[FFmpeg-cvslog] avformat/http: return EINVAL if ff_http_do_new_request is called with non-http URLContext
ffmpeg | branch: master | Aman Gupta| Fri Dec 29 15:25:14 2017 -0800| [c0b08ef94f037572876448990dca840b85432262] | committer: Aman Gupta avformat/http: return EINVAL if ff_http_do_new_request is called with non-http URLContext Signed-off-by: Aman Gupta > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c0b08ef94f037572876448990dca840b85432262 --- libavformat/http.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index a376f1a488..8f7e56de54 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -311,6 +311,11 @@ int ff_http_do_new_request(URLContext *h, const char *uri) char hostname1[1024], hostname2[1024], proto1[10], proto2[10]; int port1, port2; +if (!h->prot || +!(!strcmp(h->prot->name, "http") || + !strcmp(h->prot->name, "https"))) +return AVERROR(EINVAL); + av_url_split(proto1, sizeof(proto1), NULL, 0, hostname1, sizeof(hostname1), , NULL, 0, s->location); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
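Review bot: The added guard identifies an HTTP context by comparing `h->prot->name` with the literals "http" and "https", so the safety of the later `s->location` read depends on those strings staying in step with the protocol definitions, and nothing in the hunk says so. A one-line comment above the check would record the intent, for example `/* priv_data is only an HTTPContext for the http and https protocols */`. The declaration of `s` and the rest of ff_http_do_new_request lie outside the hunk, so it cannot be confirmed from here that `s` is not dereferenced before the guard runs.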
[FFmpeg-cvslog] opus: merge encoder and decoder bitallocation functions into one
ffmpeg | branch: master | Rostislav Pehlivanov| Sat Dec 30 17:02:54 2017 +| [51027d0b8b2835d4c70c9cb7b2ab5e28d5e3f22f] | committer: Rostislav Pehlivanov opus: merge encoder and decoder bitallocation functions into one There's no difference apart from which entropy coding functions get called. Signed-off-by: Rostislav Pehlivanov > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51027d0b8b2835d4c70c9cb7b2ab5e28d5e3f22f --- libavcodec/opus.c| 348 +++ libavcodec/opus.h| 3 + libavcodec/opus_celt.c | 334 + libavcodec/opusenc.c | 337 + libavcodec/opusenc.h | 2 - libavcodec/opusenc_psy.c | 2 +- 6 files changed, 358 insertions(+), 668 deletions(-) diff --git a/libavcodec/opus.c b/libavcodec/opus.c index 46b749cae6..9cbf4aed92 100644 --- a/libavcodec/opus.c +++ b/libavcodec/opus.c 
@@ -546,3 +546,351 @@ void ff_celt_quant_bands(CeltFrame *f, OpusRangeCoder *rc) update_lowband = (b > band_size << 3); } } + +#define NORMC(bits) ((bits) << (f->channels - 1) << f->size >> 2) + +void ff_celt_bitalloc(CeltFrame *f, OpusRangeCoder *rc, int encode) +{ +int i, j, low, high, total, done, bandbits, remaining, tbits_8ths; +int skip_startband = f->start_band; +int skip_bit= 0; +int intensitystereo_bit = 0; +int dualstereo_bit = 0; +int dynalloc= 6; +int extrabits = 0; + +int boost[CELT_MAX_BANDS] = { 0 }; +int trim_offset[CELT_MAX_BANDS]; +int threshold[CELT_MAX_BANDS]; +int bits1[CELT_MAX_BANDS]; +int bits2[CELT_MAX_BANDS]; + +/* Spread */ +if (opus_rc_tell(rc) + 4 <= f->framebits) +if (encode) +ff_opus_rc_enc_cdf(rc, f->spread, ff_celt_model_spread); +else +f->spread = ff_opus_rc_dec_cdf(rc, ff_celt_model_spread); +else +f->spread = CELT_SPREAD_NORMAL; + +/* Initialize static allocation caps */ +for (i = 0; i < CELT_MAX_BANDS; i++) +f->caps[i] = NORMC((ff_celt_static_caps[f->size][f->channels - 1][i] + 64) * ff_celt_freq_range[i]); + +/* Band boosts */ +tbits_8ths = f->framebits << 3; +for (i = f->start_band; i < f->end_band; i++) { +int quanta = ff_celt_freq_range[i] << (f->channels - 1) << f->size; +int b_dynalloc = dynalloc; +int boost_amount = f->alloc_boost[i]; +quanta = FFMIN(quanta << 3, FFMAX(6 << 3, quanta)); + +while (opus_rc_tell_frac(rc) + (b_dynalloc << 3) < tbits_8ths && boost[i] < f->caps[i]) { +int is_boost; +if (encode) { +is_boost = boost_amount--; +ff_opus_rc_enc_log(rc, is_boost, b_dynalloc); +} else { +is_boost = ff_opus_rc_dec_log(rc, b_dynalloc); +} + +if (!is_boost) +break; + +boost[i] += quanta; +tbits_8ths -= quanta; + +b_dynalloc = 1; +} + +if (boost[i]) +dynalloc = FFMAX(dynalloc - 1, 2); +} + +/* Allocation trim */ +if (opus_rc_tell_frac(rc) + (6 << 3) <= tbits_8ths) +if (encode) +ff_opus_rc_enc_cdf(rc, f->alloc_trim, ff_celt_model_alloc_trim); +else +f->alloc_trim = ff_opus_rc_dec_cdf(rc, ff_celt_model_alloc_trim); + +/* 
Anti-collapse bit reservation */ +tbits_8ths = (f->framebits << 3) - opus_rc_tell_frac(rc) - 1; +f->anticollapse_needed = 0; +if (f->transient && f->size >= 2 && tbits_8ths >= ((f->size + 2) << 3)) +f->anticollapse_needed = 1 << 3; +tbits_8ths -= f->anticollapse_needed; + +/* Band skip bit reservation */ +if (tbits_8ths >= 1 << 3) +skip_bit = 1 << 3; +tbits_8ths -= skip_bit; + +/* Intensity/dual stereo bit reservation */ +if (f->channels == 2) { +intensitystereo_bit = ff_celt_log2_frac[f->end_band - f->start_band]; +if (intensitystereo_bit <= tbits_8ths) { +tbits_8ths -= intensitystereo_bit; +if (tbits_8ths >= 1 << 3) { +dualstereo_bit = 1 << 3; +tbits_8ths -= 1 << 3; +} +} else { +intensitystereo_bit = 0; +} +} + +/* Trim offsets */ +for (i = f->start_band; i < f->end_band; i++) { +int trim = f->alloc_trim - 5 - f->size; +int band = ff_celt_freq_range[i] * (f->end_band - i - 1); +int duration = f->size + 3; +int scale= duration + f->channels - 1; + +/* PVQ minimum allocation threshold, below this value the band is + * skipped */ +threshold[i] = FFMAX(3 * ff_celt_freq_range[i] << duration >> 4, + f->channels << 3); + +trim_offset[i] = trim * (band << scale) >> 6; + +if (ff_celt_freq_range[i]
[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely
ffmpeg | branch: master | Michael Niedermayer| Fri Dec 29 03:00:19 2017 +0100| [903be5e4f66268273dc6e3c42a7fdeaab32066ef] | committer: Michael Niedermayer avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=903be5e4f66268273dc6e3c42a7fdeaab32066ef --- libavcodec/exr.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b1ecde4ebd..454dc74cfb 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1051,7 +1051,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); if (s->is_tile) { -if (line_offset > buf_size - 20) +if (buf_size < 20 || line_offset > buf_size - 20) return AVERROR_INVALIDDATA; src = buf + line_offset + 20; @@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, tile_level_y = AV_RL32(src - 8); data_size = AV_RL32(src - 4); -if (data_size <= 0 || data_size > buf_size) +if (data_size <= 0 || data_size > buf_size - line_offset - 20) return AVERROR_INVALIDDATA; if (tile_level_x || tile_level_y) { /* tile level, is not the full res level */ @@ -1095,7 +1095,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { -if (line_offset > buf_size - 8) +if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; 
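Review bot: The new bound `data_size > buf_size - line_offset - 20` in the second hunk is only correct because the `line_offset > buf_size - 20` test in the first hunk has already returned. `line_offset` is read with AV_RL64, so if it is an unsigned 64-bit variable (its declaration is outside the hunks) the subtraction wraps to a huge value instead of going negative should that ordering ever change. Computing the remaining length once, right after the first check, would make the dependency explicit: `remaining = buf_size - line_offset - 20;` followed by `if (data_size <= 0 || data_size > remaining)`. The scanline branch has the same pair of checks with 8 in place of 20, in the third hunk and in the last hunk of this commit, and the two header sizes would read better as named constants.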
@@ -1105,7 +1105,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); -if (data_size <= 0 || data_size > buf_size) +if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/exr: fix undefined shift in pxr24_uncompress()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Nov 4 01:19:19 2017 +0100| [4a47195d2a88113877d28ffac5917491bb501883] | committer: Michael Niedermayer avcodec/exr: fix undefined shift in pxr24_uncompress() Fixes: runtime error: left shift of 255 by 24 places cannot be represented in type 'int' Fixes: 3787/clusterfuzz-testcase-minimized-5728764920070144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 66f0c958bfd5475658b432d1af4d2e174b2dfcda) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a47195d2a88113877d28ffac5917491bb501883 --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index ec940222b2..b4063f8fa4 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -866,7 +866,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src,
 in = ptr[2] + td->xsize;
 for (j = 0; j < td->xsize; ++j) {
-uint32_t diff = (*(ptr[0]++) << 24) |
+uint32_t diff = ((unsigned)*(ptr[0]++) << 24) |
 (*(ptr[1]++) << 16) |
 (*(ptr[2]++) << 8);
 pixel += diff;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/softfloat: Add FLOAT_MIN
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 1 14:00:18 2017 +0100| [56a56c0cb564aa20e6f91f257beccf1a907674d1] | committer: Michael Niedermayer avutil/softfloat: Add FLOAT_MIN Signed-off-by: Michael Niedermayer (cherry picked from commit e34fe61bf45331d2e6d2840604f799fa4b55c843) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56a56c0cb564aa20e6f91f257beccf1a907674d1 --- libavutil/softfloat.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index c50aaf5285..4789b209cd 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON= { 0x29F16B12, -16}; static const SoftFloat FLOAT_1584893192 = { 0x32B771ED, 1}; ///< 1.584893192 (10^.2) static const SoftFloat FLOAT_10 = { 0x30D4, 17}; ///< 10 static const SoftFloat FLOAT_099= { 0x3BCE, 0}; ///< 0.99 +static const SoftFloat FLOAT_MIN= { 0x2000, MIN_EXP}; /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in predict()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Oct 27 02:23:20 2017 +0200| [18fbf2622cd53985da438f0de06552c6cc49320d] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix integer overflow in predict() Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot be represented in type 'int' Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18fbf2622cd53985da438f0de06552c6cc49320d --- libavcodec/aacdec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index e7c2d2d299..06bfa87e28 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
 if (shift < 31) {
 if (shift > 0) {
-*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+*coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += pv.mant << -shift;
+*coef += (unsigned)(pv.mant << -shift);
 }
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
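Review bot: In the `else` branch the cast is applied to the result of the shift, so `pv.mant << -shift` is still evaluated on a signed operand and a negative mantissa remains undefined behaviour; the cast has to bind to the operand, `*coef += (unsigned)pv.mant << -shift;`. In the `shift > 0` branch the inner `pv.mant + (1 << (shift - 1))` is likewise still a signed addition, and the hunk does not show anything that keeps the mantissa away from INT_MAX. predict() starts and ends outside the hunk.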
[FFmpeg-cvslog] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Nov 13 20:47:48 2017 +0100| [96fe37a3390aaa07a1798d8daa6aa2d622c4870b] | committer: Michael Niedermayer avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu Fixes: out of array read Fixes: 3516/attachment-311488.dat Found-by: Insu Yun, Georgia Tech. Tested-by: wuni...@gmail.com Signed-off-by: Michael Niedermayer (cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96fe37a3390aaa07a1798d8daa6aa2d622c4870b --- libavcodec/x86/mpegvideodsp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c index e0498f3849..6009b64e07 100644 --- a/libavcodec/x86/mpegvideodsp.c +++ b/libavcodec/x86/mpegvideodsp.c @@ -52,8 +52,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src, const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); -int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; +int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
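Review bot: The added tests `width < w` and `height< h` are needed because `width - w` is converted to unsigned by the comparison, so a negative difference wraps to a huge bound and the emulation path is skipped; the expression gives no hint of that. A comment such as `/* width - w is compared as unsigned: a negative difference would wrap and hide the overrun */` would keep the extra tests from being removed later as redundant. The `;` left on a line of its own and the missing space in `height< h` are worth tidying in the same change. gmc_mmx continues outside the hunk.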
[FFmpeg-cvslog] avcodec/cngdec: Fix integer clipping
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Nov 2 18:34:09 2017 +0100| [286e3bf17429e3d8eee4fbe36110c9c0764fa74d] | committer: Michael Niedermayer avcodec/cngdec: Fix integer clipping Fixes: runtime error: value -36211.7 is outside the range of representable values of type 'short' Fixes: 2992/clusterfuzz-testcase-6649611793989632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=286e3bf17429e3d8eee4fbe36110c9c0764fa74d --- libavcodec/cngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c index 34f881448d..42ef5bb3db 100644 --- a/libavcodec/cngdec.c +++ b/libavcodec/cngdec.c @@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void *data, return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) -buf_out[i] = p->filter_out[i + p->order]; +buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
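Review bot: `av_clip_int16()` takes an int, so `p->filter_out[i + p->order]` is converted to int before it is clipped; the sanitizer message in the commit text shows a fractional value, and a floating-point value outside the range of int makes that conversion itself undefined. If nothing else bounds the filter output, clamping in the floating-point domain avoids the intermediate conversion: `buf_out[i] = av_clipf(p->filter_out[i + p->order], INT16_MIN, INT16_MAX);`. The type of `filter_out` is declared outside the hunk, so this is inferred from the log message and should be checked against the declaration.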
[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Nov 5 21:20:08 2017 +0100| [b3067f95c9802a1219abe7dea3aa93419c8cc0f7] | committer: Michael Niedermayer avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot be represented in type 'int' Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3067f95c9802a1219abe7dea3aa93419c8cc0f7 --- libavcodec/aacpsdsp_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 3049ce8b79..0e532fcf84 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT (*delay)[2], INTFLOAT apd_im = in_im; in_re = AAC_MSUB30(link_delay_re, fractional_delay_re, link_delay_im, fractional_delay_im); -in_re -= a_re; +in_re -= (UINTFLOAT)a_re; in_im = AAC_MADD30(link_delay_re, fractional_delay_im, link_delay_im, fractional_delay_re); -in_im -= a_im; -ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re); -ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im); +in_im -= (UINTFLOAT)a_im; +ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re); +ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im); } out[n][0] = AAC_MUL16(transient_gain[n], in_re); out[n][1] = AAC_MUL16(transient_gain[n], in_im); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in header parsing
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Nov 5 21:20:05 2017 +0100| [c8027878d024394fc59184ffdf7182fae0bf38dd] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow in header parsing Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576 Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c8027878d024394fc59184ffdf7182fae0bf38dd --- libavcodec/snowdec.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 6eff729a19..2b92ed3de0 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){ } } -s->spatial_decomposition_type+= get_symbol(>c, s->header_state, 1); +s->spatial_decomposition_type+= (unsigned)get_symbol(>c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; 
@@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){ } -s->qlog += get_symbol(>c, s->header_state, 1); -s->mv_scale += get_symbol(>c, s->header_state, 1); -s->qbias += get_symbol(>c, s->header_state, 1); -s->block_max_depth+= get_symbol(>c, s->header_state, 1); +s->qlog += (unsigned)get_symbol(>c, s->header_state, 1); +s->mv_scale += (unsigned)get_symbol(>c, s->header_state, 1); +s->qbias += (unsigned)get_symbol(>c, s->header_state, 1); +s->block_max_depth+= (unsigned)get_symbol(>c, s->header_state, 1); if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
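Review bot: Of the fields now accumulated with wrap-around arithmetic, only `block_max_depth` and `mv_scale` are range-checked in this hunk (and `spatial_decomposition_type` in the previous one); `s->qlog` and `s->qbias` keep whatever the bitstream summed to. If no check follows outside the hunk, they need a bound next to the existing one before they are used. The log text is also misleading: `block_max_depth= %d is too large` is printed when only `mv_scale > 256U` fails, so the message should name both, e.g. `"block_max_depth= %d or mv_scale= %d is too large\n"`. decode_header continues outside the hunk.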
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined shift
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Nov 5 21:20:07 2017 +0100| [8be48f1c9a4e6db2de6ea5d896d4d4eedc3ec638] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix undefined shift Fixes: runtime error: left shift of negative value -801112064 Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8be48f1c9a4e6db2de6ea5d896d4d4eedc3ec638 --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 1aaa6a2cb1..6ba0e63325 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, int *coef,
 if (shift > 0) {
 *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += (unsigned)(pv.mant << -shift);
+*coef += (unsigned)pv.mant << -shift;
 }
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Nov 4 01:19:20 2017 +0100| [d3264c496a0ed8edfe940eb197ceb5b650b8a17e] | committer: Michael Niedermayer avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot be represented in type 'int' Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3264c496a0ed8edfe940eb197ceb5b650b8a17e --- libavcodec/h264idct_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index ec8a3d083a..e6f40fccd9 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); -const int b1 = (a7>>2) + a1; -const int b3 = a3 + (a5>>2); -const int b5 = (a3>>2) - a5; -const int b7 = a7 - (a1>>2); +const int b1 = (a7>>2) + (unsigned)a1; +const int b3 = (unsigned)a3 + (a5>>2); +const int b5 = (a3>>2) - (unsigned)a5; +const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
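Review bot: The casts make the four `b1` to `b7` computations wrap instead of overflow, but the results go straight back into `const int` and are combined again in `block[i+0*8] = b0 + b7;` and `b0 - b7`, which are signed operations if `b0` is an int (its declaration is above the hunk). Declaring the intermediates unsigned, as in `const unsigned b1 = (a7>>2) + (unsigned)a1;`, would carry the wrap-around through the butterfly rather than reintroducing signed arithmetic one line later. The function continues outside the hunk.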
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 1 14:00:19 2017 +0100| [67208cf992ef20c987a1342a5157c8d48881da0e] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67208cf992ef20c987a1342a5157c8d48881da0e --- libavcodec/aacsbr_fixed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 1f5ff410d1..2a679491b0 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, SpectralBandReplication *sbr, av_add_sf(FLOAT_1, sbr->e_curr[e][m]), av_add_sf(FLOAT_1, sbr->q_mapped[e][m]; } +sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); } for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) { sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
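Review bot: The added line biases every gain by FLOAT_MIN instead of testing for zero, and nothing in the hunk says why. Judging by the commit title the value is used as a divisor later on; a comment would keep the line from being dropped as a no-op, for example `/* gain is used as a divisor later; keep it strictly positive */`. The division itself is outside the hunk, so the wording should be checked against it.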
[FFmpeg-cvslog] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Oct 30 23:21:41 2017 +0100| [6fb7e324fee1b26f5c0ff41eab81c0a0ddd49fe5] | committer: Michael Niedermayer avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() Fixes: runtime error: signed integer overflow: 924846844 + 1457520640 cannot be represented in type 'int' Fixes: 3416/clusterfuzz-testcase-minimized-6125587682820096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b739e1cb8f6ce8baead03ce5c999103ba78f24f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fb7e324fee1b26f5c0ff41eab81c0a0ddd49fe5 --- libavcodec/h264idct_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c index 288107d5a4..ec8a3d083a 100644 --- a/libavcodec/h264idct_template.c +++ b/libavcodec/h264idct_template.c @@ -107,10 +107,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t *_block, int stride){ } for( i = 0; i < 8; i++ ) { -const unsigned a0 = block[0+i*8] + block[4+i*8]; -const unsigned a2 = block[0+i*8] - block[4+i*8]; -const unsigned a4 = (block[2+i*8]>>1) - block[6+i*8]; -const unsigned a6 = (block[6+i*8]>>1) + block[2+i*8]; +const unsigned a0 = block[0+i*8] + (unsigned)block[4+i*8]; +const unsigned a2 = block[0+i*8] - (unsigned)block[4+i*8]; +const unsigned a4 = (block[2+i*8]>>1) - (unsigned)block[6+i*8]; +const unsigned a6 = (block[6+i*8]>>1) + (unsigned)block[2+i*8]; const unsigned b0 = a0 + a6; const unsigned b2 = a2 + a4; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/jpeglsdec: Check ilv for being a supported value
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Oct 26 00:02:56 2017 +0200| [b33d3021954cb81a7291f8a00efa1ffebd13bfca] | committer: Michael Niedermayer avcodec/jpeglsdec: Check ilv for being a supported value Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b33d3021954cb81a7291f8a00efa1ffebd13bfca --- libavcodec/jpeglsdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 64505321af..cb2f89a88c 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -443,6 +443,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; +} else { /* unknown interleaving */ +avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); +ret = AVERROR_PATCHWELCOME; +goto end; } if (s->xfrm && s->nb_components == 3) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
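Review bot: The new `else` branch treats an interleave value outside the handled cases as a missing feature and returns AVERROR_PATCHWELCOME, which asks users for samples and patches for what is more likely a corrupt or hostile stream than an unimplemented mode. If the cases handled above are the only ones the format defines, the branch should reject the input instead: `av_log(s->avctx, AV_LOG_ERROR, "Invalid interleave mode\n"); ret = AVERROR_INVALIDDATA;`. The preceding branches are outside the hunk, so the set of defined values is an assumption to confirm.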
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Oct 27 02:23:21 2017 +0200| [02612c3e3eb54cdf60392929d17909e4a4f80f89] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be represented in type 'int' Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02612c3e3eb54cdf60392929d17909e4a4f80f89 --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 06bfa87e28..1aaa6a2cb1 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
 for (k = offsets[i]; k < offsets[i + 1]; k++) {
 tmp = (int)(((int64_t)src[group * 128 + k] * c + \
 (int64_t)0x10) >> 37);
-dest[group * 128 + k] += tmp * (1 << shift);
+dest[group * 128 + k] += tmp * (1U << shift);
 }
 }
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
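Review bot: `1U << shift` removes the signed-multiply overflow, but the shift count itself is not bounded anywhere in the visible lines, and a `shift` of 32 or more, or a negative one, is still undefined. If the range is not enforced where `shift` is computed (above the hunk), it should be, and the line deserves a note that the wrap is deliberate: `/* unsigned multiply: wraps on overflow, shift must be in 0..31 */`. apply_dependent_coupling_fixed starts outside the hunk.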
[FFmpeg-cvslog] avcodec/xan: Improve overlapping check
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Oct 30 23:21:40 2017 +0100| [faa84a0c0667927b89f20f8c5af64129ccbb18ef] | committer: Michael Niedermayer avcodec/xan: Improve overlapping check Fixes: memcpy-param-overlap Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=faa84a0c0667927b89f20f8c5af64129ccbb18ef --- libavcodec/xan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 4c01c0013f..8b4ec82405 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -263,7 +263,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, AVFrame *frame,
 prevframe_index = (y + motion_y) * stride + x + motion_x;
 prevframe_x = x + motion_x;
-if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) {
+if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) {
 avpriv_request_sample(s->avctx, "Overlapping copy");
 return ;
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
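Review bot: The overlap test now measures the distance as `motion_x + width*motion_y`, while the index two lines above it is built with `stride` (`(y + motion_y) * stride + x + motion_x`), and the reason for the different pitch is not stated. A comment would stop a later edit from "correcting" it back, for example `/* distance in pixels along the copy order, which wraps at width rather than stride */`. That reading is inferred from the expression being replaced and should be confirmed against the copy loop, which is outside the hunk.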
[FFmpeg-cvslog] avformat: Free the internal codec context at the end
ffmpeg | branch: release/3.3 | Luca Barbato| Wed Apr 12 01:46:30 2017 +0200| [912448efc110d4249e9ec7ff7b19bd7dab0c6e50] | committer: Michael Niedermayer avformat: Free the internal codec context at the end Avoid a use after free in avformat_find_stream_info. (cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=912448efc110d4249e9ec7ff7b19bd7dab0c6e50 --- libavformat/utils.c | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index ff55fc8d97..5200c7d2e7 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3763,12 +3763,6 @@ FF_ENABLE_DEPRECATION_WARNINGS } } -// close codecs which were opened in try_decode_frame() -for (i = 0; i < ic->nb_streams; i++) { -st = ic->streams[i]; -avcodec_close(st->internal->avctx); -} - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3949,6 +3943,7 @@ find_stream_info_err: st = ic->streams[i]; if (st->info) av_freep(>info->duration_error); +avcodec_close(ic->streams[i]->internal->avctx); av_freep(>streams[i]->info); } if (ic->pb) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
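Review bot: In the second hunk the added call re-indexes the array, `avcodec_close(ic->streams[i]->internal->avctx);`, although `st = ic->streams[i];` is assigned two lines above and already used for `st->info`; `avcodec_close(st->internal->avctx);` reads the same and matches the loop the first hunk removes. The call also lands between the two `av_freep` lines with no explanation, so the intent of the deleted comment is lost; `/* close codecs opened in try_decode_frame() only once nothing uses them any more */` would carry it over. The cleanup loop starts outside the hunk.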
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 1 14:00:20 2017 +0100| [19fb467fcbbfdb9cba784fd0cd05d6e8333bc3fb] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long' Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19fb467fcbbfdb9cba784fd0cd05d6e8333bc3fb --- libavcodec/sbrdsp_fixed.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f45bb847a8..07ef12117c 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], int64_t accu; for (m = 0; m < m_max; m++) { -int64_t r = 1LL << (22-g_filt[m].exp); -accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); -Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); +if (22 - g_filt[m].exp < 61) { +int64_t r = 1LL << (22-g_filt[m].exp); +accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); +Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); -accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); -Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); +accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); +Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); +} } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
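Review bot: When `22 - g_filt[m].exp` is 61 or more the new guard skips the whole body, so `Y[m][0]` and `Y[m][1]` keep whatever the output buffer already held instead of the value a shift that large would round to. Adding `else { Y[m][0] = Y[m][1] = 0; }` would make the output defined for every `m`. The guard also has no lower bound: an exponent above 22 makes `22 - g_filt[m].exp` negative, and `1LL <<` by a negative count is undefined, so unless the exponent range is limited outside the hunk the condition should read `if (g_filt[m].exp <= 22 && 22 - g_filt[m].exp < 61)`.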
[FFmpeg-cvslog] avcodec/xan: Check for bitstream end in xan_huffman_decode()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Nov 3 17:48:29 2017 +0100| [ffa2d60ac5af229268607b6530ff4e32baa1b2fa] | committer: Michael Niedermayer avcodec/xan: Check for bitstream end in xan_huffman_decode() Fixes: Timeout Fixes: 3707/clusterfuzz-testcase-6465922706440192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffa2d60ac5af229268607b6530ff4e32baa1b2fa --- libavcodec/xan.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 8b4ec82405..1ccf164847 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -131,7 +131,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len, return ret; while (val != 0x16) { -unsigned idx = val - 0x17 + get_bits1() * byte; +unsigned idx; +if (get_bits_left() < 1) +return AVERROR_INVALIDDATA; +idx = val - 0x17 + get_bits1() * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
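Review bot: The index computation that follows the new end-of-bitstream check relies on unsigned wraparound: when `val` is below 0x17 the subtraction gives a value that, stored in `unsigned idx`, is far above `2 * byte` and is rejected by the next test. Now that the declaration and the assignment are split, that deserves a comment on the assignment, for example `/* val < 0x17 wraps to a huge idx and is rejected below */`. The types of `val` and `byte` are declared outside the hunk, so this reading should be confirmed against them.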
[FFmpeg-cvslog] avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Nov 5 21:20:06 2017 +0100| [c1d31ccfac480d4dd8b6aa20f8f0e6e183d620c2] | committer: Michael Niedermayer avcodec/mdct_*: Fix integer overflow in addition in RESCALE() Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot be represented in type 'int' Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1d31ccfac480d4dd8b6aa20f8f0e6e183d620c2 --- libavcodec/mdct_fixed.c| 8 libavcodec/mdct_template.c | 14 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c index a32cb00ca0..aabf0c88f8 100644 --- a/libavcodec/mdct_fixed.c +++ b/libavcodec/mdct_fixed.c @@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const FFTSample *input) /* pre rotation */ for(i=0;i > 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const FFTSample *input) /* pre rotation */ for(i=0;i
[FFmpeg-cvslog] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Oct 26 00:02:57 2017 +0200| [3d6ffa2bb50a99434a1e54f1212b266189245cdb] | committer: Michael Niedermayer avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d6ffa2bb50a99434a1e54f1212b266189245cdb --- libavcodec/jpeglsdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index cb2f89a88c..5308b744df 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, MJpegDecodeContext *s, while (x < w) { int err, pred; +if (get_bits_left(>gb) <= 0) +return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
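Review bot: The early `return` added at the top of the `while (x < w)` loop cannot report the truncation, because `ls_decode_line()` is `static inline void`. The rest of the line is left as it was and the caller goes on to the next line as if decoding had succeeded. Returning `int` (0 on success, `AVERROR_INVALIDDATA` here) and checking it at the call sites would let the decoder stop at the first exhausted line instead of repeating the check once per remaining line; the wmv2dec commit further down this page converts `parse_mb_skip()` in exactly that way. The call sites are outside the hunk, so how they would have to change is not visible here.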
[FFmpeg-cvslog] avformat/hls: ignore http_persistent for segments requring crypto
ffmpeg | branch: master | Aman Gupta| Fri Dec 29 15:30:55 2017 -0800| [97b89432e4566a5d620f97bfdf4c8ae9c83d94e8] | committer: Aman Gupta avformat/hls: ignore http_persistent for segments requring crypto Encrypted HLS segments have regular http:// urls, but open_input() actually prefixes them with crypto+ before calling open_url(), so they end up using the crypto protocol and not the http protocol. This means invoking ff_http_do_new_request will fail, so we avoid calling it in the first place. After the earlier http.c commit, the failure results in a warning printed to the user. In earlier versions, the failure would cause a segfault. Signed-off-by: Aman Gupta > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=97b89432e4566a5d620f97bfdf4c8ae9c83d94e8 --- libavformat/hls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index dccc7c7dd2..d9f7c6de4d 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -1479,7 +1479,7 @@ reload: seg = next_segment(v); if (c->http_multiple == 1 && !v->input_next_requested && -seg && av_strstart(seg->url, "http", NULL)) { +seg && seg->key_type == KEY_NONE && av_strstart(seg->url, "http", NULL)) { ret = open_input(c, v, seg, >input_next); if (ret < 0) { if (ff_check_interrupt(c->interrupt_callback)) @@ -1511,7 +1511,8 @@ reload: return ret; } -if (c->http_persistent && av_strstart(seg->url, "http", NULL)) { +if (c->http_persistent && +seg->key_type == KEY_NONE && av_strstart(seg->url, "http", NULL)) { v->input_read_done = 1; } else { ff_format_io_close(v->parent, >input); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
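Review bot: The condition `seg->key_type == KEY_NONE && av_strstart(seg->url, "http", NULL)` now appears in both hunks and encodes a fact about `open_input()` (it prefixes encrypted segments with crypto+), so the two copies and that function have to be kept in sync by hand. A small static helper used at both sites, with the explanation from the commit message as its comment, would keep the rule in one place. The test also infers the protocol from the URL text and the key type rather than from the context that was actually opened, so the EINVAL check added to ff_http_do_new_request() by the earlier http.c commit remains the real safeguard.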
[FFmpeg-cvslog] x264: Support version 153
ffmpeg | branch: release/2.4 | Luca Barbato| Tue Dec 26 12:32:42 2017 +0100| [8d75aa8d79519c21f91a7dd96f330ad30d6625ed] | committer: Michael Niedermayer x264: Support version 153 It has native simultaneus 8 and 10 bit support. (cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e) (cherry picked from commit 96e8400553ae47f8f8df5b66cc268297ba38824c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d75aa8d79519c21f91a7dd96f330ad30d6625ed --- libavcodec/libx264.c | 29 + 1 file changed, 29 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index fa3aea9375..7f46abd80b 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -167,7 +167,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x264_picture_init( >pic ); x4->pic.img.i_csp = x4->params.i_csp; +#if X264_BUILD >= 153 +if (x4->params.i_bitdepth > 8) +#else if (x264_bit_depth > 8) +#endif x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); @@ -393,6 +397,9 @@ static av_cold int X264_init(AVCodecContext *avctx) x4->params.p_log_private= avctx; x4->params.i_log_level = X264_LOG_DEBUG; x4->params.i_csp= convert_pix_fmt(avctx->pix_fmt); +#if X264_BUILD >= 153 +x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth; +#endif OPT_STR("weightp", x4->wpredp); @@ -731,6 +738,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = { AV_PIX_FMT_NV20, AV_PIX_FMT_NONE }; +static const enum AVPixelFormat pix_fmts_all[] = { +AV_PIX_FMT_YUV420P, +AV_PIX_FMT_YUVJ420P, +AV_PIX_FMT_YUV422P, +AV_PIX_FMT_YUVJ422P, +AV_PIX_FMT_YUV444P, +AV_PIX_FMT_YUVJ444P, +AV_PIX_FMT_NV12, +AV_PIX_FMT_NV16, +#ifdef X264_CSP_NV21 +AV_PIX_FMT_NV21, +#endif +AV_PIX_FMT_YUV420P10, +AV_PIX_FMT_YUV422P10, +AV_PIX_FMT_YUV444P10, +AV_PIX_FMT_NV20, +AV_PIX_FMT_NONE +}; static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { #ifdef X264_CSP_BGR AV_PIX_FMT_BGR24, 
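Review bot: `av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth` in X264_init() dereferences the descriptor without a NULL check, and av_pix_fmt_desc_get() returns NULL for a pixel format it does not know. The format has presumably been validated against `codec->pix_fmts` before init runs, but that is not visible in the hunk. A local `const AVPixFmtDescriptor *desc` followed by `if (!desc) return AVERROR(EINVAL);` would make the function safe on its own; if X264_init() has already allocated anything by that point, the early return has to go through its cleanup path. The identical line is in the release/3.3 backport of this commit further down the page.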
@@ -741,12 +766,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { +#if X264_BUILD < 153 if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; +#else +codec->pix_fmts = pix_fmts_all; +#endif } #define OFFSET(x) offsetof(X264Context, x) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
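Review bot: X264_init_static() tests `#if X264_BUILD < 153` while the earlier hunks of this commit test `#if X264_BUILD >= 153`; using the same polarity everywhere, with the new-API branch first, makes the version split easier to grep and review. `pix_fmts_all` is also defined unconditionally although only the `#else` branch here uses it, so builds against older x264 carry an unused table and newer ones leave `pix_fmts_8bit`, `pix_fmts_9bit` and `pix_fmts_10bit` unreferenced in this function. Wrapping each table in the matching `#if` would avoid that, provided nothing outside the hunks uses them. The same applies to the release/3.3 backport below.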
[FFmpeg-cvslog] changelog: update with previous commit
ffmpeg | branch: release/3.3 | James Almer| Sat Dec 30 19:38:23 2017 -0300| [03292829aa2e7a7db36de490c6cc19a4792ab3cc] | committer: James Almer changelog: update with previous commit Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=03292829aa2e7a7db36de490c6cc19a4792ab3cc --- Changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 4564611d77..cd95ddab50 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,7 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 3.3.6: +- x264: Support version 153 - avcodec/exr: Check buf_size more completely - avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() - avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] x264: Support version 153
ffmpeg | branch: release/3.3 | Luca Barbato| Tue Dec 26 12:32:42 2017 +0100| [96e8400553ae47f8f8df5b66cc268297ba38824c] | committer: James Almer x264: Support version 153 It has native simultaneus 8 and 10 bit support. (cherry picked from commit c6558e8840fbb2386bf8742e4d68dd6e067d262e) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96e8400553ae47f8f8df5b66cc268297ba38824c --- libavcodec/libx264.c | 29 + 1 file changed, 29 insertions(+) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index b11ede6198..6568b25b1a 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -279,7 +279,11 @@ static int X264_frame(AVCodecContext *ctx, AVPacket *pkt, const AVFrame *frame, x264_picture_init( >pic ); x4->pic.img.i_csp = x4->params.i_csp; +#if X264_BUILD >= 153 +if (x4->params.i_bitdepth > 8) +#else if (x264_bit_depth > 8) +#endif x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); @@ -490,6 +494,9 @@ static av_cold int X264_init(AVCodecContext *avctx) x4->params.p_log_private= avctx; x4->params.i_log_level = X264_LOG_DEBUG; x4->params.i_csp= convert_pix_fmt(avctx->pix_fmt); +#if X264_BUILD >= 153 +x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth; +#endif PARSE_X264_OPT("weightp", wpredp); @@ -878,6 +885,24 @@ static const enum AVPixelFormat pix_fmts_10bit[] = { AV_PIX_FMT_NV20, AV_PIX_FMT_NONE }; +static const enum AVPixelFormat pix_fmts_all[] = { +AV_PIX_FMT_YUV420P, +AV_PIX_FMT_YUVJ420P, +AV_PIX_FMT_YUV422P, +AV_PIX_FMT_YUVJ422P, +AV_PIX_FMT_YUV444P, +AV_PIX_FMT_YUVJ444P, +AV_PIX_FMT_NV12, +AV_PIX_FMT_NV16, +#ifdef X264_CSP_NV21 +AV_PIX_FMT_NV21, +#endif +AV_PIX_FMT_YUV420P10, +AV_PIX_FMT_YUV422P10, +AV_PIX_FMT_YUV444P10, +AV_PIX_FMT_NV20, +AV_PIX_FMT_NONE +}; #if CONFIG_LIBX264RGB_ENCODER static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { AV_PIX_FMT_BGR0, 
@@ -889,12 +914,16 @@ static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { static av_cold void X264_init_static(AVCodec *codec) { +#if X264_BUILD < 153 if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; +#else +codec->pix_fmts = pix_fmts_all; +#endif } #define OFFSET(x) offsetof(X264Context, x) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Don't manipulate duration when it's AV_NOPTS_VALUE.
ffmpeg | branch: release/3.3 | Dale Curtis| Tue Nov 28 14:26:55 2017 -0800| [272a9687a73c44e5c27b969dd454b3e04cc32279] | committer: Michael Niedermayer Don't manipulate duration when it's AV_NOPTS_VALUE. This leads to signed integer overflow. Signed-off-by: Dale Curtis Signed-off-by: James Almer (cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=272a9687a73c44e5c27b969dd454b3e04cc32279 --- libavformat/oggparsevp8.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c index c534ab117d..b76ac71cc5 100644 --- a/libavformat/oggparsevp8.c +++ b/libavformat/oggparsevp8.c @@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx) os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; -if (s->streams[idx]->duration) +if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
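Review bot: The subtraction `s->streams[idx]->duration -= s->streams[idx]->start_time` behind the new condition is still plain signed 64-bit arithmetic on two values derived from the file, so excluding AV_NOPTS_VALUE removes one overflowing input but not the general case. `start_time` has just been set from `os->lastpts`; if that can itself be AV_NOPTS_VALUE or a large negative value at this point (not visible in the hunk), the same undefined overflow remains. Checking the range before subtracting, or skipping the adjustment when `os->lastpts == AV_NOPTS_VALUE`, would close that. A local `AVStream *st = s->streams[idx];` would also make the repeated accesses easier to read.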
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Dec 2 21:48:04 2017 +0100| [454a2405ce80dcfa85d38f18e3b9788d0b57e40c] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024 Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=454a2405ce80dcfa85d38f18e3b9788d0b57e40c --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index eb5aebc878..50c8b1e394 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) +((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
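Review bot: The four COMPOSE_DAUB97i* macros now parenthesise `b1` but still use `b0` and `b2` bare, as in `(b0 + (unsigned)b2)`, so an expression argument such as `a + c` would have the cast applied to its first operand only. Writing `((b0) + (unsigned)(b2))` in each macro costs nothing and matches the treatment `b1` just received. The macros also evaluate to `unsigned` now rather than `int`; that is harmless where the result is stored into an `int`, but any use that widens or compares the result directly would see a different value, which cannot be checked from this hunk. A short comment above the group saying the unsigned arithmetic is deliberate, to avoid signed overflow, would stop someone from tidying the casts away.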
[FFmpeg-cvslog] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Dec 2 21:53:22 2017 +0100| [054188db10873fa23cd7739bb468850b23dbe8ac] | committer: Michael Niedermayer avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int' Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=054188db10873fa23cd7739bb468850b23dbe8ac --- libavcodec/diracdsp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index 8bc79b788c..2dd56f83f3 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid int32_t *src = (int32_t *)_src; \ for (y = 0; y < height; y++) { \ for (x = 0; x < width; x+=4) { \ -dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \ -dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \ -dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \ -dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \ +dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \ +dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \ +dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \ +dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \ } \ dst += dst_stride >> 1; \ src += src_stride >> 2; \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
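Review bot: With `1U` the sum `src[x] + (1U << (PX - 1))` is computed as `unsigned` and converted back to `int` when it is passed to av_clip_uintp2(), so the code now relies on that out-of-range conversion wrapping to the negative value instead of on signed addition. That is implementation-defined rather than undefined and gives the intended result on two's-complement targets, but nothing in the macro says so. I would add a comment inside the macro such as `/* unsigned add avoids signed overflow; the result wraps back to int */`.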
[FFmpeg-cvslog] Fix undefined shift on assumed 8-bit input.
ffmpeg | branch: release/3.3 | Dale Curtis| Fri Nov 17 16:05:30 2017 -0800| [11a940adbcabd2dbbd78bd95023e8853985aa525] | committer: Michael Niedermayer Fix undefined shift on assumed 8-bit input. decode_user_data() attempts to create an integer |build| value with 8 bits of spacing for 3 components. However each component is an int32_t, so shifting each component is undefined for values outside of the 8 bit range. This patch simply clamps input to 8-bits per component and prints out a warning that the values were clamped. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11a940adbcabd2dbbd78bd95023e8853985aa525 --- libavcodec/mpeg4videodec.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index cd39131d55..5ae724bed1 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2149,8 +2149,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", , , , ); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", , , ) + 1; -if (e > 1) -build = (ver << 16) + (ver2 << 8) + ver3; +if (e > 1) { +if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { +av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); +} +build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); +} } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
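Review bot: The warning says the values are clamped, but `(ver & 0xFF)` masks them: 256 becomes 0, not 255, so an out-of-range component can yield a lower `build` than a valid one would, and anything that later compares against `build` sees the wrong version. The range test also checks only `> 0xFF`, so a negative component parsed by `%d` is masked without any warning. Either clamp for real, `build = (av_clip_uint8(ver) << 16) + (av_clip_uint8(ver2) << 8) + av_clip_uint8(ver3);`, or reword the message to say the values are truncated. How `build` is used afterwards is outside the hunk.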
[FFmpeg-cvslog] avformat/mov: Check size of STSC allocation
ffmpeg | branch: release/3.3 | Fredrik Hubinette| Wed Nov 15 17:24:30 2017 -0800| [74104d2dc05d903a2b94e3457fc1a2cf8fe224a2] | committer: Michael Niedermayer avformat/mov: Check size of STSC allocation Signed-off-by: Michael Niedermayer (cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74104d2dc05d903a2b94e3457fc1a2cf8fe224a2 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 90b068f091..6ebdf8a4b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2411,6 +2411,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb24(pb); /* flags */ entries = avio_rb32(pb); +if ((uint64_t)entries * 12 + 4 > atom.size) +return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%u].stsc.entries = %u\n", c->fc->nb_streams - 1, entries); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
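Review bot: The constants in `(uint64_t)entries * 12 + 4 > atom.size` are unexplained, and the comparison mixes `uint64_t` with `atom.size`, which appears to be a signed 64-bit field (another commit on this page initialises it with INT64_MAX). A negative `atom.size` would be converted to a huge unsigned value and pass the check; whether a negative size can reach mov_read_stsc() is not visible here, so an explicit `atom.size < 0 ||` in front would make the bound self-contained. I would also add a comment such as `/* 12 bytes per stsc entry plus the fields already read */` and confirm that 4 is the intended header size, since the reads visible before the check already consume the 3 flag bytes and the 4-byte entry count.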
[FFmpeg-cvslog] Fix leak of frame_duration_buffer in mov_fix_index().
ffmpeg | branch: release/3.3 | Dale Curtis| Fri Nov 17 14:53:25 2017 -0800| [362967fec6a4c4772e56b50efba49dab06f49de6] | committer: Michael Niedermayer Fix leak of frame_duration_buffer in mov_fix_index(). Should be unconditionally freed at the end of mov_fix_index() in case it hasn't been used during the fix up. Signed-off-by: Dale Curtis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit d073be2291e40129d107ca4573097d6d6d2dbf68) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=362967fec6a4c4772e56b50efba49dab06f49de6 --- libavformat/mov.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 2f6965eabb..f2eb22eb3d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3296,6 +3296,7 @@ static void mov_fix_index(MOVContext *mov, AVStream *st) // Free the old index and the old CTTS structures av_free(e_old); av_free(ctts_data_old); +av_freep(_duration_buffer); // Null terminate the index ranges array current_index_range++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Use ff_thread_once for fixed, float table init.
ffmpeg | branch: release/3.3 | Dale Curtis| Fri Nov 17 14:51:09 2017 -0800| [edd0cd21f41e6b0b8b39b5a53891d4a2c61fafff] | committer: Michael Niedermayer Use ff_thread_once for fixed, float table init. These tables are static so they should only be initialized once instead of on every call to ff_mpadsp_init(). Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edd0cd21f41e6b0b8b39b5a53891d4a2c61fafff --- libavcodec/mpegaudiodsp.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c index a5d20df629..3cafca27bf 100644 --- a/libavcodec/mpegaudiodsp.c +++ b/libavcodec/mpegaudiodsp.c @@ -20,17 +20,21 @@ #include "config.h" #include "libavutil/attributes.h" +#include "libavutil/thread.h" #include "mpegaudiodsp.h" #include "dct.h" #include "dct32.h" +static AVOnce mpadsp_float_table_init = AV_ONCE_INIT; +static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT; + av_cold void ff_mpadsp_init(MPADSPContext *s) { DCTContext dct; ff_dct_init(, 5, DCT_II); -ff_init_mpadsp_tabs_float(); -ff_init_mpadsp_tabs_fixed(); +ff_thread_once(_float_table_init, _init_mpadsp_tabs_float); +ff_thread_once(_fixed_table_init, _init_mpadsp_tabs_fixed); s->apply_window_float = ff_mpadsp_apply_window_float; s->apply_window_fixed = ff_mpadsp_apply_window_fixed; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: Propagate errors in mov_switch_root.
ffmpeg | branch: release/3.3 | Jacob Trimble| Mon Nov 20 12:05:02 2017 -0800| [a0eccf673cda83697e8e42d13e10d31a60a45346] | committer: Michael Niedermayer avformat/mov: Propagate errors in mov_switch_root. Signed-off-by: Jacob Trimble Signed-off-by: Michael Niedermayer (cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a0eccf673cda83697e8e42d13e10d31a60a45346 --- libavformat/mov.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6ebdf8a4b7..2f6965eabb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6171,6 +6171,7 @@ static int should_retry(AVIOContext *pb, int error_code) { static int mov_switch_root(AVFormatContext *s, int64_t target) { +int ret; MOVContext *mov = s->priv_data; int i, j; int already_read = 0; @@ -6207,8 +6208,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t target) mov->found_mdat = 0; -if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) < 0 || -avio_feof(s->pb)) +ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }); +if (ret < 0) +return ret; +if (avio_feof(s->pb)) return AVERROR_EOF; av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", avio_tell(s->pb)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Sep 17 01:28:07 2017 +0200| [4a412dc6ad195eaf1bf43c8a77b622923aacf99a] | committer: Michael Niedermayer avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() Fixes: Timeout Fixes: 3200/clusterfuzz-testcase-5750022136135680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a412dc6ad195eaf1bf43c8a77b622923aacf99a --- libavcodec/wmv2dec.c | 18 -- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c index 20dbee5703..225e30ab5a 100644 --- a/libavcodec/wmv2dec.c +++ b/libavcodec/wmv2dec.c @@ -30,7 +30,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = >s; @@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w) MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: +if (get_bits_left(>gb) < s->mb_height * s->mb_width) +return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { +if (get_bits_left(>gb) < 1) +return AVERROR_INVALIDDATA; if (get_bits1(>gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w) break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { +if (get_bits_left(>gb) < 1) +return AVERROR_INVALIDDATA; if (get_bits1(>gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = 
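Review bot: In the SKIP_TYPE_ROW and SKIP_TYPE_COL cases the added `< 1` test covers only the one flag bit read at the top of each iteration, whereas SKIP_TYPE_MPEG checks the full `s->mb_height * s->mb_width` bits up front. If the branch taken when the flag is 0 reads one bit per macroblock (it lies outside the hunks), those reads are still unchecked and a truncated stream gets through a whole row or column before the next test. Checking for `s->mb_width` bits in the row case and `s->mb_height` bits in the column case before that inner loop would make the three cases consistent. The new return value also deserves a one-line comment on parse_mb_skip(): `/* returns 0 on success, AVERROR_INVALIDDATA on a truncated bitstream */`.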
@@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w) } break; } +return 0; } static int decode_ext_header(Wmv2Context *w) @@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext *s) } } else { int cbp_index; +int ret; w->j_type = 0; -parse_mb_skip(w); +ret = parse_mb_skip(w); +if (ret < 0) +return ret; cbp_index = decode012(>gb); w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index); @@ -359,6 +369,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) w->hshift = 0; return 0; } +if (get_bits_left(>gb) <= 0) +return AVERROR_INVALIDDATA; code = get_vlc2(>gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -369,6 +381,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t block[6][64]) cbp = code & 0x3f; } else { s->mb_intra = 1; +if (get_bits_left(>gb) <= 0) +return AVERROR_INVALIDDATA; code = get_vlc2(>gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
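Review bot: Both new `get_bits_left(...) <= 0` exits in ff_wmv2_decode_mb (before the non-intra get_vlc2 call, and again in the intra branch in the last hunk) return AVERROR_INVALIDDATA with no log line, while the `code < 0` path directly after them reports through av_log. A truncated stream therefore fails silently at the spot the fuzzer flagged, which makes the failure harder to triage. I would put `av_log(s->avctx, AV_LOG_ERROR, "bitstream ended before macroblock data\n");` ahead of each return. The function body starts and ends outside these hunks.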
[FFmpeg-cvslog] avcodec/zmbv: Check that the buffer is large enough for mvec
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 15 17:11:12 2017 +0100| [1c9af4d7a888eca8eb7908e21cea557607f8c56b] | committer: Michael Niedermayer avcodec/zmbv: Check that the buffer is large enough for mvec Fixes: Timeout Fixes: 4143/clusterfuzz-testcase-4736864637419520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c9af4d7a888eca8eb7908e21cea557607f8c56b --- libavcodec/zmbv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index b09dc41ebd..f91d2e3931 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } else { frame->key_frame = 0; frame->pict_type = AV_PICTURE_TYPE_P; +if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh)) +return AVERROR_INVALIDDATA; if (c->decomp_len) c->decode_xor(c); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
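Review bot: After the added size check, the existing `if (c->decomp_len)` guard on the next line can no longer be false for any frame with a non-empty block grid, because decomp_len has just been required to be at least twice the block count. If a zero-length inter frame used to be a valid "nothing changed" case it is now rejected; if it never was, the guard is dead and should be removed. A comment such as `/* need 2 bytes of motion vector data per block before any XOR data */` would record why the factor is 2 (inferred from the commit title, please confirm). The divisions by `c->bw` and `c->bh` also assume both are non-zero, and that validation is not visible in this hunk. decode_frame continues outside the hunk.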
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Nov 25 03:15:16 2017 +0100| [7bc064d461659553f7785d5b7d72a1518fc2aae3] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be represented in type 'int' Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7bc064d461659553f7785d5b7d72a1518fc2aae3 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9a9e9e1b3..eb5aebc878 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b0 + b1) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ -(b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) +((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ -(b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) +((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
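Review bot: The new cast is written `(unsigned)b4` with the macro argument unparenthesised, so it applies to the first operand of whatever expression a caller passes rather than to its value; the existing `(unsigned)b8`, `(unsigned)b7` and similar casts have the same weakness. Whether any call site passes a compound expression cannot be seen from this hunk, but `((unsigned)(b4) - ...)` in COMPOSE_FIDELITYiL0 and `((unsigned)(b4) + ...)` in COMPOSE_FIDELITYiH0 cost nothing and remove the question. Both macros now also yield an unsigned value, so a one-line comment that callers store the result back into a signed coefficient type would document the intended conversion.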
[FFmpeg-cvslog] avcodec/snowdec: Check for remaining bitstream in decode_blocks()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 15 21:17:16 2017 +0100| [01439fe1e139b42fa218688c3a6be398bc809294] | committer: Michael Niedermayer avcodec/snowdec: Check for remaining bitstream in decode_blocks() Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01439fe1e139b42fa218688c3a6be398bc809294 --- libavcodec/snowdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index af92cb0070..df425b8cf3 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){ for(y=0; y c.bytestream >= s->c.bytestream_end) +return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Close ogg stream upon error when using AV_EF_EXPLODE.
ffmpeg | branch: release/3.3 | Dale Curtis| Mon Nov 20 12:07:57 2017 -0800| [2de4eb6fec18808f08f0ea8a5f8940eb842662c1] | committer: Michael Niedermayer Close ogg stream upon error when using AV_EF_EXPLODE. Without this there can be multiple memory leaks for unrecognized ogg streams. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2de4eb6fec18808f08f0ea8a5f8940eb842662c1 --- libavformat/oggdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 97ad1a27d1..193a286e43 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -719,8 +719,10 @@ static int ogg_read_header(AVFormatContext *s) "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); -if (s->error_recognition & AV_EF_EXPLODE) +if (s->error_recognition & AV_EF_EXPLODE) { +ogg_read_close(s); return AVERROR_INVALIDDATA; +} } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
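Review bot: The cleanup is attached to this one return only, and the hunk gives no way to tell whether the other error exits of ogg_read_header release the stream state too; the function starts and ends outside the hunk. Since the commit message speaks of multiple leaks, I would make the pattern structural: set `ret = AVERROR_INVALIDDATA;` and `goto fail;` here, with a single `fail:` label that calls `ogg_read_close(s);` and returns `ret`. That keeps an error path added later from reintroducing the leak.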
[FFmpeg-cvslog] avformat/utils: Prevent undefined shift with wrap_bits > 64.
ffmpeg | branch: release/3.3 | Dale Curtis| Fri Nov 17 13:35:56 2017 -0800| [85ea121684a7b128c39373845506e6016daa60cc] | committer: Michael Niedermayer avformat/utils: Prevent undefined shift with wrap_bits > 64. 2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the code to use a uint64_t (2ULL) and add an av_assert2() to ensure wrap_bits <= 64. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=85ea121684a7b128c39373845506e6016daa60cc --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5200c7d2e7..2c622d2c56 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1732,13 +1732,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; +av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && -(av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { -if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { +av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { +if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
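Review bot: `av_assert2(wrap_bits <= 64)` is only active in builds with a raised assert level, so in an ordinary build the shift count `wrap_bits - 1` is still unchecked. It also leaves the lower bound open, since `wrap_bits == 0` gives a shift by -1, which is just as undefined. pts_wrap_bits is a per-stream field set outside this hunk, so where it is bounded cannot be seen here; if file contents can influence it, validate it where the stream is set up. At minimum assert both ends with `av_assert2(wrap_bits >= 1 && wrap_bits <= 64);`. The assert also sits between the declarations of `wrap_bits` and `last_dts`; moving it below `last_dts` avoids mixing a statement into the declarations.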
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check also for negative versions in the validity check
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Nov 21 03:15:53 2017 +0100| [70dc266342ee2972b31f0eda5905ec8ebf3b2584] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check also for negative versions in the validity check Signed-off-by: Michael Niedermayer (cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=70dc266342ee2972b31f0eda5905ec8ebf3b2584 --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 5ae724bed1..8eafc783b8 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2150,7 +2150,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, GetBitContext *gb) if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", , , ) + 1; if (e > 1) { -if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) { +if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { av_log(s->avctx, AV_LOG_WARNING, "Unknown Lavc version string encountered, %d.%d.%d; " "clamping sub-version values to 8-bits.\n", ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
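Review bot: The negative-value check is implicit: comparing against `0xFFU` converts `ver`, `ver2` and `ver3` to unsigned so that a negative value compares as large. That only works while the three variables are plain `int` (declared outside the hunk) and is easy to undo by someone tidying the suffix. Either spell the range out, `if (ver < 0 || ver > 0xFF || ver2 < 0 || ver2 > 0xFF || ver3 < 0 || ver3 > 0xFF) {`, or keep the trick with a comment `/* unsigned compare also rejects negative values */`. The values come from `sscanf` on the user-data buffer, so this is input validation and should be obvious to a reader.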
[FFmpeg-cvslog] avcodec/mlpdsp: Fix signed integer overflow, 2nd try
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Nov 20 18:45:45 2017 +0100| [cead6c94c502a90f1318ddc47885bfaa407068dd] | committer: Michael Niedermayer avcodec/mlpdsp: Fix signed integer overflow, 2nd try The outputted bits should match what is used in the lossless check Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be represented in type 'int' Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cead6c94c502a90f1318ddc47885bfaa407068dd --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 4e3a16c781..32a4503b64 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xff) << mat_ch; if (is32) -*data_32++ = sample * 256; +*data_32++ = sample * 256U; else *data_16++ = sample >> 8; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
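Review bot: `sample * 256U` needs a comment, because this store has now been rewritten twice for undefined behaviour and the `U` suffix is the entire fix. The multiplication is done in unsigned arithmetic, which wraps instead of overflowing, and the result is converted back when written through `data_32`. Something like `/* unsigned multiply on purpose: sample may be negative or too large for a signed shift or multiply by 256 */` above the store would prevent a third round. The declaration of `sample` is outside the hunk, so its exact type cannot be confirmed from here.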
[FFmpeg-cvslog] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
ffmpeg | branch: release/3.3 | Dale Curtis| Wed Nov 22 10:58:39 2017 -0800| [9bc2f44c27a315e783a10ca59396c93f568982c0] | committer: Michael Niedermayer avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9bc2f44c27a315e783a10ca59396c93f568982c0 --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 399020eec5..f710c23450 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -91,7 +91,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) exit_at_level[i] = 0; // construct code (append 0s to end) and introduce new exits for (j = i + 1 ;j <= bits[p]; ++j) -exit_at_level[j] = code + (1 << (j - 1)); +exit_at_level[j] = code + (1u << (j - 1)); codes[p] = code; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing
ffmpeg | branch: release/3.3 | Nikolas Bowe| Tue Dec 5 15:11:26 2017 -0800| [01ab4117dc034e3407d16da0439861bd0d9ec039] | committer: Michael Niedermayer avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing Signed-off-by: Michael Niedermayer (cherry picked from commit 5a412a5c3cc216ae1d15e6b884bda7214b73a5b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01ab4117dc034e3407d16da0439861bd0d9ec039 --- libavcodec/extract_extradata_bsf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/extract_extradata_bsf.c b/libavcodec/extract_extradata_bsf.c index ed6509c681..d40907a675 100644 --- a/libavcodec/extract_extradata_bsf.c +++ b/libavcodec/extract_extradata_bsf.c @@ -78,7 +78,7 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt, ret = ff_h2645_packet_split(_pkt, pkt->data, pkt->size, ctx, 0, 0, ctx->par_in->codec_id, 1); if (ret < 0) -return ret; +goto fail; for (i = 0; i < h2645_pkt.nb_nals; i++) { H2645NAL *nal = _pkt.nals[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Nov 30 21:27:37 2017 +0100| [c8bbddf057e6f26df1f45bad15d1a339ad9289e6] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() Fixes: runtime error: left shift of negative value -127 Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c8bbddf057e6f26df1f45bad15d1a339ad9289e6 --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 46a0da2045..0623cfad89 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1355,7 +1355,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
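Review bot: Replacing `<< log2Wd` with `* (1 << log2Wd)` removes the left shift of a negative value, but the product is still computed in signed int, so it depends on `(ox0 + ox1 + 1)` and `log2Wd` staying small enough not to overflow. Their ranges are set outside this hunk, and a short comment stating the assumed bound would make that reviewable. The identical expression is patched in put_hevc_epel_bi_w_v by a separate commit on this page, and the 3.3.6 changelog lists the qpel variants as well. A shared helper macro for the rounding offset would keep the variants from drifting apart. The function body continues outside the hunk.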
[FFmpeg-cvslog] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 22 20:14:54 2017 +0100| [d5bdcd8a2702623af06a0db76a7f7f68f08c457b] | committer: Michael Niedermayer avcodec/kgv1dec: Check that there is enough input for maximum RLE compression Fixes: Timeout Fixes: 4271/clusterfuzz-testcase-4676667768307712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5bdcd8a2702623af06a0db76a7f7f68f08c457b --- libavcodec/kgv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index 5359411c76..a6bd9400ac 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, h = (buf[1] + 1) * 8; buf += 2; +if (avpkt->size < 2 + w*h / 513) +return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(>frame_buffer); av_freep(>last_frame_buffer); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
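Review bot: The constant 513 in `2 + w*h / 513` is unexplained, so nobody can later check whether the bound is tight or off by one. Going by the commit title it is presumably the most output pixels one input byte can produce under the RLE scheme; please confirm and record it, e.g. `/* 2 header bytes, then at most 513 output pixels per input byte */` or a named constant. Note that `buf[1]` has already been read by the time this check runs, so it does not stand in for a minimum packet-size check. Whether such a check exists is outside the hunk.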
[FFmpeg-cvslog] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
ffmpeg | branch: release/3.3 | Dale Curtis| Thu Nov 30 12:20:36 2017 -0800| [39db2f95145f6b13f77acd05bd684a7f81ccad1b] | committer: Michael Niedermayer avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. Didn't notice this one when 9648cc6d was landed. Signed-off-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39db2f95145f6b13f77acd05bd684a7f81ccad1b --- libavcodec/vorbis.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index f710c23450..aabd9bbd19 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) if (bits[p] > 32) return AVERROR_INVALIDDATA; for (i = 0; i < bits[p]; ++i) -exit_at_level[i+1] = 1 << i; +exit_at_level[i+1] = 1u << i; ++p; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in voice_factor()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Dec 7 15:32:54 2017 +0100| [3d297038a9ab1f518890491765a4771221a7b0cb] | committer: Michael Niedermayer avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d297038a9ab1f518890491765a4771221a7b0cb --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 57aed874cc..7f2874d35f 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -611,7 +611,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; -return (p_ener - f_ener) / (p_ener + f_ener); +return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
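Review bot: `0.01` is a double literal, so if p_ener and f_ener are float (their declarations are outside the hunk) the denominator and the division are now evaluated in double and narrowed on return. `0.01f` keeps the arithmetic in single precision, matching the float signature of voice_factor: `return (p_ener - f_ener) / (p_ener + f_ener + 0.01f);`. The bias also changes the result for every input, not only the zero-energy case. A comment next to the constant naming the 3GPP reference code cited in the commit message would stop it being "cleaned up" later.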
[FFmpeg-cvslog] avfilter/formats: fix wrong function name in error message
ffmpeg | branch: release/3.3 | Jun Zhao| Mon Dec 4 12:50:34 2017 +0800| [603845225cb3214d6107b22a8f884559c4b7ea9d] | committer: Michael Niedermayer avfilter/formats: fix wrong function name in error message Use perdefined micro __FUNCTION__ rather than hard coding function name to fix wrong function name in error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=603845225cb3214d6107b22a8f884559c4b7ea9d --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index d4de862237..20a2c89719 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ -av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ +av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
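Review bot: `__FUNCTION__` is a compiler extension; the standard spelling since C99 is `__func__`, which behaves the same here: `"Duplicate formats in %s detected\n", __func__`. Because the line sits inside a multi-line macro (note the `\` continuations), the name printed is that of whichever function expands the macro. That is what the commit intends, but a comment at the head of the macro should say so. The macro definition starts and ends outside the hunk.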
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Nov 17 22:01:29 2017 +0100| [fa29141e34c99763f091435f74c81d4fbb718fad] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() Fixes: runtime error: left shift of negative value -255 Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa29141e34c99763f091435f74c81d4fbb718fad --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index e09c661759..46a0da2045 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1407,7 +1407,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Nov 14 03:40:07 2017 +0100| [78a0356fae83e4b7624e11032663aaef45038d3b] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760 Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78a0356fae83e4b7624e11032663aaef45038d3b --- libavcodec/dirac_dwt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 35ed8857e9..f9a9e9e1b3 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ -(b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) +(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
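Review bot: The inner sum is now unsigned, but the outer `b2 - (...)` in COMPOSE_DD137iL0 is still a signed subtraction, and `-b0` is still negated as a signed int before it meets the unsigned terms. The COMPOSE_FIDELITYi* commit on this page had to add `(unsigned)b4` for that same outer operation, so the same treatment may be needed here if b2 can approach the int limits (the coefficient ranges are not visible): `((unsigned)(b2) - ((int)(-(unsigned)(b0) + 9U*b1 + 9U*b3 - b4 + 16) >> 5))`. The context macro just above, the one ending in `+ 8) >> 4`, has the same shape.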
[FFmpeg-cvslog] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 15 03:38:37 2017 +0100| [f4e25620a1fc815eceafebf6d3c8a52351b2049b] | committer: Michael Niedermayer avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() Fixes: runtime error: left shift of negative value -7862264 Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4e25620a1fc815eceafebf6d3c8a52351b2049b --- libavcodec/mlpdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index fbafa92d72..4e3a16c781 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xff) << mat_ch; if (is32) -*data_32++ = sample << 8; +*data_32++ = sample * 256; else *data_16++ = sample >> 8; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vc2enc: Clear coef_buf on allocation
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 15 16:53:34 2017 +0100| [066c65737682817611ad2f30a4895acb5f47629b] | committer: Michael Niedermayer avcodec/vc2enc: Clear coef_buf on allocation Fixes: Use of uninitialized memory Fixes: assertion failure Reviewed-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=066c65737682817611ad2f30a4895acb5f47629b --- libavcodec/vc2enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c index 745c6e974d..3dbdf57a12 100644 --- a/libavcodec/vc2enc.c +++ b/libavcodec/vc2enc.c @@ -1171,7 +1171,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx) p->dwt_width = w = FFALIGN(p->width, (1 << s->wavelet_depth)); p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth)); p->coef_stride = FFALIGN(p->dwt_width, 32); -p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); +p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef)); if (!p->coef_buf) goto alloc_fail; for (level = s->wavelet_depth-1; level >= 0; level--) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
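Review bot: The allocation size is still an open-coded product, `p->coef_stride*p->dwt_height*sizeof(dwtcoef)`, with no overflow check before it reaches the allocator. Both factors derive from the configured picture size (see the FFALIGN lines above), so an overflow-checked form is cheap insurance: `p->coef_buf = av_mallocz_array(p->dwt_height, p->coef_stride * sizeof(dwtcoef));`. Separately, zeroing the buffer hides the uninitialised read rather than identifying which coefficients are read before being written. A comment recording which region that is (presumably alignment padding, please confirm) would help. vc2_encode_init continues outside the hunk.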
[FFmpeg-cvslog] avcodec/h264dec: Fix potential array overread
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Oct 21 18:04:44 2017 +0200| [aac7ca7a36da5d1dfdd2aec3f52417ead783eaed] | committer: Michael Niedermayer avcodec/h264dec: Fix potential array overread add padding before scantable arrays See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a Signed-off-by: Michael Niedermayer (cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aac7ca7a36da5d1dfdd2aec3f52417ead783eaed --- libavcodec/h264dec.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264dec.h b/libavcodec/h264dec.h index e994f7e7fe..af3d98bb32 100644 --- a/libavcodec/h264dec.h +++ b/libavcodec/h264dec.h @@ -415,6 +415,7 @@ typedef struct H264Context { uint8_t (*mvd_table[2])[2]; uint8_t *direct_table; +uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
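Review bot: `scan_padding` carries no comment, yet the fix works only because the field sits immediately in front of `zigzag_scan` in the struct. Anyone reordering H264Context, or removing an apparently unused member, would silently bring the overread back. I would add `/* must stay directly before zigzag_scan: a reader accesses up to 16 bytes before the scan tables, see 522d850e */` (the 16-byte figure is taken from the array size; the reader is not shown here). Reading before an array into a neighbouring member is still outside the array object as far as the C standard is concerned, so the durable fix belongs in the code that forms the index. The struct definition continues outside the hunk.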
[FFmpeg-cvslog] avcodec/snowdec: Check intra block dc differences.
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Nov 15 21:17:15 2017 +0100| [488c2e8487e5dae6ddb27e2b75d0a9eb4155ea34] | committer: Michael Niedermayer avcodec/snowdec: Check intra block dc differences. Fixes: Timeout Fixes: 3142/clusterfuzz-testcase-5007853163118592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=488c2e8487e5dae6ddb27e2b75d0a9eb4155ea34 --- libavcodec/snowdec.c | 17 + 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 2b92ed3de0..af92cb0070 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(>c, >block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ +int ld, cbd, crd; pred_mv(s, , , 0, left, top, tr); -l += get_symbol(>c, >block_state[32], 1); +ld = get_symbol(>c, >block_state[32], 1); +if (ld < -255 || ld > 255) { +return AVERROR_INVALIDDATA; +} +l += ld; if (s->nb_planes > 2) { -cb+= get_symbol(>c, >block_state[64], 1); -cr+= get_symbol(>c, >block_state[96], 1); +cbd = get_symbol(>c, >block_state[64], 1); +crd = get_symbol(>c, >block_state[96], 1); +if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { +return AVERROR_INVALIDDATA; +} +cb += cbd; +cr += crd; } }else{ if(s->ref_frames > 1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/j2kenc: Fix out of array access in encode_cblk()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Nov 30 23:42:04 2017 +0100| [79ec6381151c0db5619555cc2d75988d8f8805f6] | committer: Michael Niedermayer avcodec/j2kenc: Fix out of array access in encode_cblk() Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0674087004538599797688785f6ac82358abc23b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79ec6381151c0db5619555cc2d75988d8f8805f6 --- libavcodec/j2kenc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c index c8d3861732..baaf47422c 100644 --- a/libavcodec/j2kenc.c +++ b/libavcodec/j2kenc.c @@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, Jpeg2000T1Context *t1, Jpeg20 cblk->npasses = passno; cblk->ninclpasses = passno; -cblk->passes[passno-1].rate = ff_mqc_flush_to(>mqc, cblk->passes[passno-1].flushed, >passes[passno-1].flushed_len); +if (passno) +cblk->passes[passno-1].rate = ff_mqc_flush_to(>mqc, cblk->passes[passno-1].flushed, >passes[passno-1].flushed_len); } /* tier-2 routines: */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 15 17:50:12 2017 +0100| [bdba0f6786d57356c2ead515338fb44754aa91c4] | committer: Michael Niedermayer avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bdba0f6786d57356c2ead515338fb44754aa91c4 --- libavcodec/hevc_sei.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index d4a82fd456..31813aae2c 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { +if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) +return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { +if (get_bits_left(gb) < 8 + 8LL*payload_size) +return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
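Review bot: The two loops are guarded differently and the reason is not written down. The payload_type loop has an explicit `payload_type > INT_MAX - 255` test, while the payload_size loop has none and relies on `get_bits_left(gb) < 8 + 8LL*payload_size` keeping payload_size small enough that adding one more byte cannot overflow. That argument holds while get_bits_left() returns an int, but it is indirect; a comment such as `/* the bits-left check bounds payload_size well below INT_MAX */` on the second loop makes it checkable. The first loop also requires 16 bits where it reads 8, presumably to reserve the size byte that follows, which deserves a word too. decode_nal_sei_message continues outside the hunk.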
[FFmpeg-cvslog] Update for 3.3.6
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Dec 30 21:13:19 2017 +0100| [54897d74663f2b3e440c200657718bab3273dc37] | committer: Michael Niedermayer Update for 3.3.6 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54897d74663f2b3e440c200657718bab3273dc37 --- Changelog| 63 RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 1c3a366dc5..4564611d77 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,69 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.6: +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- tests/audiomatch: Add missing return code at the end of main() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/extract_extradata_bsf: Fix leak discovered via fuzzing +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. 
+- Fix undefined shift on assumed 8-bit input. +- Use ff_thread_once for fixed, float table init. +- Fix leak of frame_duration_buffer in mov_fix_index(). +- avformat/mov: Propagate errors in mov_switch_root. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avformat/mov: Check size of STSC allocation +- avcodec/vc2enc: Clear coef_buf on allocation +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c() +- avcodec/aacdec_fixed: Fix undefined shift +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() +- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() +- avutil/softfloat: Add FLOAT_MIN +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avcodec/exr: fix undefined shift in pxr24_uncompress() +- avformat: Free the internal codec context at the end +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Improve overlapping check +- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() +- avcodec/aacdec_fixed: Fix integer overflow in predict() +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- lavfi/af_pan: 
fix sign handling in channel coefficient parser +- vc2enc_dwt: pad the temporary buffer by the slice siz version 3.3.5: - ffserver: Fix off by 1 error in path diff --git a/RELEASE b/RELEASE index fa7adc7ac7..9c25013dbb 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.3.5 +3.3.6 diff --git a/doc/Doxyfile b/doc/Doxyfile index 3a239ea70d..4f2b3dc57f 100644
[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 29 03:00:19 2017 +0100| [f2b83f4aba2b9e248fb62cdfffb0842332b0e068] | committer: Michael Niedermayer avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2b83f4aba2b9e248fb62cdfffb0842332b0e068 --- libavcodec/exr.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b4063f8fa4..7fa17ca887 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); if (s->is_tile) { -if (line_offset > buf_size - 20) +if (buf_size < 20 || line_offset > buf_size - 20) return AVERROR_INVALIDDATA; src = buf + line_offset + 20; @@ -1073,7 +1073,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, tileLevelY = AV_RL32(src - 8); data_size = AV_RL32(src - 4); -if (data_size <= 0 || data_size > buf_size) +if (data_size <= 0 || data_size > buf_size - line_offset - 20) return AVERROR_INVALIDDATA; if (tileLevelX || tileLevelY) { /* tile level, is not the full res level */ @@ -1106,7 +1106,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* uncompress size of the block */ } else { -if (line_offset > buf_size - 8) +if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; 
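Review bot: The new upper bound `buf_size - line_offset - 20` in the second hunk is only non-negative because the first hunk's `line_offset > buf_size - 20` check has already returned, and the same holds for `buf_size - line_offset - 8` in the fourth hunk relative to the third; nothing at either data_size check says so. The declarations are outside these hunks, but line_offset is loaded with AV_RL64, so the comparisons presumably mix signed and unsigned 64-bit operands, and a later reorder of the checks would turn the subtraction into a very large value instead of a rejection. A comment at each data_size check such as `/* line_offset + 20 <= buf_size was verified above, so the remainder cannot wrap */` would make that dependency explicit. decode_block() starts and ends outside the hunks.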
@@ -1116,7 +1116,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); -if (data_size <= 0 || data_size > buf_size) +if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Dec 26 23:24:45 2017 +0100| [2cde8dc055c0ffbd27e10f095598873328a21a72] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cde8dc055c0ffbd27e10f095598873328a21a72 --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 903aa3fe95..56cd9e605d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -915,7 +915,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -970,7 +970,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
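Review bot: The replacement `(ox0 + ox1 + 1) * (1 << log2Wd)` is written out by hand in both hunks (put_hevc_qpel_bi_w_h and put_hevc_qpel_bi_w_v), and the Changelog for this release lists the same shift fix for put_hevc_qpel_bi_w_hv, put_hevc_epel_bi_w_h and put_hevc_epel_bi_w_v as separate entries. One shared helper, for example `#define BI_W_OFFSET(ox0, ox1, log2Wd) (((ox0) + (ox1) + 1) * (1 << (log2Wd)))` (name constructed here), would fix every copy at once and leave none behind. Multiplying removes the left shift of a negative value, but the product can still overflow int if the offsets and log2Wd are large; their ranges are set outside the hunks, so a short comment stating the bound would help. The commit title names put_hevc_qpel_bi_w_w() while the second hunk patches put_hevc_qpel_bi_w_v(), which is worth keeping in mind when tracing which functions were covered. Both function bodies continue outside the hunks.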
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 22 03:06:14 2017 +0100| [1d9830cba30dfa1ff44f5227763e9d5257841854] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d9830cba30dfa1ff44f5227763e9d5257841854 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 50c8b1e394..f9828d95a4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ -(b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) +(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ -(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) +(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
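Review bot: In both rewritten macros only b2 gains parentheses; `-b0`, `9U*b1`, `9U*b3` and `- b4` still use the raw arguments, so an argument that is itself an expression would bind differently than intended. The leading `-b0` is also evaluated in the argument's own type before the unsigned arithmetic starts, which is presumably int here and would still overflow for the most negative value. I would write the inner sum as `(int)(-(unsigned)(b0) + 9U*(b1) + 9U*(b3) - (b4) + 8) >> 4` in COMPOSE_DD97iH0 and the same with `+ 16) >> 5` in COMPOSE_DD137iL0. The final `(int)` conversion of an out-of-range unsigned value is implementation-defined rather than undefined, which deserves a one-line comment above the macros.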
[FFmpeg-cvslog] libavfilter/af_dcshift.c: Fixed repeated spelling error
ffmpeg | branch: release/3.3 | Kelly Ledford| Tue Dec 12 11:31:23 2017 -0800| [b7c9f27ad6e8e3bb8693548da6901af20e128b0e] | committer: Michael Niedermayer libavfilter/af_dcshift.c: Fixed repeated spelling error 'threshhold' should be 'threshold' Signed-off-by: Kelly Ledford Signed-off-by: Michael Niedermayer (cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7c9f27ad6e8e3bb8693548da6901af20e128b0e --- libavfilter/af_dcshift.c | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c index 7332c12b19..5dbe40824c 100644 --- a/libavfilter/af_dcshift.c +++ b/libavfilter/af_dcshift.c @@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; -double limiterthreshhold; +double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx) { DCShiftContext *s = ctx->priv; -s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); +s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } 
@@ -106,14 +106,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) d = src[j]; -if (d > s->limiterthreshhold && dcshift > 0) { -d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; -} else if (d < -s->limiterthreshhold && dcshift < 0) { -d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; +if (d > s->limiterthreshold && dcshift > 0) { +d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; +} else if (d < -s->limiterthreshold && dcshift < 0) { +d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 15 13:06:30 2017 +0100| [badca11741ea9bd0b4aa1b3af69f38754d4c69e0] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=badca11741ea9bd0b4aa1b3af69f38754d4c69e0 --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 0623cfad89..4017af8eb0 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1051,7 +1051,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/flacdec: avoid undefined shift
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Dec 26 23:24:43 2017 +0100| [0da741ba6b30799d282554a8cec1b4b2859cc8b4] | committer: Michael Niedermayer avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0da741ba6b30799d282554a8cec1b4b2859cc8b4 --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 581c73efc8..5bbb8ee5b9 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } -if (wasted) { +if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
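Review bot: With `if (wasted && wasted < 32)` a subframe whose wasted count is 32 or more now skips the shift and carries on with unshifted samples, so input that triggered the undefined shift is decoded into output rather than rejected. Whether an earlier check in decode_subframe() already bounds wasted is not visible, since the function starts and ends outside the hunk. If such a value can reach this point, I would handle it explicitly, e.g. `if (wasted >= 32) return AVERROR_INVALIDDATA;` before the loop, or add a comment stating why leaving the samples untouched is the intended result.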
[FFmpeg-cvslog] tests/audiomatch: Add missing return code at the end of main()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Dec 19 21:05:40 2017 +0100| [7a5c73896394c3f53371b7c91f0da99dbf0c2ae2] | committer: Michael Niedermayer tests/audiomatch: Add missing return code at the end of main() Signed-off-by: Michael Niedermayer (cherry picked from commit 65da5c56e661a839e017db4c51c73d6f3d8a8fcb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a5c73896394c3f53371b7c91f0da99dbf0c2ae2 --- tests/audiomatch.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/audiomatch.c b/tests/audiomatch.c index ca56df09b3..9671789a37 100644 --- a/tests/audiomatch.c +++ b/tests/audiomatch.c @@ -107,4 +107,6 @@ int main(int argc, char **argv){ } } printf("presig: %d postsig:%d c:%7.4f lenerr:%d\n", bestpos, datlen - siglen - bestpos, bestc / sigamp, datlen - siglen); + +return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 15 18:17:13 2017 +0100| [41a706b9125c0c27dda50996723ceade871b0a9a] | committer: Michael Niedermayer avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41a706b9125c0c27dda50996723ceade871b0a9a --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index e27c54ed4b..3c22e30faa 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -635,8 +635,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } -if (k == CABAC_MAX_BIN) +if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); +return AVERROR_INVALIDDATA; +} while (k--) suffix_val += get_cabac_bypass(>HEVClc->cc) << k; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
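Review bot: ff_hevc_cu_qp_delta_abs() now returns AVERROR_INVALIDDATA from the `k == CABAC_MAX_BIN` branch, while by its name and the visible suffix_val accumulation it otherwise yields a magnitude, so a caller that uses the return value directly as a delta would take the negative error code as data. The callers are outside this hunk; they should test the result for `< 0` before using it, and the function's comment should state that a negative return is an error. The log text `"CABAC_MAX_BIN : %d\n"` also gives no context; something like `"cu_qp_delta_abs: suffix exceeds CABAC_MAX_BIN (%d)\n"` would be easier to act on. The function starts and ends outside the hunk.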
[FFmpeg-cvslog] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Dec 22 03:12:03 2017 +0100| [b66e3e321f64a659a534e520c5fad085e8c293f5] | committer: Michael Niedermayer avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b66e3e321f64a659a534e520c5fad085e8c293f5 --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 4017af8eb0..903aa3fe95 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -121,7 +121,7 @@ static void FUNC(dequant)(int16_t *coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { -*coeffs = *coeffs << -shift; +*coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
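Review bot: `*(uint16_t*)coeffs << -shift` reaches the unsigned value through a pointer cast where a value cast does the same job and is easier to read: `*coeffs = (uint16_t)*coeffs << -shift;`. Either form promotes the operand to int before shifting, so the expression is only defined while `-shift` stays small enough for the result to fit, and the range of shift is set outside the hunk; a comment stating that bound would help. The other shift fixes in this release use the `x * (1 << n)` form, so one idiom throughout hevcdsp_template.c would be more consistent. FUNC(dequant) starts and ends outside the hunk.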