[FFmpeg-cvslog] avformat/utils: fix mixed declarations and code

2018-04-12 Thread James Almer
ffmpeg | branch: release/3.3 | James Almer | Fri Nov 24 17:46:16 2017 -0300 | [3e3704da0c71d5254b986300f610b0f0217f2023] | committer: Michael Niedermayer

avformat/utils: fix mixed declarations and code

Signed-off-by: James Almer 
(cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6)

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e3704da0c71d5254b986300f610b0f0217f2023
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2053c3f755..0749151ee3 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1732,10 +1732,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt)
 
 if (next_pkt->dts != AV_NOPTS_VALUE) {
 int wrap_bits = 
s->streams[next_pkt->stream_index]->pts_wrap_bits;
-av_assert2(wrap_bits <= 64);
 // last dts seen for this stream. if any of packets following
 // current one had no dts, we will set this to AV_NOPTS_VALUE.
 int64_t last_dts = next_pkt->dts;
+av_assert2(wrap_bits <= 64);
 while (pktl && next_pkt->pts == AV_NOPTS_VALUE) {
 if (pktl->pkt.stream_index == next_pkt->stream_index &&
 av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << 
(wrap_bits - 1)) < 0) {
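Review bot: the relocated av_assert2() bounds wrap_bits only from above, while the shift `2ULL << (wrap_bits - 1)` a few lines below is also undefined for wrap_bits == 0; if pts_wrap_bits is guaranteed positive where streams are set up, a comment here saying so would make that dependency visible, otherwise extend the assertion to `wrap_bits > 0 && wrap_bits <= 64`. Moving the assertion below the `int64_t last_dts` declaration rather than hoisting the declaration is the right way to satisfy -Wdeclaration-after-statement without touching the comment that belongs to last_dts.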

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] Update for 3.3.7

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Apr 13 01:22:06 2018 +0200 | [7af6fba1455afb19e12b19119665b97f4fd032dd] | committer: Michael Niedermayer

Update for 3.3.7

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7af6fba1455afb19e12b19119665b97f4fd032dd
---

 Changelog| 103 +++
 RELEASE  |   2 +-
 doc/Doxyfile |   2 +-
 3 files changed, 105 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index cd95ddab50..24337668ed 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,109 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 3.3.7:
+- avformat/utils: fix mixed declarations and code
+- avcodec/mjpegdec: Check input buffer size.
+- avcodec/h264_slice: Fix integer overflow with last_poc
+- avformat/mov: Fix extradata memleak
+- lavc/libopusdec: Allow avcodec_open2 to call .close
+- avcodec/movtextdec: Check style_start/end
+- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
+- libavcodec/rv34: error out earlier on missing references
+- swresample/swresample: Fix for seg fault in swr_convert_internal() -> 
sum2_float during dithering.
+- avcodec/aacdec_fixed: Fix integer overflow in 
apply_independent_coupling_fixed()
+- avcodec/cscd: Error out when LZ* decompression fails
+- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
+- avfilter/vf_signature: use av_strlcpy()
+- avcodec/utvideodec: Set pro flag based on fourcc
+- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
+- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
+- avformat/mov: Move +1 in check to avoid hypothetical overflow in 
add_ctts_entry()
+- avcodec/get_bits: Make sure the input bitstream with padding can be addressed
+- avformat/mov: Check STSC and remove invalid entries
+- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded 
pixels thus reject it
+- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
+- avcodec/wmalosslessdec: Reset num_saved_bits on error path
+- avformat/mov: Fix integer overflows related to sample_duration
+- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
+- avformat/oggparseogm: Check lb against psize
+- avformat/oggparseogm: Fix undefined shift in ogm_packet()
+- avformat/avidec: Fix integer overflow in cum_len check
+- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
+- avformat/utils: Fix integer overflow of fps_first/last_dts
+- avformat/oggdec: Fix metadata memleak on multiple headers
+- libavformat/oggparsevorbis: Fix memleak on multiple headers
+- avcodec/truemotion2rt: Check input buffer size
+- avcodec/g2meet: Check tile dimensions with av_image_check_size2()
+- avcodec/exr: fix invalid shift in unpack_14()
+- avcodec/bintext: sanity check dimensions
+- avcodec/utvideodec: Check subsample factors
+- avcodec/smc: Check input packet size
+- avcodec/cavsdec: Check alpha/beta offset
+- avcodec/diracdec: Fix integer overflow in mv computation
+- avcodec/h264_parse: Clear invalid chroma weights in 
ff_h264_pred_weight_table()
+- avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
+- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
+- avcodec/diracdec: Use int64 in global mv to prevent overflow
+- avcodec/dxtory: Remove code that corrupts dimensions
+- avcodec/dirac_dwt_template: Fix Integer overflow in 
horizontal_compose_dd137i()
+- avcodec/hevcdec: Check luma/chroma_log2_weight_denom
+- avcodec/jpeg2000dec: Use av_image_check_size2()
+- avcodec/vp8: Check for bitstream end before vp7_fade_frame()
+- avcodec/exr: Check remaining bits in last get code loop
+- avutil/common: Fix integer overflow in av_clip_uint8_c() and 
av_clip_uint16_c()
+- avcodec/h264_cabac: Tighten allowed coeff_abs range
+- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
+- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
+- avcodec/mpeg4videodec: Ignore multiple VOL headers
+- avcodec/vp3: Check eob_run
+- avcodec/pafvideo: Check allocated frame size
+- avcodec/scpr: Fix reading a pixel before the first
+- avcodec/mpeg2dec: Fix field selection for skipped macroblocks
+- avcodec/huffyuvdec: Check input buffer size
+- avcodec/utvideodec: Fix bytes left check in decode_frame()
+- avcodec/wavpack: Fix integer overflow in FFABS
+- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
+- avcodec/exr: Fix memleaks in decode_header()
+- avcodec/dirac_dwt: Fix several integer overflows
+- avcodec/indeo5: Do not leave frame_type set to an invalid value
+- avcodec/hevc_ps: Check log2_sao_offset_scale_*
+- avcodec/hevc_ps: extract SPS fields required for hvcC construction
+- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
+- avcodec/get_bits: Document the return 
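Review bot: the nuv entry reading `uncomprssed and rtjpeg` misspells "uncompressed"; the Changelog is user-facing, so fix the spelling before tagging 3.3.7. The listing here is cut off after the get_bits entry, and the RELEASE and doc/Doxyfile changes named in the diffstat are not shown, so only the Changelog part could be reviewed.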

[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat Apr  7 21:55:06 2018 +0200 | [0e5946d5b247d0f9d59096629ccae3bf01b9d40d] | committer: Michael Niedermayer

avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()

Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'

This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e5946d5b247d0f9d59096629ccae3bf01b9d40d
---

 libavcodec/aacsbr_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c
index 0622d2ff7c..a25605800f 100644
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@@ -571,7 +571,7 @@ static void sbr_hf_assemble(int Y1[38][64][2],
 int idx = indexsine&1;
 int A = (1-((indexsine+(kx & 1))&2));
 int B = (A^(-idx)) + idx;
-int *out = [i][kx][idx];
+unsigned *out = [i][kx][idx];
 int shift;
 unsigned round;
 
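Review bot: changing `out` to `unsigned *` makes the accumulation into Y1 wrap with defined semantics instead of the signed overflow the sanitizer reported, but the stored value still wraps; the function signature keeps `int Y1[38][64][2]`, so the array is now written through a pointer of the corresponding unsigned type (which C permits) and the caller reads the wrapped result back as a signed int. If the consumer cannot tolerate wrap-around, a clip or saturating add is the more conservative fix; either way a one-line comment explaining why the pointer type differs from the array type would stop a future cleanup from reverting it.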



[FFmpeg-cvslog] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Mar 29 01:07:24 2018 +0200 | [769cb8973817674c65542efed68aadacb867828b] | committer: Michael Niedermayer

avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables

Found-by: James Almer 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=769cb8973817674c65542efed68aadacb867828b
---

 libavcodec/tableprint_vlc.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h
index 675251a836..3004be3f9c 100644
--- a/libavcodec/tableprint_vlc.h
+++ b/libavcodec/tableprint_vlc.h
@@ -35,6 +35,7 @@
 #define av_freep(p) while(0)
 #define AVCODEC_AVCODEC_H
 #define AVCODEC_INTERNAL_H
+#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this
 #include "tableprint.h"
 #include "get_bits.h"
 #include "mathtables.c"
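Review bot: the stub is needed because `#define AVCODEC_AVCODEC_H` two lines above suppresses the real avcodec.h, which is where AV_INPUT_BUFFER_PADDING_SIZE normally comes from, and the get_bits change listed in this release's Changelog (input bitstream with padding) made get_bits.h depend on it; wrapping the new line in `#ifndef AV_INPUT_BUFFER_PADDING_SIZE` would keep the table generator from emitting a redefinition warning if the include order ever changes. The trailing comment should also say what the stub is for (get_bits.h), not only that the value is arbitrary.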



[FFmpeg-cvslog] avcodec/h264_slice: Fix integer overflow with last_poc

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat Apr  7 00:34:25 2018 +0200 | [41458534aa8890810b678bcdb4c1c04f38b72231] | committer: Michael Niedermayer

avcodec/h264_slice: Fix integer overflow with last_poc

Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int'
Fixes: crbug 823145

Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8c02cd8ca097871dcd00cf8e08ce51660873f405)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41458534aa8890810b678bcdb4c1c04f38b72231
---

 libavcodec/h264_slice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index d83ba000ce..4d24ac6d66 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1297,7 +1297,7 @@ static int h264_select_output_frame(H264Context *h)
 }
 out_of_order = MAX_DELAYED_PIC_COUNT - i;
 if(   cur->f->pict_type == AV_PICTURE_TYPE_B
-   || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && 
h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 
2))
+   || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && 
h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - 
(int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2))
 out_of_order = FFMAX(out_of_order, 1);
 if (out_of_order == MAX_DELAYED_PIC_COUNT) {
 av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, 
h->last_pocs[0]);
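Review bot: the `(int64_t)` cast on the subtrahend promotes the whole subtraction, which removes the overflow quoted in the message (2147483646 - -2816); only the `[MAX_DELAYED_PIC_COUNT-2]` slot is screened against the INT_MIN sentinel, and that is sufficient now because an INT_MIN in the `[-1]` slot yields a large negative 64-bit difference that simply fails the `> 2` test instead of being undefined. The condition has become hard to read across three wrapped lines; hoisting the two POCs into named int64_t locals before the `if` would make both the intent and the cast obvious.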



[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Apr 10 16:12:15 2018 +0200 | [6de499caed33f26cfce32f0ddd74b2a518f60402] | committer: Michael Niedermayer

avcodec/mjpegdec: Check input buffer size.

Fixes: Timeout
Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6de499caed33f26cfce32f0ddd74b2a518f60402
---

 libavcodec/mjpegdec.c | 4 
 libavcodec/mjpegdec.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 31c8fb422d..ab326b8e9a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -309,6 +309,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
 if (av_image_check_size(width, height, 0, s->avctx))
 return AVERROR_INVALIDDATA;
+if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 
4LL)
+return AVERROR_INVALIDDATA;
 
 nb_components = get_bits(>gb, 8);
 if (nb_components <= 0 ||
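Review bot: the new plausibility check multiplies the 8x8 block counts in int, which is safe only because av_image_check_size() on the preceding line already bounds width*height; state that dependency in a comment, otherwise a later reordering of the two checks reintroduces an overflow. The heuristic (more than four 8x8 blocks per input byte) is a timeout guard rather than a strict bound, and the `s->buf_size &&` prefix preserves the old behaviour when no packet size has been recorded; both facts deserve a line in the code, since the commit message only says "Check input buffer size".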
@@ -2091,6 +2093,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 int ret = 0;
 int is16bit;
 
+s->buf_size = buf_size;
+
 av_dict_free(>exif_metadata);
 av_freep(>stereo3d);
 s->adobe_transform = -1;
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index 024cedcb5a..0fa5a748a1 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext {
 AVClass *class;
 AVCodecContext *avctx;
 GetBitContext gb;
+int buf_size;
 
 int start_code; /* current start code */
 int buffer_size;
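Review bot: a new `int buf_size` directly above the existing `int buffer_size` invites confusion; either give it a descriptive name (e.g. `pkt_size`) or at least add a trailing comment in the style of `start_code` saying it holds the size of the packet currently being decoded. From the mjpegdec.c hunk it is assigned at the top of ff_mjpeg_decode_frame() and consumed in ff_mjpeg_decode_sof(); a comment pointing at that pair would make the field's lifetime clear.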



[FFmpeg-cvslog] avformat/mov: Fix extradata memleak

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Apr  6 23:56:57 2018 +0200 | [9b56e65e8c124cb2972295f8d80519c8409ab190] | committer: Michael Niedermayer

avformat/mov: Fix extradata memleak

Fixes: crbug 822705

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0a8133119ca5d087c7c7140d100406ff84c477ee)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b56e65e8c124cb2972295f8d80519c8409ab190
---

 libavformat/mov.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index b60f8f0eac..921db588ef 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2391,6 +2391,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 return mov_finalize_stsd_codec(c, pb, st, sc);
 fail:
+if (sc->extradata) {
+int j;
+for (j = 0; j < sc->stsd_count; j++)
+av_freep(>extradata[j]);
+}
+
 av_freep(>extradata);
 av_freep(>extradata_size);
 return ret;
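Review bot: the per-entry loop frees `sc->stsd_count` pointers, so every slot up to that count must be either a live allocation or NULL; that holds if the array is allocated with a zeroing allocator and `stsd_count` is only raised after each entry is filled, neither of which is visible in this hunk, so please confirm at the allocation site or add a comment. It is also worth checking that the non-fail path releases the same per-entry buffers once ownership has passed to the stream, otherwise the leak is closed only on the error path.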



[FFmpeg-cvslog] avcodec/cscd: Error out when LZ* decompression fails

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Mar 12 00:05:04 2018 +0100 | [1d3c141af4f0fa693cf86d0d7a70265beace4cb5] | committer: Michael Niedermayer

avcodec/cscd: Error out when LZ* decompression fails

Fixes: Timeout
Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d3c141af4f0fa693cf86d0d7a70265beace4cb5
---

 libavcodec/cscd.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index 9e1dec9d96..35c4ee08c3 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 switch ((buf[0] >> 1) & 7) {
 case 0: { // lzo compression
 int outlen = c->decomp_size, inlen = buf_size - 2;
-if (av_lzo1x_decode(c->decomp_buf, , [2], ))
+if (av_lzo1x_decode(c->decomp_buf, , [2], )) {
 av_log(avctx, AV_LOG_ERROR, "error during lzo 
decompression\n");
+return AVERROR_INVALIDDATA;
+}
 break;
 }
 case 1: { // zlib compression
 #if CONFIG_ZLIB
 unsigned long dlen = c->decomp_size;
-if (uncompress(c->decomp_buf, , [2], buf_size - 2) != 
Z_OK)
+if (uncompress(c->decomp_buf, , [2], buf_size - 2) != 
Z_OK) {
 av_log(avctx, AV_LOG_ERROR, "error during zlib 
decompression\n");
+return AVERROR_INVALIDDATA;
+}
 break;
 #else
 av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");
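Review bot: returning AVERROR_INVALIDDATA instead of continuing with a partially written decomp_buf is the right fix for the timeout, but both branches still check only the status code: av_lzo1x_decode() writes the remaining output space back into `outlen` and uncompress() leaves the produced size in `dlen`, and neither is compared with `c->decomp_size` after a successful return. If the code that follows assumes the whole buffer was filled, also reject a short result (`dlen != c->decomp_size`, and a non-zero `outlen` for lzo) and log which case it was.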



[FFmpeg-cvslog] avcodec/utvideodec: Set pro flag based on fourcc

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat Mar 31 03:10:43 2018 +0200 | [15d4dc0da1e9f2450b5f9e748e1704fc0e6ef3a4] | committer: Michael Niedermayer

avcodec/utvideodec: Set pro flag based on fourcc

This avoids mixing 8bit variants with pro and 10bit with non pro mode.
Fixes: out of array read
Fixes: poc_03_30.avi

Found-by: GwanYeong Kim 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 47b7c68ae54560e2308bdb6be4fb076c73b93081)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15d4dc0da1e9f2450b5f9e748e1704fc0e6ef3a4
---

 libavcodec/utvideodec.c | 64 +
 1 file changed, 33 insertions(+), 31 deletions(-)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 2cf9ce2855..50dede6de3 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -832,37 +832,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
 ff_bswapdsp_init(>bdsp);
 ff_llviddsp_init(>llviddsp);
 
-if (avctx->extradata_size >= 16) {
-av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
-   avctx->extradata[3], avctx->extradata[2],
-   avctx->extradata[1], avctx->extradata[0]);
-av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
-   AV_RB32(avctx->extradata + 4));
-c->frame_info_size = AV_RL32(avctx->extradata + 8);
-c->flags   = AV_RL32(avctx->extradata + 12);
-
-if (c->frame_info_size != 4)
-avpriv_request_sample(avctx, "Frame info not 4 bytes");
-av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", 
c->flags);
-c->slices  = (c->flags >> 24) + 1;
-c->compression = c->flags & 1;
-c->interlaced  = c->flags & 0x800;
-} else if (avctx->extradata_size == 8) {
-av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
-   avctx->extradata[3], avctx->extradata[2],
-   avctx->extradata[1], avctx->extradata[0]);
-av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
-   AV_RB32(avctx->extradata + 4));
-c->interlaced  = 0;
-c->pro = 1;
-c->frame_info_size = 4;
-} else {
-av_log(avctx, AV_LOG_ERROR,
-   "Insufficient extradata size %d, should be at least 16\n",
-   avctx->extradata_size);
-return AVERROR_INVALIDDATA;
-}
-
 c->slice_bits_size = 0;
 
 switch (avctx->codec_tag) {
@@ -891,14 +860,17 @@ static av_cold int decode_init(AVCodecContext *avctx)
 break;
 case MKTAG('U', 'Q', 'Y', '2'):
 c->planes  = 3;
+c->pro = 1;
 avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
 break;
 case MKTAG('U', 'Q', 'R', 'G'):
 c->planes  = 3;
+c->pro = 1;
 avctx->pix_fmt = AV_PIX_FMT_GBRP10;
 break;
 case MKTAG('U', 'Q', 'R', 'A'):
 c->planes  = 4;
+c->pro = 1;
 avctx->pix_fmt = AV_PIX_FMT_GBRAP10;
 break;
 case MKTAG('U', 'L', 'H', '0'):
@@ -929,6 +901,36 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return AVERROR_PATCHWELCOME;
 }
 
+if (!c->pro && avctx->extradata_size >= 16) {
+av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
+   avctx->extradata[3], avctx->extradata[2],
+   avctx->extradata[1], avctx->extradata[0]);
+av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
+   AV_RB32(avctx->extradata + 4));
+c->frame_info_size = AV_RL32(avctx->extradata + 8);
+c->flags   = AV_RL32(avctx->extradata + 12);
+
+if (c->frame_info_size != 4)
+avpriv_request_sample(avctx, "Frame info not 4 bytes");
+av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", 
c->flags);
+c->slices  = (c->flags >> 24) + 1;
+c->compression = c->flags & 1;
+c->interlaced  = c->flags & 0x800;
+} else if (c->pro && avctx->extradata_size == 8) {
+av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n",
+   avctx->extradata[3], avctx->extradata[2],
+   avctx->extradata[1], avctx->extradata[0]);
+av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n",
+   AV_RB32(avctx->extradata + 4));
+c->interlaced  = 0;
+c->frame_info_size = 4;
+} else {
+av_log(avctx, AV_LOG_ERROR,
+   "Insufficient extradata size %d, should be at least 16\n",
+   avctx->extradata_size);
+return AVERROR_INVALIDDATA;
+}
+
 return 0;
 }
 
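Review bot: the `else` branch keeps the message "Insufficient extradata size %d, should be at least 16", but after this restructuring it is also reached for a pro fourcc whose extradata is not exactly 8 bytes and for a non-pro fourcc with exactly 8 bytes, so the text misleads in those cases; print the expected size based on `c->pro`. The substance of the fix is that `c->pro` is now derived from the fourcc in the switch above and the extradata size is only validated against it, whereas the removed block set `c->pro = 1` from `extradata_size == 8` alone, which let an 8-bit variant run in pro mode and read out of array as the commit message notes; a short comment above `if (!c->pro && ...)` stating that rule would help the next reader.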


[FFmpeg-cvslog] avformat/oggdec: Fix metadata memleak on multiple headers

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Mar  6 18:14:12 2018 +0100 | [fef832c188c07245c7b9a44432a89f49a4c0d2ff] | committer: Michael Niedermayer

avformat/oggdec: Fix metadata memleak on multiple headers

Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit da069e9c68ec1a54e618940dcb9ebae9bf179a32)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fef832c188c07245c7b9a44432a89f49a4c0d2ff
---

 libavformat/oggdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 193a286e43..6a05278b52 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -128,7 +128,10 @@ static int ogg_restore(AVFormatContext *s)
 ogg->state = ost->next;
 
 for (i = 0; i < ogg->nstreams; i++) {
-av_freep(>streams[i].buf);
+struct ogg_stream *stream = >streams[i];
+av_freep(>buf);
+av_freep(>new_metadata);
+
 if (i >= ost->nstreams || !ost->streams[i].private) {
 free_stream(s, i);
 }
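Review bot: av_freep() only releases and NULLs the pointer; if `struct ogg_stream` keeps a byte count alongside `new_metadata`, reset it in the same place so a stale size cannot be paired with the NULL pointer after restore. Introducing the `stream` local is a good readability change; the `ost->streams[i]` indexing that remains in this loop could use the same pattern.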



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat Mar 31 21:19:19 2018 +0200 | [ae2c159b87f2ee5c12c9403deadf3ccdeb2503c4] | committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()

I was not able to reproduce this; this fix is based on just the fuzzer log.
Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ae2c159b87f2ee5c12c9403deadf3ccdeb2503c4
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 6ba0e63325..b19a622403 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
 int i, c, shift, round, tmp;
 const int gain = cce->coup.gain[index][0];
 const int *src = cce->ch[0].ret;
-int *dest = target->ret;
+unsigned int *dest = target->ret;
 const int len = 1024 << (ac->oc[1].m4ac.sbr == 1);
 
 c = cce_scale_fixed[gain & 7];
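Review bot: the commit message says the overflow could not be reproduced, so this is a blind fix; please add the clusterfuzz case (4959/...) as a regression input or at least re-run it under UBSan on this branch before the release is tagged. As with the matching aacsbr_fixed change in this batch, `unsigned int *dest` makes the accumulation wrap with defined semantics while `src` stays `const int *`; a comment saying the wrap-around is intentional would stop it from being "corrected" back to `int *`.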



[FFmpeg-cvslog] avfilter/vf_signature: use av_strlcpy()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Mar 30 02:16:31 2018 +0200 | [49336482fd04541623e9418264644dd80640dbfe] | committer: Michael Niedermayer

avfilter/vf_signature: use av_strlcpy()

Fixes: out of array access

Found-by: Kira 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 35eeff30caf34df835206f1c12bcf4b7c2bd6758)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=49336482fd04541623e9418264644dd80640dbfe
---

 libavfilter/vf_signature.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c
index 06b1b910d4..3b117e7735 100644
--- a/libavfilter/vf_signature.c
+++ b/libavfilter/vf_signature.c
@@ -573,7 +573,8 @@ static int export(AVFilterContext *ctx, StreamContext *sc, 
int input)
 /* error already handled */
 av_assert0(av_get_frame_filename(filename, sizeof(filename), 
sic->filename, input) == 0);
 } else {
-strcpy(filename, sic->filename);
+if (av_strlcpy(filename, sic->filename, sizeof(filename)) >= 
sizeof(filename))
+return AVERROR(EINVAL);
 }
 if (sic->format == FORMAT_XML) {
 return xml_export(ctx, sc, filename);
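Review bot: av_strlcpy() returns the length of the source string, so `>= sizeof(filename)` detects truncation exactly, and refusing to export under a truncated path is the right call; but the branch above carries the comment `error already handled`, which implies the other path logs before failing, so add an av_log(ctx, AV_LOG_ERROR, ...) here naming the over-long filename length, otherwise the user only sees EINVAL. Style nit: the condition wraps awkwardly; a local `size_t n = av_strlcpy(...)` followed by `if (n >= sizeof(filename))` reads better.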



[FFmpeg-cvslog] avformat/mov: Fix integer overflows related to sample_duration

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Mar  9 16:43:29 2018 +0100 | [edfe9ae63b191ea435f23628904094fdba3f1364] | committer: Michael Niedermayer

avformat/mov: Fix integer overflows related to sample_duration

Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type

Fixes: Chromium bug 791349

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edfe9ae63b191ea435f23628904094fdba3f1364
---

 libavformat/mov.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index f2eb22eb3d..5381dbb704 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2672,14 +2672,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 && total_sample_count > 100
 && sample_duration/10 > duration / total_sample_count)
 sample_duration = duration / total_sample_count;
-duration+=(int64_t)sample_duration*sample_count;
+duration+=(int64_t)sample_duration*(uint64_t)sample_count;
 total_sample_count+=sample_count;
 }
 
 sc->stts_count = i;
 
-sc->duration_for_fps  += duration;
-sc->nb_frames_for_fps += total_sample_count;
+if (duration > 0 &&
+duration <= INT64_MAX - sc->duration_for_fps &&
+total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+) {
+sc->duration_for_fps  += duration;
+sc->nb_frames_for_fps += total_sample_count;
+}
 
 if (pb->eof_reached)
 return AVERROR_EOF;
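Review bot: casting `sample_count` to uint64_t makes the multiplication defined but not meaningful: a negative `sample_duration` (the message quotes negative operands) still wraps, and the result is converted back to int64_t on the `+=`, so a garbage `duration` can reach the `duration > 0` test. The guarded accumulation into duration_for_fps/nb_frames_for_fps silently drops contributions that would overflow, which is acceptable for an fps estimate, but an av_log at AV_LOG_DEBUG when that happens would make such files diagnosable instead of just yielding a wrong frame rate.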
@@ -4340,8 +4345,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 dts += sample_duration;
 offset += sample_size;
 sc->data_size += sample_size;
-sc->duration_for_fps += sample_duration;
-sc->nb_frames_for_fps ++;
+
+if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
+1 <= INT64_MAX - sc->nb_frames_for_fps
+) {
+sc->duration_for_fps += sample_duration;
+sc->nb_frames_for_fps ++;
+}
 }
 
 if (pb->eof_reached)
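Review bot: unlike the mov_read_stts hunk, this one has no `sample_duration > 0` guard, so a negative sample_duration from a trun box can drive `sc->duration_for_fps` below zero; once it is negative, the guard expression `INT64_MAX - sc->duration_for_fps` itself overflows, and the sum is no longer protected from wrapping past INT64_MIN on a further large negative value. Mirror the stts condition (require a positive duration) or check both bounds.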



[FFmpeg-cvslog] libavformat/oggparsevorbis: Fix memleak on multiple headers

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Mar  6 18:14:12 2018 +0100 | [6daa205cd3fe32dcf6eb61c8949fab33a3501498] | committer: Michael Niedermayer

libavformat/oggparsevorbis: Fix memleak on multiple headers

Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6daa205cd3fe32dcf6eb61c8949fab33a3501498
---

 libavformat/oggparsevorbis.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index 65b1998a02..572e5169ca 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -230,6 +230,10 @@ static int fixup_vorbis_headers(AVFormatContext *as,
 
 len = priv->len[0] + priv->len[1] + priv->len[2];
 buf_len = len + len / 255 + 64;
+
+if (*buf)
+return AVERROR_INVALIDDATA;
+
 ptr = *buf = av_realloc(NULL, buf_len);
 if (!ptr)
 return AVERROR(ENOMEM);
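Review bot: rejecting a second header set with AVERROR_INVALIDDATA, rather than freeing and rebuilding `*buf`, fixes the leak without invalidating a pointer any consumer of the previous buffer may still hold, but it silently turns a malformed-yet-playable stream into a hard failure; an av_log(as, AV_LOG_ERROR, ...) saying duplicate Vorbis headers were seen would make the behaviour change discoverable. The companion oggdec change in this batch takes the other approach (free on restore), so a comment on why this site refuses instead of freeing would help.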



[FFmpeg-cvslog] avcodec/wmalosslessdec: Reset num_saved_bits on error path

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Mar 11 00:13:57 2018 +0100 | [02bf1c617cdd34a80a290963c23f92a7e01630dc] | committer: Michael Niedermayer

avcodec/wmalosslessdec: Reset num_saved_bits on error path

Fixes: NULL pointer dereference
Fixes: poc-201803.wav
Found-by: GwanYeong Kim 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02bf1c617cdd34a80a290963c23f92a7e01630dc
---

 libavcodec/wmalosslessdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 133a3e92d1..59e8929586 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1148,6 +1148,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* 
gb, int len,
 if (len <= 0 || buflen > s->max_frame_size) {
 avpriv_request_sample(s->avctx, "Too small input buffer");
 s->packet_loss = 1;
+s->num_saved_bits = 0;
 return;
 }
 
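Review bot: resetting `num_saved_bits` together with `packet_loss` keeps the saved-bits bookkeeping consistent on this error path; please check whether save_bits() or its callers have other early returns that set `packet_loss` without clearing `num_saved_bits`, since the NULL dereference in the commit message points at the stale count as the trigger and the same stale state would reach the same code from any other bail-out. The message "Too small input buffer" is also misleading for the `buflen > s->max_frame_size` half of the condition, where the buffer is too large.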



[FFmpeg-cvslog] avformat/oggparseogm: Check lb against psize

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Mar  9 01:05:20 2018 +0100 | [e61cdbe27167434b87ff814769b54178c5a3d2a6] | committer: Michael Niedermayer

avformat/oggparseogm: Check lb against psize

No testcase; this was found during code review

Found-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e61cdbe27167434b87ff814769b54178c5a3d2a6
---

 libavformat/oggparseogm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index 4d09d174b8..03499486f7 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -177,6 +177,9 @@ ogm_packet(AVFormatContext *s, int idx)
 os->pflags |= AV_PKT_FLAG_KEY;
 
 lb = ((*p & 2) << 1) | ((*p >> 6) & 3);
+if (os->psize < lb + 1)
+return AVERROR_INVALIDDATA;
+
 os->pstart += lb + 1;
 os->psize -= lb + 1;
 
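Review bot: `lb` is assembled from bits of `*p`, so it is at most 7 and `lb + 1` cannot overflow; the new check therefore correctly guarantees that the header byte plus `lb` length bytes lie inside the packet before `pstart`/`psize` are advanced. Reading `*p` on the line above already requires `os->psize >= 1`, which must be ensured earlier in ogm_packet() (not visible here); if it is not, this check needs to move above that read.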



[FFmpeg-cvslog] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()

2018-04-12 Thread heimdallr
ffmpeg | branch: release/3.3 | heimdallr | Sat Mar 31 19:37:23 2018 +0700 | [3f949b7a6461679204159eb7a9fbcd206484649b] | committer: Michael Niedermayer

avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()

example:

/* the list must be terminated by AV_PIX_FMT_NONE, as the loop in avcodec_find_best_pix_fmt_of_list() expects */
enum AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA, AV_PIX_FMT_NONE };
int loss = 0;
enum AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss);

best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f949b7a6461679204159eb7a9fbcd206484649b
---

 libavcodec/imgconvert.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c
index 1547f18966..7b0005b308 100644
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -69,10 +69,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const 
enum AVPixelFormat *p
 int i;
 
 enum AVPixelFormat best = AV_PIX_FMT_NONE;
+int loss;
 
-for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++)
-best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], 
src_pix_fmt, has_alpha, loss_ptr);
+for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) {
+loss = *loss_ptr;
+best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], 
src_pix_fmt, has_alpha, );
+}
 
+*loss_ptr = loss;
 return best;
 }
 
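Review bot: loss = *loss_ptr on the first added line of the loop dereferences loss_ptr unconditionally, whereas the old code passed loss_ptr straight through to avcodec_find_best_pix_fmt_of_2, so any caller that passed NULL and relied on the callee tolerating it will now crash; use loss = loss_ptr ? *loss_ptr : 0 and guard the final *loss_ptr = loss the same way. A second problem: when pix_fmt_list starts with AV_PIX_FMT_NONE the loop body never runs and *loss_ptr = loss stores an uninitialised int, so loss should be initialised at its declaration.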



[FFmpeg-cvslog] avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb  3 21:36:22 2018 +0100| [8a89cce372884c38c6f22eede59c43f486b83394] | 
committer: Michael Niedermayer

avformat/mov: Move +1 in check to avoid hypothetical overflow in 
add_ctts_entry()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit eb60b9d342265fb1960be6fff6383cfdbf37)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a89cce372884c38c6f22eede59c43f486b83394
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6124b0b573..b60f8f0eac 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2970,7 +2970,7 @@ static int64_t add_ctts_entry(MOVStts** ctts_data, 
unsigned int* ctts_count, uns
 FFMAX(min_size_needed, 2 * (*allocated_size)) :
 min_size_needed;
 
-if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts))
+if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1)
 return -1;
 
 ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size);
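Review bot: the guard still executes after requested_size has been derived from min_size_needed (the two context lines above it); if min_size_needed is itself computed from *ctts_count + 1 times sizeof(MOVStts), the arithmetic this check is meant to protect has already run by the time the check fires, so it belongs before that computation. The rewritten comparison is otherwise sound: UINT_MAX / sizeof(MOVStts) - 1 is evaluated in size_t and cannot underflow because the quotient is far above 1, and the left side no longer adds 1 to a value that may already be UINT_MAX.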



[FFmpeg-cvslog] avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Mar  8 17:28:36 2018 +0100| [3a29fda42ab7da12102d8990859554abfe13996a] | 
committer: Michael Niedermayer

avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE

Fixes: potential signed integer overflow

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a29fda42ab7da12102d8990859554abfe13996a
---

 libavformat/oggparsedaala.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index a373b41b4c..e944470aca 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -218,6 +218,7 @@ static int daala_packet(AVFormatContext *s, int idx)
 int seg, duration = 1;
 struct ogg *ogg = s->priv_data;
 struct ogg_stream *os = ogg->streams + idx;
+int64_t pts;
 
 /*
  * first packet handling: here we parse the duration of each packet in the
@@ -230,7 +231,10 @@ static int daala_packet(AVFormatContext *s, int idx)
 if (os->segments[seg] < 255)
 duration++;
 
-os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - 
duration;
+pts = daala_gptopts(s, idx, os->granule, NULL);
+if (pts != AV_NOPTS_VALUE)
+pts -= duration;
+os->lastpts = os->lastdts = pts;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
 if (s->streams[idx]->duration != AV_NOPTS_VALUE)
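Review bot: with pts left at AV_NOPTS_VALUE, os->lastpts and os->lastdts now carry the sentinel and the next visible line copies it into start_time; the statement following if (s->streams[idx]->duration != AV_NOPTS_VALUE) is cut off here, and if it subtracts start_time from duration it will now operate on the sentinel and overflow in exactly the way this patch fixes. Add pts != AV_NOPTS_VALUE to that condition, or skip the start_time assignment when pts is unset.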



[FFmpeg-cvslog] lavc/libopusdec: Allow avcodec_open2 to call .close

2018-04-12 Thread Matt Wolenetz
ffmpeg | branch: release/3.3 | Matt Wolenetz  | Tue Apr 10 
13:59:25 2018 -0700| [9b1a4da668999c0bd4d78b370872b9448cf746c3] | committer: 
Michael Niedermayer

lavc/libopusdec: Allow avcodec_open2 to call .close

If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.

BUG=828526

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b1a4da668999c0bd4d78b370872b9448cf746c3
---

 libavcodec/libopusdec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
index e6ca61a78f..806ca1863d 100644
--- a/libavcodec/libopusdec.c
+++ b/libavcodec/libopusdec.c
@@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext 
*avc)
 {
 struct libopus_context *opus = avc->priv_data;
 
-opus_multistream_decoder_destroy(opus->dec);
+if (opus->dec) {
+opus_multistream_decoder_destroy(opus->dec);
+opus->dec = NULL;
+}
 return 0;
 }
 
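Review bot: the NULL check on opus->dec is load-bearing rather than cosmetic: the second hunk registers this function as init-failure cleanup, where it may run before the multistream decoder was ever created, and clearing opus->dec afterwards also makes a repeated close harmless. A one-line comment saying so would stop a later cleanup from removing the check as redundant.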
@@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = {
 .decode = libopus_decode,
 .flush  = libopus_flush,
 .capabilities   = AV_CODEC_CAP_DR1,
+.caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
 .sample_fmts= (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT,
  AV_SAMPLE_FMT_S16,
  AV_SAMPLE_FMT_NONE },
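Review bot: FF_CODEC_CAP_INIT_CLEANUP changes the contract of the init path: once the flag is set, any error return from the decoder's init causes .close to be invoked on a partially initialised context, so everything libopus_decode_close releases, not only opus->dec, must be safe to touch in that state; the rest of the close function is not in this diff and should be checked before backporting.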



[FFmpeg-cvslog] libavcodec/rv34: error out earlier on missing references

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Apr  2 20:01:07 2018 +0200| [23f13130f12a269b9b721cf233c3343ffc2ed3bc] | 
committer: Michael Niedermayer

libavcodec/rv34: error out earlier on missing references

Fixes visual corruption on seeking

Fixes: downloadTest_clip_24M.rmvb

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23f13130f12a269b9b721cf233c3343ffc2ed3bc
---

 libavcodec/rv34.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index d2d676a86d..d65ab41552 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1585,7 +1585,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext 
*dst, const AVCodecConte
 
 // Do no call ff_mpeg_update_thread_context on a partially initialized
 // decoder context.
-if (!s1->linesize)
+if (!s1->context_initialized)
 return 0;
 
 return ff_mpeg_update_thread_context(dst, src);
@@ -1733,6 +1733,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
 if ((err = rv34_decoder_realloc(r)) < 0)
 return err;
 }
+if (faulty_b)
+return AVERROR_INVALIDDATA;
 s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I;
 if (ff_mpv_frame_start(s, s->avctx) < 0)
 return -1;
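Review bot: moving the faulty_b check ahead of ff_mpv_frame_start is the substance of the fix: in its old position (removed in the next hunk) the frame was rejected only after a picture had already been started, which is presumably the half-initialised state that produced the corruption on seeking described in the message. A comment above the check stating that it must precede ff_mpv_frame_start would keep a future reordering from reintroducing the problem.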
@@ -1783,8 +1785,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
"multithreading mode (start MB is %d).\n", si.start);
 return AVERROR_INVALIDDATA;
 }
-if (faulty_b)
-return AVERROR_INVALIDDATA;
 
 for(i = 0; i < slice_count; i++){
 int offset  = get_slice_offset(avctx, slices_hdr, i  , slice_count, 
buf_size);



[FFmpeg-cvslog] avcodec/movtextdec: Check style_start/end

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Apr  8 03:29:44 2018 +0200| [c9452899db109d0fe2238d9162a8fd1b315b78c4] | 
committer: Michael Niedermayer

avcodec/movtextdec: Check style_start/end

Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 
6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Philip Langdale 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9452899db109d0fe2238d9162a8fd1b315b78c4
---

 libavcodec/movtextdec.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index fb5085c3e8..73e83f2f2c 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext 
*m, AVPacket *avpkt)
 m->s_temp->style_start = AV_RB16(tsmb);
 tsmb += 2;
 m->s_temp->style_end = AV_RB16(tsmb);
+
+if (   m->s_temp->style_end < m->s_temp->style_start
+|| (m->count_s && m->s_temp->style_start < m->s[m->count_s - 
1]->style_end)) {
+av_freep(>s_temp);
+mov_text_cleanup(m);
+return AVERROR(ENOMEM);
+}
+
 tsmb += 2;
 m->s_temp->style_fontID = AV_RB16(tsmb);
 tsmb += 2;
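Review bot: AVERROR(ENOMEM) is the wrong error code for the new range check; the condition is malformed style data (style_end before style_start, or a style that starts inside the previous one), not an allocation failure, so it should return AVERROR_INVALIDDATA, otherwise callers and logs that distinguish the two will report a memory error on a corrupt subtitle. Rejecting the overlap is also what removes the timeout, since a decreasing or overlapping range is what let the style loop run unboundedly.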



[FFmpeg-cvslog] avformat/avidec: Fix integer overflow in cum_len check

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Mar  8 22:40:50 2018 +0100| [8cf7205a72f5a330781470a28485584f7d08054d] | 
committer: Michael Niedermayer

avformat/avidec: Fix integer overflow in cum_len check

Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented 
in type 'long'
Fixes: Chromium bug 791237

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cf7205a72f5a330781470a28485584f7d08054d
---

 libavformat/avidec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index ed043470f0..64a129af82 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -670,7 +670,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 st->start_time = 0;
 avio_rl32(pb); /* buffer size */
 avio_rl32(pb); /* quality */
-if (ast->cum_len*ast->scale/ast->rate > 3600) {
+if (ast->cum_len > 3600LL * ast->rate / ast->scale) {
 av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving 
up\n");
 ast->cum_len = 0;
 }
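Review bot: the rewritten condition divides by ast->scale where the old one divided by ast->rate; both forms need the two fields to be non-zero, and the validation that guarantees that sits outside this hunk, so a comment pointing at it would help. Writing the product as 3600LL * ast->rate keeps the multiplication in 64-bit arithmetic, which is what removes the overflow quoted in the message; the rounding changes slightly because truncation now happens on the threshold rather than on cum_len*scale/rate, which is acceptable for a sanity check.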



[FFmpeg-cvslog] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Mar 25 01:51:28 2018 +0100| [d79b274acc3a608358c0cd1ffe8ebd92bf108480] | 
committer: Michael Niedermayer

avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()

Fixes: 2018_03_23_poc.wav
Found-by: GwanYeong Kim 

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d79b274acc3a608358c0cd1ffe8ebd92bf108480
---

 libavcodec/wmalosslessdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 59e8929586..eb1db615ae 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1256,7 +1256,9 @@ static int decode_packet(AVCodecContext *avctx, void 
*data, int *got_frame_ptr,
 (frame_size = show_bits(gb, s->log2_frame_size)) &&
 frame_size <= remaining_bits(s, gb)) {
 save_bits(s, gb, frame_size, 0);
-s->packet_done = !decode_frame(s);
+
+if (!s->packet_loss)
+s->packet_done = !decode_frame(s);
 } else if (!s->len_prefix
&& s->num_saved_bits > get_bits_count(>gb)) {
 /* when the frames do not have a length prefix, we don't know the
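Review bot: when s->packet_loss is set, s->packet_done is now left untouched instead of assigned, so the open question is whether a stale value from the previous packet can make the surrounding loop re-enter this branch or spin on the bad packet; if the intent is to discard the remainder of the packet, an explicit else setting s->packet_done = 1 would make that visible. The guard itself is right: decode_frame must not run once packet_loss has invalidated the state it reads.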



[FFmpeg-cvslog] avformat/utils: Fix integer overflow of fps_first/last_dts

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Mar  7 00:10:11 2018 +0100| [e89d8ed7cb3fc0dd1e108a5919b2c6f4f454fe60] | 
committer: Michael Niedermayer

avformat/utils: Fix integer overflow of fps_first/last_dts

Fixes: runtime error: signed integer overflow: 7738135736989908991 - 
-7898362169240453118 cannot be represented in type 'long'
Fixes: Chromium bug 796778
Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e89d8ed7cb3fc0dd1e108a5919b2c6f4f454fe60
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2c622d2c56..2053c3f755 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3622,7 +3622,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
 st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
 (pkt->dts - st->info->fps_last_dts) / 1000 >
-(st->info->fps_last_dts - st->info->fps_first_dts) /
+(st->info->fps_last_dts - 
(uint64_t)st->info->fps_first_dts) /
 (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
 av_log(ic, AV_LOG_WARNING,
"DTS discontinuity in stream %d: packet %d with DTS "
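Review bot: the cast fixes only the right-hand subtraction; (pkt->dts - st->info->fps_last_dts) / 1000 on the line above is still signed 64-bit arithmetic and can overflow the same way for extreme dts values, so it needs the same (uint64_t) treatment. Also, because the right-hand side is now uint64_t the whole comparison is performed unsigned, so a negative left-hand side would convert to a huge value and trigger the warning; the code therefore relies on pkt->dts >= fps_last_dts having been established before this block.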



[FFmpeg-cvslog] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.

2018-04-12 Thread Hendrik Schreiber
ffmpeg | branch: release/3.3 | Hendrik Schreiber  | Thu Apr  
5 13:58:37 2018 +0200| [30c26bb78f6a7d347c05d0b175593e095ae312ea] | committer: 
Michael Niedermayer

swresample/swresample: Fix for seg fault in swr_convert_internal() -> 
sum2_float during dithering.

Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for 
it. After removal, problem was gone.

Signed-off-by: Hendrik Schreiber 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30c26bb78f6a7d347c05d0b175593e095ae312ea
---

 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 74c96dce60..170f76bc56 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -678,7 +678,7 @@ static int swr_convert_internal(struct SwrContext *s, 
AudioData *out, int out_co
 s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], 
s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, 
s->native_simd_one, 0, 0, len1);
 if(out_count != len1)
 for(ch=0; chch_count; ch++)
-s->mix_2_1_f(conv_src->ch[ch] + off, 
preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * 
s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1);
+s->mix_2_1_f(conv_src->ch[ch] + off, 
preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * 
s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1);
 } else {
 for(ch=0; chch_count; ch++)
 s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], 
s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, 
s->native_one, 0, 0, out_count);
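Review bot: the removed + len1 was applied to the noise pointer only, while the other two buffers in the same call use + off alone; if off is the byte offset of the len1 samples the SIMD path above already consumed, the noise pointer was advanced twice, the second time in sample units rather than bytes, so the last out_count - len1 samples read past the end of the dither buffer. That is the explanation the commit message says was not found, and it belongs in the message or a comment; after the change all three pointers are offset consistently with the len1 handling above.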



[FFmpeg-cvslog] avcodec/truemotion2rt: Check input buffer size

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Feb 22 03:04:40 2018 +0100| [e908a595db8e254629cb1275fb9e17099dd2efab] | 
committer: Michael Niedermayer

avcodec/truemotion2rt: Check input buffer size

Fixes: Timeout
Fixes: 
6250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5479814011027456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8b5c29b6c2ab00f8fb545475238a99f575b5d81d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e908a595db8e254629cb1275fb9e17099dd2efab
---

 libavcodec/truemotion2rt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c
index d63918742d..9df0b527bb 100644
--- a/libavcodec/truemotion2rt.c
+++ b/libavcodec/truemotion2rt.c
@@ -116,6 +116,9 @@ static int truemotion2rt_decode_frame(AVCodecContext 
*avctx, void *data,
 if (ret < 0)
 return ret;
 
+if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size 
* 8LL * 4)
+return AVERROR_INVALIDDATA;
+
 ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret);
 if (ret < 0)
 return ret;
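Review bot: the left-hand side avctx->width / s->hscale * avctx->height * s->delta_size is evaluated in int before the comparison, so only the right-hand side benefits from the 8LL widening; for large frame dimensions the product can overflow and the check becomes meaningless or rejects valid input. Casting the first factor to int64_t keeps the whole expression 64-bit. A comment explaining the * 4 slack and why delta_size bits per pixel is the lower bound would also help, as would a note that hscale has been validated non-zero before this point.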



[FFmpeg-cvslog] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Feb 27 15:17:12 2018 +0100| [5b586f0bc87dc1c19bc722ea7386d670c33eeb71] | 
committer: Michael Niedermayer

avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded 
pixels thus reject it

Fixes: Timeout
Fixes: 
6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b586f0bc87dc1c19bc722ea7386d670c33eeb71
---

 libavcodec/nuv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 8d806dbbff..32ed65899b 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 case NUV_RTJPEG_IN_LZO:
 case NUV_RTJPEG:
 keyframe = !buf[2];
+if (c->width < 16 || c->height < 16) {
+return AVERROR_INVALIDDATA;
+}
 break;
 case NUV_COPY_LAST:
 keyframe = 0;
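Review bot: the reject is correct for RTJPEG, which works on 16x16 blocks and decodes nothing for smaller frames, but that reason lives only in the commit message; a comment on the check would make it obvious. Because the check sits inside the NUV_RTJPEG_IN_LZO/NUV_RTJPEG cases, the other comptypes continue to accept such dimensions, which is fine only if they can actually decode them.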



[FFmpeg-cvslog] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Mar  8 17:28:36 2018 +0100| [42bd425205f464e95b2bfc1def239ee31e2becfe] | 
committer: Michael Niedermayer

avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE

Fixes: Chromium bug 795653
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented 
in type 'long'
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42bd425205f464e95b2bfc1def239ee31e2becfe
---

 libavformat/oggparsetheora.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c
index b14f9f0669..b0c0edc7a5 100644
--- a/libavformat/oggparsetheora.c
+++ b/libavformat/oggparsetheora.c
@@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx)
 
 if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & 
OGG_FLAG_EOS)) {
 int seg;
+int64_t pts;
 
 duration = 1;
 for (seg = os->segp; seg < os->nsegs; seg++) {
@@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx)
 duration ++;
 }
 
-os->lastpts = os->lastdts   = theora_gptopts(s, idx, os->granule, 
NULL) - duration;
+pts = theora_gptopts(s, idx, os->granule, NULL);
+if (pts != AV_NOPTS_VALUE)
+pts -= duration;
+os->lastpts = os->lastdts = pts;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
 if (s->streams[idx]->duration > 0)
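Review bot: same concern as the matching oggparsedaala change: start_time now receives AV_NOPTS_VALUE when pts was unset, and the statement that follows if (s->streams[idx]->duration > 0) (cut off here) would then operate on the sentinel if it subtracts start_time; guard it with pts != AV_NOPTS_VALUE. Separately, the entry condition !os->lastpts treats a genuine pts of 0 as unset, so this block re-runs for streams that start at 0; pre-existing, not introduced here, but worth a follow-up.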



[FFmpeg-cvslog] avcodec/get_bits: Make sure the input bitstream with padding can be addressed

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Mar 24 01:38:53 2018 +0100| [899d40c17fefe7f7a0ba7f7a95ae61be81b6d0ad] | 
committer: Michael Niedermayer

avcodec/get_bits: Make sure the input bitstream with padding can be addressed

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=899d40c17fefe7f7a0ba7f7a95ae61be81b6d0ad
---

 libavcodec/get_bits.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index 0c7f5ff0c6..d7cf286378 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -32,6 +32,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
 #include "libavutil/avassert.h"
+#include "avcodec.h"
 #include "mathops.h"
 #include "vlc.h"
 
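Review bot: get_bits.h is included by nearly every decoder, and pulling avcodec.h into it for a single constant adds a heavy dependency to a low-level header; if AV_INPUT_BUFFER_PADDING_SIZE lives in, or can be moved to, a smaller header, include that instead.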
@@ -428,7 +429,7 @@ static inline int init_get_bits(GetBitContext *s, const 
uint8_t *buffer,
 int buffer_size;
 int ret = 0;
 
-if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
+if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || 
bit_size < 0 || !buffer) {
 bit_size= 0;
 buffer  = NULL;
 ret = AVERROR_INVALIDDATA;
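Review bot: the tightened bound is right: buffer_size is derived from bit_size on the lines below, and bit readers are permitted to touch up to AV_INPUT_BUFFER_PADDING_SIZE bytes past the end of the input, so bit_size plus the padding in bits must still fit in an int; FFMAX(7, ...) preserves the old margin if the padding macro were ever 0. The expression deserves a one-line comment, since neither the 7 nor the padding term is explained at the point of use.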



[FFmpeg-cvslog] avcodec/nuv: Check for minimum input size for uncompressed and rtjpeg

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Feb 27 15:17:12 2018 +0100| [719b9b673cfb723234c614a4ff8cfad7c0c4499a] | 
committer: Michael Niedermayer

avcodec/nuv: Check for minimum input size for uncompressed and rtjpeg

Fixes: Timeout
Fixes: 
6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=719b9b673cfb723234c614a4ff8cfad7c0c4499a
---

 libavcodec/nuv.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index ad6c029e50..8d806dbbff 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 int orig_size  = buf_size;
 int keyframe, ret;
 int size_change = 0;
+int minsize = 0;
 int result, init_frame = !avctx->frame_number;
 enum {
 NUV_UNCOMPRESSED  = '0',
@@ -206,6 +207,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 keyframe = 1;
 break;
 }
+switch (comptype) {
+case NUV_UNCOMPRESSED:
+minsize = c->width * c->height * 3 / 2;
+break;
+case NUV_RTJPEG:
+minsize = c->width/16 * (c->height/16) * 6;
+break;
+}
+if (buf_size < minsize / 4)
+return AVERROR_INVALIDDATA;
 retry:
 // Skip the rest of the frame header.
 buf   = [12];
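Review bot: minsize for NUV_RTJPEG is c->width/16 * (c->height/16) * 6, which is 0 whenever either dimension is below 16, so buf_size < minsize / 4 rejects nothing for such frames; that gap is closed by the separate commit rejecting dimensions under 16, and the two should be backported together. For NUV_UNCOMPRESSED, c->width * c->height * 3 / 2 is int arithmetic and relies on the dimension limits enforced elsewhere to avoid overflow. Both the 6 bytes per macroblock and the / 4 slack factor deserve a comment.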



[FFmpeg-cvslog] avcodec/bintext: sanity check dimensions

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Feb 26 21:17:08 2018 +0100| [5909508e8df3bd762efc0dbd10b5e5a16ed2993e] | 
committer: Michael Niedermayer

avcodec/bintext: sanity check dimensions

Fixes: Timeout
Fixes: 
6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5909508e8df3bd762efc0dbd10b5e5a16ed2993e
---

 libavcodec/bintext.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c
index 90bbe67b59..d967317671 100644
--- a/libavcodec/bintext.c
+++ b/libavcodec/bintext.c
@@ -35,6 +35,8 @@
 #include "bintext.h"
 #include "internal.h"
 
+#define FONT_WIDTH 8
+
 typedef struct XbinContext {
 AVFrame *frame;
 int palette[16];
@@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 break;
 }
 }
+if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
+return AVERROR_INVALIDDATA;
+
 
 s->frame = av_frame_alloc();
 if (!s->frame)
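Review bot: the new check assumes s->font_height has been set by the switch above it (which is also why FONT_WIDTH had to move ahead of decode_init in the first hunk); if any case of that switch can leave font_height at 0, the check passes trivially, so either confirm that or add a font_height > 0 condition. Style: the insertion leaves two blank lines before s->frame = av_frame_alloc(); drop one.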
@@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
 }
 }
 
-#define FONT_WIDTH 8
-
 /**
  * Draw character to screen
  */



[FFmpeg-cvslog] avformat/oggparseogm: Fix undefined shift in ogm_packet()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Mar  8 23:14:04 2018 +0100| [e0a08c833dd8fafa18f4f7133c2e81df22606ab5] | 
committer: Michael Niedermayer

avformat/oggparseogm: Fix undefined shift in ogm_packet()

Fixes: shift exponent 48 is too large for 32-bit type 'int'
Fixes: Chromium bug 786793
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a08c833dd8fafa18f4f7133c2e81df22606ab5
---

 libavformat/oggparseogm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index e7a501b5a7..4d09d174b8 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -181,7 +181,7 @@ ogm_packet(AVFormatContext *s, int idx)
 os->psize -= lb + 1;
 
 while (lb--)
-os->pduration += p[lb+1] << (lb*8);
+os->pduration += (uint64_t)p[lb+1] << (lb*8);
 
 return 0;
 }
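Review bot: lb is computed a few lines above as a 3-bit value, so lb*8 reaches 56 and widening the shifted operand to uint64_t is enough to make the shift defined; what the hunk does not show is the type of os->pduration, and if that field is narrower than 64 bits the accumulated value is silently truncated on the +=, which is worth confirming or clamping. Indexing p[lb+1] after the post-decrement in while (lb--) is correct but non-obvious; a comment that the length bytes follow the flag byte in little-endian order would help.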



[FFmpeg-cvslog] avcodec/dxtory: Remove code that corrupts dimensions

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 21:27:16 2018 +0100| [af5c12c0290b6269d178dcded041f2201a8532b4] | 
committer: Michael Niedermayer

avcodec/dxtory: Remove code that corrupts dimensions

Fixes: Timeout
Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376

Does someone have a valid sample that triggers this path?

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af5c12c0290b6269d178dcded041f2201a8532b4
---

 libavcodec/dxtory.c | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index e736cec8db..285ca38efb 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame 
*pic,
 }
 
 if (avctx->height - line) {
-av_log(avctx, AV_LOG_VERBOSE,
-   "Not enough slice data available, "
-   "cropping the frame by %d pixels\n",
-avctx->height - line);
-avctx->height = line;
+avpriv_request_sample(avctx, "Not enough slice data available");
 }
 
 return 0;
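Review bot: after this change the function still returns 0 when avctx->height - line is non-zero, so a frame with missing slice data is reported as decoded successfully while its bottom rows were never written; unless the caller clears the picture first, those rows hold whatever the buffer contained. Returning AVERROR_INVALIDDATA, or at least documenting that the frame is partial, would be safer than a request_sample alone. Dropping the avctx->height = line mutation is right, since shrinking the context height from inside a decode call corrupted the state used by subsequent frames.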



[FFmpeg-cvslog] avcodec/exr: fix invalid shift in unpack_14()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Feb 21 04:29:44 2018 +0100| [4d45d5b606a11f6f401d7694df08e7e47989af32] | 
committer: Michael Niedermayer

avcodec/exr: fix invalid shift in unpack_14()

Fixes: 6154/clusterfuzz-testcase-minimized-5762231061970944
Fixes: runtime error: shift exponent 63 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 49062a90174b6e4104876c0257dc673a0da854ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d45d5b606a11f6f401d7694df08e7e47989af32
---

 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b27132d6bb..2481959a21 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -910,7 +910,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t 
*src,
 
 static void unpack_14(const uint8_t b[14], uint16_t s[16])
 {
-unsigned short shift = (b[ 2] >> 2);
+unsigned short shift = (b[ 2] >> 2) & 15;
 unsigned short bias = (0x20 << shift);
 int i;
 
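Review bot: the & 15 keeps the shift within the width of an int, but bias is still unsigned short, and for shift values above 10 the value 0x20 << shift exceeds 16 bits and is truncated on assignment; if the B44 format only permits smaller shifts, rejecting larger values with an error would be more faithful than masking, and if the format relies on 16-bit wrap-around, a comment stating that the truncation is intentional belongs here.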



[FFmpeg-cvslog] avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb 18 17:12:28 2018 +0100| [4018d8586ffe1fc8d5f7f28df6c010c748d3fb75] | 
committer: Michael Niedermayer

avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table()

Fixes: 6037/clusterfuzz-testcase-minimized-5030249784934400
Fixes: signed integer overflow: 256 * 16992036 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 85c85f3f9c75301db3eba1bd5f2fb1e6285d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4018d8586ffe1fc8d5f7f28df6c010c748d3fb75
---

 libavcodec/h264_parse.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index a7c71d9bbb..dfc57076d1 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -82,8 +82,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS 
*sps,
 pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb);
 pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb);
 if ((int8_t)pwt->chroma_weight[i][list][j][0] != 
pwt->chroma_weight[i][list][j][0] ||
-(int8_t)pwt->chroma_weight[i][list][j][1] != 
pwt->chroma_weight[i][list][j][1])
+(int8_t)pwt->chroma_weight[i][list][j][1] != 
pwt->chroma_weight[i][list][j][1]) {
+pwt->chroma_weight[i][list][j][0] = chroma_def;
+pwt->chroma_weight[i][list][j][1] = 0;
 goto out_range_weight;
+}
 if (pwt->chroma_weight[i][list][j][0] != chroma_def ||
 pwt->chroma_weight[i][list][j][1] != 0) {
 pwt->use_weight_chroma= 1;
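Review bot: resetting the out-of-range pair to chroma_def and 0 before goto out_range_weight is what stops the later multiplication from overflowing, since the garbage values would otherwise stay in the table after the jump; the luma weight and offset checks above this hunk follow the same pattern and should be verified to reset their entries too. A comment that these defaults mean "no weighting" for the entry would help readers of the goto.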



[FFmpeg-cvslog] avcodec/cavsdec: Check alpha/beta offset

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Tue Feb 20 23:11:01 2018 +0100| [f3562ee6fc847db3162fccfa98449ce21404608e] | 
committer: Michael Niedermayer

avcodec/cavsdec: Check alpha/beta offset

Fixes: Integer overflow
Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3562ee6fc847db3162fccfa98449ce21404608e
---

 libavcodec/cavsdec.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 2bcb42a6eb..79349b5005 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h)
 if (!h->loop_filter_disable && get_bits1(>gb)) {
 h->alpha_offset= get_se_golomb(>gb);
 h->beta_offset = get_se_golomb(>gb);
+if (   h->alpha_offset < -64 || h->alpha_offset > 64
+|| h-> beta_offset < -64 || h-> beta_offset > 64) {
+h->alpha_offset = h->beta_offset  = 0;
+return AVERROR_INVALIDDATA;
+}
 } else {
 h->alpha_offset = h->beta_offset  = 0;
 }
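Review bot: the reset `h->alpha_offset = h->beta_offset = 0` immediately before `return AVERROR_INVALIDDATA` only matters if a caller keeps using `h` after the error; that is a reasonable defensive choice, but it deserves a one-line comment so the next reader does not delete it as dead code. Style: `h-> beta_offset` (space after the arrow) is inconsistent with `h->alpha_offset` on the line above.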



[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb 18 00:11:33 2018 +0100| [1a387f1ce6ec8a8b57849adac5ffbb53c1d07c83] | 
committer: Michael Niedermayer

avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()

Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a387f1ce6ec8a8b57849adac5ffbb53c1d07c83
---

 libavcodec/jpeg2000dwt.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index e4aa2e4a3d..8092297b8c 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t)
 t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT;
 }
 
-static void sr_1d53(int *p, int i0, int i1)
+static void sr_1d53(unsigned *p, int i0, int i1)
 {
 int i;
 
 if (i1 <= i0 + 1) {
 if (i0 == 1)
-p[1] >>= 1;
+p[1] = (int)p[1] >> 1;
 return;
 }
 
 extend53(p, i0, i1);
 
 for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++)
-p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
+p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
 for (i = (i0 >> 1); i < (i1 >> 1); i++)
-p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1;
+p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1;
 }
 
 static void dwt_decode53(DWTContext *s, int *t)
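Review bot: `p` is now `unsigned *`, but `extend53(p, i0, i1)` is still called with it and the diffstat for this file shows no other change, so that call (and the callers of sr_1d53(), which work on the `int *` buffers that dwt_decode53() below takes) now relies on the build tolerating a pointer-sign mismatch; either change extend53()'s parameter alongside or cast at the call sites so the wraparound intent is explicit rather than silent. The `(int)` casts before `>>` also depend on arithmetic right shift of negative values, which FFmpeg assumes elsewhere; a comment above the function saying the unsigned arithmetic is deliberate would help.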



[FFmpeg-cvslog] avformat/mov: Check STSC and remove invalid entries

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Mar 16 19:53:36 2018 +0100| [a89b45b492dd3c82d9aab1d67dac21bf56bcf43d] | 
committer: Michael Niedermayer

avformat/mov: Check STSC and remove invalid entries

Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a89b45b492dd3c82d9aab1d67dac21bf56bcf43d
---

 libavformat/mov.c | 20 
 1 file changed, 20 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 5381dbb704..6124b0b573 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2433,6 +2433,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 
 sc->stsc_count = i;
+for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
+if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= 
sc->stsc_data[i+1].first) ||
+(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
+sc->stsc_data[i].first < 1 ||
+sc->stsc_data[i].count < 1 ||
+sc->stsc_data[i].id < 1) {
+av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d 
count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, 
sc->stsc_data[i].id);
+if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2)
+return AVERROR_INVALIDDATA;
+// We replace this entry by the next valid
+sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
+sc->stsc_data[i].count = sc->stsc_data[i+1].count;
+sc->stsc_data[i].id= sc->stsc_data[i+1].id;
+}
+}
 
 if (pb->eof_reached)
 return AVERROR_EOF;
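Review bot: the loop header `for (i = sc->stsc_count - 1; i < UINT_MAX; i--)` terminates only because `i` wraps when decremented past zero, which is correct but reads as a bug at first glance; `for (i = sc->stsc_count; i-- > 0; )` expresses the same backwards walk without depending on the wrap, and it also removes the question of whether `%d` is the right conversion for `i` in the av_log. The repair itself is sound: walking from the end means `stsc_data[i+1]` has already been validated when it is copied over entry `i`, and the `first < 2` test rejects the case where the repaired entry would end up with `first = 0`.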
@@ -3737,6 +3752,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
st->index);
 return 0;
 }
+if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > 
sc->chunk_count) {
+av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and 
STCO\n",
+   st->index);
+return AVERROR_INVALIDDATA;
+}
 
 fix_timescale(c, sc);
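Review bot: the log string says "contradictionary"; the word is "contradictory". Checking only the last entry's `first` against `chunk_count` is enough here because the stsc hunk above already guarantees `first` is strictly increasing across entries, but a comment saying so would save the next reader the cross-reference.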
 



[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in mv computation

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb 18 21:51:38 2018 +0100| [b9d5b1f05dadf6ab3062f59e7a2cbc482e655cb8] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow in mv computation

Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in 
type 'int'
Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9d5b1f05dadf6ab3062f59e7a2cbc482e655cb8
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 3b5eb16d87..fee2b7787c 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1437,8 +1437,8 @@ static void decode_block_params(DiracContext *s, 
DiracArith arith[8], DiracBlock
 global_mv(s, block, x, y, i);
 } else {
 pred_mv(block, stride, x, y, i);
-block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, 
CTX_MV_F1, CTX_MV_DATA);
-block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, 
CTX_MV_F1, CTX_MV_DATA);
+block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 
2 * i, CTX_MV_F1, CTX_MV_DATA);
+block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 
2 * i, CTX_MV_F1, CTX_MV_DATA);
 }
 }
 }
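Review bot: the `(unsigned)` cast converts the signed overflow into defined wraparound, which silences the sanitizer but leaves `block->u.mv[i][0]` / `[1]` holding an arbitrary 32-bit value for a hostile stream; if anything that consumes these vectors derives an offset into a reference plane from them, a range check here or at the use site is the stronger fix, and either way a short comment should say the wrap is intentional.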



[FFmpeg-cvslog] avcodec/g2meet: Check tile dimensions with av_image_check_size2()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Feb 22 02:34:05 2018 +0100| [c3e774784bac7930743d47cbd37e0e9f06fa6e30] | 
committer: Michael Niedermayer

avcodec/g2meet: Check tile dimensions with av_image_check_size2()

Fixes: OOM
Fixes: 
6216/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4983807968018432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3981fb8d2a03cdb3399590da8621a7bcc22e2964)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3e774784bac7930743d47cbd37e0e9f06fa6e30
---

 libavcodec/g2meet.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 10b6808f81..3b8b97ab41 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -28,6 +28,7 @@
 #include 
 #include 
 
+#include "libavutil/imgutils.h"
 #include "libavutil/intreadwrite.h"
 
 #include "avcodec.h"
@@ -1451,7 +1452,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void 
*data,
 c->tile_height = bytestream2_get_be32();
 if (c->tile_width <= 0 || c->tile_height <= 0 ||
 ((c->tile_width | c->tile_height) & 0xF) ||
-c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4
+c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 ||
+av_image_check_size2(c->tile_width, c->tile_height, 
avctx->max_pixels, avctx->pix_fmt, 0, avctx) < 0
 ) {
 av_log(avctx, AV_LOG_ERROR,
"Invalid tile dimensions %dx%d\n",
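Review bot: the new `av_image_check_size2()` call is correctly placed last in the `||` chain, so the cheaper sign, alignment and `INT_MAX / 4` tests short-circuit before it; since it also enforces `avctx->max_pixels`, the "Invalid tile dimensions" message will now fire for tiles that are merely larger than the user's configured limit, so consider logging the limit or the return value so users can tell the two cases apart.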



[FFmpeg-cvslog] avcodec/utvideodec: Check subsample factors

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Feb 26 03:02:48 2018 +0100| [bafb13dc0fd60f49f613bf4c52ce88b91176755c] | 
committer: Michael Niedermayer

avcodec/utvideodec: Check subsample factors

Fixes: Out of array read
Fixes: heap_poc

Found-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bafb13dc0fd60f49f613bf4c52ce88b91176755c
---

 libavcodec/utvideodec.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index fda5de0732..2cf9ce2855 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -28,6 +28,7 @@
 #include 
 
 #include "libavutil/intreadwrite.h"
+#include "libavutil/pixdesc.h"
 #include "avcodec.h"
 #include "bswapdsp.h"
 #include "bytestream.h"
@@ -824,6 +825,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 static av_cold int decode_init(AVCodecContext *avctx)
 {
 UtvideoContext * const c = avctx->priv_data;
+int h_shift, v_shift;
 
 c->avctx = avctx;
 
@@ -920,6 +922,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return AVERROR_INVALIDDATA;
 }
 
+av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, _shift, _shift);
+if ((avctx->width  & ((1<height & ((1<
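Review bot: the return value of `av_pix_fmt_get_chroma_sub_sample()` is discarded; it reports an error for a pixel format it does not know, and relying on an earlier `pix_fmt` check to guarantee success is fragile, so propagate it (`if ((ret = ...) < 0) return ret;`) or add a comment stating why it cannot fail here.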

[FFmpeg-cvslog] avcodec/hevcdec: Check luma/chroma_log2_weight_denom

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 21:42:34 2018 +0100| [37cd7f3375302b2c8e35946a53db13a8bd123b8b] | 
committer: Michael Niedermayer

avcodec/hevcdec: Check luma/chroma_log2_weight_denom

Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 
'int'
Fixes: 5888/clusterfuzz-testcase-minimized-5634701067812864

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f82dd4c09b2decb033f1e339d4be81efd38554f1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37cd7f3375302b2c8e35946a53db13a8bd123b8b
---

 libavcodec/hevcdec.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 5579a4df43..db0bebfa49 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -149,12 +149,18 @@ static int pred_weight_table(HEVCContext *s, 
GetBitContext *gb)
 int luma_log2_weight_denom;
 
 luma_log2_weight_denom = get_ue_golomb_long(gb);
-if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7)
+if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) {
 av_log(s->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is 
invalid\n", luma_log2_weight_denom);
+return AVERROR_INVALIDDATA;
+}
 s->sh.luma_log2_weight_denom = av_clip_uintp2(luma_log2_weight_denom, 3);
 if (s->ps.sps->chroma_format_idc != 0) {
-int delta = get_se_golomb(gb);
-s->sh.chroma_log2_weight_denom = 
av_clip_uintp2(s->sh.luma_log2_weight_denom + delta, 3);
+int64_t chroma_log2_weight_denom = luma_log2_weight_denom + 
(int64_t)get_se_golomb(gb);
+if (chroma_log2_weight_denom < 0 || chroma_log2_weight_denom > 7) {
+av_log(s->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %"PRId64" 
is invalid\n", chroma_log2_weight_denom);
+return AVERROR_INVALIDDATA;
+}
+s->sh.chroma_log2_weight_denom = chroma_log2_weight_denom;
 }
 
 for (i = 0; i < s->sh.nb_refs[L0]; i++) {
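Review bot: with the luma range check now returning on anything outside 0..7, the `av_clip_uintp2(luma_log2_weight_denom, 3)` on the next line is a no-op and can become a plain assignment, mirroring the chroma line added below; leaving the clip in place suggests the value may still be out of range. The int64_t intermediate for chroma is the right fix, since `get_se_golomb()` can return values near INT_MAX and INT_MIN.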



[FFmpeg-cvslog] avcodec/smc: Check input packet size

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Feb 23 03:40:02 2018 +0100| [bcc6d409283aebc114d674ace998016d04523ce3] | 
committer: Michael Niedermayer

avcodec/smc: Check input packet size

Fixes: Timeout
Fixes: 
6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcc6d409283aebc114d674ace998016d04523ce3
---

 libavcodec/smc.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smc.c b/libavcodec/smc.c
index 79f9a757a0..3cb4834737 100644
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -438,6 +438,10 @@ static int smc_decode_frame(AVCodecContext *avctx,
 int pal_size;
 const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, 
_size);
 int ret;
+int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 
4);
+
+if (total_blocks / 1024 > avpkt->size)
+return AVERROR_INVALIDDATA;
 
 bytestream2_init(>gb, buf, buf_size);
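Review bot: the constant in `total_blocks / 1024 > avpkt->size` encodes an assumption about how many 4x4 blocks a single input byte can cover, and nothing in the hunk says where 1024 comes from; add a comment naming the SMC opcode or run length that bounds it so the check can be verified rather than trusted. Also, `total_blocks` is computed from the dimensions as an `int` product, so the check relies on width and height having been validated at init.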
 



[FFmpeg-cvslog] avcodec/aacdec_templat: Fix integer overflow in apply_ltp()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb 18 16:55:52 2018 +0100| [b172815c3c9bb7dcaa88e388418bbbefd5aa978e] | 
committer: Michael Niedermayer

avcodec/aacdec_templat: Fix integer overflow in apply_ltp()

Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented 
in type 'int'
Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b172815c3c9bb7dcaa88e388418bbbefd5aa978e
---

 libavcodec/aacdec_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 6a93aed2e8..659b6e5a31 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -2522,7 +2522,7 @@ static void apply_ltp(AACContext *ac, 
SingleChannelElement *sce)
 for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++)
 if (ltp->used[sfb])
 for (i = offsets[sfb]; i < offsets[sfb + 1]; i++)
-sce->coeffs[i] += predFreq[i];
+sce->coeffs[i] += (UINTFLOAT)predFreq[i];
 }
 }
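Review bot: the `(UINTFLOAT)` cast only changes behaviour in the fixed-point build, where the reported signed overflow occurs and the unsigned type makes the addition wrap; in the float build it is a no-op. Say that in a comment on the line, otherwise the cast looks accidental and is likely to be dropped in a cleanup.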
 



[FFmpeg-cvslog] avcodec/exr: Check remaining bits in last get code loop

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Feb 14 13:01:46 2018 +0100| [659a23e89fbaf649f8984a9d5dfd5479e5a37386] | 
committer: Michael Niedermayer

avcodec/exr: Check remaining bits in last get code loop

Fixes: runtime error: shift exponent -7 is negative
Fixes: 
3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=659a23e89fbaf649f8984a9d5dfd5479e5a37386
---

 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index fe978805c5..b27132d6bb 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -574,7 +574,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec 
*hdecod,
 while (lc > 0) {
 const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK];
 
-if (pl.len) {
+if (pl.len && lc >= pl.len) {
 lc -= pl.len;
 get_code(pl.lit, rlc, c, lc, gb, out, oe, outb);
 } else {
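Review bot: `lc >= pl.len` keeps `lc` from going negative, but it routes the case where a valid short code is only partly present into the `else` branch, which is outside the hunk; confirm that branch either pulls in more input bits before retrying or fails cleanly, rather than treating the partial code as a long-code lookup.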



[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 21:47:09 2018 +0100| [93a16aebf2ac0b29956bd831417e4dbc2477dacf] | 
committer: Michael Niedermayer

avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()

Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112
Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be 
represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93a16aebf2ac0b29956bd831417e4dbc2477dacf
---

 libavcodec/dirac_dwt_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index e68cc4d530..8c25c1f822 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, 
uint8_t *_tmp, int w)
 tmp[w2+1] = tmp[w2] = tmp[w2-1];
 
 for (x = 0; x < w2; x++) {
-b[2*x  ] = (tmp[x] + 1)>>1;
-b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], 
tmp[x+2]) + 1)>>1;
+b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], 
tmp[x+2]) + 1U))>>1;
 }
 }
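Review bot: `(int)(tmp[x] + 1U)` makes the addition unsigned and then reinterprets it before the shift, which gives wraparound instead of undefined behaviour; the `>> 1` on a possibly negative `int` is still implementation-defined, which FFmpeg accepts elsewhere. A comment on why `1U` is used would stop a future reader from "simplifying" it back to `+ 1`.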
 
@@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, 
uint8_t *_tmp, int w)
 tmp[w2+1] = tmp[w2] = tmp[w2-1];
 
 for (x = 0; x < w2; x++) {
-b[2*x  ] = (tmp[x] + 1)>>1;
-b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], 
tmp[x+2]) + 1)>>1;
+b[2*x  ] = ((int)(tmp[x] + 1U))>>1;
+b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], 
tmp[x+2]) + 1U))>>1;
 }
 }
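Review bot: this loop body is identical to the one in horizontal_compose_dd97i() above, down to the `COMPOSE_DD97iH0` call, so the same overflow fix had to be applied twice; factoring the shared loop into a helper or macro would make the next such fix a single edit.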
 



[FFmpeg-cvslog] avcodec/jpeg2000dec: Use av_image_check_size2()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 04:20:53 2018 +0100| [1a4f8de03d57490b6344ec2eeba3aa816cd1eb62] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Use av_image_check_size2()

Fixes: OOM
Fixes: 5733/clusterfuzz-testcase-minimized-4906757966004224

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 01370b31aced784593f2bc0836f4ba6fd8e7f6b3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a4f8de03d57490b6344ec2eeba3aa816cd1eb62
---

 libavcodec/jpeg2000dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index f1abc9a5ef..404cf06ddc 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -282,7 +282,7 @@ static int get_siz(Jpeg2000DecoderContext *s)
 avpriv_request_sample(s->avctx, "Support for image offsets");
 return AVERROR_PATCHWELCOME;
 }
-if (av_image_check_size(s->width, s->height, 0, s->avctx)) {
+if (av_image_check_size2(s->width, s->height, s->avctx->max_pixels, 
AV_PIX_FMT_NONE, 0, s->avctx)) {
 avpriv_request_sample(s->avctx, "Large Dimensions");
 return AVERROR_PATCHWELCOME;
 }
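Review bot: passing `AV_PIX_FMT_NONE` means `av_image_check_size2()` cannot apply a format-specific line-size bound and checks the dimensions and `max_pixels` generically; that is the best available at get_siz() time, but a comment saying why no pixel format is passed will stop a later "fix" that substitutes one before it is actually known.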



[FFmpeg-cvslog] avcodec/diracdec: Use int64 in global mv to prevent overflow

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 23:54:44 2018 +0100| [205689ae8a5e00ce2d39e9559252c020cb784e56] | 
committer: Michael Niedermayer

avcodec/diracdec: Use int64 in global mv to prevent overflow

Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be 
represented in type 'int'
Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=205689ae8a5e00ce2d39e9559252c020cb784e56
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 9df70c3f7a..3b5eb16d87 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1399,8 +1399,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int m   = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);



[FFmpeg-cvslog] avcodec/vp8: Check for bitstream end before vp7_fade_frame()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb 17 04:20:52 2018 +0100| [2a85ead5a374f37bc52d716da9237f4e722dee58] | 
committer: Michael Niedermayer

avcodec/vp8: Check for bitstream end before vp7_fade_frame()

Fixes: Timeout
Fixes: 5653/clusterfuzz-testcase-5497680018014208

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a85ead5a374f37bc52d716da9237f4e722dee58
---

 libavcodec/vp8.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index 5bf601a8ef..fd036538e0 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -606,6 +606,8 @@ static int vp7_decode_frame_header(VP8Context *s, const 
uint8_t *buf, int buf_si
 s->fade_present = vp8_rac_get(c);
 }
 
+if (c->end <= c->buffer && c->bits >= 0)
+return AVERROR_INVALIDDATA;
 /* E. Fading information for previous frame */
 if (s->fade_present && vp8_rac_get(c)) {
 if ((ret = vp7_fade_frame(s ,c)) < 0)
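Review bot: `c->end <= c->buffer && c->bits >= 0` is the range coder's exhausted-input condition written inline; give it a name (a small helper on the range coder, if the tree does not already have one) and log before returning, otherwise a truncated VP7 header fails silently and the next reader has to reverse-engineer the two-part condition.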



[FFmpeg-cvslog] avcodec/h264_cabac: Tighten allowed coeff_abs range

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Feb 14 00:32:30 2018 +0100| [878fc42a906d13cd6a78b0820eed75f4fd8e26e5] | 
committer: Michael Niedermayer

avcodec/h264_cabac: Tighten allowed coeff_abs range

Fixes: integer overflows
Reported-by: "Xiaohan Wang (王消寒)" 

Based on limits in "8.5 Transform coefficient decoding process and picture
construction process prior to deblocking  filter process"

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=878fc42a906d13cd6a78b0820eed75f4fd8e26e5
---

 libavcodec/h264_cabac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 04b77f284f..1e05c04680 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1735,7 +1735,7 @@ decode_cabac_residual_internal(const H264Context *h, 
H264SliceContext *sl,
 \
 if( coeff_abs >= 15 ) { \
 int j = 0; \
-while (get_cabac_bypass(CC) && j < 30) { \
+while (get_cabac_bypass(CC) && j < 16+7) { \
 j++; \
 } \
 \
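Review bot: `j < 16+7` is a magic bound; the commit message traces it to clause 8.5 of the H.264 specification, so put that reference in a comment next to the loop and say what the 16 and the 7 each represent. Tightening the loop also changes what a stream with more leading ones produces, so check that the code after the loop (outside the hunk) treats reaching the bound as invalid data rather than as a valid coefficient level.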



[FFmpeg-cvslog] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Feb 14 03:54:13 2018 +0100| [519d48c861a91f3c458e37478d0e408aa608117c] | 
committer: Michael Niedermayer

avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()

Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392
Fixes: runtime error: negation of -2147483648 cannot be represented in type 
'int'; cast to an unsigned type to negate this value to itself

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=519d48c861a91f3c458e37478d0e408aa608117c
---

 libavutil/common.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavutil/common.h b/libavutil/common.h
index 8142b31fdb..53e43feb3a 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -158,7 +158,7 @@ static av_always_inline av_const int64_t 
av_clip64_c(int64_t a, int64_t amin, in
  */
 static av_always_inline av_const uint8_t av_clip_uint8_c(int a)
 {
-if (a&(~0xFF)) return (-a)>>31;
+if (a&(~0xFF)) return (~a)>>31;
 else   return a;
 }
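Review bot: `(~a)>>31` removes the undefined negation of INT_MIN but still depends on `int` being 32 bits and on `>>` of a negative value being an arithmetic shift (implementation-defined in C); both hold on the compilers FFmpeg supports, but a comment above the function spelling out the trick (negative input gives 0, positive out-of-range input gives -1, which converts to 0xFF) would help.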
 
@@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int 
a)
  */
 static av_always_inline av_const uint16_t av_clip_uint16_c(int a)
 {
-if (a&(~0x)) return (-a)>>31;
+if (a&(~0x)) return (~a)>>31;
 else return a;
 }
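Review bot: same remark as for av_clip_uint8_c(): the expression relies on arithmetic right shift and 32-bit `int`, with -1 converting to 0xFFFF on return; one shared comment covering both helpers is enough.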
 



[FFmpeg-cvslog] avcodec/mpeg2dec: Fix field selection for skipped macroblocks

2018-04-12 Thread Nekopanda
ffmpeg | branch: release/3.3 | Nekopanda 
 | Sat Feb 10 18:36:32 2018 +0900| 
[66881cf2b58b8021e9e7f4271e30deeba0c6cb7f] | committer: Michael Niedermayer

avcodec/mpeg2dec: Fix field selection for skipped macroblocks

For B field pictures, the spec says,

> The prediction shall be made from the field of the same parity as the field 
> being predicted.

I did it.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8b154cb3e90a3e599cadf477d815a9854b7bb4e1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=66881cf2b58b8021e9e7f4271e30deeba0c6cb7f
---

 libavcodec/mpeg12dec.c |   2 +
 tests/ref/fate/mpeg2-ticket186 | 328 -
 2 files changed, 166 insertions(+), 164 deletions(-)

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index 186fbd27b6..3786dc61b3 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -1983,6 +1983,8 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y,
 s->mv[0][0][1] = s->last_mv[0][0][1];
 s->mv[1][0][0] = s->last_mv[1][0][0];
 s->mv[1][0][1] = s->last_mv[1][0][1];
+s->field_select[0][0] = (s->picture_structure - 1) & 1;
+s->field_select[1][0] = (s->picture_structure - 1) & 1;
 }
 }
 }
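Review bot: the field_select assignment runs for every skipped macroblock taking this branch, frame pictures included, where `(s->picture_structure - 1) & 1` has no same-parity meaning; if field_select is simply ignored for frame prediction that is harmless, but a guard or a comment stating it would make the intent of the spec quote in the commit message visible in the code.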
diff --git a/tests/ref/fate/mpeg2-ticket186 b/tests/ref/fate/mpeg2-ticket186
index b716ca5611..31afda15e8 100644
--- a/tests/ref/fate/mpeg2-ticket186
+++ b/tests/ref/fate/mpeg2-ticket186
@@ -3,354 +3,354 @@
 #codec_id 0: rawvideo
 #dimensions 0: 352x288
 #sar 0: 12/11
-0,  0,  0,1,   152064, 0xd23ffc59
+0,  0,  0,1,   152064, 0x8f9d00c1
 0,  1,  1,1,   152064, 0x899fb8b1
-0,  2,  2,1,   152064, 0x5958d070
+0,  2,  2,1,   152064, 0x7225cb39
 0,  3,  3,1,   152064, 0xf2becd8f
-0,  4,  4,1,   152064, 0xb47bbed7
+0,  4,  4,1,   152064, 0xd56bc556
 0,  5,  5,1,   152064, 0x7ca54f36
-0,  6,  6,1,   152064, 0x02389610
+0,  6,  6,1,   152064, 0x06d7805c
 0,  7,  7,1,   152064, 0x469f3f87
-0,  8,  8,1,   152064, 0x935a780e
+0,  8,  8,1,   152064, 0xdb2f57d5
 0,  9,  9,1,   152064, 0x3876c20c
-0, 10, 10,1,   152064, 0x49df265f
+0, 10, 10,1,   152064, 0x5b670e79
 0, 11, 11,1,   152064, 0xdfe420e0
-0, 12, 12,1,   152064, 0x6e34a0c4
+0, 12, 12,1,   152064, 0x17578222
 0, 13, 13,1,   152064, 0x47e1cb26
-0, 14, 14,1,   152064, 0x68e74188
+0, 14, 14,1,   152064, 0x168e35d6
 0, 15, 15,1,   152064, 0xe9d34b4e
-0, 16, 16,1,   152064, 0xa8665e1a
+0, 16, 16,1,   152064, 0x5e395308
 0, 17, 17,1,   152064, 0x88e3b39f
-0, 18, 18,1,   152064, 0x1c1ab2c3
+0, 18, 18,1,   152064, 0x6b099c51
 0, 19, 19,1,   152064, 0xb1a24ddf
-0, 20, 20,1,   152064, 0x030d5afc
+0, 20, 20,1,   152064, 0xcea840fc
 0, 21, 21,1,   152064, 0x98306d64
-0, 22, 22,1,   152064, 0x5ce0548d
+0, 22, 22,1,   152064, 0xb05354d3
 0, 23, 23,1,   152064, 0xacac26f3
-0, 24, 24,1,   152064, 0xf167f698
+0, 24, 24,1,   152064, 0xbccdf14b
 0, 25, 25,1,   152064, 0xd9398539
-0, 26, 26,1,   152064, 0xd7aec2c4
+0, 26, 26,1,   152064, 0x07aec13a
 0, 27, 27,1,   152064, 0xa6ef9440
-0, 28, 28,1,   152064, 0xc289b278
+0, 28, 28,1,   152064, 0x0e7ab64e
 0, 29, 29,1,   152064, 0x3796939d
-0, 30, 30,1,   152064, 0x48c09366
+0, 30, 30,1,   152064, 0xcc219365
 0, 31, 31,1,   152064, 0xf4cc815a
-0, 32, 32,1,   152064, 0x1c63cdc2
+0, 32, 32,1,   152064, 0x8b91c622
 0, 33, 33,1,   152064, 0xd3a8ad8e
-0, 34, 34,1,   152064, 0x70f94bc0
+0, 34, 34,1,   152064, 0x658e498f
 0, 35, 35,1,   152064, 0xf9c115ea
-0, 36, 36,1,   152064, 

[FFmpeg-cvslog] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb 11 03:38:54 2018 +0100| [76a886dae364c665ee83d3eac44e28062b687baa] | 
committer: Michael Niedermayer

avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()

This fixes a hypothetical integer overflow

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76a886dae364c665ee83d3eac44e28062b687baa
---

 libavcodec/vp3.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index e46a9e6971..bb4e554dde 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext 
*gb,
 Vp3Fragment *all_fragments = s->all_fragments;
 VLC_TYPE(*vlc_table)[2] = table->table;
 
-if (num_coeffs < 0)
+if (num_coeffs < 0) {
 av_log(s->avctx, AV_LOG_ERROR,
"Invalid number of coefficients at level %d\n", coeff_index);
+return AVERROR_INVALIDDATA;
+}
 
 if (eob_run > num_coeffs) {
 coeff_i  =
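Review bot: returning `AVERROR_INVALIDDATA` from unpack_vlcs() turns a warn-and-continue path into a hard failure, which is right, but if the function's return value is otherwise used as a count by its callers, every call site (none are in this hunk) must check for a negative result before using it; verify that, since a missed check would feed the error code in as a run length.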



[FFmpeg-cvslog] avcodec/huffyuvdec: Check input buffer size

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 31 19:20:10 2018 +0100| [838d02fcff8d08dfe138db572eaff01193f388ab] | 
committer: Michael Niedermayer

avcodec/huffyuvdec: Check input buffer size

Fixes: Timeout
Fixes: 5487/clusterfuzz-testcase-4696837035393024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=838d02fcff8d08dfe138db572eaff01193f388ab
---

 libavcodec/huffyuvdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 979c4b9d5c..66357bfb40 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -919,6 +919,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 AVFrame *const p = data;
 int table_size = 0, ret;
 
+if (buf_size < (width * height + 7)/8)
+return AVERROR_INVALIDDATA;
+
 av_fast_padded_malloc(>bitstream_buffer,
>bitstream_buffer_size,
buf_size);
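Review bot: `(width * height + 7)/8` sets a floor of one bit per pixel, which is a sound minimum since a Huffman-coded sample cannot take fewer than one bit, but that reasoning should be in a comment; the product is computed in `int`, so the check also assumes the dimensions were bounded at init, and it runs before the table header is accounted for, so it is a floor rather than a tight bound.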



[FFmpeg-cvslog] avcodec/pafvideo: Check allocated frame size

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Feb  4 02:14:49 2018 +0100| [65fc03589fb48ee1d24797ad3984199b01feec82] | 
committer: Michael Niedermayer

avcodec/pafvideo: Check allocated frame size

Fixes: OOM
Fixes: 5549/clusterfuzz-testcase-minimized-5390553567985664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 66acb630286cf1bf03bfbdab6c7c784ff20bde61)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65fc03589fb48ee1d24797ad3984199b01feec82
---

 libavcodec/pafvideo.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c
index 6980ae1b35..7c5861dfaf 100644
--- a/libavcodec/pafvideo.c
+++ b/libavcodec/pafvideo.c
@@ -78,6 +78,7 @@ static av_cold int paf_video_init(AVCodecContext *avctx)
 {
 PAFVideoDecContext *c = avctx->priv_data;
 int i;
+int ret;
 
 c->width  = avctx->width;
 c->height = avctx->height;
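Review bot: style, the added `int ret;` could be folded into the existing declaration as `int i, ret;`, which is the compact declaration style the rest of the function uses.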
@@ -90,6 +91,9 @@ static av_cold int paf_video_init(AVCodecContext *avctx)
 }
 
 avctx->pix_fmt = AV_PIX_FMT_PAL8;
+ret = av_image_check_size2(avctx->width, FFALIGN(avctx->height, 256), 
avctx->max_pixels, avctx->pix_fmt, 0, avctx);
+if (ret < 0)
+return ret;
 
 c->pic = av_frame_alloc();
 if (!c->pic)
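Review bot: the `FFALIGN(avctx->height, 256)` passed to av_image_check_size2() needs a comment: it is only meaningful if the decoder allocates its buffers with the height rounded up to a multiple of 256, and nothing in this hunk shows that. Checking the aligned height also means a picture whose real size fits `avctx->max_pixels` can be rejected once rounded up; that is acceptable for a bound on allocation size but should be stated next to the call.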



[FFmpeg-cvslog] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()

2018-04-12 Thread Xiaohan Wang
ffmpeg | branch: release/3.3 | Xiaohan Wang  | Sat Feb  3 
01:43:35 2018 -0800| [e8fb74c0c9cd3bad7f990b8cf98b56ab54ae3a9c] | committer: 
Michael Niedermayer

avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()

When ff_h264_decode_mb_cavlc() fails due to wrong sl->qscale values,
e.g. dquant out of range, set the qscale to a valid value before
returning -1 and exiting the function. The qscale value can be used
later, e.g. in the loop filter.

BUG=806122

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8fb74c0c9cd3bad7f990b8cf98b56ab54ae3a9c
---

 libavcodec/h264_cavlc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index cd2e97af7e..ffed204441 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -,6 +,7 @@ decode_intra_mb:
 elsesl->qscale -= max_qp+1;
 if (((unsigned)sl->qscale) > max_qp){
 av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d 
%d\n", dquant, sl->mb_x, sl->mb_y);
+sl->qscale = max_qp;
 return -1;
 }
 }
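Review bot: `sl->qscale = max_qp;` in the dquant error path picks an arbitrary in-range value; add a comment saying it exists only to keep later users such as the loop filter within table bounds, so nobody mistakes it for a recovered quantiser. The path still returns a bare `-1` rather than AVERROR_INVALIDDATA, which is pre-existing but worth aligning while these lines are touched.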



[FFmpeg-cvslog] avcodec/utvideodec: Fix bytes left check in decode_frame()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Feb  2 21:44:57 2018 +0100| [0322f781777d4413bd57815ee9b5a7d6a0cfe716] | 
committer: Michael Niedermayer

avcodec/utvideodec: Fix bytes left check in decode_frame()

Fixes: out of array read
Fixes: poc-2017.avi

Found-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0322f781777d4413bd57815ee9b5a7d6a0cfe716
---

 libavcodec/utvideodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7c65d779c3..fda5de0732 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -638,7 +638,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 for (j = 0; j < c->slices; j++) {
 slice_end   = bytestream2_get_le32u();
 if (slice_end < 0 || slice_end < slice_start ||
-bytestream2_get_bytes_left() < slice_end) {
+bytestream2_get_bytes_left() < slice_end + 1024LL) {
 av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
 return AVERROR_INVALIDDATA;
 }
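Review bot: the `+ 1024LL` margin in the bytes-left comparison is unexplained; either name the constant or comment why 1024 bytes beyond `slice_end` must still be available, since the commit message only says the old check allowed an out-of-array read. The LL suffix is correct: it promotes the comparison to 64-bit so `slice_end + 1024` cannot wrap for a slice_end near INT_MAX.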



[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 31 18:13:07 2018 +0100| [a97335b1b3aec9fb449ddf1a8b33cdaf418bf1a2] | 
committer: Michael Niedermayer

avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()

Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be 
represented in type 'int'
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a97335b1b3aec9fb449ddf1a8b33cdaf418bf1a2
---

 libavcodec/aacsbr_fixed.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c
index 2a679491b0..0622d2ff7c 100644
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@@ -572,7 +572,8 @@ static void sbr_hf_assemble(int Y1[38][64][2],
 int A = (1-((indexsine+(kx & 1))&2));
 int B = (A^(-idx)) + idx;
 int *out = [i][kx][idx];
-int shift, round;
+int shift;
+unsigned round;
 
 SoftFloat *in  = sbr->s_m[e];
 for (m = 0; m+1 < m_max; m+=2) {
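Review bot: splitting `round` out as `unsigned round;` changes the type of `in[m].mant * A + round` to unsigned so that the addition wraps instead of overflowing; a one-line comment at the declaration saying this is deliberate would stop a future cleanup from merging it back into `int shift, round;`.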
@@ -585,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2],
 }
 if (shift < 32) {
 round = 1 << (shift-1);
-out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
 }
 
 if (shift2 < 32) {
 round = 1 << (shift2-1);
-out[2*m+2] += (in[m+1].mant * B + round) >> shift2;
+out[2*m+2] += (int)(in[m+1].mant * B + round) >> 
shift2;
 }
 }
 if(m_max&1)
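Review bot: the `(int)(in[m].mant * A + round) >> shift` pattern converts an unsigned sum back to int, which is implementation-defined for values above INT_MAX, and then arithmetically shifts a possibly negative value; both are the idiom this code base already relies on, but the same expression now appears three times across this hunk and the next with only the operand differing, so a small helper macro would keep the three sites in sync the next time the rounding is adjusted.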
@@ -601,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2],
 return;
 } else if (shift < 32) {
 round = 1 << (shift-1);
-out[2*m  ] += (in[m  ].mant * A + round) >> shift;
+out[2*m  ] += (int)(in[m  ].mant * A + round) >> shift;
 }
 }
 }



[FFmpeg-cvslog] avcodec/mpeg4videodec: Ignore multiple VOL headers

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Feb  9 22:24:58 2018 +0100| [f03616d2a43833cad5bda2fdf6f605aa09aa89e0] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Ignore multiple VOL headers

Fixes: Ticket7005

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f03616d2a43833cad5bda2fdf6f605aa09aa89e0
---

 libavcodec/mpeg4videodec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index d0162d1074..319a3809ea 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2670,8 +2670,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 
 if (startcode >= 0x120 && startcode <= 0x12F) {
 if (vol) {
-av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers");
-return AVERROR_INVALIDDATA;
+av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL 
headers\n");
+continue;
 }
 vol++;
 if ((ret = decode_vol_header(ctx, gb)) < 0)
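Review bot: the new `continue;` silently drops whatever the second VOL header carries, so if it disagrees with the first one the stream is decoded with the first VOL's parameters; the AV_LOG_WARNING text should say that the header is ignored in favour of the first. A comment that `continue` relies on the enclosing start-code loop to skip past the VOL payload would also help, since decode_vol_header() is no longer consuming it.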



[FFmpeg-cvslog] avcodec/vp3: Check eob_run

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Feb  9 04:17:16 2018 +0100| [0df3ad79c7d8d8740693deedccf82e7c28bb60b6] | 
committer: Michael Niedermayer

avcodec/vp3: Check eob_run

Fixes: out of array access
Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552
Fixes: special case for theora (untested due to lack of sample)

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0df3ad79c7d8d8740693deedccf82e7c28bb60b6
---

 libavcodec/vp3.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index b10cb39f8a..e46a9e6971 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext 
*gb,
 if (eob_run_get_bits[token])
 eob_run += get_bits(gb, eob_run_get_bits[token]);
 
+if (!eob_run)
+eob_run = INT_MAX;
+
 // record only the number of blocks ended in this plane,
 // any spill will be recorded in the next plane.
 if (eob_run > num_coeffs - coeff_i) {
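Review bot: `eob_run = INT_MAX;` needs a comment on what an eob_run of 0 means in the bitstream, since the commit message only calls it a Theora special case that is untested for lack of a sample; with the `eob_run > num_coeffs - coeff_i` comparison that follows, INT_MAX is safe as a sentinel only as long as nothing later adds to eob_run, which would overflow. A Theora sample exercising this path should be added to FATE before the special case is relied on.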



[FFmpeg-cvslog] avcodec/scpr: Fix reading a pixel before the first

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Feb  3 18:49:07 2018 +0100| [55e6c6b5feb7e2a9110fab1dc06ced23360b14e2] | 
committer: Michael Niedermayer

avcodec/scpr: Fix reading a pixel before the first

Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0fb33a82890753233225c61863fff1fcc9d970d4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55e6c6b5feb7e2a9110fab1dc06ced23360b14e2
---

 libavcodec/scpr.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index 78a6d5c0cd..694450abf0 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -679,6 +679,8 @@ static int decompress_p(AVCodecContext *avctx,
 return AVERROR_INVALIDDATA;
 
 if (bx == 0) {
+if (by < 2)
+return AVERROR_INVALIDDATA;
 z = backstep;
 } else {
 z = 0;
@@ -708,6 +710,8 @@ static int decompress_p(AVCodecContext *avctx,
 return AVERROR_INVALIDDATA;
 
 if (bx == 0) {
+if (by < 2)
+return AVERROR_INVALIDDATA;
 z = backstep;
 } else {
 z = 0;
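Review bot: the `if (by < 2) return AVERROR_INVALIDDATA;` guard is added verbatim in both `bx == 0` branches of decompress_p(); a comment explaining why a block row below 2 cannot use `backstep` is needed at least once, and the two copies could be folded into one static inline check so they do not drift apart.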



[FFmpeg-cvslog] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Jan 11 22:47:10 2018 +0100| [d8e501de42d9c3dfe4a1f38b23a55f761866a6a1] | 
committer: Michael Niedermayer

avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one

Fixes high pitched shriek
Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4

Reported-by: Dale Curtis 
Reviewed-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8e501de42d9c3dfe4a1f38b23a55f761866a6a1
---

 libavcodec/arm/sbrdsp_neon.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S
index e66abd682a..003b04ea05 100644
--- a/libavcodec/arm/sbrdsp_neon.S
+++ b/libavcodec/arm/sbrdsp_neon.S
@@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1
 vld1.32 {d0}, [r0,:64]
 vld1.32 {d6}, [lr,:64]
 vld1.32 {d2[]},   [r1,:32]!
-vld1.32 {d3[]},   [r2,:32]!
+vld1.32 {d18[]},  [r2,:32]!
 vceq.f32d4,  d2,  #0
 veord2,  d2,  d3
 vmovd1,  d0
-vmla.f32d0,  d6,  d3
+vmla.f32d0,  d6,  d18
 vadd.f32s2,  s2,  s4
 vbifd0,  d1,  d4
 vst1.32 {d0}, [r0,:64]!
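Review bot: moving the second scalar load from d3 to d18 is safe without extra save/restore: d16 to d31 are caller-saved under the ARM AAPCS VFP convention (only d8 to d15 must be preserved), and the function already requires NEON, which implies the 32-register VFP bank. Note that `veor d2, d2, d3` still consumes d3, so d3 must still be loaded earlier in the function outside this hunk; a comment at the `vld1.32 {d18[]}` line saying what d3 and d18 each hold would help the next reader.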



[FFmpeg-cvslog] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan 28 02:29:02 2018 +0100| [90cfaff0bbc79f133a2d8c9f67763ba90072c9f9] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Avoid possibly aliasing violating casts

Found-by: kierank
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90cfaff0bbc79f133a2d8c9f67763ba90072c9f9
---

 libavcodec/mpeg4videodec.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index afa41a8641..d0162d1074 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -1251,10 +1251,12 @@ not_coded:
  */
 static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64])
 {
-Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+Mpeg4DecContext *ctx = s->avctx->priv_data;
 int cbp, mb_type;
 const int xy = s->mb_x + s->mb_y * s->mb_stride;
 
+av_assert2(s == (void*)ctx);
+
 mb_type = s->current_picture.mb_type[xy];
 cbp = s->cbp_table[xy];
 
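Review bot: `Mpeg4DecContext *ctx = s->avctx->priv_data;` together with `av_assert2(s == (void*)ctx);` encodes the invariant that MpegEncContext is the first member of Mpeg4DecContext; state that in a comment, because av_assert2 is compiled out at the default assert level and the invariant is otherwise invisible at this point.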
@@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext 
*s, int16_t block[6][64])
 
 static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64])
 {
-Mpeg4DecContext *ctx = (Mpeg4DecContext *)s;
+Mpeg4DecContext *ctx = s->avctx->priv_data;
 int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant;
 int16_t *mot_val;
 static const int8_t quant_tab[4] = { -1, -2, 1, 2 };
 const int xy = s->mb_x + s->mb_y * s->mb_stride;
 
+av_assert2(s ==  (void*)ctx);
 av_assert2(s->h263_pred);
 
 if (s->pict_type == AV_PICTURE_TYPE_P ||
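Review bot: style, `av_assert2(s ==  (void*)ctx);` has a double space before the cast; the same assert in the previous hunk is written with one.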



[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan 14 00:39:39 2018 +0100| [eecb0ecf51ed9f270832a66c85949d5731e626af] | 
committer: Michael Niedermayer

avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()

Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be 
represented in type 'int'
Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eecb0ecf51ed9f270832a66c85949d5731e626af
---

 libavcodec/ac3dec_fixed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index 9a6d7a08b1..bd66175d50 100644
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@@ -64,8 +64,8 @@ static void scale_coefs (
 int dynrng,
 int len)
 {
-int i, shift, round;
-unsigned mul;
+int i, shift;
+unsigned mul, round;
 int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7;
 
 mul = (dynrng & 0x1f) + 0x20;
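Review bot: making `round` unsigned means every `x + round` in scale_coefs() is now evaluated in unsigned arithmetic; the uses are not in this hunk, so confirm that each sum is converted back to int before the subsequent `>> shift`, otherwise the shift will no longer sign-extend negative values, and add a comment at the declaration stating why `round` is unsigned.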



[FFmpeg-cvslog] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Jan 15 23:46:44 2018 +0100| [aec30d0da9dc66de0d05b0c9d65022611bbf3f9b] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in 
coeff_abs_level_remaining_decode()

I suspect that this can be limited tighter, but I failed to find anything
in the spec that would confirm that.

Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584
Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented 
in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aec30d0da9dc66de0d05b0c9d65022611bbf3f9b
---

 libavcodec/hevc_cabac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 5e46c59a24..29485dc64c 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -987,7 +987,7 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 } else {
 int prefix_minus3 = prefix - 3;
 
-if (prefix == CABAC_MAX_BIN) {
+if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) {
 av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
 return 0;
 }
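Review bot: the error message `"CABAC_MAX_BIN : %d\n"` is now also printed when the new `prefix_minus3 + rc_rice_param >= 31` condition fires, where prefix is not CABAC_MAX_BIN at all; print a distinct message for the shift-range case that includes rc_rice_param so the log is not misleading. The 31 bound keeps the subsequent left shift inside a 32-bit int, matching the `left shift of 134217730 by 4 places` report; since the commit message admits a tighter spec-derived bound may exist, a TODO noting that would be useful.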



[FFmpeg-cvslog] avcodec/ulti: Check number of blocks at init

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Jan 15 19:03:48 2018 +0100| [a9fb2f8c80d4c76854773bf654175573942312a9] | 
committer: Michael Niedermayer

avcodec/ulti: Check number of blocks at init

Fixes: Timeout
Fixes: 4832/clusterfuzz-testcase-4699096590843904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9fb2f8c80d4c76854773bf654175573942312a9
---

 libavcodec/ulti.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c
index e6f4374981..9e4c088b10 100644
--- a/libavcodec/ulti.c
+++ b/libavcodec/ulti.c
@@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx)
 s->width = avctx->width;
 s->height = avctx->height;
 s->blocks = (s->width / 8) * (s->height / 8);
+if (s->blocks == 0)
+return AVERROR_INVALIDDATA;
 avctx->pix_fmt = AV_PIX_FMT_YUV410P;
 s->ulti_codebook = ulti_codebook;
 
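Review bot: `if (s->blocks == 0) return AVERROR_INVALIDDATA;` rejects frames narrower or shorter than 8 pixels without logging; an av_log at AV_LOG_ERROR would help. The check also silently accepts dimensions that are not multiples of 8 because `(s->width / 8) * (s->height / 8)` truncates, which is pre-existing behaviour but worth a comment next to the new check.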



[FFmpeg-cvslog] avcodec/dnxhddec: Check dc vlc

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan  3 23:42:00 2018 +0100| [05a92668942f1a7bb04815e88043ed5c24d068c0] | 
committer: Michael Niedermayer

avcodec/dnxhddec: Check dc vlc

Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 
'int'
Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=05a92668942f1a7bb04815e88043ed5c24d068c0
---

 libavcodec/dnxhddec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c
index 7cb6a75261..cd475bc170 100644
--- a/libavcodec/dnxhddec.c
+++ b/libavcodec/dnxhddec.c
@@ -377,6 +377,10 @@ static av_always_inline int dnxhd_decode_dct_block(const 
DNXHDContext *ctx,
 
 UPDATE_CACHE(bs, >gb);
 GET_VLC(len, bs, >gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1);
+if (len < 0) {
+ret = len;
+goto error;
+}
 if (len) {
 level = GET_CACHE(bs, >gb);
 LAST_SKIP_BITS(bs, >gb, len);
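Review bot: `ret = len;` propagates the raw VLC table sentinel (-1) as the function's return value; use `ret = AVERROR_INVALIDDATA;` so callers comparing against AVERROR codes get a proper error, and consider an av_log naming the DC VLC as the failing point.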
@@ -430,7 +434,7 @@ static av_always_inline int dnxhd_decode_dct_block(const 
DNXHDContext *ctx,
 GET_VLC(index1, bs, >gb, ctx->ac_vlc.table,
 DNXHD_VLC_BITS, 2);
 }
-
+error:
 CLOSE_READER(bs, >gb);
 return ret;
 }



[FFmpeg-cvslog] avcodec/exr: Fix memleaks in decode_header()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 31 17:50:21 2018 +0100| [d07a0ae1af038ad6d4a4084d22940b4efbea141e] | 
committer: Michael Niedermayer

avcodec/exr: Fix memleaks in decode_header()

Fixes: 4793/clusterfuzz-testcase-minimized-5707366629638144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0a2560a9775be7c5df09c85c9908b05e711a54a3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d07a0ae1af038ad6d4a4084d22940b4efbea141e
---

 libavcodec/exr.c | 82 ++--
 1 file changed, 56 insertions(+), 26 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 7fa17ca887..fe978805c5 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1317,6 +1317,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 AVDictionary *metadata = NULL;
 int magic_number, version, i, flags, sar = 0;
 int layer_match = 0;
+int ret;
 
 s->current_channel_offset = 0;
 s->xmin   = ~0;
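Review bot: the `fail:` label that all the new `goto fail` sites jump to is not in the visible part of this patch (the diff is truncated in the archive), so the one thing the commit claims, that `metadata` and the other allocations made in decode_header() are released on every error path, cannot be verified here; the reviewer should confirm the label calls av_dict_free(&metadata) and does not free anything the success path hands over to the frame.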
@@ -1375,8 +1376,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 if ((var_size = check_header_variable(s, "channels",
   "chlist", 38)) >= 0) {
 GetByteContext ch_gb;
-if (!var_size)
-return AVERROR_INVALIDDATA;
+if (!var_size) {
+ret = AVERROR_INVALIDDATA;
+goto fail;
+}
 
 bytestream2_init(_gb, s->gb.buffer, var_size);
 
@@ -1435,14 +1438,16 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 
 if (bytestream2_get_bytes_left(_gb) < 4) {
 av_log(s->avctx, AV_LOG_ERROR, "Incomplete header.\n");
-return AVERROR_INVALIDDATA;
+ret = AVERROR_INVALIDDATA;
+goto fail;
 }
 
 current_pixel_type = bytestream2_get_le32(_gb);
 if (current_pixel_type >= EXR_UNKNOWN) {
 avpriv_report_missing_feature(s->avctx, "Pixel type %d",
   current_pixel_type);
-return AVERROR_PATCHWELCOME;
+ret = AVERROR_PATCHWELCOME;
+goto fail;
 }
 
 bytestream2_skip(_gb, 4);
@@ -1453,7 +1458,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 avpriv_report_missing_feature(s->avctx,
   "Subsampling %dx%d",
   xsub, ysub);
-return AVERROR_PATCHWELCOME;
+ret = AVERROR_PATCHWELCOME;
+goto fail;
 }
 
 if (channel_index >= 0 && s->channel_offsets[channel_index] == 
-1) { /* channel has not been previously assigned */
@@ -1461,7 +1467,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 s->pixel_type != current_pixel_type) {
 av_log(s->avctx, AV_LOG_ERROR,
"RGB channels not of the same depth.\n");
-return AVERROR_INVALIDDATA;
+ret = AVERROR_INVALIDDATA;
+goto fail;
 }
 s->pixel_type = current_pixel_type;
 s->channel_offsets[channel_index] = 
s->current_channel_offset;
@@ -1469,8 +1476,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 
 s->channels = av_realloc(s->channels,
  ++s->nb_channels * 
sizeof(EXRChannel));
-if (!s->channels)
-return AVERROR(ENOMEM);
+if (!s->channels) {
+ret = AVERROR(ENOMEM);
+goto fail;
+}
 channel = >channels[s->nb_channels - 1];
 channel->pixel_type = current_pixel_type;
 channel->xsub   = xsub;
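Review bot: `s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel));` still leaks the previous array on failure, because the old pointer is overwritten with NULL before the new `goto fail`, and it leaves `s->nb_channels` incremented past the allocated count; use av_realloc_array() into a temporary (or av_reallocp_array()) and only bump nb_channels after success. The goto conversion in this hunk does not address that.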
@@ -1495,7 +1504,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 av_log(s->avctx, AV_LOG_ERROR, "Missing green 
channel.\n");
 if (s->channel_offsets[2] < 0)
 av_log(s->avctx, AV_LOG_ERROR, "Missing blue 
channel.\n");
-return AVERROR_INVALIDDATA;
+ret = AVERROR_INVALIDDATA;
+goto fail;
 }
 }
 
@@ -1504,8 +1514,10 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 continue;
 } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
  

[FFmpeg-cvslog] avcodec/h264addpx_template: Fixes integer overflows

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan  7 03:48:43 2018 +0100| [014ba5c73758298366feda73e9f6c97a5af860e1] | 
committer: Michael Niedermayer

avcodec/h264addpx_template: Fixes integer overflows

Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 
'int'
Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=014ba5c73758298366feda73e9f6c97a5af860e1
---

 libavcodec/h264addpx_template.c | 24 
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c
index b71aaea439..9a1e6a2f2f 100644
--- a/libavcodec/h264addpx_template.c
+++ b/libavcodec/h264addpx_template.c
@@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, 
int16_t *_src, int stride)
 stride /= sizeof(pixel);
 
 for (i = 0; i < 4; i++) {
-dst[0] += src[0];
-dst[1] += src[1];
-dst[2] += src[2];
-dst[3] += src[3];
+dst[0] += (unsigned)src[0];
+dst[1] += (unsigned)src[1];
+dst[2] += (unsigned)src[2];
+dst[3] += (unsigned)src[3];
 
 dst += stride;
 src += 4;
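Review bot: the `(unsigned)src[n]` casts make the addition wrap instead of overflowing, which only matters in the template instantiation where the coefficients are wider than 16 bits (the `512 + 2147483491` overflow in the commit message comes from there); for 16-bit coefficients added to a promoted pixel the cast changes nothing. A comment at the top of the function saying that, and that the sum is truncated to the pixel width on store, would save the next reader from wondering why a pixel add is done in unsigned.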
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, 
int16_t *_src, int stride)
 stride /= sizeof(pixel);
 
 for (i = 0; i < 8; i++) {
-dst[0] += src[0];
-dst[1] += src[1];
-dst[2] += src[2];
-dst[3] += src[3];
-dst[4] += src[4];
-dst[5] += src[5];
-dst[6] += src[6];
-dst[7] += src[7];
+dst[0] += (unsigned)src[0];
+dst[1] += (unsigned)src[1];
+dst[2] += (unsigned)src[2];
+dst[3] += (unsigned)src[3];
+dst[4] += (unsigned)src[4];
+dst[5] += (unsigned)src[5];
+dst[6] += (unsigned)src[6];
+dst[7] += (unsigned)src[7];
 
 dst += stride;
 src += 8;



[FFmpeg-cvslog] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()

2018-04-12 Thread Nikolas Bowe
ffmpeg | branch: release/3.3 | Nikolas Bowe  | 
Thu Jan 18 15:21:56 2018 -0800| [980fe1b7a6fcbfc087dd2580308b565840e4eb6a] | 
committer: Michael Niedermayer

avformat/matroskadec: Fix float-cast-overflow undefined behavior in 
matroska_parse_tracks()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=980fe1b7a6fcbfc087dd2580308b565840e4eb6a
---

 libavformat/matroskadec.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 3ec1636584..cd6db9ebac 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2071,8 +2071,16 @@ static int matroska_parse_tracks(AVFormatContext *s)
 }
 
 if (track->type == MATROSKA_TRACK_TYPE_VIDEO) {
-if (!track->default_duration && track->video.frame_rate > 0)
-track->default_duration = 10 / track->video.frame_rate;
+if (!track->default_duration && track->video.frame_rate > 0) {
+double default_duration = 10 / track->video.frame_rate;
+if (default_duration > UINT64_MAX || default_duration < 0) {
+av_log(matroska->ctx, AV_LOG_WARNING,
+ "Invalid frame rate %e. Cannot calculate default 
duration.\n",
+ track->video.frame_rate);
+} else {
+track->default_duration = default_duration;
+}
+}
 if (track->video.display_width == -1)
 track->video.display_width = track->video.pixel_width;
 if (track->video.display_height == -1)
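Review bot: `default_duration > UINT64_MAX` does not reject every value that cannot be stored: UINT64_MAX converts to the double 2^64, so a default_duration equal to exactly 2^64 passes the check and its conversion to uint64_t is undefined; use `>=` instead. The `default_duration < 0` arm can never fire given the enclosing `frame_rate > 0` guard, so it is harmless, and that guard also excludes NaN while a +inf result is caught by the upper bound, so the remaining cases are covered.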



[FFmpeg-cvslog] avcodec/indeo5: Do not leave frame_type set to an invalid value

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Jan 26 00:24:49 2018 +0100| [38384cdd991cf6c7d28f365c368523d8c8066d3e] | 
committer: Michael Niedermayer

avcodec/indeo5: Do not leave frame_type set to an invalid value

Fixes: null pointer dereference
Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38384cdd991cf6c7d28f365c368523d8c8066d3e
---

 libavcodec/indeo5.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c
index 5f931c8b98..5028def4bc 100644
--- a/libavcodec/indeo5.c
+++ b/libavcodec/indeo5.c
@@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
 ctx->frame_type  = get_bits(>gb, 3);
 if (ctx->frame_type >= 5) {
 av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", 
ctx->frame_type);
+ctx->frame_type = FRAMETYPE_INTRA;
 return AVERROR_INVALIDDATA;
 }
 
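Review bot: `ctx->frame_type = FRAMETYPE_INTRA;` on the error path needs a comment that the value is chosen only so that later code indexing by frame_type stays in range (the commit message cites a null pointer dereference); without it the line reads as though an invalid frame is being reinterpreted as intra.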



[FFmpeg-cvslog] avcodec/h264_slice: Do not attempt to render into frames already output

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan  3 23:42:01 2018 +0100| [d81bfc042cea588213d7ce2162d9c7fd1b23b98f] | 
committer: Michael Niedermayer

avcodec/h264_slice: Do not attempt to render into frames already output

Fixes: null pointer dereference
Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112

This testcase does not reproduce the issue before 
03b82b3ab9883cef017e513c7d0b3b986b3b3e7b

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d81bfc042cea588213d7ce2162d9c7fd1b23b98f
---

 libavcodec/h264_slice.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 3f3a3e4067..d83ba000ce 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1552,6 +1552,12 @@ static int h264_field_start(H264Context *h, const 
H264SliceContext *sl,
  * one except for reference purposes. */
 h->first_field = 1;
 h->cur_pic_ptr = NULL;
+} else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) {
+/* This frame was already output, we cannot draw into it
+ * anymore.
+ */
+h->first_field = 1;
+h->cur_pic_ptr = NULL;
 } else {
 /* Second field in complementary pair */
 h->first_field = 0;
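Review bot: the new `else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF)` branch repeats the two assignments of the preceding branch and closes its comment with a lone `*/` line, unlike the surrounding style (`... reference purposes. */`); either add the DELAYED_PIC_REF condition to the existing `if` with `||` and extend its comment, or at least match the comment formatting. The dereference of `h->cur_pic_ptr` here is only safe if the preceding condition, which is outside the hunk, guarantees the pointer is non-NULL when it evaluates false; worth confirming.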



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix several integer overflows

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Thu Jan 25 23:14:37 2018 +0100| [55f9c21363af98b0f00c927b7d9c9a92f2f378d2] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix several integer overflows

Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot 
be represented in type 'int'
Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55f9c21363af98b0f00c927b7d9c9a92f2f378d2
---

 libavcodec/dirac_dwt.h  | 4 ++--
 libavcodec/dirac_dwt_template.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 1af41e0702..68ebd19560 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 
 // shared stuff for simd optimizations
 #define COMPOSE_53iL0(b0, b1, b2)\
-(b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2))
+(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2))
 
 #define COMPOSE_DIRAC53iH0(b0, b1, b2)\
-(b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
+(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
 (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
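Review bot: with the added `(unsigned)` cast the value of the whole macro becomes unsigned (`b1 - (unsigned)(...)`), whereas the neighbouring COMPOSE_DD97iH0 wraps its result in an outer `(int)(...)`; for consistency, and to make the intended wrap back to a signed value explicit at the macro boundary rather than at each use site, wrap COMPOSE_53iL0 and COMPOSE_DIRAC53iH0 in `(int)(...)` as well. The inner `(int)(...) >> 2` remains an arithmetic shift of a possibly negative value, which is implementation-defined but matches the existing macros.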
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index e436c247a1..e68cc4d530 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, 
uint8_t *_b1, uint8_t *_
 TYPE *b1 = (TYPE *)_b1;
 TYPE *b2 = (TYPE *)_b2;
 for (i = 0; i < width; i++)
-b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2;
+b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2);
 }
 
 static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE 
*src1, int w2,
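Review bot: the new expression is now the body of COMPOSE_53iL0 from dirac_dwt.h character for character (`b1[i] = COMPOSE_53iL0(b0[i], b1[i], b2[i]);` is equivalent to the `-=` form here); using the macro would keep the C path and the SIMD-shared definition from drifting apart the next time one of them is adjusted.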



[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in FFABS

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 31 02:50:18 2018 +0100| [4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9] | 
committer: Michael Niedermayer

avcodec/wavpack: Fix integer overflow in FFABS

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an 
unsigned type to negate this value to itself
Fixes: 5396/clusterfuzz-testcase-minimized-655829281536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9
---

 libavcodec/wavpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 27d631c4e9..e0440959ff 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -480,7 +480,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, 
GetBitContext *gb,
 }
 
 if (type == AV_SAMPLE_FMT_S16P) {
-if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) {
+if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) {
 av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, 
R);
 return AVERROR_INVALIDDATA;
 }



[FFmpeg-cvslog] avformat/lrcdec: Fix memory leak in lrc_read_header()

2018-04-12 Thread Nikolas Bowe
ffmpeg | branch: release/3.3 | Nikolas Bowe  | 
Fri Jan 19 13:17:07 2018 -0800| [68f9a9fe4bcba2db62a3cb43b3013bf58368fb6d] | 
committer: Michael Niedermayer

avformat/lrcdec: Fix memory leak in lrc_read_header()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68f9a9fe4bcba2db62a3cb43b3013bf58368fb6d
---

 libavformat/lrcdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 12f74b22a0..f4e9a4efa9 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s)
 }
 ff_subtitles_queue_finalize(s, >q);
 ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv);
+av_bprint_finalize(, NULL);
 return 0;
 }
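Review bot: the added av_bprint_finalize() sits only on the `return 0` path; if lrc_read_header() has any earlier error return after the buffer is initialised, that path still leaks, so a shared cleanup label (or finalising before each early return) would close the leak completely. As rendered here the line reads `av_bprint_finalize(, NULL)` with an empty first argument, which would not compile; the actual commit should be passing the address of the AVBPrint being released.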
 



[FFmpeg-cvslog] avcodec/hevc_ps: extract SPS fields required for hvcC construction

2018-04-12 Thread Aman Gupta
ffmpeg | branch: release/3.3 | Aman Gupta  | Tue Sep 26 18:04:12 
2017 -0700| [bb5748ec9d244e22e783e2914b64abf64c0808e3] | committer: Michael 
Niedermayer

avcodec/hevc_ps: extract SPS fields required for hvcC construction

Signed-off-by: Aman Gupta 
Reviewed-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb5748ec9d244e22e783e2914b64abf64c0808e3
---

 libavcodec/hevc_ps.c | 3 ++-
 libavcodec/hevc_ps.h | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index f2c26c4598..dc1429fa73 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -891,7 +891,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, 
unsigned int *sps_id,
 return AVERROR_INVALIDDATA;
 }
 
-skip_bits1(gb); // temporal_id_nesting_flag
+sps->temporal_id_nesting_flag = get_bits(gb, 1);
 
 if ((ret = parse_ptl(gb, avctx, >ptl, sps->max_sub_layers)) < 0)
 return ret;
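Review bot: for a single-bit syntax element `get_bits1(gb)` is the idiomatic reader and directly mirrors the `skip_bits1(gb)` it replaces; `get_bits(gb, 1)` works but takes the general multi-bit path.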
@@ -954,6 +954,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, 
unsigned int *sps_id,
sps->bit_depth, bit_depth_chroma);
 return AVERROR_INVALIDDATA;
 }
+sps->bit_depth_chroma = bit_depth_chroma;
 
 ret = map_pixel_format(avctx, sps);
 if (ret < 0)
diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h
index 44de3980e1..26842ef189 100644
--- a/libavcodec/hevc_ps.h
+++ b/libavcodec/hevc_ps.h
@@ -151,6 +151,7 @@ typedef struct HEVCSPS {
 HEVCWindow pic_conf_win;
 
 int bit_depth;
+int bit_depth_chroma;
 int pixel_shift;
 enum AVPixelFormat pix_fmt;
 
@@ -163,6 +164,7 @@ typedef struct HEVCSPS {
 int num_reorder_pics;
 int max_latency_increase;
 } temporal_layer[HEVC_MAX_SUB_LAYERS];
+uint8_t temporal_id_nesting_flag;
 
 VUI vui;
 PTL ptl;



[FFmpeg-cvslog] avcodec/hevc_ps: Check log2_sao_offset_scale_*

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 24 03:15:23 2018 +0100| [4019c2a67c6aafeadb93aa8fc741cc3915817597] | 
committer: Michael Niedermayer

avcodec/hevc_ps: Check log2_sao_offset_scale_*

Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768
Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4019c2a67c6aafeadb93aa8fc741cc3915817597
---

 libavcodec/hevc_ps.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index dc1429fa73..b64dc68919 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1330,6 +1330,11 @@ static int pps_range_extensions(GetBitContext *gb, 
AVCodecContext *avctx,
 pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb);
 pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb);
 
+if (   pps->log2_sao_offset_scale_luma   > FFMAX(sps->bit_depth- 
10, 0)
+|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 
10, 0)
+)
+return AVERROR_INVALIDDATA;
+
 return(0);
 }
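Review bot: the range test runs after the values have already been stored into `pps->log2_sao_offset_scale_luma` / `_chroma`; if those fields are narrower than the `unsigned` returned by get_ue_golomb_long(), the assignment can truncate an out-of-range value back into range before it is compared, so validate the raw return value first and assign only on success. This backport also reads `sps->bit_depth_chroma`, which is introduced by the preceding cherry-pick (bb5748ec), so the two commits must stay together on the release branch. Minor: `sps->bit_depth- 10` should be spaced `sps->bit_depth - 10`.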
 



[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in DC dequantization

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 24 03:28:49 2018 +0100| [dbe356a00974632a18612c7a395366cee4c49118] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Fix integer overflow in DC dequantization

Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be 
represented in type 'int'
Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dbe356a00974632a18612c7a395366cee4c49118
---

 libavcodec/mjpegdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index bd6dd7ef47..31c8fb422d 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -696,7 +696,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t 
*block, int component,
 av_log(s->avctx, AV_LOG_ERROR, "error dc\n");
 return AVERROR_INVALIDDATA;
 }
-val = val * quant_matrix[0] + s->last_dc[component];
+val = val * (unsigned)quant_matrix[0] + s->last_dc[component];
 val = av_clip_int16(val);
 s->last_dc[component] = val;
 block[0] = val;
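Review bot: the `(unsigned)` cast removes the undefined overflow, but on a stream where `val * quant_matrix[0]` really exceeds the int range the wrapped product is converted back to int before av_clip_int16(), so the clip can land on the wrong sign. If the goal is a saturating DC value rather than merely defined behaviour, compute the product in int64_t and clip that, or reject `val` / `quant_matrix[0]` combinations that cannot fit.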



[FFmpeg-cvslog] avfilter/vf_transpose: Fix used plane count.

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Wed Jan 24 19:38:05 2018 +0100| [d74839d793ebf8c6c7c4a2a8a22ae2bd695d2c41] | 
committer: Michael Niedermayer

avfilter/vf_transpose: Fix used plane count.

Fixes out of array access
Fixes: poc.mp4

Found-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235)
(cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d74839d793ebf8c6c7c4a2a8a22ae2bd695d2c41
---

 libavfilter/vf_transpose.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c
index 75b4dda41f..1e5505b713 100644
--- a/libavfilter/vf_transpose.c
+++ b/libavfilter/vf_transpose.c
@@ -27,6 +27,7 @@
 
 #include 
 
+#include "libavutil/avassert.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
 #include "libavutil/intreadwrite.h"
@@ -54,6 +55,7 @@ enum TransposeDir {
 typedef struct TransContext {
 const AVClass *class;
 int hsub, vsub;
+int planes;
 int pixsteps[4];
 
 int passthrough;///< PassthroughType, landscape passthrough mode 
enabled
@@ -106,6 +108,10 @@ static int config_props_output(AVFilterLink *outlink)
 
 s->hsub = desc_in->log2_chroma_w;
 s->vsub = desc_in->log2_chroma_h;
+s->planes = av_pix_fmt_count_planes(outlink->format);
+
+av_assert0(desc_in->nb_components == desc_out->nb_components);
+
 
 av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out);
 
@@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, 
int jobnr,
 AVFrame *in = td->in;
 int plane;
 
-for (plane = 0; out->data[plane]; plane++) {
+for (plane = 0; plane < s->planes; plane++) {
 int hsub= plane == 1 || plane == 2 ? s->hsub : 0;
 int vsub= plane == 1 || plane == 2 ? s->vsub : 0;
 int pixstep = s->pixsteps[plane];
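Review bot: `s->planes` now bounds an index into `pixsteps`, which is declared `[4]`, but nothing in the patch ties the two sizes together; an `av_assert0(s->planes <= 4)` (or an equivalent comment) where `s->planes` is set would stop a future format with more planes from reintroducing the overrun this change fixes.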



[FFmpeg-cvslog] avcodec/mpeg4videodec: Check mb_num also against 0

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan 28 02:29:00 2018 +0100| [61a911d0073b19974ea289b1594e2bf8bba56007] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Check mb_num also against 0

The spec implies that 0 is invalid in addition to the existing checks

Found-by: 
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61a911d0073b19974ea289b1594e2bf8bba56007
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 8eafc783b8..afa41a8641 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext 
*ctx)
 }
 
 mb_num = get_bits(>gb, mb_num_bits);
-if (mb_num >= s->mb_num) {
+if (mb_num >= s->mb_num || !mb_num) {
 av_log(s->avctx, AV_LOG_ERROR,
"illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num);
 return -1;
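Review bot: the `!mb_num` test is the right addition; while touching this error path, `return AVERROR_INVALIDDATA;` is preferred over the bare `-1` so callers receive a proper error code, and the log message could mention that 0 is rejected by the spec as well, since it prints the value without saying why it is illegal.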



[FFmpeg-cvslog] avcodec/get_bits: Document the return code of get_vlc2()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan 28 02:29:01 2018 +0100| [093c80747ba4b3a6ca1a1532d1404dafa421b2b5] | 
committer: Michael Niedermayer

avcodec/get_bits: Document the return code of get_vlc2()

Found-by: kierank
Reviewed-by: Kieran Kunhya 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=093c80747ba4b3a6ca1a1532d1404dafa421b2b5
---

 libavcodec/get_bits.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index c530015169..0c7f5ff0c6 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -550,6 +550,7 @@ static inline const uint8_t *align_get_bits(GetBitContext 
*s)
  * @param max_depth is the number of times bits bits must be read to completely
  *  read the longest vlc code
  *  = (max_vlc_length + bits - 1) / bits
+ * @returns the code parsed or -1 if no vlc matches
  */
 static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2],
  int bits, int max_depth)



[FFmpeg-cvslog] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sat Jan 20 04:10:50 2018 +0100| [162bbc22e2032db4bf9fc3aadeb9b4e05924e76b] | 
committer: Michael Niedermayer

avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()

Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented 
in type 'int'
Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=162bbc22e2032db4bf9fc3aadeb9b4e05924e76b
---

 libavcodec/truemotion2.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index f077f0e4bd..97c38f7f08 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type)
 
 /* recalculate last and delta values for next blocks */
 #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\
-CD[0] = CHR[1] - last[1];\
-CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\
+CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\
+CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\
 last[0] = (int)CHR[stride + 0];\
 last[1] = (int)CHR[stride + 1];}
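Review bot: spacing in the new lines is inconsistent (`CHR[ 1]` has a stray space, `(unsigned) CHR[1]` has a space after the cast while `(unsigned)CHR[stride + 1]` has none); align with the existing `CHR[stride + 1]` / `(int)CHR[...]` style. The macro also assigns the unsigned difference into `CD[]`, so the wrap back to a signed value depends on CD's element type; a one-line comment that this modular arithmetic is intended would help.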
 



[FFmpeg-cvslog] avcodec/dxtory: Fix bits left checks

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Jan 22 14:02:59 2018 +0100| [ce82d4722bde503f899521519d3a8e8c2200c205] | 
committer: Michael Niedermayer

avcodec/dxtory: Fix bits left checks

Fixes: Timeout
Fixes: 4863/clusterfuzz-testcase-6347354178322432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce82d4722bde503f899521519d3a8e8c2200c205
---

 libavcodec/dxtory.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c
index 6f8652ad49..e736cec8db 100644
--- a/libavcodec/dxtory.c
+++ b/libavcodec/dxtory.c
@@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame 
*frame,
 int stride   = frame->linesize[0];
 uint8_t *dst = frame->data[0] + stride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 b = decode_sym_565(gb, lru[0], 5);
 g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5);
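Review bot: the tighter `get_bits_left(gb) > 6 * width` precondition is only safe if every pixel of a row costs at least 6 bits; decode_sym_565() is driven by the `lru[]` caches, so if a run of cache hits can encode a pixel in fewer bits, a valid stream whose final rows are highly compressible could now stop short. Please confirm the per-pixel minimum (a comment deriving the `6 * width` constant would help), and if it is not a hard lower bound, keep the loop and re-check the remaining bits per pixel or after each row instead.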
@@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame 
*frame,
 int stride   = frame->linesize[0];
 uint8_t *dst = frame->data[0] + stride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 dst[x * 3 + 0] = decode_sym(gb, lru[0]);
 dst[x * 3 + 1] = decode_sym(gb, lru[1]);
@@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *U  = frame->data[1] + (ustride >> 2) * line;
 uint8_t *V  = frame->data[2] + (vstride >> 2) * line;
 
-for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) {
+for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) {
 for (x = 0; x < width; x += 4) {
 for (j = 0; j < 4; j++)
 for (i = 0; i < 4; i++)
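Review bot: here each iteration consumes four rows yet the bound is `9 * width`, while the 4:2:0 variant below consumes two rows with `6 * width` and the single-row variants also use `6 * width`; the constants do not scale with the rows per iteration, so a comment spelling out the symbols-per-iteration arithmetic for each chroma layout would make the check reviewable.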
@@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *V  = frame->data[2] + (vstride >> 1) * line;
 
 
-for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) {
+for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) {
 for (x = 0; x < width; x += 2) {
 Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]);
 Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]);
@@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame 
*frame,
 uint8_t *U  = frame->data[1] + ustride * line;
 uint8_t *V  = frame->data[2] + vstride * line;
 
-for (y = 0; y < left && get_bits_left(gb) > 16; y++) {
+for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) {
 for (x = 0; x < width; x++) {
 Y[x] = decode_sym(gb, lru[0]);
 U[x] = decode_sym(gb, lru[1]) ^ 0x80;



[FFmpeg-cvslog] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Jan 15 23:42:57 2018 +0100| [fb27cebc93cb2999c31f9a0dc7f843d5b71187a8] | 
committer: Michael Niedermayer

avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb27cebc93cb2999c31f9a0dc7f843d5b71187a8
---

 libavcodec/hevc_cabac.c | 11 +++
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 3c22e30faa..5e46c59a24 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -979,16 +979,19 @@ static av_always_inline int 
coeff_abs_level_remaining_decode(HEVCContext *s, int
 
 while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc))
 prefix++;
-if (prefix == CABAC_MAX_BIN) {
-av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
-return 0;
-}
+
 if (prefix < 3) {
 for (i = 0; i < rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);
 last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix;
 } else {
 int prefix_minus3 = prefix - 3;
+
+if (prefix == CABAC_MAX_BIN) {
+av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix);
+return 0;
+}
+
 for (i = 0; i < prefix_minus3 + rc_rice_param; i++)
 suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc);
 last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1)
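Review bot: the relocated CABAC_MAX_BIN check still does `return 0`, which callers cannot tell apart from a genuinely decoded remaining level of 0, so the corrupt-stream case continues decoding as if a zero had been read; if the intent is to surface the error, return a negative value (or set an error flag on the context) and let the caller bail out. Cosmetically, the check could sit above `int prefix_minus3 = prefix - 3;` so the variable is not computed on the error path.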



[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow with quant

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan  7 20:43:24 2018 +0100| [347744121bc88c82088234ce8cc086453b077179] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow with quant

Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 
'int'
Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg

Signed-off-by: Michael Niedermayer 
(cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=347744121bc88c82088234ce8cc086453b077179
---

 libavcodec/diracdec.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 791b7f9928..9df70c3f7a 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -508,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b,
 }
 
 if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) {
-int quant = b->quant;
+int quant;
 if (is_arith)
-quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
+quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA);
 else
-quant += dirac_get_se_golomb(gb);
-if (quant < 0) {
+quant = dirac_get_se_golomb(gb);
+if (quant > INT_MAX - b->quant || b->quant + quant < 0) {
 av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n");
 return;
 }
-b->quant = quant;
+b->quant += quant;
 }
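Review bot: `quant > INT_MAX - b->quant` only avoids overflow if `b->quant` is non-negative on entry; with a negative `b->quant` the subtraction itself overflows. The later `b->quant > (DIRAC_MAX_QUANT_INDEX - 1)` check only bounds it from above, so either document that `b->quant >= 0` is an invariant maintained by the caller or widen the sum to int64_t before range-checking.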
 
 if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) {



[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix integer overflows in ict_int()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan  7 04:12:57 2018 +0100| [e4afafaa7effe5086373790639c1d0a962d4d007] | 
committer: Michael Niedermayer

avcodec/jpeg2000dsp: Fix integer overflows in ict_int()

Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 
'int'
Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e4afafaa7effe5086373790639c1d0a962d4d007
---

 libavcodec/jpeg2000dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index 85a12d0e9b..90e73b1e20 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, 
int csize)
 int i;
 
 for (i = 0; i < csize; i++) {
-i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
+i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);
 i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) 
>> 16)
-   - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
+   - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) 
>> 16);
 i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 
16);
 *src0++ = i0;
 *src1++ = i1;
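Review bot: the casts make the scaled products wrap instead of overflow, but the outer `*src0 + *src2 + ...` and `*src0 - ...` additions are still plain int arithmetic and can overflow for the same kind of out-of-range input; doing the whole expression in unsigned and casting once at the end, as the i2 line already does for its product, would be more complete.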



[FFmpeg-cvslog] configure: bump year

2018-04-12 Thread Carl Eugen Hoyos
ffmpeg | branch: release/3.3 | Carl Eugen Hoyos  | Mon Jan  
1 18:05:55 2018 +0100| [68ca7aefb26cba079c9a963235e3d7bbb6001dc0] | committer: 
Michael Niedermayer

configure: bump year

Happy new year!

(cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68ca7aefb26cba079c9a963235e3d7bbb6001dc0
---

 configure | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure b/configure
index 97aab62990..a48f7858bf 100755
--- a/configure
+++ b/configure
@@ -6799,7 +6799,7 @@ cat > $TMPH 

[FFmpeg-cvslog] avcodec/opus_parser: Check payload_len in parse_opus_ts_header()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Fri Jan  5 22:12:07 2018 +0100| [ba2f8469ba951db28c7d7ede25908cb8beeacfae] | 
committer: Michael Niedermayer

avcodec/opus_parser: Check payload_len in parse_opus_ts_header()

Fixes: clusterfuzz-testcase-minimized-6134545979277312
Fixes: crbug 797469

Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ba2f8469ba951db28c7d7ede25908cb8beeacfae
---

 libavcodec/opus_parser.c | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c
index 893573eb82..28b0933900 100644
--- a/libavcodec/opus_parser.c
+++ b/libavcodec/opus_parser.c
@@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 const uint8_t *buf = start + 1;
 int start_trim_flag, end_trim_flag, control_extension_flag, 
control_extension_length;
 uint8_t flags;
+uint64_t payload_len_tmp;
 
 GetByteContext gb;
 bytestream2_init(, buf, buf_len);
@@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 end_trim_flag  = (flags >> 3) & 1;
 control_extension_flag = (flags >> 2) & 1;
 
-*payload_len = 0;
+payload_len_tmp = *payload_len = 0;
 while (bytestream2_peek_byte() == 0xff)
-*payload_len += bytestream2_get_byte();
+payload_len_tmp += bytestream2_get_byte();
 
-*payload_len += bytestream2_get_byte();
+payload_len_tmp += bytestream2_get_byte();
 
 if (start_trim_flag)
 bytestream2_skip(, 2);
@@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t 
*start, int *payload_le
 bytestream2_skip(, control_extension_length);
 }
 
+if (bytestream2_tell() + payload_len_tmp > buf_len)
+return NULL;
+
+*payload_len = payload_len_tmp;
+
 return buf + bytestream2_tell();
 }
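Review bot: the new bounds check compares `bytestream2_tell() + payload_len_tmp` (int promoted to uint64_t) against `buf_len`; if `buf_len` can ever be negative it converts to a huge unsigned value and the check passes, so either assert `buf_len >= 0` or reject it at the top of the function. Leaving `*payload_len` at 0 on the NULL return is good, since callers cannot then act on a partially accumulated length.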
 
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, 
AVCodecContext *avctx,
 state = (state << 8) | payload[i];
 if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) {
 payload = parse_opus_ts_header(payload, _len, buf_size 
- i);
+if (!payload) {
+av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS 
header.\n");
+return AVERROR_INVALIDDATA;
+}
 *header_len = payload - buf;
 start_found = 1;
 break;
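Review bot: the log text says "Ogg TS header" but this code path parses the Opus MPEG-TS control header (see OPUS_TS_HEADER and parse_opus_ts_header()), not an Ogg page; "Opus TS header" would be accurate and less confusing in user-facing logs.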



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan  7 20:58:49 2018 +0100| [bf7715fd29d5701d68379a37c59465096717ed15] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0

Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800
Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bf7715fd29d5701d68379a37c59465096717ed15
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index f9828d95a4..1af41e0702 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
 
 #define COMPOSE_HAARiL0(b0, b1)\
-(b0 - ((b1 + 1) >> 1))
+((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))
 
 #define COMPOSE_HAARiH0(b0, b1)\
-(b0 + b1)
+((int)(b0 + (unsigned)(b1)))
 
 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
 ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))



[FFmpeg-cvslog] avcodec/jpeg2000: Check sum of sizes of band->prec before allocating

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jan 14 00:39:40 2018 +0100| [488a6ae7e5e8ffbcddcdda62174b898bbe6a8b4d] | 
committer: Michael Niedermayer

avcodec/jpeg2000: Check sum of sizes of band->prec before allocating

Fixes: OOM
Fixes: 4810/clusterfuzz-testcase-minimized-6034253235093504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6887e412434776eb260ad3904f565be491dd5726)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=488a6ae7e5e8ffbcddcdda62174b898bbe6a8b4d
---

 libavcodec/jpeg2000.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index afeb9df27c..026b2db56f 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -543,6 +543,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp,
 if (!reslevel->band)
 return AVERROR(ENOMEM);
 
+if (reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y * 
reslevel->nbands > avctx->max_pixels / sizeof(*reslevel->band->prec))
+return AVERROR(ENOMEM);
+
 for (bandno = 0; bandno < reslevel->nbands; bandno++, gbandno++) {
 ret = init_band(avctx, reslevel,
 comp, codsty, qntsty,
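Review bot: the guard borrows `avctx->max_pixels` as a memory budget for the precinct array and fails with ENOMEM; a comment explaining that mapping, plus an av_log() naming the offending precinct counts before returning, would help users who hit it on a large but otherwise valid image, since a bare ENOMEM with plenty of free memory is confusing to diagnose.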



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow before htaps check

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Mon Jan 15 03:03:36 2018 +0100| [60bc7a6ec08a662c02e10eb1660d15e2a65ff0f5] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow before htaps check

Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be 
represented in type 'int'
Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60bc7a6ec08a662c02e10eb1660d15e2a65ff0f5
---

 libavcodec/snowdec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index df425b8cf3..00fa064102 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){
 int htaps, i, sum=0;
 Plane *p= >plane[plane_index];
 p->diag_mc= get_rac(>c, s->header_state);
-htaps= get_symbol(>c, s->header_state, 0)*2 + 2;
-if((unsigned)htaps >= HTAPS_MAX || htaps==0)
+htaps= get_symbol(>c, s->header_state, 0);
+if((unsigned)htaps >= HTAPS_MAX/2 - 1)
 return AVERROR_INVALIDDATA;
+htaps = htaps*2 + 2;
 p->htaps= htaps;
 for(i= htaps/2; i; i--){
 p->hcoeff[i]= get_symbol(>c, s->header_state, 0) * 
(1-2*(i&1));
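Review bot: the rewritten bound `(unsigned)htaps >= HTAPS_MAX/2 - 1` on the raw symbol rejects exactly the same values as the old `htaps*2 + 2 >= HTAPS_MAX` test only when HTAPS_MAX is even; for an odd HTAPS_MAX it is one step stricter. A one-line comment stating the equivalence, and that the unsigned cast is what rejects negative symbols, would save the next reader the derivation.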



[FFmpeg-cvslog] avcodec/utils: Avoid hardcoding duplicated types in sizeof()

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: release/3.3 | Michael Niedermayer  | 
Sun Jun  4 01:53:58 2017 +0200| [7965ffbeb111af1a8c676ca587e0ab5927c374d4] | 
committer: Michael Niedermayer

avcodec/utils: Avoid hardcoding duplicated types in sizeof()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7965ffbeb111af1a8c676ca587e0ab5927c374d4
---

 libavcodec/utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 9363026695..9064cb31d6 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -1270,7 +1270,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext 
*avctx, const AVCodec *code
 if (ret < 0)
 return ret;
 
-avctx->internal = av_mallocz(sizeof(AVCodecInternal));
+avctx->internal = av_mallocz(sizeof(*avctx->internal));
 if (!avctx->internal) {
 ret = AVERROR(ENOMEM);
 goto end;
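Review bot: `sizeof(*avctx->internal)` on L5091 ties the allocation size to the pointer's own type, so a later change of the field type cannot silently under-allocate; there is no functional change. The remaining `sizeof(Type)` allocations in this file could get the same treatment in a follow-up.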
@@ -2795,7 +2795,7 @@ void avsubtitle_free(AVSubtitle *sub)
 
 av_freep(>rects);
 
-memset(sub, 0, sizeof(AVSubtitle));
+memset(sub, 0, sizeof(*sub));
 }
 
 static int do_decode(AVCodecContext *avctx, AVPacket *pkt)



[FFmpeg-cvslog] avformat/utils: Stream specifier enhancement

2018-04-12 Thread Bela Bodecs
ffmpeg | branch: master | Bela Bodecs  | Sun Apr  1 
23:29:14 2018 +0200| [37d0213968a2b58499f52dfe09c8d7a27d4c5a86] | committer: 
Michael Niedermayer

avformat/utils: Stream specifier enhancement

Currently when specifying the program id you can only decide to select
all streams of the specified program (e.g. p:103 will select all streams
of program 103) or narrow the selection to a specific stream sub index
(e.g. p:145:1 will select the 2nd stream of program 145). But you cannot
specify, for example, all audio streams of program 145 or the 3rd video
stream of program 311.
In some cases, mainly when working with multiprogram mpeg-ts containers as
input, this feature would be handy.
This patch makes it possible to narrow the stream selection among
streams of the specified program by stream type and optionally its
index. Handled types: a, v, s, d.
Examples: p:601:a will select all audio streams of program 601,
p:603:a:1 will select the 2nd audio stream of program 603,
p:604:v:0 will select the first video stream of program 604.

Signed-off-by: Bela Bodecs 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37d0213968a2b58499f52dfe09c8d7a27d4c5a86
---

 doc/fftools-common-opts.texi | 10 +--
 libavformat/utils.c  | 65 
 2 files changed, 67 insertions(+), 8 deletions(-)

diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi
index 7787e11cda..79feb39ca7 100644
--- a/doc/fftools-common-opts.texi
+++ b/doc/fftools-common-opts.texi
@@ -42,10 +42,14 @@ streams, 'V' only matches video streams which are not 
attached pictures, video
 thumbnails or cover arts.  If @var{stream_index} is given, then it matches
 stream number @var{stream_index} of this type. Otherwise, it matches all
 streams of this type.
-@item p:@var{program_id}[:@var{stream_index}]
-If @var{stream_index} is given, then it matches the stream with number 
@var{stream_index}
+@item p:@var{program_id}[:@var{stream_index}] or 
p:@var{program_id}[:@var{stream_type}[:@var{stream_index}]]
+In first version, if @var{stream_index} is given, then it matches the stream 
with number @var{stream_index}
 in the program with the id @var{program_id}. Otherwise, it matches all streams 
in the
-program.
+program. In the latter version, @var{stream_type} is one of following: 'v' for 
video, 'a' for audio, 's'
+for subtitle, 'd' for data. If @var{stream_index} is also given, then it 
matches
+stream number @var{stream_index} of this type in the program with the id 
@var{program_id}.
+Otherwise, if only @var{stream_type} is given, it matches all
+streams of this type in the program with the id @var{program_id}.
 @item #@var{stream_id} or i:@var{stream_id}
 Match the stream by stream id (e.g. PID in MPEG-TS container).
 @item m:@var{key}[:@var{value}]
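Review bot: the wording on L5159 and L5164 ("In first version", "In the latter version") reads better as "In the first form" and "In the second form". It is also worth stating whether the 'V' type (video that is not an attached picture, described just above on L5149) is deliberately unsupported in the program form, since the new text lists only 'v', 'a', 's' and 'd'.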
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 3e482a3bbc..cc35998336 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -5070,11 +5070,66 @@ FF_ENABLE_DEPRECATION_WARNINGS
 if (s->programs[i]->id != prog_id)
 continue;
 
-if (*endptr++ == ':') {
-int stream_idx = strtol(endptr, NULL, 0);
-return stream_idx >= 0 &&
-stream_idx < s->programs[i]->nb_stream_indexes &&
-st->index == s->programs[i]->stream_index[stream_idx];
+if (*endptr++ == ':') {  // p::
+if ( *endptr == 'a' || *endptr == 'v' ||
+ *endptr == 's' || *endptr == 'd') {  // 
p::[:]
+enum AVMediaType type;
+
+switch (*endptr++) {
+case 'v': type = AVMEDIA_TYPE_VIDEO;  break;
+case 'a': type = AVMEDIA_TYPE_AUDIO;  break;
+case 's': type = AVMEDIA_TYPE_SUBTITLE;   break;
+case 'd': type = AVMEDIA_TYPE_DATA;   break;
+default:  av_assert0(0);
+}
+if (*endptr++ == ':') {  // p:::
+int stream_idx = strtol(endptr, NULL, 0), type_counter 
= 0;
+for (j = 0; j < s->programs[i]->nb_stream_indexes; 
j++) {
+int stream_index = s->programs[i]->stream_index[j];
+if (st->index == s->programs[i]->stream_index[j]) {
+#if FF_API_LAVF_AVCTX
+FF_DISABLE_DEPRECATION_WARNINGS
+return type_counter == stream_idx &&
+   (type == st->codecpar->codec_type ||
+type == st->codec->codec_type);
+FF_ENABLE_DEPRECATION_WARNINGS
+#else
+return type_counter == stream_idx &&
+   type == st->codecpar->codec_type;
+#endif
+ }
+#if FF_API_LAVF_AVCTX
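Review bot: `strtol(endptr, NULL, 0)` on L5202 accepts trailing garbage and returns 0 for a non-numeric index, so `p:601:a:x` silently behaves like `p:601:a:0`; parse with an end pointer and reject the specifier when the whole string is not consumed (the pre-existing `p:<id>:<index>` path on L5184 has the same weakness). The local `stream_index` on L5206 is assigned but never used, since the comparison on L5207 re-reads `s->programs[i]->stream_index[j]`; use one or the other. The `default: av_assert0(0)` on L5199 is unreachable given the letter test on L5189, which is fine as a guard.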

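The matching rules described in the commit message above, as an added stand-alone example that is not FFmpeg code: it implements the `p:<program_id>[:<stream_type>[:<stream_index>]]` specifier against constructed program and stream tables, and, unlike a bare `strtol(s, NULL, 0)`, rejects an index with trailing garbage instead of treating it as 0. The `Stream`/`Program` types, the sample tables and the function names are this example's own assumptions.

```c
/* Added example, not FFmpeg code: matcher for the
 * p:<program_id>[:<stream_type>[:<stream_index>]] stream specifier.
 * Types, sample tables and function names are assumptions of this example. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum MediaType { MT_VIDEO, MT_AUDIO, MT_SUBTITLE, MT_DATA };
typedef struct { int index; enum MediaType type; } Stream;
typedef struct { int id; int nb_streams; const int *stream_index; } Program;

/* Parse a non-negative decimal number ending at '\0' or ':'.
 * Unlike strtol(s, NULL, 0), non-numeric input is an error, not 0. */
static bool parse_num(const char *s, const char **end_out, int *out)
{
    char *end; long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno || v < 0 || v > INT_MAX) return false;
    if (*end != '\0' && *end != ':') return false;
    if (end_out) *end_out = end;
    *out = (int)v;
    return true;
}

static bool type_from_char(char c, enum MediaType *t)
{
    switch (c) {
    case 'v': *t = MT_VIDEO;    return true;
    case 'a': *t = MT_AUDIO;    return true;
    case 's': *t = MT_SUBTITLE; return true;
    case 'd': *t = MT_DATA;     return true;
    default:  return false;
    }
}

/* 1 if `st` matches `spec`, 0 if it does not, -1 if `spec` is malformed. */
int match_program_spec(const char *spec, const Stream *streams, int nb_streams,
                       const Program *programs, int nb_programs, const Stream *st)
{
    const char *p; int prog_id, i, j;
    if (strncmp(spec, "p:", 2) != 0 || !parse_num(spec + 2, &p, &prog_id)) return -1;
    for (i = 0; i < nb_programs; i++) {
        const Program *prog = &programs[i];
        enum MediaType want; int want_idx = -1, counter = 0;
        if (prog->id != prog_id) continue;
        if (*p == '\0') {                    /* p:<id>: every stream of the program */
            for (j = 0; j < prog->nb_streams; j++)
                if (prog->stream_index[j] == st->index) return 1;
            return 0;
        }
        p++;                                 /* skip ':' */
        if (!(type_from_char(*p, &want) && (p[1] == '\0' || p[1] == ':'))) {
            const char *e; int idx;          /* p:<id>:<stream_index> */
            if (!parse_num(p, &e, &idx) || *e != '\0') return -1;
            return idx < prog->nb_streams && prog->stream_index[idx] == st->index;
        }
        p++;                                 /* consumed the type letter */
        if (*p == ':') {                     /* p:<id>:<type>:<index> */
            const char *e;
            if (!parse_num(p + 1, &e, &want_idx) || *e != '\0') return -1;
        }
        /* Typed form: the index counts only streams of `want`, in program order. */
        for (j = 0; j < prog->nb_streams; j++) {
            int si = prog->stream_index[j];
            if (si < 0 || si >= nb_streams || streams[si].type != want) continue;
            if (si == st->index) return want_idx < 0 || counter == want_idx;
            counter++;
        }
        return 0;
    }
    return 0;                                /* no such program */
}

/* Constructed sample: program 601 = {v0, a1, a2}, program 603 = {v3, a2}. */
static const Stream  kStreams[] = { {0, MT_VIDEO}, {1, MT_AUDIO}, {2, MT_AUDIO}, {3, MT_VIDEO} };
static const int     k601[] = {0, 1, 2}, k603[] = {3, 2};
static const Program kPrograms[] = { {601, 3, k601}, {603, 2, k603} };

/* Convenience wrapper over the sample tables: match `spec` against stream N. */
int example_match(const char *spec, int stream_index)
{
    return match_program_spec(spec, kStreams, 4, kPrograms, 2, &kStreams[stream_index]);
}

int main(void)
{
    const char *specs[] = { "p:601", "p:601:a", "p:601:a:1", "p:603:v:0", "p:601:1", "p:601:a:x" };
    for (size_t k = 0; k < sizeof(specs) / sizeof(specs[0]); k++)
        for (int s = 0; s < 4; s++)
            printf("%-10s stream %d -> %d\n", specs[k], s, example_match(specs[k], s));
    return 0;
}
```

The typed index is a per-type counter within the program's own stream order, which is why `p:601:a:1` resolves to stream 2 in the sample (the second audio stream of program 601), not to global stream index 1.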
[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Tue 
Apr 10 16:12:15 2018 +0200| [8d381b57fd9d17fb5c3a851ca46c738b3afc33a2] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Check input buffer size.

Fixes: Timeout
Fixes: 
6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d381b57fd9d17fb5c3a851ca46c738b3afc33a2
---

 libavcodec/mjpegdec.c | 4 
 libavcodec/mjpegdec.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index beef174618..22ca69f841 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -335,6 +335,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
 if (av_image_check_size(width, height, 0, s->avctx) < 0)
 return AVERROR_INVALIDDATA;
+if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 
4LL)
+return AVERROR_INVALIDDATA;
 
 nb_components = get_bits(>gb, 8);
 if (nb_components <= 0 ||
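Review bot: the bound on L5253 (`(width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL`) is a heuristic, rejecting a frame with more than four 8x8 blocks per input byte, and deserves a comment saying so and that it is a timeout guard rather than a correctness check, because a stream that really does encode that sparsely will now be refused as invalid data. The guard is skipped when `s->buf_size` is zero, so callers of ff_mjpeg_decode_sof that do not pass through ff_mjpeg_decode_frame keep the old behaviour; presumably intended, but worth stating.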
@@ -2247,6 +2249,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 int ret = 0;
 int is16bit;
 
+s->buf_size = buf_size;
+
 av_dict_free(>exif_metadata);
 av_freep(>stereo3d);
 s->adobe_transform = -1;
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index ff301bcb93..653fe7cae6 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -47,6 +47,7 @@ typedef struct MJpegDecodeContext {
 AVClass *class;
 AVCodecContext *avctx;
 GetBitContext gb;
+int buf_size;
 
 int start_code; /* current start code */
 int buffer_size;
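Review bot: the new `int buf_size` on L5277 sits three lines above the existing, unrelated `int buffer_size` on L5280; a comment on the new field (for instance `/* size of the packet being decoded, for plausibility checks */`) or a more distinct name such as `pkt_size` would avoid the two being confused.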



[FFmpeg-cvslog] avcodec/h264_slice: Fix integer overflow with last_poc

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sat 
Apr  7 00:34:25 2018 +0200| [8c02cd8ca097871dcd00cf8e08ce51660873f405] | 
committer: Michael Niedermayer

avcodec/h264_slice: Fix integer overflow with last_poc

Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in 
type 'int'
Fixes: crbug 823145

Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8c02cd8ca097871dcd00cf8e08ce51660873f405
---

 libavcodec/h264_slice.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 90e05ed8f1..d71ddbe9ba 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1316,7 +1316,7 @@ static int h264_select_output_frame(H264Context *h)
 }
 out_of_order = MAX_DELAYED_PIC_COUNT - i;
 if(   cur->f->pict_type == AV_PICTURE_TYPE_B
-   || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && 
h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 
2))
+   || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && 
h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - 
(int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2))
 out_of_order = FFMAX(out_of_order, 1);
 if (out_of_order == MAX_DELAYED_PIC_COUNT) {
 av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, 
h->last_pocs[0]);
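Review bot: casting only the second operand to `int64_t` on L5323 is sufficient, since the usual arithmetic conversions widen the first operand as well, but a short comment that POC values can sit next to INT_MAX/INT_MIN (the reported case is `2147483646 - -2816`) would explain why the cast is there. The `> INT_MIN` sentinel check on L5321 is unaffected by the change.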



[FFmpeg-cvslog] fate: to test program sub stream selection by its type in mpegts

2018-04-12 Thread Bela Bodecs
ffmpeg | branch: master | Bela Bodecs  | Wed Apr 11 
22:33:02 2018 +0200| [a06175d7392326201a131fc09b3ea52617f310df] | committer: 
Michael Niedermayer

fate: to test program sub stream selection by its type in mpegts

Signed-off-by: Bela Bodecs 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a06175d7392326201a131fc09b3ea52617f310df
---

 tests/fate/mpegts.mak   | 6 ++
 tests/ref/fate/mpegts-probe-program | 8 
 2 files changed, 14 insertions(+)

diff --git a/tests/fate/mpegts.mak b/tests/fate/mpegts.mak
index bb0d9d98a7..2b128492e0 100644
--- a/tests/fate/mpegts.mak
+++ b/tests/fate/mpegts.mak
@@ -9,6 +9,12 @@ FATE_MPEGTS_PROBE-$(call DEMDEC, MPEGTS, HEVC, AAC_LATM) += 
fate-mpegts-probe-la
 fate-mpegts-probe-latm: SRC = $(TARGET_SAMPLES)/mpegts/loewe.ts
 fate-mpegts-probe-latm: CMD = run $(PROBE_CODEC_NAME_COMMAND) -i "$(SRC)"
 
+
+FATE_MPEGTS_PROBE-$(call DEMDEC, MPEGTS, HEVC, AAC_LATM) += 
fate-mpegts-probe-program
+fate-mpegts-probe-program: SRC = $(TARGET_SAMPLES)/mpegts/loewe.ts
+fate-mpegts-probe-program: CMD = run $(PROBE_CODEC_NAME_COMMAND) 
-select_streams p:769:v:0 -i "$(SRC)"
+
+
 FATE_SAMPLES_FFPROBE += $(FATE_MPEGTS_PROBE-yes)
 
 fate-mpegts: $(FATE_MPEGTS_PROBE-yes)
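Review bot: the dependency on L5364 (`$(call DEMDEC, MPEGTS, HEVC, AAC_LATM)`) is copied from the latm test above it, but with `-select_streams p:769:v:0` only the HEVC stream is probed, so the AAC_LATM condition appears unnecessary and `$(call DEMDEC, MPEGTS, HEVC)` would be the tighter gate. The double blank lines on L5363 and L5369/L5370 are also out of step with the rest of the file.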
diff --git a/tests/ref/fate/mpegts-probe-program 
b/tests/ref/fate/mpegts-probe-program
new file mode 100644
index 00..bb1012c8c7
--- /dev/null
+++ b/tests/ref/fate/mpegts-probe-program
@@ -0,0 +1,8 @@
+[PROGRAM]
+[STREAM]
+codec_name=hevc
+[/STREAM]
+[/PROGRAM]
+[STREAM]
+codec_name=hevc
+[/STREAM]



[FFmpeg-cvslog] avformat/mov: Fix extradata memleak

2018-04-12 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Fri 
Apr  6 23:56:57 2018 +0200| [0a8133119ca5d087c7c7140d100406ff84c477ee] | 
committer: Michael Niedermayer

avformat/mov: Fix extradata memleak

Fixes: crbug 822705

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a8133119ca5d087c7c7140d100406ff84c477ee
---

 libavformat/mov.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 97b1462aab..1340bf3913 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2592,6 +2592,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 return mov_finalize_stsd_codec(c, pb, st, sc);
 fail:
+if (sc->extradata) {
+int j;
+for (j = 0; j < sc->stsd_count; j++)
+av_freep(>extradata[j]);
+}
+
 av_freep(>extradata);
 av_freep(>extradata_size);
 return ret;
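Review bot: the loop on L5428 frees `sc->extradata[j]` for every one of `sc->stsd_count` entries, which is only safe if the `sc->extradata` array was zero-allocated so that entries past the point of failure are NULL; that allocation is outside this hunk, so please confirm it uses av_mallocz (or equivalent) rather than av_malloc.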



[FFmpeg-cvslog] doc/filters: fix lenscorrection k1 & k2 typo

2018-04-12 Thread Lou Logan
ffmpeg | branch: master | Lou Logan  | Thu Apr 12 12:44:49 2018 
-0800| [4d544f608608f69e68136b8333d3649866e2a7ed] | committer: Lou Logan

doc/filters: fix lenscorrection k1 & k2 typo

0 means no correction, not 0.5.

Also document ranges and defaults for options.

Signed-off-by: Lou Logan 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d544f608608f69e68136b8333d3649866e2a7ed
---

 doc/filters.texi | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/filters.texi b/doc/filters.texi
index b78e05a329..09b07d2a4a 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -10373,15 +10373,17 @@ The filter accepts the following options:
 @item cx
 Relative x-coordinate of the focal point of the image, and thereby the center 
of the
 distortion. This value has a range [0,1] and is expressed as fractions of the 
image
-width.
+width. Default is 0.5.
 @item cy
 Relative y-coordinate of the focal point of the image, and thereby the center 
of the
 distortion. This value has a range [0,1] and is expressed as fractions of the 
image
-height.
+height. Default is 0.5.
 @item k1
-Coefficient of the quadratic correction term. 0.5 means no correction.
+Coefficient of the quadratic correction term. This value has a range [-1,1]. 0 
means
+no correction. Default is 0.
 @item k2
-Coefficient of the double quadratic correction term. 0.5 means no correction.
+Coefficient of the double quadratic correction term. This value has a range 
[-1,1].
+0 means no correction. Default is 0.
 @end table
 
 The formula that generates the correction is:
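Review bot: the ranges and defaults added for cx, cy, k1 and k2 on L5473 to L5490 need to match the AVOption table in the lenscorrection filter source, which this patch does not touch; given that the previous text had the wrong no-correction value, it is worth double-checking the [-1,1] range and the 0 default for k1/k2 against that table before merging.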



[FFmpeg-cvslog] lavf/hls: use ff_get_chomp_line

2018-04-12 Thread Jun Zhao
ffmpeg | branch: master | Jun Zhao  | Mon Apr  9 23:11:02 
2018 +0800| [0e49118271ce0a3e8911200824032508b5a7de16] | committer: Jun Zhao

lavf/hls: use ff_get_chomp_line

Signed-off-by: Jun Zhao 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e49118271ce0a3e8911200824032508b5a7de16
---

 libavformat/hls.c | 12 ++--
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index ae0545a086..1257cd101c 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -216,14 +216,6 @@ typedef struct HLSContext {
 AVIOContext *playlist_pb;
 } HLSContext;
 
-static int read_chomp_line(AVIOContext *s, char *buf, int maxlen)
-{
-int len = ff_get_line(s, buf, maxlen);
-while (len > 0 && av_isspace(buf[len - 1]))
-buf[--len] = '\0';
-return len;
-}
-
 static void free_segment_list(struct playlist *pls)
 {
 int i;
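Review bot: the removed local helper on L5525 is replaced by the shared ff_get_chomp_line, but the hunk does not show the header that declares it (libavformat/internal.h); confirm it is already included, which it should be since ff_get_line was used here before.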
@@ -770,7 +762,7 @@ static int parse_playlist(HLSContext *c, const char *url,
 if (av_opt_get(in, "location", AV_OPT_SEARCH_CHILDREN, _url) >= 0)
 url = new_url;
 
-read_chomp_line(in, line, sizeof(line));
+ff_get_chomp_line(in, line, sizeof(line));
 if (strcmp(line, "#EXTM3U")) {
 ret = AVERROR_INVALIDDATA;
 goto fail;
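Review bot: the return value of `ff_get_chomp_line` on L5541 is discarded, so an empty or unreadable playlist only fails because ff_get_line NUL-terminates the buffer and `strcmp(line, "#EXTM3U")` then mismatches; an explicit `if (ff_get_chomp_line(in, line, sizeof(line)) <= 0)` leading to `ret = AVERROR_INVALIDDATA; goto fail;` would make that intent visible.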
@@ -782,7 +774,7 @@ static int parse_playlist(HLSContext *c, const char *url,
 pls->type = PLS_TYPE_UNSPECIFIED;
 }
 while (!avio_feof(in)) {
-read_chomp_line(in, line, sizeof(line));
+ff_get_chomp_line(in, line, sizeof(line));
 if (av_strstart(line, "#EXT-X-STREAM-INF:", )) {
 is_variant = 1;
 memset(_info, 0, sizeof(variant_info));


