[FFmpeg-cvslog] lavu/avsscanf: Do not mix declaration and code.

2018-11-17 Thread Carl Eugen Hoyos
ffmpeg | branch: master | Carl Eugen Hoyos  | Sun Nov 18 
03:51:42 2018 +0100| [529debc98776f94651cc927c2c27cc6de611697f] | committer: 
Carl Eugen Hoyos

lavu/avsscanf: Do not mix declaration and code.

Fixes the following warning:
libavutil/avsscanf.c: In function 'decfloat':
libavutil/avsscanf.c:354:9: warning: ISO C90 forbids mixed declarations and 
code [-Wdeclaration-after-statement]
 int bitlim = bits-3*(int)(rp-9);
 ^~~

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=529debc98776f94651cc927c2c27cc6de611697f
---

 libavutil/avsscanf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c
index 7c61b860ae..9b3685f34b 100644
--- a/libavutil/avsscanf.c
+++ b/libavutil/avsscanf.c
@@ -349,9 +349,10 @@ static double decfloat(FFFILE *f, int c, int bits, int 
emin, int sign, int pok)
 
 /* Optimize small to mid-size integers (even in exp. notation) */
 if (lnz<9 && lnz<=rp && rp < 18) {
+int bitlim;
 if (rp == 9) return sign * (double)x[0];
 if (rp < 9) return sign * (double)x[0] / p10s[8-rp];
-int bitlim = bits-3*(int)(rp-9);
+bitlim = bits-3*(int)(rp-9);
 if (bitlim>30 || x[0]>>bitlim==0)
 return sign * (double)x[0] * p10s[rp-10];
 }



[FFmpeg-cvslog] avcodec/pngdec: Check compression method

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Nov  9 03:12:45 2018 +0100| [de1d2ea6b20ac6c2a2bf23e67d07a86b87836386] | 
committer: Michael Niedermayer

avcodec/pngdec: Check compression method

method 0 (inflate/deflate) is the only one defined in the specification and the
only one supported

Fixes: Timeout
Fixes: 
10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=de1d2ea6b20ac6c2a2bf23e67d07a86b87836386
---

 libavcodec/pngdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 7f0d416683..10d0575f70 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -566,6 +566,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
 }
 s->color_type   = bytestream2_get_byte(>gb);
 s->compression_type = bytestream2_get_byte(>gb);
+if (s->compression_type) {
+av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", 
s->compression_type);
+goto error;
+}
 s->filter_type  = bytestream2_get_byte(>gb);
 s->interlace_type   = bytestream2_get_byte(>gb);
 bytestream2_skip(>gb, 4); /* crc */
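Review bot: The rejection at `if (s->compression_type)` carries no comment saying why every non-zero value is invalid, so a reader has to go back to the commit message to find out. A one-line comment above the check would carry that: `/* PNG defines only compression method 0 (deflate); nothing else can be decoded */`. The `filter_type` byte read on the following line is stored without a comparable check in this hunk; whether it is validated later in decode_ihdr_chunk() is not visible here, since the function continues outside the hunk.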



[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Oct 21 14:40:14 2018 +0200| [e6f8f6a7eefd1fb29db17a86bba4434117eaab08] | 
committer: Michael Niedermayer

avcodec/msrle: Check that the input is large enough to contain a end of picture 
code

Fixes: Timeout
Fixes: 
10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6f8f6a7eefd1fb29db17a86bba4434117eaab08
---

 libavcodec/msrle.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
index adb55b1302..1ab8a41985 100644
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
 s->buf = buf;
 s->size = buf_size;
 
+if (buf_size < 2) //Minimally a end of picture code should be there
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
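Review bot: The new `buf_size < 2` test runs after `s->buf = buf;` and `s->size = buf_size;`, so a rejected packet is still recorded in the decoder context before the early return. Moving the check above those two assignments would leave the context untouched on invalid input; whether any later code reads `s->buf` after a failed call is not visible in this hunk. The trailing comment would also read more clearly as `/* the input must at least hold an end-of-picture code */`.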
 



[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Oct 28 21:08:39 2018 +0100| [875a5d055b4ccbe9b9dabab2899ed425f73afcd3] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported 
mp3adu case

Fixes: Timeout
Fixes: 
10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896
Fixes: 
10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=875a5d055b4ccbe9b9dabab2899ed425f73afcd3
---

 libavcodec/mpegaudio_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index a072851ecf..04400a44e7 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 "MP3ADU full parser");
 *poutbuf = NULL;
 *poutbuf_size = 0;
-return 0; /* parsers must not return error codes */
+return buf_size; /* parsers must not return error 
codes */
 }
 
 break;
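Review bot: The comment on the changed `return buf_size;` still explains only why no error code is returned, not why the whole buffer is reported as consumed. Returning 0 at this point is what the commit message ties to the timeout, so the reason belongs next to the code, e.g. `/* consume the whole buffer so the caller advances; parsers must not return error codes */`. The enclosing branch of mpegaudio_parse() starts outside the hunk.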



[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Nov  9 19:59:27 2018 +0100| [0612e6a0d7dea838211e60c53491a0caff1842d4] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow with offset

Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented 
in type 'int'
Fixes: 
10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0612e6a0d7dea838211e60c53491a0caff1842d4
---

 libavcodec/shorten.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 9d591bd668..35e22359be 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -373,7 +373,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* subtract offset from previous samples to use in prediction */
 if (command == FN_QLPC && coffset)
 for (i = -pred_order; i < 0; i++)
-s->decoded[channel][i] -= coffset;
+s->decoded[channel][i] -= (unsigned)coffset;
 
 /* decode residual and do LPC prediction */
 init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
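Review bot: The `(unsigned)coffset` casts in `s->decoded[channel][i] -= (unsigned)coffset;` and, in the next hunk, `+= (unsigned)coffset;` read as redundant unless one knows they exist to make the arithmetic wrap instead of overflowing a signed int. A short comment at each site, such as `/* unsigned arithmetic: wraparound is defined, signed overflow is not */`, would keep a later cleanup from removing them. The result is converted back to the element type of `s->decoded` on store; that type is declared outside these hunks, so the conversion of out-of-range values is worth confirming there.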
@@ -388,7 +388,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* add offset to current samples */
 if (command == FN_QLPC && coffset)
 for (i = 0; i < s->blocksize; i++)
-s->decoded[channel][i] += coffset;
+s->decoded[channel][i] += (unsigned)coffset;
 
 return 0;
 }



[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Nov  4 20:00:16 2018 +0100| [d10266a96f28824a9248b096a01de5a944d261b2] | 
committer: Michael Niedermayer

avcodec/cavsdec: Propagate error codes inside decode_mb_i()

Fixes: Timeout
Fixes: 
10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d10266a96f28824a9248b096a01de5a944d261b2
---

 libavcodec/cavsdec.c | 29 +
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index cb1aea2a9f..4d051c5ba0 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, 
GetBitContext *gb,
 }
 
 
-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
-if (h->cbp & (1 << 4))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (h->cbp & (1 << 4)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-if (h->cbp & (1 << 5))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (ret < 0)
+return ret;
+}
+if (h->cbp & (1 << 5)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+if (ret < 0)
+return ret;
+}
+return 0;
 }
 
 static inline int decode_residual_inter(AVSContext *h)
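Review bot: `decode_residual_chroma()` now returns an error code, but the only call site this commit updates is the one in `decode_mb_i()` (last hunk). `decode_residual_inter()`, whose signature follows this hunk, already returns int; if its body, which lies outside the hunk, also calls `decode_residual_chroma(h)`, that result is still dropped and should be propagated the same way, for instance by ending with `return decode_residual_chroma(h);`. The two block-local `int ret` declarations in the new function could also be a single declaration at the top of it.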
@@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 uint8_t top[18];
 uint8_t *left = NULL;
 uint8_t *d;
+int ret;
 
 ff_cavs_init_mb(h);
 
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 ff_cavs_load_intra_pred_luma(h, top, , block);
 h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
 (d, top, left, h->l_stride);
-if (h->cbp & (1l_stride);
+if (h->cbp & (1l_stride);
+if (ret < 0)
+return ret;
+}
 }
 
 /* chroma intra prediction */
@@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10],
   h->left_border_v, h->c_stride);
 
-decode_residual_chroma(h);
+ret = decode_residual_chroma(h);
+if (ret < 0)
+return ret;
 ff_cavs_filter(h, I_8X8);
 set_mv_intra(h);
 return 0;



[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix typo in sprite delta check

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Oct 18 01:19:36 2018 +0200| [1effc4baa19de9ee203c7bc4b55a71270aeb3eef] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix typo in sprite delta check

Fixes: Integer overflow
Fixes: 
10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1effc4baa19de9ee203c7bc4b55a71270aeb3eef
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 4d0db3dc73..caad104934 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext 
*ctx, GetBitContext *g
 llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= 
INT_MAX ||
 llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + 
sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
 llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
-llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
+llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
 llabs(sd[0]) >= INT_MAX ||
 llabs(sd[1]) >= INT_MAX ||
 llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||



[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in add_wav()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Wed Oct 10 04:25:50 2018 +0200| [f266eca585f0e570350cc54578c762aa8ebd86c7] | 
committer: Michael Niedermayer

avcodec/ra144: Fix integer overflow in add_wav()

Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in 
type 'int'
Fixes: 
10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f266eca585f0e570350cc54578c762aa8ebd86c7
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 573703d70b..65a744876c 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
+dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
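Review bot: Only the `if (v[0])` branch gets unsigned arithmetic; the `else` branch still computes `s2[i]*v[1] + s3[i]*v[2]` entirely in signed int. If the value ranges of `v[1]` and `v[2]` let that sum leave the int range, the same sanitizer report can recur there; the ranges are established outside this hunk, so this needs confirming against the rest of add_wav(). Applying the same pattern would give `dest[i] = (int)(s2[i]*(unsigned)v[1] + s3[i]*v[2]) >> 12;`.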



[FFmpeg-cvslog] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 20 22:53:32 2018 +0200| [368e7a0994222442a46be577f38aedc18f97aeac] | 
committer: Michael Niedermayer

avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

Fixes: Timeout
Fixes: 
9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=368e7a0994222442a46be577f38aedc18f97aeac
---

 libavcodec/hq_hqa.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index f88ad7d5f5..ec9da3e04f 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int 
qgroup,
 int flag = 0;
 int i, ret, cbp;
 
+if (get_bits_left(gb) < 1)
+return AVERROR_INVALIDDATA;
+
 cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);
 
 for (i = 0; i < 12; i++)
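Review bot: The guard `get_bits_left(gb) < 1` establishes only that one bit remains, while the `get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1)` call right after it can consume up to 5 bits. As an early exit for exhausted input, which is what the commit message describes, that is sufficient, but it is not a bound on the read and the code should say so: `/* stop early on exhausted input; this does not bound the VLC read below */`. hqa_decode_mb() continues outside the hunk.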



[FFmpeg-cvslog] avcodec/h264_cavlc: Check mb_skip_run

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Oct  4 03:13:41 2018 +0200| [72268fbdc37ea692f01e0afbddae3939a9c02eb7] | 
committer: Michael Niedermayer

avcodec/h264_cavlc: Check mb_skip_run

Fixes: 
10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=72268fbdc37ea692f01e0afbddae3939a9c02eb7
---

 libavcodec/h264_cavlc.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index ffed204441..c88140650a 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, 
H264SliceContext *sl)
 cbp = 0; /* avoid warning. FIXME: find a solution without slowing
 down the code */
 if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-if (sl->mb_skip_run == -1)
-sl->mb_skip_run = get_ue_golomb_long(>gb);
+if (sl->mb_skip_run == -1) {
+unsigned mb_skip_run = get_ue_golomb_long(>gb);
+if (mb_skip_run > h->mb_num) {
+av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", 
mb_skip_run);
+return AVERROR_INVALIDDATA;
+}
+sl->mb_skip_run = mb_skip_run;
+}
 
 if (sl->mb_skip_run--) {
 if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
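Review bot: The new av_log() call passes the `unsigned mb_skip_run` to a `%d` conversion; the specifier should match the type, `"mb_skip_run %u is invalid\n"`. As written, a value above INT_MAX, which is within the range this check exists to reject, would typically be printed as a negative number in the error message. The comparison `mb_skip_run > h->mb_num` also mixes unsigned with whatever type `mb_num` has (declared outside the hunk); if that is a signed int, an explicit cast would make the intended comparison visible.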



[FFmpeg-cvslog] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Aug 16 15:36:28 2018 +0200| [949995b2252124b0abd8cd414a854e62bd241290] | 
committer: Michael Niedermayer

avformat/mlvdec: read_string() received unsigned size, make the argument 
unsigned

Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04

Found-by: Paul Ch 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=949995b2252124b0abd8cd414a854e62bd241290
---

 libavformat/mlvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 665b28d4f8..de8f217dad 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 return 0;
 }
 
-static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, int size)
+static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, unsigned size)
 {
 char * value = av_malloc(size + 1);
 if (!value) {



[FFmpeg-cvslog] avcodec/shorten: Fix bitstream end check in read_header()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Sep 15 02:08:20 2018 +0200| [3b20cd4f6576a18776252ee96ece0946557cbe7d] | 
committer: Michael Niedermayer

avcodec/shorten: Fix bitstream end check in read_header()

Fixes: Timeout
Fixes: 
9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b20cd4f6576a18776252ee96ece0946557cbe7d
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index c1a6df3802..9d591bd668 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -447,7 +447,7 @@ static int read_header(ShortenContext *s)
 }
 
 skip_bytes = get_uint(s, NSKIPSIZE);
-if ((unsigned)skip_bytes > get_bits_left(>gb)/8) {
+if ((unsigned)skip_bytes > FFMAX(get_bits_left(>gb), 0)/8) {
 av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", 
skip_bytes);
 return AVERROR_INVALIDDATA;
 }
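Review bot: Nothing at the new `FFMAX(get_bits_left(...), 0)/8` bound says why the clamp is needed. get_bits_left() returns a negative int once the reader has run past the end of the buffer, and a negative int compared against `(unsigned)skip_bytes` is converted to a very large unsigned value, so the old check let any skip_bytes through in that state. A comment such as `/* clamp: a negative remainder would convert to a huge unsigned bound */` would keep the clamp from being simplified away later.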



[FFmpeg-cvslog] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Aug 16 15:36:29 2018 +0200| [b535e8936b7285e23f2f007682be94cde4e8b857] | 
committer: Michael Niedermayer

avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()

Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6

Found-by: Paul Ch 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b535e8936b7285e23f2f007682be94cde4e8b857
---

 libavformat/rmdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 59e27b026d..0b823b7b87 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1285,6 +1285,8 @@ static int ivr_read_header(AVFormatContext *s)
 if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) {
 ret = rm_read_multi(s, pb, st, NULL);
 } else {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 avio_seek(pb, -4, SEEK_CUR);
 ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, 
len, NULL);
 }
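Review bot: The return value of `avio_seek(pb, -4, SEEK_CUR)` directly below the new `avio_feof(pb)` check is still ignored. If the seek fails, `ff_rm_read_mdpr_codecdata()` is called with the read position four bytes further on than intended; checking it, e.g. `if (avio_seek(pb, -4, SEEK_CUR) < 0) return AVERROR_INVALIDDATA;`, would cover that path as well. The enclosing loop in ivr_read_header() starts and ends outside the hunk.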



[FFmpeg-cvslog] avcodec/zmbv: Check that the decompressed data size is correct

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Sep 18 00:28:37 2018 +0200| [2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e] | 
committer: Michael Niedermayer

avcodec/zmbv: Check that the decompressed data size is correct

This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.

Fixes: Timeout
Fixes: 
10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e
---

 libavcodec/zmbv.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 0ffeea502c..46f59583c9 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 int zret = Z_OK; // Zlib return code
 int len = buf_size;
 int hi_ver, lo_ver, ret;
+int expected_size;
 
 /* parse header */
 if (len < 1)
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8));
 c->decode_intra= decode_intra;
 }
+if (c->flags & ZMBV_KEYFRAME) {
+expected_size = avctx->width * avctx->height * (c->bpp / 8);
+} else {
+expected_size = (c->bx * c->by * 2 + 3) & ~3;
+}
+if (avctx->pix_fmt == AV_PIX_FMT_PAL8 &&
+(c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME)))
+expected_size += 768;
 
 if (!c->decode_intra) {
 av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n");
@@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 }
 c->decomp_len = c->zstream.total_out;
 }
+if (expected_size > c->decomp_len ||
+(c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) {
+av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, 
expected %d\n", c->decomp_len, expected_size);
+return AVERROR_INVALIDDATA;
+}
 if (c->flags & ZMBV_KEYFRAME) {
 frame->key_frame = 1;
 frame->pict_type = AV_PICTURE_TYPE_I;
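Review bot: The new size check mixes `||` and `&&` without parentheses; it parses as intended, but compilers warn about it and the grouping should be explicit: `if (expected_size > c->decomp_len || ((c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len)) {`. `expected_size` is an int while `c->decomp_len` is assigned from `c->zstream.total_out`; if `decomp_len` is an unsigned type (its declaration is outside these hunks), both the comparisons and the `%d` in the log message are mixed-sign and deserve a look. The keyframe size `avctx->width * avctx->height * (c->bpp / 8)` in the previous hunk is computed in int, so it relies on the dimensions having been bounded elsewhere.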



[FFmpeg-cvslog] avformat/utils: Never store negative values in last_IP_duration

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Oct 12 20:55:25 2018 +0200| [77d35ab73435a9c847f387621f066c1f98733580] | 
committer: Michael Niedermayer

avformat/utils: Never store negative values in last_IP_duration

Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=77d35ab73435a9c847f387621f066c1f98733580
---

 libavformat/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 8cdad78659..dc867a96a3 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1293,7 +1293,7 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 
 /* This is tricky: the dts must be incremented by the duration
  * of the frame we are displaying, i.e. the last I- or P-frame. */
-if (st->last_IP_duration == 0)
+if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= 
INT32_MAX)
 st->last_IP_duration = pkt->duration;
 if (pkt->dts != AV_NOPTS_VALUE)
 st->cur_dts = pkt->dts + st->last_IP_duration;
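Review bot: The test `(uint64_t)pkt->duration <= INT32_MAX` appears here and again in the next hunk with no word on what it filters. The cast makes a negative duration compare as a very large value, so a single comparison rejects both negative durations and ones above INT32_MAX; a comment like `/* rejects negative and oversized durations in one comparison */` at both sites would make that readable. In the second hunk a rejected duration leaves the previous `st->last_IP_duration` in place, which may be stale for the next packet; whether that is intended is not stated in the code or the commit message.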
@@ -1305,7 +1305,8 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 next_pts != AV_NOPTS_VALUE)
 pkt->pts = next_dts;
 
-st->last_IP_duration = pkt->duration;
+if ((uint64_t)pkt->duration <= INT32_MAX)
+st->last_IP_duration = pkt->duration;
 st->last_IP_pts  = pkt->pts;
 /* Cannot compute PTS if not present (we can compute it only
  * by knowing the future. */



[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Oct 20 22:35:37 2018 +0200| [353ef58a8279d3c3a45fe18d1245d84cb843eb18] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

Fixes: assertion failure
Fixes: 
10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=353ef58a8279d3c3a45fe18d1245d84cb843eb18
---

 libavcodec/jpeg2000dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index ba62aa7b10..9e0a0cb933 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1128,7 +1128,7 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 step_x = 32;
 step_y = 32;
 
-if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
 continue;
 
 for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, 
REpoc); reslevelno++) {



[FFmpeg-cvslog] avcodec/zmbv: Update decomp_len in raw frames

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Sep 17 21:33:59 2018 +0200| [5fe92631fc2015ced579da5fe4efa8fc52042911] | 
committer: Michael Niedermayer

avcodec/zmbv: Update decomp_len in raw frames

decomp_len is used in raw frames, so it should not be left at the value from
whatever was decoded previously (which may be any other frame)

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5fe92631fc2015ced579da5fe4efa8fc52042911
---

 libavcodec/zmbv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 5deef804bc..0ffeea502c 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 return AVERROR_INVALIDDATA;
 }
 memcpy(c->decomp_buf, buf, len);
+c->decomp_len = len;
 } else { // ZLIB-compressed data
 c->zstream.total_in = c->zstream.total_out = 0;
 c->zstream.next_in = (uint8_t*)buf;



[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Wed Oct 24 01:44:12 2018 +0200| [c2af767c3e288b63eab873e60c3376b0adcb0186] | 
committer: Michael Niedermayer

avutil/integer: Fix integer overflow in av_mul_i()

Found-by: fate
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2af767c3e288b63eab873e60c3376b0adcb0186
---

 libavutil/integer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 6d6855fa1b..ba4aa778c9 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){
 
 if(a.v[i])
 for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i];
+carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i];
 out.v[j]= carry;
 }
 }



[FFmpeg-cvslog] avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Sep 13 04:24:49 2018 +0200| [9f0e0a4cf29c860e85a7f1c47ec6418923abbeb3] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

Speed improvement 35.5 sec -> 34.7sec

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f0e0a4cf29c860e85a7f1c47ec6418923abbeb3
---

 libavcodec/dvdsubdec.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 0c73fb2bbd..79cb0c4046 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
 int len;
 int has_run = get_bits1(gb);
-if (get_bits1(gb))
-*color = get_bits(gb, 8);
-else
-*color = get_bits(gb, 2);
+*color = get_bits(gb, 2 + 6*get_bits1(gb));
 if (has_run) {
 if (get_bits1(gb)) {
 len = get_bits(gb, 7);
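Review bot: The expression `get_bits(gb, 2 + 6*get_bits1(gb))` folds a flag read and a width choice into one argument and has no comment. The removed if/else made it obvious that the flag bit selects an 8-bit or a 2-bit color; a comment such as `/* flag bit selects an 8-bit (set) or 2-bit (clear) color */` restores that for the branch-free form. decode_run_8bit() continues outside the hunk.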



[FFmpeg-cvslog] avformat/utils: Fix integer overflow in discontinuity check

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Oct 12 03:00:32 2018 +0200| [9181ecd2e60285136f77c655d87ec7538cdfded1] | 
committer: Michael Niedermayer

avformat/utils: Fix integer overflow in discontinuity check

Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 
cannot be represented in type 'long'
Fixes: find_stream_info_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9181ecd2e60285136f77c655d87ec7538cdfded1
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index eda9220923..8cdad78659 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3600,7 +3600,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
  * sequence, we treat it as a discontinuity. */
 if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
 st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
-(pkt->dts - st->info->fps_last_dts) / 1000 >
+(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 >
 (st->info->fps_last_dts - 
(uint64_t)st->info->fps_first_dts) /
 (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
 av_log(ic, AV_LOG_WARNING,
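Review bot: The new `(uint64_t)` cast makes the left-hand subtraction wrap instead of overflow, but nothing in the condition says what happens when `pkt->dts` is smaller than `fps_last_dts`. In that case the difference becomes a very large unsigned value, which after `/ 1000` will most likely still exceed the right-hand side and be reported as a discontinuity. That is probably the intended outcome, but it is now a side effect of wraparound. I would extend the existing comment with `/* unsigned on purpose: dts going backwards wraps to a large value and counts as a discontinuity */`. The enclosing function starts and ends outside the hunk.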



[FFmpeg-cvslog] avcodec/unary: Improve get_unary() docs

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Sep 22 15:18:17 2018 +0200| [72babd45c81e7760e02040f0a29a07042004bb52] | 
committer: Michael Niedermayer

avcodec/unary: Improve get_unary() docs

Found-by: kierank
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=72babd45c81e7760e02040f0a29a07042004bb52
---

 libavcodec/unary.h | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/libavcodec/unary.h b/libavcodec/unary.h
index 908dc93507..d57f9f70c5 100644
--- a/libavcodec/unary.h
+++ b/libavcodec/unary.h
@@ -28,7 +28,20 @@
  * @param gb GetBitContext
  * @param[in] stop The bitstop value (unary code of 1's or 0's)
  * @param[in] len Maximum length
- * @return Unary length/index
+ * @return unary 0 based code index. This is also the length in bits of the
+ * code excluding the stop bit.
+ * (in case len=1)
+ * 10
+ * 01
+ * (in case len=2)
+ * 10
+ * 01   1
+ * 00   2
+ * (in case len=3)
+ * 10
+ * 01   1
+ * 001  2
+ * 000  3
  */
 static inline int get_unary(GetBitContext *gb, int stop, int len)
 {
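Review bot: The new examples in the get_unary() doc comment do not say which `stop` value they are drawn for, nor which column is the code and which is the return value. From the rows they appear to assume stop=1, with the last row of each group being the case where `len` bits are read without meeting a stop bit. A header line such as ` * code  return   (stop = 1)` before the first group would make the table readable on its own. Some rows as shown here (`10`, `01`) also seem to have lost the separator between the two columns.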



[FFmpeg-cvslog] avformat/nsvdec: Do not parse multiple NSVf

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Aug 16 12:23:20 2018 +0200| [5d7bab77de261dd70218ac311a8536b4d42b98e8] | 
committer: Michael Niedermayer

avformat/nsvdec: Do not parse multiple NSVf

The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch 
Tested-by: Paul Ch 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d7bab77de261dd70218ac311a8536b4d42b98e8
---

 libavformat/nsvdec.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 16d2fa59e2..3e7d815295 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -177,6 +177,7 @@ typedef struct NSVContext {
 AVRational framerate;
 uint32_t *nsvs_timestamps;
 //DVDemuxContext* dv_demux;
+int nsvf;
 } NSVContext;
 
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -280,6 +281,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 
 nsv->state = NSV_UNSYNC; /* in case we fail */
 
+if (nsv->nsvf) {
+av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+return 0;
+}
+nsv->nsvf = 1;
+
 size = avio_rl32(pb);
 if (size < 28)
 return -1;
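Review bot: `nsv->nsvf = 1` is set before the header has been validated, so the `size < 28` failure just below leaves the flag set and every later NSVf chunk is skipped; the same would hold for any later failure in nsv_parse_NSVf_header(), which continues outside the hunk. If only a successfully parsed header should count, the assignment belongs at the success return; if the first attempt should count regardless, a comment should say so. The repeated-header case is logged at AV_LOG_TRACE, which hides a malformed file from normal logs; `av_log(s, AV_LOG_WARNING, "Multiple NSVf\n");` would surface it. The new field in the first hunk would also benefit from `/* set once an NSVf header has been seen */`.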



[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix undefined shift in get_amv()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Sep 15 00:20:38 2018 +0200| [64bccfd11dde05f9bac18d0df8a34f03adb86ce9] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix undefined shift in get_amv()

Fixes: runtime error: shift exponent -1 is negative
Fixes: 
9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64bccfd11dde05f9bac18d0df8a34f03adb86ce9
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index def1df3f99..4d0db3dc73 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -539,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
 len >>= s->quarter_sample;
 
 if (s->real_sprite_warping_points == 1) {
-if (ctx->divx_version == 500 && ctx->divx_build == 413)
+if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= 
s->quarter_sample)
 sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
 else
 sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
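Review bot: The added `a >= s->quarter_sample` test silently sends the DivX 500 build 413 case to the generic RSHIFT() branch whenever the shift count would be negative, and nothing in get_amv() records that this is deliberate. Only the lower bound of the shift count is checked; whether `a - s->quarter_sample` can reach the width of int depends on how `a` is computed above the hunk. A comment such as `/* build 413 workaround only applies when the shift count is non-negative */` on the condition would help the next reader. The function starts and ends outside the hunk.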



[FFmpeg-cvslog] avcodec/vb: Check for end of bytestream before reading blocktype

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 20 22:19:23 2018 +0200| [2df51ffcb7f2f1ee14715e28793ef549b0a7f565] | 
committer: Michael Niedermayer

avcodec/vb: Check for end of bytestream before reading blocktype

Fixes: Timeout
Fixes: 
9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2df51ffcb7f2f1ee14715e28793ef549b0a7f565
---

 libavcodec/vb.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 021657f7d8..c6dd6fb456 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2   = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+if (bytestream2_get_bytes_left() < 1) {
+av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+return AVERROR_INVALIDDATA;
+}
 blocktypes = bytestream2_get_byte();
 }
 switch (blocktypes & 0xC0) {
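Review bot: The new check guards only the `blocktypes` byte that is read every fourth block; the reads inside the `switch` that follows are outside the hunk, so it cannot be confirmed from here that they are bounded as well. The error message also gives no position, which makes a rejected sample harder to triage. Assuming `blk` and `blocks` are plain ints, `av_log(c->avctx, AV_LOG_ERROR, "Insufficient data at block %d of %d\n", blk, blocks);` would cost nothing. vb_decode_framedata() continues past the end of the hunk.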



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow with motion vector residual

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Mon Aug 20 20:15:19 2018 +0200| [c6b7060137cfdf5536df95bb8e58bd30acc90b89] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow with motion vector residual

Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in 
type 'int'
Fixes: 
9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c6b7060137cfdf5536df95bb8e58bd30acc90b89
---

 libavcodec/snowdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 00fa064102..a9fe91d251 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int 
x, int y){
 return AVERROR_INVALIDDATA;
 }
 pred_mv(s, , , ref, left, top, tr);
-mx+= get_symbol(>c, >block_state[128 + 32*(mx_context + 
16*!!ref)], 1);
-my+= get_symbol(>c, >block_state[128 + 32*(my_context + 
16*!!ref)], 1);
+mx+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(mx_context + 16*!!ref)], 1);
+my+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(my_context + 16*!!ref)], 1);
 }
 set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type);
 }else{
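Review bot: The `(unsigned)` casts on the two `get_symbol()` results remove the undefined overflow, but `mx` and `my` can still wrap and are handed to `set_blocks()` on the next line without any range check in this hunk. If a later stage clamps motion vectors, that is outside the hunk; if not, an out-of-range vector should return AVERROR_INVALIDDATA like the check just above. At minimum the two lines deserve `/* unsigned add: wraparound is defined, value is not validated here */`. decode_q_branch() starts and ends outside the hunk.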



[FFmpeg-cvslog] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Fri Aug 17 02:06:27 2018 +0200| [59c463f4ccb0067545086dc986998f07e209d069] | 
committer: Michael Niedermayer

avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59c463f4ccb0067545086dc986998f07e209d069
---

 libavcodec/h264_refs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 97bf588b51..8c4e0fe725 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -807,6 +807,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h)
 }
 }
 
+// Detect unmarked random access points
 if (   err >= 0
 && h->long_ref_count==0
 && (   h->short_ref_count<=2



[FFmpeg-cvslog] avcodec/shorten: Check verbatim length

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug 12 22:43:33 2018 +0200| [f20a35a13e4b789ccdc0c4dba27025984792a623] | 
committer: Michael Niedermayer

avcodec/shorten: Check verbatim length

Fixes: Timeout
Fixes: 
9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20a35a13e4b789ccdc0c4dba27025984792a623
---

 libavcodec/shorten.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 94deb0a316..77d66189e4 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -613,6 +613,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, 
void *data,
 switch (cmd) {
 case FN_VERBATIM:
 len = get_ur_golomb_shorten(>gb, VERBATIM_CKSIZE_SIZE);
+if (len < 0 || len > get_bits_left(>gb)) {
+av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n",
+   len);
+return AVERROR_INVALIDDATA;
+}
 while (len--)
 get_ur_golomb_shorten(>gb, VERBATIM_BYTE_SIZE);
 break;
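Review bot: The new bound compares `len`, a count of verbatim bytes, with `get_bits_left()`, a count of bits, and no comment explains why that is the right limit. It holds as an upper bound only because every `get_ur_golomb_shorten(..., VERBATIM_BYTE_SIZE)` call in the loop consumes at least one bit. The real cost per byte is presumably higher, so the check is loose but enough to stop the long loop. I would add `/* each verbatim byte takes at least one bit, so len cannot exceed the bits left */` above the `if`. shorten_decode_frame() continues outside the hunk.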



[FFmpeg-cvslog] avcodec/ra144: Fix undefined integer overflow in add_wav()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug 26 02:26:24 2018 +0200| [a90f6d3e908b4cfff1387316131a5ac476dbb6d6] | 
committer: Michael Niedermayer

avcodec/ra144: Fix undefined integer overflow in add_wav()

Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 
'int'
Fixes: 
9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a90f6d3e908b4cfff1387316131a5ac476dbb6d6
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index cf8127c236..573703d70b 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
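Review bot: Only the `s1[i]*v[0]` product is moved to unsigned arithmetic; `s2[i]*v[1]`, `s3[i]*v[2]` and the additions in the same expression are still signed, and the `else` loop below is unchanged. Whether those terms can overflow depends on the ranges of `v[1]`, `v[2]`, `s2` and `s3`, which are set outside the hunk, so this may be safe, but the asymmetry is not explained. Doing the whole sum unsigned would remove the question: `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*(unsigned)v[1] + s3[i]*(unsigned)v[2]) >> 12;`, with the matching change in the `else` loop.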



[FFmpeg-cvslog] avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 22 21:26:24 2018 +0200| [ec7cf0c74f75089617696f7f6e6787760997dcc0] | 
committer: Michael Niedermayer

avcodec/diracdec: Check slice numbers for overflows in relation to picture 
dimensions

Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 
'int'
Fixes: 
9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec7cf0c74f75089617696f7f6e6787760997dcc0
---

 libavcodec/diracdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bc8aabecda..081a3118be 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1236,7 +1236,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
 else {
 s->num_x= get_interleaved_ue_golomb(gb);
 s->num_y= get_interleaved_ue_golomb(gb);
-if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > 
INT_MAX) {
+if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > 
INT_MAX ||
+s->num_x * (uint64_t)s->avctx->width  > INT_MAX ||
+s->num_y * (uint64_t)s->avctx->height > INT_MAX
+) {
 av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
 s->num_x = s->num_y = 0;
 return AVERROR_INVALIDDATA;
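Review bot: The first operand, `s->num_x * s->num_y == 0`, still multiplies in the fields' own type before any of the 64-bit range checks run, so the condition relies on that narrow product behaving sensibly for values taken straight from the bitstream. Testing the factors directly, `if (!s->num_x || !s->num_y || s->num_x * (uint64_t)s->num_y > INT_MAX ||`, gives the same answer without the narrow product. The declarations of `num_x` and `num_y` are not in the hunk, so whether the existing form can overflow or merely wraps is not visible here. The two added lines would also benefit from a short comment naming the later computation that the width and height products protect.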



[FFmpeg-cvslog] avformat/mov: Error on too large stsd entry counts.

2018-11-17 Thread Dale Curtis
ffmpeg | branch: release/3.2 | Dale Curtis  | Thu Aug 
30 15:18:25 2018 -0700| [a72d42b80ff4a9220cb20b2231d55ada0d6b0b3b] | committer: 
Michael Niedermayer

avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().

Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a72d42b80ff4a9220cb20b2231d55ada0d6b0b3b
---

 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 672a218bb0..272ef7b503 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2335,7 +2335,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb24(pb); /* flags */
 entries = avio_rb32(pb); /* entries */
 
-if (entries <= 0) {
+/* Each entry contains a size (4 bytes) and format (4 bytes). */
+if (entries <= 0 || entries > atom.size / 8) {
 av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
 return AVERROR_INVALIDDATA;
 }
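Review bot: The limit `entries > atom.size / 8` is looser than the new comment suggests if `atom.size` still counts the bytes consumed just above (the flags and entry count are visible, a version byte presumably precedes them), since those bytes cannot hold entries. Under that assumption the tight form is `if (entries <= 0 || entries > (atom.size - 8) / 8) {`; how `atom.size` is defined is outside the hunk and needs checking against the caller. The slack is a single entry, so the guard against oversized allocations works either way. mov_read_stsd() starts and ends outside the hunk.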



[FFmpeg-cvslog] avcodec/dvdsubdec: Sanity check len in decode_rle()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Thu Sep 13 03:33:50 2018 +0200| [7bcc4d7ea7b2a167dfa6cb9063bd452af4dce8f7] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Sanity check len in decode_rle()

Fixes: Timeout
Fixes: 
9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7bcc4d7ea7b2a167dfa6cb9063bd452af4dce8f7
---

 libavcodec/dvdsubdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 79cb0c4046..7bfd03a019 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 len = decode_run_8bit(, );
 else
 len = decode_run_2bit(, );
+if (len != INT_MAX && len > w - x)
+return AVERROR_INVALIDDATA;
 len = FFMIN(len, w - x);
 memset(d + x, color, len);
 x += len;
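Review bot: The new test treats `INT_MAX` as a special run length, but that meaning is not stated anywhere in the hunk, and the `FFMIN(len, w - x)` on the next line now only has an effect for that one value. Presumably the decode_run helpers return INT_MAX for a run that fills the rest of the line; that should be written down, for example `/* INT_MAX = run to end of line; any other run must fit in the row */`. A negative `len` is not rejected by the condition and would reach `memset()`; whether the helpers can return one is outside the hunk, and `if (len != INT_MAX && (len < 0 || len > w - x))` would settle it. decode_rle() starts and ends outside the hunk.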



[FFmpeg-cvslog] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 22 21:42:16 2018 +0200| [7a7a6bf8e25054f599d274831f6993ac86267cf2] | 
committer: Michael Niedermayer

avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too

Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 
'int'
Fixes: 
9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a7a6bf8e25054f599d274831f6993ac86267cf2
---

 libavcodec/diracdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 081a3118be..33927c26b3 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -979,6 +979,10 @@ static int decode_lowdelay(DiracContext *s)
 for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
 bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / 
s->lowdelay.bytes.den
- slice_num* (int64_t)s->lowdelay.bytes.num / 
s->lowdelay.bytes.den;
+if (bytes >= INT_MAX || bytes*8 > bufsize) {
+av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+return AVERROR_INVALIDDATA;
+}
 slices[slice_num].bytes   = bytes;
 slices[slice_num].slice_x = slice_x;
 slices[slice_num].slice_y = slice_y;
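Review bot: `bytes*8 > bufsize` repeats, inside the check meant to prevent it, the kind of multiplication that the commit message reports as overflowing. If `bytes` is a 32-bit int (its declaration is outside the hunk), a value between INT_MAX/8 and INT_MAX passes the first test and overflows in the second. Dividing avoids this whatever the type, and is equivalent because the loop condition keeps `bufsize` positive: `if (bytes >= INT_MAX || bytes > bufsize / 8) {`. A negative `bytes` is also accepted by this condition; whether the rational can produce one is not visible here.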



[FFmpeg-cvslog] avcodec/mpegaudio_parser: Initialize poutbuf*

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug  5 14:51:36 2018 +0200| [1a9810dde019dba2fc4c11b7ac56533f85963ac7] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Initialize poutbuf*

Possibly fixes: null pointer dereference
Possibly fixes: 
9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 
9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a9810dde019dba2fc4c11b7ac56533f85963ac7
---

 libavcodec/mpegaudio_parser.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index 8c39825792..a072851ecf 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx,
 "MP3ADU full parser");
+*poutbuf = NULL;
+*poutbuf_size = 0;
 return 0; /* parsers must not return error codes */
 }
 
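Review bot: `*poutbuf` and `*poutbuf_size` are cleared only on this MP3ADU early return, so any other path in mpegaudio_parse() that returns before assigning them would leave the caller with stale values in the same way. The rest of the function is outside the hunk, so this may already be covered, but clearing both at the top of the function would make it hold for every path. The commit message itself says "Possibly fixes", which suggests the root cause was not pinned down; a comment such as `/* outputs must be valid even when nothing is parsed */` above the two assignments would state the contract.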



[FFmpeg-cvslog] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 29 12:40:48 2018 +0200| [09800cbc0105d734c9974f7a5c835f2346026d5e] | 
committer: Michael Niedermayer

avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

Fixes: Timeout
Fixes: 
9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09800cbc0105d734c9974f7a5c835f2346026d5e
---

 libavcodec/qtrle.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 1b0d2016b5..cd8301d143 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int 
row_ptr,
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (num_pixels * (bytestream2_get_byte(>g) - 1));
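Review bot: The new `return` ends the row loop silently when the bytestream runs out, and the same two lines are added to qtrle_decode_8bpp(), qtrle_decode_16bpp(), qtrle_decode_24bpp() and qtrle_decode_32bpp() in the following hunks. Because these functions return void, the caller cannot tell a truncated frame from a complete one, and nothing is logged. A log line before the return, for example `av_log(s->avctx, AV_LOG_WARNING, "RLE data ends early\n");`, would at least make truncated input visible. The check also runs after the code byte has been read, so it tests for the operand byte that follows; a comment saying so would keep it from being moved above the read. All five loops continue outside their hunks.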
@@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, 
int lines_to_change)
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (4 * (bytestream2_get_byte(>g) - 1));
@@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 2;
@@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 3;
@@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 4;



[FFmpeg-cvslog] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 22 20:45:39 2018 +0200| [6ebb8f5ab5663dc55f5fd8b66b54d30bab7b79f6] | 
committer: Michael Niedermayer

avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the 
bitstream and we also have a -1 special case

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ebb8f5ab5663dc55f5fd8b66b54d30bab7b79f6
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index f2bc8e6959..bc8aabecda 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -139,7 +139,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 AVDiracSeqHeader seq;
 int seen_sequence_header;
-int frame_number;   /* number of the next frame to display   */
+int64_t frame_number;   /* number of the next frame to display   */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
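Review bot: The field comment on `frame_number` was left unchanged although the reason for the wider type exists only in the commit message. Something like `int64_t frame_number; /* next frame to display; 64-bit: 32-bit picture number + 1, and -1 as special value */` would keep that next to the declaration. Uses of the field elsewhere in the file, such as comparisons or format strings written for `int`, are outside both hunks and should be checked against the new type.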
@@ -2294,7 +2294,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 }
 
 if (*got_frame)
-s->frame_number = picture->display_picture_number + 1;
+s->frame_number = picture->display_picture_number + 1LL;
 
 return buf_idx;
 }



[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Jul 28 10:59:09 2018 +0200| [cc9263c2e165c4c46a55ee643aae1a6da14f4a96] | 
committer: Michael Niedermayer

avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()

Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented 
in type 'int'
Fixes: 
8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc9263c2e165c4c46a55ee643aae1a6da14f4a96
---

 libavcodec/aacpsdsp_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c
index 8f72624559..b924148e0f 100644
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], 
INTFLOAT (*r)[2],
 INTFLOAT h1 = h[0][1];
 INTFLOAT h2 = h[0][2];
 INTFLOAT h3 = h[0][3];
-INTFLOAT hs0 = h_step[0][0];
-INTFLOAT hs1 = h_step[0][1];
-INTFLOAT hs2 = h_step[0][2];
-INTFLOAT hs3 = h_step[0][3];
+UINTFLOAT hs0 = h_step[0][0];
+UINTFLOAT hs1 = h_step[0][1];
+UINTFLOAT hs2 = h_step[0][2];
+UINTFLOAT hs3 = h_step[0][3];
 int n;
 
 for (n = 0; n < len; n++) {
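Review bot: `hs0`..`hs3` are now UINTFLOAT while `h0`..`h3` directly above stay INTFLOAT, and there is no comment explaining the mixed types. The additions that use them are in the loop body outside the hunk. Presumably the unsigned type makes the step accumulation wrap instead of overflow in the fixed-point build and changes nothing in the float build. A line such as `/* UINTFLOAT: step additions may wrap in the fixed-point build */` above the four declarations would record that.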



[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow in residual/LPC combination

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Aug 12 22:55:59 2018 +0200| [eba99acdf2673c07b43617f60b449f29b0a6177e] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow in residual/LPC combination

Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented 
in type 'int'
Fixes: 
9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eba99acdf2673c07b43617f60b449f29b0a6177e
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 77d66189e4..17a3cce0df 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 for (j = 0; j < pred_order; j++)
 sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
- (sum >> qshift);
+ (unsigned)(sum >> qshift);
 }
 
 /* add offset to current samples */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] avformat/flvenc: Check audio packet size

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sat Jul 28 15:03:50 2018 +0200| [1b283238226bf2ff1f328ab4811375240224b346] | 
committer: Michael Niedermayer

avformat/flvenc: Check audio packet size

Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf

Found-by: #CHEN HONGXU# 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b283238226bf2ff1f328ab4811375240224b346
---

 libavformat/flvenc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index e50f8e4519..3bb7a216a4 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -575,6 +575,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 uint8_t *data = NULL;
 int flags = -1, flags_size, ret;
 
+if (par->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) {
+av_log(s, AV_LOG_WARNING, "Empty audio Packet\n");
+return AVERROR(EINVAL);
+}
+
 if (par->codec_id == AV_CODEC_ID_VP6F || par->codec_id == AV_CODEC_ID_VP6A 
||
 par->codec_id == AV_CODEC_ID_VP6  || par->codec_id == AV_CODEC_ID_AAC)
 flags_size = 2;
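Review bot: The new check logs at AV_LOG_WARNING but then fails the write with `AVERROR(EINVAL)`, so the severity of the message does not match the outcome. If an empty audio packet is an error, `av_log(s, AV_LOG_ERROR, "Empty audio Packet\n");` fits. If it is tolerable, the packet should be skipped with `return 0`. Which of the two callers expect is not visible from the hunk, and flv_write_packet() continues outside it.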



[FFmpeg-cvslog] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 22 18:58:34 2018 +0200| [8ed1874dab710b06227aa87241b7f56b27140883] | 
committer: Michael Niedermayer

avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 
'int'
Fixes: 
8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8ed1874dab710b06227aa87241b7f56b27140883
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 9739886854..f2bc8e6959 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1393,8 +1393,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);



[FFmpeg-cvslog] swresample/swresample: Fix input channel count in resample_first computation

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Tue Jul 24 22:44:12 2018 +0200| [430405eb0bd0135bb1efafac06aeddae44c02ae6] | 
committer: Michael Niedermayer

swresample/swresample: Fix input channel count in resample_first computation

Found-by: Marcin Gorzel 
Reviewed-by: Marcin Gorzel 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=430405eb0bd0135bb1efafac06aeddae44c02ae6
---

 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index a7010c391e..d2dbe75238 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -319,7 +319,7 @@ av_cold int swr_init(struct SwrContext *s){
 
 av_assert0(s->used_ch_count);
 av_assert0(s->out.ch_count);
-s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
+s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
 
 s->in_buffer= s->in;
 s->silence  = s->in;
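Review bot: The left-hand side of the `resample_first` comparison, `RSC*s->out.ch_count/s->used_ch_count - RSC`, is evaluated in integer arithmetic if `RSC` is an integer constant (its definition is outside the hunk), so the channel ratio is truncated before it is compared with the floating-point rate ratio on the right. If the truncation is intended, a short comment saying so would help; otherwise `RSC*s->out.ch_count/(float)s->used_ch_count` keeps both sides in the same domain. The `av_assert0(s->used_ch_count)` above covers the integer divisor, but nothing in the hunk shows `s->in_sample_rate` being checked before the float division. swr_init's body starts and ends outside the hunk.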



[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Sun Jul 22 19:11:04 2018 +0200| [33ee198cdbb2c3b844513e7290709c85dd86fbea] | 
committer: Michael Niedermayer

avcodec/dirac_dwt_template: Fix several integer overflows in 
horizontal_compose_daub97i()

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33ee198cdbb2c3b844513e7290709c85dd86fbea
---

 libavcodec/dirac_dwt_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 2369c8d15b..5d55d932a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t 
*_b, uint8_t *_temp, int
 
 // second stage combined with interleave and shift
 b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
-b[0] = (b0 + 1) >> 1;
+b[0] = ~((~b0) >> 1);
 for (x = 1; x < w2; x++) {
 b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]);
 b1 = COMPOSE_DAUB97iH0(  b0, temp[x+w2-1], b2);
-b[2*x-1] = (b1 + 1) >> 1;
-b[2*x  ] = (b2 + 1) >> 1;
+b[2*x-1] = ~((~b1) >> 1);
+b[2*x  ] = ~((~b2) >> 1);
 b0 = b2;
 }
-b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
 }
 
 static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, 
uint8_t *_b2,
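Review bot: `~((~b0) >> 1)` does not compute the same value as the `(b0 + 1) >> 1` it replaces: complementing before and after a right shift cancels out, so with an arithmetic shift the new expression equals `b0 >> 1` and the round-half-up is lost for odd inputs (b0 = 1 gave 1 before and gives 0 now). The same applies to the `b[2*x-1]`, `b[2*x]` and `b[w-1]` lines. If the rounding was meant to be kept, an overflow-free form is `b[0] = (b0 >> 1) + (b0 & 1);`, which matches `(b0 + 1) >> 1` for every value including INT_MAX, given the arithmetic shift of negative values the old code already relied on. If dropping the rounding is intentional, the commit message and a comment should say so, because it changes decoder output. The declarations of b0, b1 and b2 and the start of the function are outside the hunk, so their exact type should be confirmed.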



[FFmpeg-cvslog] avutil/pixfmt: Document chroma plane size for odd resolutions

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.2 | Michael Niedermayer  | 
Wed Jul 18 22:22:35 2018 +0200| [b130cdb92332f94f9006544f8a47970d85013b46] | 
committer: Michael Niedermayer

avutil/pixfmt: Document chroma plane size for odd resolutions

Signed-off-by: Michael Niedermayer 
(cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b130cdb92332f94f9006544f8a47970d85013b46
---

 libavutil/pixfmt.h | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h
index 7a3f68be7e..2b8f8129eb 100644
--- a/libavutil/pixfmt.h
+++ b/libavutil/pixfmt.h
@@ -42,6 +42,10 @@
  * This is stored as BGRA on little-endian CPU architectures and ARGB on
  * big-endian CPUs.
  *
+ * @note
+ * If the resolution is not a multiple of the chroma subsampling factor
+ * then the chroma plane resolution must be rounded up.
+ *
  * @par
  * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized
  * image data is stored in AVFrame.data[0]. The palette is transported in



[FFmpeg-cvslog] [ffmpeg-web] branch master updated. f17e468 web: Add FFmpeg 3.3.9

2018-11-17 Thread ffmpeg-git
The branch, master has been updated
   via  f17e4685e464ed07a201c59d7bfc5ff6ca9497bb (commit)
  from  b847b31d71105bd0e537c119899f7284d1442a47 (commit)


- Log -
commit f17e4685e464ed07a201c59d7bfc5ff6ca9497bb
Author: Michael Niedermayer 
AuthorDate: Sun Nov 18 02:18:56 2018 +0100
Commit: Michael Niedermayer 
CommitDate: Sun Nov 18 02:19:21 2018 +0100

web: Add FFmpeg 3.3.9

diff --git a/src/download b/src/download
index d4ef0d0..cf05273 100644
--- a/src/download
+++ b/src/download
@@ -381,10 +381,10 @@ libpostproc54.  7.100
  

 
-  FFmpeg 3.3.8 "Hilbert"
+  FFmpeg 3.3.9 "Hilbert"
 
   
-3.3.8 was released on 2018-07-17. It is the latest stable FFmpeg release
+3.3.9 was released on 2018-11-18. It is the latest stable FFmpeg release
 from the 3.3 release branch, which was cut from master on 2017-04-02.
   
   It includes the following library versions:
@@ -402,19 +402,19 @@ libpostproc54.  5.100
 
   
 
-  Download 
xz tarball
-  PGP 
signature
+  Download 
xz tarball
+  PGP 
signature
  
 
-  Download 
bzip2 tarball
-  PGP 
signature
+  Download 
bzip2 tarball
+  PGP 
signature
  
 
-  Download 
gzip tarball
-  PGP 
signature
+  Download 
gzip tarball
+  PGP 
signature
  
 
-  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.8;>Changelog
+  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.9;>Changelog
   https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.3:/RELEASE_NOTES;>Release
 Notes
  

diff --git a/src/security b/src/security
index 748a447..3ed5880 100644
--- a/src/security
+++ b/src/security
@@ -129,6 +129,14 @@ CVE-2017-17081, 127a362630e11fe724e2e63fc871791fdcbcfa64
 
 FFmpeg 3.3
 
+3.3.9
+
+Fixes following vulnerabilities:
+
+
+CVE-2018-15822, 0026d007428a1ef5cd4e8f54bafc54c0306beab9 / 
6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10
+
+
 3.3.8
 
 Fixes following vulnerabilities:

---

Summary of changes:
 src/download | 18 +-
 src/security |  8 
 2 files changed, 17 insertions(+), 9 deletions(-)


hooks/post-receive
-- 



[FFmpeg-cvslog] Tag n3.3.9 : FFmpeg 3.3.9 release

2018-11-17 Thread git
[ffmpeg] [branch: refs/tags/n3.3.9]
Tag:cc75da0e05c3981062b2e90a9ea9c609651df39b
> http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=cc75da0e05c3981062b2e90a9ea9c609651df39b

Tagger: Michael Niedermayer 
Date:   Sun Nov 18 02:02:36 2018 +0100

FFmpeg 3.3.9 release


[FFmpeg-cvslog] fftools/ffmpeg: Repair reinit_filter feature

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Nov 13 20:29:40 2018 +0100| [3c4a874388a903abc03954c9d5220a47a5e11df6] | 
committer: Michael Niedermayer

fftools/ffmpeg: Repair reinit_filter feature

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c4a874388a903abc03954c9d5220a47a5e11df6
---

 ffmpeg.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ffmpeg.c b/ffmpeg.c
index eb0f8b7c9c..b0ac1c6708 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2154,9 +2154,6 @@ static int ifilter_send_frame(InputFilter *ifilter, 
AVFrame *frame)
 
 /* determine if the parameters for this input changed */
 need_reinit = ifilter->format != frame->format;
-if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
-(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != 
frame->hw_frames_ctx->data))
-need_reinit = 1;
 
 switch (ifilter->ist->st->codecpar->codec_type) {
 case AVMEDIA_TYPE_AUDIO:
@@ -2170,6 +2167,13 @@ static int ifilter_send_frame(InputFilter *ifilter, 
AVFrame *frame)
 break;
 }
 
+if (!ifilter->ist->reinit_filters && fg->graph)
+need_reinit = 0;
+
+if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
+(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != 
frame->hw_frames_ctx->data))
+need_reinit = 1;
+
 if (need_reinit) {
 ret = ifilter_parameters_from_frame(ifilter, frame);
 if (ret < 0)
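Review bot: The order of the two added blocks is what makes this work, and nothing in the code says so: `need_reinit = 0` is applied when `reinit_filters` is off, and only then does the hw_frames_ctx comparison force it back to 1. A comment above the moved block, e.g. `/* a changed hw frames context must force a reinit even when reinit_filters is disabled */`, would keep someone from reordering or merging them. It would also help to state next to `need_reinit = 0` that the format and parameter changes detected in the switch above are deliberately ignored once `fg->graph` exists, so frames with new parameters reach a graph configured for the old ones. `fg` is declared outside the hunk, as is the rest of ifilter_send_frame.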



[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Nov  9 19:59:27 2018 +0100| [26610256798174b0216ae807d92af3e712b99040] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow with offset

Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented 
in type 'int'
Fixes: 
10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26610256798174b0216ae807d92af3e712b99040
---

 libavcodec/shorten.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index fa5ed3b64b..181d89f021 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* subtract offset from previous samples to use in prediction */
 if (command == FN_QLPC && coffset)
 for (i = -pred_order; i < 0; i++)
-s->decoded[channel][i] -= coffset;
+s->decoded[channel][i] -= (unsigned)coffset;
 
 /* decode residual and do LPC prediction */
 init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
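Review bot: The `(unsigned)coffset` cast here and in the second hunk (`+= (unsigned)coffset`) removes the signed-overflow undefined behaviour by letting the value wrap, but the wrapped sample is then stored and used for prediction as if it were valid. A comment on both lines, e.g. `/* unsigned: wrap instead of signed overflow on out-of-range input */`, would record why the cast is there. If the element type of `s->decoded` is a signed 32-bit type (not visible in the hunk), the store back is an implementation-defined conversion rather than undefined behaviour. decode_subframe_lpc starts outside both hunks.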
@@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* add offset to current samples */
 if (command == FN_QLPC && coffset)
 for (i = 0; i < s->blocksize; i++)
-s->decoded[channel][i] += coffset;
+s->decoded[channel][i] += (unsigned)coffset;
 
 return 0;
 }



[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Oct 28 21:08:39 2018 +0100| [ecbf42e13a682481deb83eb4e63d56fe87a4b356] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported 
mp3adu case

Fixes: Timeout
Fixes: 
10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896
Fixes: 
10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ecbf42e13a682481deb83eb4e63d56fe87a4b356
---

 libavcodec/mpegaudio_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index a072851ecf..04400a44e7 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 "MP3ADU full parser");
 *poutbuf = NULL;
 *poutbuf_size = 0;
-return 0; /* parsers must not return error codes */
+return buf_size; /* parsers must not return error 
codes */
 }
 
 break;
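Review bot: The trailing comment `/* parsers must not return error codes */` explained the old `return 0;` and no longer explains `return buf_size;`, which now discards the whole input buffer while `*poutbuf` is NULL. Something like `return buf_size; /* drop the unsupported data; parsers must not return error codes */` would state the intent. If `buf_size` can be 0 on this path (for example at end of stream), the function still consumes nothing, so the caller's handling of that case is worth confirming. mpegaudio_parse begins outside the hunk.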



[FFmpeg-cvslog] Changelog: update

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov 18 01:33:38 2018 +0100| [9cba90e5ef03f741074d45e3e68741d26c6c1741] | 
committer: Michael Niedermayer

Changelog: update

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9cba90e5ef03f741074d45e3e68741d26c6c1741
---

 Changelog | 5 +
 1 file changed, 5 insertions(+)

diff --git a/Changelog b/Changelog
index ea75538f17..126772a013 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 3.3.9:
+- avcodec/pngdec: Check compression method
+- fftools/ffmpeg: Repair reinit_filter feature
+- avcodec/shorten: Fix integer overflow with offset
+- avcodec/cavsdec: Propagate error codes inside decode_mb_i()
+- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the 
unsupported mp3adu case
 - avutil/integer: Fix integer overflow in av_mul_i()
 - avcodec/msrle: Check that the input is large enough to contain a end of 
picture code
 - avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling



[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov  4 20:00:16 2018 +0100| [14c8795361a8b59c575cdce60961d9086aedd2b4] | 
committer: Michael Niedermayer

avcodec/cavsdec: Propagate error codes inside decode_mb_i()

Fixes: Timeout
Fixes: 
10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14c8795361a8b59c575cdce60961d9086aedd2b4
---

 libavcodec/cavsdec.c | 29 +
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 79349b5005..b4ec6e996a 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, 
GetBitContext *gb,
 }
 
 
-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
-if (h->cbp & (1 << 4))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (h->cbp & (1 << 4)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-if (h->cbp & (1 << 5))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (ret < 0)
+return ret;
+}
+if (h->cbp & (1 << 5)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+if (ret < 0)
+return ret;
+}
+return 0;
 }
 
 static inline int decode_residual_inter(AVSContext *h)
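Review bot: `decode_residual_chroma()` changes from `void` to `int`, and a call site that is not updated will keep compiling while silently dropping the error. The later hunks update the call in decode_mb_i(); any other callers in the file (none are visible here) should get the same `if (ret < 0) return ret;` treatment, or the function could be marked `av_warn_unused_result` so the compiler reports them. In decode_mb_i() the new early return also skips `ff_cavs_filter(h, I_8X8)` and `set_mv_intra(h)`, so the caller is presumably expected to abandon the rest of the picture on error; that is outside the diff and worth confirming.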
@@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 uint8_t top[18];
 uint8_t *left = NULL;
 uint8_t *d;
+int ret;
 
 ff_cavs_init_mb(h);
 
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 ff_cavs_load_intra_pred_luma(h, top, , block);
 h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
 (d, top, left, h->l_stride);
-if (h->cbp & (1l_stride);
+if (h->cbp & (1l_stride);
+if (ret < 0)
+return ret;
+}
 }
 
 /* chroma intra prediction */
@@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10],
   h->left_border_v, h->c_stride);
 
-decode_residual_chroma(h);
+ret = decode_residual_chroma(h);
+if (ret < 0)
+return ret;
 ff_cavs_filter(h, I_8X8);
 set_mv_intra(h);
 return 0;



[FFmpeg-cvslog] avcodec/pngdec: Check compression method

2018-11-17 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Nov  9 03:12:45 2018 +0100| [14778d3fda0a1fe83d6f40cd8ee1dcf4199b1f98] | 
committer: Michael Niedermayer

avcodec/pngdec: Check compression method

Method 0 (inflate/deflate) is the only compression method defined by the 
specification and the only one supported

Fixes: Timeout
Fixes: 
10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14778d3fda0a1fe83d6f40cd8ee1dcf4199b1f98
---

 libavcodec/pngdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 67a6e3f9d0..e25239780a 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -577,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
 }
 s->color_type   = bytestream2_get_byte(>gb);
 s->compression_type = bytestream2_get_byte(>gb);
+if (s->compression_type) {
+av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", 
s->compression_type);
+goto error;
+}
 s->filter_type  = bytestream2_get_byte(>gb);
 s->interlace_type   = bytestream2_get_byte(>gb);
 bytestream2_skip(>gb, 4); /* crc */
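Review bot: The new check rejects a non-zero `compression_type`, but the `filter_type` byte read on the next line gets no equivalent validation in this hunk, although the PNG specification likewise defines only filter method 0. If it is not validated elsewhere in decode_ihdr_chunk (the function starts and ends outside the hunk), a matching `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }` after the read would reject malformed headers at the same point. `interlace_type` is in the same position, with 0 and 1 as the defined values.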



[FFmpeg-cvslog] avfilter: use av_clip_uintp2 instead of av_clip for 10b and 12b

2018-11-17 Thread Martin Vignali
ffmpeg | branch: master | Martin Vignali  | Sat Nov 
17 17:57:27 2018 +0100| [d3621b232142165d6641708de14c51b78bf2b2df] | committer: 
Paul B Mahol

avfilter: use av_clip_uintp2 instead of av_clip for 10b and 12b

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3621b232142165d6641708de14c51b78bf2b2df
---

 libavfilter/vf_blend.c | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavfilter/vf_blend.c b/libavfilter/vf_blend.c
index c00773c924..80d3e24699 100644
--- a/libavfilter/vf_blend.c
+++ b/libavfilter/vf_blend.c
@@ -326,15 +326,15 @@ DEFINE_BLEND16(linearlight,av_clip_uint16((B < 32768) ? B 
+ 2 * A - 65535 : B +
 #define DODGE(a, b)   (((a) == 1023) ? (a) : FFMIN(1023, (((b) << 10) / 
(1023 - (a)
 
 DEFINE_BLEND16(addition,   FFMIN(1023, A + B), 10)
-DEFINE_BLEND16(grainmerge, av_clip(A + B - 512, 0, 1023), 10)
+DEFINE_BLEND16(grainmerge, (int)av_clip_uintp2(A + B - 512, 10), 10)
 DEFINE_BLEND16(average,(A + B) / 2, 10)
 DEFINE_BLEND16(subtract,   FFMAX(0, A - B), 10)
 DEFINE_BLEND16(multiply,   MULTIPLY(1, A, B), 10)
-DEFINE_BLEND16(multiply128, av_clip((A - 512) * B / 128. + 512, 0, 1023), 10)
+DEFINE_BLEND16(multiply128, (int)av_clip_uintp2((A - 512) * B / 128. + 512, 
10), 10)
 DEFINE_BLEND16(negation,   1023 - FFABS(1023 - A - B), 10)
 DEFINE_BLEND16(extremity,  FFABS(1023 - A - B), 10)
 DEFINE_BLEND16(difference, FFABS(A - B), 10)
-DEFINE_BLEND16(grainextract, av_clip(512 + A - B, 0, 1023), 10)
+DEFINE_BLEND16(grainextract, (int)av_clip_uintp2(512 + A - B, 10), 10)
 DEFINE_BLEND16(screen, SCREEN(1, A, B), 10)
 DEFINE_BLEND16(overlay,(A < 512) ? MULTIPLY(2, A, B) : SCREEN(2, A, B), 10)
 DEFINE_BLEND16(hardlight,  (B < 512) ? MULTIPLY(2, B, A) : SCREEN(2, B, A), 10)
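Review bot: The `(int)` cast in front of every `av_clip_uintp2()` call is not explained, and it looks load-bearing: av_clip_uintp2() returns an unsigned value, and if DEFINE_BLEND16 uses the expression in signed arithmetic (the macro body is outside the diff), an unsigned result would change how a subtraction against it behaves. A one-line comment above the 10-bit block, e.g. `/* av_clip_uintp2() returns unsigned; cast back so the blend arithmetic stays signed */`, would cover this hunk and the 12-bit hunks further down. For `multiply128` the argument is a floating-point expression that is converted to int at the call, as it was with av_clip().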
@@ -343,7 +343,7 @@ DEFINE_BLEND16(heat,   (A == 0) ? 0 : 1023 - 
FFMIN(((1023 - B) * (1023 - B))
 DEFINE_BLEND16(freeze, (B == 0) ? 0 : 1023 - FFMIN(((1023 - A) * (1023 - 
A)) / B, 1023), 10)
 DEFINE_BLEND16(darken, FFMIN(A, B), 10)
 DEFINE_BLEND16(lighten,FFMAX(A, B), 10)
-DEFINE_BLEND16(divide, av_clip(B == 0 ? 1023 : 1023 * A / B, 0, 1023), 10)
+DEFINE_BLEND16(divide, (int)av_clip_uintp2(B == 0 ? 1023 : 1023 * A / B, 
10), 10)
 DEFINE_BLEND16(dodge,  DODGE(A, B), 10)
 DEFINE_BLEND16(burn,   BURN(A, B), 10)
 DEFINE_BLEND16(softlight,  (A > 511) ? B + (1023 - B) * (A - 511.5) / 511.5 * 
(0.5 - fabs(B - 511.5) / 1023): B - B * ((511.5 - A) / 511.5) * (0.5 - fabs(B - 
511.5)/1023), 10)
@@ -356,7 +356,7 @@ DEFINE_BLEND16(and,A & B, 10)
 DEFINE_BLEND16(or, A | B, 10)
 DEFINE_BLEND16(xor,A ^ B, 10)
 DEFINE_BLEND16(vividlight, (A < 512) ? BURN(2 * A, B) : DODGE(2 * (A - 512), 
B), 10)
-DEFINE_BLEND16(linearlight,av_clip((B < 512) ? B + 2 * A - 1023 : B + 2 * (A - 
512), 0, 1023), 10)
+DEFINE_BLEND16(linearlight,(int)av_clip_uintp2((B < 512) ? B + 2 * A - 1023 : 
B + 2 * (A - 512), 10), 10)
 
 #undef MULTIPLY
 #undef SCREEN
@@ -369,15 +369,15 @@ DEFINE_BLEND16(linearlight,av_clip((B < 512) ? B + 2 * A 
- 1023 : B + 2 * (A - 5
 #define DODGE(a, b)   (((a) == 4095) ? (a) : FFMIN(4095, (((b) << 12) / 
(4095 - (a)
 
 DEFINE_BLEND16(addition,   FFMIN(4095, A + B), 12)
-DEFINE_BLEND16(grainmerge, av_clip(A + B - 2048, 0, 4095), 12)
+DEFINE_BLEND16(grainmerge, (int)av_clip_uintp2(A + B - 2048, 12), 12)
 DEFINE_BLEND16(average,(A + B) / 2, 12)
 DEFINE_BLEND16(subtract,   FFMAX(0, A - B), 12)
 DEFINE_BLEND16(multiply,   MULTIPLY(1, A, B), 12)
-DEFINE_BLEND16(multiply128, av_clip((A - 2048) * B / 512. + 2048, 0, 4095), 12)
+DEFINE_BLEND16(multiply128, (int)av_clip_uintp2((A - 2048) * B / 512. + 2048, 
12), 12)
 DEFINE_BLEND16(negation,   4095 - FFABS(4095 - A - B), 12)
 DEFINE_BLEND16(extremity,  FFABS(4095 - A - B), 12)
 DEFINE_BLEND16(difference, FFABS(A - B), 12)
-DEFINE_BLEND16(grainextract, av_clip(2048 + A - B, 0, 4095), 12)
+DEFINE_BLEND16(grainextract, (int)av_clip_uintp2(2048 + A - B, 12), 12)
 DEFINE_BLEND16(screen, SCREEN(1, A, B), 12)
 DEFINE_BLEND16(overlay,(A < 2048) ? MULTIPLY(2, A, B) : SCREEN(2, A, B), 
12)
 DEFINE_BLEND16(hardlight,  (B < 2048) ? MULTIPLY(2, B, A) : SCREEN(2, B, A), 
12)
@@ -386,7 +386,7 @@ DEFINE_BLEND16(heat,   (A == 0) ? 0 : 4095 - 
FFMIN(((4095 - B) * (4095 - B))
 DEFINE_BLEND16(freeze, (B == 0) ? 0 : 4095 - FFMIN(((4095 - A) * (4095 - 
A)) / B, 4095), 12)
 DEFINE_BLEND16(darken, FFMIN(A, B), 12)
 DEFINE_BLEND16(lighten,FFMAX(A, B), 12)
-DEFINE_BLEND16(divide, av_clip(B == 0 ? 4095 : 4095 * A / B, 0, 4095), 12)
+DEFINE_BLEND16(divide, (int)av_clip_uintp2(B == 0 ? 4095 : 4095 * A / B, 
12), 12)
 DEFINE_BLEND16(dodge,  DODGE(A, B), 12)
 DEFINE_BLEND16(burn,   BURN(A, B), 12)
 DEFINE_BLEND16(softlight,  (A > 2047) ? B + (4095 - B) * (A - 2047.5) / 2047.5 
* (0.5 - fabs(B - 2047.5) / 4095): B - B * ((2047.5 - A) / 2047.5) * (0.5 - 
fabs(B - 2047.5)/4095), 12)
@@ -399,7 +399,7 @@ DEFINE_BLEND16(and,A & B, 12)
 DEFINE_BLEND16(or,  

[FFmpeg-cvslog] avutil/cuda_check: Make sure this passes make fate-source

2018-11-17 Thread Philip Langdale
ffmpeg | branch: master | Philip Langdale  | Sat Nov 17 
08:16:28 2018 -0800| [420ab946ace27e4b4bfb6c2be0a65a4ffd6e05a1] | committer: 
Philip Langdale

avutil/cuda_check: Make sure this passes make fate-source

The header guards were unnecessarily non-standard and the c file
inclusion trick means the files don't have standard licence
headers.

Based on a patch by: Martin Vignali 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=420ab946ace27e4b4bfb6c2be0a65a4ffd6e05a1
---

 libavutil/cuda_check.h | 6 +++---
 tests/ref/fate/source  | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavutil/cuda_check.h b/libavutil/cuda_check.h
index 0d45538c2f..b8e5f65cbb 100644
--- a/libavutil/cuda_check.h
+++ b/libavutil/cuda_check.h
@@ -17,8 +17,8 @@
  */
 
 
-#ifndef FF_CUDA_CHECK_H
-#define FF_CUDA_CHECK_H
+#ifndef AVUTIL_CUDA_CHECK_H
+#define AVUTIL_CUDA_CHECK_H
 
 /**
  * Wrap a CUDA function call and print error information if it fails.
@@ -40,4 +40,4 @@ int ff_cuda_check(void *avctx,
 
 #define FF_CUDA_CHECK_DL(avclass, cudl, x) ff_cuda_check(avclass, 
cudl->cuGetErrorName, cudl->cuGetErrorString, (x), #x)
 
-#endif /* FF_CUDA_CHECK_H */
+#endif /* AVUTIL_CUDA_CHECK_H */
diff --git a/tests/ref/fate/source b/tests/ref/fate/source
index 4b9467aa77..b35f016127 100644
--- a/tests/ref/fate/source
+++ b/tests/ref/fate/source
@@ -1,6 +1,7 @@
 Files without standard license headers:
 compat/avisynth/windowsPorts/basicDataTypeConversions.h
 compat/avisynth/windowsPorts/windows2linux.h
+libavcodec/cuda_check.c
 libavcodec/file_open.c
 libavcodec/ilbcdata.h
 libavcodec/ilbcdec.c
@@ -9,6 +10,7 @@ libavcodec/log2_tab.c
 libavcodec/reverse.c
 libavdevice/file_open.c
 libavdevice/reverse.c
+libavfilter/cuda_check.c
 libavfilter/log2_tab.c
 libavformat/file_open.c
 libavformat/golomb_tab.c



[FFmpeg-cvslog] avfilter/vf_neighbor: fix >8 bit deflate/inflate

2018-11-17 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sat Nov 17 11:07:58 
2018 +0100| [fbea2ea76ef9ec7119e91783bd7e460b2404df12] | committer: Paul B Mahol

avfilter/vf_neighbor: fix >8 bit deflate/inflate

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbea2ea76ef9ec7119e91783bd7e460b2404df12
---

 libavfilter/vf_neighbor.c | 43 +++
 1 file changed, 27 insertions(+), 16 deletions(-)

diff --git a/libavfilter/vf_neighbor.c b/libavfilter/vf_neighbor.c
index 2db1e5e57c..e50d4b4ed0 100644
--- a/libavfilter/vf_neighbor.c
+++ b/libavfilter/vf_neighbor.c
@@ -41,10 +41,12 @@ typedef struct NContext {
 int coordinates;
 
 int depth;
+int max;
 int bpc;
 
 void (*filter)(uint8_t *dst, const uint8_t *p1, int width,
-   int threshold, const uint8_t *coordinates[], int coord);
+   int threshold, const uint8_t *coordinates[], int coord,
+   int maxc);
 } NContext;
 
 static int query_formats(AVFilterContext *ctx)
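Review bot: The new `maxc` argument on the `filter` callback and the new `max` field in NContext are undocumented, and the place where `max` is assigned is not in the hunks shown here. A comment on the field such as `int max; /* largest sample value for the configured bit depth */` (to be confirmed against where it is set) would make the contract clear. In the hunks below only dilation16 and inflate16 use `maxc`; the 8-bit functions and erosion16/deflate16 take it without a visible use, which is worth a word in the comment so the unused parameter is not mistaken for an omission.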
@@ -74,7 +76,8 @@ static int query_formats(AVFilterContext *ctx)
 }
 
 static void erosion(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
 {
 int x, i;
 
@@ -94,7 +97,8 @@ static void erosion(uint8_t *dst, const uint8_t *p1, int 
width,
 }
 
 static void erosion16(uint8_t *dstp, const uint8_t *p1, int width,
-  int threshold, const uint8_t *coordinates[], int coord)
+  int threshold, const uint8_t *coordinates[], int coord,
+  int maxc)
 {
 uint16_t *dst = (uint16_t *)dstp;
 int x, i;
@@ -115,7 +119,8 @@ static void erosion16(uint8_t *dstp, const uint8_t *p1, int 
width,
 }
 
 static void dilation(uint8_t *dst, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
 {
 int x, i;
 
@@ -135,14 +140,15 @@ static void dilation(uint8_t *dst, const uint8_t *p1, int 
width,
 }
 
 static void dilation16(uint8_t *dstp, const uint8_t *p1, int width,
-   int threshold, const uint8_t *coordinates[], int coord)
+   int threshold, const uint8_t *coordinates[], int coord,
+   int maxc)
 {
 uint16_t *dst = (uint16_t *)dstp;
 int x, i;
 
 for (x = 0; x < width; x++) {
 int max = AV_RN16A([x * 2]);
-int limit = FFMIN(max + threshold, 255);
+int limit = FFMIN(max + threshold, maxc);
 
 for (i = 0; i < 8; i++) {
 if (coord & (1 << i)) {
@@ -156,7 +162,8 @@ static void dilation16(uint8_t *dstp, const uint8_t *p1, 
int width,
 }
 
 static void deflate(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
 {
 int x, i;
 
@@ -171,7 +178,8 @@ static void deflate(uint8_t *dst, const uint8_t *p1, int 
width,
 }
 
 static void deflate16(uint8_t *dstp, const uint8_t *p1, int width,
-  int threshold, const uint8_t *coordinates[], int coord)
+  int threshold, const uint8_t *coordinates[], int coord,
+  int maxc)
 {
 uint16_t *dst = (uint16_t *)dstp;
 int x, i;
@@ -182,12 +190,13 @@ static void deflate16(uint8_t *dstp, const uint8_t *p1, 
int width,
 
 for (i = 0; i < 8; sum += AV_RN16A(coordinates[i++] + x * 2));
 
-dst[x] = FFMAX(FFMIN(sum / 8, p1[x]), limit);
+dst[x] = FFMAX(FFMIN(sum / 8, AV_RN16A([2 * x])), limit);
 }
 }
 
 static void inflate(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
 {
 int x, i;
 
@@ -202,18 +211,19 @@ static void inflate(uint8_t *dst, const uint8_t *p1, int 
width,
 }
 
 static void inflate16(uint8_t *dstp, const uint8_t *p1, int width,
-  int threshold, const uint8_t *coordinates[], int coord)
+  int threshold, const uint8_t *coordinates[], int coord,
+  int maxc)
 {
 uint16_t *dst = (uint16_t *)dstp;
 int x, i;
 
 for (x = 0; x < width; x++) {
 int sum = 0;
-int limit = FFMIN(AV_RN16A([2 * x]) + threshold, 255);
+int limit = FFMIN(AV_RN16A([2 * x]) + threshold, maxc);
 
 for (i = 0; i < 8; sum += AV_RN16A(coordinates[i++] + x * 2));
 
-dst[x] = FFMIN(FFMAX(sum / 8, p1[x]), limit);
+dst[x] = FFMIN(FFMAX(sum / 8, AV_RN16A([x * 2])), limit);
 }
 }
 
@@ -224,6 +234,7 @@ static int