33:13 2017 +0200 web/security: use same length git hash for CVE-2017-14171 diff --git a/src/security b/src/security index 57db9e5..3fe207a 100644 --- a/src/security +++ b/src/security 
@@ -20,7 +20,7 @@ CVE-2017-14056, 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d / 96f24d1bee7fe7bac08e2 CVE-2017-14222, d9cf9f5af82228b588828ae2692acccec588fdac / 9cb4eb772839c5e1de2855d126bf74ff16d13382 CVE-2017-14169, 9d3a7c82a669a1a1c8e3904c65ded19e80d16edc / 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad CVE-2017-14223, b61e5a878c845b8bee1267fdb75c293feb00ae0d / afc9c683ed9db01edb357bc8c19edad4282b3a97 -CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / c24bcb553650b91e9eff15ef6e54ca73de2453b +CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / c24bcb553650b91e9eff15ef6e54ca73de2453b7 3.3.3 --- Summary of changes: src/download | 18 +- src/security | 21 - 2 files changed, 29 insertions(+), 10 deletions(-) hooks/post-receive -- ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Tag n3.2.8 : FFmpeg 3.2.8 release
[ffmpeg] [branch: refs/tags/n3.2.8] Tag:fd28307ed1b3d1b8eb51ba70a8da68759df91b4a > http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=fd28307ed1b3d1b8eb51ba70a8da68759df91b4a Tagger: Michael NiedermayerDate: Sun Sep 17 13:08:38 2017 +0200 FFmpeg 3.2.8 release ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Update for 3.2.8
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Sep 17 12:23:15 2017 +0200| [98f8f5b12f2a6e0b9e27b8e0a04f5be694aa5367] | committer: Michael Niedermayer Update for 3.2.8 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98f8f5b12f2a6e0b9e27b8e0a04f5be694aa5367 --- Changelog| 49 + RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 51 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 9b5a6549b8..96052b9e8f 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,55 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.2.8: +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/shorten: Move buffer allocation and offset init to end of read_header() +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE() +- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0 +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. 
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/rtpdec_h264: Fix heap-buffer-overflow +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Fixes integer overflow +- avcodec/diracdec: Check perspective_exp and zrs_exp. +- avcodec/ffv1dec_template: Fix undefined shift +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- avcodec/diracdsp: fix integer overflow +- avcodec/diracdec: Check weight_log2denom +- avfilter/vf_ssim: fix temp size calculation + version 3.2.7: - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() - avcodec/diracdec: Fix integer overflow in divide3() 
diff --git a/RELEASE b/RELEASE index 406ebcbd95..f092941a75 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.2.7 +3.2.8 diff --git a/doc/Doxyfile b/doc/Doxyfile index d2df976ac6..18f4da5fda 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.2.7 +PROJECT_NUMBER = 3.2.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_ps: Fix c?_qp_offset_list size
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Sep 10 21:10:17 2017 +0200| [0a5251d28eb6250fd5c1260bcf2ac72c12568da8] | committer: Michael Niedermayer avcodec/hevc_ps: Fix c?_qp_offset_list size Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]' Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a5251d28eb6250fd5c1260bcf2ac72c12568da8 --- libavcodec/hevc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 6a3c7506c2..2afad011b7 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -545,8 +545,8 @@ typedef struct HEVCPPS { uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; -int8_t cb_qp_offset_list[5]; -int8_t cr_qp_offset_list[5]; +int8_t cb_qp_offset_list[6]; +int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
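Review bot: The two arrays grow to a bare `6` while the parser limit that has to match it lives in another file. The sanitizer message in the commit shows index 5 being reached, so the code that fills the lists presumably accepts chroma_qp_offset_list_len_minus1 up to 5; that check is not visible here. A comment on the members, e.g. `/* chroma_qp_offset_list_len_minus1 + 1 entries, at most 6 */`, or a shared named constant used by both the declaration and the range check, would keep the two from drifting apart again.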
[FFmpeg-cvslog] avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Sep 9 15:51:45 2017 +0200| [256ebf8bb4146d51da7d0cf1205c597627af1b04] | committer: Michael Niedermayer avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE() Fixes: runtime error: left shift of 1073741838 by 1 places cannot be represented in type 'int32_t' (aka 'int') Fixes: 3279/clusterfuzz-testcase-minimized-4564805744590848 Suggested-by: Reviewed-by: Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d29a775d6de9357731fec872642644e57b233) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=256ebf8bb4146d51da7d0cf1205c597627af1b04 --- libavcodec/dirac_vlc.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index b642ee8599..496d8177cd 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c @@ -37,7 +37,7 @@ #define APPEND_RESIDUE(N, M) \ N |= M >> (N ## _bits); \ -N ## _bits += (M ## _bits) +N ## _bits = (N ## _bits + (M ## _bits)) & 0x3F int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, int bytes, uint8_t *_dst, int coeffs) @@ -56,9 +56,6 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, if ((c_idx + 1) > coeffs) return c_idx; -if (res_bits >= RSIZE_BITS) -res_bits = res = 0; - /* res_bits is a hint for better branch prediction */ if (res_bits && l->sign) { int32_t coeff = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
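Review bot: With the `res_bits >= RSIZE_BITS` reset removed, APPEND_RESIDUE wraps the bit counter with `& 0x3F` but leaves the accumulated value N untouched, whereas the deleted code cleared both `res_bits` and `res`. Whether stale bits in res can then be combined with a wrapped counter depends on code after the hunk, so this should be confirmed. The mask also hard-codes 64 where the removed check used RSIZE_BITS; `& (RSIZE_BITS - 1)` would tie the two together, assuming RSIZE_BITS is a power of two. The macro is still two bare statements, and wrapping it in `do { ... } while (0)` would make it safe under an unbraced `if`.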
[FFmpeg-cvslog] libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0
ffmpeg | branch: release/3.2 | Mark Wachsler| Thu Sep 7 09:42:07 2017 -0400| [36c0958fbd9f85e2e263ef9b97eda26d49d439b4] | committer: Michael Niedermayer libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0 When parsing a monochrome file, chroma_log2_weight_denom was used without being initialized, which could lead to a bogus error message being printed, e.g. [h264 @ 0x61a26480] chroma_log2_weight_denom 24576 is out of range It also could led to warnings using AddressSanitizer. Signed-off-by: Michael Niedermayer (cherry picked from commit fde5c7dc79eb017790ba232442ad2a4eecea4bf1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36c0958fbd9f85e2e263ef9b97eda26d49d439b4 --- libavcodec/h264_parse.c | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 3d20075f6a..a7c71d9bbb 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c 
@@ -34,21 +34,22 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->use_weight = 0; pwt->use_weight_chroma = 0; -pwt->luma_log2_weight_denom = get_ue_golomb(gb); -if (sps->chroma_format_idc) -pwt->chroma_log2_weight_denom = get_ue_golomb(gb); +pwt->luma_log2_weight_denom = get_ue_golomb(gb); if (pwt->luma_log2_weight_denom > 7U) { av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom); pwt->luma_log2_weight_denom = 0; } -if (pwt->chroma_log2_weight_denom > 7U) { -av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); -pwt->chroma_log2_weight_denom = 0; -} +luma_def = 1 << pwt->luma_log2_weight_denom; -luma_def = 1 << pwt->luma_log2_weight_denom; -chroma_def = 1 << pwt->chroma_log2_weight_denom; +if (sps->chroma_format_idc) { +pwt->chroma_log2_weight_denom = get_ue_golomb(gb); +if (pwt->chroma_log2_weight_denom > 7U) { +av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); +pwt->chroma_log2_weight_denom = 0; +} +chroma_def = 1 << pwt->chroma_log2_weight_denom; +} for (list = 0; list < 2; list++) { pwt->luma_weight_flag[list] = 0; 
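Review bot: After this hunk `chroma_def` and `pwt->chroma_log2_weight_denom` are assigned only inside `if (sps->chroma_format_idc)`, so for monochrome streams both keep whatever value they held before. Every later read of them therefore has to sit behind the same condition. The second hunk guards the chroma_weight copy, but the remaining uses of `chroma_def` in ff_h264_pred_weight_table() are outside the hunks and should be checked. Giving both a defined value in an `else` branch, `pwt->chroma_log2_weight_denom = 0;` and `chroma_def = 1;`, would keep the monochrome path deterministic even if a later edit adds an unguarded read.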
@@ -102,9 +103,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, if (picture_structure == PICT_FRAME) { pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0]; pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1]; -for (j = 0; j < 2; j++) { -pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; -pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; +if (sps->chroma_format_idc) { +for (j = 0; j < 2; j++) { +pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; +pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; +} } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/shorten: Move buffer allocation and offset init to end of read_header()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Sep 10 21:10:16 2017 +0200| [2cfabd8ce7913dcf4d5413441d0fb5a02cd18884] | committer: Michael Niedermayer avcodec/shorten: Move buffer allocation and offset init to end of read_header() They are time consuming operations, performing them after the other checks improves the speed with damaged input dramatically. Fixes: Timeout Fixes: 2928/clusterfuzz-testcase-4992812120539136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cfabd8ce7913dcf4d5413441d0fb5a02cd18884 --- libavcodec/shorten.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index a36a77210e..b56d205932 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -453,12 +453,6 @@ static int read_header(ShortenContext *s) } s->nwrap = FFMAX(NWRAP, maxnlpc); -if ((ret = allocate_buffers(s)) < 0) -return ret; - -if ((ret = init_offset(s)) < 0) -return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -494,6 +488,13 @@ static int read_header(ShortenContext *s) } end: + +if ((ret = allocate_buffers(s)) < 0) +return ret; + +if ((ret = init_offset(s)) < 0) +return ret; + s->cur_chan = 0; s->bitshift = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
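Review bot: The relocated `allocate_buffers(s)` and `init_offset(s)` calls now sit directly under the `end:` label with no comment, so the reason for the ordering is easy to undo in a later cleanup. A comment above them such as `/* allocate only after all header fields are validated: damaged input must fail before the expensive setup */` would record it. The statements between the old and the new position are outside the hunks, so it should be confirmed that none of them touches the buffers these two calls set up.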
[FFmpeg-cvslog] avformat/asfdec: Fix DoS in asf_build_simple_index()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Sep 5 00:16:29 2017 +0200| [4e4177dde23be77a97887f409f237e17ef53f329] | committer: Michael Niedermayer avformat/asfdec: Fix DoS in asf_build_simple_index() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e4177dde23be77a97887f409f237e17ef53f329 --- libavformat/asfdec_f.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index 2cacafe50d..d9dfbf0fa3 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1610,6 +1610,11 @@ static int asf_build_simple_index(AVFormatContext *s, int stream_index) int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 1) - asf->hdr.preroll, 0); +if (avio_feof(s->pb)) { +ret = AVERROR_INVALIDDATA; +goto end; +} + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Sep 8 23:29:12 2017 +0200| [87ef295ddf53068a5bbfd2cd1c91a1b01b787ad7] | committer: Michael Niedermayer avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=87ef295ddf53068a5bbfd2cd1c91a1b01b787ad7 --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); -i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) +i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); -i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); +i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
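Review bot: Two multiplications in this loop are still carried out in signed `int`: `26345 * *src2` on the `i0` line and `i_ict_params[2] * *src2` on the continuation of the `i1` line, both unchanged context. With sample magnitudes like the one in the sanitizer report they can overflow in the same way the patched terms did. The same treatment applies to both: `((int)((26345U * *src2) + (1 << 15)) >> 16)` and `((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16)`.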
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Sep 10 01:32:51 2017 +0200| [03bf78eba6933fff66cee51af0fa7a0f8c44677b] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels Fixes: runtime error: left shift of negative value -95 Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c225da68cffbea11270a758ff42859194c980863) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=03bf78eba6933fff66cee51af0fa7a0f8c44677b --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index b840d179c3..5bca02342d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -599,7 +599,7 @@ static void FUNC(put_hevc_pel_bi_w_pixels)(uint8_t *_dst, ptrdiff_t _dststride, ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { -dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Fix overflow in DC computation
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Sep 10 01:32:50 2017 +0200| [f3c3cd5afbacf99f14cdcafd6d5dffceb6d06626] | committer: Michael Niedermayer avcodec/diracdec: Fix overflow in DC computation Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int' Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5995856a4236c27f231210bb08d70688e045192) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3c3cd5afbacf99f14cdcafd6d5dffceb6d06626 --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 46e8377bc9..0b8b799dc0 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1416,7 +1416,7 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) -block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); +block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
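Review bot: The `(unsigned)` cast on the `block->u.dc[i] +=` line carries no comment saying that it exists to make the addition wrap instead of overflowing, so a later reader may remove it as redundant. A short comment such as `/* unsigned add: wraps on crafted input instead of signed-overflow UB */` would prevent that. The stored value is still unbounded, so whatever consumes `u.dc` must tolerate wrapped values; the element type and its users are outside the hunk. The same documentation gap applies to the casts added in snowdec.c's decode_subband_slice_buffered() and in sbrdsp_fixed.c's autocorrelate() further down this page.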
[FFmpeg-cvslog] avformat/mov: Fix DoS in read_tfra()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Sep 5 00:16:29 2017 +0200| [c9527df274ada02a19c2f973b29d1d5b7069d4bf] | committer: Michael Niedermayer avformat/mov: Fix DoS in read_tfra() Fixes: Missing EOF check in loop No testcase Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9527df274ada02a19c2f973b29d1d5b7069d4bf --- libavformat/mov.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 405476fd71..b97aa001a3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5394,6 +5394,13 @@ static int read_tfra(MOVContext *mov, AVIOContext *f) } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + +if (avio_feof(f)) { +index->item_count = 0; +av_freep(>items); +return AVERROR_INVALIDDATA; +} + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
ffmpeg | branch: release/3.2 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [9cbac3602610afa0867b03bc1475c5c13441d096] | committer: Michael Niedermayer avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() Fixes: 20170829A.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9cbac3602610afa0867b03bc1475c5c13441d096 --- libavformat/mxfdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 2ad0c288f8..e2e34b246f 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -899,6 +899,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); +if(segment->nb_index_entries && length < 11) +return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -909,6 +911,8 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg } for (i = 0; i < segment->nb_index_entries; i++) { +if(avio_feof(pb)) +return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb);/* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
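Review bot: The `avio_feof(pb)` return added inside the loop exits after the three `av_calloc()` arrays have already been stored in `segment`, and nothing on this path frees them. Unless the caller releases the segment's arrays on error, which is not visible in these hunks, every truncated index table leaks them; freeing them before the return or routing it through a shared cleanup path would close that. The arrays are still sized from `nb_index_entries` as read from the file before any entry is parsed, so the EOF check bounds the loop's running time but not the allocation. The constant in `length < 11` would benefit from a comment naming the per-entry fields it accounts for.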
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Sep 1 19:56:10 2017 +0200| [2173539519fab324de3492db59620fd793a0ee4c] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int' Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400 Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2173539519fab324de3492db59620fd793a0ee4c --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index e147f10564..46e8377bc9 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -580,7 +580,7 @@ static inline void codeblock(DiracContext *s, SubBand *b, } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
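Review bot: Switching the macro's `type` argument to `uint32_t` in `INTRA_DC_PRED(10, uint32_t)` changes every operation the macro performs on that type, not only the addition that overflowed. The macro body starts above the hunk, so it cannot be checked here. Any comparison, division or right shift applied to values of `type` would now be unsigned and give different results for negative coefficients. If only the sum needs to wrap, casting at that one expression inside the macro would leave the rest of the arithmetic signed.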
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Sep 1 19:56:11 2017 +0200| [d5b42af8e7ca5010f6eaebb3f17d1957734dbeb8] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int' Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5b42af8e7ca5010f6eaebb3f17d1957734dbeb8 --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index e715e53bc4..adf5178714 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) +(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) +(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
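Review bot: In the four rewritten COMPOSE_DAUB97i* macros the cast covers only `b2`, and none of the macro arguments is parenthesised. An expression passed as `b0` is therefore still evaluated in signed arithmetic before it meets the unsigned operand. Writing the sum as `((b0) + (unsigned)(b2))` and the outer operand as `(b1)` makes the macros safe for expression arguments. The context macro above them, with `-2*(b0+b8) + 10*(b1+b7) ...`, still computes entirely in signed `int`; whether its inputs can reach overflow is not visible from this hunk.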
[FFmpeg-cvslog] avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
ffmpeg | branch: release/3.2 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [a051de092e9c709b69d24d94b66a382909be67d5] | committer: Michael Niedermayer avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. Fixes: 20170829.nsv Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a051de092e9c709b69d24d94b66a382909be67d5 --- libavformat/nsvdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c index 507fb396a5..16d2fa59e2 100644 --- a/libavformat/nsvdec.c +++ b/libavformat/nsvdec.c @@ -350,8 +350,11 @@ static int nsv_parse_NSVf_header(AVFormatContext *s) if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); -for(i=0;i nsvs_file_offset[i] = avio_rl32(pb) + size; +} if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Sep 1 19:56:12 2017 +0200| [372bb594385f97c31981e5ab5bf4c6cd56959102] | committer: Michael Niedermayer avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit() Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long') Fixes: 2838/clusterfuzz-testcase-minimized-6260066086813696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c595139f1fdb5ce5ee128c317ed9e4e836282436) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=372bb594385f97c31981e5ab5bf4c6cd56959102 --- libavcodec/dirac_vlc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dirac_vlc.c b/libavcodec/dirac_vlc.c index 773f720858..b642ee8599 100644 --- a/libavcodec/dirac_vlc.c +++ b/libavcodec/dirac_vlc.c @@ -56,6 +56,9 @@ int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, if ((c_idx + 1) > coeffs) return c_idx; +if (res_bits >= RSIZE_BITS) +res_bits = res = 0; + /* res_bits is a hint for better branch prediction */ if (res_bits && l->sign) { int32_t coeff = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
ffmpeg | branch: release/3.2 | 孙浩(晓黑)| Tue Aug 29 23:59:21 2017 +0200| [816f7337bf3ed3e08afdc28278668d8eb81910cb] | committer: Michael Niedermayer avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() Fixes: 20170829B.mxf Co-Author: 张洪亮(望初)" Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=816f7337bf3ed3e08afdc28278668d8eb81910cb --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index e2e34b246f..0e9153847e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -500,7 +500,7 @@ static int mxf_read_primer_pack(void *arg, AVIOContext *pb, int tag, int size, U avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } -if (item_num > 65536) { +if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
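Review bot: The added `item_num < 0` branch reuses the message `"item_num %d is too large\n"`, which is misleading when the value is negative. The count is presumably read from the file into a signed variable whose declaration is outside the hunk. Holding it in an unsigned type would make the single `> 65536` comparison sufficient and remove the sign question altogether. At minimum the text could become `"item_num %d is out of range\n"`.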
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Mon Aug 28 00:30:33 2017 +0200| [e29c9ef2d56ade1618f0207f1d106898857674d0] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int' Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e29c9ef2d56ade1618f0207f1d106898857674d0 --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 4ebfa07c6a..0ac0b55012 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -140,7 +140,7 @@ static inline void decode_subband_slice_buffered(SnowContext *s, SubBand *b, sli v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ -register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; +register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_ps: Fix undefined shift in pcm code
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Aug 27 23:59:09 2017 +0200| [50d726273e9cd2dbdcd373617d0d20f789c44d79] | committer: Michael Niedermayer avcodec/hevc_ps: Fix undefined shift in pcm code Fixes: runtime error: shift exponent -1 is negative Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50d726273e9cd2dbdcd373617d0d20f789c44d79 --- libavcodec/hevc_ps.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index a2c13faf0f..95d976ff08 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1026,10 +1026,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); -if (sps->pcm.bit_depth > sps->bit_depth) { +if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mvdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Aug 25 01:15:30 2017 +0200| [d4fc6b211f19365fbae4b4388ec396b293fda249] | committer: Michael Niedermayer avformat/mvdec: Fix DoS due to lack of eof check Fixes: loop.mv Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer (cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4fc6b211f19365fbae4b4388ec396b293fda249 --- libavformat/mvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c index 80ef4b1569..e9e9fab503 100644 --- a/libavformat/mvdec.c +++ b/libavformat/mvdec.c @@ -338,6 +338,8 @@ static int mv_read_header(AVFormatContext *avctx) uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
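Review bot: `pos + asize` in the second `av_add_index_entry()` call is computed in `uint32_t` and wraps modulo 2^32 before it is widened, so a crafted pair of values yields an index entry that points at a wrong, small offset. The new EOF check does not cover this; `(int64_t)pos + asize` avoids the wrap. The return values of both `av_add_index_entry()` calls are also ignored, so a failed insertion goes unnoticed. mv_read_header() continues outside the hunk.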
[FFmpeg-cvslog] avformat/cinedec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:27 2017 +0200| [98e177c7288574b336d80618f4ec5d1f94243070] | committer: Michael Niedermayer avformat/cinedec: Fix DoS due to lack of eof check Fixes: loop.cine Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98e177c7288574b336d80618f4ec5d1f94243070 --- libavformat/cinedec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index 32cccf566b..c615d4fc49 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -267,8 +267,12 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); -for (i = 0; i < st->duration; i++) +for (i = 0; i < st->duration; i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); +} return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
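Review bot: `avio_seek(pb, offImageOffsets, SEEK_SET)` just above the patched loop is called without checking its result, so if the seek fails the loop reads index entries from wherever the stream currently is. Checking it, `if (avio_seek(pb, offImageOffsets, SEEK_SET) < 0) return AVERROR_INVALIDDATA;`, fits with the new EOF check. The loop bound `st->duration` is set outside the hunk and is presumably taken from the file, so the number of index entries is still limited only by the data available. The result of `av_add_index_entry()` is ignored here as well.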
[FFmpeg-cvslog] avformat/rmdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:28 2017 +0200| [2bbef8ee271240ce4509b23fd33e35076715a39f] | committer: Michael Niedermayer avformat/rmdec: Fix DoS due to lack of eof check Fixes: loop.ivr Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2bbef8ee271240ce4509b23fd33e35076715a39f --- libavformat/rmdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 4d565291af..7656812eb1 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1238,8 +1238,11 @@ static int ivr_read_header(AVFormatContext *s) av_log(s, AV_LOG_DEBUG, "%s = '%s'\n", key, val); } else if (type == 4) { av_log(s, AV_LOG_DEBUG, "%s = '0x", key); -for (j = 0; j < len; j++) +for (j = 0; j < len; j++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; av_log(s, AV_LOG_DEBUG, "%X", avio_r8(pb)); +} av_log(s, AV_LOG_DEBUG, "'\n"); } else if (len == 4 && type == 3 && !strncmp(key, "StreamCount", tlen)) { nb_streams = value = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Aug 26 14:00:55 2017 +0200| [a4cc1101cc98819ed4704274d8d7ce40725cd774] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long' Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a4cc1101cc98819ed4704274d8d7ce40725cd774 --- libavcodec/sbrdsp_fixed.c | 36 ++-- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 7d593a18b8..f45bb847a8 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -136,19 +136,19 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag) { for (i = 1; i < 38; i++) { -accu_re += (int64_t)x[i][0] * x[i+lag][0]; -accu_re += (int64_t)x[i][1] * x[i+lag][1]; -accu_im += (int64_t)x[i][0] * x[i+lag][1]; -accu_im -= (int64_t)x[i][1] * x[i+lag][0]; +accu_re += (uint64_t)x[i][0] * x[i+lag][0]; +accu_re += (uint64_t)x[i][1] * x[i+lag][1]; +accu_im += (uint64_t)x[i][0] * x[i+lag][1]; +accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; -accu_re += (int64_t)x[ 0][0] * x[lag][0]; -accu_re += (int64_t)x[ 0][1] * x[lag][1]; -accu_im += (int64_t)x[ 0][0] * x[lag][1]; -accu_im -= (int64_t)x[ 0][1] * x[lag][0]; +accu_re += (uint64_t)x[ 0][0] * x[lag][0]; +accu_re += (uint64_t)x[ 0][1] * x[lag][1]; +accu_im += (uint64_t)x[ 0][0] * x[lag][1]; +accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
@@ -156,28 +156,28 @@ static av_always_inline void autocorrelate(const int x[40][2], SoftFloat phi[3][ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; -accu_re += (int64_t)x[38][0] * x[39][0]; -accu_re += (int64_t)x[38][1] * x[39][1]; -accu_im += (int64_t)x[38][0] * x[39][1]; -accu_im -= (int64_t)x[38][1] * x[39][0]; +accu_re += (uint64_t)x[38][0] * x[39][0]; +accu_re += (uint64_t)x[38][1] * x[39][1]; +accu_im += (uint64_t)x[38][0] * x[39][1]; +accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { -accu_re += (int64_t)x[i][0] * x[i][0]; -accu_re += (int64_t)x[i][1] * x[i][1]; +accu_re += (uint64_t)x[i][0] * x[i][0]; +accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; -accu_re += (int64_t)x[ 0][0] * x[ 0][0]; -accu_re += (int64_t)x[ 0][1] * x[ 0][1]; +accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; +accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; -accu_re += (int64_t)x[38][0] * x[38][0]; -accu_re += (int64_t)x[38][1] * x[38][1]; +accu_re += (uint64_t)x[38][0] * x[38][0]; +accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/rl2: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初) | Fri Aug 25 01:15:29 2017 +0200| [5bc9f70441d7e7067cba9188898c9252c72bab35] | committer: Michael Niedermayer avformat/rl2: Fix DoS due to lack of eof check Fixes: loop.rl2 Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bc9f70441d7e7067cba9188898c9252c72bab35 --- libavformat/rl2.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavformat/rl2.c b/libavformat/rl2.c index 0bec8f1d9a..eb1682dfcb 100644 --- a/libavformat/rl2.c +++ b/libavformat/rl2.c @@ -170,12 +170,21 @@ static av_cold int rl2_read_header(AVFormatContext *s) } /** read offset and size tables */ -for(i=0; i < frame_count;i++) +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); -for(i=0; i < frame_count;i++) +} +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); -for(i=0; i < frame_count;i++) +} +for(i=0; i < frame_count;i++) { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0x; +} /** build the sample index */ for(i=0;i
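Review bot: The three new `return AVERROR_INVALIDDATA;` statements leave `rl2_read_header()` directly from inside the table-reading loops, without releasing `chunk_size`, `chunk_offset` and `audio_size`. Their allocation is outside the hunk, so this is inferred: if they are heap buffers sized from `frame_count`, every truncated file leaks all three. A single exit would cover the three loops, e.g. `ret = AVERROR_INVALIDDATA; goto end;` with `end:` placed before the point where the function frees the tables. The hunk is cut short in this listing and the function continues outside it.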
[FFmpeg-cvslog] avformat/asfdec: Fix DoS due to lack of eof check
ffmpeg | branch: release/3.2 | 孙浩 and 张洪亮(望初) | Fri Aug 25 12:37:25 2017 +0200| [f94517934bf0ff2510f472fa2bc4cd362951109c] | committer: Michael Niedermayer avformat/asfdec: Fix DoS due to lack of eof check Fixes: loop.asf Found-by: Xiaohei and Wangchu from Alibaba Security Team Signed-off-by: Michael Niedermayer(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f94517934bf0ff2510f472fa2bc4cd362951109c --- libavformat/asfdec_f.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index b973eff96e..2cacafe50d 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -749,13 +749,15 @@ static int asf_read_marker(AVFormatContext *s, int64_t size) count = avio_rl32(pb);// markers count avio_rl16(pb);// reserved 2 bytes name_len = avio_rl16(pb); // name length -for (i = 0; i < name_len; i++) -avio_r8(pb); // skip the name +avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/hls: Fix DoS due to infinite loop
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Aug 26 01:26:58 2017 +0200| [2920c7cec0b1958b59e5e7990078bea4428f6912] | committer: Michael Niedermayer avformat/hls: Fix DoS due to infinite loop Fixes: loop.m3u The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome Found-by: Xiaohei and Wangchu from Alibaba Security Team Previous version reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2920c7cec0b1958b59e5e7990078bea4428f6912 --- doc/demuxers.texi | 18 ++ libavformat/hls.c | 7 +++ 2 files changed, 25 insertions(+) diff --git a/doc/demuxers.texi b/doc/demuxers.texi index 2934a1cf7f..d56ad1622a 100644 --- a/doc/demuxers.texi +++ b/doc/demuxers.texi @@ -293,6 +293,24 @@ used to end the output video at the length of the shortest input file, which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff --git a/libavformat/hls.c b/libavformat/hls.c index ffefd284f8..87948726da 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -205,6 +205,7 @@ typedef struct HLSContext { AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; +int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) 
@@ -1255,6 +1256,7 @@ static int read_data(void *opaque, uint8_t *buf, int buf_size) HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; +int reload_count = 0; restart: if (!v->needed) @@ -1286,6 +1288,9 @@ restart: reload_interval = default_reload_interval(v); reload: +reload_count++; +if (reload_count > c->max_reload) +return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -2143,6 +2148,8 @@ static const AVOption hls_options[] = { OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, +{"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", +OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
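Review bot: With `max_reload` set to 0, which the option range `0, INT_MAX` in the hunk at -2143 allows, the first time execution reaches `reload:` the counter is already 1, so `reload_count > c->max_reload` is true and `read_data()` returns `AVERROR_EOF` before any playlist load is attempted. Either raise the option minimum to 1, `{.i64 = 1000}, 1, INT_MAX, FLAGS},`, or document in demuxers.texi that the count includes the initial pass. `reload_count` is local to one `read_data()` call, so the limit applies per call rather than per stream, which is worth stating in the option help. The body of `read_data()` continues outside both hunks.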
[FFmpeg-cvslog] ffprobe: Fix null pointer dereference with color primaries
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Aug 22 11:02:38 2017 +0200| [726133b6d2cd8f5f43b5af536024d8e02791d8cf] | committer: Michael Niedermayer ffprobe: Fix null pointer dereference with color primaries Found-by: AD-lab of venustech Signed-off-by: Michael Niedermayer (cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2) Signed-off-by: Michael Niedermayer (cherry picked from commit b2c39fcc3c0749490dc93bca80f56724878b55fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=726133b6d2cd8f5f43b5af536024d8e02791d8cf --- ffprobe.c | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 79fe296489..703304a8c0 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1789,6 +1789,16 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ +const char *val = av_color_primaries_name(color_primaries); +if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { +print_str_opt("color_primaries", "unknown"); +} else { +print_str("color_primaries", val); +} +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2258,10 +2268,7 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id else print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); -if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) -print_str("color_primaries", av_color_primaries_name(par->color_primaries)); -else -print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); +print_primaries(w, par->color_primaries); if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) print_str("chroma_location", av_chroma_location_name(par->chroma_location)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: Fix signed integer overflows with total_size
ffmpeg | branch: release/3.2 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [74410f2abab091b2fdf995fdb669873e8f7e1d0e] | committer: Michael Niedermayer avformat/mov: Fix signed integer overflows with total_size Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74410f2abab091b2fdf995fdb669873e8f7e1d0e --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 24a76a0daa..405476fd71 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -4888,7 +4888,7 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (atom.size < 0) atom.size = INT64_MAX; -while (total_size + 8 <= atom.size && !avio_feof(pb)) { +while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] ffprobe: Fix NULL pointer handling in color parameter printing
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Aug 22 17:27:17 2017 +0200| [baca98fc0971eb49438b589739132d83779bce1e] | committer: Michael Niedermayer ffprobe: Fix NULL pointer handling in color parameter printing Signed-off-by: Michael Niedermayer (cherry picked from commit 351e28f9a799d933dd10c964dca7219fa13b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=baca98fc0971eb49438b589739132d83779bce1e --- ffprobe.c | 62 -- 1 file changed, 44 insertions(+), 18 deletions(-) diff --git a/ffprobe.c b/ffprobe.c index 703304a8c0..0c6c0f6d3e 100644 --- a/ffprobe.c +++ b/ffprobe.c @@ -1789,6 +1789,26 @@ static void print_pkt_side_data(WriterContext *w, writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ +const char *val = av_color_range_name(color_range); +if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { +print_str_opt("color_range", fallback); +} else { +print_str("color_range", val); +} +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ +const char *val = av_color_space_name(color_space); +if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { +print_str_opt("color_space", "unknown"); +} else { +print_str("color_space", val); +} +} + static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) { const char *val = av_color_primaries_name(color_primaries); 
@@ -1799,6 +1819,26 @@ static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primar } } +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ +const char *val = av_color_transfer_name(color_trc); +if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { +print_str_opt("color_transfer", "unknown"); +} else { +print_str("color_transfer", val); +} +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ +const char *val = av_chroma_location_name(chroma_location); +if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { +print_str_opt("chroma_location", "unspecified"); +} else { +print_str("chroma_location", val); +} +} + static void show_packet(WriterContext *w, InputFile *ifile, AVPacket *pkt, int packet_idx) { char val_str[128]; 
@@ -2254,26 +2294,12 @@ static int show_stream(WriterContext *w, AVFormatContext *fmt_ctx, int stream_id if (s) print_str("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); -if (par->color_range != AVCOL_RANGE_UNSPECIFIED) -print_str("color_range", av_color_range_name(par->color_range)); -else -print_str_opt("color_range", "N/A"); - -s = av_get_colorspace_name(par->color_space); -if (s) print_str("color_space", s); -else print_str_opt("color_space", "unknown"); - -if (par->color_trc != AVCOL_TRC_UNSPECIFIED) -print_str("color_transfer", av_color_transfer_name(par->color_trc)); -else -print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); +print_color_range(w, par->color_range, "N/A"); +print_color_space(w, par->color_space); +print_color_trc(w, par->color_trc); print_primaries(w, par->color_primaries); - -if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) -print_str("chroma_location", av_chroma_location_name(par->chroma_location)); -else -print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); +print_chroma_location(w, par->chroma_location); if (par->field_order == AV_FIELD_PROGRESSIVE) print_str("field_order", "progressive"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
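Review bot: Replacing the `av_get_colorspace_name()` lookup with `print_color_space()` switches the name table to `av_color_space_name()`, which the commit message does not mention. If the two functions do not return identical strings for every value, the `color_space` field of ffprobe output changes for existing files, and scripts that parse it are affected on a release branch. I would confirm that the two tables agree or note the change in the commit message. Separately, the helpers use different fallbacks (`"unknown"`, `"unspecified"`, and `"N/A"` passed by the caller), presumably to keep earlier output; a one-line comment above them saying so would stop someone from unifying the strings. `show_stream()` starts and ends outside the hunk.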
[FFmpeg-cvslog] avformat/rtpdec_h264: Fix heap-buffer-overflow
ffmpeg | branch: release/3.2 | Michael Niedermayer| Wed Aug 23 21:30:37 2017 +0200| [53a6cdf89d694be1f075729f16e0a9e2dcbbcb78] | committer: Michael Niedermayer avformat/rtpdec_h264: Fix heap-buffer-overflow Fixes: rtp_sdp/poc.sdp Found-by: Bingchang Signed-off-by: Michael Niedermayer (cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=53a6cdf89d694be1f075729f16e0a9e2dcbbcb78 --- libavformat/rtpdec_h264.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rtpdec_h264.c b/libavformat/rtpdec_h264.c index 8dd56a549e..6f8148ab6d 100644 --- a/libavformat/rtpdec_h264.c +++ b/libavformat/rtpdec_h264.c @@ -166,7 +166,7 @@ static int sdp_parse_fmtp_config_h264(AVFormatContext *s, parse_profile_level_id(s, h264_data, value); } else if (!strcmp(attr, "sprop-parameter-sets")) { int ret; -if (value[strlen(value) - 1] == ',') { +if (*value == 0 || value[strlen(value) - 1] == ',') { av_log(s, AV_LOG_WARNING, "Missing PPS in sprop-parameter-sets, ignoring\n"); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/aviobuf: Fix signed integer overflow in avio_seek()
ffmpeg | branch: release/3.2 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [50cb32480b7691933756bc8a04265a1e488b5e06] | committer: Michael Niedermayer avformat/aviobuf: Fix signed integer overflow in avio_seek() Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50cb32480b7691933756bc8a04265a1e488b5e06 --- libavformat/aviobuf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 134d627a6e..02f6d38966 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -249,6 +249,8 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence) offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; +if (offset > INT64_MAX - offset1) +return AVERROR(EINVAL); offset += offset1; } if (offset < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
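Review bot: The new guard `offset > INT64_MAX - offset1` is safe only when `offset1` is non-negative; for a negative `offset1` the subtraction itself overflows, and a large negative `offset` could still underflow in `offset += offset1`. `offset1` is derived from `pos`, whose assignment is outside the hunk, so whether it can be negative is not visible here. If it cannot, state that beside the check, e.g. `/* offset1 >= 0 here, so only the positive side can overflow */`; otherwise both directions need a sign-aware test. The body of `avio_seek()` continues outside the hunk.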
[FFmpeg-cvslog] avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Mon Aug 21 00:18:48 2017 +0200| [3738a41830fbde1d4d6f950305278ba1cde01390] | committer: Michael Niedermayer avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3738a41830fbde1d4d6f950305278ba1cde01390 --- libavcodec/hevc_ps.c | 12 1 file changed, 12 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 7b104e6143..a2c13faf0f 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; +if (delta_poc < 1 || delta_poc > 32768) { +av_log(avctx, AV_LOG_ERROR, +"Invalid value of delta_poc: %d\n", +delta_poc); +return AVERROR_INVALIDDATA; +} prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx, prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; +if (delta_poc < 1 || delta_poc > 32768) { +av_log(avctx, AV_LOG_ERROR, +"Invalid value of delta_poc: %d\n", +delta_poc); +return AVERROR_INVALIDDATA; +} prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
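Review bot: The same range check on `delta_poc` is added verbatim to both loops with the bare constant 32768, and nothing says where that limit comes from. A short comment such as `/* delta_poc_sX_minus1 is limited to 0..2^15-1 by the spec */` and a small static helper shared by the negative and positive loops would keep the two checks from drifting apart. The declaration of `delta_poc` is outside the hunk; since it is logged with `%d` and computed as `get_ue_golomb_long(gb) + 1`, the `< 1` test presumably also catches a wrapped value, which is worth stating in the same comment.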
[FFmpeg-cvslog] avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
ffmpeg | branch: release/3.2 | Vitaly Buka| Sun Aug 20 11:56:47 2017 -0700| [febea34f914b10e2aed177f49bfd6e9da9be5bef] | committer: Michael Niedermayer avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization Signed integer overflow is undefined behavior. Detected with clang and -fsanitize=signed-integer-overflow Signed-off-by: Vitaly Buka Signed-off-by: Michael Niedermayer (cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=febea34f914b10e2aed177f49bfd6e9da9be5bef --- libavcodec/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2d57aea469..6d6bbb7c22 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1570,7 +1570,7 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (!avctx->rc_initial_buffer_occupancy) -avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; +avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/fic: Fixes signed integer overflow
ffmpeg | branch: release/3.2 | Michael Niedermayer| Thu Aug 17 18:24:37 2017 +0200| [98cd9cd4c29c6b5cfdbd982a9b0a0ee5ce4bc503] | committer: Michael Niedermayer avcodec/fic: Fixes signed integer overflow Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int' Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98cd9cd4c29c6b5cfdbd982a9b0a0ee5ce4bc503 --- libavcodec/fic.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 2c11515459..f66c05b94b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c 
@@ -84,12 +84,12 @@ static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { -const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; -const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; -const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; -const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; -const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); -const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); +const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; +const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; +const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; +const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; +const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); +const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
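Review bot: The `(int)` cast in `t4` and `t5` is what keeps `>> 12` an arithmetic shift now that `t0`..`t3` are `unsigned`, and the code does not say so. Without the cast the shift would be logical and negative sums would decode differently, so a reader tidying the expression could silently change the IDCT output. I would add `/* unsigned to avoid signed-overflow UB; cast back so >> stays arithmetic */` above `t4`. The rest of `fic_idct()` is outside the hunk.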
[FFmpeg-cvslog] avcodec/diracdec: Fixes integer overflow
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Aug 15 03:32:44 2017 +0200| [5bc3b18e3d98059ffd6ec0844b1aeca1f7f41360] | committer: Michael Niedermayer avcodec/diracdec: Fixes integer overflow Fixes: runtime error: signed integer overflow: 340018243 * 27 cannot be represented in type 'int' Fixes: 2861/clusterfuzz-testcase-minimized-5361070510178304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 92da23093c784b1d9f0db4db51d28ea80a59e759) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bc3b18e3d98059ffd6ec0844b1aeca1f7f41360 --- libavcodec/diracdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 6be3cae8d0..e147f10564 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -436,7 +436,7 @@ static av_cold int dirac_decode_end(AVCodecContext *avctx) static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset) { int coeff = dirac_get_se_golomb(gb); -const int sign = FFSIGN(coeff); +const unsigned sign = FFSIGN(coeff); if (coeff) coeff = sign*((sign * coeff * qfactor + qoffset) >> 2); return coeff; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Aug 18 16:42:58 2017 +0200| [dc86479e5febb9f4150ab0c5d24116ac473e8a03] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int' Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc86479e5febb9f4150ab0c5d24116ac473e8a03 --- libavcodec/dirac_dwt_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 972c711cff..e436c247a1 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) -b1[i] -= (b0[i] + b2[i] + 2) >> 2; +b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Mon Aug 21 02:15:49 2017 +0200| [6da5e63ba71de2dc3db547b4f56b67ce28548bdc] | committer: Michael Niedermayer avcodec/aacdec_template: Fix running cleanup in decode_ics_info() Fixes: out of array read Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Previous version reviewed-by: Alex Converse Signed-off-by: Michael Niedermayer (cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6da5e63ba71de2dc3db547b4f56b67ce28548bdc --- libavcodec/aacdec_template.c | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 1ac6503a78..d6880c90db 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -1259,6 +1259,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, const MPEG4AudioConfig *const m4ac = >oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; +int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1309,8 +1311,10 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, ics->num_swb =ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } -if (!ics->num_swb || !ics->swb_offset) -return AVERROR_BUG; +if (!ics->num_swb || !ics->swb_offset) { +ret_fail = AVERROR_BUG; +goto fail; +} } else { ics->swb_offset=ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; 
@@ -1334,7 +1338,8 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); -return AVERROR_PATCHWELCOME; +ret_fail = AVERROR_PATCHWELCOME; +goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(>ltp, gb, ics->max_sfb); @@ -1353,7 +1358,7 @@ static int decode_ics_info(AACContext *ac, IndividualChannelStream *ics, return 0; fail: ics->max_sfb = 0; -return AVERROR_INVALIDDATA; +return ret_fail; } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/me_cmp: Fix crashes on ARM due to misalignment
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Aug 19 23:38:58 2017 +0200| [d15b1da8bcb3b559e1369e1dbd4319deb2b21d6e] | committer: Michael Niedermayer avcodec/me_cmp: Fix crashes on ARM due to misalignment Adds a diff_pixels_unaligned() Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503 Signed-off-by: Michael Niedermayer (cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d15b1da8bcb3b559e1369e1dbd4319deb2b21d6e --- libavcodec/me_cmp.c | 10 +- libavcodec/pixblockdsp.c | 1 + libavcodec/pixblockdsp.h | 5 + libavcodec/x86/pixblockdsp_init.c | 2 ++ 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libavcodec/me_cmp.c b/libavcodec/me_cmp.c index 6639b919ff..5e34a11593 100644 --- a/libavcodec/me_cmp.c +++ b/libavcodec/me_cmp.c @@ -628,7 +628,7 @@ static int dct_sad8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -668,7 +668,7 @@ static int dct264_sad8x8_c(MpegEncContext *s, uint8_t *src1, int16_t dct[8][8]; int i, sum = 0; -s->pdsp.diff_pixels(dct[0], src1, src2, stride); +s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -695,7 +695,7 @@ static int dct_max8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -714,7 +714,7 @@ static int quant_psnr8x8_c(MpegEncContext *s, uint8_t *src1, av_assert2(h == 8); s->mb_intra = 0; -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); 
@@ -817,7 +817,7 @@ static int bit8x8_c(MpegEncContext *s, uint8_t *src1, uint8_t *src2, av_assert2(h == 8); -s->pdsp.diff_pixels(temp, src1, src2, stride); +s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff --git a/libavcodec/pixblockdsp.c b/libavcodec/pixblockdsp.c index f0883d3d08..6152fe40c3 100644 --- a/libavcodec/pixblockdsp.c +++ b/libavcodec/pixblockdsp.c @@ -82,6 +82,7 @@ av_cold void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx) { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; +c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff --git a/libavcodec/pixblockdsp.h b/libavcodec/pixblockdsp.h index 79ed86c3a6..b14514de7e 100644 --- a/libavcodec/pixblockdsp.h +++ b/libavcodec/pixblockdsp.h @@ -31,6 +31,11 @@ typedef struct PixblockDSPContext { const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); +void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, +const uint8_t *s1, +const uint8_t *s2, +int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff --git a/libavcodec/x86/pixblockdsp_init.c b/libavcodec/x86/pixblockdsp_init.c index 4d06a44c6d..b9027dee54 100644 --- a/libavcodec/x86/pixblockdsp_init.c +++ b/libavcodec/x86/pixblockdsp_init.c @@ -39,12 +39,14 @@ av_cold void ff_pixblockdsp_init_x86(PixblockDSPContext *c, if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; +c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; +c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
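Review bot: The new `diff_pixels_unaligned` member in pixblockdsp.h has no comment, so its contract is only implied by the missing `/* align 8 */` on `s1` and `s2`. A line such as `/* like diff_pixels, but s1 and s2 may have any alignment; block still needs 16-byte alignment */` above it would tell authors of per-architecture init code which routines may be assigned to it. This matters because the x86 init hunk gives both pointers the same MMX/SSE2 routine, which is only correct if those routines load `s1` and `s2` without alignment assumptions. That is not visible in the diff and deserves a short comment in the x86 file as well.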
[FFmpeg-cvslog] avcodec/snowdec: Fix off by 1 error
ffmpeg | branch: release/3.2 | Michael Niedermayer| Thu Aug 17 20:32:03 2017 +0200| [bd09e3b19c71d06fa333d27740668119361841e2] | committer: Michael Niedermayer avcodec/snowdec: Fix off by 1 error Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]' Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd09e3b19c71d06fa333d27740668119361841e2 --- libavcodec/snowdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 7d6d7ff44f..4ebfa07c6a 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -355,7 +355,7 @@ static int decode_header(SnowContext *s){ Plane *p= >plane[plane_index]; p->diag_mc= get_rac(>c, s->header_state); htaps= get_symbol(>c, s->header_state, 0)*2 + 2; -if((unsigned)htaps > HTAPS_MAX || htaps==0) +if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
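Review bot: The corrected bound `(unsigned)htaps >= HTAPS_MAX` in decode_header matches the reported overflow, but nothing at the check says why `HTAPS_MAX` itself is already invalid. According to the commit message the code that follows indexes an `int8_t [4]` array, presumably with `htaps/2` as in the visible loop header, so the real limit is the array length rather than the tap count. I would add `/* htaps/2 is used as an array index below, so htaps == HTAPS_MAX is out of range */`, or express the test through `FF_ARRAY_ELEMS()` of that array so the check cannot drift from the declaration again. The function body continues outside the hunk.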
[FFmpeg-cvslog] avcodec/diracdec: Check perspective_exp and zrs_exp.
ffmpeg | branch: release/3.2 | Michael Niedermayer| Tue Aug 15 03:32:43 2017 +0200| [952393b69e666c53361fde252bc0b3f2dbabead3] | committer: Michael Niedermayer avcodec/diracdec: Check perspective_exp and zrs_exp. Fixes: undefined shift Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int' Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=952393b69e666c53361fde252bc0b3f2dbabead3 --- libavcodec/diracdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index bd4ea845ca..6be3cae8d0 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1155,6 +1155,10 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } +if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { +return AVERROR_INVALIDDATA; +} + } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
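Review bot: The new rejection in dirac_unpack_prediction_parameters returns `AVERROR_INVALIDDATA` without logging, and the limit `30` is unexplained. Going by the commit message, the sum of the two exponents is later used as a shift count on a 32-bit `int`, so a comment such as `/* perspective_exp + zrs_exp is used as a shift count on a 32-bit int */` would document the bound. The `weight_log2denom` check in the same function logs before returning; for consistency I would add `av_log(s->avctx, AV_LOG_ERROR, "perspective_exp + zrs_exp out of range\n");` here too. The `(uint64_t)` cast is what keeps the addition itself from wrapping and is worth a word in the same comment.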
[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear mcsel before decoding an image
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Aug 6 13:32:54 2017 +0200| [342d5c20ce0a48074043d630e68629600b59ebdd] | committer: Michael Niedermayer avcodec/mpeg4videodec: Clear mcsel before decoding an image Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int' Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=342d5c20ce0a48074043d630e68629600b59ebdd --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5dfd2954f7..758f77bcfc 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2290,6 +2290,7 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) int time_incr, time_increment; int64_t pts; +s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I;/* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
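Review bot: The added `s->mcsel = 0;` at the top of decode_vop_header carries no comment, and the surrounding header parsing does not make its purpose obvious. From the commit message, the intent is that a value left over from the previous picture must not be used when the current header does not set it. A one-line comment such as `/* per-picture state: do not inherit mcsel from the previous VOP */` would keep a later cleanup from removing it as a dead store. Whether other per-picture fields parsed in this function need the same reset cannot be judged from this hunk.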
[FFmpeg-cvslog] avcodec/ffv1dec_template: Fix undefined shift
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Aug 11 18:20:03 2017 +0200| [04db307c77c18b6e1832a086f676db0db9c152a7] | committer: Michael Niedermayer avcodec/ffv1dec_template: Fix undefined shift Fixes: runtime error: left shift of negative value -127 Fixes: 2834/clusterfuzz-testcase-minimized-5988039123795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62702eebded6c6341d214405812a981f80e46ea2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04db307c77c18b6e1832a086f676db0db9c152a7 --- libavcodec/ffv1dec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 892ccf22fa..f2f7432339 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -149,7 +149,7 @@ static void RENAME(decode_rgb_frame)(FFV1Context *s, uint8_t *src[3], int w, int } if (lbd) -*((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24); +*((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24); else if (sizeof(TYPE) == 4) { *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g; *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
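Review bot: The casts in the `lbd` branch of decode_rgb_frame make the shifts defined, but a component outside 0..255 still spills into the neighbouring channels of the packed 32-bit pixel. The sanitizer report quotes a value of -127; after `(unsigned)g<<8` its upper bits land in the `r` and `a` bytes, and `b` is added with no cast or mask at all. If such samples can only come from damaged input, masking each component, e.g. `(((unsigned)g & 0xFF) << 8)` and likewise for `b`, `r` and `a`, would contain the damage to one channel. If they are legitimate for some coder configuration, a comment saying so would help. The function starts and ends outside the hunk.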
[FFmpeg-cvslog] avcodec/diracdec: Check weight_log2denom
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Jul 29 15:46:50 2017 +0200| [892ceb512f0f10f6cdb7edb4446efbb0ae5b94ed] | committer: Michael Niedermayer avcodec/diracdec: Check weight_log2denom Fixes: runtime error: shift exponent -1 is negative Fixes: 2742/clusterfuzz-testcase-minimized-5724322402402304 Fixes: 2744/clusterfuzz-testcase-minimized-4672435653705728 Fixes: 2749/clusterfuzz-testcase-minimized-5298741273690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 880f5c59139e1d85d3a0b3433103f3fea17ff2d3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=892ceb512f0f10f6cdb7edb4446efbb0ae5b94ed --- libavcodec/diracdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index bc0eb90ab1..bd4ea845ca 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1173,6 +1173,11 @@ static int dirac_unpack_prediction_parameters(DiracContext *s) if (get_bits1(gb)) { s->weight_log2denom = get_interleaved_ue_golomb(gb); +if (s->weight_log2denom < 1 || s->weight_log2denom > 8) { +av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n"); +s->weight_log2denom = 1; +return AVERROR_INVALIDDATA; +} s->weight[0] = dirac_get_se_golomb(gb); if (s->num_refs == 2) s->weight[1] = dirac_get_se_golomb(gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
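Review bot: The range check in dirac_unpack_prediction_parameters runs only after the decoded value has been stored in `s->weight_log2denom`, and the error path then patches the field back to 1. Reading into a local first leaves the context untouched on error and rules out any narrowing before the comparison, should the field be smaller than the decoded value (its type is not visible here): `unsigned v = get_interleaved_ue_golomb(gb);`, `if (v < 1 || v > 8) { ... return AVERROR_INVALIDDATA; }`, `s->weight_log2denom = v;`. That assumes the field already holds a valid default before this block, which is outside the hunk. The log message would also be more useful with the rejected value in it.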
[FFmpeg-cvslog] avcodec/aacdec_fixed: fix invalid shift in predict()
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Aug 4 03:26:30 2017 +0200| [e5950870481b02baf320bca97d8e3ba67a616792] | committer: Michael Niedermayer avcodec/aacdec_fixed: fix invalid shift in predict() Fixes: runtime error: shift exponent -2 is negative Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5950870481b02baf320bca97d8e3ba67a616792 --- libavcodec/aacdec_fixed.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index ccc82057e1..e7c2d2d299 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -305,8 +305,12 @@ static av_always_inline void predict(PredictorState *ps, int *coef, if (output_enable) { int shift = 28 - pv.exp; -if (shift < 31) -*coef += (pv.mant + (1 << (shift - 1))) >> shift; +if (shift < 31) { +if (shift > 0) { +*coef += (pv.mant + (1 << (shift - 1))) >> shift; +} else +*coef += pv.mant << -shift; +} } e0 = av_int2sf(*coef, 2); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
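Review bot: The new `else` branch in predict(), `*coef += pv.mant << -shift;`, left-shifts a signed mantissa by a count that has no upper bound at this point. `shift` is `28 - pv.exp`, so a large enough `pv.exp` makes `-shift` reach 32 or more, and a negative `pv.mant` makes the left shift undefined whatever the count. Both are the same class of sanitizer finding this commit sets out to fix. I would bound the count and shift in unsigned arithmetic, e.g. `} else if (shift > -31)` followed by `*coef += (unsigned)pv.mant << -shift;`, after confirming the range `pv.exp` can take, which is decided outside the hunk.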
[FFmpeg-cvslog] avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sun Aug 6 05:01:45 2017 +0200| [52c4069119ba1d879f11b99957e156c9962cabb7] | committer: Michael Niedermayer avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int' Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52c4069119ba1d879f11b99957e156c9962cabb7 --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 62f8472b41..e715e53bc4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((1817*(b0 + b2) + 2048) >> 12)) +(b1 - ((int)(1817U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - (( 113*(b0 + b2) + 64) >> 7)) +(b1 - ((int)( 113U*(b0 + b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + (( 217*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)( 217U*(b0 + b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((6497*(b0 + b2) + 2048) >> 12)) +(b1 + ((int)(6497U*(b0 + b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
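Review bot: In all four COMPOSE_DAUB97i* macros the multiplication is now unsigned, but the inner `(b0 + b2)` and the outer `b1 - (...)` or `b1 + (...)` are still signed `int` operations and can overflow on the same kind of input. Making one operand of the inner sum unsigned, e.g. `1817U*(b0 + (unsigned)(b2))`, covers the addition; the outer operation needs the same treatment with a final cast back to `int`. The macro arguments are also used unparenthesised, which predates this commit but is worth fixing while these lines are touched. A comment stating that wraparound is intended would stop a later cleanup from dropping the `U` suffixes.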
[FFmpeg-cvslog] avcodec/diracdsp: fix integer overflow
ffmpeg | branch: release/3.2 | Michael Niedermayer| Sat Jul 29 15:55:36 2017 +0200| [19938f1a11355a199135c7411eab5fbf026a4ffb] | committer: Michael Niedermayer avcodec/diracdsp: fix integer overflow Fixes: runtime error: signed integer overflow: 11 * 225726413 cannot be represented in type 'int' Fixes: 2764/clusterfuzz-testcase-minimized-5382561922547712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b2d9d7226943d6229a17e31714ce5162bdf88b33) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19938f1a11355a199135c7411eab5fbf026a4ffb --- libavcodec/diracdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index cd1209e209..8bc79b788c 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -199,7 +199,7 @@ static void dequant_subband_ ## PX ## _c(uint8_t *src, uint8_t *dst, ptrdiff_t s for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ sign = FFSIGN(c)*(!!c); \ -c = (FFABS(c)*qf + qs) >> 2; \ +c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ *dst_r++ = c*sign; \ } \ src += tot_h << (sizeof(PX) >> 1); \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
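Review bot: The cast in `c = (FFABS(c)*(unsigned)qf + qs) >> 2;` makes the whole expression unsigned, so `>> 2` is now a logical shift on a value that may have wrapped, while `FFABS(c)` is still evaluated in the signed type first. If `PX` can be a 32-bit type and a coefficient can be the most negative value, the negation inside `FFABS` overflows before the cast takes effect; whether that input is reachable is not visible in this hunk. A short comment on the line, for example `/* unsigned: the product may wrap on damaged input, but must not be UB */`, would record that the wrap is deliberate. Taking the absolute value in unsigned arithmetic would close the remaining case.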
[FFmpeg-cvslog] avformat/utils: fix memory leak in avformat_free_context
ffmpeg | branch: release/3.2 | Steven Siloti| Tue Jul 18 11:26:39 2017 -0700| [16ee4057077b05e89a784cce1a17ec49b5e46ad2] | committer: Michael Niedermayer avformat/utils: fix memory leak in avformat_free_context The pointer to the packet queue is stored in the internal structure so the queue needs to be flushed before internal is freed. Signed-off-by: Steven Siloti Signed-off-by: Michael Niedermayer (cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=16ee4057077b05e89a784cce1a17ec49b5e46ad2 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index cea3ab5a93..3e59e50bb1 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4172,8 +4172,8 @@ void avformat_free_context(AVFormatContext *s) av_freep(>chapters); av_dict_free(>metadata); av_freep(>streams); -av_freep(>internal); flush_packet_queue(s); +av_freep(>internal); av_free(s); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
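Review bot: The new order in avformat_free_context is right but fragile, because nothing at the call site says that `flush_packet_queue(s)` depends on `s->internal`. Per the commit message the packet queue pointer is stored in the internal structure, so I would add `/* must run before internal is freed: the packet queue lives in s->internal */` above the `flush_packet_queue(s);` line. Without it, a later reordering of these teardown calls can reintroduce the problem unnoticed.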
[FFmpeg-cvslog] avcodec/h264_slice: Fix overflow in slice offset
ffmpeg | branch: release/3.2 | Michael Niedermayer| Fri Aug 4 02:41:05 2017 +0200| [b66aa37834c2913be41a8404662c403c1c68b683] | committer: Michael Niedermayer avcodec/h264_slice: Fix overflow in slice offset Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int' Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b66aa37834c2913be41a8404662c403c1c68b683 --- libavcodec/h264_slice.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 68b73da418..ce1fc18219 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c 
@@ -1739,17 +1739,19 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { -sl->slice_alpha_c0_offset = get_se_golomb(>gb) * 2; -sl->slice_beta_offset = get_se_golomb(>gb) * 2; -if (sl->slice_alpha_c0_offset > 12 || -sl->slice_alpha_c0_offset < -12 || -sl->slice_beta_offset > 12 || -sl->slice_beta_offset < -12) { +int slice_alpha_c0_offset_div2 = get_se_golomb(>gb); +int slice_beta_offset_div2 = get_se_golomb(>gb); +if (slice_alpha_c0_offset_div2 > 6 || +slice_alpha_c0_offset_div2 < -6 || +slice_beta_offset_div2 > 6 || +slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } +sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; +sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
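Review bot: The limits `6` and `-6` in h264_slice_header_parse are bare numbers, and the error message now prints the halved syntax elements without saying so. These are the bounds the H.264 specification gives for slice_alpha_c0_offset_div2 and slice_beta_offset_div2, so a comment such as `/* spec range for both *_div2 elements is -6..6 */` above the check would explain them. Because the message printed the doubled values before this change, I would also reword it to `"deblocking filter parameters (div2) %d %d out of range\n"`, so that old and new reports are not misread against each other. The function starts and ends outside the hunk.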
[FFmpeg-cvslog] [ffmpeg-web] branch master updated. df5f4d0 web/secrity: add CVEs for 3.3.4
The branch, master has been updated via df5f4d0b7e4cd2166b6cd73c801e321272b689cd (commit) from 2373ca7eef2117995b5fba90be7ddd7603fa3eec (commit) - Log - commit df5f4d0b7e4cd2166b6cd73c801e321272b689cd Author: Michael NiedermayerAuthorDate: Sun Sep 17 12:28:24 2017 +0200 Commit: Michael Niedermayer CommitDate: Sun Sep 17 12:28:24 2017 +0200 web/secrity: add CVEs for 3.3.4 diff --git a/src/security b/src/security index ab51443..57db9e5 100644 --- a/src/security +++ b/src/security 
@@ -4,6 +4,25 @@ FFmpeg 3.3 +3.3.4 + +Fixes following vulnerabilities: + + +CVE-2017-14054, 6bd562e04440c48eb79e24c36800791bbb1ba0b6 / 124eb202e70678539544f6268efc98131f19fa49 +CVE-2017-14055, e910f15fcbb709c4c7208737a6cc39185b41543b / 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e +CVE-2017-14059, 4ff1fcd3caa2e59c3d4cec8e4c64c9ac79b09a1d / 7e80b63ecd259d69d383623e75b318bf2bd491f6 +CVE-2017-14058, 305f37e5be009c66e0af3064855c8509aafba719 / 7ec414892ddcad88313848494b6fc5f437c9ca4a +CVE-2017-14057, 6447815dfbbe5036c7fa29d285b59896d76f4f9d / 7f9ec5593e04827249e7aeb466da06a98a0d7329 +CVE-2017-14225, 5474a7e93b8ea0be1157ac9cf93c1511eccae7b0 / 837cb4325b712ff1aab531bf41668933f61d75d2 +CVE-2017-14170, c01f799314c3254a98c415ccf99acd501bdbd9f2 / 900f39692ca0337a98a7cf047e4e2611071810c2 +CVE-2017-14056, 8cb0f2c4e55d1d8ba9dbc80dd19ad139d0200c2d / 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de +CVE-2017-14222, d9cf9f5af82228b588828ae2692acccec588fdac / 9cb4eb772839c5e1de2855d126bf74ff16d13382 +CVE-2017-14169, 9d3a7c82a669a1a1c8e3904c65ded19e80d16edc / 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad +CVE-2017-14223, b61e5a878c845b8bee1267fdb75c293feb00ae0d / afc9c683ed9db01edb357bc8c19edad4282b3a97 +CVE-2017-14171, e6a8d110d7e8e938913a0a85ca933b415f8ed24d / c24bcb553650b91e9eff15ef6e54ca73de2453b + + 3.3.3 Fixes following vulnerabilities: --- Summary of changes: src/security | 19 +++ 1 file changed, 19 insertions(+) hooks/post-receive -- ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog