[FFmpeg-cvslog] Changelog: update for the previous four commits

2018-01-30 Thread James Almer
ffmpeg | branch: release/3.4 | James Almer  | Tue Jan 30 
22:13:05 2018 -0300| [9b97afe7ad065fc840609c5302e594538026befc] | committer: 
James Almer

Changelog: update for the previous four commits

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b97afe7ad065fc840609c5302e594538026befc
---

 Changelog | 4 
 1 file changed, 4 insertions(+)

diff --git a/Changelog b/Changelog
index 98943a4bf6..45572de937 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,10 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 3.4.2:
+- avcodec/mediacodecdec: use ff_hevc_ps_uninit()
+- avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets()
+- avcodec/hevcdec: use ff_hevc_uninit_parameter_sets()
+- avcodec/hevc_ps: add a function to uninitialize parameter set buffers
 - avcodec/dirac_dwt: Fix several integer overflows
 - avcodec/indeo5: Do not leave frame_type set to an invalid value
 - avcodec/hevc_ps: Check log2_sao_offset_scale_*



[FFmpeg-cvslog] avcodec/hevc_ps: add a function to uninitialize parameter set buffers

2018-01-30 Thread James Almer
ffmpeg | branch: release/3.4 | James Almer  | Sat Jan 20 
16:54:15 2018 -0300| [64f0fd599845fb9e4db9ba51012792abaf38a9ea] | committer: 
James Almer

avcodec/hevc_ps: add a function to uninitialize parameter set buffers

Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer 
(cherry picked from commit 9462b2b8205397ea5972b2365c2e8db6872ef3e9)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64f0fd599845fb9e4db9ba51012792abaf38a9ea
---

 libavcodec/hevc_ps.c | 16 
 libavcodec/hevc_ps.h |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 2ab4c34013..6f3af2daec 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1709,6 +1709,22 @@ err:
 return ret;
 }
 
+void ff_hevc_ps_uninit(HEVCParamSets *ps)
+{
+int i;
+
+for (i = 0; i < FF_ARRAY_ELEMS(ps->vps_list); i++)
+av_buffer_unref(>vps_list[i]);
+for (i = 0; i < FF_ARRAY_ELEMS(ps->sps_list); i++)
+av_buffer_unref(>sps_list[i]);
+for (i = 0; i < FF_ARRAY_ELEMS(ps->pps_list); i++)
+av_buffer_unref(>pps_list[i]);
+
+ps->sps = NULL;
+ps->pps = NULL;
+ps->vps = NULL;
+}
+
 int ff_hevc_compute_poc(const HEVCSPS *sps, int pocTid0, int poc_lsb, int 
nal_unit_type)
 {
 int max_poc_lsb  = 1 << sps->log2_max_poc_lsb;
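Review bot: ff_hevc_ps_uninit() is added without a comment stating its contract, either here or on the new declaration in hevc_ps.h. The body unreferences every vps_list/sps_list/pps_list entry and then sets ps->sps, ps->pps and ps->vps to NULL; that matters to callers because those pointers presumably refer to data owned by the list buffers and would dangle otherwise. I would put something like `/** Unreference all VPS/SPS/PPS buffers in ps and clear the active vps/sps/pps pointers; ps itself is not freed. */` on the declaration. ps is dereferenced unchecked, so the comment should also say it must be non-NULL.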
diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h
index 76f8eb31e6..f19d022469 100644
--- a/libavcodec/hevc_ps.h
+++ b/libavcodec/hevc_ps.h
@@ -421,6 +421,8 @@ int ff_hevc_decode_nal_sps(GetBitContext *gb, 
AVCodecContext *avctx,
 int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
HEVCParamSets *ps);
 
+void ff_hevc_ps_uninit(HEVCParamSets *ps);
+
 int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
   ShortTermRPS *rps, const HEVCSPS *sps, int 
is_slice_header);
 



[FFmpeg-cvslog] avcodec/hevcdec: use ff_hevc_uninit_parameter_sets()

2018-01-30 Thread James Almer
ffmpeg | branch: release/3.4 | James Almer  | Sat Jan 20 
16:54:51 2018 -0300| [d7d5a3379dfe35422b894d7ce1039c4cff0581f6] | committer: 
James Almer

avcodec/hevcdec: use ff_hevc_uninit_parameter_sets()

Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer 
(cherry picked from commit 1f0cf1b2f4ef6304c343d53508193ac4b5d9c1d2)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d7d5a3379dfe35422b894d7ce1039c4cff0581f6
---

 libavcodec/hevcdec.c | 10 +-
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 2e4add2ae3..67ac9ab262 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3215,15 +3215,7 @@ static av_cold int hevc_decode_free(AVCodecContext 
*avctx)
 av_frame_free(>DPB[i].frame);
 }
 
-for (i = 0; i < FF_ARRAY_ELEMS(s->ps.vps_list); i++)
-av_buffer_unref(>ps.vps_list[i]);
-for (i = 0; i < FF_ARRAY_ELEMS(s->ps.sps_list); i++)
-av_buffer_unref(>ps.sps_list[i]);
-for (i = 0; i < FF_ARRAY_ELEMS(s->ps.pps_list); i++)
-av_buffer_unref(>ps.pps_list[i]);
-s->ps.sps = NULL;
-s->ps.pps = NULL;
-s->ps.vps = NULL;
+ff_hevc_ps_uninit(>ps);
 
 av_freep(>sh.entry_point_offset);
 av_freep(>sh.offset);



[FFmpeg-cvslog] avcodec/mediacodecdec: use ff_hevc_ps_uninit()

2018-01-30 Thread James Almer
ffmpeg | branch: release/3.4 | James Almer  | Sat Jan 20 
16:55:17 2018 -0300| [af54886de8ab5845bef6f67431f1ef8f68b9f58d] | committer: 
James Almer

avcodec/mediacodecdec: use ff_hevc_ps_uninit()

Fixes memleaks.

Signed-off-by: James Almer 
(cherry picked from commit 782e066e3e3d8015d6d64c47cda0925c10aebe08)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af54886de8ab5845bef6f67431f1ef8f68b9f58d
---

 libavcodec/mediacodecdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index 6962ce2474..366c039de4 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -256,6 +256,8 @@ static int hevc_set_extradata(AVCodecContext *avctx, 
FFAMediaFormat *format)
 }
 
 done:
+ff_hevc_ps_uninit();
+
 av_freep(_data);
 av_freep(_data);
 av_freep(_data);
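Review bot: The uninit call sits under the `done:` label, so it runs on every exit path, including any `goto done` taken before the parameter sets were filled in. That is only safe if the structure is zero-initialised before the first jump; hevc_set_extradata() starts outside the hunk, so this cannot be confirmed from here (the call's argument is also not legible in this archive copy). If the initialisation does not happen at the very top of the function, an early error would unreference uninitialised pointers. A one-line comment at the label, e.g. `/* the parameter sets are zeroed at entry, so this is safe on early error paths */`, would record the invariant.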



[FFmpeg-cvslog] avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets()

2018-01-30 Thread James Almer
ffmpeg | branch: release/3.4 | James Almer  | Sat Jan 20 
16:55:00 2018 -0300| [e5bbb52194411320209f95ac9cac5bd6c34b575a] | committer: 
James Almer

avcodec/hevc_parser: use ff_hevc_uninit_parameter_sets()

Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer 
(cherry picked from commit 2159d4bbc3e69d04242e87bac13ebea8b942d94d)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5bbb52194411320209f95ac9cac5bd6c34b575a
---

 libavcodec/hevc_parser.c | 11 +--
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c
index dc63c6b954..3bef236983 100644
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@@ -359,17 +359,8 @@ static int hevc_split(AVCodecContext *avctx, const uint8_t 
*buf, int buf_size)
 static void hevc_parser_close(AVCodecParserContext *s)
 {
 HEVCParserContext *ctx = s->priv_data;
-int i;
-
-for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.vps_list); i++)
-av_buffer_unref(>ps.vps_list[i]);
-for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.sps_list); i++)
-av_buffer_unref(>ps.sps_list[i]);
-for (i = 0; i < FF_ARRAY_ELEMS(ctx->ps.pps_list); i++)
-av_buffer_unref(>ps.pps_list[i]);
-
-ctx->ps.sps = NULL;
 
+ff_hevc_ps_uninit(>ps);
 ff_h2645_packet_uninit(>pkt);
 ff_hevc_reset_sei(>sei);
 



[FFmpeg-cvslog] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Jan 15 23:42:57 2018 +0100| [edf200e2bc9a98de57782fe0b611a4666e2d66d6] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edf200e2bc9a98de57782fe0b611a4666e2d66d6
---

 libavcodec/hevc_cabac.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 5b5da1165a..743168500c 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -990,16 +990,19 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 
 while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc))
 prefix++;
-if (prefix == CABAC_MAX_BIN) {
-av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
-return 0;
-}
+
 if (prefix < 3) {
 for (i = 0; i < rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);
 last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix;
 } else {
 int prefix_minus3 = prefix - 3;
+
+if (prefix == CABAC_MAX_BIN) {
+av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+return 0;
+}
+
 for (i = 0; i < prefix_minus3 + rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);
 last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1)
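Review bot: The relocated error branch still does `return 0;`, which a caller cannot tell apart from a legitimately decoded remaining level of 0, so a stream whose unary prefix never terminates keeps decoding with a made-up coefficient. Moving the test into the `else` arm is equivalent only while CABAC_MAX_BIN is at least 3, and its definition is not visible in the hunk. I would record both facts next to the check, e.g. `/* prefix >= 3 here; CABAC_MAX_BIN means the prefix loop hit its cap (corrupt data), 0 is a placeholder */`. The function's signature and tail are outside the hunk, so whether an error code could be propagated instead is not visible from here.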



[FFmpeg-cvslog] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Jan 20 04:10:50 2018 +0100| [6ed5e44998ed59d8525661c8d6443e371b13c62d] | 
committer: Michael Niedermayer

avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()

Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented 
in type 'int'
Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ed5e44998ed59d8525661c8d6443e371b13c62d
---

 libavcodec/truemotion2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index f077f0e4bd..97c38f7f08 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type)
 
 /* recalculate last and delta values for next blocks */
 #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\
-CD[0] = CHR[1] - last[1];\
-CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\
+CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\
+CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\
 last[0] = (int)CHR[stride + 0];\
 last[1] = (int)CHR[stride + 1];}
 
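Review bot: The new `(unsigned)` casts in TM2_RECALC_BLOCK make the subtraction wrap instead of overflowing, but nothing in the macro says that the wrapped difference is then stored back into CD[], whose element type is not visible here and is presumably signed. That conversion is implementation-defined rather than undefined, and for corrupt input the stored delta can be far outside any plausible range, so later users of CD[] and last[] must not assume bounded values. A comment above the macro such as `/* differences are computed modulo 2^32 on purpose; fuzzed input can produce wrapped deltas */` would keep someone from simplifying the casts away. The two changed lines also differ in spacing (`CHR[ 1]`, `(unsigned) CHR[1]`) from the `(int)` casts kept below.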



[FFmpeg-cvslog] avcodec/dxtory: Fix bits left checks

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Jan 22 14:02:59 2018 +0100| [c1b74d608c6e0c0a9fcd3ae6c4a21e96026ac905] | 
committer: Michael Niedermayer

avcodec/dxtory: Fix bits left checks

Fixes: Timeout
Fixes: 4863/clusterfuzz-testcase-6347354178322432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1b74d608c6e0c0a9fcd3ae6c4a21e96026ac905
---

 libavcodec/dxtory.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index 6f8652ad49..e736cec8db 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame 
*frame,
 int stride   = frame->linesize[0];
 uint8_t *dst = frame->data[0] + stride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 b = decode_sym_565(gb, lru[0], 5);
 g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
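Review bot: The new loop bound `get_bits_left(gb) > 6 * width` replaces the constant 16 with a per-row estimate, but the factor is a bare literal with no explanation; the same applies to the `6 * width` in dx2_decode_slice_rgb, dx2_decode_slice_420 and dx2_decode_slice_444 and to the `9 * width` in dx2_decode_slice_410. From the visible loop bodies it looks as if a minimum of two bits per decoded symbol is assumed, but that is inferred, not stated. A short comment or a named constant at each site, e.g. `/* at least 2 bits per symbol, 3 symbols per pixel */`, would let a reader check the bound against decode_sym(). What the functions return when the test stops the loop early is outside the hunks.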
@@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame 
*frame,
 int stride   = frame->linesize[0];
 uint8_t *dst = frame->data[0] + stride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 dst[x * 3 + 0] = decode_sym(gb, lru[0]);
 dst[x * 3 + 1] = decode_sym(gb, lru[1]);
@@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *U  = frame->data[1] + (ustride >> 2) * line;
 uint8_t *V  = frame->data[2] + (vstride >> 2) * line;
 
-for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
+for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
 for (x = 0; x < width; x += 4) {
 for (j = 0; j < 4; j++)
 for (i = 0; i < 4; i++)
@@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *V  = frame->data[2] + (vstride >> 1) * line;
 
 
-for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
+for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
 for (x = 0; x < width; x += 2) {
 Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
 Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
@@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *U  = frame->data[1] + ustride * line;
 uint8_t *V  = frame->data[2] + vstride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 Y[x] = decode_sym(gb, lru[0]);
 U[x] = decode_sym(gb, lru[1]) ^ 0x80;



[FFmpeg-cvslog] Update for 3.4.2

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan 31 01:09:12 2018 +0100| [dd93df46a618c442ead15cc90d8b236d5e1894a9] | 
committer: Michael Niedermayer

Update for 3.4.2

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dd93df46a618c442ead15cc90d8b236d5e1894a9
---

 Changelog| 46 ++
 RELEASE  |  2 +-
 doc/Doxyfile |  2 +-
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index d9f6b8a87a..98943a4bf6 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,52 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.4.2:
+- avcodec/dirac_dwt: Fix several integer overflows
+- avcodec/indeo5: Do not leave frame_type set to an invalid value
+- avcodec/hevc_ps: Check log2_sao_offset_scale_*
+- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
+- avcodec/get_bits: Document the return code of get_vlc2()
+- avcodec/mpeg4videodec: Check mb_num also against 0
+- avfilter/vf_transpose: Fix used plane count.
+- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in 
coeff_abs_level_remaining_decode()
+- avcodec/mjpegdec: Fix integer overflow in DC dequantization
+- avcodec/dxtory: Fix bits left checks
+- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() 
down
+- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
+- avcodec/snowdec: Fix integer overflow before htaps check
+- avcodec/ulti: Check number of blocks at init
+- avcodec/wavpack: Fix integer overflows in wv_unpack_stereo / mono
+- avcodec/jpeg2000: Check sum of sizes of band->prec before allocating
+- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
+- avformat/lrcdec: Fix memory leak in lrc_read_header()
+- avformat/matroskadec: Fix float-cast-overflow undefined behavior in 
matroska_parse_tracks()
+- lavfi/deinterlace_vaapi: fix can't show full option information.
+- configure:version 3.4.1: bump year
+- avcodec/utils: Avoid hardcoding duplicated types in sizeof()
+- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in 
one
+- avcodec/h264addpx_template: Fixes integer overflows
+- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
+- avcodec/diracdec: Fix integer overflow with quant
+- avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
+- avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
+- avcodec/h264_slice: Do not attempt to render into frames already output
+- avcodec/dnxhddec: Check dc vlc
+- avcodec/exr: Check buf_size more completely
+- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
+- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and 
put_hevc_qpel_bi_w_w()
+- avcodec/flacdec: avoid undefined shift
+- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and 
COMPOSE_DD137iL0()
+- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
+- tests/audiomatch: Add missing return code at the end of main()
+- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
+- avcodec/h264_parse: Treat escaped and unescaped decoding error equal in 
decode_extradata_ps_mp4()
+- avcodec/vp9: mark frame as finished on decode_tiles() failure
+- libavfilter/af_dcshift.c: Fixed repeated spelling error
+- avfilter/formats: fix wrong function name in error message
+
 version 3.4.1:
 - avcodec/vp9_superframe_split_bsf: Fix integer overflow in 
frame_size/total_size checks
 - avcodec/amrwbdec: Fix division by 0 in voice_factor()
diff --git a/RELEASE b/RELEASE
index 47b322c971..4d9d11cf50 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.4.1
+3.4.2
diff --git a/doc/Doxyfile b/doc/Doxyfile
index ca68f1aad6..4f0c5ab628 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME   = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER = 3.4.1
+PROJECT_NUMBER = 3.4.2
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a



[FFmpeg-cvslog] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 28 02:29:02 2018 +0100| [d07f78ae726bbc8cde010f530676e53468acfa53] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Avoid possibly aliasing violating casts

Found-by: kierank
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d07f78ae726bbc8cde010f530676e53468acfa53
---

 libavcodec/mpeg4videodec.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index afa41a8641..d0162d1074 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1251,10 +1251,12 @@ not_coded:
  */
 static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])
 {
-Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+Mpeg4DecContext *ctx = s->avctx->priv_data;
 int cbp, mb_type;
 const int xy = s->mb_x + s->mb_y * s->mb_stride;
 
+av_assert2(s == (void*)ctx);
+
 mb_type = s->current_picture.mb_type[xy];
 cbp = s->cbp_table[xy];
 
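Review bot: `av_assert2(s == (void*)ctx);` is the only thing tying the new `s->avctx->priv_data` lookup to the old cast, and av_assert2() is compiled out unless the build raises the assert level. In a normal build, if s->avctx ever refers to a context whose priv_data is a different object (whether that can happen, for example with per-thread copies, is not visible from the hunk), ctx would silently point at the wrong decoder state. The same pattern is added in mpeg4_decode_mb() in the next hunk, where the assert is also spaced differently (`s ==  (void*)ctx`). A comment at both sites, e.g. `/* same object as s; fetched via priv_data to avoid the aliasing cast */`, would explain why the indirection is there.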
@@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext 
*s, int16_t block[6][64])
 
 static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64])
 {
-Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+Mpeg4DecContext *ctx = s->avctx->priv_data;
 int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant;
 int16_t *mot_val;
 static const int8_t quant_tab[4] = { -1, -2, 1, 2 };
 const int xy = s->mb_x + s->mb_y * s->mb_stride;
 
+av_assert2(s ==  (void*)ctx);
 av_assert2(s->h263_pred);
 
 if (s->pict_type == AV_PICTURE_TYPE_P ||



[FFmpeg-cvslog] avcodec/mpeg4videodec: Check mb_num also against 0

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 28 02:29:00 2018 +0100| [6723a436095f76f6d1edec4de21b2a0b47954067] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Check mb_num also against 0

The spec implies that 0 is invalid in addition to the existing checks

Found-by: 
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6723a436095f76f6d1edec4de21b2a0b47954067
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 8eafc783b8..afa41a8641 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext 
*ctx)
 }
 
 mb_num = get_bits(>gb, mb_num_bits);
-if (mb_num >= s->mb_num) {
+if (mb_num >= s->mb_num || !mb_num) {
 av_log(s->avctx, AV_LOG_ERROR,
"illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num);
 return -1;
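Review bot: The reason for rejecting `mb_num == 0` exists only in the commit message; the condition itself carries no comment, so the next reader cannot tell a deliberate spec check from a defensive guess. A line above the test such as `/* the spec implies mb_num 0 is invalid in a video packet header */` would do. The branch also keeps the existing `return -1;` rather than a named error code; that line is context here, and the rest of ff_mpeg4_decode_video_packet_header() is outside the hunk.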



[FFmpeg-cvslog] avcodec/get_bits: Document the return code of get_vlc2()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 28 02:29:01 2018 +0100| [cd478122b0a05abaf82d96da2c9eb2d00635f72e] | 
committer: Michael Niedermayer

avcodec/get_bits: Document the return code of get_vlc2()

Found-by: kierank
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd478122b0a05abaf82d96da2c9eb2d00635f72e
---

 libavcodec/get_bits.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index c530015169..0c7f5ff0c6 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -550,6 +550,7 @@ static inline const uint8_t *align_get_bits(GetBitContext 
*s)
  * @param max_depth is the number of times bits bits must be read to completely
  *  read the longest vlc code
  *  = (max_vlc_length + bits - 1) / bits
+ * @returns the code parsed or -1 if no vlc matches
  */
 static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2],
  int bits, int max_depth)



[FFmpeg-cvslog] avcodec/indeo5: Do not leave frame_type set to an invalid value

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Jan 26 00:24:49 2018 +0100| [d06972535e4890f503e82ffe245cc0f859b762ce] | 
committer: Michael Niedermayer

avcodec/indeo5: Do not leave frame_type set to an invalid value

Fixes: null pointer dereference
Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d06972535e4890f503e82ffe245cc0f859b762ce
---

 libavcodec/indeo5.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 81b4514038..b39cffd9a9 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
 ctx->frame_type  = get_bits(>gb, 3);
 if (ctx->frame_type >= 5) {
 av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", 
ctx->frame_type);
+ctx->frame_type = FRAMETYPE_INTRA;
 return AVERROR_INVALIDDATA;
 }
 
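Review bot: The added `ctx->frame_type = FRAMETYPE_INTRA;` has no comment, and without one it reads like a mistake: the error path overwrites the field it has just reported as invalid. According to the commit message the out-of-range value left in the context led to a NULL dereference later, so the line exists to keep the context consistent after the function returns AVERROR_INVALIDDATA. I would say so in place, e.g. `/* never leave an out-of-range frame_type in the context after an error */`. Parsing into a local and storing it only after the range check would avoid the placeholder value, but whether the previous frame_type is still needed at that point is outside the hunk.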



[FFmpeg-cvslog] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Jan 15 23:46:44 2018 +0100| [11498c22a0db9ed08027405e5d6a4ba7c1e41418] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in 
coeff_abs_level_remaining_decode()

I suspect that this can be limited tighter, but i failed to find anything
in the spec that would confirm that.

Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584
Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented 
in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11498c22a0db9ed08027405e5d6a4ba7c1e41418
---

 libavcodec/hevc_cabac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 743168500c..faa36d5459 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -998,7 +998,7 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 } else {
 int prefix_minus3 = prefix - 3;
 
-if (prefix == CABAC_MAX_BIN) {
+if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
 return 0;
 }
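Review bot: When the new `prefix_minus3 + rc_rice_param >= 31` half of the condition fires, the log line still prints `"CABAC_MAX_BIN : %d\n"`, which points triage at the wrong cause. The literal 31 is also unexplained; it appears to be the number of value bits in a signed 32-bit int, tied to the shift loop that follows the hunk. I would log both operands, e.g. `av_log(s->avctx, AV_LOG_ERROR, "invalid prefix %d (rice param %d)\n", prefix, rc_rice_param);`, and add `/* keep every shift below within a signed 32-bit int */` above the test. The commit message itself says the limit could probably be tighter, which is worth keeping as a TODO in the code.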



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix several integer overflows

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Jan 25 23:14:37 2018 +0100| [c1c50fc4a75492b97ac616ea3d393627b9648795] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix several integer overflows

Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot 
be represented in type 'int'
Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1c50fc4a75492b97ac616ea3d393627b9648795
---

 libavcodec/dirac_dwt.h  | 4 ++--
 libavcodec/dirac_dwt_template.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 1af41e0702..68ebd19560 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 
 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
-(b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
+(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))
 
 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
-(b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
+(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
 (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
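Review bot: With the added `(unsigned)` cast, COMPOSE_53iL0 and COMPOSE_DIRAC53iH0 now evaluate to an unsigned value, while COMPOSE_DD97iH0 just below casts its result back with `(int)(...)`. Any user that compares, divides or right-shifts the macro result instead of assigning it straight to a signed lvalue would change behaviour; the users are outside the hunk. Wrapping the whole expression keeps the wraparound but restores the type, e.g. `((int)((b1) - (unsigned)((int)((b0) + (unsigned)(b2) + 2) >> 2)))`, which also parenthesizes the arguments. The dirac_dwt_template.c hunk applies the same cast inside a `-=`, where the assignment converts the result back.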
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index e436c247a1..e68cc4d530 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, 
uint8_t *_b1, uint8_t *_
 TYPE *b1 = (TYPE *)_b1;
 TYPE *b2 = (TYPE *)_b2;
 for (i = 0; i < width; i++)
-b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
+b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
 }
 
 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE 
*src1, int w2,



[FFmpeg-cvslog] avfilter/vf_transpose: Fix used plane count.

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan 24 19:38:05 2018 +0100| [2980b95fafb39148cfade120eab5c75b46bfffc6] | 
committer: Michael Niedermayer

avfilter/vf_transpose: Fix used plane count.

Fixes out of array access
Fixes: poc.mp4

Found-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235)
(cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2980b95fafb39148cfade120eab5c75b46bfffc6
---

 libavfilter/vf_transpose.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c
index 982fb0c8ca..3ff4cb4249 100644
--- a/libavfilter/vf_transpose.c
+++ b/libavfilter/vf_transpose.c
@@ -27,6 +27,7 @@
 
 #include 
 
+#include "libavutil/avassert.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
@@ -54,6 +55,7 @@ enum TransposeDir {
 typedef struct TransContext {
 const AVClass *class;
 int hsub, vsub;
+int planes;
 int pixsteps[4];
 
 int passthrough;///< PassthroughType, landscape passthrough mode 
enabled
@@ -215,6 +217,10 @@ static int config_props_output(AVFilterLink *outlink)
 
 s->hsub = desc_in->log2_chroma_w;
 s->vsub = desc_in->log2_chroma_h;
+s->planes = av_pix_fmt_count_planes(outlink->format);
+
+av_assert0(desc_in->nb_components == desc_out->nb_components);
+
 
 av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out);
 
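Review bot: `s->planes = av_pix_fmt_count_planes(outlink->format);` stores the result unchecked, and that function returns a negative error code for a pixel format it does not know. The loop in the last hunk runs while `plane < s->planes`, so a negative count would skip every plane instead of reporting a configuration error; adding `if (s->planes < 0) return s->planes;` right after the assignment reports it. The following `av_assert0(desc_in->nb_components == desc_out->nb_components);` aborts the process if it ever fails, so it deserves a comment saying why the two descriptors must match. config_props_output() begins and ends outside the hunk.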
@@ -272,7 +278,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, 
int jobnr,
 AVFrame *in = td->in;
 int plane;
 
-for (plane = 0; out->data[plane]; plane++) {
+for (plane = 0; plane < s->planes; plane++) {
 int hsub= plane == 1 || plane == 2 ? s->hsub : 0;
 int vsub= plane == 1 || plane == 2 ? s->vsub : 0;
 int pixstep = s->pixsteps[plane];



[FFmpeg-cvslog] avcodec/hevc_ps: Check log2_sao_offset_scale_*

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan 24 03:15:23 2018 +0100| [93437a18d878f3924199a3dba5082aa3d09a3094] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Check log2_sao_offset_scale_*

Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768
Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93437a18d878f3924199a3dba5082aa3d09a3094
---

 libavcodec/hevc_ps.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 902917d4dd..2ab4c34013 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1324,6 +1324,11 @@ static int pps_range_extensions(GetBitContext *gb, 
AVCodecContext *avctx,
 pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
 pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);
 
+if (   pps->log2_sao_offset_scale_luma   > FFMAX(sps->bit_depth- 
10, 0)
+|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 
10, 0)
+)
+return AVERROR_INVALIDDATA;
+
 return(0);
 }
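Review bot: The new range check reads `pps->log2_sao_offset_scale_luma` and `pps->log2_sao_offset_scale_chroma` back after they were assigned from `get_ue_golomb_long()`, so it validates whatever the field type kept rather than the value that was parsed. The fields are declared outside this hunk; if they are narrower than the parsed value, an oversized code could be truncated into the allowed range before the comparison. Parsing into locals, checking them and only then storing removes the dependency on the field width. pps_range_extensions starts outside the hunk.

```c
unsigned sao_scale_luma, sao_scale_chroma;
/* … unchanged: earlier range-extension fields … */
sao_scale_luma   = get_ue_golomb_long(gb);
sao_scale_chroma = get_ue_golomb_long(gb);

if (   sao_scale_luma   > FFMAX(sps->bit_depth        - 10, 0)
    || sao_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0))
    return AVERROR_INVALIDDATA;

pps->log2_sao_offset_scale_luma   = sao_scale_luma;
pps->log2_sao_offset_scale_chroma = sao_scale_chroma;
```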
 



[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in DC dequantization

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan 24 03:28:49 2018 +0100| [2fdb27b5123d9a74d819ea8b019be878df5942ba] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Fix integer overflow in DC dequantization

Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be 
represented in type 'int'
Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2fdb27b5123d9a74d819ea8b019be878df5942ba
---

 libavcodec/mjpegdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 5b2409755c..3455126cac 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -715,7 +715,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t 
*block, int component,
 av_log(s->avctx, AV_LOG_ERROR, "error dc\n");
 return AVERROR_INVALIDDATA;
 }
-val = val * quant_matrix[0] + s->last_dc[component];
+val = val * (unsigned)quant_matrix[0] + s->last_dc[component];
 val = av_clip_int16(val);
 s->last_dc[component] = val;
 block[0] = val;
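Review bot: The `(unsigned)` cast on `quant_matrix[0]` is there to make the DC multiply wrap instead of overflowing a signed int, but nothing at the site says so and a later cleanup could drop it as redundant. A one-line comment above the assignment, such as `/* unsigned: avoid signed overflow on corrupt DC values; clipped below */`, would record the reason. The wrapped result is assigned back to `val` and then narrowed by `av_clip_int16()`, so for out-of-range input the stored DC is defined but not meaningful. decode_block starts and ends outside the hunk.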



[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflows in wv_unpack_stereo / mono

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 14 00:39:41 2018 +0100| [bae4d39437fea9a7bd3bb30d161f0a23dc862c55] | 
committer: Michael Niedermayer

avcodec/wavpack: Fix integer overflows in wv_unpack_stereo / mono

Fixes: runtime error: signed integer overflow: 2146276249 + 1487583 cannot be 
represented in type 'int'
Fixes: 4823/clusterfuzz-testcase-minimized-4551896611160064

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 83e34ae3c2b36e7b20169a8866e3f49294db1f5a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bae4d39437fea9a7bd3bb30d161f0a23dc862c55
---

 libavcodec/wavpack.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index a117e8aa81..d5e1e07b74 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -433,8 +433,8 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, 
GetBitContext *gb,
 L2 = L + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10);
 R2 = R + ((s->decorr[i].weightB * (int64_t)B + 512) >> 10);
 } else {
-L2 = L + ((int)(s->decorr[i].weightA * (unsigned)A + 512) 
>> 10);
-R2 = R + ((int)(s->decorr[i].weightB * (unsigned)B + 512) 
>> 10);
+L2 = L + (unsigned)((int)(s->decorr[i].weightA * 
(unsigned)A + 512) >> 10);
+R2 = R + (unsigned)((int)(s->decorr[i].weightB * 
(unsigned)B + 512) >> 10);
 }
 if (A && L)
 s->decorr[i].weightA -= L ^ A) >> 30) & 2) - 1) * 
s->decorr[i].delta;
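Review bot: The same cast chain, `(unsigned)((int)(weight * (unsigned)x + 512) >> 10)`, is now written out six times across these hunks (twice here, once in each of the three later wv_unpack_stereo hunks, and once in wv_unpack_mono), which makes it easy for one copy to drift from the others. A small helper, for example `#define WV_PRED16(w, x) ((unsigned)((int)((w) * (unsigned)(x) + 512) >> 10))`, would keep the overflow-safe form in one place. The inner `(int)... >> 10` still relies on an arithmetic right shift of a negative value, which is implementation-defined, so a comment next to the helper should say that this is intended. Both functions start and end outside the hunks.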
@@ -446,7 +446,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, 
GetBitContext *gb,
 if (type != AV_SAMPLE_FMT_S16P)
 L2 = L + ((s->decorr[i].weightA * 
(int64_t)s->decorr[i].samplesA[0] + 512) >> 10);
 else
-L2 = L + ((int)(s->decorr[i].weightA * 
(unsigned)s->decorr[i].samplesA[0] + 512) >> 10);
+L2 = L + (unsigned)((int)(s->decorr[i].weightA * 
(unsigned)s->decorr[i].samplesA[0] + 512) >> 10);
 UPDATE_WEIGHT_CLIP(s->decorr[i].weightA, s->decorr[i].delta, 
s->decorr[i].samplesA[0], L);
 L = L2;
 if (type != AV_SAMPLE_FMT_S16P)
@@ -460,7 +460,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, 
GetBitContext *gb,
 if (type != AV_SAMPLE_FMT_S16P)
 R2 = R + ((s->decorr[i].weightB * 
(int64_t)s->decorr[i].samplesB[0] + 512) >> 10);
 else
-R2 = R + ((int)(s->decorr[i].weightB * 
(unsigned)s->decorr[i].samplesB[0] + 512) >> 10);
+R2 = R + (unsigned)((int)(s->decorr[i].weightB * 
(unsigned)s->decorr[i].samplesB[0] + 512) >> 10);
 UPDATE_WEIGHT_CLIP(s->decorr[i].weightB, s->decorr[i].delta, 
s->decorr[i].samplesB[0], R);
 R = R2;
 
@@ -472,7 +472,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, 
GetBitContext *gb,
 if (type != AV_SAMPLE_FMT_S16P)
 L2 = L + ((s->decorr[i].weightA * (int64_t)R2 + 512) >> 
10);
 else
-L2 = L + ((int)(s->decorr[i].weightA * (unsigned)R2 + 512) 
>> 10);
+L2 = L + (unsigned)((int)(s->decorr[i].weightA * 
(unsigned)R2 + 512) >> 10);
 UPDATE_WEIGHT_CLIP(s->decorr[i].weightA, s->decorr[i].delta, 
R2, L);
 L= L2;
 s->decorr[i].samplesB[0] = L;
@@ -554,7 +554,7 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, 
GetBitContext *gb,
 if (type != AV_SAMPLE_FMT_S16P)
 S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10);
 else
-S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 
10);
+S = T + (unsigned)((int)(s->decorr[i].weightA * (unsigned)A + 
512) >> 10);
 if (A && T)
 s->decorr[i].weightA -= T ^ A) >> 30) & 2) - 1) * 
s->decorr[i].delta;
 s->decorr[i].samplesA[j] = T = S;



[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 14 00:39:39 2018 +0100| [56b0179b6a030f1d3b0bcad101d05d01583aad38] | 
committer: Michael Niedermayer

avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()

Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be 
represented in type 'int'
Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56b0179b6a030f1d3b0bcad101d05d01583aad38
---

 libavcodec/ac3dec_fixed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index 9a6d7a08b1..bd66175d50 100644
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@@ -64,8 +64,8 @@ static void scale_coefs (
 int dynrng,
 int len)
 {
-int i, shift, round;
-unsigned mul;
+int i, shift;
+unsigned mul, round;
 int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;
 
 mul = (dynrng & 0x1f) + 0x20;
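Review bot: Making `round` unsigned turns every expression that mixes it with the `int` temporaries into unsigned arithmetic, and the uses of `round` are all outside this hunk. Wherever a sum containing `round` is shifted right before being stored back into an `int`, the shift would now be logical rather than arithmetic and negative coefficients would come out wrong, so each use is worth checking. A comment on the declaration, e.g. `/* unsigned so that temp + round wraps instead of overflowing */`, would also explain why its type differs from `shift`. scale_coefs continues outside the hunk.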



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow before htaps check

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Jan 15 03:03:36 2018 +0100| [aed915b8a62cd7be2a8eb5261cc29df824f8d874] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow before htaps check

Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be 
represented in type 'int'
Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aed915b8a62cd7be2a8eb5261cc29df824f8d874
---

 libavcodec/snowdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index a9bdb8da5e..0146a2a4c9 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){
 int htaps, i, sum=0;
 Plane *p= >plane[plane_index];
 p->diag_mc= get_rac(>c, s->header_state);
-htaps= get_symbol(>c, s->header_state, 0)*2 + 2;
-if((unsigned)htaps >= HTAPS_MAX || htaps==0)
+htaps= get_symbol(>c, s->header_state, 0);
+if((unsigned)htaps >= HTAPS_MAX/2 - 1)
 return AVERROR_INVALIDDATA;
+htaps = htaps*2 + 2;
 p->htaps= htaps;
 for(i= htaps/2; i; i--){
 p->hcoeff[i]= get_symbol(>c, s->header_state, 0) * 
(1-2*(i&1));
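Review bot: The new bound `HTAPS_MAX/2 - 1` is the old `htaps >= HTAPS_MAX || htaps==0` test rewritten in terms of the raw symbol, but the derivation is not stated and the constant looks arbitrary on its own. A comment above the check, such as `/* htaps = 2*sym + 2 must stay below HTAPS_MAX; test sym before the multiply */`, would make the relation checkable. The `(unsigned)` cast is what rejects negative symbols, which deserves a word in that comment as well. decode_header starts and ends outside the hunk.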



[FFmpeg-cvslog] avcodec/ulti: Check number of blocks at init

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Jan 15 19:03:48 2018 +0100| [540f4467c8258b29c52be4dc0506a83ac29888bc] | 
committer: Michael Niedermayer

avcodec/ulti: Check number of blocks at init

Fixes: Timeout
Fixes: 4832/clusterfuzz-testcase-4699096590843904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=540f4467c8258b29c52be4dc0506a83ac29888bc
---

 libavcodec/ulti.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c
index e6f4374981..9e4c088b10 100644
--- a/libavcodec/ulti.c
+++ b/libavcodec/ulti.c
@@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx)
 s->width = avctx->width;
 s->height = avctx->height;
 s->blocks = (s->width / 8) * (s->height / 8);
+if (s->blocks == 0)
+return AVERROR_INVALIDDATA;
 avctx->pix_fmt = AV_PIX_FMT_YUV410P;
 s->ulti_codebook = ulti_codebook;
 



[FFmpeg-cvslog] avcodec/jpeg2000: Check sum of sizes of band->prec before allocating

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan 14 00:39:40 2018 +0100| [f56215d3ff63c5b8d4de890901df6778fd897757] | 
committer: Michael Niedermayer

avcodec/jpeg2000: Check sum of sizes of band->prec before allocating

Fixes: OOM
Fixes: 4810/clusterfuzz-testcase-minimized-6034253235093504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6887e412434776eb260ad3904f565be491dd5726)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f56215d3ff63c5b8d4de890901df6778fd897757
---

 libavcodec/jpeg2000.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index afeb9df27c..026b2db56f 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -543,6 +543,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
 if (!reslevel->band)
 return AVERROR(ENOMEM);
 
+if (reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y * 
reslevel->nbands > avctx->max_pixels / sizeof(*reslevel->band->prec))
+return AVERROR(ENOMEM);
+
 for (bandno = 0; bandno < reslevel->nbands; bandno++, gbandno++) {
 ret = init_band(avctx, reslevel,
 comp, codsty, qntsty,
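Review bot: The new early return sits after `reslevel->band` has been allocated (the `!reslevel->band` check just above it), so it depends on the caller releasing the component on failure; that cleanup is outside the hunk and worth confirming. The limit uses `avctx->max_pixels`, a pixel count, as a budget for precinct structures, and a comment like `/* bound the total precinct allocation by max_pixels to avoid OOM on damaged headers */` would explain the choice. Returning `AVERROR(ENOMEM)` for a policy limit is also indistinguishable from a real allocation failure. ff_jpeg2000_init_component starts and ends outside the hunk.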



[FFmpeg-cvslog] avcodec/h264addpx_template: Fixes integer overflows

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan  7 03:48:43 2018 +0100| [4715ef27a068df8c7c3d3b2e40ba1617dbafd5b8] | 
committer: Michael Niedermayer

avcodec/h264addpx_template: Fixes integer overflows

Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 
'int'
Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4715ef27a068df8c7c3d3b2e40ba1617dbafd5b8
---

 libavcodec/h264addpx_template.c | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c
index b71aaea439..9a1e6a2f2f 100644
--- a/libavcodec/h264addpx_template.c
+++ b/libavcodec/h264addpx_template.c
@@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, 
int16_t *_src, int stride)
 stride /= sizeof(pixel);
 
 for (i = 0; i < 4; i++) {
-dst[0] += src[0];
-dst[1] += src[1];
-dst[2] += src[2];
-dst[3] += src[3];
+dst[0] += (unsigned)src[0];
+dst[1] += (unsigned)src[1];
+dst[2] += (unsigned)src[2];
+dst[3] += (unsigned)src[3];
 
 dst += stride;
 src += 4;
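Review bot: The `(unsigned)` casts in ff_h264_add_pixels4 and, in the next hunk, ff_h264_add_pixels8 make the addition wrap instead of overflowing, but no comment says that this is the purpose, and twelve identical casts read as noise without one. One comment above each loop, e.g. `/* unsigned add: coefficients from damaged streams may not fit; wrap instead of UB */`, would be enough. The sum is then stored into `dst`, whose element type is declared outside the hunk, so out-of-range input yields defined but arbitrary pixels rather than clipped ones. Both functions start outside the hunks.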
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, 
int16_t *_src, int stride)
 stride /= sizeof(pixel);
 
 for (i = 0; i < 8; i++) {
-dst[0] += src[0];
-dst[1] += src[1];
-dst[2] += src[2];
-dst[3] += src[3];
-dst[4] += src[4];
-dst[5] += src[5];
-dst[6] += src[6];
-dst[7] += src[7];
+dst[0] += (unsigned)src[0];
+dst[1] += (unsigned)src[1];
+dst[2] += (unsigned)src[2];
+dst[3] += (unsigned)src[3];
+dst[4] += (unsigned)src[4];
+dst[5] += (unsigned)src[5];
+dst[6] += (unsigned)src[6];
+dst[7] += (unsigned)src[7];
 
 dst += stride;
 src += 8;



[FFmpeg-cvslog] avcodec/utils: Avoid hardcoding duplicated types in sizeof()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jun  4 01:53:58 2017 +0200| [04949cc08ecea6eaf6615285f19c09517ae38d42] | 
committer: Michael Niedermayer

avcodec/utils: Avoid hardcoding duplicated types in sizeof()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04949cc08ecea6eaf6615285f19c09517ae38d42
---

 libavcodec/utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 9551f312e7..0c47e761f6 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -655,7 +655,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext 
*avctx, const AVCodec *code
 if (ret < 0)
 return ret;
 
-avctx->internal = av_mallocz(sizeof(AVCodecInternal));
+avctx->internal = av_mallocz(sizeof(*avctx->internal));
 if (!avctx->internal) {
 ret = AVERROR(ENOMEM);
 goto end;
@@ -1157,7 +1157,7 @@ void avsubtitle_free(AVSubtitle *sub)
 
 av_freep(>rects);
 
-memset(sub, 0, sizeof(AVSubtitle));
+memset(sub, 0, sizeof(*sub));
 }
 
 av_cold int avcodec_close(AVCodecContext *avctx)



[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow with quant

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan  7 20:43:24 2018 +0100| [097bc4d32d59f8aed42e6d9923f65593f1138f81] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow with quant

Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 
'int'
Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Michael Niedermayer 
(cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=097bc4d32d59f8aed42e6d9923f65593f1138f81
---

 libavcodec/diracdec.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 0abb8b0599..7be7f33145 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -508,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
 }
 
 if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
-int quant = b->quant;
+int quant;
 if (is_arith)
-quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
+quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
 else
-quant += dirac_get_se_golomb(gb);
-if (quant < 0) {
+quant = dirac_get_se_golomb(gb);
+if (quant > INT_MAX - b->quant || b->quant + quant < 0) {
 av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
 return;
 }
-b->quant = quant;
+b->quant += quant;
 }
 
 if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) {
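Review bot: The first comparison, `quant > INT_MAX - b->quant`, is itself only overflow-free while `b->quant` is non-negative; that holds if every path keeps `b->quant >= 0`, which this hunk cannot show. A comment stating the invariant, e.g. `/* b->quant is never negative here, so INT_MAX - b->quant cannot overflow */`, or an explicit `b->quant < 0 ||` term would make the check self-contained. On the error path the function logs and returns without a status, so the caller cannot tell that the codeblock was skipped. codeblock starts and ends outside the hunk.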



[FFmpeg-cvslog] avcodec/dnxhddec: Check dc vlc

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan  3 23:42:00 2018 +0100| [b1af55778b007c798d997735b607798b41149f00] | 
committer: Michael Niedermayer

avcodec/dnxhddec: Check dc vlc

Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 
'int'
Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b1af55778b007c798d997735b607798b41149f00
---

 libavcodec/dnxhddec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c
index f46e41a456..1f93f9dfc2 100644
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -381,6 +381,10 @@ static av_always_inline int dnxhd_decode_dct_block(const 
DNXHDContext *ctx,
 
 UPDATE_CACHE(bs, >gb);
 GET_VLC(len, bs, >gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
+if (len < 0) {
+ret = len;
+goto error;
+}
 if (len) {
 level = GET_CACHE(bs, >gb);
 LAST_SKIP_BITS(bs, >gb, len);
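Review bot: On the new error path `ret = len;` hands the raw negative value from the VLC lookup to the caller as the function's return code; that value comes from the table rather than from the AVERROR space, so it may not name the real failure. `ret = AVERROR_INVALIDDATA;` states it directly. The AC lookups later in the function (`GET_VLC(index1, ...)` in the second hunk's context) get no comparable check here, which may be intentional but is worth confirming. dnxhd_decode_dct_block starts and ends outside the hunk, and the `error:` label it jumps to is added in the second hunk.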
@@ -434,7 +438,7 @@ static av_always_inline int dnxhd_decode_dct_block(const 
DNXHDContext *ctx,
 GET_VLC(index1, bs, >gb, ctx->ac_vlc.table,
 DNXHD_VLC_BITS, 2);
 }
-
+error:
 CLOSE_READER(bs, >gb);
 return ret;
 }



[FFmpeg-cvslog] avcodec/opus_parser: Check payload_len in parse_opus_ts_header()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Jan  5 22:12:07 2018 +0100| [a3add1924095150fa33a22e3ca58f7263253414f] | 
committer: Michael Niedermayer

avcodec/opus_parser: Check payload_len in parse_opus_ts_header()

Fixes: clusterfuzz-testcase-minimized-6134545979277312
Fixes: crbug 797469

Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3add1924095150fa33a22e3ca58f7263253414f
---

 libavcodec/opus_parser.c | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c
index 893573eb82..28b0933900 100644
--- a/libavcodec/opus_parser.c
+++ b/libavcodec/opus_parser.c
@@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 const uint8_t *buf = start + 1;
 int start_trim_flag, end_trim_flag, control_extension_flag, 
control_extension_length;
 uint8_t flags;
+uint64_t payload_len_tmp;
 
 GetByteContext gb;
 bytestream2_init(, buf, buf_len);
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 end_trim_flag  = (flags >> 3) & 1;
 control_extension_flag = (flags >> 2) & 1;
 
-*payload_len = 0;
+payload_len_tmp = *payload_len = 0;
 while (bytestream2_peek_byte() == 0xff)
-*payload_len += bytestream2_get_byte();
+payload_len_tmp += bytestream2_get_byte();
 
-*payload_len += bytestream2_get_byte();
+payload_len_tmp += bytestream2_get_byte();
 
 if (start_trim_flag)
 bytestream2_skip(, 2);
@@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 bytestream2_skip(, control_extension_length);
 }
 
+if (bytestream2_tell() + payload_len_tmp > buf_len)
+return NULL;
+
+*payload_len = payload_len_tmp;
+
 return buf + bytestream2_tell();
 }
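Review bot: The new bound compares `bytestream2_tell() + payload_len_tmp` against `buf_len`, but the reader was initialised at `buf = start + 1` with that same `buf_len` (context lines of the first hunk), so the offset and the limit may be measured from different origins. If `buf_len` counts bytes from `start`, the check admits one byte more than is actually available; initialising the reader with `buf_len - 1`, or comparing against `buf_len - 1`, would line them up. The check also relies on `buf_len` being non-negative, since it is converted to `uint64_t` for the comparison. What the caller passes (`buf_size - i`) is only partly visible in the last hunk.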
 
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, 
AVCodecContext *avctx,
 state = (state << 8) | payload[i];
 if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) {
 payload = parse_opus_ts_header(payload, _len, buf_size 
- i);
+if (!payload) {
+av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS 
header.\n");
+return AVERROR_INVALIDDATA;
+}
 *header_len = payload - buf;
 start_found = 1;
 break;



[FFmpeg-cvslog] avcodec/h264_slice: Do not attempt to render into frames already output

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jan  3 23:42:01 2018 +0100| [62024c127798452f49b56c6dbeac81f7d19b6cbe] | 
committer: Michael Niedermayer

avcodec/h264_slice: Do not attempt to render into frames already output

Fixes: null pointer dereference
Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112

This testcase does not reproduce the issue before 
03b82b3ab9883cef017e513c7d0b3b986b3b3e7b

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62024c127798452f49b56c6dbeac81f7d19b6cbe
---

 libavcodec/h264_slice.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 2577edd8a6..cf1b22fc32 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1577,6 +1577,12 @@ static int h264_field_start(H264Context *h, const 
H264SliceContext *sl,
  * one except for reference purposes. */
 h->first_field = 1;
 h->cur_pic_ptr = NULL;
+} else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) {
+/* This frame was already output, we cannot draw into it
+ * anymore.
+ */
+h->first_field = 1;
+h->cur_pic_ptr = NULL;
 } else {
 /* Second field in complementary pair */
 h->first_field = 0;
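Review bot: The new `else if` branch repeats the two assignments of the branch directly above it (`h->first_field = 1;` and `h->cur_pic_ptr = NULL;`), so the reset logic now exists twice and can diverge. It also dereferences `h->cur_pic_ptr` in its condition; the guard that makes the pointer non-NULL at this point is outside the hunk and worth a glance. If the preceding condition allows it, folding the `DELAYED_PIC_REF` test into it with `||` and keeping the new comment would leave one copy. h264_field_start starts and ends outside the hunk.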



[FFmpeg-cvslog] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()

2018-01-30 Thread Nikolas Bowe
ffmpeg | branch: release/3.4 | Nikolas Bowe  | 
Thu Jan 18 15:21:56 2018 -0800| [facd0521e44063f8d8b57b11a4803ae82c0c123b] | 
committer: Michael Niedermayer

avformat/matroskadec: Fix float-cast-overflow undefined behavior in 
matroska_parse_tracks()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=facd0521e44063f8d8b57b11a4803ae82c0c123b
---

 libavformat/matroskadec.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 94a56ebfa7..e6631097b8 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2089,8 +2089,16 @@ static int matroska_parse_tracks(AVFormatContext *s)
 }
 
 if (track->type == MATROSKA_TRACK_TYPE_VIDEO) {
-if (!track->default_duration && track->video.frame_rate > 0)
-track->default_duration = 10 / track->video.frame_rate;
+if (!track->default_duration && track->video.frame_rate > 0) {
+double default_duration = 10 / track->video.frame_rate;
+if (default_duration > UINT64_MAX || default_duration < 0) {
+av_log(matroska->ctx, AV_LOG_WARNING,
+ "Invalid frame rate %e. Cannot calculate default 
duration.\n",
+ track->video.frame_rate);
+} else {
+track->default_duration = default_duration;
+}
+}
 if (track->video.display_width == -1)
 track->video.display_width = track->video.pixel_width;
 if (track->video.display_height == -1)
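Review bot: The upper bound `default_duration > UINT64_MAX` lets exactly 2^64 through: `UINT64_MAX` is not representable as a double and is rounded up to 2^64 for the comparison, so a quotient equal to that value passes the test and the following conversion to an integer is still out of range. Using `>=` closes the gap: `if (default_duration >= (double)UINT64_MAX || default_duration < 0) {`. This assumes `track->default_duration` is a 64-bit unsigned field, which is declared outside the hunk. matroska_parse_tracks starts and ends outside the hunk.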



[FFmpeg-cvslog] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Jan 11 22:47:10 2018 +0100| [ece78799924977c8298078d9df6c5fcd59503268] | 
committer: Michael Niedermayer

avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one

Fixes high pitched shriek
Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4

Reported-by: Dale Curtis 
Reviewed-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ece78799924977c8298078d9df6c5fcd59503268
---

 libavcodec/arm/sbrdsp_neon.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S
index e66abd682a..003b04ea05 100644
--- a/libavcodec/arm/sbrdsp_neon.S
+++ b/libavcodec/arm/sbrdsp_neon.S
@@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1
 vld1.32 {d0}, [r0,:64]
 vld1.32 {d6}, [lr,:64]
 vld1.32 {d2[]},   [r1,:32]!
-vld1.32 {d3[]},   [r2,:32]!
+vld1.32 {d18[]},  [r2,:32]!
 vceq.f32d4,  d2,  #0
 veord2,  d2,  d3
 vmovd1,  d0
-vmla.f32d0,  d6,  d3
+vmla.f32d0,  d6,  d18
 vadd.f32s2,  s2,  s4
 vbifd0,  d1,  d4
 vst1.32 {d0}, [r0,:64]!



[FFmpeg-cvslog] avformat/lrcdec: Fix memory leak in lrc_read_header()

2018-01-30 Thread Nikolas Bowe
ffmpeg | branch: release/3.4 | Nikolas Bowe  | 
Fri Jan 19 13:17:07 2018 -0800| [e755482d367a256f03758a1bb6358f1c7bd68edc] | 
committer: Michael Niedermayer

avformat/lrcdec: Fix memory leak in lrc_read_header()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e755482d367a256f03758a1bb6358f1c7bd68edc
---

 libavformat/lrcdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 12f74b22a0..f4e9a4efa9 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s)
 }
 ff_subtitles_queue_finalize(s, >q);
 ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv);
+av_bprint_finalize(, NULL);
 return 0;
 }
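Review bot: The added `av_bprint_finalize()` call covers only the normal return at the end of lrc_read_header; any earlier `return` taken after the buffer was initialised would still skip it. Those paths are outside the hunk, so this is something to confirm rather than a known leak. If such returns exist, routing them through a single cleanup label that finalizes the buffer keeps the release in one place.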
 



[FFmpeg-cvslog] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Dec 26 23:24:44 2017 +0100| [91f5a2b7b88aaba20800c5363aef49b14811b4c9] | 
committer: Michael Niedermayer

avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()

Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 
'int'
Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=91f5a2b7b88aaba20800c5363aef49b14811b4c9
---

 libavcodec/flacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 5bbb8ee5b9..3d41a1af7f 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -298,7 +298,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t 
*decoded,
 if (pred_order > 2)
 c = b - decoded[pred_order-2] + decoded[pred_order-3];
 if (pred_order > 3)
-d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - 
decoded[pred_order-4];
+d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - 
decoded[pred_order-4];
 
 switch (pred_order) {
 case 0:
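Review bot: `2U*decoded[pred_order-3]` makes only the tail of the expression unsigned: `c - decoded[pred_order-2]` is evaluated first, and if `c` is a signed int (it is declared outside the hunk) that subtraction can still overflow. The same holds for the unchanged `c = b - decoded[pred_order-2] + decoded[pred_order-3];` two lines up. Casting the first operand covers the whole chain, `d = c - (unsigned)decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];`, and declaring the accumulators unsigned would cover the earlier lines too. decode_subframe_fixed starts and ends outside the hunk.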



[FFmpeg-cvslog] lavfi/deinterlace_vaapi: fix can't show full option information.

2018-01-30 Thread Jun Zhao
ffmpeg | branch: release/3.4 | Jun Zhao  | Tue Jan 16 
22:44:02 2018 +0800| [7b56d6584c46072b0f959f22a461cff01b302a65] | committer: 
Michael Niedermayer

lavfi/deinterlace_vaapi: fix can't show full option information.

Running ffmpeg -h filter=deinterlace_vaapi does not show the full help information;
the root cause is that the flags field is not set in the options.

Signed-off-by: Jun Zhao 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 383804edd812410219a097e2bf3efac8a8b4562a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b56d6584c46072b0f959f22a461cff01b302a65
---

 libavfilter/vf_deinterlace_vaapi.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/libavfilter/vf_deinterlace_vaapi.c 
b/libavfilter/vf_deinterlace_vaapi.c
index 44c5ae7642..a38da5d57b 100644
--- a/libavfilter/vf_deinterlace_vaapi.c
+++ b/libavfilter/vf_deinterlace_vaapi.c
@@ -615,22 +615,22 @@ static const AVOption deint_vaapi_options[] = {
   OFFSET(mode), AV_OPT_TYPE_INT, { .i64 = VAProcDeinterlacingNone },
   VAProcDeinterlacingNone, VAProcDeinterlacingCount - 1, FLAGS, "mode" },
 { "default", "Use the highest-numbered (and therefore possibly most 
advanced) deinterlacing algorithm",
-  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingNone }, .unit = "mode" 
},
+  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingNone }, 0, 0, FLAGS, 
"mode" },
 { "bob", "Use the bob deinterlacing algorithm",
-  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingBob }, .unit = "mode" 
},
+  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingBob }, 0, 0, FLAGS, 
"mode" },
 { "weave", "Use the weave deinterlacing algorithm",
-  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingWeave }, .unit = 
"mode" },
+  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingWeave }, 0, 0, FLAGS,  
"mode" },
 { "motion_adaptive", "Use the motion adaptive deinterlacing algorithm",
-  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionAdaptive }, 
.unit = "mode" },
+  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionAdaptive }, 0, 
0, FLAGS, "mode" },
 { "motion_compensated", "Use the motion compensated deinterlacing 
algorithm",
-  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionCompensated }, 
.unit = "mode" },
+  0, AV_OPT_TYPE_CONST, { .i64 = VAProcDeinterlacingMotionCompensated }, 
0, 0, FLAGS, "mode" },
 
 { "rate", "Generate output at frame rate or field rate",
   OFFSET(field_rate), AV_OPT_TYPE_INT, { .i64 = 1 }, 1, 2, FLAGS, "rate" },
 { "frame", "Output at frame rate (one frame of output for each 
field-pair)",
-  0, AV_OPT_TYPE_CONST, { .i64 = 1 }, .unit = "rate" },
+  0, AV_OPT_TYPE_CONST, { .i64 = 1 }, 0, 0, FLAGS, "rate" },
 { "field", "Output at field rate (one frame of output for each field)",
-  0, AV_OPT_TYPE_CONST, { .i64 = 2 }, .unit = "rate" },
+  0, AV_OPT_TYPE_CONST, { .i64 = 2 }, 0, 0, FLAGS, "rate" },
 
 { "auto", "Only deinterlace fields, passing frames through unchanged",
   OFFSET(auto_enable), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, 1, FLAGS },
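Review bot: The constant entries swap the designated `.unit = "mode"` for positional `0, 0, FLAGS, "mode"`, which only reads correctly if the reader remembers that the two zeros are AVOption's min and max. Keeping the designated form and adding the missing member, `.flags = FLAGS, .unit = "mode"`, would make each entry self-describing and independent of field order. The `weave` entry also picks up a stray double space before `"mode"`.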



[FFmpeg-cvslog] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 22 03:12:03 2017 +0100| [0e7d8ce37c2fd543bde32914ddb7ce54fc2f9220] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)

Fixes: runtime error: left shift of negative value -180
Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e7d8ce37c2fd543bde32914ddb7ce54fc2f9220
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 4017af8eb0..903aa3fe95 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -121,7 +121,7 @@ static void FUNC(dequant)(int16_t *coeffs, int16_t 
log2_size)
 } else {
 for (y = 0; y < size; y++) {
 for (x = 0; x < size; x++) {
-*coeffs = *coeffs << -shift;
+*coeffs = *(uint16_t*)coeffs << -shift;
 coeffs++;
 }
 }
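Review bot: Reading the coefficient through `*(uint16_t*)coeffs` avoids shifting a negative value, but the operand is still promoted to int, so the shift is only defined while `-shift` stays below 16. `shift` is computed outside this hunk, so that bound cannot be confirmed here. A value cast states the intent without reinterpreting the pointer and stays defined for any count below 32: `*coeffs = (unsigned)*coeffs << -shift;`. The body of FUNC(dequant) starts and ends outside the hunk.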



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 22 03:06:14 2017 +0100| [e55a6c5f055ccae4e64fe3bee96f53be9c15c708] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and 
COMPOSE_DD137iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be 
represented in type 'int'
Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e55a6c5f055ccae4e64fe3bee96f53be9c15c708
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 50c8b1e394..f9828d95a4 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
-(b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
+(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
 
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
+(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
 
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
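Review bot: In both rewritten macros the inner sum still begins with `-b0`, a signed negation that is evaluated before any unsigned operand joins in, so a `b0` equal to INT_MIN would still be undefined. Whether the coefficient type allows that value depends on the callers, which are outside this hunk. Writing it as `-(unsigned)(b0)` keeps the whole sum in unsigned arithmetic. The arguments `b0`, `b1`, `b3` and `b4` are also used unparenthesised (`9U*b1`), which misparses if a caller passes an expression; the same applies to the COMPOSE_HAARiL0/COMPOSE_HAARiH0 and COMPOSE_53iL0/COMPOSE_DIRAC53iH0 hunks in the later dirac_dwt mails.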



[FFmpeg-cvslog] configure: bump year

2018-01-30 Thread Carl Eugen Hoyos
ffmpeg | branch: release/3.4 | Carl Eugen Hoyos  | Mon Jan  
1 18:05:55 2018 +0100| [092febb2add69463e84bc2409cb9c5c4081989b6] | committer: 
Michael Niedermayer

configure: bump year

Happy new year!

(cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=092febb2add69463e84bc2409cb9c5c4081989b6
---

 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 1797c5dd4f..231c6c371c 100755
--- a/configure
+++ b/configure
@@ -7000,7 +7000,7 @@ cat > $TMPH 

[FFmpeg-cvslog] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan  7 20:58:49 2018 +0100| [8263246ba8f627d8cfeefb3a83d062989e507e77] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0

Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800
Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8263246ba8f627d8cfeefb3a83d062989e507e77
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index f9828d95a4..1af41e0702 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
 
 #define COMPOSE_HAARiL0(b0, b1)\
-(b0 - ((b1 + 1) >> 1))
+((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))
 
 #define COMPOSE_HAARiH0(b0, b1)\
-(b0 + b1)
+((int)(b0 + (unsigned)(b1)))
 
 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
 ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))



[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix integer overflows in ict_int()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jan  7 04:12:57 2018 +0100| [5365904e964209d7d50af085abc16f40b3bf6010] | 
committer: Michael Niedermayer

avcodec/jpeg2000dsp: Fix integer overflows in ict_int()

Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 
'int'
Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5365904e964209d7d50af085abc16f40b3bf6010
---

 libavcodec/jpeg2000dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index 85a12d0e9b..90e73b1e20 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, 
int csize)
 int i;
 
 for (i = 0; i < csize; i++) {
-i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
+i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);
 i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) 
>> 16)
-   - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
+   - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) 
>> 16);
 i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 
16);
 *src0++ = i0;
 *src1++ = i1;
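Review bot: The products are now unsigned, but the sums around them are not. `*src0 + *src2` in the new `i0` line and `*src0 + (2 * *src1)` in the unchanged `i2` line are still a signed add and a signed multiply, assuming the pointers are int32_t (their declarations are outside this hunk). Input that can overflow `26345 * *src2` can presumably reach these as well. Starting each expression from an unsigned operand, for example `i0 = (unsigned)*src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);`, would cover them. The loop body continues past the hunk.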



[FFmpeg-cvslog] avcodec/vp9: mark frame as finished on decode_tiles() failure

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Dec 14 02:02:55 2017 +0100| [0f0a2ff5a09d0372d9864c070859849654589ad0] | 
committer: Michael Niedermayer

avcodec/vp9: mark frame as finished on decode_tiles() failure

Fixes deadlock with framethreads
Fixes: 
Netflix_Aerial_1080p_60fps_8bit_420.y4m.vp9.noaltref.webm.ivf.s69372_r01-05_b6-.ivf
Fixes: 
Netflix_Aerial_1080p_60fps_10bit_420.y4m.vp9.noaltref.webm.ivf.s149104_r01-05_b6-.ivf
Fixes: ducks_take_off_444_720p50.y4m.vp9.webm.ivf.s107375_r01-05_b6-.ivf

Reported-by: James Zern 
Reviewed-by: James Zern 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5e03eea673a9da2253ed15152e46b1422b35d145)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f0a2ff5a09d0372d9864c070859849654589ad0
---

 libavcodec/vp9.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 6b5de19266..f2cf194243 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -1634,8 +1634,10 @@ FF_ENABLE_DEPRECATION_WARNINGS
 #endif
 {
 ret = decode_tiles(avctx, data, size);
-if (ret < 0)
+if (ret < 0) {
+ff_thread_report_progress(>s.frames[CUR_FRAME].tf, INT_MAX, 
0);
 return ret;
+}
 }
 
 // Sum all counts fields into td[0].counts for tile threading
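Review bot: The new `ff_thread_report_progress(..., INT_MAX, 0)` call on the decode_tiles() failure path carries no comment saying why an error path reports full progress. Something like `/* release frame threads waiting on this frame before bailing out */` would keep it from being removed later as apparently dead code. Any other error return between the point where the frame becomes visible to other threads and the normal progress report would need the same call; those paths are outside this hunk, so this is something to check rather than a confirmed gap.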



[FFmpeg-cvslog] avfilter/formats: fix wrong function name in error message

2018-01-30 Thread Jun Zhao
ffmpeg | branch: release/3.4 | Jun Zhao  | Mon Dec  4 
12:50:34 2017 +0800| [9aa0ed850b77fe46d5b766329f45deb9150cea10] | committer: 
Michael Niedermayer

avfilter/formats: fix wrong function name in error message

Use the predefined macro __FUNCTION__ rather than hard-coding the function name
to fix the wrong function name in the error message.

Signed-off-by: Jun Zhao 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9aa0ed850b77fe46d5b766329f45deb9150cea10
---

 libavfilter/formats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/formats.c b/libavfilter/formats.c
index d4de862237..20a2c89719 100644
--- a/libavfilter/formats.c
+++ b/libavfilter/formats.c
@@ -72,7 +72,7 @@ do {
 for (j = 0; j < b->nb; j++)
 \
 if (a->fmts[i] == b->fmts[j]) {
 \
 if(k >= FFMIN(a->nb, b->nb)){  
 \
-av_log(NULL, AV_LOG_ERROR, "Duplicate formats in 
avfilter_merge_formats() detected\n"); \
+av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s 
detected\n", __FUNCTION__); \
 av_free(ret->fmts);
 \
 av_free(ret);  
 \
 return NULL;   
 \
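Review bot: `__FUNCTION__` in the new av_log() call is a compiler extension, while C99 provides the standard `__func__` with the same value. Inside this macro both expand to the name of the function that uses the macro, so the message stays correct with `"Duplicate formats in %s detected\n", __func__`. The macro definition starts and continues outside the hunk.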



[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 29 03:00:19 2017 +0100| [6abe1e06f5922a350a4f4f975bdf8809d5553203] | 
committer: Michael Niedermayer

avcodec/exr: Check buf_size more completely

Fixes: Out of heap array read
Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6abe1e06f5922a350a4f4f975bdf8809d5553203
---

 libavcodec/exr.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b1ecde4ebd..454dc74cfb 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1051,7 +1051,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 line_offset = AV_RL64(s->gb.buffer + jobnr * 8);
 
 if (s->is_tile) {
-if (line_offset > buf_size - 20)
+if (buf_size < 20 || line_offset > buf_size - 20)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 20;
@@ -1062,7 +1062,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 tile_level_y = AV_RL32(src - 8);
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 20)
 return AVERROR_INVALIDDATA;
 
 if (tile_level_x || tile_level_y) { /* tile level, is not the full res 
level */
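Review bot: The tightened bound `data_size > buf_size - line_offset - 20` is only safe because the earlier `line_offset > buf_size - 20` test has already returned. If `line_offset` is an unsigned 64-bit value (its declaration is outside the hunk), the subtraction would otherwise wrap to a huge number and accept any `data_size`. A one-line comment such as `/* line_offset <= buf_size - 20 was checked above, so this cannot wrap */` would protect that ordering, here and at the matching `- 8` check in the hunk at -1105. The header sizes 20 and 8 are now repeated in the guard, the source offset and the bound; a named constant for each would keep the three in step.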
@@ -1095,7 +1095,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 td->channel_line_size = td->xsize * s->current_channel_offset;/* 
uncompress size of one line */
 uncompressed_size = td->channel_line_size * (uint64_t)td->ysize;/* 
uncompress size of the block */
 } else {
-if (line_offset > buf_size - 8)
+if (buf_size < 8 || line_offset > buf_size - 8)
 return AVERROR_INVALIDDATA;
 
 src  = buf + line_offset + 8;
@@ -1105,7 +1105,7 @@ static int decode_block(AVCodecContext *avctx, void 
*tdata,
 return AVERROR_INVALIDDATA;
 
 data_size = AV_RL32(src - 4);
-if (data_size <= 0 || data_size > buf_size)
+if (data_size <= 0 || data_size > buf_size - line_offset - 8)
 return AVERROR_INVALIDDATA;
 
 td->ysize  = FFMIN(s->scan_lines_per_block, s->ymax - line + 
1); /* s->ydelta - line ?? */



[FFmpeg-cvslog] tests/audiomatch: Add missing return code at the end of main()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Dec 19 21:05:40 2017 +0100| [43c03866b23ab49ccdce014a55b601a25e5094cf] | 
committer: Michael Niedermayer

tests/audiomatch: Add missing return code at the end of main()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 65da5c56e661a839e017db4c51c73d6f3d8a8fcb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=43c03866b23ab49ccdce014a55b601a25e5094cf
---

 tests/audiomatch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/audiomatch.c b/tests/audiomatch.c
index ca56df09b3..9671789a37 100644
--- a/tests/audiomatch.c
+++ b/tests/audiomatch.c
@@ -107,4 +107,6 @@ int main(int argc, char **argv){
 }
 }
 printf("presig: %d postsig:%d c:%7.4f lenerr:%d\n", bestpos, datlen - 
siglen - bestpos, bestc / sigamp, datlen - siglen);
+
+return 0;
 }



[FFmpeg-cvslog] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 15 17:50:12 2017 +0100| [2e426fae43f3a543649a6b9bf3ed6c0ae6892ce5] | 
committer: Michael Niedermayer

avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 
'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e426fae43f3a543649a6b9bf3ed6c0ae6892ce5
---

 libavcodec/hevc_sei.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index d0f9966a29..4fae797251 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -324,11 +324,15 @@ static int decode_nal_sei_message(GetBitContext *gb, 
HEVCSEIContext *s,
 av_log(logctx, AV_LOG_DEBUG, "Decoding SEI\n");
 
 while (byte == 0xFF) {
+if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
+return AVERROR_INVALIDDATA;
 byte  = get_bits(gb, 8);
 payload_type += byte;
 }
 byte = 0xFF;
 while (byte == 0xFF) {
+if (get_bits_left(gb) < 8 + 8LL*payload_size)
+return AVERROR_INVALIDDATA;
 byte  = get_bits(gb, 8);
 payload_size += byte;
 }
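Review bot: The two added guards protect their accumulators in different ways and neither explains itself. The first loop tests `payload_type > INT_MAX - 255` explicitly, while the second relies on `get_bits_left(gb) < 8 + 8LL*payload_size` to keep `payload_size` small enough that adding a byte cannot overflow. A short comment on the second, e.g. `/* payload_size is bounded by the bits left, so += byte cannot overflow */`, would stop a later edit from weakening it unknowingly. It is also not obvious why the first loop requires 16 bits rather than 8; presumably it reserves the first payload_size byte, which deserves a word. The function body continues outside the hunk.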



[FFmpeg-cvslog] avcodec/flacdec: avoid undefined shift

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Dec 26 23:24:43 2017 +0100| [fb9560b366da69bd54011455c0c35303669e7ce6] | 
committer: Michael Niedermayer

avcodec/flacdec: avoid undefined shift

Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb9560b366da69bd54011455c0c35303669e7ce6
---

 libavcodec/flacdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 581c73efc8..5bbb8ee5b9 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -456,7 +456,7 @@ static inline int decode_subframe(FLACContext *s, int 
channel)
 return AVERROR_INVALIDDATA;
 }
 
-if (wasted) {
+if (wasted && wasted < 32) {
 int i;
 for (i = 0; i < s->blocksize; i++)
 decoded[i] = (unsigned)decoded[i] << wasted;
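Review bot: With `wasted && wasted < 32`, a wasted-bits count of 32 or more is now silently skipped, so the subframe is returned unshifted instead of being rejected. If such a count can only come from a malformed stream (the code that reads `wasted` is outside this hunk), failing closed would be more predictable, e.g. `if (wasted >= 32) return AVERROR_INVALIDDATA;` ahead of the shift loop. At minimum, a comment should state that out-of-range counts are deliberately ignored.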



[FFmpeg-cvslog] avcodec/h264_parse: Treat escaped and unescaped decoding error equal in decode_extradata_ps_mp4()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Nov 25 22:21:16 2017 +0100| [d6a13f031ced11ef291768a76c90d76e1b586526] | 
committer: Michael Niedermayer

avcodec/h264_parse: Treat escaped and unescaped decoding error equal in 
decode_extradata_ps_mp4()

Fixes: lorex.mp4
Fixes: ticket6762

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4bb7d72bcfb56ae4fe56055927cf53cf484f5df4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d6a13f031ced11ef291768a76c90d76e1b586526
---

 libavcodec/h264_parse.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index a7c71d9bbb..fee28d90d9 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -425,10 +425,9 @@ static int decode_extradata_ps_mp4(const uint8_t *buf, int 
buf_size, H264ParamSe
 escaped_buf_size = bytestream2_tell_p();
 AV_WB16(escaped_buf, escaped_buf_size - 2);
 
-ret = decode_extradata_ps(escaped_buf, escaped_buf_size, ps, 1, 
logctx);
+(void)decode_extradata_ps(escaped_buf, escaped_buf_size, ps, 1, 
logctx);
+// lorex.mp4 decodes ok even with extradata decoding failing
 av_freep(_buf);
-if (ret < 0)
-return ret;
 }
 
 return 0;
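Review bot: Casting the result to `(void)` drops every failure from the escaped-buffer pass, not only the bitstream error that lorex.mp4 triggers. An allocation failure or other internal error would now be reported as success too. If the intent is to tolerate malformed parameter sets only, keeping `ret` and adding `if (ret < 0 && ret != AVERROR_INVALIDDATA) return ret;` after the buffer is freed would preserve that distinction. The new comment should also say whether a `ps` left partially updated by the failed call is acceptable to the caller; decode_extradata_ps() itself is outside the hunk, so its state on failure cannot be confirmed here.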



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Dec 26 23:24:45 2017 +0100| [7e402c31efd8fc332175121b2d901eb16ed5614a] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and 
put_hevc_qpel_bi_w_w()

Fixes: left shift of negative value -1
Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7e402c31efd8fc332175121b2d901eb16ed5614a
---

 libavcodec/hevcdsp_template.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 903aa3fe95..56cd9e605d 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -915,7 +915,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * 
wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
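Review bot: Nothing on the new line says why the offset is multiplied by `(1 << log2Wd)` instead of shifted, which makes it an easy target for a later "simplification" back to `<<`. A comment above the statement, e.g. `/* multiply rather than shift: ox0 + ox1 + 1 may be negative */`, would record the reason. The same applies to the put_hevc_qpel_bi_w_v hunk below and to the put_hevc_qpel_bi_w_hv hunk in the later hevcdsp_template mail. The product can still overflow int if the offsets are large; their range is set outside these hunks, so that bound should be confirmed.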
@@ -970,7 +970,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH 
- 8)) * wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;



[FFmpeg-cvslog] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 15 18:17:13 2017 +0100| [0288d15cdded73991b72c1407e98654a295a09ae] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()

Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented 
in type 'int'
Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0288d15cdded73991b72c1407e98654a295a09ae
---

 libavcodec/hevc_cabac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 853fd3f722..5b5da1165a 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -646,8 +646,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s)
 suffix_val += 1 << k;
 k++;
 }
-if (k == CABAC_MAX_BIN)
+if (k == CABAC_MAX_BIN) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k);
+return AVERROR_INVALIDDATA;
+}
 
 while (k--)
 suffix_val += get_cabac_bypass(>HEVClc->cc) << k;
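Review bot: ff_hevc_cu_qp_delta_abs() can now return AVERROR_INVALIDDATA, a negative value, from a function whose name promises a magnitude. Its callers are outside this hunk; any that store the result without testing for `< 0` would treat the error code as a QP delta. A contract comment above the function, e.g. `/* returns the absolute delta, or a negative AVERROR code on invalid data */`, together with an explicit check at each call site, would make the new failure mode visible.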



[FFmpeg-cvslog] libavfilter/af_dcshift.c: Fixed repeated spelling error

2018-01-30 Thread Kelly Ledford
ffmpeg | branch: release/3.4 | Kelly Ledford  | Tue 
Dec 12 11:31:23 2017 -0800| [a3832486e4f152d9f9660ecf812ee45b03d784f1] | 
committer: Michael Niedermayer

libavfilter/af_dcshift.c: Fixed repeated spelling error

'threshhold' should be 'threshold'

Signed-off-by: Kelly Ledford 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3832486e4f152d9f9660ecf812ee45b03d784f1
---

 libavfilter/af_dcshift.c | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c
index 6d33daee0b..e007efe05e 100644
--- a/libavfilter/af_dcshift.c
+++ b/libavfilter/af_dcshift.c
@@ -28,7 +28,7 @@
 typedef struct DCShiftContext {
 const AVClass *class;
 double dcshift;
-double limiterthreshhold;
+double limiterthreshold;
 double limitergain;
 } DCShiftContext;
 
@@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx)
 {
 DCShiftContext *s = ctx->priv;
 
-s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - 
s->limitergain));
+s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - 
s->limitergain));
 
 return 0;
 }
@@ -111,14 +111,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 
 d = src[j];
 
-if (d > s->limiterthreshhold && dcshift > 0) {
-d = (d - s->limiterthreshhold) * s->limitergain /
- (INT32_MAX - s->limiterthreshhold) +
- s->limiterthreshhold + dcshift;
-} else if (d < -s->limiterthreshhold && dcshift < 0) {
-d = (d + s->limiterthreshhold) * s->limitergain /
- (INT32_MAX - s->limiterthreshhold) -
- s->limiterthreshhold + dcshift;
+if (d > s->limiterthreshold && dcshift > 0) {
+d = (d - s->limiterthreshold) * s->limitergain /
+ (INT32_MAX - s->limiterthreshold) +
+ s->limiterthreshold + dcshift;
+} else if (d < -s->limiterthreshold && dcshift < 0) {
+d = (d + s->limiterthreshold) * s->limitergain /
+ (INT32_MAX - s->limiterthreshold) -
+ s->limiterthreshold + dcshift;
 } else {
 d = dcshift * INT32_MAX + d;
 }



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Dec 15 13:06:30 2017 +0100| [d147e2d55d2947742ec1d42a8b107f7131fdc383] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()

Fixes: runtime error: left shift of negative value -3
Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d147e2d55d2947742ec1d42a8b107f7131fdc383
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 0623cfad89..4017af8eb0 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1051,7 +1051,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, 
ptrdiff_t _dststride, uin
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 
+ src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 tmp  += MAX_PB_SIZE;
 dst  += dststride;
 src2 += MAX_PB_SIZE;



[FFmpeg-cvslog] avcodec/hevc_ps: Check log2_sao_offset_scale_*

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Wed 
Jan 24 03:15:23 2018 +0100| [4a75a75c62efc645ec28444e4675c325b8f2bb1a] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Check log2_sao_offset_scale_*

Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768
Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a75a75c62efc645ec28444e4675c325b8f2bb1a
---

 libavcodec/hevc_ps.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 4787312cfa..1f18d0335b 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1324,6 +1324,11 @@ static int pps_range_extensions(GetBitContext *gb, 
AVCodecContext *avctx,
 pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
 pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);
 
+if (   pps->log2_sao_offset_scale_luma   > FFMAX(sps->bit_depth- 
10, 0)
+|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 
10, 0)
+)
+return AVERROR_INVALIDDATA;
+
 return(0);
 }
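Review bot: The range check runs on `pps->log2_sao_offset_scale_luma` and `pps->log2_sao_offset_scale_chroma` after they have been assigned from get_ue_golomb_long(). If those members are narrower than the value returned (their declarations are outside this diff), an oversized coded value is truncated on assignment and may pass the check. Reading into a local first, `unsigned luma = get_ue_golomb_long(gb);`, then comparing the local and storing it only after it passes, validates the value as coded. That ordering also keeps a rejected value out of the PPS structure.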
 



[FFmpeg-cvslog] avcodec/indeo5: Do not leave frame_type set to an invalid value

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Fri 
Jan 26 00:24:49 2018 +0100| [2ff9f178519b68d4d1d606eb5451ad81da948efc] | 
committer: Michael Niedermayer

avcodec/indeo5: Do not leave frame_type set to an invalid value

Fixes: null pointer dereference
Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2ff9f178519b68d4d1d606eb5451ad81da948efc
---

 libavcodec/indeo5.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 81b4514038..b39cffd9a9 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
 ctx->frame_type  = get_bits(>gb, 3);
 if (ctx->frame_type >= 5) {
 av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", 
ctx->frame_type);
+ctx->frame_type = FRAMETYPE_INTRA;
 return AVERROR_INVALIDDATA;
 }
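Review bot: Resetting `ctx->frame_type` to FRAMETYPE_INTRA on the error path removes the invalid value, but it also makes the context claim that the rejected frame was an intra frame. Later code that consults the previous frame type (outside this hunk) would then act on a frame that was never decoded. Parsing into a local and committing only after validation avoids both states: `int frame_type = get_bits(&ctx->gb, 3);`, then `ctx->frame_type = frame_type;` once the `>= 5` test has passed. If the reset is kept, a comment should say why INTRA is the safe fallback.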
 



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix several integer overflows

2018-01-30 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Jan 25 23:14:37 2018 +0100| [fe1e6c06d03432c3e9208f019533c1d701f485d0] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix several integer overflows

Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot 
be represented in type 'int'
Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe1e6c06d03432c3e9208f019533c1d701f485d0
---

 libavcodec/dirac_dwt.h  | 4 ++--
 libavcodec/dirac_dwt_template.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 1af41e0702..68ebd19560 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 
 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
-(b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
+(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))
 
 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
-(b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
+(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
 (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
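Review bot: With the added `(unsigned)` cast, `COMPOSE_53iL0` and `COMPOSE_DIRAC53iH0` now evaluate to an unsigned value, whereas `COMPOSE_DD97iH0` just below wraps its unsigned arithmetic in an outer `(int)(...)`. A caller that compares, shifts or widens the result before storing it would see unsigned semantics; the callers are outside this hunk, so this is a consistency concern rather than a demonstrated bug. Casting back keeps the overflow fix and the previous result type: `(int)(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))`, and likewise for the 53iH0 macro. `b0` and `b1` are also expanded unparenthesized in both macros, unlike `b2`.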
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index e436c247a1..e68cc4d530 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, 
uint8_t *_b1, uint8_t *_
 TYPE *b1 = (TYPE *)_b1;
 TYPE *b2 = (TYPE *)_b2;
 for (i = 0; i < width; i++)
-b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
+b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
 }
 
 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE 
*src1, int w2,
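Review bot: The loop statement in `vertical_compose53iL0` is the same expression as `COMPOSE_53iL0` in dirac_dwt.h, and this commit had to patch both copies identically. If that header is in scope where the template is included (not visible here), `b1[i] = COMPOSE_53iL0(b0[i], b1[i], b2[i]);` would leave a single place where the overflow handling has to be right. The opening lines of the function are outside the hunk.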



[FFmpeg-cvslog] avcodec/mediacodecdec: use ff_hevc_ps_uninit()

2018-01-30 Thread James Almer
ffmpeg | branch: master | James Almer  | Sat Jan 20 16:55:17 
2018 -0300| [782e066e3e3d8015d6d64c47cda0925c10aebe08] | committer: James Almer

avcodec/mediacodecdec: use ff_hevc_ps_uninit()

Fixes memleaks.

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=782e066e3e3d8015d6d64c47cda0925c10aebe08
---

 libavcodec/mediacodecdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index 6c5d3ddd79..cb1151a195 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -258,6 +258,8 @@ static int hevc_set_extradata(AVCodecContext *avctx, 
FFAMediaFormat *format)
 }
 
 done:
+ff_hevc_ps_uninit();
+
 av_freep(_data);
 av_freep(_data);
 av_freep(_data);
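Review bot: The new `ff_hevc_ps_uninit` call sits under `done:`, so it runs on every path that jumps there, including failures that occur before any parameter set was decoded. That is only safe if the parameter-set struct is zero-initialised before the first `goto done`. The declaration and the jumps are outside this hunk, so this should be confirmed. A short comment above the call, `/* release parameter-set buffers allocated while parsing extradata */`, would also make the ownership explicit next to the `av_freep` calls that follow.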



[FFmpeg-cvslog] avcodec/hevc_parser: use ff_hevc_decode_extradata() to parse extradata

2018-01-30 Thread James Almer
ffmpeg | branch: master | James Almer  | Sat Jan 20 00:57:18 
2018 -0300| [222d7055e2dd20eb1381c257d34a50ec4c8dadb0] | committer: James Almer

avcodec/hevc_parser: use ff_hevc_decode_extradata() to parse extradata

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=222d7055e2dd20eb1381c257d34a50ec4c8dadb0
---

 libavcodec/hevc_parser.c | 21 +
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c
index 88d3d9a22f..a468682ed3 100644
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@@ -24,6 +24,7 @@
 
 #include "golomb.h"
 #include "hevc.h"
+#include "hevc_parse.h"
 #include "hevc_ps.h"
 #include "hevc_sei.h"
 #include "h2645_parse.h"
@@ -43,6 +44,8 @@ typedef struct HEVCParserContext {
 HEVCSEI sei;
 SliceHeader sh;
 
+int is_avc;
+int nal_length_size;
 int parsed_extradata;
 
 int poc;
@@ -181,7 +184,6 @@ static int parse_nal_units(AVCodecParserContext *s, const 
uint8_t *buf,
 HEVCParserContext *ctx = s->priv_data;
 HEVCParamSets *ps = >ps;
 HEVCSEI *sei = >sei;
-int is_global = buf == avctx->extradata;
 int ret, i;
 
 /* set some sane default values */
@@ -191,8 +193,8 @@ static int parse_nal_units(AVCodecParserContext *s, const 
uint8_t *buf,
 
 ff_hevc_reset_sei(sei);
 
-ret = ff_h2645_packet_split(>pkt, buf, buf_size, avctx, 0, 0,
-AV_CODEC_ID_HEVC, 1);
+ret = ff_h2645_packet_split(>pkt, buf, buf_size, avctx, ctx->is_avc,
+ctx->nal_length_size, AV_CODEC_ID_HEVC, 1);
 if (ret < 0)
 return ret;
 
@@ -230,12 +232,6 @@ static int parse_nal_units(AVCodecParserContext *s, const 
uint8_t *buf,
 case HEVC_NAL_RADL_R:
 case HEVC_NAL_RASL_N:
 case HEVC_NAL_RASL_R:
-
-if (is_global) {
-av_log(avctx, AV_LOG_ERROR, "Invalid NAL unit: %d\n", 
nal->type);
-return AVERROR_INVALIDDATA;
-}
-
 ret = hevc_parse_slice_header(s, nal, avctx);
 if (ret)
 return ret;
@@ -243,8 +239,7 @@ static int parse_nal_units(AVCodecParserContext *s, const 
uint8_t *buf,
 }
 }
 /* didn't find a picture! */
-if (!is_global)
-av_log(avctx, AV_LOG_ERROR, "missing picture in access unit\n");
+av_log(avctx, AV_LOG_ERROR, "missing picture in access unit\n");
 return -1;
 }
 
@@ -301,7 +296,9 @@ static int hevc_parse(AVCodecParserContext *s, 
AVCodecContext *avctx,
 ParseContext *pc = >pc;
 
 if (avctx->extradata && !ctx->parsed_extradata) {
-parse_nal_units(s, avctx->extradata, avctx->extradata_size, avctx);
+ff_hevc_decode_extradata(avctx->extradata, avctx->extradata_size, 
>ps, >sei,
+ >is_avc, >nal_length_size, 
avctx->err_recognition,
+ 1, avctx);
 ctx->parsed_extradata = 1;
 }
 
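Review bot: The return value of `ff_hevc_decode_extradata` is discarded and `ctx->parsed_extradata` is set to 1 regardless, so `hevc_parse` never reports a failed or partial parse of `avctx->extradata`. After this commit that call fills `ctx->is_avc` and `ctx->nal_length_size`, which `parse_nal_units` then passes to `ff_h2645_packet_split` (hunk at -191), so values taken from container-supplied extradata decide how every later packet is split. Capturing the result and, on failure, logging a warning and resetting both fields to the `0, 0` that was passed before this change would keep the parser in a known state; whether the callee already guarantees that on error is not visible here. `hevc_parse` continues beyond the hunk.

```c
if (avctx->extradata && !ctx->parsed_extradata) {
    int ret = ff_hevc_decode_extradata(avctx->extradata, avctx->extradata_size,
                                       &ctx->ps, &ctx->sei,
                                       &ctx->is_avc, &ctx->nal_length_size,
                                       avctx->err_recognition, 1, avctx);
    if (ret < 0) {
        av_log(avctx, AV_LOG_WARNING, "Failed to parse extradata\n");
        /* fall back to the 0, 0 split arguments used before this change */
        ctx->is_avc          = 0;
        ctx->nal_length_size = 0;
    }
    ctx->parsed_extradata = 1;
}
```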



[FFmpeg-cvslog] [ffmpeg-web] branch master updated. 9275cd5 Remove battleforthenet widget

2018-01-30 Thread ffmpeg-git
The branch, master has been updated
   via  9275cd54eddb83faf5bd40ffaccb5717de8b798d (commit)
  from  69585f5407f8c00adcddb1947951253d1f7d55f3 (commit)


- Log -
commit 9275cd54eddb83faf5bd40ffaccb5717de8b798d
Author: Ricardo Constantino 
AuthorDate: Tue Jan 30 11:05:29 2018 +
Commit: Michael Niedermayer 
CommitDate: Tue Jan 30 13:08:22 2018 +0100

Remove battleforthenet widget

diff --git a/src/template_head2 b/src/template_head2
index 71daf07..a0b11ab 100644
--- a/src/template_head2
+++ b/src/template_head2
@@ -3,29 +3,6 @@