[FFmpeg-cvslog] avfilter/af_atempo: fix drift calculation, ticket #6157
ffmpeg | branch: master | Pavel Koshevoy| Mon Feb 20 10:51:28 2017 +0800| [947fdad92de8ce6912ed8f3095c218c35d0b9fa7] | committer: Steven Liu avfilter/af_atempo: fix drift calculation, ticket #6157 ticket #6157 Reported-by: Steven Liu Signed-off-by: Pavel Koshevoy > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=947fdad92de8ce6912ed8f3095c218c35d0b9fa7 --- libavfilter/af_atempo.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavfilter/af_atempo.c b/libavfilter/af_atempo.c index a487882..eb62656 100644 --- a/libavfilter/af_atempo.c +++ b/libavfilter/af_atempo.c @@ -697,11 +697,11 @@ static int yae_adjust_position(ATempoContext *atempo) AudioFragment *frag = yae_curr_frag(atempo); const double prev_output_position = -(double)(prev->position[1] - atempo->origin[1] + atempo->window / 2); +(double)(prev->position[1] - atempo->origin[1] + atempo->window / 2) * +atempo->tempo; const double ideal_output_position = -(double)(prev->position[0] - atempo->origin[0] + atempo->window / 2) / -atempo->tempo; +(double)(prev->position[0] - atempo->origin[0] + atempo->window / 2); const int drift = (int)(prev_output_position - ideal_output_position); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/h264_ps: Fix runtime error: signed integer overflow: -1094995528 * 2 cannot be represented in type 'int'
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 22:54:30 2017 +0100| [59e5b05ef6f26064fc399f8e23aa05f962b8ae48] | committer: Michael Niedermayer avcodec/h264_ps: Fix runtime error: signed integer overflow: -1094995528 * 2 cannot be represented in type 'int' Fixes: 615/clusterfuzz-testcase-5488002644049920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59e5b05ef6f26064fc399f8e23aa05f962b8ae48 --- libavcodec/h264_ps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 8218e3a..270d06b 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -468,7 +468,7 @@ int ff_h264_decode_seq_parameter_set(GetBitContext *gb, AVCodecContext *avctx, sps->frame_mbs_only_flag = get_bits1(gb); -if (sps->mb_height >= INT_MAX / 2) { +if (sps->mb_height >= INT_MAX / 2U) { av_log(avctx, AV_LOG_ERROR, "height overflow\n"); goto fail; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
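Review bot: The guard `sps->mb_height >= INT_MAX / 2U` now rejects negative heights only through the implicit conversion of `mb_height` to unsigned, which a later cleanup could easily undo by accident. Given the reported overflow `-1094995528 * 2`, the field is presumably a signed int that is already negative when it reaches this line; where it became negative lies outside the hunk. I would either spell the intent out, `if (sps->mb_height < 0 || sps->mb_height >= INT_MAX / 2) {`, or keep the `2U` and add `/* unsigned compare: also rejects negative mb_height */`. ff_h264_decode_seq_parameter_set continues outside the hunk.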
[FFmpeg-cvslog] avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int'
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 22:40:29 2017 +0100| [258763ad0e1efff82bbe2beb97527d3c19f40932] | committer: Michael Niedermayer avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' Fixes: 614/clusterfuzz-testcase-4931860079575040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=258763ad0e1efff82bbe2beb97527d3c19f40932 --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index fe83425..17a4bda 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1743,7 +1743,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ -coeff_abs+= 14; \ +coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
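Review bot: `coeff_abs+= 14U;` removes the undefined signed overflow, but the sum then wraps and is converted back into `coeff_abs`, so a corrupt stream still yields a nonsensical coefficient rather than an error. The value is presumably negative after the wrap, if `coeff_abs` is an int as the sanitizer message suggests. Whether it is clamped or rejected before being stored into the block is decided outside the hunk and should be confirmed. At minimum the line deserves a comment such as `/* unsigned add: wraps on corrupt input instead of signed-overflow UB */`, since `14U` otherwise looks like a typo next to the signed arithmetic in the loop above it.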
[FFmpeg-cvslog] avcodec/mjpegdec: Fix runtime error: left shift of negative value -507
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 20:39:13 2017 +0100| [c91bdd4524815125e1f7d8dee22ee7a73173c39a] | committer: Michael Niedermayer avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 Fixes: 611/clusterfuzz-testcase-5613455820193792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c91bdd4524815125e1f7d8dee22ee7a73173c39a --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 34a988d..69469c5 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1137,7 +1137,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; -*ptr= pred + (dc << point_transform); +*ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
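Review bot: The cast in `pred + ((unsigned)dc << point_transform)` covers only the 8-bit store; the `ptr16` branch that begins on the next context line is cut off by the hunk, and if it uses the same `dc << point_transform` expression it needs the same cast. The shift count is also not checked in the visible lines, so a `point_transform` of 32 or more would still be undefined. Presumably it is range-checked where the scan header is parsed, which should be confirmed. ljpeg_decode_yuv_scan starts and ends outside the hunk.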
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 21:33:27 2017 +0100| [aa2b75263e17651187b1475551a02aa2f4ff65fe] | committer: Michael Niedermayer avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative Fixes: 612/clusterfuzz-testcase-4707817137111040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa2b75263e17651187b1475551a02aa2f4ff65fe --- libavcodec/mpeg4videodec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 0e549ef..58ae05f 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -367,6 +367,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + +if (shift_c < 0 || shift_y < 0) { +avpriv_request_sample(s->avctx, "Too large sprite shift"); +return AVERROR_PATCHWELCOME; +} + for (i = 0; i < 2; i++) { s->sprite_offset[0][i] *= 1 << shift_y; s->sprite_offset[1][i] *= 1 << shift_c; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
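Review bot: The new check stops the negative shift exponent, but `s->sprite_offset[0][i] *= 1 << shift_y;` directly after it is still a signed multiplication by up to `1 << 16` on a value derived from the bitstream, so it can overflow if `sprite_offset` is an int (its type is not visible here). Computing the product in a wider type and range-checking it, or rejecting oversized offsets alongside the shift check, would close both problems at once. A short comment on the check, e.g. `/* sprite_shift > 16 would make the shift counts below negative */`, would also help the next reader. mpeg4_decode_sprite_trajectory continues outside the hunk.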
[FFmpeg-cvslog] avcodec/eac3dec: Fix runtime error: left shift of negative value
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 20:32:48 2017 +0100| [067485b673f6ac4b1207d6fc975d1fd968edc68e] | committer: Michael Niedermayer avcodec/eac3dec: Fix runtime error: left shift of negative value Fixes: 610/clusterfuzz-testcase-4831030085156864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=067485b673f6ac4b1207d6fc975d1fd968edc68e --- libavcodec/eac3dec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 83a54bc..be23502 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { -s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; +s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,12 +271,12 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); -mant <<= (23 - (mbits - 1)); +mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else -b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; +b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
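Review bot: The shift count in `mant = ((unsigned)mant) << (23 - (mbits - 1));` (second hunk) is still unchecked: `mbits` is `bits - (2 - log_gain)`, and nothing in the visible lines bounds it to 1..24, so a negative or oversized count would remain undefined. The bound is presumably guaranteed by the tables that produce `bits` and `log_gain`, which should be confirmed or asserted. The commit also uses two different idioms for the same problem, `* (1 << 8)` for the table values and an unsigned cast for `mant`; a one-line comment on each stating why would keep them from being simplified back to `<<`. ff_eac3_decode_transform_coeffs_aht_ch extends beyond both hunks.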
[FFmpeg-cvslog] opus_pvq: fix PVQ search for K < 5 and low Ns
ffmpeg | branch: master | Rostislav Pehlivanov| Sun Feb 19 18:20:39 2017 +| [67fa02ed794f9505bd9c3584c14bfb61c895f5bc] | committer: Rostislav Pehlivanov opus_pvq: fix PVQ search for K < 5 and low Ns If the PVQ search picked a place to increment/decrement on the y[] vector which had no pulse then it would cause a desync since it would change the sum in the wrong direction. Fix this by not considering places without pulses as viable. This makes the PVQ search slightly worse at K < 5 which isn't all that common. Still, this is a workaround to prevent making broken files until I can think of a better way of fixing it. Also add an assertion, which can be removed or moved to assert1/2 once the PVQ search is stable. Signed-off-by: Rostislav Pehlivanov > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67fa02ed794f9505bd9c3584c14bfb61c895f5bc --- libavcodec/opus_pvq.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_pvq.c b/libavcodec/opus_pvq.c index 4197ccd..5920ab0 100644 --- a/libavcodec/opus_pvq.c +++ b/libavcodec/opus_pvq.c @@ -277,7 +277,7 @@ static inline int celt_compute_qn(int N, int b, int offset, int pulse_cap, } /* Convert the quantized vector to an index */ -static inline uint32_t celt_icwrsi(uint32_t N, const int *y) +static inline uint32_t celt_icwrsi(uint32_t N, uint32_t K, const int *y) { int i, idx = 0, sum = 0; for (i = N - 1; i >= 0; i--) { @@ -285,6 +285,7 @@ static inline uint32_t celt_icwrsi(uint32_t N, const int *y) idx += CELT_PVQ_U(N - i, sum) + (y[i] < 0)*i_s; sum += FFABS(y[i]); } +av_assert0(sum == K); return idx; } 
@@ -376,7 +377,7 @@ static inline uint64_t celt_cwrsi(uint32_t N, uint32_t K, uint32_t i, int *y) static inline void celt_encode_pulses(OpusRangeCoder *rc, int *y, uint32_t N, uint32_t K) { -ff_opus_rc_enc_uint(rc, celt_icwrsi(N, y), CELT_PVQ_V(N, K)); +ff_opus_rc_enc_uint(rc, celt_icwrsi(N, K, y), CELT_PVQ_V(N, K)); } static inline float celt_decode_pulses(OpusRangeCoder *rc, int *y, uint32_t N, uint32_t K) @@ -415,7 +416,8 @@ static void celt_pvq_search(float *X, int *y, int K, int N) float xy_new = xy_norm + 1*phase*FFABS(X[i]); float y_new = y_norm + 2*phase*FFABS(y[i]); xy_new = xy_new * xy_new; -if ((max_den*xy_new) > (y_new*max_num)) { +/* FIXME: the y[i] check makes the search slightly worse at Ks below 5 */ +if (y[i] && (max_den*xy_new) > (y_new*max_num)) { max_den = y_new; max_num = xy_new; max_idx = i; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
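Review bot: In celt_pvq_search the added `y[i] &&` condition can leave the candidate loop without any match when every `y[i]` is zero, which is plausible for the small K and N this commit targets. In that case `max_idx` keeps whatever value it was initialised with outside the hunk and the pulse is presumably still applied there, i.e. to a position without a pulse. `av_assert0(sum == K)` in celt_icwrsi would then turn that into an abort of the encoding process. I would track whether a candidate was found and handle the empty case explicitly. The assertion also compares the int `sum` with the `uint32_t` K; an explicit cast would make the intended comparison clear.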
[FFmpeg-cvslog] avcodec/pngdec: Check bit depth for validity
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 19:12:25 2017 +0100| [4279613a2652cdf2bee564f4b7244567e5ba91ba] | committer: Michael Niedermayer avcodec/pngdec: Check bit depth for validity Fixes: runtime error: shift exponent 132 is too large for 32-bit type 'int' Fixes: 609/clusterfuzz-testcase-4825202619842560 See 11.2.2 IHDR Image header Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4279613a2652cdf2bee564f4b7244567e5ba91ba --- libavcodec/pngdec.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 5b0d3cf..c2ea4d2 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth= bytestream2_get_byte(>gb); +if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && +s->bit_depth != 8 && s->bit_depth != 16) { +av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); +goto error; +} s->color_type = bytestream2_get_byte(>gb); s->compression_type = bytestream2_get_byte(>gb); s->filter_type = bytestream2_get_byte(>gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: +s->cur_w = s->cur_h = s->width = s->height = 0; +s->bit_depth = 8; +return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
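Review bot: The new check validates the bit depth on its own, before `color_type` is read, so combinations such as bit depth 1 with a truecolour type still pass here. Whether the pair is validated later is not visible in the hunk; if it is not, a combined check after the `color_type` read would be the natural place. The `error:` path also resets `bit_depth` to 8 and zeroes the dimensions, while the earlier failure in the same function returns `AVERROR_INVALIDDATA` directly; a comment on the label explaining why this failure needs the context reset and the other does not would make the asymmetry intentional rather than accidental. decode_ihdr_chunk starts outside the hunk.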
[FFmpeg-cvslog] avcodec/mpeg12dec: Fix runtime error: left shift of negative value
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 18:47:13 2017 +0100| [706757d26dd5e606c1745a4bb53fe45f6d6493cf] | committer: Michael Niedermayer avcodec/mpeg12dec: Fix runtime error: left shift of negative value Fixes: 608/clusterfuzz-testcase-603978286392934 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=706757d26dd5e606c1745a4bb53fe45f6d6493cf --- libavcodec/mpeg12dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index f3cf6eb..5f86029 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { -s->mv[i][0][0] <<= 1; -s->mv[i][0][1] <<= 1; +s->mv[i][0][0] *= 2; +s->mv[i][0][1] *= 2; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avfilter/f_setcmd: fix null pointer dereference on using dash as interval
ffmpeg | branch: master | Marton Balint| Thu Feb 9 00:03:21 2017 +0100| [a9f3e4b138fc14f7512fde821c051fe1ff7f124f] | committer: Marton Balint avfilter/f_setcmd: fix null pointer dereference on using dash as interval Fixes Coverity CID 1396259. Reviewed-by: Paul B Mahol Signed-off-by: Marton Balint > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9f3e4b138fc14f7512fde821c051fe1ff7f124f --- libavfilter/f_sendcmd.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavfilter/f_sendcmd.c b/libavfilter/f_sendcmd.c index fb30220..522d6ad 100644 --- a/libavfilter/f_sendcmd.c +++ b/libavfilter/f_sendcmd.c @@ -268,6 +268,13 @@ static int parse_interval(Interval *interval, int interval_count, char *start, *end; start = av_strtok(intervalstr, "-", ); +if (!start) { +ret = AVERROR(EINVAL); +av_log(log_ctx, AV_LOG_ERROR, + "Invalid interval specification '%s' in interval #%d\n", + intervalstr, interval_count); +goto end; +} if ((ret = av_parse_time(>start_ts, start, 1)) < 0) { av_log(log_ctx, AV_LOG_ERROR, "Invalid start time specification '%s' in interval #%d\n", ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/fifo: assert on disallowed message type and state combinations
ffmpeg | branch: master | Marton Balint| Wed Feb 8 23:28:21 2017 +0100| [8985e4af2bba6b2eb901693a6202e998b9929a68] | committer: Marton Balint avformat/fifo: assert on disallowed message type and state combinations Fixes Coverity CID 1396277. Signed-off-by: Marton Balint > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8985e4af2bba6b2eb901693a6202e998b9929a68 --- libavformat/fifo.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/fifo.c b/libavformat/fifo.c index 8f525e5..2cbe5c5 100644 --- a/libavformat/fifo.c +++ b/libavformat/fifo.c @@ -19,6 +19,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include "libavutil/avassert.h" #include "libavutil/opt.h" #include "libavutil/time.h" #include "libavutil/thread.h" @@ -207,7 +208,7 @@ static int fifo_thread_write_trailer(FifoThreadContext *ctx) static int fifo_thread_dispatch_message(FifoThreadContext *ctx, FifoMessage *msg) { -int ret; +int ret = AVERROR(EINVAL); if (!ctx->header_written) { ret = fifo_thread_write_header(ctx); @@ -217,6 +218,7 @@ static int fifo_thread_dispatch_message(FifoThreadContext *ctx, FifoMessage *msg switch(msg->type) { case FIFO_WRITE_HEADER: +av_assert0(ret >= 0); return ret; case FIFO_WRITE_PACKET: return fifo_thread_write_packet(ctx, >pkt); @@ -224,6 +226,7 @@ static int fifo_thread_dispatch_message(FifoThreadContext *ctx, FifoMessage *msg return fifo_thread_flush_output(ctx); } +av_assert0(0); return AVERROR(EINVAL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
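Review bot: Both new assertions are `av_assert0`, which stays active in release builds, so an unexpected `msg->type` now aborts the whole process instead of failing the write. The same happens for a `FIFO_WRITE_HEADER` message that arrives after the header was already written, where `ret` still holds its `AVERROR(EINVAL)` initialiser. If those states are truly unreachable that is fine, but the hunks do not show what guarantees it; for a muxer running inside a long-lived application I would prefer logging and returning the error. As written, `return AVERROR(EINVAL);` after `av_assert0(0);` is dead code and could carry a comment saying it exists only to satisfy the compiler.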
[FFmpeg-cvslog] avdevice/iec61883: free packet on buffer allocation error
ffmpeg | branch: master | Marton Balint| Wed Feb 8 23:37:42 2017 +0100| [4556dad2b7379a527134db519ab60111abefaf10] | committer: Marton Balint avdevice/iec61883: free packet on buffer allocation error Fixes Coverity CID 1396416. Signed-off-by: Marton Balint > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4556dad2b7379a527134db519ab60111abefaf10 --- libavdevice/iec61883.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c index c45ae9a..721dca3 100644 --- a/libavdevice/iec61883.c +++ b/libavdevice/iec61883.c @@ -120,6 +120,7 @@ static int iec61883_callback(unsigned char *data, int length, packet->buf = av_malloc(length); if (!packet->buf) { +av_free(packet); ret = -1; goto exit; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/huffyuvencdsp: use an actual unsigned long constant
ffmpeg | branch: master | James Almer| Mon Feb 6 19:57:53 2017 -0300| [b921b3b42b61a3dff19157bf3eec1f6f38a2cae7] | committer: James Almer avcodec/huffyuvencdsp: use an actual unsigned long constant Reviewed-by: Michael Niedermayer Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b921b3b42b61a3dff19157bf3eec1f6f38a2cae7 --- libavcodec/huffyuvencdsp.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvencdsp.c b/libavcodec/huffyuvencdsp.c index 7edcce8..427d118 100644 --- a/libavcodec/huffyuvencdsp.c +++ b/libavcodec/huffyuvencdsp.c @@ -21,6 +21,9 @@ #include "huffyuvencdsp.h" #include "mathops.h" +// 0x00010001 or 0x0001000100010001 or whatever, depending on the cpu's native arithmetic size +#define pw_1 (ULONG_MAX / UINT16_MAX) + static void diff_int16_c(uint16_t *dst, const uint16_t *src1, const uint16_t *src2, unsigned mask, int w){ long i; #if !HAVE_FAST_UNALIGNED @@ -34,8 +37,8 @@ static void diff_int16_c(uint16_t *dst, const uint16_t *src1, const uint16_t *sr }else #endif { -unsigned long pw_lsb = (mask >> 1) * 0x0001000100010001ULL; -unsigned long pw_msb = pw_lsb + 0x0001000100010001ULL; +unsigned long pw_lsb = (mask >> 1) * pw_1; +unsigned long pw_msb = pw_lsb + pw_1; for (i = 0; i <= w - (int)sizeof(long)/2; i += sizeof(long)/2) { long a = *(long*)(src1+i); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
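Review bot: The `pw_1` macro is defined identically in this file and in libavcodec/huffyuvdsp.c, so the two copies can drift; a single definition in a header both files already share would be safer. It also relies on `ULONG_MAX` and `UINT16_MAX` being visible, which neither hunk's include lines show directly, so presumably they arrive through another header. The lower-case name reads like a variable at the use sites `(mask >> 1) * pw_1`; an upper-case name or a `static const unsigned long` would make it clear that this is a compile-time constant.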
[FFmpeg-cvslog] avcodec/huffyuvdsp: use an actual unsigned long constant
ffmpeg | branch: master | James Almer| Mon Feb 6 19:57:30 2017 -0300| [21d25da18025856bb30d80173174bb4218a91f82] | committer: James Almer avcodec/huffyuvdsp: use an actual unsigned long constant Reviewed-by: Michael Niedermayer Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21d25da18025856bb30d80173174bb4218a91f82 --- libavcodec/huffyuvdsp.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuvdsp.c b/libavcodec/huffyuvdsp.c index 759ffda..e770923 100644 --- a/libavcodec/huffyuvdsp.c +++ b/libavcodec/huffyuvdsp.c @@ -23,10 +23,13 @@ #include "mathops.h" #include "huffyuvdsp.h" +// 0x00010001 or 0x0001000100010001 or whatever, depending on the cpu's native arithmetic size +#define pw_1 (ULONG_MAX / UINT16_MAX) + static void add_int16_c(uint16_t *dst, const uint16_t *src, unsigned mask, int w){ long i; -unsigned long pw_lsb = (mask >> 1) * 0x0001000100010001ULL; -unsigned long pw_msb = pw_lsb + 0x0001000100010001ULL; +unsigned long pw_lsb = (mask >> 1) * pw_1; +unsigned long pw_msb = pw_lsb + pw_1; for (i = 0; i <= w - (int)sizeof(long)/2; i += sizeof(long)/2) { long a = *(long*)(src+i); long b = *(long*)(dst+i); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wavpacl: Fix runtime error: left shift of negative value -1
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 15:09:34 2017 +0100| [12eebb845a7fe1ced91606547352cbdd93a2726d] | committer: Michael Niedermayer avcodec/wavpacl: Fix runtime error: left shift of negative value -1 Fixes: 607/clusterfuzz-testcase-5108792465293312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=12eebb845a7fe1ced91606547352cbdd93a2726d --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 2bd7783..24d57f5 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); -s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); +s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC= bytestream2_get_le32(); // parse metadata blocks ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
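Review bot: `-1UL` makes the width of the shifted constant platform-dependent: `unsigned long` is 32 bits on ILP32 and 64-bit Windows targets, whereas the line above builds `hybrid_maxclip` from `1LL`. If `orig_bpp - 1` can reach 32, or if `hybrid_minclip` is wider than 32 bits (neither is visible in the hunk), the result differs between platforms or the shift is undefined again. Writing the bound as `s->hybrid_minclip = -(1LL << (orig_bpp - 1));` mirrors the maxclip line and avoids shifting a negative value without narrowing the type. wavpack_decode_block continues outside the hunk.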
[FFmpeg-cvslog] avcodec/flac: Fix several integer overflows
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 14:34:55 2017 +0100| [3e1028c625e11d9d19376f5c88267de1cee8fa70] | committer: Michael Niedermayer avcodec/flac: Fix several integer overflows Fixes: 686513-media Found-by: Matt Wolenetz Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e1028c625e11d9d19376f5c88267de1cee8fa70 --- libavcodec/flacdec.c | 4 ++-- libavcodec/flacdsp.c | 12 ++-- libavcodec/flacdsp.h | 11 +++ 3 files changed, 15 insertions(+), 12 deletions(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 0fffc2d..6ea86d4 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -326,7 +326,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, return 0; } -static void lpc_analyze_remodulate(int32_t *decoded, const int coeffs[32], +static void lpc_analyze_remodulate(SUINT32 *decoded, const int coeffs[32], int order, int qlevel, int len, int bps) { int i, j; @@ -342,7 +342,7 @@ static void lpc_analyze_remodulate(int32_t *decoded, const int coeffs[32], for (i = len - 1; i >= order; i--) { int64_t p = 0; for (j = 0; j < order; j++) -p += coeffs[j] * (int64_t)decoded[i-order+j]; +p += coeffs[j] * (int64_t)(int32_t)decoded[i-order+j]; decoded[i] -= p >> qlevel; } for (i = order; i < len; i++, decoded++) { diff --git a/libavcodec/flacdsp.c b/libavcodec/flacdsp.c index 52c3e32..560091f 100644 --- a/libavcodec/flacdsp.c +++ b/libavcodec/flacdsp.c @@ -43,14 +43,6 @@ #define PLANAR 1 #include "flacdsp_template.c" -// For debuging we use signed operations so overflows can be detected (by ubsan) -// For production we use unsigned so there are no undefined operations -#ifdef CHECKED -#define SUINT int -#else -#define SUINT unsigned -#endif - static void flac_lpc_16_c(int32_t *decoded, const int coeffs[32], int pred_order, int qlevel, int len) { 
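Review bot: Changing the parameter to `SUINT32 *decoded` means lpc_analyze_remodulate takes a `uint32_t *` in normal builds, while its caller, which is outside the hunk, presumably still passes the decoder's `int32_t *` buffer. That needs a cast at the call site, or it produces a pointer-signedness warning that appears only in non-CHECKED builds. Inside the function every remaining use of `decoded[...]` now has unsigned semantics, so any comparison, division or right shift on those elements in the part of the body not shown would silently change meaning. The visible line handles this correctly with `(int64_t)(int32_t)decoded[i-order+j]`. A comment at the top of the function stating that the elements are signed samples held in a wrapping type would make that rule explicit.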
@@ -67,9 +59,9 @@ static void flac_lpc_16_c(int32_t *decoded, const int coeffs[32], c = coeffs[j]; } s0 += c*d; -d = decoded[j] += s0 >> qlevel; +d = decoded[j] += (SUINT)(s0 >> qlevel); s1 += c*d; -decoded[j + 1] += s1 >> qlevel; +decoded[j + 1] += (SUINT)(s1 >> qlevel); } if (i < len) { int sum = 0; diff --git a/libavcodec/flacdsp.h b/libavcodec/flacdsp.h index f5cbd94..31417f8 100644 --- a/libavcodec/flacdsp.h +++ b/libavcodec/flacdsp.h @@ -20,8 +20,19 @@ #define AVCODEC_FLACDSP_H #include +#include "libavutil/internal.h" #include "libavutil/samplefmt.h" +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + typedef struct FLACDSPContext { void (*decorrelate[4])(uint8_t **out, int32_t **in, int channels, int len, int shift); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
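Review bot: Moving `SUINT` and `SUINT32` into flacdsp.h exposes two short, generic macro names to every file that includes this header, and the accompanying comment explains only the debug/production split, not how the types may be used. I would extend it with the usage rule, e.g. `/* values are semantically signed; cast back to int/int32_t before comparing, dividing or right-shifting */`. A codec-neutral location may be worth considering if other decoders are expected to adopt the same pattern. In flac_lpc_16_c the casts `(SUINT)(s0 >> qlevel)` follow that rule, but the declarations of `s0`, `c` and `d` are outside the hunk, so whether `s0 += c*d;` is itself computed in the wrapping type cannot be confirmed from here.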
[FFmpeg-cvslog] Factor CHECKED out of DEBUG so it can be set seperatly
ffmpeg | branch: master | Michael Niedermayer| Sun Feb 19 12:49:45 2017 +0100| [e8d4eacc07c61ae24f48451073a2620d8d257d33] | committer: Michael Niedermayer Factor CHECKED out of DEBUG so it can be set seperatly Suggested-by: Matt Wolenetz Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8d4eacc07c61ae24f48451073a2620d8d257d33 --- libavcodec/flacdsp.c | 2 +- libavutil/internal.h | 4 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/flacdsp.c b/libavcodec/flacdsp.c index 180d4e7..52c3e32 100644 --- a/libavcodec/flacdsp.c +++ b/libavcodec/flacdsp.c @@ -45,7 +45,7 @@ // For debuging we use signed operations so overflows can be detected (by ubsan) // For production we use unsigned so there are no undefined operations -#ifdef DEBUG +#ifdef CHECKED #define SUINT int #else #define SUINT unsigned diff --git a/libavutil/internal.h b/libavutil/internal.h index a19975d..4d1b3e2 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,10 @@ #define NDEBUG #endif +#if defined(DEBUG) && !defined(CHECKED) +#define CHECKED +#endif + #include #include #include ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/pngdec: Store metadata directly into AVFrame
ffmpeg | branch: master | Michael Niedermayer| Thu Feb 2 21:48:05 2017 +0100| [2ac6eedac5e576bb98c9ba6573cfcd4782b175b0] | committer: Michael Niedermayer avcodec/pngdec: Store metadata directly into AVFrame Fixes memleak Fixes: 500/clusterfuzz-testcase-6315221727576064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2ac6eedac5e576bb98c9ba6573cfcd4782b175b0 --- libavcodec/pngdec.c | 13 + 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 601b8db..5b0d3cf 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1098,7 +1098,7 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s, static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, AVFrame *p, AVPacket *avpkt) { -AVDictionary *metadata = NULL; +AVDictionary **metadatap = NULL; uint32_t tag, length; int decode_next_dat = 0; int ret; @@ -1109,7 +1109,6 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { -av_frame_set_metadata(p, metadata); return 0; } @@ -1155,6 +1154,7 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, } } +metadatap = avpriv_frame_get_metadatap(p); switch (tag) { case MKTAG('I', 'H', 'D', 'R'): if ((ret = decode_ihdr_chunk(avctx, s, length)) < 0) 
@@ -1196,12 +1196,12 @@ static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s, goto skip_tag; break; case MKTAG('t', 'E', 'X', 't'): -if (decode_text_chunk(s, length, 0, ) < 0) +if (decode_text_chunk(s, length, 0, metadatap) < 0) av_log(avctx, AV_LOG_WARNING, "Broken tEXt chunk\n"); bytestream2_skip(>gb, length + 4); break; case MKTAG('z', 'T', 'X', 't'): -if (decode_text_chunk(s, length, 1, ) < 0) +if (decode_text_chunk(s, length, 1, metadatap) < 0) av_log(avctx, AV_LOG_WARNING, "Broken zTXt chunk\n"); bytestream2_skip(>gb, length + 4); break; @@ -1238,9 +1238,9 @@ skip_tag: } } exit_loop: + if (avctx->codec_id == AV_CODEC_ID_PNG && avctx->skip_frame == AVDISCARD_ALL) { -av_frame_set_metadata(p, metadata); return 0; } @@ -1290,12 +1290,9 @@ exit_loop: ff_thread_report_progress(>picture, INT_MAX, 0); ff_thread_report_progress(>previous_picture, INT_MAX, 0); -av_frame_set_metadata(p, metadata); -metadata = NULL; return 0; fail: -av_dict_free(); ff_thread_report_progress(>picture, INT_MAX, 0); ff_thread_report_progress(>previous_picture, INT_MAX, 0); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
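Review bot: With text chunks now written straight into the frame through `metadatap`, the `fail:` path no longer frees anything, so entries parsed before the failure stay attached to `p`. That is leak-free only if the caller unreferences the frame on error, which is outside these hunks and worth confirming. `metadatap = avpriv_frame_get_metadatap(p);` is also re-evaluated for every chunk inside the loop although `p` does not change in the visible lines; initialising the variable with that call at its declaration would remove the window in which it is NULL. decode_frame_common extends beyond the hunks.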