[FFmpeg-cvslog] avformat/http: return EINVAL if ff_http_do_new_request is called with non-http URLContext

2017-12-30 Thread Aman Gupta
ffmpeg | branch: master | Aman Gupta  | Fri Dec 29 15:25:14 2017 
-0800| [c0b08ef94f037572876448990dca840b85432262] | committer: Aman Gupta

avformat/http: return EINVAL if ff_http_do_new_request is called with non-http 
URLContext

Signed-off-by: Aman Gupta 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c0b08ef94f037572876448990dca840b85432262
---

 libavformat/http.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/http.c b/libavformat/http.c
index a376f1a488..8f7e56de54 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -311,6 +311,11 @@ int ff_http_do_new_request(URLContext *h, const char *uri)
 char hostname1[1024], hostname2[1024], proto1[10], proto2[10];
 int port1, port2;
 
+if (!h->prot ||
+!(!strcmp(h->prot->name, "http") ||
+  !strcmp(h->prot->name, "https")))
+return AVERROR(EINVAL);
+
 av_url_split(proto1, sizeof(proto1), NULL, 0,
  hostname1, sizeof(hostname1), ,
  NULL, 0, s->location);
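Review bot: The added guard at the top of ff_http_do_new_request is a negated disjunction of negated `strcmp` calls, which is hard to read, and it has no comment saying why the protocol name matters. `s->location` is read a few lines below, so the function evidently treats the context's private data as HTTP state (the declaration of `s` is outside the hunk), and this check is what stops another protocol's private data being interpreted that way. I would write the condition as `if (!h->prot || (strcmp(h->prot->name, "http") && strcmp(h->prot->name, "https")))` and put `/* priv_data is only HTTP state for http/https; reject other protocols before it is used */` above it. The function body starts and ends outside the hunk.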



[FFmpeg-cvslog] opus: merge encoder and decoder bitallocation functions into one

2017-12-30 Thread Rostislav Pehlivanov
ffmpeg | branch: master | Rostislav Pehlivanov  | Sat Dec 
30 17:02:54 2017 +| [51027d0b8b2835d4c70c9cb7b2ab5e28d5e3f22f] | committer: 
Rostislav Pehlivanov

opus: merge encoder and decoder bitallocation functions into one

There's no difference apart from which entropy coding functions get called.

Signed-off-by: Rostislav Pehlivanov 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51027d0b8b2835d4c70c9cb7b2ab5e28d5e3f22f
---

 libavcodec/opus.c| 348 +++
 libavcodec/opus.h|   3 +
 libavcodec/opus_celt.c   | 334 +
 libavcodec/opusenc.c | 337 +
 libavcodec/opusenc.h |   2 -
 libavcodec/opusenc_psy.c |   2 +-
 6 files changed, 358 insertions(+), 668 deletions(-)

diff --git a/libavcodec/opus.c b/libavcodec/opus.c
index 46b749cae6..9cbf4aed92 100644
--- a/libavcodec/opus.c
+++ b/libavcodec/opus.c
@@ -546,3 +546,351 @@ void ff_celt_quant_bands(CeltFrame *f, OpusRangeCoder *rc)
 update_lowband = (b > band_size << 3);
 }
 }
+
+#define NORMC(bits) ((bits) << (f->channels - 1) << f->size >> 2)
+
+void ff_celt_bitalloc(CeltFrame *f, OpusRangeCoder *rc, int encode)
+{
+int i, j, low, high, total, done, bandbits, remaining, tbits_8ths;
+int skip_startband  = f->start_band;
+int skip_bit= 0;
+int intensitystereo_bit = 0;
+int dualstereo_bit  = 0;
+int dynalloc= 6;
+int extrabits   = 0;
+
+int boost[CELT_MAX_BANDS] = { 0 };
+int trim_offset[CELT_MAX_BANDS];
+int threshold[CELT_MAX_BANDS];
+int bits1[CELT_MAX_BANDS];
+int bits2[CELT_MAX_BANDS];
+
+/* Spread */
+if (opus_rc_tell(rc) + 4 <= f->framebits)
+if (encode)
+ff_opus_rc_enc_cdf(rc, f->spread, ff_celt_model_spread);
+else
+f->spread = ff_opus_rc_dec_cdf(rc, ff_celt_model_spread);
+else
+f->spread = CELT_SPREAD_NORMAL;
+
+/* Initialize static allocation caps */
+for (i = 0; i < CELT_MAX_BANDS; i++)
+f->caps[i] = NORMC((ff_celt_static_caps[f->size][f->channels - 1][i] + 
64) * ff_celt_freq_range[i]);
+
+/* Band boosts */
+tbits_8ths = f->framebits << 3;
+for (i = f->start_band; i < f->end_band; i++) {
+int quanta = ff_celt_freq_range[i] << (f->channels - 1) << f->size;
+int b_dynalloc = dynalloc;
+int boost_amount = f->alloc_boost[i];
+quanta = FFMIN(quanta << 3, FFMAX(6 << 3, quanta));
+
+while (opus_rc_tell_frac(rc) + (b_dynalloc << 3) < tbits_8ths && 
boost[i] < f->caps[i]) {
+int is_boost;
+if (encode) {
+is_boost = boost_amount--;
+ff_opus_rc_enc_log(rc, is_boost, b_dynalloc);
+} else {
+is_boost = ff_opus_rc_dec_log(rc, b_dynalloc);
+}
+
+if (!is_boost)
+break;
+
+boost[i]   += quanta;
+tbits_8ths -= quanta;
+
+b_dynalloc = 1;
+}
+
+if (boost[i])
+dynalloc = FFMAX(dynalloc - 1, 2);
+}
+
+/* Allocation trim */
+if (opus_rc_tell_frac(rc) + (6 << 3) <= tbits_8ths)
+if (encode)
+ff_opus_rc_enc_cdf(rc, f->alloc_trim, ff_celt_model_alloc_trim);
+else
+f->alloc_trim = ff_opus_rc_dec_cdf(rc, ff_celt_model_alloc_trim);
+
+/* Anti-collapse bit reservation */
+tbits_8ths = (f->framebits << 3) - opus_rc_tell_frac(rc) - 1;
+f->anticollapse_needed = 0;
+if (f->transient && f->size >= 2 && tbits_8ths >= ((f->size + 2) << 3))
+f->anticollapse_needed = 1 << 3;
+tbits_8ths -= f->anticollapse_needed;
+
+/* Band skip bit reservation */
+if (tbits_8ths >= 1 << 3)
+skip_bit = 1 << 3;
+tbits_8ths -= skip_bit;
+
+/* Intensity/dual stereo bit reservation */
+if (f->channels == 2) {
+intensitystereo_bit = ff_celt_log2_frac[f->end_band - f->start_band];
+if (intensitystereo_bit <= tbits_8ths) {
+tbits_8ths -= intensitystereo_bit;
+if (tbits_8ths >= 1 << 3) {
+dualstereo_bit = 1 << 3;
+tbits_8ths -= 1 << 3;
+}
+} else {
+intensitystereo_bit = 0;
+}
+}
+
+/* Trim offsets */
+for (i = f->start_band; i < f->end_band; i++) {
+int trim = f->alloc_trim - 5 - f->size;
+int band = ff_celt_freq_range[i] * (f->end_band - i - 1);
+int duration = f->size + 3;
+int scale= duration + f->channels - 1;
+
+/* PVQ minimum allocation threshold, below this value the band is
+ * skipped */
+threshold[i] = FFMAX(3 * ff_celt_freq_range[i] << duration >> 4,
+ f->channels << 3);
+
+trim_offset[i] = trim * (band << scale) >> 6;
+
+if (ff_celt_freq_range[i] 

[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Fri 
Dec 29 03:00:19 2017 +0100| [903be5e4f66268273dc6e3c42a7fdeaab32066ef] | 
committer: Michael Niedermayer

avcodec/exr: Check buf_size more completely

Fixes: Out of heap array read
Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=903be5e4f66268273dc6e3c42a7fdeaab32066ef
---

 libavcodec/exr.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b1ecde4ebd..454dc74cfb 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1051,7 +1051,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 line_offset = AV_RL64(s->gb.buffer + jobnr * 8);
 
 if (s->is_tile) {
-if (line_offset > buf_size - 20)
+if (buf_size < 20 || line_offset > buf_size - 20)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 20;
@@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 tile_level_y = AV_RL32(src - 8);
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 20)
 return AVERROR_INVALIDDATA;
 
 if (tile_level_x || tile_level_y) { /* tile level, is not the full res 
level */
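Review bot: The new upper bound `data_size > buf_size - line_offset - 20` is only safe because of the earlier `buf_size < 20 || line_offset > buf_size - 20` test, and nothing at the comparison says so. `line_offset` is filled from `AV_RL64`, so it is presumably an unsigned 64-bit value and the subtraction is carried out unsigned; without the earlier test it would wrap to a huge limit and accept any `data_size`. A comment such as `/* line_offset + 20 <= buf_size was verified above, so the remaining-bytes subtraction cannot wrap */` would protect the check against later reordering. The same applies to the scanline branch in the last hunk (`buf_size - line_offset - 8`). The declarations of `line_offset`, `data_size` and `buf_size` are outside the hunks.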
@@ -1095,7 +1095,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 td->channel_line_size = td->xsize * s->current_channel_offset;/* 
uncompress size of one line */
 uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* 
uncompress size of the block */
 } else {
-if (line_offset > buf_size - 8)
+if (buf_size < 8 || line_offset > buf_size - 8)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 8;
@@ -1105,7 +1105,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 return AVERROR_INVALIDDATA;
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 8)
 return AVERROR_INVALIDDATA;
 
 td->ysize  = FFMIN(s->scan_lines_per_block, s->ymax - line + 
1); /* s->ydelta - line ?? */



[FFmpeg-cvslog] avcodec/exr: fix undefined shift in pxr24_uncompress()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Nov  4 01:19:19 2017 +0100| [4a47195d2a88113877d28ffac5917491bb501883] | 
committer: Michael Niedermayer

avcodec/exr: fix undefined shift in pxr24_uncompress()

Fixes: runtime error: left shift of 255 by 24 places cannot be represented in 
type 'int'
Fixes: 3787/clusterfuzz-testcase-minimized-5728764920070144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 66f0c958bfd5475658b432d1af4d2e174b2dfcda)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a47195d2a88113877d28ffac5917491bb501883
---

 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index ec940222b2..b4063f8fa4 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -866,7 +866,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t 
*src,
 in = ptr[2] + td->xsize;
 
 for (j = 0; j < td->xsize; ++j) {
-uint32_t diff = (*(ptr[0]++) << 24) |
+uint32_t diff = ((unsigned)*(ptr[0]++) << 24) |
 (*(ptr[1]++) << 16) |
 (*(ptr[2]++) << 8);
 pixel += diff;
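Review bot: Only the `<< 24` term is cast to unsigned, so the expression mixes one unsigned operand with two that are still promoted to int before shifting. The `<< 16` and `<< 8` terms cannot overflow if `ptr[]` points at bytes (the declaration is outside the hunk), so this is not a defect, but the asymmetry invites the question. Either cast all three terms the same way or add `/* byte << 24 can exceed INT_MAX after promotion to int; shift as unsigned */` above the statement.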



[FFmpeg-cvslog] avutil/softfloat: Add FLOAT_MIN

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov  1 14:00:18 2017 +0100| [56a56c0cb564aa20e6f91f257beccf1a907674d1] | 
committer: Michael Niedermayer

avutil/softfloat: Add FLOAT_MIN

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e34fe61bf45331d2e6d2840604f799fa4b55c843)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56a56c0cb564aa20e6f91f257beccf1a907674d1
---

 libavutil/softfloat.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h
index c50aaf5285..4789b209cd 100644
--- a/libavutil/softfloat.h
+++ b/libavutil/softfloat.h
@@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON= { 0x29F16B12, -16};
 static const SoftFloat FLOAT_1584893192 = { 0x32B771ED,   1};  
 ///< 1.584893192 (10^.2)
 static const SoftFloat FLOAT_10 = { 0x30D4,  17};  
 ///< 10
 static const SoftFloat FLOAT_099= { 0x3BCE,   0};  
 ///< 0.99
+static const SoftFloat FLOAT_MIN= { 0x2000,   MIN_EXP};
 
 
 /**
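Review bot: `FLOAT_MIN` is added without the `///<` value comment that the neighbouring constants carry (`///< 10`, `///< 0.99`). The name alone does not say whether it is the smallest positive value or the most negative one, which matters to anyone reusing it. I would append a comment on that line, for example `///< smallest positive normalized value`, after confirming that this is what the mantissa and `MIN_EXP` pair encodes.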



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in predict()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Oct 27 02:23:20 2017 +0200| [18fbf2622cd53985da438f0de06552c6cc49320d] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in predict()

Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot 
be represented in type 'int'
Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18fbf2622cd53985da438f0de06552c6cc49320d
---

 libavcodec/aacdec_fixed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index e7c2d2d299..06bfa87e28 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 
 if (shift < 31) {
 if (shift > 0) {
-*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+*coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += pv.mant << -shift;
+*coef += (unsigned)(pv.mant << -shift);
 }
 }
 
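Review bot: In the `else` branch the cast is applied to the result of `pv.mant << -shift`, so the shift itself is still evaluated in signed int and remains undefined for a negative `pv.mant` or when significant bits are shifted out. Casting the operand instead gives the wrapping behaviour the commit is after: `*coef += (unsigned)pv.mant << -shift;`. The `shift > 0` branch keeps its right shift on the signed value, which preserves the sign of the result. predict() starts and ends outside the hunk.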



[FFmpeg-cvslog] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Nov 13 20:47:48 2017 +0100| [96fe37a3390aaa07a1798d8daa6aa2d622c4870b] | 
committer: Michael Niedermayer

avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu

Fixes: out of array read
Fixes: 3516/attachment-311488.dat

Found-by: Insu Yun, Georgia Tech.
Tested-by: wuni...@gmail.com
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96fe37a3390aaa07a1798d8daa6aa2d622c4870b
---

 libavcodec/x86/mpegvideodsp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c
index e0498f3849..6009b64e07 100644
--- a/libavcodec/x86/mpegvideodsp.c
+++ b/libavcodec/x86/mpegvideodsp.c
@@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src,
 const int dyh = (dyy - (1 << (16 + shift))) * (h - 1);
 const int dxh = dxy * (h - 1);
 const int dyw = dyx * (w - 1);
-int need_emu  =  (unsigned) ix >= width  - w ||
- (unsigned) iy >= height - h;
+int need_emu  =  (unsigned) ix >= width  - w || width < w ||
+ (unsigned) iy >= height - h || height< h
+ ;
 
 if ( // non-constant fullpel offset (3% of blocks)
 ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) |
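Review bot: The new `width < w` and `height < h` tests are placed after the comparisons whose subtraction they guard, and the statement ends with a `;` on a line of its own. Because of `||` the order does not change the result, but putting the guard first makes it obvious that `width - w` is only trusted when it is non-negative: `int need_emu = width < w || (unsigned) ix >= width - w ||` followed by `height < h || (unsigned) iy >= height - h;`. Assuming `width` and `w` are plain int (their declarations are outside the hunk), a comment such as `/* a negative width - w would compare as a huge unsigned value */` would record why the extra tests exist. gmc_mmx's body continues outside the hunk.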



[FFmpeg-cvslog] avcodec/cngdec: Fix integer clipping

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Nov  2 18:34:09 2017 +0100| [286e3bf17429e3d8eee4fbe36110c9c0764fa74d] | 
committer: Michael Niedermayer

avcodec/cngdec: Fix integer clipping

Fixes: runtime error: value -36211.7 is outside the range of representable 
values of type 'short'
Fixes: 2992/clusterfuzz-testcase-6649611793989632

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=286e3bf17429e3d8eee4fbe36110c9c0764fa74d
---

 libavcodec/cngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c
index 34f881448d..42ef5bb3db 100644
--- a/libavcodec/cngdec.c
+++ b/libavcodec/cngdec.c
@@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void 
*data,
 return ret;
 buf_out = (int16_t *)frame->data[0];
 for (i = 0; i < avctx->frame_size; i++)
-buf_out[i] = p->filter_out[i + p->order];
+buf_out[i] = av_clip_int16(p->filter_out[i + p->order]);
 memcpy(p->filter_out, p->filter_out + avctx->frame_size,
p->order * sizeof(*p->filter_out));
 
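Review bot: `av_clip_int16()` takes an int, so a floating-point `filter_out` sample is converted to int before it is clipped, and that conversion is itself undefined when the value lies outside the int range. The commit message quotes a value of -36211.7, which suggests `filter_out` is floating point. Its declaration is outside the hunk, as is any bound on the filter output. Clipping in the float domain first avoids the question: `buf_out[i] = av_clipf(p->filter_out[i + p->order], INT16_MIN, INT16_MAX);`.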



[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov  5 21:20:08 2017 +0100| [b3067f95c9802a1219abe7dea3aa93419c8cc0f7] | 
committer: Michael Niedermayer

avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()

Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot 
be represented in type 'int'
Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3067f95c9802a1219abe7dea3aa93419c8cc0f7
---

 libavcodec/aacpsdsp_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c
index 3049ce8b79..0e532fcf84 100644
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT 
(*delay)[2],
 INTFLOAT apd_im = in_im;
 in_re = AAC_MSUB30(link_delay_re, fractional_delay_re,
 link_delay_im, fractional_delay_im);
-in_re -= a_re;
+in_re -= (UINTFLOAT)a_re;
 in_im = AAC_MADD30(link_delay_re, fractional_delay_im,
 link_delay_im, fractional_delay_re);
-in_im -= a_im;
-ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re);
-ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im);
+in_im -= (UINTFLOAT)a_im;
+ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re);
+ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im);
 }
 out[n][0] = AAC_MUL16(transient_gain[n], in_re);
 out[n][1] = AAC_MUL16(transient_gain[n], in_im);



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in header parsing

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov  5 21:20:05 2017 +0100| [c8027878d024394fc59184ffdf7182fae0bf38dd] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow in header parsing

Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576
Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot 
be represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c8027878d024394fc59184ffdf7182fae0bf38dd
---

 libavcodec/snowdec.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 6eff729a19..2b92ed3de0 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){
 }
 }
 
-s->spatial_decomposition_type+= get_symbol(>c, s->header_state, 1);
+s->spatial_decomposition_type+= (unsigned)get_symbol(>c, 
s->header_state, 1);
 if(s->spatial_decomposition_type > 1U){
 av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not 
supported\n", s->spatial_decomposition_type);
 return AVERROR_INVALIDDATA;
@@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){
 }
 
 
-s->qlog   += get_symbol(>c, s->header_state, 1);
-s->mv_scale   += get_symbol(>c, s->header_state, 1);
-s->qbias  += get_symbol(>c, s->header_state, 1);
-s->block_max_depth+= get_symbol(>c, s->header_state, 1);
+s->qlog   += (unsigned)get_symbol(>c, s->header_state, 1);
+s->mv_scale   += (unsigned)get_symbol(>c, s->header_state, 1);
+s->qbias  += (unsigned)get_symbol(>c, s->header_state, 1);
+s->block_max_depth+= (unsigned)get_symbol(>c, s->header_state, 1);
 if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
 av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", 
s->block_max_depth);
 s->block_max_depth= 0;



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined shift

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov  5 21:20:07 2017 +0100| [8be48f1c9a4e6db2de6ea5d896d4d4eedc3ec638] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix undefined shift

Fixes: runtime error: left shift of negative value -801112064
Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8be48f1c9a4e6db2de6ea5d896d4d4eedc3ec638
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 1aaa6a2cb1..6ba0e63325 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 if (shift > 0) {
 *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += (unsigned)(pv.mant << -shift);
+*coef += (unsigned)pv.mant << -shift;
 }
 }
 
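Review bot: The shift count `-shift` is bounded on one side only, by the visible `shift < 31` test. Nothing in the hunk shows that `shift` cannot be -32 or lower, and a count of 32 or more is undefined for an unsigned operand too. If the exponent feeding `shift` is not already limited elsewhere in predict(), the outer condition could be tightened to `if (shift < 31 && shift > -32) {`, or the existing bound documented in a comment next to the shift. The computation of `shift` is outside the hunk, so this needs checking against the full function.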



[FFmpeg-cvslog] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Nov  4 01:19:20 2017 +0100| [d3264c496a0ed8edfe940eb197ceb5b650b8a17e] | 
committer: Michael Niedermayer

avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot 
be represented in type 'int'
Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3264c496a0ed8edfe940eb197ceb5b650b8a17e
---

 libavcodec/h264idct_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c
index ec8a3d083a..e6f40fccd9 100644
--- a/libavcodec/h264idct_template.c
+++ b/libavcodec/h264idct_template.c
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t 
*_block, int stride){
 const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + 
(block[i+5*8]>>1);
 const int a7 =  block[i+3*8] + block[i+5*8] + block[i+1*8] + 
(block[i+1*8]>>1);
 
-const int b1 = (a7>>2) + a1;
-const int b3 =  a3 + (a5>>2);
-const int b5 = (a3>>2) - a5;
-const int b7 =  a7 - (a1>>2);
+const int b1 = (a7>>2) + (unsigned)a1;
+const int b3 =  (unsigned)a3 + (a5>>2);
+const int b5 = (a3>>2) - (unsigned)a5;
+const int b7 =  (unsigned)a7 - (a1>>2);
 
 block[i+0*8] = b0 + b7;
 block[i+7*8] = b0 - b7;
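Review bot: `b1`, `b3`, `b5` and `b7` are still declared `const int`, so the casts make each individual addition wrap but the values go straight back into signed arithmetic on the following lines (`b0 + b7`, `b0 - b7`). Whether those can still overflow depends on the types of `b0` and `block[]`, which are declared outside the hunk. Declaring the intermediates unsigned, e.g. `const unsigned b1 = (a7>>2) + (unsigned)a1;`, would keep the whole butterfly in wrapping arithmetic. If the int declarations are kept deliberately, a comment saying so would help.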



[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov  1 14:00:19 2017 +0100| [67208cf992ef20c987a1342a5157c8d48881da0e] | 
committer: Michael Niedermayer

avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()

Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67208cf992ef20c987a1342a5157c8d48881da0e
---

 libavcodec/aacsbr_fixed.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c
index 1f5ff410d1..2a679491b0 100644
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, 
SpectralBandReplication *sbr,
 av_add_sf(FLOAT_1, 
sbr->e_curr[e][m]),
 av_add_sf(FLOAT_1, 
sbr->q_mapped[e][m];
 }
+sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);
 }
 for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 
1] - sbr->kx[1]; m++) {
 sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]);
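Review bot: The added `av_add_sf(sbr->gain[e][m], FLOAT_MIN)` biases every gain value by a small amount, and the code gives no reason for it. The commit title says it prevents a division by zero, but the division is outside the hunk, so a reader of sbr_gain_calc() cannot tell which later use depends on the gain being nonzero. I would add a comment above the line, e.g. `/* keep gain nonzero; it is used as a divisor later */`, naming the consumer if it is known.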



[FFmpeg-cvslog] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Oct 30 23:21:41 2017 +0100| [6fb7e324fee1b26f5c0ff41eab81c0a0ddd49fe5] | 
committer: Michael Niedermayer

avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

Fixes: runtime error: signed integer overflow: 924846844 + 1457520640 cannot be 
represented in type 'int'
Fixes: 3416/clusterfuzz-testcase-minimized-6125587682820096

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2b739e1cb8f6ce8baead03ce5c999103ba78f24f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fb7e324fee1b26f5c0ff41eab81c0a0ddd49fe5
---

 libavcodec/h264idct_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c
index 288107d5a4..ec8a3d083a 100644
--- a/libavcodec/h264idct_template.c
+++ b/libavcodec/h264idct_template.c
@@ -107,10 +107,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t 
*_block, int stride){
 }
 for( i = 0; i < 8; i++ )
 {
-const unsigned a0 =  block[0+i*8] + block[4+i*8];
-const unsigned a2 =  block[0+i*8] - block[4+i*8];
-const unsigned a4 = (block[2+i*8]>>1) - block[6+i*8];
-const unsigned a6 = (block[6+i*8]>>1) + block[2+i*8];
+const unsigned a0 =  block[0+i*8] + (unsigned)block[4+i*8];
+const unsigned a2 =  block[0+i*8] - (unsigned)block[4+i*8];
+const unsigned a4 = (block[2+i*8]>>1) - (unsigned)block[6+i*8];
+const unsigned a6 = (block[6+i*8]>>1) + (unsigned)block[2+i*8];
 
 const unsigned b0 = a0 + a6;
 const unsigned b2 = a2 + a4;



[FFmpeg-cvslog] avcodec/jpeglsdec: Check ilv for being a supported value

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Oct 26 00:02:56 2017 +0200| [b33d3021954cb81a7291f8a00efa1ffebd13bfca] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check ilv for being a supported value

Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b33d3021954cb81a7291f8a00efa1ffebd13bfca
---

 libavcodec/jpeglsdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 64505321af..cb2f89a88c 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -443,6 +443,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int 
near,
 avpriv_report_missing_feature(s->avctx, "Sample interleaved images");
 ret = AVERROR_PATCHWELCOME;
 goto end;
+} else { /* unknown interleaving */
+avpriv_report_missing_feature(s->avctx, "Unknown interleaved images");
+ret = AVERROR_PATCHWELCOME;
+goto end;
 }
 
 if (s->xfrm && s->nb_components == 3) {
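Review bot: The new `else` branch reports an unrecognised interleave value as a missing feature and returns `AVERROR_PATCHWELCOME`, the same as the sample-interleaved case above it. A value that matches none of the defined modes is more likely corrupt input than something awaiting implementation. Setting `ret = AVERROR_INVALIDDATA;` and logging the offending value with `av_log(s->avctx, AV_LOG_ERROR, ...)` would let callers and fuzz triage distinguish damaged streams from unsupported ones. The preceding branches of the `if`/`else if` chain are outside the hunk.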



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Oct 27 02:23:21 2017 +0200| [02612c3e3eb54cdf60392929d17909e4a4f80f89] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()

Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be 
represented in type 'int'
Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02612c3e3eb54cdf60392929d17909e4a4f80f89
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 06bfa87e28..1aaa6a2cb1 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
 for (k = offsets[i]; k < offsets[i + 1]; k++) {
 tmp = (int)(((int64_t)src[group * 128 + k] * c + \
 (int64_t)0x10) >> 37);
-dest[group * 128 + k] += tmp * (1 << shift);
+dest[group * 128 + k] += tmp * (1U << shift);
 }
 }
 }



[FFmpeg-cvslog] avcodec/xan: Improve overlapping check

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Oct 30 23:21:40 2017 +0100| [faa84a0c0667927b89f20f8c5af64129ccbb18ef] | 
committer: Michael Niedermayer

avcodec/xan: Improve overlapping check

Fixes: memcpy-param-overlap
Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=faa84a0c0667927b89f20f8c5af64129ccbb18ef
---

 libavcodec/xan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 4c01c0013f..8b4ec82405 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -263,7 +263,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, 
AVFrame *frame,
 prevframe_index = (y + motion_y) * stride + x + motion_x;
 prevframe_x = x + motion_x;
 
-if (prev_palette_plane == palette_plane && FFABS(curframe_index - 
prevframe_index) < pixel_count) {
+if (prev_palette_plane == palette_plane && FFABS(motion_x + 
width*motion_y) < pixel_count) {
  avpriv_request_sample(s->avctx, "Overlapping copy");
  return ;
 }
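Review bot: The overlap test now multiplies `motion_y` by `width`, while the index computed two lines above uses `stride`, and nothing explains the difference. Presumably the distance is meant in run order, where rows are `width` pixels long, and not in buffer offsets, but the copy loop that would confirm this is outside the hunk. A comment such as `/* distance in pixel-run order (rows of width pixels), not in stride units */` would keep a later reader from changing it back to `stride`.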



[FFmpeg-cvslog] avformat: Free the internal codec context at the end

2017-12-30 Thread Luca Barbato
ffmpeg | branch: release/3.3 | Luca Barbato  | Wed Apr 12 
01:46:30 2017 +0200| [912448efc110d4249e9ec7ff7b19bd7dab0c6e50] | committer: 
Michael Niedermayer

avformat: Free the internal codec context at the end

Avoid a use after free in avformat_find_stream_info.

(cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=912448efc110d4249e9ec7ff7b19bd7dab0c6e50
---

 libavformat/utils.c | 7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index ff55fc8d97..5200c7d2e7 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3763,12 +3763,6 @@ FF_ENABLE_DEPRECATION_WARNINGS
 }
 }
 
-// close codecs which were opened in try_decode_frame()
-for (i = 0; i < ic->nb_streams; i++) {
-st = ic->streams[i];
-avcodec_close(st->internal->avctx);
-}
-
 ff_rfps_calculate(ic);
 
 for (i = 0; i < ic->nb_streams; i++) {
@@ -3949,6 +3943,7 @@ find_stream_info_err:
 st = ic->streams[i];
 if (st->info)
 av_freep(>info->duration_error);
+avcodec_close(ic->streams[i]->internal->avctx);
 av_freep(>streams[i]->info);
 }
 if (ic->pb)
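Review bot: The comment that explained this call (`// close codecs which were opened in try_decode_frame()`) was dropped when the loop was removed in the previous hunk, so the cleanup label now closes `internal->avctx` with no hint of why it has to happen this late. I would carry it over, e.g. `/* close codecs opened in try_decode_frame(); deferred to here because the context is still used above */`; the second half is inferred from the commit message and should be confirmed. The added line could also use the `st` assigned three lines earlier, `avcodec_close(st->internal->avctx);`, to match the `if (st->info)` test above it. The enclosing function starts and ends outside the hunk.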



[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov  1 14:00:20 2017 +0100| [19fb467fcbbfdb9cba784fd0cd05d6e8333bc3fb] | 
committer: Michael Niedermayer

avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()

Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long'
Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19fb467fcbbfdb9cba784fd0cd05d6e8333bc3fb
---

 libavcodec/sbrdsp_fixed.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index f45bb847a8..07ef12117c 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int 
(*X_high)[40][2],
 int64_t accu;
 
 for (m = 0; m < m_max; m++) {
-int64_t r = 1LL << (22-g_filt[m].exp);
-accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
-Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
+if (22 - g_filt[m].exp < 61) {
+int64_t r = 1LL << (22-g_filt[m].exp);
+accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
+Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
 
-accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
-Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
+Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+}
 }
 }
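Review bot: The new guard `22 - g_filt[m].exp < 61` bounds the shift count only from above; if `g_filt[m].exp` can exceed 22, `1LL << (22-g_filt[m].exp)` is still a shift by a negative count, which is just as undefined. Whether `exp` is bounded elsewhere is not visible in this hunk, so either document its range or extend the test, e.g. `if (g_filt[m].exp <= 22 && 22 - g_filt[m].exp < 61) {`. When the guard fails, `Y[m][0]` and `Y[m][1]` are left unwritten; a comment saying that stale output is acceptable there, or an explicit `else` that zeroes them, would make the intent clear.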
 



[FFmpeg-cvslog] avcodec/xan: Check for bitstream end in xan_huffman_decode()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Nov  3 17:48:29 2017 +0100| [ffa2d60ac5af229268607b6530ff4e32baa1b2fa] | 
committer: Michael Niedermayer

avcodec/xan: Check for bitstream end in xan_huffman_decode()

Fixes: Timeout
Fixes: 3707/clusterfuzz-testcase-6465922706440192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffa2d60ac5af229268607b6530ff4e32baa1b2fa
---

 libavcodec/xan.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 8b4ec82405..1ccf164847 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -131,7 +131,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len,
 return ret;
 
 while (val != 0x16) {
-unsigned idx = val - 0x17 + get_bits1() * byte;
+unsigned idx;
+if (get_bits_left() < 1)
+return AVERROR_INVALIDDATA;
+idx = val - 0x17 + get_bits1() * byte;
 if (idx >= 2 * byte)
 return AVERROR_INVALIDDATA;
 val = src[idx];



[FFmpeg-cvslog] avcodec/mdct_*: Fix integer overflow in addition in RESCALE()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Nov  5 21:20:06 2017 +0100| [c1d31ccfac480d4dd8b6aa20f8f0e6e183d620c2] | 
committer: Michael Niedermayer

avcodec/mdct_*: Fix integer overflow in addition in RESCALE()

Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot 
be represented in type 'int'
Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1d31ccfac480d4dd8b6aa20f8f0e6e183d620c2
---

 libavcodec/mdct_fixed.c|  8 
 libavcodec/mdct_template.c | 14 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c
index a32cb00ca0..aabf0c88f8 100644
--- a/libavcodec/mdct_fixed.c
+++ b/libavcodec/mdct_fixed.c
@@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const 
FFTSample *input)
 
 /* pre rotation */
 for(i=0;i> 6)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6)
 #else /* FFT_FIXED_32 */
-#   define RSCALE(x) ((x) >> 1)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1)
 #endif /* FFT_FIXED_32 */
 #endif
 
@@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const 
FFTSample *input)
 
 /* pre rotation */
 for(i=0;i

[FFmpeg-cvslog] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Oct 26 00:02:57 2017 +0200| [3d6ffa2bb50a99434a1e54f1212b266189245cdb] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()

Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Fixes: Timeout

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d6ffa2bb50a99434a1e54f1212b266189245cdb
---

 libavcodec/jpeglsdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index cb2f89a88c..5308b744df 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, 
MJpegDecodeContext *s,
 while (x < w) {
 int err, pred;
 
+if (get_bits_left(>gb) <= 0)
+return;
+
 /* compute gradients */
 Ra = x ? R(dst, x - stride) : R(last, x);
 Rb = R(last, x);
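Review bot: The added `return;` gives ls_decode_line() no way to tell its caller that the line was cut short: the function is `void`, so the pixels from `x` to `w` stay unwritten and decoding presumably carries on with the next line. Returning an `int` (0 on success, `AVERROR_INVALIDDATA` on an exhausted bitstream) and checking it at the call sites would let the decoder stop at the first truncated line instead of re-entering once per remaining line. If the silent stop is intended, a comment on the check saying so would help. The function body continues outside the hunk.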



[FFmpeg-cvslog] avformat/hls: ignore http_persistent for segments requring crypto

2017-12-30 Thread Aman Gupta
ffmpeg | branch: master | Aman Gupta  | Fri Dec 29 15:30:55 2017 
-0800| [97b89432e4566a5d620f97bfdf4c8ae9c83d94e8] | committer: Aman Gupta

avformat/hls: ignore http_persistent for segments requring crypto

Encrypted HLS segments have regular http:// urls, but open_input()
actually prefixes them with crypto+ before calling open_url(), so
they end up using the crypto protocol and not the http protocol.

This means invoking ff_http_do_new_request will fail, so we avoid
calling it in the first place. After the earlier http.c commit,
the failure results in a warning printed to the user. In earlier
versions, the failure would cause a segfault.

Signed-off-by: Aman Gupta 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=97b89432e4566a5d620f97bfdf4c8ae9c83d94e8
---

 libavformat/hls.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index dccc7c7dd2..d9f7c6de4d 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -1479,7 +1479,7 @@ reload:
 
 seg = next_segment(v);
 if (c->http_multiple == 1 && !v->input_next_requested &&
-seg && av_strstart(seg->url, "http", NULL)) {
+seg && seg->key_type == KEY_NONE && av_strstart(seg->url, "http", 
NULL)) {
 ret = open_input(c, v, seg, >input_next);
 if (ret < 0) {
 if (ff_check_interrupt(c->interrupt_callback))
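Review bot: The test for a segment that may reuse the HTTP connection, `seg->key_type == KEY_NONE && av_strstart(seg->url, "http", NULL)`, is now spelled out twice: here and in the `c->http_persistent` branch of the next hunk. The commit message says that getting this wrong used to end in a segfault, so the two copies should not be able to drift apart; a small static helper that takes `seg` and returns that expression, called from both places, would keep them together. A one-line comment on it noting that encrypted segments are opened through the crypto protocol rather than http would record the reason. Both hunks sit inside a function whose start and end are outside the hunks.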
@@ -1511,7 +1511,8 @@ reload:
 
 return ret;
 }
-if (c->http_persistent && av_strstart(seg->url, "http", NULL)) {
+if (c->http_persistent &&
+seg->key_type == KEY_NONE && av_strstart(seg->url, "http", NULL)) {
 v->input_read_done = 1;
 } else {
 ff_format_io_close(v->parent, >input);



[FFmpeg-cvslog] x264: Support version 153

2017-12-30 Thread Luca Barbato
ffmpeg | branch: release/2.4 | Luca Barbato  | Tue Dec 26 
12:32:42 2017 +0100| [8d75aa8d79519c21f91a7dd96f330ad30d6625ed] | committer: 
Michael Niedermayer

x264: Support version 153

It has native simultaneous 8 and 10 bit support.

(cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e)
(cherry picked from commit 96e8400553ae47f8f8df5b66cc268297ba38824c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d75aa8d79519c21f91a7dd96f330ad30d6625ed
---

 libavcodec/libx264.c | 29 +
 1 file changed, 29 insertions(+)

diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index fa3aea9375..7f46abd80b 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -167,7 +167,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, 
const AVFrame *frame,
 
 x264_picture_init( >pic );
 x4->pic.img.i_csp   = x4->params.i_csp;
+#if X264_BUILD >= 153
+if (x4->params.i_bitdepth > 8)
+#else
 if (x264_bit_depth > 8)
+#endif
 x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH;
 x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt);
 
@@ -393,6 +397,9 @@ static av_cold int X264_init(AVCodecContext *avctx)
 x4->params.p_log_private= avctx;
 x4->params.i_log_level  = X264_LOG_DEBUG;
 x4->params.i_csp= convert_pix_fmt(avctx->pix_fmt);
+#if X264_BUILD >= 153
+x4->params.i_bitdepth   = 
av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth;
+#endif
 
 OPT_STR("weightp", x4->wpredp);
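Review bot: `av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth` dereferences the descriptor without a NULL check. av_pix_fmt_desc_get() returns NULL for a pixel format it does not know; the format has probably been validated against `codec->pix_fmts` before X264_init() runs, but that is not visible in this hunk. A guarded form is cheap: fetch the descriptor into a local, `if (!desc) return AVERROR(EINVAL);`, then assign `desc->comp[0].depth`. The same line appears in the release/3.3 backport of this commit further down the page. X264_init continues outside the hunk.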
 
@@ -731,6 +738,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = {
 AV_PIX_FMT_NV20,
 AV_PIX_FMT_NONE
 };
+static const enum AVPixelFormat pix_fmts_all[] = {
+AV_PIX_FMT_YUV420P,
+AV_PIX_FMT_YUVJ420P,
+AV_PIX_FMT_YUV422P,
+AV_PIX_FMT_YUVJ422P,
+AV_PIX_FMT_YUV444P,
+AV_PIX_FMT_YUVJ444P,
+AV_PIX_FMT_NV12,
+AV_PIX_FMT_NV16,
+#ifdef X264_CSP_NV21
+AV_PIX_FMT_NV21,
+#endif
+AV_PIX_FMT_YUV420P10,
+AV_PIX_FMT_YUV422P10,
+AV_PIX_FMT_YUV444P10,
+AV_PIX_FMT_NV20,
+AV_PIX_FMT_NONE
+};
 static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 #ifdef X264_CSP_BGR
 AV_PIX_FMT_BGR24,
@@ -741,12 +766,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 
 static av_cold void X264_init_static(AVCodec *codec)
 {
+#if X264_BUILD < 153
 if (x264_bit_depth == 8)
 codec->pix_fmts = pix_fmts_8bit;
 else if (x264_bit_depth == 9)
 codec->pix_fmts = pix_fmts_9bit;
 else if (x264_bit_depth == 10)
 codec->pix_fmts = pix_fmts_10bit;
+#else
+codec->pix_fmts = pix_fmts_all;
+#endif
 }
 
 #define OFFSET(x) offsetof(X264Context, x)



[FFmpeg-cvslog] changelog: update with previous commit

2017-12-30 Thread James Almer
ffmpeg | branch: release/3.3 | James Almer  | Sat Dec 30 
19:38:23 2017 -0300| [03292829aa2e7a7db36de490c6cc19a4792ab3cc] | committer: 
James Almer

changelog: update with previous commit

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=03292829aa2e7a7db36de490c6cc19a4792ab3cc
---

 Changelog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Changelog b/Changelog
index 4564611d77..cd95ddab50 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 3.3.6:
+- x264: Support version 153
 - avcodec/exr: Check buf_size more completely
 - avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
 - avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and 
put_hevc_qpel_bi_w_w()



[FFmpeg-cvslog] x264: Support version 153

2017-12-30 Thread Luca Barbato
ffmpeg | branch: release/3.3 | Luca Barbato  | Tue Dec 26 
12:32:42 2017 +0100| [96e8400553ae47f8f8df5b66cc268297ba38824c] | committer: 
James Almer

x264: Support version 153

It has native simultaneous 8 and 10 bit support.

(cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96e8400553ae47f8f8df5b66cc268297ba38824c
---

 libavcodec/libx264.c | 29 +
 1 file changed, 29 insertions(+)

diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index b11ede6198..6568b25b1a 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -279,7 +279,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, 
const AVFrame *frame,
 
 x264_picture_init( >pic );
 x4->pic.img.i_csp   = x4->params.i_csp;
+#if X264_BUILD >= 153
+if (x4->params.i_bitdepth > 8)
+#else
 if (x264_bit_depth > 8)
+#endif
 x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH;
 x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt);
 
@@ -490,6 +494,9 @@ static av_cold int X264_init(AVCodecContext *avctx)
 x4->params.p_log_private= avctx;
 x4->params.i_log_level  = X264_LOG_DEBUG;
 x4->params.i_csp= convert_pix_fmt(avctx->pix_fmt);
+#if X264_BUILD >= 153
+x4->params.i_bitdepth   = 
av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth;
+#endif
 
 PARSE_X264_OPT("weightp", wpredp);
 
@@ -878,6 +885,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = {
 AV_PIX_FMT_NV20,
 AV_PIX_FMT_NONE
 };
+static const enum AVPixelFormat pix_fmts_all[] = {
+AV_PIX_FMT_YUV420P,
+AV_PIX_FMT_YUVJ420P,
+AV_PIX_FMT_YUV422P,
+AV_PIX_FMT_YUVJ422P,
+AV_PIX_FMT_YUV444P,
+AV_PIX_FMT_YUVJ444P,
+AV_PIX_FMT_NV12,
+AV_PIX_FMT_NV16,
+#ifdef X264_CSP_NV21
+AV_PIX_FMT_NV21,
+#endif
+AV_PIX_FMT_YUV420P10,
+AV_PIX_FMT_YUV422P10,
+AV_PIX_FMT_YUV444P10,
+AV_PIX_FMT_NV20,
+AV_PIX_FMT_NONE
+};
 #if CONFIG_LIBX264RGB_ENCODER
 static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 AV_PIX_FMT_BGR0,
@@ -889,12 +914,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = {
 
 static av_cold void X264_init_static(AVCodec *codec)
 {
+#if X264_BUILD < 153
 if (x264_bit_depth == 8)
 codec->pix_fmts = pix_fmts_8bit;
 else if (x264_bit_depth == 9)
 codec->pix_fmts = pix_fmts_9bit;
 else if (x264_bit_depth == 10)
 codec->pix_fmts = pix_fmts_10bit;
+#else
+codec->pix_fmts = pix_fmts_all;
+#endif
 }
 
 #define OFFSET(x) offsetof(X264Context, x)



[FFmpeg-cvslog] Don't manipulate duration when it's AV_NOPTS_VALUE.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Tue Nov 
28 14:26:55 2017 -0800| [272a9687a73c44e5c27b969dd454b3e04cc32279] | committer: 
Michael Niedermayer

Don't manipulate duration when it's AV_NOPTS_VALUE.

This leads to signed integer overflow.

Signed-off-by: Dale Curtis 
Signed-off-by: James Almer 
(cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=272a9687a73c44e5c27b969dd454b3e04cc32279
---

 libavformat/oggparsevp8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c
index c534ab117d..b76ac71cc5 100644
--- a/libavformat/oggparsevp8.c
+++ b/libavformat/oggparsevp8.c
@@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx)
 os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
-if (s->streams[idx]->duration)
+if (s->streams[idx]->duration && s->streams[idx]->duration != 
AV_NOPTS_VALUE)
 s->streams[idx]->duration -= s->streams[idx]->start_time;
 }
 }
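Review bot: The added test keeps `AV_NOPTS_VALUE` out of the left operand only; the subtraction on the next line still takes `start_time`, which was just copied from `os->lastpts`, without any check. If `os->lastpts` can itself be `AV_NOPTS_VALUE` or otherwise extreme at this point, which is not visible in the hunk, `duration -= start_time` can overflow in the same way. Consider guarding the right operand too, e.g. by adding `os->lastpts != AV_NOPTS_VALUE &&` to the condition, or add a comment stating why it cannot happen. vp8_packet starts and ends outside the hunk.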



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Dec  2 21:48:04 2017 +0100| [454a2405ce80dcfa85d38f18e3b9788d0b57e40c] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*

Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024
Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be 
represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=454a2405ce80dcfa85d38f18e3b9788d0b57e40c
---

 libavcodec/dirac_dwt.h | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index eb5aebc878..50c8b1e394 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 
25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
-(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
+((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH1(b0, b1, b2)\
-(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
+((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7))
 
 #define COMPOSE_DAUB97iL0(b0, b1, b2)\
-(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
+((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12))
 
 #define COMPOSE_DAUB97iH0(b0, b1, b2)\
-(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
+((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12))
 
 
 #endif /* AVCODEC_DWT_H */
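Review bot: The new cast parenthesises `b1`, but the same macros still use `b0` and `b2` bare, as in `(b0 + (unsigned)b2)`, so an argument that is itself an expression would have only its first operand cast. Writing `((b0) + (unsigned)(b2))` in all four COMPOSE_DAUB97i* macros makes them safe for any argument, e.g. `((unsigned)(b1) - ((int)(1817*((b0) + (unsigned)(b2)) + 2048) >> 12))`. The macros now yield an `unsigned` value; a comment above them saying that the arithmetic is unsigned on purpose to avoid signed overflow, and that callers presumably store the result back into an `int`, would record the intent.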



[FFmpeg-cvslog] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Dec  2 21:53:22 2017 +0100| [054188db10873fa23cd7739bb468850b23dbe8ac] | 
committer: Michael Niedermayer

avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()

Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be 
represented in type 'int'
Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=054188db10873fa23cd7739bb468850b23dbe8ac
---

 libavcodec/diracdsp.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c
index 8bc79b788c..2dd56f83f3 100644
--- a/libavcodec/diracdsp.c
+++ b/libavcodec/diracdsp.c
@@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## 
bit_c(uint8_t *_dst, int dst_strid
 int32_t *src = (int32_t *)_src;
 \
 for (y = 0; y < height; y++) { 
 \
 for (x = 0; x < width; x+=4) { 
 \
-dst[x  ] = av_clip_uintp2(src[x  ] + (1 << (PX - 1)), PX); 
 \
-dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); 
 \
-dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); 
 \
-dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); 
 \
+dst[x  ] = av_clip_uintp2(src[x  ] + (1U << (PX - 1)), PX);
  \
+dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX);
  \
+dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX);
  \
+dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX);
  \
 }  
 \
 dst += dst_stride >> 1;
 \
 src += src_stride >> 2;
 \
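Review bot: With `1U` the sum `src[x] + (1U << (PX - 1))` is computed as `unsigned` and then converted back to the `int` parameter of av_clip_uintp2(), so a source value near `INT_MAX` wraps to a negative number and is clipped to 0 rather than to the maximum. That removes the undefined behaviour the fuzzer reported, but for such input the result lands at the opposite end of the range from what saturation would give. If that is acceptable for out-of-range coefficients, say so in a comment above the loop, e.g. `/* unsigned add: overflow wraps instead of being UB; only invalid streams reach it */`; the last clause is an assumption to confirm. The macro body continues outside the hunk.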



[FFmpeg-cvslog] Fix undefined shift on assumed 8-bit input.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Fri Nov 
17 16:05:30 2017 -0800| [11a940adbcabd2dbbd78bd95023e8853985aa525] | committer: 
Michael Niedermayer

Fix undefined shift on assumed 8-bit input.

decode_user_data() attempts to create an integer |build|
value with 8 bits of spacing for 3 components. However
each component is an int32_t, so shifting each component
is undefined for values outside of the 8 bit range.

This patch simply clamps input to 8-bits per component
and prints out a warning that the values were clamped.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11a940adbcabd2dbbd78bd95023e8853985aa525
---

 libavcodec/mpeg4videodec.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index cd39131d55..5ae724bed1 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2149,8 +2149,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", , 
, , );
 if (e != 4) {
 e = sscanf(buf, "Lavc%d.%d.%d", , , ) + 1;
-if (e > 1)
-build = (ver << 16) + (ver2 << 8) + ver3;
+if (e > 1) {
+if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) {
+av_log(s->avctx, AV_LOG_WARNING,
+ "Unknown Lavc version string encountered, %d.%d.%d; "
+ "clamping sub-version values to 8-bits.\n",
+ ver, ver2, ver3);
+}
+build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 
0xFF);
+}
 }
 if (e != 4) {
 if (strcmp(buf, "ffmpeg") == 0)
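Review bot: The warning says the values are clamped, but `ver & 0xFF` masks them: 256 becomes 0, not 255. Either reword the message (`"masking sub-version values to 8 bits.\n"`) or clamp for real before the shift. The range test `ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF` also lets negative numbers through without a warning, since `%d` accepts a sign; comparing as unsigned, `(unsigned)ver > 0xFF`, would cover both ends. The text in `buf` presumably comes from the stream's user data, so both cases are reachable from input. decode_user_data continues outside the hunk.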



[FFmpeg-cvslog] avformat/mov: Check size of STSC allocation

2017-12-30 Thread Fredrik Hubinette
ffmpeg | branch: release/3.3 | Fredrik Hubinette  | Wed Nov 
15 17:24:30 2017 -0800| [74104d2dc05d903a2b94e3457fc1a2cf8fe224a2] | committer: 
Michael Niedermayer

avformat/mov: Check size of STSC allocation

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74104d2dc05d903a2b94e3457fc1a2cf8fe224a2
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 90b068f091..6ebdf8a4b7 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2411,6 +2411,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb24(pb); /* flags */
 
 entries = avio_rb32(pb);
+if ((uint64_t)entries * 12 + 4 > atom.size)
+return AVERROR_INVALIDDATA;
 
 av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", 
c->fc->nb_streams - 1, entries);
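Review bot: In `(uint64_t)entries * 12 + 4 > atom.size` the left side is unsigned, so `atom.size` is converted to `uint64_t` for the comparison; if it can ever be negative here it becomes a huge value and the check passes. Whether a negative size can reach mov_read_stsc is not visible in the hunk; if it cannot, a comment saying so is enough, otherwise test `atom.size < 0 ||` first. The constants would also read better with a comment such as `/* 12 bytes per stsc entry */`. mov_read_stsc continues outside the hunk.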
 



[FFmpeg-cvslog] Fix leak of frame_duration_buffer in mov_fix_index().

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Fri Nov 
17 14:53:25 2017 -0800| [362967fec6a4c4772e56b50efba49dab06f49de6] | committer: 
Michael Niedermayer

Fix leak of frame_duration_buffer in mov_fix_index().

Should be unconditionally freed at the end of mov_fix_index() in
case it hasn't been used during the fix up.

Signed-off-by: Dale Curtis 
Reviewed-by: Sasi Inguva 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d073be2291e40129d107ca4573097d6d6d2dbf68)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=362967fec6a4c4772e56b50efba49dab06f49de6
---

 libavformat/mov.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 2f6965eabb..f2eb22eb3d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3296,6 +3296,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st)
 // Free the old index and the old CTTS structures
 av_free(e_old);
 av_free(ctts_data_old);
+av_freep(_duration_buffer);
 
 // Null terminate the index ranges array
 current_index_range++;



[FFmpeg-cvslog] Use ff_thread_once for fixed, float table init.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Fri Nov 
17 14:51:09 2017 -0800| [edd0cd21f41e6b0b8b39b5a53891d4a2c61fafff] | committer: 
Michael Niedermayer

Use ff_thread_once for fixed, float table init.

These tables are static so they should only be initialized once
instead of on every call to ff_mpadsp_init().

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edd0cd21f41e6b0b8b39b5a53891d4a2c61fafff
---

 libavcodec/mpegaudiodsp.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c
index a5d20df629..3cafca27bf 100644
--- a/libavcodec/mpegaudiodsp.c
+++ b/libavcodec/mpegaudiodsp.c
@@ -20,17 +20,21 @@
 
 #include "config.h"
 #include "libavutil/attributes.h"
+#include "libavutil/thread.h"
 #include "mpegaudiodsp.h"
 #include "dct.h"
 #include "dct32.h"
 
+static AVOnce mpadsp_float_table_init = AV_ONCE_INIT;
+static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT;
+
 av_cold void ff_mpadsp_init(MPADSPContext *s)
 {
 DCTContext dct;
 
 ff_dct_init(, 5, DCT_II);
-ff_init_mpadsp_tabs_float();
-ff_init_mpadsp_tabs_fixed();
+ff_thread_once(_float_table_init, _init_mpadsp_tabs_float);
+ff_thread_once(_fixed_table_init, _init_mpadsp_tabs_fixed);
 
 s->apply_window_float = ff_mpadsp_apply_window_float;
 s->apply_window_fixed = ff_mpadsp_apply_window_fixed;



[FFmpeg-cvslog] avformat/mov: Propagate errors in mov_switch_root.

2017-12-30 Thread Jacob Trimble
ffmpeg | branch: release/3.3 | Jacob Trimble 
 | Mon Nov 20 12:05:02 2017 -0800| 
[a0eccf673cda83697e8e42d13e10d31a60a45346] | committer: Michael Niedermayer

avformat/mov: Propagate errors in mov_switch_root.

Signed-off-by: Jacob Trimble 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a0eccf673cda83697e8e42d13e10d31a60a45346
---

 libavformat/mov.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6ebdf8a4b7..2f6965eabb 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6171,6 +6171,7 @@ static int should_retry(AVIOContext *pb, int error_code) {
 
 static int mov_switch_root(AVFormatContext *s, int64_t target)
 {
+int ret;
 MOVContext *mov = s->priv_data;
 int i, j;
 int already_read = 0;
@@ -6207,8 +6208,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t 
target)
 
 mov->found_mdat = 0;
 
-if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) 
< 0 ||
-avio_feof(s->pb))
+ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX 
});
+if (ret < 0)
+return ret;
+if (avio_feof(s->pb))
 return AVERROR_EOF;
 av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", 
avio_tell(s->pb));
 



[FFmpeg-cvslog] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Sep 17 01:28:07 2017 +0200| [4a412dc6ad195eaf1bf43c8a77b622923aacf99a] | 
committer: Michael Niedermayer

avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and 
ff_wmv2_decode_mb()

Fixes: Timeout
Fixes: 3200/clusterfuzz-testcase-5750022136135680

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a412dc6ad195eaf1bf43c8a77b622923aacf99a
---

 libavcodec/wmv2dec.c | 18 --
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
index 20dbee5703..225e30ab5a 100644
--- a/libavcodec/wmv2dec.c
+++ b/libavcodec/wmv2dec.c
@@ -30,7 +30,7 @@
 #include "wmv2.h"
 
 
-static void parse_mb_skip(Wmv2Context *w)
+static int parse_mb_skip(Wmv2Context *w)
 {
 int mb_x, mb_y;
 MpegEncContext *const s = >s;
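Review bot: parse_mb_skip() now returns a status, but nothing documents the contract. A short comment above the definition, for example `/* @return 0 on success, AVERROR_INVALIDDATA if the bitstream ends inside the skip map */`, would match what the later hunks of this commit implement. The end-of-data tests are also written two ways in this commit, `get_bits_left(...) < 1` in parse_mb_skip() and `<= 0` in ff_wmv2_decode_mb(); picking one form would make them easier to find and compare.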
@@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w)
 MB_TYPE_16x16 | MB_TYPE_L0;
 break;
 case SKIP_TYPE_MPEG:
+if (get_bits_left(>gb) < s->mb_height * s->mb_width)
+return AVERROR_INVALIDDATA;
 for (mb_y = 0; mb_y < s->mb_height; mb_y++)
 for (mb_x = 0; mb_x < s->mb_width; mb_x++)
 mb_type[mb_y * s->mb_stride + mb_x] =
@@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w)
 break;
 case SKIP_TYPE_ROW:
 for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+if (get_bits_left(>gb) < 1)
+return AVERROR_INVALIDDATA;
 if (get_bits1(>gb)) {
 for (mb_x = 0; mb_x < s->mb_width; mb_x++)
 mb_type[mb_y * s->mb_stride + mb_x] =
@@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w)
 break;
 case SKIP_TYPE_COL:
 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+if (get_bits_left(>gb) < 1)
+return AVERROR_INVALIDDATA;
 if (get_bits1(>gb)) {
 for (mb_y = 0; mb_y < s->mb_height; mb_y++)
 mb_type[mb_y * s->mb_stride + mb_x] =
@@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w)
 }
 break;
 }
+return 0;
 }
 
 static int decode_ext_header(Wmv2Context *w)
@@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext 
*s)
 }
 } else {
 int cbp_index;
+int ret;
 w->j_type = 0;
 
-parse_mb_skip(w);
+ret = parse_mb_skip(w);
+if (ret < 0)
+return ret;
 cbp_index = decode012(>gb);
 w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index);
 
@@ -359,6 +369,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t 
block[6][64])
 w->hshift  = 0;
 return 0;
 }
+if (get_bits_left(>gb) <= 0)
+return AVERROR_INVALIDDATA;
 
 code = get_vlc2(>gb, ff_mb_non_intra_vlc[w->cbp_table_index].table,
 MB_NON_INTRA_VLC_BITS, 3);
@@ -369,6 +381,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t 
block[6][64])
 cbp = code & 0x3f;
 } else {
 s->mb_intra = 1;
+if (get_bits_left(>gb) <= 0)
+return AVERROR_INVALIDDATA;
 code = get_vlc2(>gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2);
 if (code < 0) {
 av_log(s->avctx, AV_LOG_ERROR,



[FFmpeg-cvslog] avcodec/zmbv: Check that the buffer is large enough for mvec

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 15 17:11:12 2017 +0100| [1c9af4d7a888eca8eb7908e21cea557607f8c56b] | 
committer: Michael Niedermayer

avcodec/zmbv: Check that the buffer is large enough for mvec

Fixes: Timeout
Fixes: 4143/clusterfuzz-testcase-4736864637419520

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c9af4d7a888eca8eb7908e21cea557607f8c56b
---

 libavcodec/zmbv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index b09dc41ebd..f91d2e3931 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 } else {
 frame->key_frame = 0;
 frame->pict_type = AV_PICTURE_TYPE_P;
+if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * 
((c->height + c->bh - 1) / c->bh))
+return AVERROR_INVALIDDATA;
 if (c->decomp_len)
 c->decode_xor(c);
 }
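Review bot: The added size check divides by `c->bw` and `c->bh`, and nothing in this hunk shows them to be non-zero on the inter-frame path. If they are only set from a key-frame header, confirm that a non-key frame cannot reach this line first, or guard with `if (!c->bw || !c->bh) return AVERROR_INVALIDDATA;`. The factor 2 is also unexplained; judging by the commit title it is the per-block motion-vector size, which a comment such as `/* 2 bytes of motion vector per block */` would record. decode_frame starts and ends outside the hunk.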



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Nov 25 03:15:16 2017 +0100| [7bc064d461659553f7785d5b7d72a1518fc2aae3] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*

Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be 
represented in type 'int'
Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7bc064d461659553f7785d5b7d72a1518fc2aae3
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index f9a9e9e1b3..eb5aebc878 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b0 + b1)
 
 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-(b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
+((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
 
 #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-(b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 
25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
+((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 
25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
 (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
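Review bot: The new cast is written `(unsigned)b4` in both COMPOSE_FIDELITYiL0 and COMPOSE_FIDELITYiH0, so it binds only to the first operand if a caller ever passes an expression such as `x + y`; `(unsigned)(b4)` is the safe macro form. Both macros now also yield an unsigned value, so the result depends on the caller storing it back into a signed coefficient. A one-line comment saying that the unsigned arithmetic is deliberate (wrap-around instead of signed overflow) would stop it being reverted in a later clean-up. The other macro arguments on these lines are unparenthesized in the same way, which predates this change.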



[FFmpeg-cvslog] avcodec/snowdec: Check for remaining bitstream in decode_blocks()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 15 21:17:16 2017 +0100| [01439fe1e139b42fa218688c3a6be398bc809294] | 
committer: Michael Niedermayer

avcodec/snowdec: Check for remaining bitstream in decode_blocks()

Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01439fe1e139b42fa218688c3a6be398bc809294
---

 libavcodec/snowdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index af92cb0070..df425b8cf3 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){
 
 for(y=0; yc.bytestream >= s->c.bytestream_end)
+return AVERROR_INVALIDDATA;
 if ((res = decode_q_branch(s, 0, x, y)) < 0)
 return res;
 }



[FFmpeg-cvslog] Close ogg stream upon error when using AV_EF_EXPLODE.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Mon Nov 
20 12:07:57 2017 -0800| [2de4eb6fec18808f08f0ea8a5f8940eb842662c1] | committer: 
Michael Niedermayer

Close ogg stream upon error when using AV_EF_EXPLODE.

Without this there can be multiple memory leaks for unrecognized
ogg streams.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2de4eb6fec18808f08f0ea8a5f8940eb842662c1
---

 libavformat/oggdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 97ad1a27d1..193a286e43 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -719,8 +719,10 @@ static int ogg_read_header(AVFormatContext *s)
"Headers mismatch for stream %d: "
"expected %d received %d.\n",
i, os->codec->nb_header, os->nb_header);
-if (s->error_recognition & AV_EF_EXPLODE)
+if (s->error_recognition & AV_EF_EXPLODE) {
+ogg_read_close(s);
 return AVERROR_INVALIDDATA;
+}
 }
 if (os->start_granule != OGG_NOGRANULE_VALUE)
 os->lastpts = s->streams[i]->start_time =
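Review bot: `ogg_read_close(s)` is now called on this one error return, so it is worth confirming that nothing on the caller's failure path closes the demuxer a second time. If that can happen, ogg_read_close() has to leave every freed pointer NULL. The commit message speaks of multiple leaks, and other early returns of ogg_read_header are outside the hunk, so they may need the same cleanup; a single shared exit label would keep them consistent. The function starts and ends outside the hunk.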



[FFmpeg-cvslog] avformat/utils: Prevent undefined shift with wrap_bits > 64.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Fri Nov 
17 13:35:56 2017 -0800| [85ea121684a7b128c39373845506e6016daa60cc] | committer: 
Michael Niedermayer

avformat/utils: Prevent undefined shift with wrap_bits > 64.

2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the
code to use a uint64_t (2ULL) and add an av_assert2() to
ensure wrap_bits <= 64.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=85ea121684a7b128c39373845506e6016daa60cc
---

 libavformat/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 5200c7d2e7..2c622d2c56 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1732,13 +1732,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt)
 
 if (next_pkt->dts != AV_NOPTS_VALUE) {
 int wrap_bits = 
s->streams[next_pkt->stream_index]->pts_wrap_bits;
+av_assert2(wrap_bits <= 64);
 // last dts seen for this stream. if any of packets following
 // current one had no dts, we will set this to AV_NOPTS_VALUE.
 int64_t last_dts = next_pkt->dts;
 while (pktl && next_pkt->pts == AV_NOPTS_VALUE) {
 if (pktl->pkt.stream_index == next_pkt->stream_index &&
-(av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << 
(wrap_bits - 1)) < 0)) {
-if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL 
<< (wrap_bits - 1))) {
+av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << 
(wrap_bits - 1)) < 0) {
+if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL 
<< (wrap_bits - 1))) {
 // not B-frame
 next_pkt->pts = pktl->pkt.dts;
 }
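Review bot: `av_assert2(wrap_bits <= 64)` is only compiled in at assert level 2 and above, so in a normal build it does not stop an out-of-range `pts_wrap_bits` from reaching the shift. It also leaves the lower bound open: `wrap_bits <= 0` makes `wrap_bits - 1` a negative shift count, which is undefined as well. If the value can be set by a demuxer from file contents, a runtime range check is safer than an assertion; at minimum the assert could read `av_assert2(wrap_bits > 0 && wrap_bits <= 64);`. The assert also sits between the declarations of `wrap_bits` and `last_dts`, mixing statements and declarations; moving it below `int64_t last_dts = next_pkt->dts;` avoids that. av_read_frame starts and ends outside the hunk.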



[FFmpeg-cvslog] avcodec/mpeg4videodec: Check also for negative versions in the validity check

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Nov 21 03:15:53 2017 +0100| [70dc266342ee2972b31f0eda5905ec8ebf3b2584] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Check also for negative versions in the validity check

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=70dc266342ee2972b31f0eda5905ec8ebf3b2584
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 5ae724bed1..8eafc783b8 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2150,7 +2150,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 if (e != 4) {
 e = sscanf(buf, "Lavc%d.%d.%d", , , ) + 1;
 if (e > 1) {
-if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) {
+if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) {
 av_log(s->avctx, AV_LOG_WARNING,
  "Unknown Lavc version string encountered, %d.%d.%d; "
  "clamping sub-version values to 8-bits.\n",
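Review bot: The change from `0xFF` to `0xFFU` rejects negative versions only through the implicit conversion of `ver`, `ver2` and `ver3` to unsigned, which is easy to miss and easy to undo in a later clean-up. Either spell the range out, `if (ver < 0 || ver > 0xFF || ver2 < 0 || ...)`, or add a comment such as `/* unsigned compare: also catches negative values */`. The values are parsed with `sscanf` from `buf`, presumably bitstream user data, so this test and the clamping announced in the log message are what bound them. decode_user_data starts and ends outside the hunk.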



[FFmpeg-cvslog] avcodec/mlpdsp: Fix signed integer overflow, 2nd try

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Nov 20 18:45:45 2017 +0100| [cead6c94c502a90f1318ddc47885bfaa407068dd] | 
committer: Michael Niedermayer

avcodec/mlpdsp: Fix signed integer overflow, 2nd try

The outputted bits should match what is used in the lossless check

Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be 
represented in type 'int'
Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cead6c94c502a90f1318ddc47885bfaa407068dd
---

 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index 4e3a16c781..32a4503b64 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
   (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xff) << mat_ch;
 if (is32)
-*data_32++ = sample * 256;
+*data_32++ = sample * 256U;
 else
 *data_16++ = sample >> 8;
 }
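Review bot: `sample * 256U` carries no comment, so nothing in the code says why the multiplication is unsigned; the product is then converted to the element type of `data_32` on the store. A comment such as `/* unsigned multiply: wraps instead of overflowing, same bits as used in the lossless check */` would record the intent given in the commit message. ff_mlp_pack_output starts and ends outside the hunk.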



[FFmpeg-cvslog] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Wed Nov 
22 10:58:39 2017 -0800| [9bc2f44c27a315e783a10ca59396c93f568982c0] | committer: 
Michael Niedermayer

avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9bc2f44c27a315e783a10ca59396c93f568982c0
---

 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 399020eec5..f710c23450 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -91,7 +91,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, 
unsigned num)
 exit_at_level[i] = 0;
 // construct code (append 0s to end) and introduce new exits
 for (j = i + 1 ;j <= bits[p]; ++j)
-exit_at_level[j] = code + (1 << (j - 1));
+exit_at_level[j] = code + (1u << (j - 1));
 codes[p] = code;
 }
 



[FFmpeg-cvslog] avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing

2017-12-30 Thread Nikolas Bowe
ffmpeg | branch: release/3.3 | Nikolas Bowe  | 
Tue Dec  5 15:11:26 2017 -0800| [01ab4117dc034e3407d16da0439861bd0d9ec039] | 
committer: Michael Niedermayer

avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5a412a5c3cc216ae1d15e6b884bda7214b73a5b0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01ab4117dc034e3407d16da0439861bd0d9ec039
---

 libavcodec/extract_extradata_bsf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/extract_extradata_bsf.c 
b/libavcodec/extract_extradata_bsf.c
index ed6509c681..d40907a675 100644
--- a/libavcodec/extract_extradata_bsf.c
+++ b/libavcodec/extract_extradata_bsf.c
@@ -78,7 +78,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, 
AVPacket *pkt,
 ret = ff_h2645_packet_split(_pkt, pkt->data, pkt->size,
 ctx, 0, 0, ctx->par_in->codec_id, 1);
 if (ret < 0)
-return ret;
+goto fail;
 
 for (i = 0; i < h2645_pkt.nb_nals; i++) {
 H2645NAL *nal = _pkt.nals[i];
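Review bot: The `fail` label this now jumps to is outside the hunk, so the cleanup it performs on `h2645_pkt` has to be safe when `ff_h2645_packet_split()` itself failed part-way. Please confirm that the uninit routine tolerates a partially filled packet, and that `ret` still holds the error code when control reaches the return after the label. extract_extradata_h2645 starts and ends outside the hunk.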



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Nov 30 21:27:37 2017 +0100| [c8bbddf057e6f26df1f45bad15d1a339ad9289e6] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

Fixes: runtime error: left shift of negative value -127
Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c8bbddf057e6f26df1f45bad15d1a339ad9289e6
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 46a0da2045..0623cfad89 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1355,7 +1355,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * 
wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
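Review bot: Nothing marks `(ox0 + ox1 + 1) * (1 << log2Wd)` as deliberate, so a later clean-up could turn the multiplication back into the left shift of a possibly negative value that this commit removes. A short comment, e.g. `/* multiply, not shift: the offset sum can be negative */`, would prevent that. The same applies to the identical change in put_hevc_epel_bi_w_v in the later commit on this page. Both functions start and end outside their hunks.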



[FFmpeg-cvslog] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 22 20:14:54 2017 +0100| [d5bdcd8a2702623af06a0db76a7f7f68f08c457b] | 
committer: Michael Niedermayer

avcodec/kgv1dec: Check that there is enough input for maximum RLE compression

Fixes: Timeout
Fixes: 4271/clusterfuzz-testcase-4676667768307712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5bdcd8a2702623af06a0db76a7f7f68f08c457b
---

 libavcodec/kgv1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
index 5359411c76..a6bd9400ac 100644
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 h = (buf[1] + 1) * 8;
 buf += 2;
 
+if (avpkt->size < 2 + w*h / 513)
+return AVERROR_INVALIDDATA;
+
 if (w != avctx->width || h != avctx->height) {
 av_freep(>frame_buffer);
 av_freep(>last_frame_buffer);
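Review bot: The constant `513` in `avpkt->size < 2 + w*h / 513` is unexplained. The commit title ties it to the best case of the RLE coding, and a named constant or a comment stating which run length it comes from would let a reader verify the bound. The check also comes after `buf[1]` has been read and `buf` advanced by 2, so it relies on an earlier packet-size test that is not visible in this hunk. decode_frame starts and ends outside the hunk.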



[FFmpeg-cvslog] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

2017-12-30 Thread Dale Curtis
ffmpeg | branch: release/3.3 | Dale Curtis  | Thu Nov 
30 12:20:36 2017 -0800| [39db2f95145f6b13f77acd05bd684a7f81ccad1b] | committer: 
Michael Niedermayer

avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

Didn't notice this one when 9648cc6d was landed.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39db2f95145f6b13f77acd05bd684a7f81ccad1b
---

 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index f710c23450..aabd9bbd19 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, 
unsigned num)
 if (bits[p] > 32)
 return AVERROR_INVALIDDATA;
 for (i = 0; i < bits[p]; ++i)
-exit_at_level[i+1] = 1 << i;
+exit_at_level[i+1] = 1u << i;
 
 ++p;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in voice_factor()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Dec  7 15:32:54 2017 +0100| [3d297038a9ab1f518890491765a4771221a7b0cb] | 
committer: Michael Niedermayer

avcodec/amrwbdec: Fix division by 0 in voice_factor()

The added value matches "Digital cellular telecommunications system (Phase 2+) 
(GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended 
Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code 
(3GPP TS 26.304 version 14.0.0 Release 14)
Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C 
code"

Fixes: runtime error: division by zero
Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d297038a9ab1f518890491765a4771221a7b0cb
---

 libavcodec/amrwbdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
index 57aed874cc..7f2874d35f 100644
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain,
   AMRWB_SFR_SIZE) *
 f_gain * f_gain;
 
-return (p_ener - f_ener) / (p_ener + f_ener);
+return (p_ener - f_ener) / (p_ener + f_ener + 0.01);
 }
 
 /**
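Review bot: `0.01` is a double literal, so the denominator and the division are now evaluated in double and rounded back to float on return. `0.01f` keeps the arithmetic in single precision, assuming `p_ener` and `f_ener` are floats (their declarations are outside the hunk): `return (p_ener - f_ener) / (p_ener + f_ener + 0.01f);`. The bias also changes the result for every input, not only the zero-energy case, which deserves a comment pointing to the reference code named in the commit message.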



[FFmpeg-cvslog] avfilter/formats: fix wrong function name in error message

2017-12-30 Thread Jun Zhao
ffmpeg | branch: release/3.3 | Jun Zhao  | Mon Dec  4 
12:50:34 2017 +0800| [603845225cb3214d6107b22a8f884559c4b7ea9d] | committer: 
Michael Niedermayer

avfilter/formats: fix wrong function name in error message

Use the predefined macro __FUNCTION__ rather than hard-coding the function name,
to fix the wrong function name in the error message.

Signed-off-by: Jun Zhao 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=603845225cb3214d6107b22a8f884559c4b7ea9d
---

 libavfilter/formats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/formats.c b/libavfilter/formats.c
index d4de862237..20a2c89719 100644
--- a/libavfilter/formats.c
+++ b/libavfilter/formats.c
@@ -72,7 +72,7 @@ do {
 for (j = 0; j < b->nb; j++)
 \
 if (a->fmts[i] == b->fmts[j]) {
 \
 if(k >= FFMIN(a->nb, b->nb)){  
 \
-av_log(NULL, AV_LOG_ERROR, "Duplicate formats in 
avfilter_merge_formats() detected\n"); \
+av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s 
detected\n", __FUNCTION__); \
 av_free(ret->fmts);
 \
 av_free(ret);  
 \
 return NULL;   
 \
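Review bot: `__FUNCTION__` is a compiler extension; the standard C99 spelling is `__func__`, which yields the same string here: `"Duplicate formats in %s detected\n", __func__`. Because this line is part of a macro body, the name printed is that of whichever function expands the macro. That is the point of the change and is worth a word in a comment above the macro, whose start is outside the hunk.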



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Nov 17 22:01:29 2017 +0100| [fa29141e34c99763f091435f74c81d4fbb718fad] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()

Fixes: runtime error: left shift of negative value -255
Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa29141e34c99763f091435f74c81d4fbb718fad
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index e09c661759..46a0da2045 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1407,7 +1407,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH 
- 8)) * wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Nov 14 03:40:07 2017 +0100| [78a0356fae83e4b7624e11032663aaef45038d3b] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()

Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760
Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be 
represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78a0356fae83e4b7624e11032663aaef45038d3b
---

 libavcodec/dirac_dwt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 35ed8857e9..f9a9e9e1b3 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
 
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-(b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
 
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
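Review bot: Only the inner sum of COMPOSE_DD137iL0 is made unsigned. If the operands are `int`, the outer `b2 - (...)` is still a signed subtraction that can overflow for extreme coefficient values, and the leading `-b0` is still negated as a signed value before the conversion. Casting the minuend as well, `((unsigned)(b2) - ((int)(...) >> 5))`, would close the first gap, and writing the sum as `9U*b1 + 9U*b3 - b0 - b4 + 16` would close the second. A comment noting that the unsigned arithmetic is deliberate would keep both in place.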



[FFmpeg-cvslog] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 15 03:38:37 2017 +0100| [f4e25620a1fc815eceafebf6d3c8a52351b2049b] | 
committer: Michael Niedermayer

avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()

Fixes: runtime error: left shift of negative value -7862264
Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4e25620a1fc815eceafebf6d3c8a52351b2049b
---

 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index fbafa92d72..4e3a16c781 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
   (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xff) << mat_ch;
 if (is32)
-*data_32++ = sample << 8;
+*data_32++ = sample * 256;
 else
 *data_16++ = sample >> 8;
 }



[FFmpeg-cvslog] avcodec/vc2enc: Clear coef_buf on allocation

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 15 16:53:34 2017 +0100| [066c65737682817611ad2f30a4895acb5f47629b] | 
committer: Michael Niedermayer

avcodec/vc2enc: Clear coef_buf on allocation

Fixes: Use of uninitialized memory
Fixes: assertion failure

Reviewed-by: 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=066c65737682817611ad2f30a4895acb5f47629b
---

 libavcodec/vc2enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c
index 745c6e974d..3dbdf57a12 100644
--- a/libavcodec/vc2enc.c
+++ b/libavcodec/vc2enc.c
@@ -1171,7 +1171,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx)
 p->dwt_width  = w = FFALIGN(p->width,  (1 << s->wavelet_depth));
 p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth));
 p->coef_stride = FFALIGN(p->dwt_width, 32);
-p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
+p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
 if (!p->coef_buf)
 goto alloc_fail;
 for (level = s->wavelet_depth-1; level >= 0; level--) {
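Review bot: The size passed to `av_mallocz()` is still multiplied out by hand as `p->coef_stride*p->dwt_height*sizeof(dwtcoef)`. If `coef_stride` and `dwt_height` are `int` (their declarations are outside the hunk), the first product is computed in `int` before it is widened. An overflow-checked allocation avoids relying on the dimensions being small: `p->coef_buf = av_mallocz_array(p->coef_stride * (size_t)p->dwt_height, sizeof(dwtcoef));`. vc2_encode_init starts and ends outside the hunk.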



[FFmpeg-cvslog] avcodec/h264dec: Fix potential array overread

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Oct 21 18:04:44 2017 +0200| [aac7ca7a36da5d1dfdd2aec3f52417ead783eaed] | 
committer: Michael Niedermayer

avcodec/h264dec: Fix potential array overread

add padding before scantable arrays

See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aac7ca7a36da5d1dfdd2aec3f52417ead783eaed
---

 libavcodec/h264dec.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h
index e994f7e7fe..af3d98bb32 100644
--- a/libavcodec/h264dec.h
+++ b/libavcodec/h264dec.h
@@ -415,6 +415,7 @@ typedef struct H264Context {
 uint8_t (*mvd_table[2])[2];
 uint8_t *direct_table;
 
+uint8_t scan_padding[16];
 uint8_t zigzag_scan[16];
 uint8_t zigzag_scan8x8[64];
 uint8_t zigzag_scan8x8_cavlc[64];
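Review bot: `scan_padding` has no comment, and a field that no code refers to by name looks unused and is likely to be removed or moved in a later clean-up. A comment such as `/* padding: the scan tables below may be read at a small negative offset; must stay directly in front of zigzag_scan */` would record why it exists, if that is indeed the access pattern the referenced commit describes. The protection also depends on field order, so the comment should say that the tables must remain directly after it. The struct starts and ends outside the hunk.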



[FFmpeg-cvslog] avcodec/snowdec: Check intra block dc differences.

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Nov 15 21:17:15 2017 +0100| [488c2e8487e5dae6ddb27e2b75d0a9eb4155ea34] | 
committer: Michael Niedermayer

avcodec/snowdec: Check intra block dc differences.

Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=488c2e8487e5dae6ddb27e2b75d0a9eb4155ea34
---

 libavcodec/snowdec.c | 17 +
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 2b92ed3de0..af92cb0070 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int 
x, int y){
 int my_context= av_log2(2*FFABS(left->my - top->my)) + 
0*av_log2(2*FFABS(tr->my - top->my));
 
 type= get_rac(>c, >block_state[1 + left->type + top->type]) ? 
BLOCK_INTRA : 0;
-
 if(type){
+int ld, cbd, crd;
 pred_mv(s, , , 0, left, top, tr);
-l += get_symbol(>c, >block_state[32], 1);
+ld = get_symbol(>c, >block_state[32], 1);
+if (ld < -255 || ld > 255) {
+return AVERROR_INVALIDDATA;
+}
+l += ld;
 if (s->nb_planes > 2) {
-cb+= get_symbol(>c, >block_state[64], 1);
-cr+= get_symbol(>c, >block_state[96], 1);
+cbd = get_symbol(>c, >block_state[64], 1);
+crd = get_symbol(>c, >block_state[96], 1);
+if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) {
+return AVERROR_INVALIDDATA;
+}
+cb += cbd;
+cr += crd;
 }
 }else{
 if(s->ref_frames > 1)
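Review bot: The new checks bound the decoded differences `ld`, `cbd` and `crd` to ±255 but not the sums `l += ld`, `cb += cbd` and `cr += crd`. Those sums can still leave the range of a sample value unless they are clamped later, outside this hunk. The limit 255 also appears six times as a bare number, so a named constant or a one-line comment saying what it represents would make the intent checkable. decode_q_branch starts and ends outside the hunk.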



[FFmpeg-cvslog] avcodec/j2kenc: Fix out of array access in encode_cblk()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Nov 30 23:42:04 2017 +0100| [79ec6381151c0db5619555cc2d75988d8f8805f6] | 
committer: Michael Niedermayer

avcodec/j2kenc: Fix out of array access in encode_cblk()

Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0674087004538599797688785f6ac82358abc23b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79ec6381151c0db5619555cc2d75988d8f8805f6
---

 libavcodec/j2kenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c
index c8d3861732..baaf47422c 100644
--- a/libavcodec/j2kenc.c
+++ b/libavcodec/j2kenc.c
@@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, 
Jpeg2000T1Context *t1, Jpeg20
 cblk->npasses = passno;
 cblk->ninclpasses = passno;
 
-cblk->passes[passno-1].rate = ff_mqc_flush_to(>mqc, 
cblk->passes[passno-1].flushed, >passes[passno-1].flushed_len);
+if (passno)
+cblk->passes[passno-1].rate = ff_mqc_flush_to(>mqc, 
cblk->passes[passno-1].flushed, >passes[passno-1].flushed_len);
 }
 
 /* tier-2 routines: */
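Review bot: With `passno == 0` the function now finishes having set `cblk->npasses` and `cblk->ninclpasses` to 0 without flushing the MQ coder. Any later code that indexes `cblk->passes[cblk->ninclpasses-1]` or `cblk->passes[cblk->npasses-1]` would then hit the same out-of-range index this commit guards here; those readers are outside the hunk and should be checked. A comment on the guard, e.g. `/* no coding passes: nothing to flush */`, would also help. encode_cblk starts outside the hunk.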



[FFmpeg-cvslog] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 15 17:50:12 2017 +0100| [bdba0f6786d57356c2ead515338fb44754aa91c4] | 
committer: Michael Niedermayer

avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 
'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bdba0f6786d57356c2ead515338fb44754aa91c4
---

 libavcodec/hevc_sei.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index d4a82fd456..31813aae2c 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s)
 av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n");
 
 while (byte == 0xFF) {
+if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
+return AVERROR_INVALIDDATA;
 byte  = get_bits(gb, 8);
 payload_type += byte;
 }
 byte = 0xFF;
 while (byte == 0xFF) {
+if (get_bits_left(gb) < 8 + 8LL*payload_size)
+return AVERROR_INVALIDDATA;
 byte  = get_bits(gb, 8);
 payload_size += byte;
 }
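Review bot: The second loop's new guard compares `get_bits_left(gb)` with the size accumulated before the next byte is read, so the value of `payload_size` after the final `payload_size += byte` is not itself checked in this hunk. The code that consumes the payload is below the hunk; it is worth confirming that it re-checks the final value, for example with `if (get_bits_left(gb) < 8LL * payload_size) return AVERROR_INVALIDDATA;` after the loop. The two loops also bound their accumulators differently (an explicit `INT_MAX - 255` for the type, the remaining bitstream length for the size), and a one-line comment on each guard would record why.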



[FFmpeg-cvslog] Update for 3.3.6

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Dec 30 21:13:19 2017 +0100| [54897d74663f2b3e440c200657718bab3273dc37] | 
committer: Michael Niedermayer

Update for 3.3.6

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54897d74663f2b3e440c200657718bab3273dc37
---

 Changelog| 63 
 RELEASE  |  2 +-
 doc/Doxyfile |  2 +-
 3 files changed, 65 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 1c3a366dc5..4564611d77 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,69 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.3.6:
+- avcodec/exr: Check buf_size more completely
+- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
+- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and 
put_hevc_qpel_bi_w_w()
+- avcodec/flacdec: avoid undefined shift
+- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and 
COMPOSE_DD137iL0()
+- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
+- tests/audiomatch: Add missing return code at the end of main()
+- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
+- libavfilter/af_dcshift.c: Fixed repeated spelling error
+- avfilter/formats: fix wrong function name in error message
+- avcodec/amrwbdec: Fix division by 0 in voice_factor()
+- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
+- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
+- avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing
+- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
+- Don't manipulate duration when it's AV_NOPTS_VALUE.
+- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
+- avformat/utils: Prevent undefined shift with wrap_bits > 64.
+- avcodec/j2kenc: Fix out of array access in encode_cblk()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
+- avcodec/mlpdsp: Fix signed integer overflow, 2nd try
+- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
+- avcodec/mpeg4videodec: Check also for negative versions in the validity check
+- Close ogg stream upon error when using AV_EF_EXPLODE.
+- Fix undefined shift on assumed 8-bit input.
+- Use ff_thread_once for fixed, float table init.
+- Fix leak of frame_duration_buffer in mov_fix_index().
+- avformat/mov: Propagate errors in mov_switch_root.
+- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
+- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
+- avcodec/zmbv: Check that the buffer is large enough for mvec
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
+- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and 
ff_wmv2_decode_mb()
+- avcodec/snowdec: Check for remaining bitstream in decode_blocks()
+- avcodec/snowdec: Check intra block dc differences.
+- avformat/mov: Check size of STSC allocation
+- avcodec/vc2enc: Clear coef_buf on allocation
+- avcodec/h264dec: Fix potential array overread
+- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
+- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
+- avcodec/aacdec_fixed: Fix undefined shift
+- avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
+- avcodec/snowdec: Fix integer overflow in header parsing
+- avcodec/cngdec: Fix integer clipping
+- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
+- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
+- avutil/softfloat: Add FLOAT_MIN
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Check for bitstream end in xan_huffman_decode()
+- avcodec/exr: fix undefined shift in pxr24_uncompress()
+- avformat: Free the internal codec context at the end
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Improve overlapping check
+- avcodec/aacdec_fixed: Fix integer overflow in 
apply_dependent_coupling_fixed()
+- avcodec/aacdec_fixed: Fix integer overflow in predict()
+- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
+- avcodec/jpeglsdec: Check ilv for being a supported value
+- lavfi/af_pan: fix sign handling in channel coefficient parser
+- vc2enc_dwt: pad the temporary buffer by the slice siz
 
 version 3.3.5:
 - ffserver: Fix off by 1 error in path
diff --git a/RELEASE b/RELEASE
index fa7adc7ac7..9c25013dbb 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.3.5
+3.3.6
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 3a239ea70d..4f2b3dc57f 100644

[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 29 03:00:19 2017 +0100| [f2b83f4aba2b9e248fb62cdfffb0842332b0e068] | 
committer: Michael Niedermayer

avcodec/exr: Check buf_size more completely

Fixes: Out of heap array read
Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2b83f4aba2b9e248fb62cdfffb0842332b0e068
---

 libavcodec/exr.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b4063f8fa4..7fa17ca887 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 line_offset = AV_RL64(s->gb.buffer + jobnr * 8);
 
 if (s->is_tile) {
-if (line_offset > buf_size - 20)
+if (buf_size < 20 || line_offset > buf_size - 20)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 20;
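Review bot: The tile header size `20` (and the scanline header size `8` in the third and fourth hunks) now appears as a bare literal in three places each: the offset check, the `src` computation and the new `data_size` bound. These must stay in step for the bounds to hold, so a named constant (for instance `EXR_TILE_HEADER_SIZE`, name illustrative) would be safer than repeating the number. The new bound `buf_size - line_offset - 20` in the second hunk also cannot go negative or wrap only because the check in this hunk has already passed; a comment such as `/* line_offset + 20 <= buf_size was checked above */` next to it would keep a later reordering from breaking that. The declared types of `buf_size`, `line_offset` and `data_size` are outside the hunks, as are the start and end of decode_block.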
@@ -1073,7 +1073,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 tileLevelY = AV_RL32(src - 8);
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 20)
 return AVERROR_INVALIDDATA;
 
 if (tileLevelX || tileLevelY) { /* tile level, is not the full res 
level */
@@ -1106,7 +1106,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 td->channel_line_size = td->xsize * s->current_channel_offset;/* 
uncompress size of one line */
 uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* 
uncompress size of the block */
 } else {
-if (line_offset > buf_size - 8)
+if (buf_size < 8 || line_offset > buf_size - 8)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 8;
@@ -1116,7 +1116,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 return AVERROR_INVALIDDATA;
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 8)
 return AVERROR_INVALIDDATA;
 
 td->ysize  = FFMIN(s->scan_lines_per_block, s->ymax - line + 
1); /* s->ydelta - line ?? */



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Dec 26 23:24:45 2017 +0100| [2cde8dc055c0ffbd27e10f095598873328a21a72] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and 
put_hevc_qpel_bi_w_w()

Fixes: left shift of negative value -1
Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cde8dc055c0ffbd27e10f095598873328a21a72
---

 libavcodec/hevcdsp_template.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 903aa3fe95..56cd9e605d 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -915,7 +915,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * 
wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
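Review bot: The replacement of `<< log2Wd` by `* (1 << log2Wd)` in put_hevc_qpel_bi_w_h removes the left shift of a negative value, but nothing at the expression says why a multiplication is used, so a later cleanup could turn it back into a shift. A comment such as `/* multiply instead of shift: ox0 + ox1 + 1 may be negative */` above the statement would prevent that. The product is still signed `int` arithmetic, so it relies on the offsets and `log2Wd` being small enough not to overflow; their ranges are set outside the hunk. The same applies to the second hunk (put_hevc_qpel_bi_w_v) and to the put_hevc_qpel_bi_w_hv change in a separate commit on this page.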
@@ -970,7 +970,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH 
- 8)) * wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 22 03:06:14 2017 +0100| [1d9830cba30dfa1ff44f5227763e9d5257841854] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and 
COMPOSE_DD137iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be 
represented in type 'int'
Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d9830cba30dfa1ff44f5227763e9d5257841854
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 50c8b1e394..f9828d95a4 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
-(b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
+(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
 
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
+(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
 
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
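Review bot: In both rewritten macros only `b2` is parenthesised; `b0`, `b1`, `b3` and `b4` are still pasted bare into `-b0 + 9U*b1 + 9U*b3 - b4`, so an argument that is itself an expression (for example `a + b`) would be negated or multiplied only in part. Writing `(int)(((unsigned)(b2) + ((int)(-(b0) + 9U*(b1) + 9U*(b3) - (b4) + 8) >> 4)))`, and the same for COMPOSE_DD137iL0, closes that. The context macro COMPOSE_HAARiL0 below still does its subtraction in signed `int`; whether its inputs can reach the overflow range is not visible here.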



[FFmpeg-cvslog] libavfilter/af_dcshift.c: Fixed repeated spelling error

2017-12-30 Thread Kelly Ledford
ffmpeg | branch: release/3.3 | Kelly Ledford  | Tue 
Dec 12 11:31:23 2017 -0800| [b7c9f27ad6e8e3bb8693548da6901af20e128b0e] | 
committer: Michael Niedermayer

libavfilter/af_dcshift.c: Fixed repeated spelling error

'threshhold' should be 'threshold'

Signed-off-by: Kelly Ledford 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7c9f27ad6e8e3bb8693548da6901af20e128b0e
---

 libavfilter/af_dcshift.c | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c
index 7332c12b19..5dbe40824c 100644
--- a/libavfilter/af_dcshift.c
+++ b/libavfilter/af_dcshift.c
@@ -28,7 +28,7 @@
 typedef struct DCShiftContext {
 const AVClass *class;
 double dcshift;
-double limiterthreshhold;
+double limiterthreshold;
 double limitergain;
 } DCShiftContext;
 
@@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx)
 {
 DCShiftContext *s = ctx->priv;
 
-s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - 
s->limitergain));
+s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - 
s->limitergain));
 
 return 0;
 }
@@ -106,14 +106,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 
 d = src[j];
 
-if (d > s->limiterthreshhold && dcshift > 0) {
-d = (d - s->limiterthreshhold) * s->limitergain /
- (INT32_MAX - s->limiterthreshhold) +
- s->limiterthreshhold + dcshift;
-} else if (d < -s->limiterthreshhold && dcshift < 0) {
-d = (d + s->limiterthreshhold) * s->limitergain /
- (INT32_MAX - s->limiterthreshhold) -
- s->limiterthreshhold + dcshift;
+if (d > s->limiterthreshold && dcshift > 0) {
+d = (d - s->limiterthreshold) * s->limitergain /
+ (INT32_MAX - s->limiterthreshold) +
+ s->limiterthreshold + dcshift;
+} else if (d < -s->limiterthreshold && dcshift < 0) {
+d = (d + s->limiterthreshold) * s->limitergain /
+ (INT32_MAX - s->limiterthreshold) -
+ s->limiterthreshold + dcshift;
 } else {
 d = dcshift * INT32_MAX + d;
 }



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 15 13:06:30 2017 +0100| [badca11741ea9bd0b4aa1b3af69f38754d4c69e0] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()

Fixes: runtime error: left shift of negative value -3
Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=badca11741ea9bd0b4aa1b3af69f38754d4c69e0
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 0623cfad89..4017af8eb0 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1051,7 +1051,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, 
ptrdiff_t _dststride, uin
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 
+ src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 tmp  += MAX_PB_SIZE;
 dst  += dststride;
 src2 += MAX_PB_SIZE;



[FFmpeg-cvslog] avcodec/flacdec: avoid undefined shift

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Dec 26 23:24:43 2017 +0100| [0da741ba6b30799d282554a8cec1b4b2859cc8b4] | 
committer: Michael Niedermayer

avcodec/flacdec: avoid undefined shift

Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0da741ba6b30799d282554a8cec1b4b2859cc8b4
---

 libavcodec/flacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 581c73efc8..5bbb8ee5b9 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int 
channel)
 return AVERROR_INVALIDDATA;
 }
 
-if (wasted) {
+if (wasted && wasted < 32) {
 int i;
 for (i = 0; i < s->blocksize; i++)
 decoded[i] = (unsigned)decoded[i] << wasted;
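Review bot: With `if (wasted && wasted < 32)`, a `wasted` value of 32 or more now skips the shift silently and decoding carries on with unshifted samples. If such a value cannot occur in a valid stream (this depends on how `wasted` is derived above the hunk), rejecting it is clearer than ignoring it: `if (wasted >= 32) return AVERROR_INVALIDDATA;` before the existing `if (wasted)`, matching the error return in the context line above. If it is meant to be tolerated, a comment saying so would help. decode_subframe starts and ends outside the hunk.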



[FFmpeg-cvslog] tests/audiomatch: Add missing return code at the end of main()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Dec 19 21:05:40 2017 +0100| [7a5c73896394c3f53371b7c91f0da99dbf0c2ae2] | 
committer: Michael Niedermayer

tests/audiomatch: Add missing return code at the end of main()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 65da5c56e661a839e017db4c51c73d6f3d8a8fcb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a5c73896394c3f53371b7c91f0da99dbf0c2ae2
---

 tests/audiomatch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/audiomatch.c b/tests/audiomatch.c
index ca56df09b3..9671789a37 100644
--- a/tests/audiomatch.c
+++ b/tests/audiomatch.c
@@ -107,4 +107,6 @@ int main(int argc, char **argv){
 }
 }
 printf("presig: %d postsig:%d c:%7.4f lenerr:%d\n", bestpos, datlen - 
siglen - bestpos, bestc / sigamp, datlen - siglen);
+
+return 0;
 }



[FFmpeg-cvslog] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 15 18:17:13 2017 +0100| [41a706b9125c0c27dda50996723ceade871b0a9a] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()

Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented 
in type 'int'
Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41a706b9125c0c27dda50996723ceade871b0a9a
---

 libavcodec/hevc_cabac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index e27c54ed4b..3c22e30faa 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -635,8 +635,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
 suffix_val += 1 << k;
 k++;
 }
-if (k == CABAC_MAX_BIN)
+if (k == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+return AVERROR_INVALIDDATA;
+}
 
 while (k--)
 suffix_val += get_cabac_bypass(>HEVClc->cc) << k;
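Review bot: With the added `return AVERROR_INVALIDDATA;`, ff_hevc_cu_qp_delta_abs() can now return a negative error code, although its name suggests a non-negative magnitude. The callers are not in this hunk; any that use the result directly as a QP delta need a `< 0` check, and a comment on the function stating that a negative return is an error would document the new contract. The context line `suffix_val += 1 << k;` also depends on CABAC_MAX_BIN being below the width of `int`, and that constant is defined outside the hunk.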



[FFmpeg-cvslog] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)

2017-12-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Dec 22 03:12:03 2017 +0100| [b66e3e321f64a659a534e520c5fad085e8c293f5] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)

Fixes: runtime error: left shift of negative value -180
Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b66e3e321f64a659a534e520c5fad085e8c293f5
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 4017af8eb0..903aa3fe95 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -121,7 +121,7 @@ static void FUNC(dequant)(int16_t *coeffs, int16_t 
log2_size)
 } else {
 for (y = 0; y < size; y++) {
 for (x = 0; x < size; x++) {
-*coeffs = *coeffs << -shift;
+*coeffs = *(uint16_t*)coeffs << -shift;
 coeffs++;
 }
 }
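Review bot: The pointer cast in `*(uint16_t*)coeffs` is used only to reinterpret the value as unsigned; a value cast, `*coeffs = (uint16_t)*coeffs << -shift;`, yields the same bits without casting the pointer. Either way the operand is promoted to `int` before the shift and the result is narrowed back to `int16_t` on the store, so a comment such as `/* shift as unsigned: left-shifting a negative coefficient is undefined */` would record why the cast is there. The range of `-shift` is set outside the hunk, and dequant starts above it.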
