[FFmpeg-cvslog] avfilter/af_atempo: fix drift calculation, ticket #6157

2017-02-19 Thread Pavel Koshevoy
ffmpeg | branch: master | Pavel Koshevoy  | Mon Feb 20 
10:51:28 2017 +0800| [947fdad92de8ce6912ed8f3095c218c35d0b9fa7] | committer: 
Steven Liu

avfilter/af_atempo: fix drift calculation, ticket #6157

ticket #6157

Reported-by: Steven Liu 
Signed-off-by: Pavel Koshevoy 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=947fdad92de8ce6912ed8f3095c218c35d0b9fa7
---

 libavfilter/af_atempo.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavfilter/af_atempo.c b/libavfilter/af_atempo.c
index a487882..eb62656 100644
--- a/libavfilter/af_atempo.c
+++ b/libavfilter/af_atempo.c
@@ -697,11 +697,11 @@ static int yae_adjust_position(ATempoContext *atempo)
 AudioFragment   *frag = yae_curr_frag(atempo);
 
 const double prev_output_position =
-(double)(prev->position[1] - atempo->origin[1] + atempo->window / 2);
+(double)(prev->position[1] - atempo->origin[1] + atempo->window / 2) *
+atempo->tempo;
 
 const double ideal_output_position =
-(double)(prev->position[0] - atempo->origin[0] + atempo->window / 2) /
-atempo->tempo;
+(double)(prev->position[0] - atempo->origin[0] + atempo->window / 2);
 
 const int drift = (int)(prev_output_position - ideal_output_position);
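Review bot: `drift` changes unit with this edit and nothing in the hunk says so. `prev_output_position` is now scaled by `atempo->tempo` onto the input timeline while `ideal_output_position` is left unscaled, so the difference is counted in input samples where it used to be output samples. A short comment above the two declarations, e.g. `/* both positions are expressed on the input timeline */`, would keep the code that consumes `drift` (outside this hunk) from being read with the old unit in mind. The `(int)` cast is also unguarded: converting a double that does not fit in `int` is undefined, so if the position fields are 64-bit (their type is not visible here) a clamp before the cast would be safer.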
 



[FFmpeg-cvslog] avcodec/h264_ps: Fix runtime error: signed integer overflow: -1094995528 * 2 cannot be represented in type 'int'

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 22:54:30 2017 +0100| [59e5b05ef6f26064fc399f8e23aa05f962b8ae48] | 
committer: Michael Niedermayer

avcodec/h264_ps: Fix runtime error: signed integer overflow: -1094995528 * 2 
cannot be represented in type 'int'

Fixes: 615/clusterfuzz-testcase-5488002644049920
Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59e5b05ef6f26064fc399f8e23aa05f962b8ae48
---

 libavcodec/h264_ps.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 8218e3a..270d06b 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -468,7 +468,7 @@ int ff_h264_decode_seq_parameter_set(GetBitContext *gb, 
AVCodecContext *avctx,
 
 sps->frame_mbs_only_flag = get_bits1(gb);
 
-if (sps->mb_height >= INT_MAX / 2) {
+if (sps->mb_height >= INT_MAX / 2U) {
 av_log(avctx, AV_LOG_ERROR, "height overflow\n");
 goto fail;
 }
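Review bot: The `2U` suffix turns `sps->mb_height >= INT_MAX / 2U` into an unsigned comparison, so a negative `mb_height` is rejected only because it converts to a large unsigned value; a later cleanup could easily undo that by accident. Spelling the intent out, `if (sps->mb_height < 0 || sps->mb_height >= INT_MAX / 2) {`, or a one-line comment on the suffix, would make the guard self-explanatory. This assumes `mb_height` is a signed `int`, which the hunk does not show. The function body continues outside the hunk.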



[FFmpeg-cvslog] avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int'

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 22:40:29 2017 +0100| [258763ad0e1efff82bbe2beb97527d3c19f40932] | 
committer: Michael Niedermayer

avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 
cannot be represented in type 'int'

Fixes: 614/clusterfuzz-testcase-4931860079575040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=258763ad0e1efff82bbe2beb97527d3c19f40932
---

 libavcodec/h264_cabac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index fe83425..17a4bda 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1743,7 +1743,7 @@ decode_cabac_residual_internal(const H264Context *h, 
H264SliceContext *sl,
 while( j-- ) { \
 coeff_abs += coeff_abs + get_cabac_bypass( CC ); \
 } \
-coeff_abs+= 14; \
+coeff_abs+= 14U; \
 } \
 \
 if( is_dc ) { \
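Review bot: `coeff_abs+= 14U;` makes the addition defined, but the value still wraps, and the commit title's 2147483647 shows the doubling loop above can bring `coeff_abs` right up to INT_MAX. If `coeff_abs` is a signed `int` (its declaration is outside the hunk), the wrapped sum converts back to a large negative coefficient that the rest of the macro then uses. A clamp before the value is stored, or a comment stating why the wrapped coefficient is harmless downstream, would document the decision. The macro body starts and ends outside the hunk.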



[FFmpeg-cvslog] avcodec/mjpegdec: Fix runtime error: left shift of negative value -507

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 20:39:13 2017 +0100| [c91bdd4524815125e1f7d8dee22ee7a73173c39a] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Fix runtime error: left shift of negative value -507

Fixes: 611/clusterfuzz-testcase-5613455820193792

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c91bdd4524815125e1f7d8dee22ee7a73173c39a
---

 libavcodec/mjpegdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 34a988d..69469c5 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1137,7 +1137,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, 
int predictor,
 if (s->interlaced && s->bottom_field)
 ptr += linesize >> 1;
 pred &= mask;
-*ptr= pred + (dc << point_transform);
+*ptr= pred + ((unsigned)dc << point_transform);
 }else{
 ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 
2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap
 if(y==0 && toprow){
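Review bot: Only the 8-bit store gets the `(unsigned)` cast. The `else` branch that writes through `ptr16` begins in the last context lines and its store is outside the hunk, so if it also computes `dc << point_transform` it needs the same treatment. The cast fixes the negative left operand, but `point_transform` is not range-checked in the visible lines and a shift count of 32 or more is still undefined for `unsigned`. A one-line comment naming where `point_transform` is bounded would settle that for readers.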



[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 21:33:27 2017 +0100| [aa2b75263e17651187b1475551a02aa2f4ff65fe] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative

Fixes: 612/clusterfuzz-testcase-4707817137111040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa2b75263e17651187b1475551a02aa2f4ff65fe
---

 libavcodec/mpeg4videodec.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 0e549ef..58ae05f 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -367,6 +367,12 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext 
*ctx, GetBitContext *g
 } else {
 int shift_y = 16 - ctx->sprite_shift[0];
 int shift_c = 16 - ctx->sprite_shift[1];
+
+if (shift_c < 0 || shift_y < 0) {
+avpriv_request_sample(s->avctx, "Too large sprite shift");
+return AVERROR_PATCHWELCOME;
+}
+
 for (i = 0; i < 2; i++) {
 s->sprite_offset[0][i] *= 1 << shift_y;
 s->sprite_offset[1][i] *= 1 << shift_c;
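Review bot: The new guard checks only the lower bound of `shift_y` and `shift_c`, so the scaling lines `s->sprite_offset[0][i] *= 1 << shift_y;` and `s->sprite_offset[1][i] *= 1 << shift_c;` are still exposed. If `ctx->sprite_shift[]` can be negative, the exponent can reach 31 or more. Even for valid exponents the multiplication can overflow when the offset is large. Both depend on types and ranges declared outside the hunk, so this is inferred. An upper bound in the same `if`, plus scaling in `int64_t` with a range check before storing, would cover the remaining cases.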



[FFmpeg-cvslog] avcodec/eac3dec: Fix runtime error: left shift of negative value

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 20:32:48 2017 +0100| [067485b673f6ac4b1207d6fc975d1fd968edc68e] | 
committer: Michael Niedermayer

avcodec/eac3dec: Fix runtime error: left shift of negative value

Fixes: 610/clusterfuzz-testcase-4831030085156864

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=067485b673f6ac4b1207d6fc975d1fd968edc68e
---

 libavcodec/eac3dec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c
index 83a54bc..be23502 100644
--- a/libavcodec/eac3dec.c
+++ b/libavcodec/eac3dec.c
@@ -252,7 +252,7 @@ static void 
ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
 /* Vector Quantization */
 int v = get_bits(gbc, bits);
 for (blk = 0; blk < 6; blk++) {
-s->pre_mantissa[ch][bin][blk] = 
ff_eac3_mantissa_vq[hebap][v][blk] << 8;
+s->pre_mantissa[ch][bin][blk] = 
ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8);
 }
 } else {
 /* Gain Adaptive Quantization */
@@ -271,12 +271,12 @@ static void 
ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
 int b;
 int mbits = bits - (2 - log_gain);
 mant = get_sbits(gbc, mbits);
-mant <<= (23 - (mbits - 1));
+mant = ((unsigned)mant) << (23 - (mbits - 1));
 /* remap mantissa value to correct for asymmetric 
quantization */
 if (mant >= 0)
 b = 1 << (23 - log_gain);
 else
-b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8;
+b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 
<< 8);
 mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * 
(int64_t)mant) >> 15) + b;
 } else {
 /* small mantissa, no GAQ, or Gk=1 */
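Review bot: The cast in `mant = ((unsigned)mant) << (23 - (mbits - 1));` fixes the negative left operand, but the shift count is still unchecked: it goes negative once `mbits` exceeds 24, and `mbits` is derived from `bits` and `log_gain` with no range check in the visible lines. If the tables that produce `bits` guarantee a small value, a comment stating that bound next to the shift would record it. The following `if (mant >= 0)` now depends on the unsigned result converting back to a negative `int`, which is implementation-defined; a short comment there would help too. The function continues outside the hunk.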



[FFmpeg-cvslog] opus_pvq: fix PVQ search for K < 5 and low Ns

2017-02-19 Thread Rostislav Pehlivanov
ffmpeg | branch: master | Rostislav Pehlivanov  | Sun Feb 
19 18:20:39 2017 +| [67fa02ed794f9505bd9c3584c14bfb61c895f5bc] | committer: 
Rostislav Pehlivanov

opus_pvq: fix PVQ search for K < 5 and low Ns

If the PVQ search picked a place to increment/decrement on the y[]
vector which had no pulse then it would cause a desync since it would
change the sum in the wrong direction. Fix this by not considering
places without pulses as viable.

This makes the PVQ search slightly worse at K < 5 which isn't all that
common. Still, this is a workaround to prevent making broken files until
I can think of a better way of fixing it.

Also add an assertion, which can be removed or moved to assert1/2 once
the PVQ search is stable.

Signed-off-by: Rostislav Pehlivanov 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=67fa02ed794f9505bd9c3584c14bfb61c895f5bc
---

 libavcodec/opus_pvq.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/opus_pvq.c b/libavcodec/opus_pvq.c
index 4197ccd..5920ab0 100644
--- a/libavcodec/opus_pvq.c
+++ b/libavcodec/opus_pvq.c
@@ -277,7 +277,7 @@ static inline int celt_compute_qn(int N, int b, int offset, 
int pulse_cap,
 }
 
 /* Convert the quantized vector to an index */
-static inline uint32_t celt_icwrsi(uint32_t N, const int *y)
+static inline uint32_t celt_icwrsi(uint32_t N, uint32_t K, const int *y)
 {
 int i, idx = 0, sum = 0;
 for (i = N - 1; i >= 0; i--) {
@@ -285,6 +285,7 @@ static inline uint32_t celt_icwrsi(uint32_t N, const int *y)
 idx += CELT_PVQ_U(N - i, sum) + (y[i] < 0)*i_s;
 sum += FFABS(y[i]);
 }
+av_assert0(sum == K);
 return idx;
 }
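Review bot: `av_assert0(sum == K);` compares the signed `int sum` with the `uint32_t K`, so the check goes through an implicit signed-to-unsigned conversion. `sum` is accumulated from `FFABS(y[i])` and cannot be negative short of overflow, so the result is right today, but writing `av_assert0((uint32_t)sum == K);` makes the conversion visible and avoids a sign-compare warning. The function starts in the previous hunk.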
 
@@ -376,7 +377,7 @@ static inline uint64_t celt_cwrsi(uint32_t N, uint32_t K, 
uint32_t i, int *y)
 
 static inline void celt_encode_pulses(OpusRangeCoder *rc, int *y, uint32_t N, 
uint32_t K)
 {
-ff_opus_rc_enc_uint(rc, celt_icwrsi(N, y), CELT_PVQ_V(N, K));
+ff_opus_rc_enc_uint(rc, celt_icwrsi(N, K, y), CELT_PVQ_V(N, K));
 }
 
 static inline float celt_decode_pulses(OpusRangeCoder *rc, int *y, uint32_t N, 
uint32_t K)
@@ -415,7 +416,8 @@ static void celt_pvq_search(float *X, int *y, int K, int N)
 float xy_new = xy_norm + 1*phase*FFABS(X[i]);
 float y_new  = y_norm  + 2*phase*FFABS(y[i]);
 xy_new = xy_new * xy_new;
-if ((max_den*xy_new) > (y_new*max_num)) {
+/* FIXME: the y[i] check makes the search slightly worse at Ks 
below 5 */
+if (y[i] && (max_den*xy_new) > (y_new*max_num)) {
 max_den = y_new;
 max_num = xy_new;
 max_idx = i;
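Review bot: With `y[i] &&` added, a pass in which every candidate has `y[i] == 0` selects nothing, and `max_idx` keeps whatever it was initialised to before the loop, which is outside the hunk. If the code after the loop then adjusts `y[max_idx]` unconditionally, it would touch a position without a pulse, which is the desync the commit describes. A guard after the loop for the nothing-selected case, or a comment stating why at least one non-zero `y[i]` always exists here, would settle it.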



[FFmpeg-cvslog] avcodec/pngdec: Check bit depth for validity

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 19:12:25 2017 +0100| [4279613a2652cdf2bee564f4b7244567e5ba91ba] | 
committer: Michael Niedermayer

avcodec/pngdec: Check bit depth for validity

Fixes: runtime error: shift exponent 132 is too large for 32-bit type 'int'
Fixes: 609/clusterfuzz-testcase-4825202619842560

See 11.2.2 IHDR Image header

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4279613a2652cdf2bee564f4b7244567e5ba91ba
---

 libavcodec/pngdec.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 5b0d3cf..c2ea4d2 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
 return AVERROR_INVALIDDATA;
 }
 s->bit_depth= bytestream2_get_byte(>gb);
+if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 &&
+s->bit_depth != 8 && s->bit_depth != 16) {
+av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n");
+goto error;
+}
 s->color_type   = bytestream2_get_byte(>gb);
 s->compression_type = bytestream2_get_byte(>gb);
 s->filter_type  = bytestream2_get_byte(>gb);
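Review bot: The new check accepts any of 1, 2, 4, 8 and 16 before `color_type` is read, but the IHDR section the commit cites allows only certain depth and colour-type pairs; truecolour, for example, is limited to 8 and 16. If that pairing is not validated elsewhere in the decoder, a second check right after the `s->color_type` read, also ending in `goto error;`, would reject the remaining invalid headers in the same place. The function starts outside the hunk and ends in the next one.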
@@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
 s->compression_type, s->filter_type, s->interlace_type);
 
 return 0;
+error:
+s->cur_w = s->cur_h = s->width = s->height = 0;
+s->bit_depth = 8;
+return AVERROR_INVALIDDATA;
 }
 
 static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s)
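Review bot: The `error:` label zeroes the dimensions and forces `bit_depth` to 8 with no explanation, while the `return AVERROR_INVALIDDATA;` at the top of the previous hunk exits without that reset. A comment such as `/* leave the context with a valid depth so later code never shifts by a bogus value */` would tell the next reader the reset is a safety measure, if that is the purpose. It would also help to state whether the earlier return needs the same reset.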



[FFmpeg-cvslog] avcodec/mpeg12dec: Fix runtime error: left shift of negative value

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 18:47:13 2017 +0100| [706757d26dd5e606c1745a4bb53fe45f6d6493cf] | 
committer: Michael Niedermayer

avcodec/mpeg12dec: Fix runtime error: left shift of negative value

Fixes: 608/clusterfuzz-testcase-603978286392934

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=706757d26dd5e606c1745a4bb53fe45f6d6493cf
---

 libavcodec/mpeg12dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index f3cf6eb..5f86029 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t 
block[12][64])
s->last_mv[i][0][1]);
 /* full_pel: only for MPEG-1 */
 if (s->full_pel[i]) {
-s->mv[i][0][0] <<= 1;
-s->mv[i][0][1] <<= 1;
+s->mv[i][0][0] *= 2;
+s->mv[i][0][1] *= 2;
 }
 }
 }



[FFmpeg-cvslog] avfilter/f_setcmd: fix null pointer dereference on using dash as interval

2017-02-19 Thread Marton Balint
ffmpeg | branch: master | Marton Balint  | Thu Feb  9 00:03:21 
2017 +0100| [a9f3e4b138fc14f7512fde821c051fe1ff7f124f] | committer: Marton 
Balint

avfilter/f_setcmd: fix null pointer dereference on using dash as interval

Fixes Coverity CID 1396259.

Reviewed-by: Paul B Mahol 
Signed-off-by: Marton Balint 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9f3e4b138fc14f7512fde821c051fe1ff7f124f
---

 libavfilter/f_sendcmd.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavfilter/f_sendcmd.c b/libavfilter/f_sendcmd.c
index fb30220..522d6ad 100644
--- a/libavfilter/f_sendcmd.c
+++ b/libavfilter/f_sendcmd.c
@@ -268,6 +268,13 @@ static int parse_interval(Interval *interval, int 
interval_count,
 char *start, *end;
 
 start = av_strtok(intervalstr, "-", );
+if (!start) {
+ret = AVERROR(EINVAL);
+av_log(log_ctx, AV_LOG_ERROR,
+   "Invalid interval specification '%s' in interval #%d\n",
+   intervalstr, interval_count);
+goto end;
+}
 if ((ret = av_parse_time(>start_ts, start, 1)) < 0) {
 av_log(log_ctx, AV_LOG_ERROR,
"Invalid start time specification '%s' in interval #%d\n",



[FFmpeg-cvslog] avformat/fifo: assert on disallowed message type and state combinations

2017-02-19 Thread Marton Balint
ffmpeg | branch: master | Marton Balint  | Wed Feb  8 23:28:21 
2017 +0100| [8985e4af2bba6b2eb901693a6202e998b9929a68] | committer: Marton 
Balint

avformat/fifo: assert on disallowed message type and state combinations

Fixes Coverity CID 1396277.

Signed-off-by: Marton Balint 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8985e4af2bba6b2eb901693a6202e998b9929a68
---

 libavformat/fifo.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/fifo.c b/libavformat/fifo.c
index 8f525e5..2cbe5c5 100644
--- a/libavformat/fifo.c
+++ b/libavformat/fifo.c
@@ -19,6 +19,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
+#include "libavutil/avassert.h"
 #include "libavutil/opt.h"
 #include "libavutil/time.h"
 #include "libavutil/thread.h"
@@ -207,7 +208,7 @@ static int fifo_thread_write_trailer(FifoThreadContext *ctx)
 
 static int fifo_thread_dispatch_message(FifoThreadContext *ctx, FifoMessage 
*msg)
 {
-int ret;
+int ret = AVERROR(EINVAL);
 
 if (!ctx->header_written) {
 ret = fifo_thread_write_header(ctx);
@@ -217,6 +218,7 @@ static int fifo_thread_dispatch_message(FifoThreadContext 
*ctx, FifoMessage *msg
 
 switch(msg->type) {
 case FIFO_WRITE_HEADER:
+av_assert0(ret >= 0);
 return ret;
 case FIFO_WRITE_PACKET:
 return fifo_thread_write_packet(ctx, >pkt);
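Review bot: `av_assert0(ret >= 0);` encodes an invariant that is not written down. With `ret` now initialised to `AVERROR(EINVAL)`, the assert appears to fire exactly when a `FIFO_WRITE_HEADER` message arrives after the header was already written. Because `av_assert0` stays enabled in release builds, that case aborts the whole process from the worker thread instead of returning an error. A comment such as `/* a second FIFO_WRITE_HEADER is a caller bug: ret is still the EINVAL initialiser */` would make the choice explicit, or the case could keep the plain `return ret;` and let the caller report it. The function starts in the previous hunk and ends in the next one.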
@@ -224,6 +226,7 @@ static int fifo_thread_dispatch_message(FifoThreadContext 
*ctx, FifoMessage *msg
 return fifo_thread_flush_output(ctx);
 }
 
+av_assert0(0);
 return AVERROR(EINVAL);
 }
 



[FFmpeg-cvslog] avdevice/iec61883: free packet on buffer allocation error

2017-02-19 Thread Marton Balint
ffmpeg | branch: master | Marton Balint  | Wed Feb  8 23:37:42 
2017 +0100| [4556dad2b7379a527134db519ab60111abefaf10] | committer: Marton 
Balint

avdevice/iec61883: free packet on buffer allocation error

Fixes Coverity CID 1396416.

Signed-off-by: Marton Balint 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4556dad2b7379a527134db519ab60111abefaf10
---

 libavdevice/iec61883.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavdevice/iec61883.c b/libavdevice/iec61883.c
index c45ae9a..721dca3 100644
--- a/libavdevice/iec61883.c
+++ b/libavdevice/iec61883.c
@@ -120,6 +120,7 @@ static int iec61883_callback(unsigned char *data, int 
length,
 
 packet->buf = av_malloc(length);
 if (!packet->buf) {
+av_free(packet);
 ret = -1;
 goto exit;
 }



[FFmpeg-cvslog] avcodec/huffyuvencdsp: use an actual unsigned long constant

2017-02-19 Thread James Almer
ffmpeg | branch: master | James Almer  | Mon Feb  6 19:57:53 
2017 -0300| [b921b3b42b61a3dff19157bf3eec1f6f38a2cae7] | committer: James Almer

avcodec/huffyuvencdsp: use an actual unsigned long constant

Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b921b3b42b61a3dff19157bf3eec1f6f38a2cae7
---

 libavcodec/huffyuvencdsp.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/huffyuvencdsp.c b/libavcodec/huffyuvencdsp.c
index 7edcce8..427d118 100644
--- a/libavcodec/huffyuvencdsp.c
+++ b/libavcodec/huffyuvencdsp.c
@@ -21,6 +21,9 @@
 #include "huffyuvencdsp.h"
 #include "mathops.h"
 
+// 0x00010001 or 0x0001000100010001 or whatever, depending on the cpu's native 
arithmetic size
+#define pw_1 (ULONG_MAX / UINT16_MAX)
+
 static void diff_int16_c(uint16_t *dst, const uint16_t *src1, const uint16_t 
*src2, unsigned mask, int w){
 long i;
 #if !HAVE_FAST_UNALIGNED
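Review bot: `pw_1` is built from `ULONG_MAX` and `UINT16_MAX`, but neither `<limits.h>` nor `<stdint.h>` appears in the visible include block, so the macro depends on a project header pulling them in; including both explicitly would make the file self-contained. The same lowercase macro is added verbatim to libavcodec/huffyuvdsp.c in the next commit on this page, and a single definition in a shared header would keep the two from diverging. The comment's "or whatever" could state the actual rule, e.g. `/* 0x0001 replicated into every 16-bit lane of an unsigned long */`.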
@@ -34,8 +37,8 @@ static void diff_int16_c(uint16_t *dst, const uint16_t *src1, 
const uint16_t *sr
 }else
 #endif
 {
-unsigned long pw_lsb = (mask >> 1) * 0x0001000100010001ULL;
-unsigned long pw_msb = pw_lsb +  0x0001000100010001ULL;
+unsigned long pw_lsb = (mask >> 1) * pw_1;
+unsigned long pw_msb = pw_lsb +  pw_1;
 
 for (i = 0; i <= w - (int)sizeof(long)/2; i += sizeof(long)/2) {
 long a = *(long*)(src1+i);



[FFmpeg-cvslog] avcodec/huffyuvdsp: use an actual unsigned long constant

2017-02-19 Thread James Almer
ffmpeg | branch: master | James Almer  | Mon Feb  6 19:57:30 
2017 -0300| [21d25da18025856bb30d80173174bb4218a91f82] | committer: James Almer

avcodec/huffyuvdsp: use an actual unsigned long constant

Reviewed-by: Michael Niedermayer 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21d25da18025856bb30d80173174bb4218a91f82
---

 libavcodec/huffyuvdsp.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/huffyuvdsp.c b/libavcodec/huffyuvdsp.c
index 759ffda..e770923 100644
--- a/libavcodec/huffyuvdsp.c
+++ b/libavcodec/huffyuvdsp.c
@@ -23,10 +23,13 @@
 #include "mathops.h"
 #include "huffyuvdsp.h"
 
+// 0x00010001 or 0x0001000100010001 or whatever, depending on the cpu's native 
arithmetic size
+#define pw_1 (ULONG_MAX / UINT16_MAX)
+
 static void add_int16_c(uint16_t *dst, const uint16_t *src, unsigned mask, int 
w){
 long i;
-unsigned long pw_lsb = (mask >> 1) * 0x0001000100010001ULL;
-unsigned long pw_msb = pw_lsb +  0x0001000100010001ULL;
+unsigned long pw_lsb = (mask >> 1) * pw_1;
+unsigned long pw_msb = pw_lsb +  pw_1;
 for (i = 0; i <= w - (int)sizeof(long)/2; i += sizeof(long)/2) {
 long a = *(long*)(src+i);
 long b = *(long*)(dst+i);



[FFmpeg-cvslog] avcodec/wavpacl: Fix runtime error: left shift of negative value -1

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 15:09:34 2017 +0100| [12eebb845a7fe1ced91606547352cbdd93a2726d] | 
committer: Michael Niedermayer

avcodec/wavpacl: Fix runtime error: left shift of negative value -1

Fixes: 607/clusterfuzz-testcase-5108792465293312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=12eebb845a7fe1ced91606547352cbdd93a2726d
---

 libavcodec/wavpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 2bd7783..24d57f5 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int 
block_no,
 s->hybrid_bitrate =   s->frame_flags & WV_HYBRID_BITRATE;
 s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f);
 s->hybrid_maxclip =  ((1LL << (orig_bpp - 1)) - 1);
-s->hybrid_minclip = ((-1LL << (orig_bpp - 1)));
+s->hybrid_minclip = ((-1UL << (orig_bpp - 1)));
 s->CRC= bytestream2_get_le32();
 
 // parse metadata blocks
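Review bot: `-1UL` ties the width of `hybrid_minclip`'s initialiser to `unsigned long`, which is 32 bits on 32-bit and Windows targets, while the line above still uses `1LL` for `hybrid_maxclip`. The two bounds are therefore computed in different widths, and the result relies on an unsigned-to-signed conversion when stored. Mirroring the max line avoids both the negative shift and the platform dependence: `s->hybrid_minclip = -(1LL << (orig_bpp - 1));`. The range of `orig_bpp` is set outside the hunk, so the shift count itself is not checked here.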



[FFmpeg-cvslog] avcodec/flac: Fix several integer overflows

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 14:34:55 2017 +0100| [3e1028c625e11d9d19376f5c88267de1cee8fa70] | 
committer: Michael Niedermayer

avcodec/flac: Fix several integer overflows

Fixes: 686513-media
Found-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e1028c625e11d9d19376f5c88267de1cee8fa70
---

 libavcodec/flacdec.c |  4 ++--
 libavcodec/flacdsp.c | 12 ++--
 libavcodec/flacdsp.h | 11 +++
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 0fffc2d..6ea86d4 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -326,7 +326,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t 
*decoded,
 return 0;
 }
 
-static void lpc_analyze_remodulate(int32_t *decoded, const int coeffs[32],
+static void lpc_analyze_remodulate(SUINT32 *decoded, const int coeffs[32],
int order, int qlevel, int len, int bps)
 {
 int i, j;
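Review bot: Changing the first parameter to `SUINT32 *decoded` alters the pointer type in non-CHECKED builds, yet the diffstat shows only this line and the `p +=` line changing in flacdec.c, so the call site is untouched. If the caller passes an `int32_t *` (not visible here), it now relies on an implicit `int32_t *` to `uint32_t *` conversion, which compilers report as a pointer-sign mismatch. Either cast at the call site or keep the `int32_t *` signature and use a local `SUINT32 *` alias inside the function. The body continues in the next hunk.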
@@ -342,7 +342,7 @@ static void lpc_analyze_remodulate(int32_t *decoded, const 
int coeffs[32],
 for (i = len - 1; i >= order; i--) {
 int64_t p = 0;
 for (j = 0; j < order; j++)
-p += coeffs[j] * (int64_t)decoded[i-order+j];
+p += coeffs[j] * (int64_t)(int32_t)decoded[i-order+j];
 decoded[i] -= p >> qlevel;
 }
 for (i = order; i < len; i++, decoded++) {
diff --git a/libavcodec/flacdsp.c b/libavcodec/flacdsp.c
index 52c3e32..560091f 100644
--- a/libavcodec/flacdsp.c
+++ b/libavcodec/flacdsp.c
@@ -43,14 +43,6 @@
 #define PLANAR 1
 #include "flacdsp_template.c"
 
-// For debuging we use signed operations so overflows can be detected (by 
ubsan)
-// For production we use unsigned so there are no undefined operations
-#ifdef CHECKED
-#define SUINT   int
-#else
-#define SUINT   unsigned
-#endif
-
 static void flac_lpc_16_c(int32_t *decoded, const int coeffs[32],
   int pred_order, int qlevel, int len)
 {
@@ -67,9 +59,9 @@ static void flac_lpc_16_c(int32_t *decoded, const int 
coeffs[32],
 c = coeffs[j];
 }
 s0 += c*d;
-d = decoded[j] += s0 >> qlevel;
+d = decoded[j] += (SUINT)(s0 >> qlevel);
 s1 += c*d;
-decoded[j + 1] += s1 >> qlevel;
+decoded[j + 1] += (SUINT)(s1 >> qlevel);
 }
 if (i < len) {
 int sum = 0;
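Review bot: The `(SUINT)` casts cover the two `decoded[...] +=` stores, but the accumulations between them, `s0 += c*d;` and `s1 += c*d;`, are unchanged context. If `s0`, `s1`, `c` and `d` are plain `int` (their declarations are outside the hunk), those products can still overflow on crafted coefficients. That is the same undefined behaviour the commit removes from the stores. Declaring them as `SUINT`, or adding a comment on why the products stay in range, would make the function consistent. The function starts in the previous hunk and ends outside this one.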
diff --git a/libavcodec/flacdsp.h b/libavcodec/flacdsp.h
index f5cbd94..31417f8 100644
--- a/libavcodec/flacdsp.h
+++ b/libavcodec/flacdsp.h
@@ -20,8 +20,19 @@
 #define AVCODEC_FLACDSP_H
 
 #include 
+#include "libavutil/internal.h"
 #include "libavutil/samplefmt.h"
 
+// For debuging we use signed operations so overflows can be detected (by 
ubsan)
+// For production we use unsigned so there are no undefined operations
+#ifdef CHECKED
+#define SUINT   int
+#define SUINT32 int32_t
+#else
+#define SUINT   unsigned
+#define SUINT32 uint32_t
+#endif
+
 typedef struct FLACDSPContext {
 void (*decorrelate[4])(uint8_t **out, int32_t **in, int channels,
int len, int shift);



[FFmpeg-cvslog] Factor CHECKED out of DEBUG so it can be set seperatly

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Feb 19 12:49:45 2017 +0100| [e8d4eacc07c61ae24f48451073a2620d8d257d33] | 
committer: Michael Niedermayer

Factor CHECKED out of DEBUG so it can be set seperatly

Suggested-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8d4eacc07c61ae24f48451073a2620d8d257d33
---

 libavcodec/flacdsp.c | 2 +-
 libavutil/internal.h | 4 
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/flacdsp.c b/libavcodec/flacdsp.c
index 180d4e7..52c3e32 100644
--- a/libavcodec/flacdsp.c
+++ b/libavcodec/flacdsp.c
@@ -45,7 +45,7 @@
 
 // For debuging we use signed operations so overflows can be detected (by 
ubsan)
 // For production we use unsigned so there are no undefined operations
-#ifdef DEBUG
+#ifdef CHECKED
 #define SUINT   int
 #else
 #define SUINT   unsigned
diff --git a/libavutil/internal.h b/libavutil/internal.h
index a19975d..4d1b3e2 100644
--- a/libavutil/internal.h
+++ b/libavutil/internal.h
@@ -30,6 +30,10 @@
 #define NDEBUG
 #endif
 
+#if defined(DEBUG) && !defined(CHECKED)
+#define CHECKED
+#endif
+
 #include 
 #include 
 #include 
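Review bot: `CHECKED` is introduced here with no comment describing what it switches. Defining it selects the signed `SUINT` variant in flacdsp.c, where overflow is undefined again, so a note at the definition would help keep it out of production builds: `/* CHECKED: use signed arithmetic so UBSan can see overflows; do not enable in release builds */`.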



[FFmpeg-cvslog] avcodec/pngdec: Store metadata directly into AVFrame

2017-02-19 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Feb  2 21:48:05 2017 +0100| [2ac6eedac5e576bb98c9ba6573cfcd4782b175b0] | 
committer: Michael Niedermayer

avcodec/pngdec: Store metadata directly into AVFrame

Fixes memleak
Fixes: 500/clusterfuzz-testcase-6315221727576064

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2ac6eedac5e576bb98c9ba6573cfcd4782b175b0
---

 libavcodec/pngdec.c | 13 +
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 601b8db..5b0d3cf 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1098,7 +1098,7 @@ static int handle_p_frame_apng(AVCodecContext *avctx, 
PNGDecContext *s,
 static int decode_frame_common(AVCodecContext *avctx, PNGDecContext *s,
AVFrame *p, AVPacket *avpkt)
 {
-AVDictionary *metadata  = NULL;
+AVDictionary **metadatap = NULL;
 uint32_t tag, length;
 int decode_next_dat = 0;
 int ret;
@@ -1109,7 +1109,6 @@ static int decode_frame_common(AVCodecContext *avctx, 
PNGDecContext *s,
 
 if (avctx->codec_id == AV_CODEC_ID_PNG &&
 avctx->skip_frame == AVDISCARD_ALL) {
-av_frame_set_metadata(p, metadata);
 return 0;
 }
 
@@ -1155,6 +1154,7 @@ static int decode_frame_common(AVCodecContext *avctx, 
PNGDecContext *s,
 }
 }
 
+metadatap = avpriv_frame_get_metadatap(p);
 switch (tag) {
 case MKTAG('I', 'H', 'D', 'R'):
 if ((ret = decode_ihdr_chunk(avctx, s, length)) < 0)
@@ -1196,12 +1196,12 @@ static int decode_frame_common(AVCodecContext *avctx, 
PNGDecContext *s,
 goto skip_tag;
 break;
 case MKTAG('t', 'E', 'X', 't'):
-if (decode_text_chunk(s, length, 0, ) < 0)
+if (decode_text_chunk(s, length, 0, metadatap) < 0)
 av_log(avctx, AV_LOG_WARNING, "Broken tEXt chunk\n");
 bytestream2_skip(>gb, length + 4);
 break;
 case MKTAG('z', 'T', 'X', 't'):
-if (decode_text_chunk(s, length, 1, ) < 0)
+if (decode_text_chunk(s, length, 1, metadatap) < 0)
 av_log(avctx, AV_LOG_WARNING, "Broken zTXt chunk\n");
 bytestream2_skip(>gb, length + 4);
 break;
@@ -1238,9 +1238,9 @@ skip_tag:
 }
 }
 exit_loop:
+
 if (avctx->codec_id == AV_CODEC_ID_PNG &&
 avctx->skip_frame == AVDISCARD_ALL) {
-av_frame_set_metadata(p, metadata);
 return 0;
 }
 
@@ -1290,12 +1290,9 @@ exit_loop:
 ff_thread_report_progress(>picture, INT_MAX, 0);
 ff_thread_report_progress(>previous_picture, INT_MAX, 0);
 
-av_frame_set_metadata(p, metadata);
-metadata   = NULL;
 return 0;
 
 fail:
-av_dict_free();
 ff_thread_report_progress(>picture, INT_MAX, 0);
 ff_thread_report_progress(>previous_picture, INT_MAX, 0);
 return ret;
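Review bot: With `av_dict_free` gone from the `fail:` path, entries already written through `metadatap` stay attached to `p` when decoding fails. That is safe only if every caller unreferences or discards the frame on error, which is outside this diff. A comment at `fail:` such as `/* metadata is owned by p and released with the frame */` would record the new ownership rule. `metadatap` is also re-fetched on every chunk iteration before the `switch`; assigning it once before the loop would read more clearly, assuming `p` is not replaced inside the loop.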
