[FFmpeg-cvslog] lavfi/colorspace: move some functions to common file
ffmpeg | branch: master | Ruiling Song | Tue Jan 22 14:27:01 2019 +0800| [d0f3798b4e7f9ec3142f74946f7de41b9e3485cb] | committer: Ruiling Song lavfi/colorspace: move some functions to common file These functions can be reused by other colorspace filters, so move them to common file. No functional changes. Signed-off-by: Ruiling Song > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0f3798b4e7f9ec3142f74946f7de41b9e3485cb --- libavfilter/colorspace.c| 71 libavfilter/colorspace.h| 4 +++ libavfilter/vf_colorspace.c | 80 +++-- 3 files changed, 79 insertions(+), 76 deletions(-) diff --git a/libavfilter/colorspace.c b/libavfilter/colorspace.c index c6682216d6..19616e4f12 100644 --- a/libavfilter/colorspace.c +++ b/libavfilter/colorspace.c 
@@ -93,6 +93,77 @@ void ff_fill_rgb2xyz_table(const struct PrimaryCoefficients *coeffs, rgb2xyz[2][1] *= sg; rgb2xyz[2][2] *= sb; } +static const double ycgco_matrix[3][3] = +{ +{ 0.25, 0.5, 0.25 }, +{ -0.25, 0.5, -0.25 }, +{ 0.5, 0, -0.5 }, +}; + +static const double gbr_matrix[3][3] = +{ +{ 0,1, 0 }, +{ 0, -0.5, 0.5 }, +{ 0.5, -0.5, 0 }, +}; + +/* + * All constants explained in e.g. https://linuxtv.org/downloads/v4l-dvb-apis/ch02s06.html + * The older ones (bt470bg/m) are also explained in their respective ITU docs + * (e.g. https://www.itu.int/dms_pubrec/itu-r/rec/bt/R-REC-BT.470-5-199802-S!!PDF-E.pdf) + * whereas the newer ones can typically be copied directly from wikipedia :) + */ +static const struct LumaCoefficients luma_coefficients[AVCOL_SPC_NB] = { +[AVCOL_SPC_FCC]= { 0.30, 0.59, 0.11 }, +[AVCOL_SPC_BT470BG]= { 0.299, 0.587, 0.114 }, +[AVCOL_SPC_SMPTE170M] = { 0.299, 0.587, 0.114 }, +[AVCOL_SPC_BT709] = { 0.2126, 0.7152, 0.0722 }, +[AVCOL_SPC_SMPTE240M] = { 0.212, 0.701, 0.087 }, +[AVCOL_SPC_YCOCG] = { 0.25, 0.5,0.25 }, +[AVCOL_SPC_RGB]= { 1, 1, 1 }, +[AVCOL_SPC_BT2020_NCL] = { 0.2627, 0.6780, 0.0593 }, +[AVCOL_SPC_BT2020_CL] = { 0.2627, 0.6780, 0.0593 }, +}; + +const struct LumaCoefficients *ff_get_luma_coefficients(enum AVColorSpace csp) +{ +const struct LumaCoefficients *coeffs; + +if (csp >= AVCOL_SPC_NB) +return NULL; +coeffs = _coefficients[csp]; +if (!coeffs->cr) +return NULL; + +return coeffs; +} + +void ff_fill_rgb2yuv_table(const struct LumaCoefficients *coeffs, + double rgb2yuv[3][3]) +{ +double bscale, rscale; + +// special ycgco matrix +if (coeffs->cr == 0.25 && coeffs->cg == 0.5 && coeffs->cb == 0.25) { +memcpy(rgb2yuv, ycgco_matrix, sizeof(double) * 9); +return; +} else if (coeffs->cr == 1 && coeffs->cg == 1 && coeffs->cb == 1) { +memcpy(rgb2yuv, gbr_matrix, sizeof(double) * 9); +return; +} + +rgb2yuv[0][0] = coeffs->cr; +rgb2yuv[0][1] = coeffs->cg; +rgb2yuv[0][2] = coeffs->cb; +bscale = 0.5 / (coeffs->cb - 1.0); +rscale = 0.5 / 
(coeffs->cr - 1.0); +rgb2yuv[1][0] = bscale * coeffs->cr; +rgb2yuv[1][1] = bscale * coeffs->cg; +rgb2yuv[1][2] = 0.5; +rgb2yuv[2][0] = 0.5; +rgb2yuv[2][1] = rscale * coeffs->cg; +rgb2yuv[2][2] = rscale * coeffs->cb; +} double ff_determine_signal_peak(AVFrame *in) { diff --git a/libavfilter/colorspace.h b/libavfilter/colorspace.h index 936681815a..459a5df60d 100644 --- a/libavfilter/colorspace.h +++ b/libavfilter/colorspace.h @@ -44,6 +44,10 @@ void ff_fill_rgb2xyz_table(const struct PrimaryCoefficients *coeffs, const struct WhitepointCoefficients *wp, double rgb2xyz[3][3]); +const struct LumaCoefficients *ff_get_luma_coefficients(enum AVColorSpace csp); +void ff_fill_rgb2yuv_table(const struct LumaCoefficients *coeffs, + double rgb2yuv[3][3]); + double ff_determine_signal_peak(AVFrame *in); void ff_update_hdr_metadata(AVFrame *in, double peak); diff --git a/libavfilter/vf_colorspace.c b/libavfilter/vf_colorspace.c index f8d1ecdf4a..2120199bee 100644 --- a/libavfilter/vf_colorspace.c +++ b/libavfilter/vf_colorspace.c @@ -170,78 +170,6 @@ typedef struct ColorSpaceContext { // FIXME dithering if bitdepth goes down? // FIXME bitexact for fate integration? -static const double ycgco_matrix[3][3] = -{ -{ 0.25, 0.5, 0.25 }, -{ -0.25, 0.5, -0.25 }, -{ 0.5, 0, -0.5 }, -}; - -static const double gbr_matrix[3][3] = -{ -{ 0,1, 0 }, -{ 0, -0.5, 0.5 }, -{ 0.5, -0.5, 0 }, -}; - -/* - * All constants explained in e.g. https://linuxtv.org/downloads/v4l-dvb-apis/ch02s06.html - * The older ones (bt470bg/m) are also explained in their respective ITU docs - * (e.g. https://www.itu.int/dms_pubrec/itu-r/rec/bt/R-REC-BT.470-5-199802-S!!PDF-E.pdf) - * whereas the newer ones can
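Review bot: In `ff_get_luma_coefficients` the only bound on the table index is `csp >= AVCOL_SPC_NB`, which rejects a negative `csp` only if the compiler gives `enum AVColorSpace` an unsigned underlying type. The lookup is now exported rather than file-local, and its argument presumably comes from frame or option metadata (not visible in this hunk), so I would make the guard independent of that choice: `if ((unsigned)csp >= AVCOL_SPC_NB)`. A short comment should also say that NULL means "no coefficients for this colorspace" and that a zero `cr` marks an unfilled table slot. Callers must check the result before passing it on, because `ff_fill_rgb2yuv_table` dereferences `coeffs` unconditionally.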
[FFmpeg-cvslog] lavfi/colorspace_common: add ifdef check to be more compatible.
ffmpeg | branch: master | Ruiling Song | Mon Jan 21 15:44:04 2019 +0800| [b073fb9eeae8f021a4e18886ccf73cda9f67b00c] | committer: Ruiling Song lavfi/colorspace_common: add ifdef check to be more compatible. Some filters may not need to do linearize/delinearize, thus will even not define them. Add ifdef check, so they could easily re-use the .cl file. Signed-off-by: Ruiling Song > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b073fb9eeae8f021a4e18886ccf73cda9f67b00c --- libavfilter/opencl/colorspace_common.cl | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavfilter/opencl/colorspace_common.cl b/libavfilter/opencl/colorspace_common.cl index 1d68a546c7..ac911f03ef 100644 --- a/libavfilter/opencl/colorspace_common.cl +++ b/libavfilter/opencl/colorspace_common.cl @@ -124,10 +124,14 @@ float3 yuv2rgb(float y, float u, float v) { float3 yuv2lrgb(float3 yuv) { float3 rgb = yuv2rgb(yuv.x, yuv.y, yuv.z); +#ifdef linearize float r = linearize(rgb.x); float g = linearize(rgb.y); float b = linearize(rgb.z); return (float3)(r, g, b); +#else +return rgb; +#endif } float3 rgb2yuv(float r, float g, float b) { @@ -151,19 +155,25 @@ float rgb2y(float r, float g, float b) { } float3 lrgb2yuv(float3 c) { +#ifdef delinearize float r = delinearize(c.x); float g = delinearize(c.y); float b = delinearize(c.z); - return rgb2yuv(r, g, b); +#else +return rgb2yuv(c.x, c.y, c.z); +#endif } float lrgb2y(float3 c) { +#ifdef delinearize float r = delinearize(c.x); float g = delinearize(c.y); float b = delinearize(c.z); - return rgb2y(r, g, b); +#else +return rgb2y(c.x, c.y, c.z); +#endif } float3 lrgb2lrgb(float3 c) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
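Review bot: The `#ifdef linearize` and `#ifdef delinearize` guards in `yuv2lrgb`, `lrgb2yuv` and `lrgb2y` are true only when the including filter supplies those names as preprocessor macros. A filter that defines `linearize` as an ordinary function would silently get the pass-through branch and skip the transfer-function step, with no build error to reveal it. That contract should be stated at the first guard, e.g. `/* linearize/delinearize must be #defined by the host-generated header; a plain function of that name is not detected */`. The same applies to the guards in the second hunk of this file.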
[FFmpeg-cvslog] lavu/opencl: replace va_ext.h with standard name
ffmpeg | branch: master | Ruiling Song | Fri Nov 23 13:39:12 2018 +0800| [61cb505d18b8a335bd118d88c05b9daf40eb5f9b] | committer: Ruiling Song lavu/opencl: replace va_ext.h with standard name Khronos OpenCL header (https://github.com/KhronosGroup/OpenCL-Headers) uses cl_va_api_media_sharing_intel.h. And Intel's official OpenCL driver for Intel GPU (https://github.com/intel/compute-runtime) was compiled against Khronos OpenCL header. So it's better to align with Khronos. Signed-off-by: Ruiling Song > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61cb505d18b8a335bd118d88c05b9daf40eb5f9b --- configure| 2 +- libavutil/hwcontext_opencl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index a817479559..331393f8d5 100755 --- a/configure +++ b/configure @@ -6472,7 +6472,7 @@ fi if enabled_all opencl vaapi ; then enabled opencl_drm_beignet && enable opencl_vaapi_beignet -check_type "CL/cl.h CL/va_ext.h" "clCreateFromVA_APIMediaSurfaceINTEL_fn" && +check_type "CL/cl.h CL/cl_va_api_media_sharing_intel.h" "clCreateFromVA_APIMediaSurfaceINTEL_fn" && enable opencl_vaapi_intel_media fi diff --git a/libavutil/hwcontext_opencl.c b/libavutil/hwcontext_opencl.c index d3df6221c4..b116c5b708 100644 --- a/libavutil/hwcontext_opencl.c +++ b/libavutil/hwcontext_opencl.c @@ -50,7 +50,7 @@ #include #endif #include -#include +#include #include "hwcontext_vaapi.h" #endif ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] lavfi/opencl: add ff_opencl_print_const_matrix_3x3()
ffmpeg | branch: master | Ruiling Song | Tue Jan 22 14:47:54 2019 +0800| [2593122a167de3294abd5b9cf04df5b8072ee3ed] | committer: Ruiling Song lavfi/opencl: add ff_opencl_print_const_matrix_3x3() This is used to print a 3x3 matrix into a part of OpenCL source code. Signed-off-by: Ruiling Song > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2593122a167de3294abd5b9cf04df5b8072ee3ed --- libavfilter/opencl.c | 13 + libavfilter/opencl.h | 8 2 files changed, 21 insertions(+) diff --git a/libavfilter/opencl.c b/libavfilter/opencl.c index ac5eec68c6..95f0bfc604 100644 --- a/libavfilter/opencl.c +++ b/libavfilter/opencl.c @@ -337,3 +337,16 @@ int ff_opencl_filter_work_size_from_image(AVFilterContext *avctx, return 0; } + +void ff_opencl_print_const_matrix_3x3(AVBPrint *buf, const char *name_str, + double mat[3][3]) +{ +int i, j; +av_bprintf(buf, "__constant float %s[9] = {\n", name_str); +for (i = 0; i < 3; i++) { +for (j = 0; j < 3; j++) +av_bprintf(buf, " %.5ff,", mat[i][j]); +av_bprintf(buf, "\n"); +} +av_bprintf(buf, "};\n"); +} diff --git a/libavfilter/opencl.h b/libavfilter/opencl.h index 1b7f117865..0b06232ade 100644 --- a/libavfilter/opencl.h +++ b/libavfilter/opencl.h @@ -25,6 +25,7 @@ // it was introduced in OpenCL 2.0. #define CL_USE_DEPRECATED_OPENCL_1_2_APIS +#include "libavutil/bprint.h" #include "libavutil/buffer.h" #include "libavutil/hwcontext.h" #include "libavutil/hwcontext_opencl.h" 
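Review bot: `ff_opencl_print_const_matrix_3x3` writes `name_str` and every element straight into generated OpenCL source, so two preconditions should be documented at the definition and in the header comment. First, `name_str` must be an identifier chosen by the filter itself, never text derived from stream or user data. Second, every `mat[i][j]` must be finite, because `%.5ff` would otherwise emit `nanf` or `inff`, which is not a valid float literal. The function returns `void` and so cannot report AVBPrint truncation; callers should still test `av_bprint_is_complete()` before building the program, and whether they do is outside this hunk.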
@@ -124,5 +125,12 @@ int ff_opencl_filter_work_size_from_image(AVFilterContext *avctx, size_t *work_size, AVFrame *frame, int plane, int block_alignment); +/** + * Print a 3x3 matrix into a buffer as __constant array, which could + * be included in an OpenCL program. +*/ + +void ff_opencl_print_const_matrix_3x3(AVBPrint *buf, const char *name_str, + double mat[3][3]); #endif /* AVFILTER_OPENCL_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] lavfi/tonemap_opencl: reuse color matrix calculation from colorspace.c
ffmpeg | branch: master | Ruiling Song | Tue Jan 22 15:01:56 2019 +0800| [8b951cd4752c8db2b4532fae9fb300d422950cdd] | committer: Ruiling Song lavfi/tonemap_opencl: reuse color matrix calculation from colorspace.c Signed-off-by: Ruiling Song > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8b951cd4752c8db2b4532fae9fb300d422950cdd --- libavfilter/opencl/colorspace_common.cl | 25 - libavfilter/vf_tonemap_opencl.c | 64 +++-- 2 files changed, 29 insertions(+), 60 deletions(-) diff --git a/libavfilter/opencl/colorspace_common.cl b/libavfilter/opencl/colorspace_common.cl index 94a4dd0e0e..1d68a546c7 100644 --- a/libavfilter/opencl/colorspace_common.cl +++ b/libavfilter/opencl/colorspace_common.cl @@ -39,31 +39,6 @@ constant const float ST2084_C1 = 0.8359375f; constant const float ST2084_C2 = 18.8515625f; constant const float ST2084_C3 = 18.6875f; -__constant float yuv2rgb_bt2020[] = { -1.0f, 0.0f, 1.4746f, -1.0f, -0.16455f, -0.57135f, -1.0f, 1.8814f, 0.0f -}; - -__constant float yuv2rgb_bt709[] = { -1.0f, 0.0f, 1.5748f, -1.0f, -0.18732f, -0.46812f, -1.0f, 1.8556f, 0.0f -}; - -__constant float rgb2yuv_bt709[] = { -0.2126f, 0.7152f, 0.0722f, --0.11457f, -0.38543f, 0.5f, -0.5f, -0.45415f, -0.04585f -}; - -__constant float rgb2yuv_bt2020[] ={ -0.2627f, 0.678f, 0.0593f, --0.1396f, -0.36037f, 0.5f, -0.5f, -0.4598f, -0.0402f, -}; - - float get_luma_dst(float3 c) { return luma_dst.x * c.x + luma_dst.y * c.y + luma_dst.z * c.z; } diff --git a/libavfilter/vf_tonemap_opencl.c b/libavfilter/vf_tonemap_opencl.c index ae3f98d817..315ead49d4 100644 --- a/libavfilter/vf_tonemap_opencl.c +++ b/libavfilter/vf_tonemap_opencl.c @@ -18,7 +18,6 @@ #include #include "libavutil/avassert.h" -#include "libavutil/bprint.h" #include "libavutil/common.h" #include "libavutil/imgutils.h" #include "libavutil/mem.h" 
@@ -35,7 +34,6 @@ // TODO: // - separate peak-detection from tone-mapping kernel to solve //one-frame-delay issue. -// - import colorspace matrix generation from vf_colorspace.c // - more format support #define DETECTION_FRAMES 63 @@ -73,16 +71,6 @@ typedef struct TonemapOpenCLContext { cl_memutil_mem; } TonemapOpenCLContext; -static const char *yuv_coff[AVCOL_SPC_NB] = { -[AVCOL_SPC_BT709] = "rgb2yuv_bt709", -[AVCOL_SPC_BT2020_NCL] = "rgb2yuv_bt2020", -}; - -static const char *rgb_coff[AVCOL_SPC_NB] = { -[AVCOL_SPC_BT709] = "yuv2rgb_bt709", -[AVCOL_SPC_BT2020_NCL] = "yuv2rgb_bt2020", -}; - static const char *linearize_funcs[AVCOL_TRC_NB] = { [AVCOL_TRC_SMPTE2084] = "eotf_st2084", [AVCOL_TRC_ARIB_STD_B67] = "inverse_oetf_hlg", @@ -93,11 +81,6 @@ static const char *delinearize_funcs[AVCOL_TRC_NB] = { [AVCOL_TRC_BT2020_10] = "inverse_eotf_bt1886", }; -static const struct LumaCoefficients luma_coefficients[AVCOL_SPC_NB] = { -[AVCOL_SPC_BT709] = { 0.2126, 0.7152, 0.0722 }, -[AVCOL_SPC_BT2020_NCL] = { 0.2627, 0.6780, 0.0593 }, -}; - static const struct PrimaryCoefficients primaries_table[AVCOL_PRI_NB] = { [AVCOL_PRI_BT709] = { 0.640, 0.330, 0.300, 0.600, 0.150, 0.060 }, [AVCOL_PRI_BT2020] = { 0.708, 0.292, 0.170, 0.797, 0.131, 0.046 }, @@ -137,8 +120,8 @@ static int tonemap_opencl_init(AVFilterContext *avctx) { TonemapOpenCLContext *ctx = avctx->priv; int rgb2rgb_passthrough = 1; -double rgb2rgb[3][3]; -struct LumaCoefficients luma_src, luma_dst; +double rgb2rgb[3][3], rgb2yuv[3][3], yuv2rgb[3][3]; +const struct LumaCoefficients *luma_src, *luma_dst; cl_int cle; int err; AVBPrint header; 
@@ -215,27 +198,37 @@ static int tonemap_opencl_init(AVFilterContext *avctx) if (rgb2rgb_passthrough) av_bprintf(, "#define RGB2RGB_PASSTHROUGH\n"); -else { -av_bprintf(, "__constant float rgb2rgb[9] = {\n"); -av_bprintf(, "%.4ff, %.4ff, %.4ff,\n", - rgb2rgb[0][0], rgb2rgb[0][1], rgb2rgb[0][2]); -av_bprintf(, "%.4ff, %.4ff, %.4ff,\n", - rgb2rgb[1][0], rgb2rgb[1][1], rgb2rgb[1][2]); -av_bprintf(, "%.4ff, %.4ff, %.4ff};\n", - rgb2rgb[2][0], rgb2rgb[2][1], rgb2rgb[2][2]); +else +ff_opencl_print_const_matrix_3x3(, "rgb2rgb", rgb2rgb); + + +luma_src = ff_get_luma_coefficients(ctx->colorspace_in); +if (!luma_src) { +err = AVERROR(EINVAL); +av_log(avctx, AV_LOG_ERROR, "unsupported input colorspace %d (%s)\n", + ctx->colorspace_in, av_color_space_name(ctx->colorspace_in)); +goto fail; } -av_bprintf(, "#define rgb_matrix %s\n", - rgb_coff[ctx->colorspace_in]); -av_bprintf(, "#define yuv_matrix %s\n", - yuv_coff[ctx->colorspace_out]); +luma_dst = ff_get_luma_coefficients(ctx->colorspace_out); +if (!luma_dst) { +err = AVERROR(EINVAL); +av_log(avctx,
[FFmpeg-cvslog] MAINTAINERS: remove myself as mailing list maintainer
ffmpeg | branch: master | Lou Logan | Thu Mar 21 11:34:13 2019 -0800| [73661740862286464513e2792a31813d383c6afa] | committer: Lou Logan MAINTAINERS: remove myself as mailing list maintainer Refer to Michael, compn, or Baptiste. Signed-off-by: Lou Logan > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=73661740862286464513e2792a31813d383c6afa --- MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MAINTAINERS b/MAINTAINERS index 0545b87e55..88b0109f22 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -53,7 +53,7 @@ Communication website Deby Barbara Lepage fate.ffmpeg.org Timothy Gu Trac bug trackerAlexander Strasser, Michael Niedermayer, Carl Eugen Hoyos -mailing lists Baptiste Coudurier, Lou Logan +mailing lists Baptiste Coudurier Google+ Paul B Mahol, Michael Niedermayer, Alexander Strasser Twitter Lou Logan, Reynaldo H. Verdejo Pinochet Launchpad Timothy Gu ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] doc/mailing-list-faq: ffmpeg-devel is now subscription only
ffmpeg | branch: master | Lou Logan | Thu Mar 21 11:26:11 2019 -0800| [171f8ee40bd77eebe0cf18315a370e097833cd1b] | committer: Lou Logan doc/mailing-list-faq: ffmpeg-devel is now subscription only Nobody is going to check the queue anymore, so users must now subscribe to send messages to ffmpeg-devel. This will prevent orphaned/ignored messages from rotting in the abandoned queue. This matches the behavior of ffmpeg-user and libav-user. Also, this addresses some other nits. Signed-off-by: Lou Logan > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=171f8ee40bd77eebe0cf18315a370e097833cd1b --- doc/mailing-list-faq.texi | 22 -- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/doc/mailing-list-faq.texi b/doc/mailing-list-faq.texi index 3f2be1071a..132c037554 100644 --- a/doc/mailing-list-faq.texi +++ b/doc/mailing-list-faq.texi @@ -64,10 +64,6 @@ Email @email{ffmpeg-devel@@ffmpeg.org} to send a message to the ffmpeg-devel mailing list. @end itemize -Note that the ffmpeg-devel mailing list does not require you to subscribe -to send a message or patch, but ffmpeg-user and libav-user do require -subscription. - @chapter Subscribing / Unsubscribing @anchor{How do I subscribe?} @@ -94,6 +90,9 @@ The process is the same for the other mailing lists. Please avoid asking a mailing list admin to unsubscribe you unless you are absolutely unable to do so by yourself. See @ref{Who do I contact if I have a problem with the mailing list?} +Note that it is possible to temporarily halt message delivery (vacation mode). +See @ref{How do I disable mail delivery without unsubscribing?} + @chapter Moderation Queue @anchor{Why is my message awaiting moderator approval?} @section Why is my message awaiting moderator approval? 
@@ -116,7 +115,8 @@ or is abusive towards others). @section How long does it take for my message in the moderation queue to be approved? -The queue is usually checked daily to several times a week. +The queue is not checked on a regular basis. You can ask on the +@t{#ffmpeg-devel} IRC channel on Freenode for someone to approve your message. @anchor{How do I delete my message in the moderation queue?} @section How do I delete my message in the moderation queue? @@ -157,11 +157,12 @@ Perform a site search using your favorite search engine. Example: You can ask for help in the official @t{#ffmpeg} IRC channel on Freenode. -Some users prefer the third-party Nabble interface which presents the -mailing lists in a typical forum layout. +Some users prefer the third-party @url{http://www.ffmpeg-archive.org/, Nabble} +interface which presents the mailing lists in a typical forum layout. -There are also numerous third-party help sites such as Super User and -r/ffmpeg on reddit. +There are also numerous third-party help sites such as +@url{https://superuser.com/tags/ffmpeg, Super User} and +@url{https://www.reddit.com/r/ffmpeg/, r/ffmpeg on reddit}. @anchor{What is top-posting?} @section What is top-posting? @@ -181,7 +182,7 @@ instead of attaching them. Anywhere that is not too annoying for us to use. Google Drive and Dropbox are acceptable if you need a file host, and -0x0.st is good for files under 256 MiB. +@url{https://0x0.st/, 0x0.st} is good for files under 256 MiB. Small, short samples are preferred if possible. @@ -228,6 +229,7 @@ or headers. You can then filter the mailing list messages to their own folder. +@anchor{How do I disable mail delivery without unsubscribing?} @section How do I disable mail delivery without unsubscribing? Sometimes you may want to temporarily stop receiving all mailing list ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dfa: Check the chunk header is not truncated
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Mar 10 23:45:19 2019 +0100| [2a2bc7918727eb2d1baa8e2ea7e279d0d9b1] | committer: Michael Niedermayer avcodec/dfa: Check the chunk header is not truncated Fixes: Timeout (11sec -> 3sec) Fixes: 13218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-5661074316066816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f20760fadbc77483b9ff4b400b53ebb38ee33793) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a2bc7918727eb2d1baa8e2ea7e279d0d9b1
---
libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 970175fb73..c6106b9397 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -355,6 +355,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,
 bytestream2_init(, avpkt->data, avpkt->size);
 while (bytestream2_get_bytes_left() > 0) {
+if (bytestream2_get_bytes_left() < 12)
+return AVERROR_INVALIDDATA;
 bytestream2_skip(, 4);
 chunk_size = bytestream2_get_le32();
 chunk_type = bytestream2_get_le32();
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
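Review bot: The `12` in the new guard is an unexplained constant; it matches the three reads that follow (4 skipped bytes plus two `le32` fields). A comment such as `/* 4 skipped bytes + le32 chunk_size + le32 chunk_type */` would keep it in sync if the header layout ever changes. The check guarantees only that the header is present. Whether `chunk_size` is then bounded against the bytes left before the chunk body is decoded cannot be seen here, because the loop body of `dfa_decode_frame` continues outside the hunk. A short tail after otherwise valid chunks now fails the whole packet with `AVERROR_INVALIDDATA`, so it is worth confirming that this is intended for files with trailing padding.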
[FFmpeg-cvslog] avcodec/clearvideo: Check remaining data in P frames
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Mar 8 01:42:06 2019 +0100| [599cfce022b3d7f7b3641867254c7d8a2e027497] | committer: Michael Niedermayer avcodec/clearvideo: Check remaining data in P frames Fixes: Timeout (19sec -> 419msec) Fixes: 13411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5733153811988480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41f93f941155f9f9dbb2d5e7f5d20b2238150836) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=599cfce022b3d7f7b3641867254c7d8a2e027497
---
libavcodec/clearvideo.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index 5e2f019929..a533613a3e 100644
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -558,6 +558,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 } else {
 int plane;
+if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell()))
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
 return ret;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
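Review bot: In the added check the left-hand product `c->pmb_width * c->pmb_height` is evaluated before the comparison. If both fields are `int` (their declarations are outside the hunk), it is computed in 32-bit arithmetic and only the right-hand side benefits from `8LL`. Widening one operand, `(int64_t)c->pmb_width * c->pmb_height`, keeps the whole comparison in 64 bits regardless of how large the coded dimensions are allowed to be. A one-line comment stating the assumption behind the factor 8, apparently at least one bit of input per P macroblock, would also help. The body of `clv_decode_frame` continues outside the hunk.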
[FFmpeg-cvslog] avcodec/dvbsubdec: Check object position
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Mar 5 20:14:05 2019 +0100| [86af0e2a87321663b6c6f5538017dcb1726400c1] | committer: Michael Niedermayer avcodec/dvbsubdec: Check object position Reference: ETSI EN 300 743 V1.2.1 7.2.2 Region composition segment Fixes: Timeout Fixes: 13325/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVBSUB_fuzzer-5143979392237568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a8c5ae451184e879fc8ff1333c6f26f9542c8ebf) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=86af0e2a87321663b6c6f5538017dcb1726400c1
---
libavcodec/dvbsubdec.c | 7 +++ 1 file changed, 7 insertions(+)
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index a657b1d3d0..6af6ef7b70 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -1261,6 +1261,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
 display->y_pos = AV_RB16(buf) & 0xfff;
 buf += 2;
+if (display->x_pos >= region->width ||
+display->y_pos >= region->height) {
+av_log(avctx, AV_LOG_ERROR, "Object outside region\n");
+av_free(display);
+return AVERROR_INVALIDDATA;
+}
+
 if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) {
 display->fgcolor = *buf++;
 display->bgcolor = *buf++;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
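Review bot: The added check validates only the object's origin (`x_pos`, `y_pos`) against the region size. It does not cover an object that starts inside the region but extends past its right or bottom edge; whether that case is clipped when the object is drawn is not visible in this hunk and should be confirmed. The error path's `av_free(display)` is correct only while `display` has not yet been linked into the region or object lists, which appears to happen after the hunk. A comment such as `/* display is not linked into any list yet, so it can be freed here */` would protect that ordering against later reshuffling. `dvbsub_parse_region_segment` starts and ends outside the hunk.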
[FFmpeg-cvslog] Update for 4.0.4
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Mar 21 16:52:50 2019 +0100| [162b44e110cbb1f78014a971d5d3641cd30e3bc6] | committer: Michael Niedermayer Update for 4.0.4 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=162b44e110cbb1f78014a971d5d3641cd30e3bc6 --- Changelog| 84 RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 86 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index e3aa4e30a0..00ff5fe7d5 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,90 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.0.4: +- avcodec/dfa: Check the chunk header is not truncated +- avcodec/clearvideo: Check remaining data in P frames +- avcodec/dvbsubdec: Check object position +- avcodec/cdgraphics: Use ff_set_dimensions() +- avformat/gdv: Check fps +- configure: use vpx_codec_vp8_dx/cx for libvpx-vp8 checking +- configure: add missing pthreads extralibs dependency for libvpx-vp9 +- avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block() +- avcodec/dxv: Correct integer overflow in get_opcodes() +- avcodec/scpr: Fix use of uninitialized variable +- avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes +- avcodec/aic: Check remaining bits in aic_decode_coeffs() +- avcodec/gdv: Check for truncated tags in decompress_5() +- avcodec/bethsoftvideo: Check block_type +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/error_resilience: Use a symmetric check for skipping MV estimation +- avcodec/mlpdec: Insuffient typo +- avcodec/zmbv: obtain frame later +- avcodec/jvdec: Check available input space before decode8x8() +- avcodec/h264_direct: Fix overflow in POC comparission +- avformat/webmdashenc: Check id in adaption_sets +- avformat/http: Fix Out-of-Bounds access in process_line() +- avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces +- avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning +- avformat/matroskadec: Do not leak queued packets on sync errors +- avcodec/mpeg4videodec: Clear interlaced_dct for studio profile +- avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream +- avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() +- avformat/mov: validate 
chunk_count vs stsc_data +- avformat/mov.c: require tfhd to begin parsing trun +- avcodec/pgssubdec: Check for duplicate display segments +- avformat/rtsp: Check number of streams in sdp_parse_line() +- avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() +- avcodec/fic: Check that there is input left in fic_decode_block() +- avcodec/tiff: Check for 12bit gray fax +- avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() +- avutil/mem: Optimize fill32() by unrolling and using 64bit +- configure: bump year +- avcodec/diracdec: Check component quant +- avcodec/tests/rangecoder: initialize array to avoid valgrind warning +- avcodec/h264_slice: Fix integer overflow in implicit_weight_table() +- avcodec/exr: set layer_match in all branches +- avcodec/exr: Check for duplicate channel index +- avcodec/4xm: Fix returned error codes +- avformat/libopenmpt: Fix successfull typo +- avcodec/v4l2_m2m: fix cant typo +- avcodec/mjpegbdec: Fix some misplaced {} and spaces +- avformat/wvdec: detect and error out on WavPack DSD files +- avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa +- avcodec/fic: Fail on invalid slice size/off +- postproc/postprocess_template: remove FF_REG_sp from clobber list +- postproc/postprocess_template: Avoid using %4 for the threshold compare +- avcodec/rpza: Check that there is enough data for all the blocks +- avcodec/rpza: Move frame allocation to a later point +- avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID +- avformat/mpegts: Fix side data type for stream id +- tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb +- avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() +- lavf/id3v2: fail read_apic on EOF reading mimetype +- avformat/nutenc: Document trailer index assert better +- lavf/mov: ensure only one tkhd per trak +- avcodec/clearvideo: Check remaining input bits in P macro block loop +- avcodec/dxv: Check that there is enough data 
to decompress +- avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations +- avcodec/msvideo1: Check for too small dimensions +- avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size +- avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size +- avcodec/truemotion2rt: Fix rounding in input size check +-
[FFmpeg-cvslog] avcodec/aic: Check remaining bits in aic_decode_coeffs()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Feb 25 13:26:25 2019 +0100| [ccf6ca1701d8e5e7ecc697c983a369e2e87680b8] | committer: Michael Niedermayer avcodec/aic: Check remaining bits in aic_decode_coeffs() Fixes: Timeout (78 seconds -> 2 seconds) Fixes: 13186/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AIC_fuzzer-5639516533030912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 951bb7632fe6e3bb1a9c3b47610705871e471f34) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ccf6ca1701d8e5e7ecc697c983a369e2e87680b8 --- libavcodec/aic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/aic.c b/libavcodec/aic.c index 9c6f806655..dc28c83661 100644 --- a/libavcodec/aic.c +++ b/libavcodec/aic.c @@ -208,6 +208,9 @@ static int aic_decode_coeffs(GetBitContext *gb, int16_t *dst, int mb, idx; unsigned val; +if (get_bits_left(gb) < 5) +return AVERROR_INVALIDDATA; + has_skips = get_bits1(gb); coeff_type = get_bits1(gb); coeff_bits = get_bits(gb, 3); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
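Review bot: The literal `5` in the new `get_bits_left(gb) < 5` guard at the top of aic_decode_coeffs() is the sum of the three reads that follow it (1 + 1 + 3 bits for `has_skips`, `coeff_type` and `coeff_bits`), and nothing in the code says so. A comment such as `/* has_skips(1) + coeff_type(1) + coeff_bits(3) */` would keep the constant in step with the header layout. The guard covers only this header; the coefficient loops that follow are outside the hunk, so whether they bound their own reads cannot be confirmed from here.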
[FFmpeg-cvslog] configure: add missing pthreads extralibs dependency for libvpx-vp9
ffmpeg | branch: release/4.0 | Guo, Yejun | Tue Mar 5 06:09:11 2019 +0800| [01209d220b36e42a307233249f917e578ebacc4c] | committer: Michael Niedermayer configure: add missing pthreads extralibs dependency for libvpx-vp9 Signed-off-by: Guo, Yejun Signed-off-by: James Almer (cherry picked from commit 402bf262375dfecd0e90d7acc67c238abe952fc3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01209d220b36e42a307233249f917e578ebacc4c --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index fca17e6d9c..9a6ccb39f1 100755 --- a/configure +++ b/configure @@ -6083,11 +6083,11 @@ enabled libvpx&& { } enabled libvpx_vp9_decoder && { check_pkg_config libvpx_vp9_decoder "vpx >= 1.4.0" "vpx/vpx_decoder.h vpx/vp8dx.h" vpx_codec_vp9_dx || -check_lib libvpx_vp9_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp9_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs" +check_lib libvpx_vp9_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp9_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" } enabled libvpx_vp9_encoder && { check_pkg_config libvpx_vp9_encoder "vpx >= 1.4.0" "vpx/vpx_encoder.h vpx/vp8cx.h" vpx_codec_vp9_cx || -check_lib libvpx_vp9_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp9_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs" +check_lib libvpx_vp9_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp9_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" } if disabled_all libvpx_vp8_decoder libvpx_vp9_decoder libvpx_vp8_encoder libvpx_vp9_encoder; then die "libvpx enabled but no supported decoders found" ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] configure: use vpx_codec_vp8_dx/cx for libvpx-vp8 checking
ffmpeg | branch: release/4.0 | Guo, Yejun | Tue Mar 5 06:09:18 2019 +0800| [33651c09407e83b011dab95e15b1519bf48cb32e] | committer: Michael Niedermayer configure: use vpx_codec_vp8_dx/cx for libvpx-vp8 checking Signed-off-by: Guo, Yejun Signed-off-by: James Almer (cherry picked from commit d9b2668766e3e924d4ebb3c6531b449874e13666) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33651c09407e83b011dab95e15b1519bf48cb32e --- configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index 9a6ccb39f1..15e6c321b1 100755 --- a/configure +++ b/configure @@ -6073,12 +6073,12 @@ enabled libvorbis && require_pkg_config libvorbis vorbis vorbis/codec.h enabled libvpx&& { enabled libvpx_vp8_decoder && { check_pkg_config libvpx_vp8_decoder "vpx >= 1.4.0" "vpx/vpx_decoder.h vpx/vp8dx.h" vpx_codec_vp8_dx || -check_lib libvpx_vp8_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_dec_init_ver VPX_IMG_FMT_HIGHBITDEPTH" -lvpx || +check_lib libvpx_vp8_decoder "vpx/vpx_decoder.h vpx/vp8dx.h" "vpx_codec_vp8_dx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" || die "ERROR: libvpx decoder version must be >=1.4.0"; } enabled libvpx_vp8_encoder && { check_pkg_config libvpx_vp8_encoder "vpx >= 1.4.0" "vpx/vpx_encoder.h vpx/vp8cx.h" vpx_codec_vp8_cx || -check_lib libvpx_vp8_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_enc_init_ver VPX_IMG_FMT_HIGHBITDEPTH" -lvpx || +check_lib libvpx_vp8_encoder "vpx/vpx_encoder.h vpx/vp8cx.h" "vpx_codec_vp8_cx VPX_IMG_FMT_HIGHBITDEPTH" "-lvpx $libm_extralibs $pthreads_extralibs" || die "ERROR: libvpx encoder version must be >=1.4.0"; } enabled libvpx_vp9_decoder && { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/cdgraphics: Use ff_set_dimensions()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Mar 5 12:51:22 2019 +0100| [09b6cce9ba4935b9c50f7ca2aad1ed83c7ca6c38] | committer: Michael Niedermayer avcodec/cdgraphics: Use ff_set_dimensions() Fixes: Timeout (17 sec -> 65 milli sec) Fixes: 13264/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5711167941509120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9a9f0e239c1c6f5c96cc90ba673087f86ca1eabc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09b6cce9ba4935b9c50f7ca2aad1ed83c7ca6c38 --- libavcodec/cdgraphics.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index 87ad5e79f4..da6fb7af03 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -80,11 +80,8 @@ static av_cold int cdg_decode_init(AVCodecContext *avctx) return AVERROR(ENOMEM); cc->transparency = -1; -avctx->width = CDG_FULL_WIDTH; -avctx->height = CDG_FULL_HEIGHT; avctx->pix_fmt = AV_PIX_FMT_PAL8; - -return 0; +return ff_set_dimensions(avctx, CDG_FULL_WIDTH, CDG_FULL_HEIGHT); } static void cdg_border_preset(CDGraphicsContext *cc, uint8_t *data) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
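Review bot: cdg_decode_init() now ends with `return ff_set_dimensions(...)`, after the allocation whose `AVERROR(ENOMEM)` return is visible at the top of the hunk, so a failure of that call would leave the allocated object to whatever cleanup runs after a failed init. With the constants CDG_FULL_WIDTH and CDG_FULL_HEIGHT a failure is unlikely, but the hunk does not show whether the close callback is invoked on init failure. Either confirm that it is, or add a comment at the return such as `/* on failure the frame is released by the close callback */` so the next reader does not have to check.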
[FFmpeg-cvslog] avformat/gdv: Check fps
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Mar 5 00:48:18 2019 +0100| [1d77b60e3531917fe8fef217b54088154b61b675] | committer: Michael Niedermayer avformat/gdv: Check fps Fixes: Division by 0 Fixes: ffmpeg_zero_division.bin Found-by: Anatoly Trosinenko Signed-off-by: Michael Niedermayer (cherry picked from commit 38381400fca45d1ae6e7604335b507b7dc70a903) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d77b60e3531917fe8fef217b54088154b61b675 --- libavformat/gdv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/gdv.c b/libavformat/gdv.c index a69c349cab..3ead383892 100644 --- a/libavformat/gdv.c +++ b/libavformat/gdv.c @@ -86,6 +86,9 @@ static int gdv_read_header(AVFormatContext *ctx) vst->nb_frames = avio_rl16(pb); fps = avio_rl16(pb); +if (!fps) +return AVERROR_INVALIDDATA; + snd_flags = avio_rl16(pb); if (snd_flags & 1) { ast = avformat_new_stream(ctx, 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
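Review bot: The new `if (!fps)` rejection in gdv_read_header() returns AVERROR_INVALIDDATA without a log line, so a file with a zero rate fails to open with no stated cause. Adding `av_log(ctx, AV_LOG_ERROR, "Invalid fps\n");` before the return would make the failure diagnosable. The use of `fps` as a divisor is outside the hunk.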
[FFmpeg-cvslog] avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Feb 24 00:44:40 2019 +0100| [36a1939b59f0a966cda4de8215621db626833694] | committer: Michael Niedermayer avcodec/qpeg: Limit copy in qpeg_decode_intra() to the available bytes Fixes: Timeout (27 sec -> 39 milli sec) Fixes: 13151/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QPEG_fuzzer-5717536023248896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b819472995f55e827d6bb70dcdd86d963f65ae31) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36a1939b59f0a966cda4de8215621db626833694 --- libavcodec/qpeg.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qpeg.c b/libavcodec/qpeg.c index e1210c1972..10b55d2dff 100644 --- a/libavcodec/qpeg.c +++ b/libavcodec/qpeg.c @@ -90,6 +90,8 @@ static void qpeg_decode_intra(QpegContext *qctx, uint8_t *dst, } } } else { +if (bytestream2_get_bytes_left(>buffer) < copy) +copy = bytestream2_get_bytes_left(>buffer); for(i = 0; i < copy; i++) { dst[filled++] = bytestream2_get_byte(>buffer); if (filled >= width) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
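Review bot: The clamp added to the copy branch of qpeg_decode_intra() spells out a minimum by hand over two lines; `copy = FFMIN(copy, bytestream2_get_bytes_left(&qctx->buffer));` says the same in one. The truncation is also silent: the loop then fills fewer bytes than the stream asked for and decoding carries on, so a comment such as `/* truncated input: copy only what is available */` would record that this is deliberate rather than an error path that was forgotten. The function continues outside the hunk.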
[FFmpeg-cvslog] avcodec/dxv: Correct integer overflow in get_opcodes()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Mar 3 00:47:47 2019 +0100| [63383dea3b16bcf47c362950a2da1177e2693923] | committer: Michael Niedermayer avcodec/dxv: Correct integer overflow in get_opcodes() Fixes: 13099/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5665598896340992 Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e0b5d3a20e107860a34e90139b860d6b8219a1d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63383dea3b16bcf47c362950a2da1177e2693923 --- libavcodec/dxv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index bf53d7d706..aef5ec19dd 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -426,7 +426,8 @@ static int fill_optable(unsigned *table0, OpcodeTable *table1, int nb_elements) static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op_size, int nb_elements) { OpcodeTable optable[1024]; -int sum, x, val, lshift, rshift, ret, size_in_bits, i, idx; +int sum, x, val, lshift, rshift, ret, i, idx; +int64_t size_in_bits; unsigned endoffset, newoffset, offset; unsigned next; uint8_t *src = (uint8_t *)gb->buffer; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
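Review bot: Widening `size_in_bits` to `int64_t` in get_opcodes() removes the signed overflow, but the hunk shows only the declaration: the value is presumably still narrowed when it is stored in one of the `unsigned` offsets declared on the next line, and a size near 2^31 taken from the file then becomes a very large offset unless it is compared with the bytes left in `gb` first. The function body is outside the hunk, so this should be confirmed there. If no such check exists, rejecting a size larger than `8 * bytestream2_get_bytes_left(gb)` right after it is read would close the gap.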
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Mar 10 01:40:59 2019 +0100| [aadce82c585181168f3b7cdf260c3d461d4baa1b] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check idx in mpeg4_decode_studio_block() Fixes: Out of array access Fixes: 13500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5769760178962432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d227ed5d598340e719eff7156b1aa0a4469e9a6a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aadce82c585181168f3b7cdf260c3d461d4baa1b --- libavcodec/mpeg4videodec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index e0cfff170f..c9823807b5 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1897,14 +1897,20 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n code >>= 1; run = (1 << (additional_code_len - 1)) + code; idx += run; +if (idx > 63) +return AVERROR_INVALIDDATA; j = scantable[idx++]; block[j] = sign ? 1 : -1; } else if (group >= 13 && group <= 20) { /* Level value (Table B.49) */ +if (idx > 63) +return AVERROR_INVALIDDATA; j = scantable[idx++]; block[j] = get_xbits(>gb, additional_code_len); } else if (group == 21) { /* Escape */ +if (idx > 63) +return AVERROR_INVALIDDATA; j = scantable[idx++]; additional_code_len = s->avctx->bits_per_raw_sample + s->dct_precision + 4; flc = get_bits(>gb, additional_code_len); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
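Review bot: `if (idx > 63) return AVERROR_INVALIDDATA;` is now repeated verbatim in three branches of mpeg4_decode_studio_block(), each directly before `j = scantable[idx++];`, and the literal 63 is tied to `int32_t block[64]` in the signature only by convention. A small static helper that performs the check and the lookup together would make it hard to add another branch without the bound; at minimum a comment at the first check, `/* idx must stay within block[64] */`, would explain the constant. The branches before the first changed line are outside the hunk, so whether they also advance `idx` cannot be checked here.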
[FFmpeg-cvslog] avcodec/error_resilience: Use a symmetric check for skipping MV estimation
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Feb 19 18:41:42 2019 +0100| [63957591e951b9aafb3f37551020841dca25a1cd] | committer: Michael Niedermayer avcodec/error_resilience: Use a symmetric check for skipping MV estimation This speeds up the testcase by a factor of 4 Fixes: Timeout Fixes: 13100/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5767533905313792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e4289cb253e29e4d62dc46759eb1a45d8f6d82df) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63957591e951b9aafb3f37551020841dca25a1cd --- libavcodec/error_resilience.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 1abae53f41..35d0c609e5 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -437,7 +437,7 @@ static void guess_mv(ERContext *s) } if ((!(s->avctx->error_concealment_EC_GUESS_MVS)) || -num_avail <= mb_width / 2) { +num_avail <= FFMAX(mb_width, mb_height) / 2) { for (mb_y = 0; mb_y < mb_height; mb_y++) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) { const int mb_xy = mb_x + mb_y * s->mb_stride; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/zmbv: obtain frame later
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Feb 21 17:25:14 2019 +0100| [f32ce15f7c0beff43c060560de23daea2f353a7d] | committer: Michael Niedermayer avcodec/zmbv: obtain frame later The frame is not needed that early so obtaining it later avoids the costly operation in case other checks fail. Fixes: Timeout (14sec -> 4sec) Fixes: 13140/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-5738330308739072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 177b40890c6de8c6896e0a1d4a631ea1ca89c044) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f32ce15f7c0beff43c060560de23daea2f353a7d --- libavcodec/zmbv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b994e96e95..6ef549dff1 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,9 +519,6 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } -if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) -return ret; - if (c->comp == 0) { // uncompressed data if (c->decomp_size < len) { av_log(avctx, AV_LOG_ERROR, "Buffer too small\n"); @@ -547,6 +544,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); return AVERROR_INVALIDDATA; } +if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) +return ret; + if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/scpr: Fix use of uninitialized variable
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Feb 28 00:12:14 2019 +0100| [8f6d7a454a32d7dfb7985f9607d800061d047018] | committer: Michael Niedermayer avcodec/scpr: Fix use of uninitialized variable Fixes: Undefined shift Fixes: 12911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5677102915911680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53248acfb3b23007c89ae822d7bcae451272d5a7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8f6d7a454a32d7dfb7985f9607d800061d047018 --- libavcodec/scpr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index d76148998b..4856095222 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -508,7 +508,7 @@ static int decompress_p(AVCodecContext *avctx, { SCPRContext *s = avctx->priv_data; GetByteContext *gb = >gb; -int ret, temp, min, max, x, y, cx = 0, cx1 = 0; +int ret, temp = 0, min, max, x, y, cx = 0, cx1 = 0; int backstep = linesize - avctx->width; const int cxshift = s->cxshift; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
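Review bot: Initialising `temp` to 0 in decompress_p() removes the read of an indeterminate value, but it leaves open whether a path that uses `temp` before the bitstream has set it is valid input at all. The uses are outside the hunk; if that path is only reachable with malformed data, returning AVERROR_INVALIDDATA there would be stricter than decoding with a default. If 0 is a legitimate starting value, a short comment on the declaration saying so would stop the initialiser from looking like a sanitizer workaround.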
[FFmpeg-cvslog] avcodec/jvdec: Check available input space before decode8x8()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Feb 21 01:09:43 2019 +0100| [ffaa3c3071ea979650ea1e5d90be465d5a8707b3] | committer: Michael Niedermayer avcodec/jvdec: Check available input space before decode8x8() Fixes: Timeout (78 sec -> 15 millisec) Fixes: 13147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JV_fuzzer-5727107827630080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61523683c5a9bda9aaa7ae24764a3df0401a9877) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffaa3c3071ea979650ea1e5d90be465d5a8707b3 --- libavcodec/jvdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c index cbe83d3c10..4337d5681e 100644 --- a/libavcodec/jvdec.c +++ b/libavcodec/jvdec.c @@ -170,6 +170,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, GetBitContext gb; init_get_bits(, buf, 8 * video_size); +if (avctx->height/8 * (avctx->width/8) > 4 * video_size) { +av_log(avctx, AV_LOG_ERROR, "Insufficient input data for dimensions\n"); +return AVERROR_INVALIDDATA; +} + for (j = 0; j < avctx->height; j += 8) for (i = 0; i < avctx->width; i += 8) decode8x8(, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
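Review bot: The new size check in decode_frame() counts blocks as `avctx->height/8 * (avctx->width/8)`, which rounds down, while the loops directly below step `j` and `i` by 8 up to `height` and `width` and so also visit a partial last row or column. For dimensions that are not multiples of 8 the check therefore undercounts the decode8x8() calls; it errs on the permissive side, but `((avctx->height + 7) / 8) * ((avctx->width + 7) / 8)` would match the loop. The factor `4` also needs a comment: it presumably encodes a minimum of two bits per block out of `8 * video_size` bits, e.g. `/* each 8x8 block consumes at least 2 bits */`.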
[FFmpeg-cvslog] avcodec/mlpdec: Insuffient typo
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Feb 23 22:00:39 2019 +0100| [80c88154441007022eb57f48136d6d9eed3e691f] | committer: Michael Niedermayer avcodec/mlpdec: Insuffient typo Signed-off-by: Michael Niedermayer (cherry picked from commit fc32e08941ea2795a3096e7a4013843e9ebf5fe3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80c88154441007022eb57f48136d6d9eed3e691f --- libavcodec/mlpdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 8caa266b7e..3139a0172f 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -1195,7 +1195,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, } if (length < header_size + substr_header_size) { -av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); +av_log(m->avctx, AV_LOG_ERROR, "Insufficient data for headers\n"); goto error; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/gdv: Check for truncated tags in decompress_5()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Feb 25 01:26:30 2019 +0100| [87eecb7d854599221c4112a241a49e742f4d1f66] | committer: Michael Niedermayer avcodec/gdv: Check for truncated tags in decompress_5() Testcase: 13169/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5666354038833152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5cf42f65b60d226d1223d2100cb1d90402189275) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=87eecb7d854599221c4112a241a49e742f4d1f66 --- libavcodec/gdv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c index 79ca157dde..addd513091 100644 --- a/libavcodec/gdv.c +++ b/libavcodec/gdv.c @@ -244,6 +244,8 @@ static int decompress_5(AVCodecContext *avctx, unsigned skip) while (bytestream2_get_bytes_left_p(pb) > 0 && bytestream2_get_bytes_left(gb) > 0) { int tag = read_bits2(, gb); +if (bytestream2_get_bytes_left(gb) < 1) +return AVERROR_INVALIDDATA; if (tag == 0) { bytestream2_put_byte(pb, bytestream2_get_byte(gb)); } else if (tag == 1) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
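Review bot: The added `bytestream2_get_bytes_left(gb) < 1` test in decompress_5() looks redundant next to the loop condition one line above, which already requires bytes left in `gb`; it is needed only because the tag read in between can presumably consume input. A comment such as `/* reading the tag may have used the last input byte */` would keep someone from removing it as dead code. The check guarantees a single byte, which matches the `tag == 0` branch; the other branches are outside the hunk, so it should be confirmed there that reads of more than one byte are bounded as well.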
[FFmpeg-cvslog] avcodec/bethsoftvideo: Check block_type
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Feb 24 23:39:44 2019 +0100| [24e4039c6fa152b40ff2ebb491f5ea9df88686aa] | committer: Michael Niedermayer avcodec/bethsoftvideo: Check block_type Fixes: Timeout (17 seconds -> 1 second) Fixes: 13184/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BETHSOFTVID_fuzzer-5711446296494080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8ecadec0582a1521b5d0d253376966138e6ca78) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=24e4039c6fa152b40ff2ebb491f5ea9df88686aa --- libavcodec/bethsoftvideo.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/bethsoftvideo.c b/libavcodec/bethsoftvideo.c index 274516bf4d..e5a73f55a1 100644 --- a/libavcodec/bethsoftvideo.c +++ b/libavcodec/bethsoftvideo.c @@ -109,6 +109,11 @@ static int bethsoftvid_decode_frame(AVCodecContext *avctx, if(yoffset >= avctx->height) return AVERROR_INVALIDDATA; dst += vid->frame->linesize[0] * yoffset; +case VIDEO_P_FRAME: +case VIDEO_I_FRAME: +break; +default: +return AVERROR_INVALIDDATA; } // main code ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
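Review bot: The `case VIDEO_P_FRAME:` and `case VIDEO_I_FRAME:` labels are added directly after `dst += vid->frame->linesize[0] * yoffset;` with no `break` in between, so the preceding case now falls through into them. The outcome is the intended one, since it reaches the `break`, but it reads like an accident. Ending the earlier case with its own `break;` or a `/* fall through */` comment would make the intent explicit. The switch statement begins outside the hunk.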
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Feb 19 00:05:51 2019 +0100| [4ee463b69f30c51d0665bfbd6b80364beb2ba65c] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() Fixes: runtime error: signed integer overflow: 2147483598 + 128 cannot be represented in type 'int' Fixes: 12926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5705100733972480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4801eea0d465cd54670e7c19322705544e3e7524) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4ee463b69f30c51d0665bfbd6b80364beb2ba65c --- libavcodec/jpeg2000dwt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index ce1678a3d7..badf0f8cd0 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -531,7 +531,7 @@ static void dwt_decode97_int(DWTContext *s, int32_t *t) } for (i = 0; i < w * h; i++) -data[i] = (data[i] + ((1<>1)) >> I_PRESHIFT; +data[i] = (data[i] + ((1LL<>1)) >> I_PRESHIFT; } int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/h264_direct: Fix overflow in POC comparission
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Feb 14 00:05:34 2019 +0100| [5f52e2c420e0f166d78b6a5d4e592c1483b5aad3] | committer: Michael Niedermayer avcodec/h264_direct: Fix overflow in POC comparission Fixes: runtime error: signed integer overflow: 2147421862 - -33624063 cannot be represented in type 'int' Fixes: 12885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5733516975800320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5ccf296e74725bc8bdfbfe500d0482daa200b6f3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f52e2c420e0f166d78b6a5d4e592c1483b5aad3 --- libavcodec/h264_direct.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index ec9fca0350..a01d823e7a 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -156,8 +156,8 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext * av_log(h->avctx, AV_LOG_ERROR, "co located POCs unavailable\n"); sl->col_parity = 1; } else -sl->col_parity = (FFABS(col_poc[0] - cur_poc) >= - FFABS(col_poc[1] - cur_poc)); +sl->col_parity = (FFABS(col_poc[0] - (int64_t)cur_poc) >= + FFABS(col_poc[1] - (int64_t)cur_poc)); ref1sidx = sidx = sl->col_parity; // FL -> FL & differ parity ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/webmdashenc: Check id in adaption_sets
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Feb 13 10:15:04 2019 +0100| [f1263f5c7d656ddff75a1127aa45d346e35752fb] | committer: Michael Niedermayer avformat/webmdashenc: Check id in adaption_sets Fixes: out of array access Found-by: Wenxiang Qian Signed-off-by: Michael Niedermayer (cherry picked from commit b687b549aa0fb115861b1343208de8c2630803bf) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f1263f5c7d656ddff75a1127aa45d346e35752fb --- libavformat/webmdashenc.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index 1280d8a763..26b8727304 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -466,6 +466,7 @@ static int parse_adaptation_sets(AVFormatContext *s) continue; else if (state == new_set && !strncmp(p, "id=", 3)) { void *mem = av_realloc(w->as, sizeof(*w->as) * (w->nb_as + 1)); +const char *comma; if (mem == NULL) return AVERROR(ENOMEM); w->as = mem; @@ -474,6 +475,11 @@ static int parse_adaptation_sets(AVFormatContext *s) w->as[w->nb_as - 1].streams = NULL; p += 3; // consume "id=" q = w->as[w->nb_as - 1].id; +comma = strchr(p, ','); +if (!comma || comma - p >= sizeof(w->as[w->nb_as - 1].id)) { +av_log(s, AV_LOG_ERROR, "'id' in 'adaptation_sets' is malformed.\n"); +return AVERROR(EINVAL); +} while (*p != ',') *q++ = *p++; *q = 0; p++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
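Review bot: After the new `strchr()` check in parse_adaptation_sets() the length of the id is known (`comma - p`), yet the copy that follows is still `while (*p != ',') *q++ = *p++;`, so the safety of that loop depends on a check a few lines away staying in sync with it. Copying by length, `memcpy(q, p, comma - p); q[comma - p] = 0; p = comma + 1;`, would tie the bound to the copy itself. The `sizeof(w->as[w->nb_as - 1].id)` bound is meaningful only if `id` is a fixed-size array; its declaration is outside the hunk and should be checked.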
[FFmpeg-cvslog] avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393
ffmpeg | branch: release/4.0 | Wenxiang Qian | Wed Feb 13 08:47:20 2019 +0100| [02518ba07fe6ec7295ac9f786965de72a02b6a4e] | committer: Michael Niedermayer avformat/ftp: Fix Out-of-Bounds Access and Information Leak in ftp.c:393 Signed-off-by: Michael Niedermayer (cherry picked from commit a142ffdcaec06fcbf7d4b00dbb0e5ddfb9e3344d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02518ba07fe6ec7295ac9f786965de72a02b6a4e --- libavformat/ftp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/ftp.c b/libavformat/ftp.c index 35bfbd47ab..ba64abb429 100644 --- a/libavformat/ftp.c +++ b/libavformat/ftp.c @@ -389,7 +389,7 @@ static int ftp_file_size(FTPContext *s) static const int size_codes[] = {213, 0}; snprintf(command, sizeof(command), "SIZE %s\r\n", s->path); -if (ftp_send_command(s, command, size_codes, ) == 213 && res) { +if (ftp_send_command(s, command, size_codes, ) == 213 && res && strlen(res) > 4) { s->filesize = strtoll([4], NULL, 10); } else { s->filesize = -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
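Review bot: The added `strlen(res) > 4` keeps `res[4]` inside the reply in ftp_file_size(), but the number after it is still taken from the server unchecked: `strtoll(..., NULL, 10)` returns 0 for non-numeric text and accepts a negative value, and either ends up in `s->filesize`. Parsing with an end pointer and falling back to `-1` when no digits were consumed or the value is negative would treat a malformed SIZE reply like a failed one, roughly `if (end == res + 4 || size < 0) s->filesize = -1;` with `end` and `size` as illustrative locals. How `res` is released is outside the hunk.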
[FFmpeg-cvslog] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces
ffmpeg | branch: release/4.0 | Kevin Backhouse via RT | Wed Feb 6 12:56:01 2019 +| [7dc5c930354c4339ce36a6cc4f2113c9cfd294f5] | committer: Michael Niedermayer avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for handling braces Fixes: [Semmle Security Reports #19439] Fixes: dos_sscanf2.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 894995c41e0795c7a44f81adc4838dedc3932e65) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7dc5c930354c4339ce36a6cc4f2113c9cfd294f5 --- libavcodec/htmlsubtitles.c | 23 +-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index c0cfccfb16..d9221ba16b 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -24,6 +24,7 @@ #include "libavutil/common.h" #include "libavutil/parseutils.h" #include "htmlsubtitles.h" +#include static int html_color_parse(void *log_ctx, const char *str) { @@ -44,14 +45,32 @@ static void rstrip_spaces_buf(AVBPrint *buf) buf->str[--buf->len] = 0; } +/* + * Fast code for scanning text enclosed in braces. Functionally + * equivalent to this sscanf call: + * + * sscanf(in, "{\\an%*1u}%n", ) >= 0 && len > 0 + */ +static int scanbraces(const char* in) { +if (strncmp(in, "{\\an", 4) != 0) { +return 0; +} +if (!isdigit(in[4])) { +return 0; +} +if (in[5] != '}') { +return 0; +} +return 1; +} + /* skip all {\xxx} substrings except for {\an%d} and all microdvd like styles such as {Y:xxx} */ static void handle_open_brace(AVBPrint *dst, const char **inp, int *an, int *closing_brace_missing) { -int len = 0; const char *in = *inp; -*an += sscanf(in, "{\\an%*1u}%n", ) >= 0 && len > 0; +*an += scanbraces(in); if (!*closing_brace_missing) { if ( (*an != 1 && in[1] == '\\') ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
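Review bot: `isdigit(in[4])` in the new scanbraces() passes a plain `char` to a ctype function, which is undefined for negative values. Subtitle text comes from the input file and may contain bytes of 0x80 and above. Cast first, `if (!isdigit((unsigned char)in[4]))`, or use `av_isdigit()` from libavutil/avstring.h, which is also locale-independent. The comment's claim of functional equivalence with the sscanf() call is slightly too strong, because `%u` skips leading whitespace and this code does not; the comment should say so.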
[FFmpeg-cvslog] avformat/http: Fix Out-of-Bounds access in process_line()
ffmpeg | branch: release/4.0 | Wenxiang Qian | Wed Feb 13 08:54:08 2019 +0100| [4a9f11129697a03353ae58ae42d1c3248de3d0aa] | committer: Michael Niedermayer avformat/http: Fix Out-of-Bounds access in process_line() Signed-off-by: Michael Niedermayer (cherry picked from commit 85f91ed760a517c0d5fcf692d40a5a9d7efa9476) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a9f11129697a03353ae58ae42d1c3248de3d0aa --- libavformat/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/http.c b/libavformat/http.c index 4fdb2f13f2..954eee3ba2 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -915,7 +915,7 @@ static int process_line(URLContext *h, char *line, int line_count, while (av_isspace(*p)) p++; resource = p; -while (!av_isspace(*p)) +while (*p && !av_isspace(*p)) p++; *(p++) = '\0'; av_log(h, AV_LOG_TRACE, "Requested resource: %s\n", resource); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
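Review bot: With the added `*p &&` test the scan can now stop on the string terminator, yet the following `*(p++) = '\0';` still advances `p` one byte past it. Any later read through `p` in process_line() would then start beyond the end of the line; the function continues outside the hunk, so that needs checking against the code that follows. Advancing only when a separator was actually found keeps `p` inside the buffer: `if (*p) *(p++) = '\0';`.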
[FFmpeg-cvslog] avformat/matroskadec: Do not leak queued packets on sync errors
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Feb 6 15:29:38 2019 +0100| [c50ba3cb6cec30daa09bb579295ac619498de9ac] | committer: Michael Niedermayer avformat/matroskadec: Do not leak queued packets on sync errors Fixes: memleak Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5649187601121280 Reported-by: Chris Cunningham Tested-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit d1afa7284c3feba4debfebf1b9cf8ad67640e34a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c50ba3cb6cec30daa09bb579295ac619498de9ac --- libavformat/matroskadec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 1ded431b80..37c9a1c11e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3537,7 +3537,7 @@ static int matroska_read_packet(AVFormatContext *s, AVPacket *pkt) ret = matroska_resync(matroska, pos); } -return ret; +return 0; } static int matroska_read_seek(AVFormatContext *s, int stream_index, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
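Review bot: The literal `return 0;` at the end of matroska_read_packet() discards whatever `ret` was assigned from matroska_resync() just above, and nothing at the return says why. A one-line comment such as `/* a packet was delivered; a resync error must not make the caller drop it */` would record the intent, assuming that is what the commit message means. The loop header is outside the hunk, so the exit condition should be confirmed before settling the wording.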
[FFmpeg-cvslog] avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning
ffmpeg | branch: release/4.0 | Kevin Backhouse via RT | Wed Feb 6 11:29:22 2019 +| [381fa4a29d38e4ddef2a83876fb8f76e96f45a5d] | committer: Michael Niedermayer avcodec/htmlsubtitles: Fixes denial of service due to use of sscanf in inner loop for tag scaning Fixes: [Semmle Security Reports #19438] Fixes: dos_sscanf1.mkv Signed-off-by: Michael Niedermayer (cherry picked from commit 1f00c97bc3475c477f3c468cf2d924d5761d0982) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=381fa4a29d38e4ddef2a83876fb8f76e96f45a5d --- libavcodec/htmlsubtitles.c | 30 +- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index fb9f900422..c0cfccfb16 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -75,6 +75,34 @@ struct font_tag { }; /* + * Fast code for scanning the rest of a tag. Functionally equivalent to + * this sscanf call: + * + * sscanf(in, "%127[^<>]>%n", buffer, lenp) == 2 + */ +static int scantag(const char* in, char* buffer, int* lenp) { +int len; + +for (len = 0; len < 128; len++) { +const char c = *in++; +switch (c) { +case '\0': +return 0; +case '<': +return 0; +case '>': +buffer[len] = '\0'; +*lenp = len+1; +return 1; +default: +break; +} +buffer[len] = c; +} +return 0; +} + +/* * The general politic of the convert is to mask unsupported tags or formatting * errors (but still alert the user/subtitles writer with an error/warning) * without dropping any actual text content for the final user. @@ -155,7 +183,7 @@ int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) len = 0; -if (sscanf(in+tag_close+1, "%127[^<>]>%n", buffer, ) >= 1 && len > 0) { +if (scantag(in+tag_close+1, buffer, ) && len > 0) { const int skip = len + tag_close; const char *tagname = buffer; while (*tagname == ' ') { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
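Review bot: scantag() hard-codes the bound `len < 128` and can write `buffer[127]`, so it is safe only while the caller's `buffer` holds at least 128 bytes. That declaration is outside the hunk and nothing ties the two together. Passing the size explicitly (a `size_t buf_size` parameter, `len < buf_size` in the loop and `sizeof(buffer)` at the call site) would keep the bound from drifting. Also, unlike the `%127[^<>]` conversion, which fails on an empty match, this returns 1 with `*lenp = 1` when the first character is `>`, so an empty `<>` now passes the caller's `len > 0` test. The comment's `== 2` does not match the replaced call either, which tested `>= 1`.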
[FFmpeg-cvslog] avcodec/h264_slice: Fix integer overflow in implicit_weight_table()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jan 4 20:00:38 2019 +0100| [5a9170345a29f191269aab4999fac69ce3aa2d29] | committer: Michael Niedermayer avcodec/h264_slice: Fix integer overflow in implicit_weight_table() Fixes: signed integer overflow: 2 * 2132811760 cannot be represented in type 'int' Fixes: 11156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6237685933408256 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 77e56d74f972537aecd5bc2c5c4111e1d6ad0963) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5a9170345a29f191269aab4999fac69ce3aa2d29 --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d71ddbe9ba..0790f32a43 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -671,7 +671,7 @@ static void implicit_weight_table(const H264Context *h, H264SliceContext *sl, in cur_poc = h->cur_pic_ptr->field_poc[h->picture_structure - 1]; } if (sl->ref_count[0] == 1 && sl->ref_count[1] == 1 && !FRAME_MBAFF(h) && -sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2 * cur_poc) { +sl->ref_list[0][0].poc + (int64_t)sl->ref_list[1][0].poc == 2LL * cur_poc) { sl->pwt.use_weight= 0; sl->pwt.use_weight_chroma = 0; return; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/mem: Optimize fill32() by unrolling and using 64bit
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Jan 17 22:35:10 2019 +0100| [63de02051d72cf42e19465300ef8f75d91d261c1] | committer: Michael Niedermayer avutil/mem: Optimize fill32() by unrolling and using 64bit Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit 12b1338be376a3e5fb606d9fe41b58dc4a9e62c7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=63de02051d72cf42e19465300ef8f75d91d261c1 --- libavutil/mem.c | 12 1 file changed, 12 insertions(+) diff --git a/libavutil/mem.c b/libavutil/mem.c index 6149755a6b..88fe09b179 100644 --- a/libavutil/mem.c +++ b/libavutil/mem.c @@ -399,6 +399,18 @@ static void fill32(uint8_t *dst, int len) { uint32_t v = AV_RN32(dst - 4); +#if HAVE_FAST_64BIT +uint64_t v2= v + ((uint64_t)v<<32); +while (len >= 32) { +AV_WN64(dst , v2); +AV_WN64(dst+ 8, v2); +AV_WN64(dst+16, v2); +AV_WN64(dst+24, v2); +dst += 32; +len -= 32; +} +#endif + while (len >= 4) { AV_WN32(dst, v); dst += 4; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Feb 3 15:13:03 2019 +0100| [d5a946615ffc7d7f63485b67ce61f0c9b9fab6cb] | committer: Michael Niedermayer avcodec/sbrdsp_fixed.c: remove input value limit for sbr_sum_square_c() Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024 Fixes: assertion failure in sbr_sum_square_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 4cde7e62dbaa63eda173e8d24a97d273890f282c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5a946615ffc7d7f63485b67ce61f0c9b9fab6cb --- libavcodec/sbrdsp_fixed.c | 34 +++--- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 57d98da979..91fa664c08 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c 
@@ -34,32 +34,36 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) { SoftFloat ret; -uint64_t accu, round; +uint64_t accu = 0, round; uint64_t accu0 = 0, accu1 = 0, accu2 = 0, accu3 = 0; int i, nz, nz0; unsigned u; +nz = 0; for (i = 0; i < n; i += 2) { -// Larger values are inavlid and could cause overflows of accu. -av_assert2(FFABS(x[i + 0][0]) >> 30 == 0); accu0 += (int64_t)x[i + 0][0] * x[i + 0][0]; -av_assert2(FFABS(x[i + 0][1]) >> 30 == 0); accu1 += (int64_t)x[i + 0][1] * x[i + 0][1]; -av_assert2(FFABS(x[i + 1][0]) >> 30 == 0); accu2 += (int64_t)x[i + 1][0] * x[i + 1][0]; -av_assert2(FFABS(x[i + 1][1]) >> 30 == 0); accu3 += (int64_t)x[i + 1][1] * x[i + 1][1]; +if ((accu0|accu1|accu2|accu3) > UINT64_MAX - INT32_MIN*(int64_t)INT32_MIN || i+2>=n) { +accu0 >>= nz; +accu1 >>= nz; +accu2 >>= nz; +accu3 >>= nz; +while ((accu0|accu1|accu2|accu3) > (UINT64_MAX - accu) >> 2) { +accu0 >>= 1; +accu1 >>= 1; +accu2 >>= 1; +accu3 >>= 1; +accu >>= 1; +nz ++; +} +accu += accu0 + accu1 + accu2 + accu3; +accu0 = accu1 = accu2 = accu3 = 0; +} } -nz0 = 15; -while ((accu0|accu1|accu2|accu3) >> 62) { -accu0 >>= 1; -accu1 >>= 1; -accu2 >>= 1; -accu3 >>= 1; -nz0 --; -} -accu = accu0 + accu1 + accu2 + accu3; +nz0 = 15 - nz; u = accu >> 32; if (u) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
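Review bot: The rewritten loop in sbr_sum_square_c() replaces the input-range asserts with on-the-fly rescaling, but no comment states the invariant: `accu` holds the running sum shifted right by `nz` bits, and `nz0 = 15 - nz` compensates for that afterwards. I would add that above the `if`, along with a note that `UINT64_MAX - INT32_MIN*(int64_t)INT32_MIN` is the largest partial sum that can still absorb one more squared term and that `i+2>=n` forces the final flush. The shift `accu0 >>= nz` is well defined only while `nz` stays below 64, which looks guaranteed by the arithmetic but deserves a word in the same comment. The function continues past the hunk.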
[FFmpeg-cvslog] avcodec/tests/rangecoder: initialize array to avoid valgrind warning
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jan 4 02:46:29 2019 +0100| [bf83eadbccbe9536cd71582d0fc3601b9e80bc6c] | committer: Michael Niedermayer avcodec/tests/rangecoder: initialize array to avoid valgrind warning Found-by: jamrial Signed-off-by: Michael Niedermayer (cherry picked from commit c15972f0af7679b466dd4a10a54ab2f04f9372c8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bf83eadbccbe9536cd71582d0fc3601b9e80bc6c --- libavcodec/tests/rangecoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tests/rangecoder.c b/libavcodec/tests/rangecoder.c index 2da5c0ce33..3a8ba6759c 100644 --- a/libavcodec/tests/rangecoder.c +++ b/libavcodec/tests/rangecoder.c @@ -29,7 +29,7 @@ int main(void) { RangeCoder c; -uint8_t b[9 * SIZE]; +uint8_t b[9 * SIZE] = {0}; uint8_t r[9 * SIZE]; int i; uint8_t state[10]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Dec 25 23:15:20 2018 +0100| [f5c6d42124a4ef8c71b8bd5f9ce078384655daf6] | committer: Michael Niedermayer avutil/imgutils: Optimize memset_bytes() by using av_memcpy_backptr() This is strongly based on code by Marton Balint, and depends on the previous commit Fixes: Timeout Fixes: 11502/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 Before: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 11209 ms After: Executed clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WCMV_fuzzer-5664893810769920 in 4104 ms Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f64c0dffa13e6263de3fdff0058ab2fdb03ac1d6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f5c6d42124a4ef8c71b8bd5f9ce078384655daf6 --- libavutil/imgutils.c | 27 +-- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/libavutil/imgutils.c b/libavutil/imgutils.c index 4938a7ef67..afc73e2def 100644 --- a/libavutil/imgutils.c +++ b/libavutil/imgutils.c @@ -501,7 +501,6 @@ int av_image_copy_to_buffer(uint8_t *dst, int dst_size, static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, size_t clear_size) { -size_t pos = 0; int same = 1; int i; 
@@ -521,28 +520,12 @@ static void memset_bytes(uint8_t *dst, size_t dst_size, uint8_t *clear, if (clear_size == 1) { memset(dst, clear[0], dst_size); dst_size = 0; -} else if (clear_size == 2) { -uint16_t val = AV_RN16(clear); -for (; dst_size >= 2; dst_size -= 2) { -AV_WN16(dst, val); -dst += 2; -} -} else if (clear_size == 4) { -uint32_t val = AV_RN32(clear); -for (; dst_size >= 4; dst_size -= 4) { -AV_WN32(dst, val); -dst += 4; -} -} else if (clear_size == 8) { -uint32_t val = AV_RN64(clear); -for (; dst_size >= 8; dst_size -= 8) { -AV_WN64(dst, val); -dst += 8; -} +} else { +if (clear_size > dst_size) +clear_size = dst_size; +memcpy(dst, clear, clear_size); +av_memcpy_backptr(dst + clear_size, clear_size, dst_size - clear_size); } - -for (; dst_size; dst_size--) -*dst++ = clear[pos++ % clear_size]; } // Maximum size in bytes of a plane element (usually a pixel, or multiple pixels ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
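Review bot: The new `else` branch of memset_bytes() hands `size_t` values to av_memcpy_backptr(), whose `back` and `cnt` parameters are `int`, so `dst_size - clear_size` is narrowed implicitly. Whether a caller can pass a size above INT_MAX is not visible in this hunk. If one can, the fill should be done in chunks of at most INT_MAX bytes, or the limit enforced before the call, so that a large plane is never filled short or given a wrapped count. The function starts in the previous hunk.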
[FFmpeg-cvslog] avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Feb 12 23:28:35 2019 +0100| [5f799f0cee95fc92fdcaba543f491be997f5c52a] | committer: Michael Niedermayer avformat/mov: Do not use reference stream in mov_read_sidx() if there is no reference stream Fixes: NULL pointer dereference Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-5634316373721088 Reported-by: Chris Cunningham Signed-off-by: Michael Niedermayer (cherry picked from commit b0d8b7cb8e86367178ef0c35dcae359d820c3b27) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f799f0cee95fc92fdcaba543f491be997f5c52a --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8e38ad2ff6..14a02dc4e6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5029,7 +5029,7 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) } } } -for (i = 0; i < c->fc->nb_streams; i++) { +if (ref_st) for (i = 0; i < c->fc->nb_streams; i++) { st = c->fc->streams[i]; sc = st->priv_data; if (!sc->has_sidx) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
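Review bot: `if (ref_st) for (i = 0; i < c->fc->nb_streams; i++) {` puts an unbraced `if` and the `for` header on one line, which hides the NULL guard and makes the loop's closing brace look like the end of an ordinary loop. A braced guard, `if (ref_st) {` around the loop, keeps the fix visible to the next person who edits mov_read_sidx(). The loop body ends outside the hunk.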
[FFmpeg-cvslog] avcodec/fic: Check that there is input left in fic_decode_block()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jan 23 00:30:53 2019 +0100| [c600c06af96e7cadae6b77e54b220c1c2a240a80] | committer: Michael Niedermayer avcodec/fic: Check that there is input left in fic_decode_block() Fixes: Timeout Fixes: 12450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5661984622641152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db1c4acd02af4de5dfbea6012c296470679aa7a6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c600c06af96e7cadae6b77e54b220c1c2a240a80 --- libavcodec/fic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 0b491ef7de..b7b834596b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -139,6 +139,9 @@ static int fic_decode_block(FICContext *ctx, GetBitContext *gb, { int i, num_coeff; +if (get_bits_left(gb) < 8) +return AVERROR_INVALIDDATA; + /* Is it a skip block? */ if (get_bits1(gb)) { *is_p = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear interlaced_dct for studio profile
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Feb 15 01:57:09 2019 +0100| [8183623ca38cbeb5bceddc874f218fec66bd802b] | committer: Michael Niedermayer avcodec/mpeg4videodec: Clear interlaced_dct for studio profile Fixes: Out of array access Fixes: 13090/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5408668986638336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 1f686d023b95219db933394a7704ad9aa5f01cbb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8183623ca38cbeb5bceddc874f218fec66bd802b --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 1776efa9ae..e0cfff170f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2968,6 +2968,7 @@ static int decode_studio_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) return 0; s->partitioned_frame = 0; +s->interlaced_dct = 0; s->decode_mb = mpeg4_decode_studio_mb; decode_smpte_tc(ctx, gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/rtsp: Check number of streams in sdp_parse_line()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jan 25 21:30:04 2019 +0100| [a066fc25ca7a925b4ba28c6602dd45d98d943148] | committer: Michael Niedermayer avformat/rtsp: Check number of streams in sdp_parse_line() Fixes: OOM Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 497c9b0cce559d43607bbbd679fe42f1d7e9040e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a066fc25ca7a925b4ba28c6602dd45d98d943148 --- libavformat/rtsp.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 82c6c12af5..975637cf54 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -454,7 +454,10 @@ static void sdp_parse_line(AVFormatContext *s, SDPParseState *s1, } else if (!strcmp(st_type, "text")) { codec_type = AVMEDIA_TYPE_SUBTITLE; } -if (codec_type == AVMEDIA_TYPE_UNKNOWN || !(rt->media_type_mask & (1 << codec_type))) { +if (codec_type == AVMEDIA_TYPE_UNKNOWN || +!(rt->media_type_mask & (1 << codec_type)) || +rt->nb_rtsp_streams >= s->max_streams +) { s1->skip_media = 1; return; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
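Review bot: When `rt->nb_rtsp_streams >= s->max_streams` the media section is skipped through the same silent path as an unknown or masked type. A session description that hits the limit therefore loses streams with no trace in the log. Splitting that condition out and logging before `s1->skip_media = 1;`, for example `av_log(s, AV_LOG_WARNING, "Too many streams, ignoring further media sections\n");`, would make the cap visible to whoever has to diagnose a truncated session. sdp_parse_line() continues outside the hunk.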
[FFmpeg-cvslog] avformat/mov.c: require tfhd to begin parsing trun
ffmpeg | branch: release/4.0 | chcunningham | Wed Feb 6 16:12:51 2019 -0800| [12a09ce975145c2641877bb0253c0ad905a28f97] | committer: Michael Niedermayer avformat/mov.c: require tfhd to begin parsing trun Detecting missing tfhd avoids re-using tfhd track info from the previous moof. For files with multiple tracks, this may make a mess of the avindex and fragindex, which can later trigger av_assert0 in mov_read_trun(). Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 3ea87e5d9ea075d5b3c0f4f8c6c48e514b454cbe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=12a09ce975145c2641877bb0253c0ad905a28f97 --- libavformat/isom.h | 1 + libavformat/mov.c | 10 ++ 2 files changed, 11 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index 4da34142f0..0f81bef4cc 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -85,6 +85,7 @@ typedef struct MOVAtom { struct MOVParseTableEntry; typedef struct MOVFragment { +int found_tfhd; unsigned track_id; uint64_t base_data_offset; uint64_t moof_offset; diff --git a/libavformat/mov.c b/libavformat/mov.c index 1864810846..60ad594381 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1368,6 +1368,9 @@ static void fix_frag_index_entries(MOVFragmentIndex *frag_index, int index, static int mov_read_moof(MOVContext *c, AVIOContext *pb, MOVAtom atom) { +// Set by mov_read_tfhd(). mov_read_trun() will reject files missing tfhd. +c->fragment.found_tfhd = 0; + if (!c->has_looked_for_mfra && c->use_mfra_for > 0) { c->has_looked_for_mfra = 1; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { @@ -4531,6 +4534,8 @@ static int mov_read_tfhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) MOVTrackExt *trex = NULL; int flags, track_id, i; +c->fragment.found_tfhd = 1; + avio_r8(pb); /* version */ flags = avio_rb24(pb); 
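Review bot: In the mov_read_tfhd() hunk `c->fragment.found_tfhd = 1;` is set before anything in the box has been read. If the tfhd is rejected or ignored further down (the parsing and any early returns are outside the hunk), the next trun would still pass the new `!frag->found_tfhd` check in mov_read_trun() with the previous fragment's track info. Setting the flag only once the track id has been read and accepted would match the intent stated in the commit message.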
@@ -4666,6 +4671,11 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) AVIndexEntry *new_entries; MOVFragmentStreamInfo * frag_stream_info; +if (!frag->found_tfhd) { +av_log(c->fc, AV_LOG_ERROR, "trun track id unknown, no tfhd was found\n"); +return AVERROR_INVALIDDATA; +} + for (i = 0; i < c->fc->nb_streams; i++) { if (c->fc->streams[i]->id == frag->track_id) { st = c->fc->streams[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Check component quant
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Nov 14 09:42:44 2018 +0100| [1e09bf4d10289d035916258862613241790c7225] | committer: Michael Niedermayer avcodec/diracdec: Check component quant Fixes: Timeout Fixes: 10708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5730140957442048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c96c2ce2781c2cd147a9f3c299e18ce1dc7ff8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1e09bf4d10289d035916258862613241790c7225 --- libavcodec/diracdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9a417caec5..37c976def7 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -668,6 +668,10 @@ static void decode_component(DiracContext *s, int comp) b->length = get_interleaved_ue_golomb(>gb); if (b->length) { b->quant = get_interleaved_ue_golomb(>gb); +if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { +av_log(s->avctx, AV_LOG_ERROR, "Unsupported quant %d\n", b->quant); +b->quant = 0; +} align_get_bits(>gb); b->coeff_data = s->gb.buffer + get_bits_count(>gb)/8; b->length = FFMIN(b->length, FFMAX(get_bits_left(>gb)/8, 0)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
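Review bot: The new check in decode_component() bounds `b->quant` only from above, and the `%d` in the log call suggests the field is a signed int. If so, a very large decoded value would wrap negative and pass `b->quant > (DIRAC_MAX_QUANT_INDEX - 1)`; in that case compare as unsigned, `if ((unsigned)b->quant > DIRAC_MAX_QUANT_INDEX - 1) {`. The error path also substitutes `b->quant = 0` and keeps decoding, so a short comment should say that the substitution is deliberate because the function returns void.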
[FFmpeg-cvslog] avcodec/pgssubdec: Check for duplicate display segments
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jan 29 01:06:01 2019 +0100| [b9269c960cae81b5cc503e6629892894380a5527] | committer: Michael Niedermayer avcodec/pgssubdec: Check for duplicate display segments In such a duplication the previous gets overwritten and leaks Fixes: memleak Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e35c3d887b3e374c6a091342206a42da48785d70) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9269c960cae81b5cc503e6629892894380a5527 --- libavcodec/pgssubdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index b897d72aab..8c10f6d573 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -676,6 +676,11 @@ static int decode(AVCodecContext *avctx, void *data, int *data_size, */ break; case DISPLAY_SEGMENT: +if (*data_size) { +av_log(avctx, AV_LOG_ERROR, "Duplicate display segment\n"); +ret = AVERROR_INVALIDDATA; +break; +} ret = display_end_segment(avctx, data, buf, segment_length); if (ret >= 0) *data_size = ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: validate chunk_count vs stsc_data
ffmpeg | branch: release/4.0 | chcunningham | Thu Feb 7 14:58:17 2019 -0800| [32017af5ef62c9fccf33b4ee240e33da80c5eefa] | committer: Michael Niedermayer avformat/mov: validate chunk_count vs stsc_data Bad content may contain stsc boxes with a first_chunk index that exceeds stco.entries (chunk_count). This ammends the existing check to include cases where chunk_count == 0. It also patches up the case when stsc refers to unknown chunks, but stts has no samples (so we can simply ignore stsc). Signed-off-by: Michael Niedermayer (cherry picked from commit 1c15449ca9a5bfa387868ac55628397273da761f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=32017af5ef62c9fccf33b4ee240e33da80c5eefa --- libavformat/mov.c | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 60ad594381..8e38ad2ff6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2692,8 +2692,11 @@ static inline int64_t mov_get_stsc_samples(MOVStreamContext *sc, unsigned int in if (mov_stsc_index_valid(index, sc->stsc_count)) chunk_count = sc->stsc_data[index + 1].first - sc->stsc_data[index].first; -else +else { +// Validation for stsc / stco happens earlier in mov_read_stsc + mov_read_trak. +av_assert0(sc->stsc_data[index].first <= sc->chunk_count); chunk_count = sc->chunk_count - (sc->stsc_data[index].first - 1); +} return sc->stsc_data[index].count * (int64_t)chunk_count; } @@ -4157,6 +4160,13 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) c->trak_index = -1; +// Here stsc refers to a chunk not described in stco. This is technically invalid, +// but we can overlook it (clearing stsc) whenever stts_count == 0 (indicating no samples). +if (!sc->chunk_count && !sc->stts_count && sc->stsc_count) { +sc->stsc_count = 0; +av_freep(>stsc_data); +} + /* sanity checks */ if ((sc->chunk_count && (!sc->stts_count || !sc->stsc_count || (!sc->sample_size && !sc->sample_count))) || 
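Review bot: `av_assert0(sc->stsc_data[index].first <= sc->chunk_count);` in mov_get_stsc_samples() turns a file-derived inconsistency into a process abort if any path reaches this function without passing the checks in mov_read_trak(). av_assert0() stays active in all builds. Because both values come from the container, a defensive return fails more gently, e.g. `if (sc->stsc_data[index].first > sc->chunk_count) return 0;`, provided callers tolerate a zero sample count. The function starts outside the hunk.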
@@ -4165,7 +4175,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } -if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { +if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jan 28 00:53:22 2019 +0100| [636e66f3500108476ef6d251bf53587d1c7b86d5] | committer: Michael Niedermayer avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect() Fixes: Infinite loop Found-by: Michael Hanselmann Reviewed-by: Michael Hanselmann Signed-off-by: Michael Niedermayer (cherry picked from commit 0b50f27635f684ec0526e9975c9979f35bbf486b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=636e66f3500108476ef6d251bf53587d1c7b86d5 --- libavformat/rtsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index ceb770a3a4..82c6c12af5 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1663,7 +1663,7 @@ int ff_rtsp_connect(AVFormatContext *s) char tcpname[1024], cmd[2048], auth[128]; const char *lower_rtsp_proto = "tcp"; int port, err, tcp_fd; -RTSPMessageHeader reply1 = {0}, *reply = +RTSPMessageHeader reply1, *reply = int lower_transport_mask = 0; int default_port = RTSP_DEFAULT_PORT; char real_challenge[64] = ""; @@ -1692,6 +1692,7 @@ int ff_rtsp_connect(AVFormatContext *s) rt->lower_transport_mask &= (1 << RTSP_LOWER_TRANSPORT_NB) - 1; redirect: +memset(, 0, sizeof(reply1)); /* extract hostname and port */ av_url_split(proto, sizeof(proto), auth, sizeof(auth), host, sizeof(host), , path, sizeof(path), s->url); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
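Review bot: Dropping the `= {0}` initializer in the first hunk leaves `reply1` indeterminate until the `memset` after `redirect:` runs, so correctness now depends on nothing between the declaration and the label reading `reply`. That stretch of ff_rtsp_connect is outside both hunks; if any early exit there touches `reply`, keep the initializer as well as the per-iteration clear. A short comment at the label would record why the clear is there, e.g. `/* reset per attempt so a reply from the previous attempt cannot leak into this one */`.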
[FFmpeg-cvslog] avcodec/tiff: Check for 12bit gray fax
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Jan 12 19:37:18 2019 +0100| [fcfa104b0e0521dfdb8e5d3d07b81f7552d00b2b] | committer: Michael Niedermayer avcodec/tiff: Check for 12bit gray fax Fixes: Assertion failure Fixes: 11898/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5759794191794176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec28a85107cccece4dce17c0ccb633defe2d6e98) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fcfa104b0e0521dfdb8e5d3d07b81f7552d00b2b --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 1b332a754d..9c13a758ee 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -571,7 +571,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (s->compr == TIFF_CCITT_RLE || s->compr == TIFF_G3|| s->compr == TIFF_G4) { -if (is_yuv) +if (is_yuv || p->format == AV_PIX_FMT_GRAY12) return AVERROR_INVALIDDATA; return tiff_unpack_fax(s, dst, stride, src, size, width, lines); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
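Review bot: The added `p->format == AV_PIX_FMT_GRAY12` test rejects one more format by name, next to `is_yuv`, before `tiff_unpack_fax` is called; a check that names the formats the fax path can write into would not need another entry the next time a pixel format is added. Which formats tiff_unpack_fax supports is not visible in this hunk, so that list has to come from the function itself. The rejection is also silent, and a log line such as `av_log(s->avctx, AV_LOG_ERROR, "fax compression with unsupported pixel format\n");` would help when triaging a rejected file.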
[FFmpeg-cvslog] avcodec/exr: Check for duplicate channel index
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Dec 25 18:41:58 2018 +0100| [6c2b4c716b1b5a0a2b8ec98465abcd85f6ccf9a5] | committer: Michael Niedermayer avcodec/exr: Check for duplicate channel index Fixes: Out of memory Fixes: 11582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5730204559867904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f9728feaf90eb7493f8872356f54150efafb59cc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6c2b4c716b1b5a0a2b8ec98465abcd85f6ccf9a5 --- libavcodec/exr.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 5253cc3f13..13755e1e6e 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1463,6 +1463,11 @@ static int decode_header(EXRContext *s, AVFrame *frame) } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; +} else if (channel_index >= 0) { +av_log(s->avctx, AV_LOG_ERROR, +"Multiple channels with index %d.\n", channel_index); +ret = AVERROR_INVALIDDATA; +goto fail; } s->channels = av_realloc(s->channels, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/exr: set layer_match in all branches
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Dec 25 21:30:54 2018 +0100| [11e8ea4d0a8531f26af161a9893057ce1e5d6af3] | committer: Michael Niedermayer avcodec/exr: set layer_match in all branches Otherwise it is left to the value from the previous iteration Signed-off-by: Michael Niedermayer (cherry picked from commit 433d2ae4353f3c513a45780845d9d8ca252cd4dc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11e8ea4d0a8531f26af161a9893057ce1e5d6af3 --- libavcodec/exr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 13755e1e6e..0f8b0fda9f 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1389,6 +1389,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (*ch_gb.buffer == '.') ch_gb.buffer++; /* skip dot if not given */ } else { +layer_match = 0; av_log(s->avctx, AV_LOG_INFO, "Channel doesn't match layer : %s.\n", ch_gb.buffer); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] configure: bump year
ffmpeg | branch: release/4.0 | James Almer | Tue Jan 1 15:26:31 2019 -0300| [48ca78728afcbaf22f78942a5d6aee912c297c01] | committer: Michael Niedermayer configure: bump year Happy new year! (cherry picked from commit 3209d7b3930bab554bf7d97d8041d9d0b88423a8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=48ca78728afcbaf22f78942a5d6aee912c297c01 --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 172611bb4a..fca17e6d9c 100755 --- a/configure +++ b/configure @@ -7155,7 +7155,7 @@ cat > $TMPH
[FFmpeg-cvslog] avformat/wvdec: detect and error out on WavPack DSD files
ffmpeg | branch: release/4.0 | David Bryant | Tue Nov 20 21:00:47 2018 -0800| [cdf1dc136caa5844d4b8c024b35a36aa76e0f545] | committer: Michael Niedermayer avformat/wvdec: detect and error out on WavPack DSD files Not currently supported. (cherry picked from commit db109373d87b1fa5fe9f3d027d1bb752f725b74a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cdf1dc136caa5844d4b8c024b35a36aa76e0f545 --- libavformat/wvdec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/wvdec.c b/libavformat/wvdec.c index 82526563ec..2060523c3b 100644 --- a/libavformat/wvdec.c +++ b/libavformat/wvdec.c @@ -40,6 +40,7 @@ enum WV_FLAGS { WV_HBAL = 0x0400, WV_MCINIT = 0x0800, WV_MCEND = 0x1000, +WV_DSD= 0x8000, }; static const int wv_rates[16] = { @@ -97,6 +98,11 @@ static int wv_read_block_header(AVFormatContext *ctx, AVIOContext *pb) return ret; } +if (wc->header.flags & WV_DSD) { +avpriv_report_missing_feature(ctx, "WV DSD"); +return AVERROR_PATCHWELCOME; +} + if (wc->header.version < 0x402 || wc->header.version > 0x410) { avpriv_report_missing_feature(ctx, "WV version 0x%03X", wc->header.version); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] postproc/postprocess_template: remove FF_REG_sp from clobber list
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Dec 20 22:40:06 2018 +0100| [33555963259c51263ea622434726574d1fd6fedb] | committer: Michael Niedermayer postproc/postprocess_template: remove FF_REG_sp from clobber list Future gcc may no longer support this Tested-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit c1cbeb87db4bfc6e281e4254a6c7fdd3854fc9b9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33555963259c51263ea622434726574d1fd6fedb --- libpostproc/postprocess_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 485eb5cfc0..b0adfd168c 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1317,7 +1317,7 @@ DERING_CORE((%0, %1, 8) ,(%%FF_REGd, %1, 4),%%mm2,%%mm4,%%mm0,%%mm3,%%mm5, "1:\n\t" : : "r" (src), "r" ((x86_reg)stride), "m" (c->pQPb), "m"(c->pQPb2), "q"(tmp) NAMED_CONSTRAINTS_ADD(deringThreshold,b00,b02,b08) -: "%"FF_REG_a, "%"FF_REG_d, "%"FF_REG_sp +: "%"FF_REG_a, "%"FF_REG_d ); #else // HAVE_7REGS && (TEMPLATE_PP_MMXEXT || TEMPLATE_PP_3DNOW) int y; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mpegts: Fix side data type for stream id
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 7 21:51:48 2018 +0100| [d0e900187c2df1df183eb3f5cdd77048338cfd44] | committer: Michael Niedermayer avformat/mpegts: Fix side data type for stream id Signed-off-by: Michael Niedermayer (cherry picked from commit ab1319d82f0c77308792fa2d88cbfc73c3e47cb7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0e900187c2df1df183eb3f5cdd77048338cfd44 --- libavformat/mpegts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index a21668d3c1..92baca61a4 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -900,7 +900,7 @@ static void new_data_packet(const uint8_t *buffer, int len, AVPacket *pkt) static int new_pes_packet(PESContext *pes, AVPacket *pkt) { -char *sd; +uint8_t *sd; av_init_packet(pkt); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/4xm: Fix returned error codes
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Dec 31 18:11:44 2018 +0100| [96ef96f6ba8f43e00b631506b78fc6afcbe4e3f8] | committer: Michael Niedermayer avcodec/4xm: Fix returned error codes Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 07607a1db879d0d96e2c91e1354bc4e425937d3a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96ef96f6ba8f43e00b631506b78fc6afcbe4e3f8 --- libavcodec/4xm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 5547dfd87f..8e05a4c366 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c @@ -498,7 +498,7 @@ static int decode_i_block(FourXContext *f, int16_t *block) if (get_bits_left(>gb) < 2){ av_log(f->avctx, AV_LOG_ERROR, "%d bits left before decode_i_block()\n", get_bits_left(>gb)); -return -1; +return AVERROR_INVALIDDATA; } /* DC coef */ @@ -732,7 +732,7 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length) for (x = 0; x < width; x += 16) { unsigned int color[4] = { 0 }, bits; if (buf_end - buf < 8) -return -1; +return AVERROR_INVALIDDATA; // warning following is purely guessed ... color[0] = bytestream2_get_le16u(); color[1] = bytestream2_get_le16u(); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/fic: Fail on invalid slice size/off
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Dec 16 21:43:07 2018 +0100| [67bc75d5b1bc48ee29c9bc9ac07a7ecbafdd7a8a] | committer: Michael Niedermayer avcodec/fic: Fail on invalid slice size/off Fixes: Timeout Fixes: 11486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5677133863583744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 30a7a81cdc2ee2eac6d3271439c43f11b7327b3e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67bc75d5b1bc48ee29c9bc9ac07a7ecbafdd7a8a --- libavcodec/fic.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index c288c9771b..0b491ef7de 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -380,6 +380,8 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, slice_h = FFALIGN(avctx->height - ctx->slice_h * (nslices - 1), 16); } else { slice_size = AV_RB32(src + tsize + FIC_HEADER_SIZE + slice * 4 + 4); +if (slice_size < slice_off) +return AVERROR_INVALIDDATA; } if (slice_size < slice_off || slice_size > msize) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/libopenmpt: Fix successfull typo
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 28 22:22:52 2018 +0100| [ab0a8e477242c0cf2c7fa509a11ac27fdbcdb932] | committer: Michael Niedermayer avformat/libopenmpt: Fix successfull typo Reviewed-by: Lou Logan Signed-off-by: Michael Niedermayer (cherry picked from commit 571af98a5959d72c65a6753eb8e82cde407f4cd0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ab0a8e477242c0cf2c7fa509a11ac27fdbcdb932 --- libavformat/libopenmpt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c index 0fff702a36..a334270847 100644 --- a/libavformat/libopenmpt.c +++ b/libavformat/libopenmpt.c @@ -259,7 +259,7 @@ static int read_probe_openmpt(AVProbeData *p) } else { /* The file extension is unknown and we have very few data * bytes available. libopenmpt cannot decide anything here, - * and returning any score > 0 would result in successfull + * and returning any score > 0 would result in successful * probing of random data. */ return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/v4l2_m2m: fix cant typo
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 28 22:22:53 2018 +0100| [472498ed473f28d4c634d47255a74e8b7fb270e1] | committer: Michael Niedermayer avcodec/v4l2_m2m: fix cant typo Reviewed-by: Lou Logan Signed-off-by: Michael Niedermayer (cherry picked from commit 062bf5639359e183e016bcb795ac10735f83e863) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=472498ed473f28d4c634d47255a74e8b7fb270e1 --- libavcodec/v4l2_m2m.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/v4l2_m2m.h b/libavcodec/v4l2_m2m.h index 452bf0d9bc..0d4671beb1 100644 --- a/libavcodec/v4l2_m2m.h +++ b/libavcodec/v4l2_m2m.h @@ -104,7 +104,7 @@ int ff_v4l2_m2m_codec_init(AVCodecContext *avctx); int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the capture parameters. * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. @@ -114,7 +114,7 @@ int ff_v4l2_m2m_codec_end(AVCodecContext *avctx); int ff_v4l2_m2m_codec_reinit(V4L2m2mContext *ctx); /** - * Reinitializes the V4L2m2mContext when the driver cant continue processing + * Reinitializes the V4L2m2mContext when the driver cannot continue processing * with the any of the current V4L2Contexts (ie, changes in output and capture). * * @param[in] ctx The V4L2m2mContext instantiated by the encoder/decoder. ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mjpegbdec: Fix some misplaced {} and spaces
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 28 22:22:56 2018 +0100| [541b627962562015f3bd48a0f5617ab4a89d6263] | committer: Michael Niedermayer avcodec/mjpegbdec: Fix some misplaced {} and spaces Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit 11a8d2ccab1fe165eef4578c048d38731dbe1d6f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=541b627962562015f3bd48a0f5617ab4a89d6263 --- libavcodec/mjpegbdec.c | 24 +--- 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index a858707d54..8583fcb4f9 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -70,8 +70,7 @@ read_header: skip_bits(, 32); /* reserved zeros */ -if (get_bits_long(, 32) != MKBETAG('m','j','p','g')) -{ +if (get_bits_long(, 32) != MKBETAG('m','j','p','g')) { av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n"); return AVERROR_INVALIDDATA; } @@ -85,19 +84,17 @@ read_header: dqt_offs = read_offs(avctx, , buf_end - buf_ptr, "dqt is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dqt offs: 0x%"PRIx32"\n", dqt_offs); -if (dqt_offs) -{ +if (dqt_offs) { init_get_bits(>gb, buf_ptr+dqt_offs, (buf_end - (buf_ptr+dqt_offs))*8); s->start_code = DQT; if (ff_mjpeg_decode_dqt(s) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; +return AVERROR_INVALIDDATA; } dht_offs = read_offs(avctx, , buf_end - buf_ptr, "dht is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "dht offs: 0x%"PRIx32"\n", dht_offs); -if (dht_offs) -{ +if (dht_offs) { init_get_bits(>gb, buf_ptr+dht_offs, (buf_end - (buf_ptr+dht_offs))*8); s->start_code = DHT; ff_mjpeg_decode_dht(s); 
@@ -105,8 +102,7 @@ read_header: sof_offs = read_offs(avctx, , buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sof offs: 0x%"PRIx32"\n", sof_offs); -if (sof_offs) -{ +if (sof_offs) { init_get_bits(>gb, buf_ptr+sof_offs, (buf_end - (buf_ptr+sof_offs))*8); s->start_code = SOF0; if (ff_mjpeg_decode_sof(s) < 0) @@ -117,25 +113,23 @@ read_header: av_log(avctx, AV_LOG_DEBUG, "sos offs: 0x%"PRIx32"\n", sos_offs); sod_offs = read_offs(avctx, , buf_end - buf_ptr, "sof is %d and size is %d\n"); av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%"PRIx32"\n", sod_offs); -if (sos_offs) -{ +if (sos_offs) { init_get_bits(>gb, buf_ptr + sos_offs, 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(>gb, 16)); s->start_code = SOS; if (ff_mjpeg_decode_sos(s, NULL, 0, NULL) < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return AVERROR_INVALIDDATA; +return AVERROR_INVALIDDATA; } if (s->interlaced) { s->bottom_field ^= 1; /* if not bottom field, do not output image yet */ -if (s->bottom_field != s->interlace_polarity && second_field_offs) -{ +if (s->bottom_field != s->interlace_polarity && second_field_offs) { buf_ptr = buf + second_field_offs; goto read_header; -} +} } //XXX FIXME factorize, this looks very similar to the EOI code ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/nutenc: Document trailer index assert better
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 14 21:52:09 2018 +0100| [b80d504412334a7341b15491b7327531a669e430] | committer: Michael Niedermayer avformat/nutenc: Document trailer index assert better Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 3a95b73abc868995b08ca2b4d8bbf2cda43184f8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b80d504412334a7341b15491b7327531a669e430 --- libavformat/nutenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c index a92ff55c01..e9a3bb49db 100644 --- a/libavformat/nutenc.c +++ b/libavformat/nutenc.c @@ -1172,7 +1172,7 @@ static int nut_write_trailer(AVFormatContext *s) ret = avio_open_dyn_buf(_bc); if (ret >= 0 && nut->sp_count) { -av_assert1(nut->write_index); +av_assert1(nut->write_index); // sp_count should be 0 if no index is going to be written write_index(nut, dyn_bc); put_packet(nut, bc, dyn_bc, 1, INDEX_STARTCODE); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Nov 29 02:32:10 2018 +0100| [ee20d64bec7e78cc1b3552cc12029c4252bd7958] | committer: Michael Niedermayer avcodec/msmpeg4dec: Skip frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11318/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSMPEG4V1_fuzzer-5710884555456512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 09ec182864d41c990bc18f620eabb77444aeff57) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee20d64bec7e78cc1b3552cc12029c4252bd7958 --- libavcodec/msmpeg4dec.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 457a37e745..16b67192b5 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -412,6 +412,14 @@ int ff_msmpeg4_decode_picture_header(MpegEncContext * s) { int code; +// at minimum one bit per macroblock is required at least in a valid frame, +// we discard frames much smaller than this. Frames smaller than 1/8 of the +// smallest "black/skip" frame generally contain not much recoverable content +// while at the same time they have the highest computational requirements +// per byte +if (get_bits_left(>gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) +return AVERROR_INVALIDDATA; + if(s->msmpeg4_version==1){ int start_code = get_bits_long(>gb, 32); if(start_code!=0x0100){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
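Review bot: The right-hand side of the new size check, `(s->width+15)/16 * ((s->height+15)/16)`, is multiplied in `int`, and only the left-hand side is widened by `8LL`. Casting one factor, `(int64_t)((s->width+15)/16) * ((s->height+15)/16)`, keeps the whole comparison in 64 bits regardless of what bounds on width and height are enforced elsewhere. The same expression and comment are added again in ff_wmv2_decode_secondary_picture_header (the wmv2dec commit further down this page), so a small shared helper would keep the two thresholds from drifting apart. The comment's first sentence could be tightened to `// a valid frame needs at least one bit per macroblock`.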
[FFmpeg-cvslog] avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa
ffmpeg | branch: release/4.0 | gxw | Mon Dec 24 14:07:44 2018 +0800| [4dbfbcef16703ed44c1c1605827cb27945a3c897] | committer: Michael Niedermayer avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when enable msa The AV_INPUT_BUFFER_PADDING_SIZE has been increased to 64, but the value is still 32 in function ff_hevc_sao_edge_filter_8_msa. So, use AV_INPUT_BUFFER_PADDING_SIZE directly. Also, use MAX_PB_SIZE directly instead of 64. Fate tests passed. Reviewed-by: Derek Buitenhuis Signed-off-by: Michael Niedermayer (cherry picked from commit f652c7a45c60427db0a89fae665e63b546af6ebb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4dbfbcef16703ed44c1c1605827cb27945a3c897 --- libavcodec/mips/hevc_lpf_sao_msa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mips/hevc_lpf_sao_msa.c b/libavcodec/mips/hevc_lpf_sao_msa.c index 5b5537a264..adcafde621 100644 --- a/libavcodec/mips/hevc_lpf_sao_msa.c +++ b/libavcodec/mips/hevc_lpf_sao_msa.c @@ -2630,7 +2630,7 @@ void ff_hevc_sao_edge_filter_8_msa(uint8_t *dst, uint8_t *src, int16_t *sao_offset_val, int eo, int width, int height) { -ptrdiff_t stride_src = (2 * 64 + 32) / sizeof(uint8_t); +ptrdiff_t stride_src = (2 * MAX_PB_SIZE + AV_INPUT_BUFFER_PADDING_SIZE) / sizeof(uint8_t); switch (eo) { case 0: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
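Review bot: `stride_src` has to equal the row pitch of the buffer the caller passes as `src`, and the commit message says the hard-coded 32 went stale when AV_INPUT_BUFFER_PADDING_SIZE was raised. Using the two macros fixes the value, but the formula is still written out here independently of wherever that buffer is laid out, which is outside this hunk. Defining the pitch once next to the buffer and using it in both places would stop the two from diverging again. Failing that, a comment such as `/* must match the pitch of the caller's SAO source buffer */` would at least flag the dependency.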
[FFmpeg-cvslog] avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Dec 4 16:29:40 2018 +0100| [7070de99c082c89c8f940fe8c7cd4bdc25ceb59b] | committer: Michael Niedermayer avcodec/ppc/hevcdsp: Fix build failures with powerpc-linux-gnu-gcc-4.8 with --disable-optimizations The affected functions could also be changed into macros, this is the smaller change to fix it though. And avoids (probably) less readable macros The extra code should be optimized out when optimizations are done as all values are known at build after inlining. Signed-off-by: Michael Niedermayer (cherry picked from commit 2c64a6bcd280c64997e6c4799bc89c0a9393bbf3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7070de99c082c89c8f940fe8c7cd4bdc25ceb59b --- libavcodec/ppc/hevcdsp.c | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/libavcodec/ppc/hevcdsp.c b/libavcodec/ppc/hevcdsp.c index 4b1037d792..42a5bc487d 100644 --- a/libavcodec/ppc/hevcdsp.c +++ b/libavcodec/ppc/hevcdsp.c @@ -57,7 +57,13 @@ static void transform4x4(vec_s16 src_01, vec_s16 src_23, vec_s32 res[4], e1 = vec_msums(src_02, trans4[2], zero); o1 = vec_msums(src_13, trans4[3], zero); -add = vec_sl(vec_splat_s32(1), vec_splat_u32(shift - 1)); +switch(shift) { +case 7: add = vec_sl(vec_splat_s32(1), vec_splat_u32( 7 - 1)); break; +case 10: add = vec_sl(vec_splat_s32(1), vec_splat_u32(10 - 1)); break; +case 12: add = vec_sl(vec_splat_s32(1), vec_splat_u32(12 - 1)); break; +default: abort(); +} + e0 = vec_add(e0, add); e1 = vec_add(e1, add); 
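Review bot: `default: abort();` in the new `switch(shift)` in transform4x4, and again in scale() in the next hunk, ends the host process with no message if a caller ever passes a shift other than 7, 10 or 12. The callers are outside these hunks and the commit message says the values are known at build time, so the branch should be unreachable; `default: av_assert0(0);` would at least report file and line, assuming avassert.h is usable in this file. A one-line comment above each switch, `/* shift is only ever 7, 10 or 12; spelled out so vec_splat_* gets a constant */`, would explain a construct that otherwise looks redundant.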
@@ -70,7 +76,14 @@ static void transform4x4(vec_s16 src_01, vec_s16 src_23, vec_s32 res[4], static void scale(vec_s32 res[4], vec_s16 res_packed[2], int shift) { int i; -vec_u32 v_shift = vec_splat_u32(shift); +vec_u32 v_shift; + +switch(shift) { +case 7: v_shift = vec_splat_u32(7) ; break; +case 10: v_shift = vec_splat_u32(10); break; +case 12: v_shift = vec_splat_u32(12); break; +default: abort(); +} for (i = 0; i < 4; i++) res[i] = vec_sra(res[i], v_shift); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/rpza: Move frame allocation to a later point
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Dec 16 19:04:56 2018 +0100| [5161e1e6104154988d751ce60cbf859d5f453fd8] | committer: Michael Niedermayer avcodec/rpza: Move frame allocation to a later point This will allow performing some fast checks before the slow allocation Signed-off-by: Michael Niedermayer (cherry picked from commit 8a708aa99cb0e8d76e52117b1fd89d221f0055e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5161e1e6104154988d751ce60cbf859d5f453fd8 --- libavcodec/rpza.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index b71ebd1cbe..cffbfe4416 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -73,13 +73,12 @@ typedef struct RpzaContext { static int rpza_decode_stream(RpzaContext *s) { int width = s->avctx->width; -int stride = s->frame->linesize[0] / 2; -int row_inc = stride - 4; +int stride, row_inc, ret; int chunk_size; uint16_t colorA = 0, colorB; uint16_t color4[4]; uint16_t ta, tb; -uint16_t *pixels = (uint16_t *)s->frame->data[0]; +uint16_t *pixels; int row_ptr = 0; int pixel_ptr = 0; @@ -106,6 +105,12 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); +if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) +return ret; +pixels = (uint16_t *)s->frame->data[0]; +stride = s->frame->linesize[0] / 2; +row_inc = stride - 4; + /* Process chunk data */ while (bytestream2_get_bytes_left(>gb)) { uint8_t opcode = bytestream2_get_byte(>gb); /* Get opcode */ @@ -256,9 +261,6 @@ static int rpza_decode_frame(AVCodecContext *avctx, bytestream2_init(>gb, avpkt->data, avpkt->size); -if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) -return ret; - ret = rpza_decode_stream(s); if (ret < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
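Review bot: With `ff_reget_buffer` moved into rpza_decode_stream, every `return` that sits above the new call now leaves `s->frame` without a buffer acquired for this packet, while rpza_decode_frame (third hunk) only tests `ret < 0` afterwards. The lines between the declarations and the new call are outside the hunks, so please confirm none of them returns a non-negative value; otherwise the caller would carry on with a frame that was never (re)acquired. A comment at the call, `/* allocate only after the cheap header checks have passed */`, would record the intent stated in the commit message.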
[FFmpeg-cvslog] tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Dec 6 21:51:22 2018 +0100| [965eddc7ed0c38bcb18b7fb7278c80def5bffd0e] | committer: Michael Niedermayer tests/fate/filter-video: increase fuzz for fate-filter-refcmp-psnr-rgb Fixes: test failure on powerpc Signed-off-by: Michael Niedermayer (cherry picked from commit f8f762c300e29d80ece363edc08e137b371d909f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=965eddc7ed0c38bcb18b7fb7278c80def5bffd0e --- tests/fate/filter-video.mak | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/fate/filter-video.mak b/tests/fate/filter-video.mak index 17d6363678..0a9bf93513 100644 --- a/tests/fate/filter-video.mak +++ b/tests/fate/filter-video.mak @@ -767,7 +767,7 @@ fate-filter-meta-4560-rotate0: CMD = framecrc -flags +bitexact -c:a aac_fixed -i REFCMP_DEPS = FFMPEG LAVFI_INDEV TESTSRC2_FILTER AVGBLUR_FILTER METADATA_FILTER FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-rgb -fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.001 +fate-filter-refcmp-psnr-rgb: CMD = refcmp_metadata psnr rgb24 0.002 FATE_FILTER_SAMPLES-$(call ALLYES, $(REFCMP_DEPS) PSNR_FILTER) += fate-filter-refcmp-psnr-yuv fate-filter-refcmp-psnr-yuv: CMD = refcmp_metadata psnr yuv422p 0.0015 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/clearvideo: Check remaining input bits in P macro block loop
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Dec 6 01:19:37 2018 +0100| [50ee16431c56562225cde14f4250e60e86dbfd9c] | committer: Michael Niedermayer avcodec/clearvideo: Check remaining input bits in P macro block loop Fixes: Timeout Fixes: 11083/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5657180351496192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7aaab127bebb33003105a620736d6cae8c45a6e5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50ee16431c56562225cde14f4250e60e86dbfd9c --- libavcodec/clearvideo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c index 6061cb571e..5e2f019929 100644 --- a/libavcodec/clearvideo.c +++ b/libavcodec/clearvideo.c @@ -573,6 +573,8 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data, for (j = 0; j < c->pmb_height; j++) { for (i = 0; i < c->pmb_width; i++) { +if (get_bits_left(>gb) <= 0) +return AVERROR_INVALIDDATA; if (get_bits1(>gb)) { MV mv = mvi_predict(>mvi, i, j, zero_mv); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Nov 27 23:37:03 2018 +0100| [f3095068d85d61d97418a723b2c655b731dd1ecb] | committer: Michael Niedermayer avcodec/wmv2dec: Skip I frame if its smaller than 1/8 of the minimal size Frames that small are not valid and of limited use for error concealment, while being very computationally intensive to process. Fixes: Timeout Fixes: 11168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-573378203278 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6f4341522c3eafb046c47b115d79ce684a899fc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3095068d85d61d97418a723b2c655b731dd1ecb --- libavcodec/wmv2dec.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index ea0e0594b5..a99da25deb 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -166,6 +166,14 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } s->dc_table_index = get_bits1(>gb); + +// at minimum one bit per macroblock is required at least in a valid frame, +// we discard frames much smaller than this. Frames smaller than 1/8 of the +// smallest "black/skip" frame generally contain not much recoverable content +// while at the same time they have the highest computational requirements +// per byte +if (get_bits_left(>gb) * 8LL < (s->width+15)/16 * ((s->height+15)/16)) +return AVERROR_INVALIDDATA; } s->inter_intra_pred = 0; s->no_rounding = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] postproc/postprocess_template: Avoid using %4 for the threshold compare
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Dec 20 22:40:05 2018 +0100| [3006a5675c7bfabfa92cb5c940bfb40d8f90e908] | committer: Michael Niedermayer postproc/postprocess_template: Avoid using %4 for the threshold compare This avoids problems if %4 is the stack pointer the constraints do not allow %4 to be the stack pointer but gcc 9 may no longer support specifying such constraints Signed-off-by: Michael Niedermayer (cherry picked from commit 4325527e1c4fd2da119e81933172065ee1274eda) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3006a5675c7bfabfa92cb5c940bfb40d8f90e908 --- libpostproc/postprocess_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libpostproc/postprocess_template.c b/libpostproc/postprocess_template.c index 0a43989266..485eb5cfc0 100644 --- a/libpostproc/postprocess_template.c +++ b/libpostproc/postprocess_template.c @@ -1184,10 +1184,10 @@ FIND_MIN_MAX((%0, %1, 8)) #endif "movq %%mm6, %%mm0 \n\t" // max "psubb %%mm7, %%mm6 \n\t" // max - min -"push %4 \n\t" -"movd %%mm6, %k4\n\t" -"cmpb "MANGLE(deringThreshold)", %b4\n\t" -"pop %4 \n\t" +"push %%"FF_REG_a" \n\t" +"movd %%mm6, %%eax \n\t" +"cmpb "MANGLE(deringThreshold)", %%al \n\t" +"pop %%"FF_REG_a" \n\t" " jb 1f \n\t" PAVGB(%%mm0, %%mm7) // a=(max + min)/2 "punpcklbw %%mm7, %%mm7 \n\t" ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
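Review bot: The replacement hard-codes `FF_REG_a`, `%%eax` and `%%al` with no in-code comment, so the reason survives only in the commit message. A line above the `push`, such as `/* fixed register on purpose: operand %4 could end up being the stack pointer, which this push/pop pair cannot tolerate */`, would keep a later cleanup from switching back to the operand. The operand and clobber lists are outside the hunk, so whether `%4` is still referenced elsewhere in this asm statement cannot be checked from here.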
[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Nov 4 20:00:16 2018 +0100| [92382748e4ad67588af31fc4624a4fcb2dfce441] | committer: Michael Niedermayer avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92382748e4ad67588af31fc4624a4fcb2dfce441 --- libavcodec/cavsdec.c | 29 + 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index c7fff67c06..5f3b354518 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { -if (h->cbp & (1 << 4)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (h->cbp & (1 << 4)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); -if (h->cbp & (1 << 5)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (ret < 0) +return ret; +} +if (h->cbp & (1 << 5)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); +if (ret < 0) +return ret; +} +return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; +int ret; ff_cavs_init_mb(h); 
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, , block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); -if (h->cbp & (1l_stride); +if (h->cbp & (1 l_stride); +if (ret < 0) +return ret; +} } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); -decode_residual_chroma(h); +ret = decode_residual_chroma(h); +if (ret < 0) +return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
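Review bot: The new early returns in decode_mb_i() leave the function before `ff_cavs_filter(h, I_8X8)` and `set_mv_intra(h)` run, so a macroblock that fails in residual decoding never records its intra motion-vector state. If the caller keeps decoding further macroblocks after a negative return (the caller is not visible here), they would predict from stale data. Either call `set_mv_intra(h)` before returning the error, or add a comment stating that the caller abandons the slice on failure. The luma hunk of this mail is partly garbled on the page, so this is based on the chroma hunk and the added `int ret;`.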
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Oct 28 21:08:39 2018 +0100| [9664c3a4d40edb77d8e0b7a8b490a5b0d4843e50] | committer: Michael Niedermayer avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9664c3a4d40edb77d8e0b7a8b490a5b0d4843e50 --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index a109f12701..1005e89aae 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -101,7 +101,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, "MP3ADU full parser"); *poutbuf = NULL; *poutbuf_size = 0; -return 0; /* parsers must not return error codes */ +return buf_size; /* parsers must not return error codes */ } break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
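Review bot: The trailing comment `/* parsers must not return error codes */` explained the old `return 0` but does not say why the new code returns `buf_size`. Judging by the commit title and the timeout reports, returning 0 consumed no input and let the caller retry the same buffer indefinitely; the comment should state that, e.g. `return buf_size; /* consume the input so the caller makes progress; parsers must not return error codes */`. mpegaudio_parse() continues outside the hunk.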
[FFmpeg-cvslog] fftools/ffmpeg: Repair reinit_filter feature
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Nov 13 20:29:40 2018 +0100| [dab6409d84a798a778d827e5fccaf618c3449acc] | committer: Michael Niedermayer fftools/ffmpeg: Repair reinit_filter feature Signed-off-by: Michael Niedermayer (cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dab6409d84a798a778d827e5fccaf618c3449acc --- fftools/ffmpeg.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index c0214c42d8..d436a0e71c 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -2121,9 +2121,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) /* determine if the parameters for this input changed */ need_reinit = ifilter->format != frame->format; -if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || -(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) -need_reinit = 1; switch (ifilter->ist->st->codecpar->codec_type) { case AVMEDIA_TYPE_AUDIO: @@ -2137,6 +2134,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame) break; } +if (!ifilter->ist->reinit_filters && fg->graph) +need_reinit = 0; + +if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx || +(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data)) +need_reinit = 1; + if (need_reinit) { ret = ifilter_parameters_from_frame(ifilter, frame); if (ret < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
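Review bot: The relocated `hw_frames_ctx` comparison now runs after the `reinit_filters` override, so a changed hardware frames context forces reinitialisation even when the user disabled it, and nothing in the code says this ordering is deliberate. A comment above the second block, such as `/* a changed hw frames context always needs a new graph, regardless of reinit_filters */`, would stop the two blocks from being reordered again. `fg` is used in the new condition but declared outside the hunk.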
[FFmpeg-cvslog] avcodec/pngdec: Check compression method
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Nov 9 03:12:45 2018 +0100| [0e11b29834484233461b031bacf6ff92ecd87920] | committer: Michael Niedermayer avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e11b29834484233461b031bacf6ff92ecd87920 --- libavcodec/pngdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index f93f200bb1..f761f2f7d9 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -578,6 +578,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(>gb); s->compression_type = bytestream2_get_byte(>gb); +if (s->compression_type) { +av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); +goto error; +} s->filter_type = bytestream2_get_byte(>gb); s->interlace_type = bytestream2_get_byte(>gb); bytestream2_skip(>gb, 4); /* crc */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Dec 7 21:52:30 2018 +0100| [b29b6afdfbbf2d4cdbc13f6c61be8bcc89cec5a2] | committer: Michael Niedermayer avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID Signed-off-by: Michael Niedermayer (cherry picked from commit 68e011e4103b9cb5ac2d152d73ca8393065a33fb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b29b6afdfbbf2d4cdbc13f6c61be8bcc89cec5a2 --- libavcodec/avcodec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index fb0c6fae70..0139d72091 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1312,7 +1312,7 @@ enum AVPacketSideDataType { AV_PKT_DATA_METADATA_UPDATE, /** - * MPEGTS stream ID, this is required to pass the stream ID + * MPEGTS stream ID as uint8_t, this is required to pass the stream ID * information from the demuxer to the corresponding muxer. */ AV_PKT_DATA_MPEGTS_STREAM_ID, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Dec 18 14:27:48 2018 +0100| [bd9525b4bf1445059ab85c616ba9f103084c0493] | committer: Michael Niedermayer avcodec/mjpegdec: Fix indention of ljpeg_decode_yuv_scan() Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit ea30ac1e408246382796f61d645d1e087aed390a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd9525b4bf1445059ab85c616ba9f103084c0493 --- libavcodec/mjpegdec.c | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5e784d980c..58c4c053a9 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c 
@@ -1201,25 +1201,25 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, || v * mb_y + y >= s->height) { // Nothing to do } else if (bits<=8) { -ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap -if(y==0 && toprow){ -if(x==0 && leftcol){ -pred= 1 << (bits - 1); -}else{ -pred= ptr[-1]; -} -}else{ -if(x==0 && leftcol){ -pred= ptr[-linesize]; +ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap +if(y==0 && toprow){ +if(x==0 && leftcol){ +pred= 1 << (bits - 1); +}else{ +pred= ptr[-1]; +} }else{ -PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); +if(x==0 && leftcol){ +pred= ptr[-linesize]; +}else{ +PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); +} } -} -if (s->interlaced && s->bottom_field) -ptr += linesize >> 1; -pred &= mask; -*ptr= pred + ((unsigned)dc << point_transform); +if (s->interlaced && s->bottom_field) +ptr += linesize >> 1; +pred &= mask; +*ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] lavf/mov: ensure only one tkhd per trak
ffmpeg | branch: release/4.0 | chcunningham | Thu Dec 13 13:58:40 2018 -0800| [5d9daae62b9c1a669a504433b78d5a3e75409089] | committer: Michael Niedermayer lavf/mov: ensure only one tkhd per trak Chromium fuzzing produced a whacky file with extra tkhds. This caused an AVStream that was already in use to be corrupted by assigning it a new id, which blows up later in mov_read_trun because the MOVFragmentStreamInfo.index_entry now points OOB. Reviewed-by: Baptiste Coudurier Signed-off-by: Michael Niedermayer (cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d9daae62b9c1a669a504433b78d5a3e75409089 --- libavformat/mov.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bd9b302e74..1864810846 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1325,6 +1325,10 @@ static int update_frag_index(MOVContext *c, int64_t offset) return -1; for (i = 0; i < c->fc->nb_streams; i++) { +// Avoid building frag index if streams lack track id. +if (c->fc->streams[i]->id < 0) +return AVERROR_INVALIDDATA; + frag_stream_info[i].id = c->fc->streams[i]->id; frag_stream_info[i].sidx_pts = AV_NOPTS_VALUE; frag_stream_info[i].tfdt_dts = AV_NOPTS_VALUE; @@ -4136,7 +4140,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = avformat_new_stream(c->fc, NULL); if (!st) return AVERROR(ENOMEM); -st->id = c->fc->nb_streams; +st->id = -1; sc = av_mallocz(sizeof(MOVStreamContext)); if (!sc) return AVERROR(ENOMEM); 
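Review bot: The new `return AVERROR_INVALIDDATA` inside the loop in update_frag_index() exits after `frag_stream_info` has been set up; the `return -1` context line just above looks like the failure path of its allocation, which is outside the hunk. If that buffer is heap-allocated there, every file that reaches this branch leaks it, and a malformed file can trigger that on each fragment. Release the buffer before returning, using whatever matches the allocator above (for an `av_*alloc` call, `av_free(frag_stream_info);`).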
@@ -4420,6 +4424,11 @@ static int mov_read_tkhd(MOVContext *c, AVIOContext *pb, MOVAtom atom) st = c->fc->streams[c->fc->nb_streams-1]; sc = st->priv_data; +// Each stream (trak) should have exactly 1 tkhd. This catches bad files and +// avoids corrupting AVStreams mapped to an earlier tkhd. +if (st->id != -1) +return AVERROR_INVALIDDATA; + version = avio_r8(pb); flags = avio_rb24(pb); st->disposition |= (flags & MOV_TKHD_FLAG_ENABLED) ? AV_DISPOSITION_DEFAULT : 0; @@ -4686,6 +4695,7 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) break; } } +av_assert0(index_entry_pos <= st->nb_index_entries); avio_r8(pb); /* version */ flags = avio_rb24(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
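Review bot: `av_assert0(index_entry_pos <= st->nb_index_entries)` in mov_read_trun() aborts the whole process when it fires, and both values it compares are derived from the file being parsed. With the tkhd check added in this commit the condition may now be unreachable, but for a demuxer that handles untrusted input a recoverable error is the safer backstop: `if (index_entry_pos > st->nb_index_entries) return AVERROR_INVALIDDATA;`. The loop that computes `index_entry_pos` starts outside the hunk.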
[FFmpeg-cvslog] avcodec/mpeg4videodec: Clear partitioned frame in decode_studio_vop_header()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Nov 4 19:02:55 2018 +0100| [86ba4473fa3095b8eb07900d64845bd24302f84a] | committer: Michael Niedermayer avcodec/mpeg4videodec: Clear partitioned frame in decode_studio_vop_header() partitioned_frame is also set/cleared in decode_vop_header() Fixes: out of array read Fixes: 9789/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5638681627983872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 074187d599a2ece2bdf77bd08b4b797c5800eda6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=86ba4473fa3095b8eb07900d64845bd24302f84a --- libavcodec/mpeg4videodec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8064f1eb40..1776efa9ae 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2967,6 +2967,7 @@ static int decode_studio_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (get_bits_left(gb) <= 32) return 0; +s->partitioned_frame = 0; s->decode_mb = mpeg4_decode_studio_mb; decode_smpte_tc(ctx, gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
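Review bot: `s->partitioned_frame = 0` is placed after the `if (get_bits_left(gb) <= 32) return 0;` early exit, so a studio VOP header that is too short leaves the flag at whatever an earlier decode_vop_header() call set. Whether decoding proceeds after that `return 0` is not visible here; if it can, the stale value is the same condition this commit is fixing. Moving the assignment above the length check would cover both paths. decode_studio_vop_header() continues outside the hunk.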
[FFmpeg-cvslog] lavf/id3v2: fail read_apic on EOF reading mimetype
ffmpeg | branch: release/4.0 | chcunningham | Fri Dec 14 13:44:07 2018 -0800| [e02f55a3c5c3761ddcbd326c62bdf571bb2be0b4] | committer: Michael Niedermayer lavf/id3v2: fail read_apic on EOF reading mimetype avio_read may return EOF, leaving the mimetype array unitialized. fail early when this occurs to avoid using the array in an unitialized state. Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e39a576977fd38c3b94fc56125d31d38833e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e02f55a3c5c3761ddcbd326c62bdf571bb2be0b4 --- libavformat/id3v2.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index f7de26a1d8..5fe055b591 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -590,7 +590,7 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, int isv34) { int enc, pic_type; -char mimetype[64]; +char mimetype[64] = {0}; const CodecMime *mime = ff_id3v2_mime_tags; enum AVCodecID id = AV_CODEC_ID_NONE; ID3v2ExtraMetaAPIC *apic = NULL; @@ -612,7 +612,9 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, if (isv34) { taglen -= avio_get_str(pb, taglen, mimetype, sizeof(mimetype)); } else { -avio_read(pb, mimetype, 3); +if (avio_read(pb, mimetype, 3) < 0) +goto fail; + mimetype[3] = 0; taglen-= 3; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
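Review bot: `avio_read(pb, mimetype, 3) < 0` catches an error or EOF return but not a short read of one or two bytes, which avio_read() reports as a positive count. The zero-initialised array means nothing uninitialised is used any more, but the tag is then matched against a truncated MIME string and `taglen` is still reduced by 3. Comparing against the requested length, `if (avio_read(pb, mimetype, 3) != 3) goto fail;`, rejects both cases. The `fail` label is outside the hunk.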
[FFmpeg-cvslog] avcodec/rpza: Check that there is enough data for all the blocks
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Dec 16 19:13:27 2018 +0100| [90d73a207c6a8d7abe67114e143f06d11d519eeb] | committer: Michael Niedermayer avcodec/rpza: Check that there is enough data for all the blocks Fixes: Timeout Fixes: 11547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RPZA_fuzzer-5678435842654208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e63517e00a1a8375c7fb3b8c4c64c9a7c3da713e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90d73a207c6a8d7abe67114e143f06d11d519eeb --- libavcodec/rpza.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c index cffbfe4416..8e1efa2445 100644 --- a/libavcodec/rpza.c +++ b/libavcodec/rpza.c @@ -105,6 +105,9 @@ static int rpza_decode_stream(RpzaContext *s) /* Number of 4x4 blocks in frame. */ total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); +if (total_blocks / 32 > bytestream2_get_bytes_left(>gb)) +return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(s->avctx, s->frame)) < 0) return ret; pixels = (uint16_t *)s->frame->data[0]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
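Review bot: The divisor in `total_blocks / 32 > bytestream2_get_bytes_left(...)` is an unexplained constant; presumably it is the largest number of blocks a single input byte can account for, but neither the hunk nor the commit message says so. A one-line comment stating where 32 comes from, or a named constant next to the opcode definitions, would make the bound reviewable against the format. Placing the check before `ff_reget_buffer()` is sensible, since it rejects the packet before any frame buffer work.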
[FFmpeg-cvslog] avcodec/truemotion2rt: Fix rounding in input size check
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Nov 17 09:24:30 2018 +0100| [773f58229ff07c940ccab0ceaa65b679cd7bff6d] | committer: Michael Niedermayer avcodec/truemotion2rt: Fix rounding in input size check Fixes: Timeout Fixes: 11332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5678456612847616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f22a4ebc97817fd0968f5ea8295c9a59a6292e0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=773f58229ff07c940ccab0ceaa65b679cd7bff6d --- libavcodec/truemotion2rt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index 9df0b527bb..e3ab998fda 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,7 +116,7 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; -if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) +if ((avctx->width + s->hscale - 1)/ s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) return AVERROR_INVALIDDATA; ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/truemotion2: fix integer overflows in tm2_low_chroma()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Nov 17 00:38:53 2018 +0100| [040aa140748af9a546f6a2961a329263cd248f03] | committer: Michael Niedermayer avcodec/truemotion2: fix integer overflows in tm2_low_chroma() Fixes: 11295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-4888953459572736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ae39d795613f3c6925c59852b625029b747fe42) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=040aa140748af9a546f6a2961a329263cd248f03 --- libavcodec/truemotion2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index b689efdb99..2945d9948d 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -480,7 +480,7 @@ static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *C } } -static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, int *deltas, int bx) +static inline void tm2_low_chroma(int *data, int stride, int *clast, unsigned *CD, int *deltas, int bx) { int t; int l; @@ -490,8 +490,8 @@ static inline void tm2_low_chroma(int *data, int stride, int *clast, int *CD, in prev = clast[-3]; else prev = 0; -t= (CD[0] + CD[1]) >> 1; -l= (prev - CD[0] - CD[1] + clast[1]) >> 1; +t= (int)(CD[0] + CD[1]) >> 1; +l= (int)(prev - CD[0] - CD[1] + clast[1]) >> 1; CD[1]= CD[0] + CD[1] - t; CD[0]= t; clast[0] = l; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
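Review bot: The switch of `CD` to `unsigned *` and the `(int)(...) >> 1` casts exist to make the sums wrap instead of overflowing a signed int, but nothing in tm2_low_chroma() says so. A comment such as `/* unsigned on purpose: sums may wrap on corrupt input; cast back to int before the arithmetic shift */` would keep the casts from being removed as noise. The `(unsigned)coffset` casts in the shorten hunks later on this page have the same need. The callers of tm2_low_chroma() are outside the hunk, so whether they already pass an `unsigned *` cannot be checked here.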
[FFmpeg-cvslog] avcodec/dxv: Check that there is enough data to decompress
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Dec 1 21:41:01 2018 +0100| [ff8ba749b439cd1c232cd7f30ba5e4e1d3d8c20a] | committer: Michael Niedermayer avcodec/dxv: Check that there is enough data to decompress Fixes: Timeout Fixes: 10979/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-6178582203203584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2bc3811c0d6b34e43a55a7541722761f548628d0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff8ba749b439cd1c232cd7f30ba5e4e1d3d8c20a --- libavcodec/dxv.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 08aca73b1f..bf53d7d706 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -1192,6 +1192,12 @@ static int dxv_decode(AVCodecContext *avctx, void *data, ret = decompress_tex(avctx); if (ret < 0) return ret; +{ +int w_block = avctx->coded_width / ctx->texture_block_w; +int h_block = avctx->coded_height / ctx->texture_block_h; +if (w_block * h_block * ctx->tex_step > ctx->tex_size * 8LL) +return AVERROR_INVALIDDATA; +} tframe.f = data; ret = ff_thread_get_buffer(avctx, , 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Nov 9 19:59:27 2018 +0100| [4b0d040e1837df21674815b0781baec80d577df2] | committer: Michael Niedermayer avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4b0d040e1837df21674815b0781baec80d577df2 --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 4b45e6d6dc..4134af74cf 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) -s->decoded[channel][i] -= coffset; +s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; @@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) -s->decoded[channel][i] += coffset; +s->decoded[channel][i] += (unsigned)coffset; return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/msvideo1: Check for too small dimensions
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Dec 1 22:16:19 2018 +0100| [c3e263b862ec8ae187aa56d9bfc75fb5666996f4] | committer: Michael Niedermayer avcodec/msvideo1: Check for too small dimensions Such low resolution would result in empty output as a minimum of 4x4 is needed We could also check for multiple of 4 dimensions but that is not needed Fixes: Timeout Fixes: 11191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSVIDEO1_fuzzer-5739529588178944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 953bd58861ad933e614510140b05a61e3d1375be) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3e263b862ec8ae187aa56d9bfc75fb5666996f4 --- libavcodec/msvideo1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index 29700f54b6..de048d8b6f 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -62,6 +62,9 @@ static av_cold int msvideo1_decode_init(AVCodecContext *avctx) s->avctx = avctx; +if (avctx->width < 4 || avctx->height < 4) +return AVERROR_INVALIDDATA; + /* figure out the colorspace based on the presence of a palette */ if (s->avctx->bits_per_coded_sample == 8) { s->mode_8bit = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
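Review bot: The new dimension check in msvideo1_decode_init() returns `AVERROR_INVALIDDATA` without logging anything, so a user sees only a generic failure to open the decoder. An `av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %dx%d\n", avctx->width, avctx->height);` before the return would match how the pngdec check on this page reports its rejection. The check also runs only at init; whether the dimensions can change afterwards is not visible in this hunk.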
[FFmpeg-cvslog] h264_redundant_pps: Fix logging context
ffmpeg | branch: release/4.0 | Andreas Rheinhardt | Fri Nov 9 06:31:38 2018 +0100| [5bdc1e51fd3a57e5259279c950c47301a0aeaf7b] | committer: Michael Niedermayer h264_redundant_pps: Fix logging context The first element of H264RedundantPPSContext is not a pointer to an AVClass as required. Signed-off-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 6dafcb6fdb6271d35220b889833561705c2b366f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bdc1e51fd3a57e5259279c950c47301a0aeaf7b --- libavcodec/h264_redundant_pps_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_redundant_pps_bsf.c b/libavcodec/h264_redundant_pps_bsf.c index 26baca84e3..46cd77a7c1 100644 --- a/libavcodec/h264_redundant_pps_bsf.c +++ b/libavcodec/h264_redundant_pps_bsf.c @@ -90,7 +90,7 @@ static int h264_redundant_pps_filter(AVBSFContext *bsf, AVPacket *out) if (nal->type == H264_NAL_PPS) { h264_redundant_pps_fixup_pps(ctx, nal->content); if (!au_has_sps) { -av_log(ctx, AV_LOG_VERBOSE, "Deleting redundant PPS " +av_log(bsf, AV_LOG_VERBOSE, "Deleting redundant PPS " "at %"PRId64".\n", in->pts); ff_cbs_delete_unit(ctx->input, au, i); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] lavf: Constify the probe function argument.
ffmpeg | branch: master | Carl Eugen Hoyos | Thu Mar 21 01:18:37 2019 +0100| [4d8875ec23cf299277a0f028ea2ac99eb6f603c9] | committer: Carl Eugen Hoyos lavf: Constify the probe function argument. Reviewed-by: Lauri Kasanen Reviewed-by: Tomas Härdin > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d8875ec23cf299277a0f028ea2ac99eb6f603c9 --- libavformat/3dostr.c | 2 +- libavformat/4xm.c | 2 +- libavformat/aacdec.c | 2 +- libavformat/aadec.c| 2 +- libavformat/ac3dec.c | 6 ++--- libavformat/acm.c | 2 +- libavformat/act.c | 2 +- libavformat/adp.c | 2 +- libavformat/ads.c | 2 +- libavformat/adxdec.c | 2 +- libavformat/aea.c | 2 +- libavformat/aiffdec.c | 2 +- libavformat/aixdec.c | 2 +- libavformat/amr.c | 6 ++--- libavformat/anm.c | 2 +- libavformat/apc.c | 2 +- libavformat/ape.c | 2 +- libavformat/apngdec.c | 2 +- libavformat/aqtitledec.c | 2 +- libavformat/asfdec_f.c | 2 +- libavformat/asfdec_o.c | 2 +- libavformat/assdec.c | 2 +- libavformat/astdec.c | 2 +- libavformat/au.c | 2 +- libavformat/avformat.h | 2 +- libavformat/avidec.c | 2 +- libavformat/avr.c | 2 +- libavformat/avs.c | 2 +- libavformat/bethsoftvid.c | 2 +- libavformat/bfi.c | 2 +- libavformat/bink.c | 2 +- libavformat/bintext.c | 6 ++--- libavformat/bit.c | 2 +- libavformat/boadec.c | 2 +- libavformat/brstm.c| 4 ++-- libavformat/c93.c | 2 +- libavformat/cafdec.c | 2 +- libavformat/cavsvideodec.c | 2 +- libavformat/cdxl.c | 2 +- libavformat/cinedec.c | 2 +- libavformat/codec2.c | 2 +- libavformat/concatdec.c| 2 +- libavformat/dashdec.c | 2 +- libavformat/davs2.c| 2 +- libavformat/dcstr.c| 2 +- libavformat/dfa.c | 2 +- libavformat/dhav.c | 2 +- libavformat/diracdec.c | 2 +- libavformat/dnxhddec.c | 2 +- libavformat/dsfdec.c | 2 +- libavformat/dsicin.c | 2 +- libavformat/dss.c | 2 +- libavformat/dtsdec.c | 2 +- libavformat/dtshddec.c | 2 +- libavformat/dv.c | 2 +- libavformat/dvbsub.c | 2 +- libavformat/dvbtxt.c | 2 +- libavformat/dxa.c | 2 +- libavformat/eacdata.c | 2 +- 
libavformat/electronicarts.c | 2 +- libavformat/epafdec.c | 2 +- libavformat/ffmetadec.c| 2 +- libavformat/fitsdec.c | 2 +- libavformat/flacdec.c | 4 ++-- libavformat/flic.c | 2 +- libavformat/flvdec.c | 6 ++--- libavformat/frmdec.c | 2 +- libavformat/fsb.c | 2 +- libavformat/gdv.c | 2 +- libavformat/genh.c | 2 +- libavformat/gifdec.c | 2 +- libavformat/gsmdec.c | 2 +- libavformat/gxf.c | 2 +- libavformat/h261dec.c | 2 +- libavformat/h263dec.c | 2 +- libavformat/h264dec.c | 2 +- libavformat/hcom.c | 2 +- libavformat/hevcdec.c | 2 +- libavformat/hls.c | 2 +- libavformat/hnm.c | 2 +- libavformat/icodec.c | 2 +- libavformat/idcin.c| 2 +- libavformat/idroqdec.c | 2 +- libavformat/iff.c | 2 +- libavformat/ilbc.c | 2 +- libavformat/img2_alias_pix.c | 2 +- libavformat/img2_brender_pix.c | 2 +- libavformat/img2dec.c | 54 +- libavformat/ingenientdec.c | 2 +- libavformat/ipmovie.c | 2 +- libavformat/ircamdec.c | 2 +- libavformat/iss.c | 2 +- libavformat/iv8.c | 2 +- libavformat/ivfdec.c | 2 +- libavformat/jacosubdec.c | 2 +- libavformat/jvdec.c| 2 +- libavformat/libgme.c | 2 +- libavformat/libmodplug.c | 2 +- libavformat/libopenmpt.c | 2 +- libavformat/lmlm4.c| 2 +- libavformat/loasdec.c | 2 +- libavformat/lrcdec.c | 2 +- libavformat/lvfdec.c | 2 +- libavformat/lxfdec.c | 2 +- libavformat/m4vdec.c | 2 +- libavformat/matroskadec.c | 2 +- libavformat/mgsts.c| 2 +- libavformat/microdvddec.c | 2 +- libavformat/mj2kdec.c | 2 +- libavformat/mlpdec.c | 6 ++--- libavformat/mlvdec.c | 2 +- libavformat/mm.c | 2 +- libavformat/mmf.c | 2 +- libavformat/mov.c | 2 +-
[FFmpeg-cvslog] avcodec/dfa: Check the chunk header is not truncated
ffmpeg | branch: release/4.1 | Michael Niedermayer | Sun Mar 10 23:45:19 2019 +0100| [b429df281d50e960fb7f44659cac393a42cdfd35] | committer: Michael Niedermayer avcodec/dfa: Check the chunk header is not truncated Fixes: Timeout (11sec -> 3sec) Fixes: 13218/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-5661074316066816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f20760fadbc77483b9ff4b400b53ebb38ee33793) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b429df281d50e960fb7f44659cac393a42cdfd35 --- libavcodec/dfa.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 970175fb73..c6106b9397 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -355,6 +355,8 @@ static int dfa_decode_frame(AVCodecContext *avctx,
 bytestream2_init(, avpkt->data, avpkt->size);
 while (bytestream2_get_bytes_left() > 0) {
+if (bytestream2_get_bytes_left() < 12)
+return AVERROR_INVALIDDATA;
 bytestream2_skip(, 4);
 chunk_size = bytestream2_get_le32();
 chunk_type = bytestream2_get_le32();
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
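Review bot: The literal 12 in the added guard is undocumented; it equals the 4 skipped bytes plus the two 32-bit reads that follow, and a comment such as `/* chunk header: 4 skipped bytes + le32 size + le32 type */` would keep it in step with those reads. The guard only proves that the header is present: `chunk_size` still comes straight from the packet, and whether it is compared against the remaining bytes before use is not visible here, because the body of dfa_decode_frame continues outside the hunk. Since the return sits inside the while loop, a short tail also fails the whole packet, including chunks handled in earlier iterations, which is worth stating in the same comment if it is intended.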
[FFmpeg-cvslog] Changelog: update
ffmpeg | branch: release/4.1 | Michael Niedermayer | Thu Mar 21 09:02:44 2019 +0100| [a7cb7a2e4314956e06a351333ff8096fab9afa7f] | committer: Michael Niedermayer Changelog: update Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a7cb7a2e4314956e06a351333ff8096fab9afa7f --- Changelog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog b/Changelog index 5d2d645d34..7df4e199bf 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,9 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 4.1.2: +- avcodec/dfa: Check the chunk header is not truncated +- avcodec/clearvideo: Check remaining data in P frames +- avcodec/hevcdec: decode at most one slice reporting being the first in the picture - avcodec/dvbsubdec: Check object position - avcodec/cdgraphics: Use ff_set_dimensions() - avformat/gdv: Check fps ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/clearvideo: Check remaining data in P frames
ffmpeg | branch: release/4.1 | Michael Niedermayer | Fri Mar 8 01:42:06 2019 +0100| [7ce56329e71fc75512ef82f4794c43b629b8c488] | committer: Michael Niedermayer avcodec/clearvideo: Check remaining data in P frames Fixes: Timeout (19sec -> 419msec) Fixes: 13411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5733153811988480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41f93f941155f9f9dbb2d5e7f5d20b2238150836) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ce56329e71fc75512ef82f4794c43b629b8c488 --- libavcodec/clearvideo.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index ad3012f7b7..82df8f3752 100644
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -555,6 +555,9 @@ static int clv_decode_frame(AVCodecContext *avctx, void *data,
 } else {
 int plane;
+if (c->pmb_width * c->pmb_height > 8LL*(buf_size - bytestream2_tell()))
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, c->pic)) < 0)
 return ret;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
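Review bot: The factor 8 in the added P-frame check has no explanation; the comparison reads as requiring at least one bit of remaining input per `pmb_width * pmb_height` unit, and a comment such as `/* need at least one bit per macroblock */` would record that (assuming pmb stands for macroblock, as the name suggests). The left-hand product is also evaluated before the widening that `8LL` applies to the right-hand side, so if both fields are plain int it is multiplied in int; writing `(int64_t)c->pmb_width * c->pmb_height` makes both sides 64-bit. The field types and the rest of clv_decode_frame are outside the hunk, so the second point should be confirmed against the struct definition.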