[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in add_wav()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Oct 10 04:25:50 2018 +0200| [a3ef90a73cd9a2d09f8529b9672d05a1cf3ea825] | 
committer: Michael Niedermayer

avcodec/ra144: Fix integer overflow in add_wav()

Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in 
type 'int'
Fixes: 
10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3ef90a73cd9a2d09f8529b9672d05a1cf3ea825
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 573703d70b..65a744876c 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
+dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Oct 20 22:35:37 2018 +0200| [1bcc79db44ed0089c6dd7b2ce3ed99234bfa73db] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

Fixes: assertion failure
Fixes: 
10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1bcc79db44ed0089c6dd7b2ce3ed99234bfa73db
---

 libavcodec/jpeg2000dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 5cba177513..3edcb81094 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1130,7 +1130,7 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 step_x = 32;
 step_y = 32;
 
-if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
 continue;
 
 for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, 
REpoc); reslevelno++) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Oct 24 01:44:12 2018 +0200| [0e853b61e65c81f31da5707d40559815bfa39767] | 
committer: Michael Niedermayer

avutil/integer: Fix integer overflow in av_mul_i()

Found-by: fate
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e853b61e65c81f31da5707d40559815bfa39767
---

 libavutil/integer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 6d6855fa1b..ba4aa778c9 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){
 
 if(a.v[i])
 for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i];
+carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i];
 out.v[j]= carry;
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/gdv: Replace divisions by shifts in rescale()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug  5 16:13:24 2018 +0200| [848726afc642fbe8aea7773594506bfb495bd8ab] | 
committer: Michael Niedermayer

avcodec/gdv: Replace divisions by shifts in rescale()

Divisions tend to be slower than shifts unless the compiler optimizes them out.
And some of these are in inner loops.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit b90d8cc7466386a166dd72107457498aa5a7c43d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=848726afc642fbe8aea7773594506bfb495bd8ab
---

 libavcodec/gdv.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/gdv.c b/libavcodec/gdv.c
index dc91869edf..d4d24931c9 100644
--- a/libavcodec/gdv.c
+++ b/libavcodec/gdv.c
@@ -85,14 +85,14 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, 
int h, int scale_v, in
 int y = h - j - 1;
 for (i = 0; i < w; i++) {
 int x = w - i - 1;
-dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x/2 + 
(y/2) * (w/2)];
+dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + (x>>1) + 
(y>>1) * (w>>1)];
 }
 }
 } else if (gdv->scale_h) {
 for (j = 0; j < h; j++) {
 int y = h - j - 1;
 for (x = 0; x < w; x++) {
-dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + (y/2) 
* w];
+dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + 
(y>>1) * w];
 }
 }
 } else if (gdv->scale_v) {
@@ -100,26 +100,26 @@ static void rescale(GDVContext *gdv, uint8_t *dst, int w, 
int h, int scale_v, in
 int y = h - j - 1;
 for (i = 0; i < w; i++) {
 int x = w - i - 1;
-dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x/2 + y * 
(w/2)];
+dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + (x>>1) + 
y * (w>>1)];
 }
 }
 }
 
 if (scale_h && scale_v) {
-for (y = 0; y < h/2; y++) {
-for (x = 0; x < w/2; x++) {
-dst[PREAMBLE_SIZE + x + y * (w/2)] = dst[PREAMBLE_SIZE + x*2 + 
y*2 * w];
+for (y = 0; y < (h>>1); y++) {
+for (x = 0; x < (w>>1); x++) {
+dst[PREAMBLE_SIZE + x + y * (w>>1)] = dst[PREAMBLE_SIZE + x*2 
+ y*2 * w];
 }
 }
 } else if (scale_h) {
-for (y = 0; y < h/2; y++) {
+for (y = 0; y < (h>>1); y++) {
 for (x = 0; x < w; x++) {
 dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x + y*2 * 
w];
 }
 }
 } else if (scale_v) {
 for (y = 0; y < h; y++) {
-for (x = 0; x < w/2; x++) {
+for (x = 0; x < (w>>1); x++) {
 dst[PREAMBLE_SIZE + x + y * w] = dst[PREAMBLE_SIZE + x*2 + y * 
w];
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/utils: Fix integer overflow in discontinuity check

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Oct 12 03:00:32 2018 +0200| [e9975d1b511812984f208128711a6aa68eddf82a] | 
committer: Michael Niedermayer

avformat/utils: Fix integer overflow in discontinuity check

Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 
cannot be represented in type 'long'
Fixes: find_stream_info_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9975d1b511812984f208128711a6aa68eddf82a
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 75adea10e3..db79577548 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3748,7 +3748,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
  * sequence, we treat it as a discontinuity. */
 if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
 st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
-(pkt->dts - st->info->fps_last_dts) / 1000 >
+(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 >
 (st->info->fps_last_dts - 
(uint64_t)st->info->fps_first_dts) /
 (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
 av_log(ic, AV_LOG_WARNING,

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/utils: Never store negative values in last_IP_duration

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Oct 12 20:55:25 2018 +0200| [d17d08035cd4e8cc6782ad251d39b6c61913518e] | 
committer: Michael Niedermayer

avformat/utils: Never store negative values in last_IP_duration

Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d17d08035cd4e8cc6782ad251d39b6c61913518e
---

 libavformat/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index db79577548..27071e10b4 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1314,7 +1314,7 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 
 /* This is tricky: the dts must be incremented by the duration
  * of the frame we are displaying, i.e. the last I- or P-frame. */
-if (st->last_IP_duration == 0)
+if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= 
INT32_MAX)
 st->last_IP_duration = pkt->duration;
 if (pkt->dts != AV_NOPTS_VALUE)
 st->cur_dts = pkt->dts + st->last_IP_duration;
@@ -1326,7 +1326,8 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 next_pts != AV_NOPTS_VALUE)
 pkt->pts = next_dts;
 
-st->last_IP_duration = pkt->duration;
+if ((uint64_t)pkt->duration <= INT32_MAX)
+st->last_IP_duration = pkt->duration;
 st->last_IP_pts  = pkt->pts;
 /* Cannot compute PTS if not present (we can compute it only
  * by knowing the future. */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Oct 21 14:40:14 2018 +0200| [707ec3cfc00b227dcc2189cfdd51807f3cd45a92] | 
committer: Michael Niedermayer

avcodec/msrle: Check that the input is large enough to contain a end of picture 
code

Fixes: Timeout
Fixes: 
10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=707ec3cfc00b227dcc2189cfdd51807f3cd45a92
---

 libavcodec/msrle.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
index adb55b1302..1ab8a41985 100644
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
 s->buf = buf;
 s->size = buf_size;
 
+if (buf_size < 2) //Minimally a end of picture code should be there
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix typo in sprite delta check

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Oct 18 01:19:36 2018 +0200| [6763ff890e41fb6669ce2cbc1ec1108d12641318] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix typo in sprite delta check

Fixes: Integer overflow
Fixes: 
10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6763ff890e41fb6669ce2cbc1ec1108d12641318
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 91a0d726f9..d241c58e8a 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext 
*ctx, GetBitContext *g
 llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= 
INT_MAX ||
 llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + 
sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
 llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
-llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
+llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
 llabs(sd[0]) >= INT_MAX ||
 llabs(sd[1]) >= INT_MAX ||
 llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/unary: Improve get_unary() docs

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Sep 22 15:18:17 2018 +0200| [0cbd4fb9955e1cb3ff2427b1a7dbf1b0da4d57d8] | 
committer: Michael Niedermayer

avcodec/unary: Improve get_unary() docs

Found-by: kierank
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0cbd4fb9955e1cb3ff2427b1a7dbf1b0da4d57d8
---

 libavcodec/unary.h | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/libavcodec/unary.h b/libavcodec/unary.h
index 908dc93507..d57f9f70c5 100644
--- a/libavcodec/unary.h
+++ b/libavcodec/unary.h
@@ -28,7 +28,20 @@
  * @param gb GetBitContext
  * @param[in] stop The bitstop value (unary code of 1's or 0's)
  * @param[in] len Maximum length
- * @return Unary length/index
+ * @return unary 0 based code index. This is also the length in bits of the
+ * code excluding the stop bit.
+ * (in case len=1)
+ * 10
+ * 01
+ * (in case len=2)
+ * 10
+ * 01   1
+ * 00   2
+ * (in case len=3)
+ * 10
+ * 01   1
+ * 001  2
+ * 000  3
  */
 static inline int get_unary(GetBitContext *gb, int stop, int len)
 {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_cavlc: Check mb_skip_run

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Oct  4 03:13:41 2018 +0200| [ced37ef52c24d35ac61bf885a753799d2dee464e] | 
committer: Michael Niedermayer

avcodec/h264_cavlc: Check mb_skip_run

Fixes: 
10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ced37ef52c24d35ac61bf885a753799d2dee464e
---

 libavcodec/h264_cavlc.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 5e6a20304a..d82144e3c3 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, 
H264SliceContext *sl)
 cbp = 0; /* avoid warning. FIXME: find a solution without slowing
 down the code */
 if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-if (sl->mb_skip_run == -1)
-sl->mb_skip_run = get_ue_golomb_long(>gb);
+if (sl->mb_skip_run == -1) {
+unsigned mb_skip_run = get_ue_golomb_long(>gb);
+if (mb_skip_run > h->mb_num) {
+av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", 
mb_skip_run);
+return AVERROR_INVALIDDATA;
+}
+sl->mb_skip_run = mb_skip_run;
+}
 
 if (sl->mb_skip_run--) {
 if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER

[Michael Bunk]

ffmpeg | branch: release/3.4 | Michael Bunk  | Thu Aug 
30 08:56:19 2018 +0200| [462edf5b94354fac265f5c76eff7c733f8ee5b3e] | committer: 
Michael Niedermayer

examples: Fix use of AV_CODEC_FLAG_GLOBAL_HEADER

AV_CODEC_FLAG_GLOBAL_HEADER should be set before calling avcodec_open2() to 
have any effect.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a82e4fb8c6f26e75506df6818fee1b61f940cbeb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=462edf5b94354fac265f5c76eff7c733f8ee5b3e
---

 doc/examples/transcoding.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/examples/transcoding.c b/doc/examples/transcoding.c
index fb15a2148d..6e5124e6d3 100644
--- a/doc/examples/transcoding.c
+++ b/doc/examples/transcoding.c
@@ -173,6 +173,9 @@ static int open_output_file(const char *filename)
 enc_ctx->time_base = (AVRational){1, enc_ctx->sample_rate};
 }
 
+if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER)
+enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER;
+
 /* Third parameter can be used to pass settings to encoder */
 ret = avcodec_open2(enc_ctx, encoder, NULL);
 if (ret < 0) {
@@ -184,8 +187,6 @@ static int open_output_file(const char *filename)
 av_log(NULL, AV_LOG_ERROR, "Failed to copy encoder parameters 
to output stream #%u\n", i);
 return ret;
 }
-if (ofmt_ctx->oformat->flags & AVFMT_GLOBALHEADER)
-enc_ctx->flags |= AV_CODEC_FLAG_GLOBAL_HEADER;
 
 out_stream->time_base = enc_ctx->time_base;
 stream_ctx[i].enc_ctx = enc_ctx;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/zmbv: Check that the decompressed data size is correct

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Sep 18 00:28:37 2018 +0200| [127ec77e8cc5563c21966ed0dc61be00ee167e71] | 
committer: Michael Niedermayer

avcodec/zmbv: Check that the decompressed data size is correct

This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.

Fixes: Timeout
Fixes: 
10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=127ec77e8cc5563c21966ed0dc61be00ee167e71
---

 libavcodec/zmbv.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 1ec656be36..b994e96e95 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 int zret = Z_OK; // Zlib return code
 int len = buf_size;
 int hi_ver, lo_ver, ret;
+int expected_size;
 
 /* parse header */
 if (len < 1)
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8));
 c->decode_intra= decode_intra;
 }
+if (c->flags & ZMBV_KEYFRAME) {
+expected_size = avctx->width * avctx->height * (c->bpp / 8);
+} else {
+expected_size = (c->bx * c->by * 2 + 3) & ~3;
+}
+if (avctx->pix_fmt == AV_PIX_FMT_PAL8 &&
+(c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME)))
+expected_size += 768;
 
 if (!c->decode_intra) {
 av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n");
@@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 }
 c->decomp_len = c->zstream.total_out;
 }
+if (expected_size > c->decomp_len ||
+(c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) {
+av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, 
expected %d\n", c->decomp_len, expected_size);
+return AVERROR_INVALIDDATA;
+}
 if (c->flags & ZMBV_KEYFRAME) {
 frame->key_frame = 1;
 frame->pict_type = AV_PICTURE_TYPE_I;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow with motion vector residual

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Aug 20 20:15:19 2018 +0200| [812f7fae356af4ef679fe4fde09cce56b92726e2] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow with motion vector residual

Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in 
type 'int'
Fixes: 
9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=812f7fae356af4ef679fe4fde09cce56b92726e2
---

 libavcodec/snowdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 0146a2a4c9..59bd24e881 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int 
x, int y){
 return AVERROR_INVALIDDATA;
 }
 pred_mv(s, , , ref, left, top, tr);
-mx+= get_symbol(>c, >block_state[128 + 32*(mx_context + 
16*!!ref)], 1);
-my+= get_symbol(>c, >block_state[128 + 32*(my_context + 
16*!!ref)], 1);
+mx+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(mx_context + 16*!!ref)], 1);
+my+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(my_context + 16*!!ref)], 1);
 }
 set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type);
 }else{

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Sep 13 04:24:49 2018 +0200| [1a106752f37cf9119615e0db908d13b714f565d2] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

Speed improvment 35.5 sec -> 34.7sec

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a106752f37cf9119615e0db908d13b714f565d2
---

 libavcodec/dvdsubdec.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index e18113c20c..a5107096df 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
 int len;
 int has_run = get_bits1(gb);
-if (get_bits1(gb))
-*color = get_bits(gb, 8);
-else
-*color = get_bits(gb, 2);
+*color = get_bits(gb, 2 + 6*get_bits1(gb));
 if (has_run) {
 if (get_bits1(gb)) {
 len = get_bits(gb, 7);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Error on too large stsd entry counts.

[Dale Curtis]

ffmpeg | branch: release/3.4 | Dale Curtis  | Thu Aug 
30 15:18:25 2018 -0700| [eab5f6e419ec8b195d0247d5a4acce9cfc9e0f7a] | committer: 
Michael Niedermayer

avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().

Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eab5f6e419ec8b195d0247d5a4acce9cfc9e0f7a
---

 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 7f5f93e648..2328b8f445 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2365,7 +2365,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb24(pb); /* flags */
 entries = avio_rb32(pb);
 
-if (entries <= 0) {
+/* Each entry contains a size (4 bytes) and format (4 bytes). */
+if (entries <= 0 || entries > atom.size / 8) {
 av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
 return AVERROR_INVALIDDATA;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dvdsubdec: Sanity check len in decode_rle()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Sep 13 03:33:50 2018 +0200| [50aa132f4d34465e291eb7acb5c884e4d8aa7232] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Sanity check len in decode_rle()

Fixes: Timeout
Fixes: 
9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50aa132f4d34465e291eb7acb5c884e4d8aa7232
---

 libavcodec/dvdsubdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index a5107096df..cf10844753 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 len = decode_run_8bit(, );
 else
 len = decode_run_2bit(, );
+if (len != INT_MAX && len > w - x)
+return AVERROR_INVALIDDATA;
 len = FFMIN(len, w - x);
 memset(d + x, color, len);
 x += len;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Aug 20 22:53:32 2018 +0200| [b61b38766ee9ebf31f69bea834fa23bb63dcb8b8] | 
committer: Michael Niedermayer

avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

Fixes: Timeout
Fixes: 
9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b61b38766ee9ebf31f69bea834fa23bb63dcb8b8
---

 libavcodec/hq_hqa.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index f88ad7d5f5..ec9da3e04f 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int 
qgroup,
 int flag = 0;
 int i, ret, cbp;
 
+if (get_bits_left(gb) < 1)
+return AVERROR_INVALIDDATA;
+
 cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);
 
 for (i = 0; i < 12; i++)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/indeo4: Check dimensions in decode_pic_hdr()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug 26 01:58:32 2018 +0200| [073a65aefc2e17969d4508760fdda9e769e596c9] | 
committer: Michael Niedermayer

avcodec/indeo4: Check dimensions in decode_pic_hdr()

Fixes: Timeout
Fixes: 
9654/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-6289863463665664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7592e88bfe3d5bf9109a55acd025af9110618405)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=073a65aefc2e17969d4508760fdda9e769e596c9
---

 libavcodec/indeo4.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 15ad6f8afc..4bfc6cdd74 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -30,6 +30,7 @@
 #define BITSTREAM_READER_LE
 #include "avcodec.h"
 #include "get_bits.h"
+#include "libavutil/imgutils.h"
 #include "indeo4data.h"
 #include "internal.h"
 #include "ivi.h"
@@ -178,6 +179,13 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
 pic_conf.chroma_bands = 0;
 if (pic_conf.luma_bands)
 pic_conf.chroma_bands = decode_plane_subdivision(>gb);
+
+if (av_image_check_size2(pic_conf.pic_width, pic_conf.pic_height, 
avctx->max_pixels, AV_PIX_FMT_YUV410P, 0, avctx) < 0) {
+av_log(avctx, AV_LOG_ERROR, "picture dimensions %d %d cannot be 
decoded\n",
+   pic_conf.pic_width, pic_conf.pic_height);
+return AVERROR_INVALIDDATA;
+}
+
 ctx->is_scalable = pic_conf.luma_bands != 1 || pic_conf.chroma_bands != 1;
 if (ctx->is_scalable && (pic_conf.luma_bands != 4 || pic_conf.chroma_bands 
!= 1)) {
 av_log(avctx, AV_LOG_ERROR, "Scalability: unsupported subdivision! 
Luma bands: %d, chroma bands: %d\n",

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Fix bitstream end check in read_header()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Sep 15 02:08:20 2018 +0200| [98709a12448283bff56a03f436c735d2f58e7b3e] | 
committer: Michael Niedermayer

avcodec/shorten: Fix bitstream end check in read_header()

Fixes: Timeout
Fixes: 
9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98709a12448283bff56a03f436c735d2f58e7b3e
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 1ffb7d8d79..4b45e6d6dc 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -456,7 +456,7 @@ static int read_header(ShortenContext *s)
 }
 
 skip_bytes = get_uint(s, NSKIPSIZE);
-if ((unsigned)skip_bytes > get_bits_left(>gb)/8) {
+if ((unsigned)skip_bytes > FFMAX(get_bits_left(>gb), 0)/8) {
 av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", 
skip_bytes);
 return AVERROR_INVALIDDATA;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Fri Aug 17 02:06:27 2018 +0200| [ab5d930762389f4200fb600c84580e6b79b2c153] | 
committer: Michael Niedermayer

avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ab5d930762389f4200fb600c84580e6b79b2c153
---

 libavcodec/h264_refs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index af70829594..2cdb67f978 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -806,6 +806,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h)
 }
 }
 
+// Detect unmarked random access points
 if (   err >= 0
 && h->long_ref_count==0
 && (   h->short_ref_count<=2

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/ra144: Fix undefined integer overflow in add_wav()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug 26 02:26:24 2018 +0200| [ee8b4c16d792482b0bec75dbe4d1fdb01f236985] | 
committer: Michael Niedermayer

avcodec/ra144: Fix undefined integer overflow in add_wav()

Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 
'int'
Fixes: 
9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee8b4c16d792482b0bec75dbe4d1fdb01f236985
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index cf8127c236..573703d70b 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/zmbv: Update decomp_len in raw frames

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Sep 17 21:33:59 2018 +0200| [80af29f32e54ae1d7d5f69d966d86ebda56517f0] | 
committer: Michael Niedermayer

avcodec/zmbv: Update decomp_len in raw frames

decomp_len is used in raw frames, so it should not be left at the value from
whatever was decoded previously (which may be any other frame)

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80af29f32e54ae1d7d5f69d966d86ebda56517f0
---

 libavcodec/zmbv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index f91d2e3931..1ec656be36 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 return AVERROR_INVALIDDATA;
 }
 memcpy(c->decomp_buf, buf, len);
+c->decomp_len = len;
 } else { // ZLIB-compressed data
 c->zstream.total_in = c->zstream.total_out = 0;
 c->zstream.next_in = (uint8_t*)buf;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix undefined shift in get_amv()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Sep 15 00:20:38 2018 +0200| [f80da843b219d978d8c102a5ade94e032a09f9a2] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix undefined shift in get_amv()

Fixes: runtime error: shift exponent -1 is negative
Fixes: 
9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f80da843b219d978d8c102a5ade94e032a09f9a2
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 319a3809ea..91a0d726f9 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -539,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
 len >>= s->quarter_sample;
 
 if (s->real_sprite_warping_points == 1) {
-if (ctx->divx_version == 500 && ctx->divx_build == 413)
+if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= 
s->quarter_sample)
 sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
 else
 sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow in residual/LPC combination

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug 12 22:55:59 2018 +0200| [ec573bd2eb085b40e65dd8e1cf3c488631f62ccb] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow in residual/LPC combination

Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented 
in type 'int'
Fixes: 
9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec573bd2eb085b40e65dd8e1cf3c488631f62ccb
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 9094d3fc55..054494f8ce 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -391,7 +391,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 for (j = 0; j < pred_order; j++)
 sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
- (sum >> qshift);
+ (unsigned)(sum >> qshift);
 }
 
 /* add offset to current samples */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug 12 23:06:55 2018 +0200| [e3cc5e81ab00f8b7a8ca230cd4cdba28443a39ef] | 
committer: Michael Niedermayer

avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()

Fixes: runtime error: left shift of 1 by 31 places cannot be represented in 
type 'int'
Fixes: 
9480/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6647324284551168
 -rss_limit_mb=2000

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9b604e96a51a1fca92bbabfe4f7ac53f0470ee41)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e3cc5e81ab00f8b7a8ca230cd4cdba28443a39ef
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 054494f8ce..1ffb7d8d79 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -715,7 +715,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void 
*data,
 if (s->version < 2)
 s->offset[channel][s->nmean - 1] = sum / s->blocksize;
 else
-s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : 
(sum / s->blocksize) * (1 << s->bitshift);
+s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : 
(sum / s->blocksize) * (1LL << s->bitshift);
 }
 
 /* copy wrap samples for use with next block */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Aug 16 15:36:28 2018 +0200| [ff5196a98afbcfe0661d937a66ced6cf0844db3b] | 
committer: Michael Niedermayer

avformat/mlvdec: read_string() received unsigned size, make the argument 
unsigned

Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04

Found-by: Paul Ch 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff5196a98afbcfe0661d937a66ced6cf0844db3b
---

 libavformat/mlvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 319cd26de4..6d774a191d 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 return 0;
 }
 
-static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, int size)
+static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, unsigned size)
 {
 char * value = av_malloc(size + 1);
 if (!value) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mpegaudio_parser: Initialize poutbuf*

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug  5 14:51:36 2018 +0200| [4df3a367df8e35cdc415364fd11e26dd92cee18c] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Initialize poutbuf*

Possibly fixes: null pointer dereference
Possibly fixes: 
9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 
9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4df3a367df8e35cdc415364fd11e26dd92cee18c
---

 libavcodec/mpegaudio_parser.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index 8c39825792..a072851ecf 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx,
 "MP3ADU full parser");
+*poutbuf = NULL;
+*poutbuf_size = 0;
 return 0; /* parsers must not return error codes */
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Check verbatim length

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Aug 12 22:43:33 2018 +0200| [7f480bedd069df9b4b9f9646ac8c649024a76e1b] | 
committer: Michael Niedermayer

avcodec/shorten: Check verbatim length

Fixes: Timeout
Fixes: 
9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f480bedd069df9b4b9f9646ac8c649024a76e1b
---

 libavcodec/shorten.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 0f491090fd..9094d3fc55 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -623,6 +623,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, 
void *data,
 switch (cmd) {
 case FN_VERBATIM:
 len = get_ur_golomb_shorten(>gb, VERBATIM_CKSIZE_SIZE);
+if (len < 0 || len > get_bits_left(>gb)) {
+av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n",
+   len);
+return AVERROR_INVALIDDATA;
+}
 while (len--)
 get_ur_golomb_shorten(>gb, VERBATIM_BYTE_SIZE);
 break;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/vb: Check for end of bytestream before reading blocktype

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Mon Aug 20 22:19:23 2018 +0200| [88afcff2f5530ec08f2e559987d73945da640aea] | 
committer: Michael Niedermayer

avcodec/vb: Check for end of bytestream before reading blocktype

Fixes: Timeout
Fixes: 
9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=88afcff2f5530ec08f2e559987d73945da640aea
---

 libavcodec/vb.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 021657f7d8..c6dd6fb456 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2   = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+if (bytestream2_get_bytes_left() < 1) {
+av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+return AVERROR_INVALIDDATA;
+}
 blocktypes = bytestream2_get_byte();
 }
 switch (blocktypes & 0xC0) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/scpr: Check for min > max in decompress_p()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Aug  4 23:45:52 2018 +0200| [007da8396fedde3a3fb8c99cb7c7aaa46cdec1c9] | 
committer: Michael Niedermayer

avcodec/scpr: Check for min > max in decompress_p()

Fixes: Timeout
Fixes: 
9342/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-4795990841229312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3378194ce8e9a126a7cc6ed57bedde1221790469)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=007da8396fedde3a3fb8c99cb7c7aaa46cdec1c9
---

 libavcodec/scpr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c
index ad6073dbf0..66b4157576 100644
--- a/libavcodec/scpr.c
+++ b/libavcodec/scpr.c
@@ -522,6 +522,9 @@ static int decompress_p(AVCodecContext *avctx,
 return ret;
 
 max += temp << 8;
+if (min > max)
+return AVERROR_INVALIDDATA;
+
 memset(s->blocks, 0, sizeof(*s->blocks) * s->nbcount);
 
 while (min <= max) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Aug 16 15:36:29 2018 +0200| [17c03479779111d966ff284c50fd09e008971653] | 
committer: Michael Niedermayer

avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()

Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6

Found-by: Paul Ch 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=17c03479779111d966ff284c50fd09e008971653
---

 libavformat/rmdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 3eb49a5d29..f3fa550c63 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1270,6 +1270,8 @@ static int ivr_read_header(AVFormatContext *s)
 if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) {
 ret = rm_read_multi(s, pb, st, NULL);
 } else {
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 avio_seek(pb, -4, SEEK_CUR);
 ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, 
len, NULL);
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/nsvdec: Do not parse multiple NSVf

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Thu Aug 16 12:23:20 2018 +0200| [0ef49c0818f29150d74d01c264ac792acd5598dc] | 
committer: Michael Niedermayer

avformat/nsvdec: Do not parse multiple NSVf

The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch 
Tested-by: Paul Ch 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0ef49c0818f29150d74d01c264ac792acd5598dc
---

 libavformat/nsvdec.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index d8ce656817..92f7d178f6 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -176,6 +176,7 @@ typedef struct NSVContext {
 int16_t avsync;
 AVRational framerate;
 uint32_t *nsvs_timestamps;
+int nsvf;
 } NSVContext;
 
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -266,6 +267,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 
 nsv->state = NSV_UNSYNC; /* in case we fail */
 
+if (nsv->nsvf) {
+av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+return 0;
+}
+nsv->nsvf = 1;
+
 size = avio_rl32(pb);
 if (size < 28)
 return -1;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Jul 28 10:59:09 2018 +0200| [b6098dd17feca3f1d0b8796c81bab5f038258a1f] | 
committer: Michael Niedermayer

avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()

Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented 
in type 'int'
Fixes: 
8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b6098dd17feca3f1d0b8796c81bab5f038258a1f
---

 libavcodec/aacpsdsp_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c
index 65867649c7..5f4be017d5 100644
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@@ -150,10 +150,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], 
INTFLOAT (*r)[2],
 INTFLOAT h1 = h[0][1];
 INTFLOAT h2 = h[0][2];
 INTFLOAT h3 = h[0][3];
-INTFLOAT hs0 = h_step[0][0];
-INTFLOAT hs1 = h_step[0][1];
-INTFLOAT hs2 = h_step[0][2];
-INTFLOAT hs3 = h_step[0][3];
+UINTFLOAT hs0 = h_step[0][0];
+UINTFLOAT hs1 = h_step[0][1];
+UINTFLOAT hs2 = h_step[0][2];
+UINTFLOAT hs3 = h_step[0][3];
 int n;
 
 for (n = 0; n < len; n++) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 22 19:11:04 2018 +0200| [330ed0772c6f6f36e9a027757f393a2886e44c55] | 
committer: Michael Niedermayer

avcodec/dirac_dwt_template: Fix several integer overflows in 
horizontal_compose_daub97i()

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=330ed0772c6f6f36e9a027757f393a2886e44c55
---

 libavcodec/dirac_dwt_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 2369c8d15b..5d55d932a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t 
*_b, uint8_t *_temp, int
 
 // second stage combined with interleave and shift
 b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
-b[0] = (b0 + 1) >> 1;
+b[0] = ~((~b0) >> 1);
 for (x = 1; x < w2; x++) {
 b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]);
 b1 = COMPOSE_DAUB97iH0(  b0, temp[x+w2-1], b2);
-b[2*x-1] = (b1 + 1) >> 1;
-b[2*x  ] = (b2 + 1) >> 1;
+b[2*x-1] = ~((~b1) >> 1);
+b[2*x  ] = ~((~b2) >> 1);
 b0 = b2;
 }
-b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
 }
 
 static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, 
uint8_t *_b2,

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avutil/pixfmt: Document chroma plane size for odd resolutions

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Wed Jul 18 22:22:35 2018 +0200| [7489a527f000a8b48bfcd1c1dafcb68f310e1695] | 
committer: Michael Niedermayer

avutil/pixfmt: Document chroma plane size for odd resolutions

Signed-off-by: Michael Niedermayer 
(cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7489a527f000a8b48bfcd1c1dafcb68f310e1695
---

 libavutil/pixfmt.h | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h
index 24889c8e52..8a26fa874c 100644
--- a/libavutil/pixfmt.h
+++ b/libavutil/pixfmt.h
@@ -42,6 +42,10 @@
  * This is stored as BGRA on little-endian CPU architectures and ARGB on
  * big-endian CPUs.
  *
+ * @note
+ * If the resolution is not a multiple of the chroma subsampling factor
+ * then the chroma plane resolution must be rounded up.
+ *
  * @par
  * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized
  * image data is stored in AVFrame.data[0]. The palette is transported in

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 22 21:42:16 2018 +0200| [9abcade734cb72a908264ca29f187554cdfde8c8] | 
committer: Michael Niedermayer

avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too

Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 
'int'
Fixes: 
9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9abcade734cb72a908264ca29f187554cdfde8c8
---

 libavcodec/diracdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2ceb2234c6..04f54634e0 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -985,6 +985,10 @@ static int decode_lowdelay(DiracContext *s)
 for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
 bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / 
s->lowdelay.bytes.den
- slice_num* (int64_t)s->lowdelay.bytes.num / 
s->lowdelay.bytes.den;
+if (bytes >= INT_MAX || bytes*8 > bufsize) {
+av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+return AVERROR_INVALIDDATA;
+}
 slices[slice_num].bytes   = bytes;
 slices[slice_num].slice_x = slice_x;
 slices[slice_num].slice_y = slice_y;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 29 12:40:48 2018 +0200| [7abc4445f911a4264876d45d2f905ea2475fbfb9] | 
committer: Michael Niedermayer

avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

Fixes: Timeout
Fixes: 
9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7abc4445f911a4264876d45d2f905ea2475fbfb9
---

 libavcodec/qtrle.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 1b0d2016b5..cd8301d143 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int 
row_ptr,
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (num_pixels * (bytestream2_get_byte(>g) - 1));
@@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, 
int lines_to_change)
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (4 * (bytestream2_get_byte(>g) - 1));
@@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 2;
@@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 3;
@@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 4;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] swresample/swresample: Fix input channel count in resample_first computation

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Tue Jul 24 22:44:12 2018 +0200| [5cbf4849e37620b0886e63e25aef02cd766ba5f9] | 
committer: Michael Niedermayer

swresample/swresample: Fix input channel count in resample_first computation

Found-by: Marcin Gorzel 
Reviewed-by: Marcin Gorzel 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cbf4849e37620b0886e63e25aef02cd766ba5f9
---

 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 170f76bc56..c740f5d5fd 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -318,7 +318,7 @@ av_cold int swr_init(struct SwrContext *s){
 
 av_assert0(s->used_ch_count);
 av_assert0(s->out.ch_count);
-s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
+s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
 
 s->in_buffer= s->in;
 s->silence  = s->in;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] lavc/svq3: Fix regression decoding some files.

[Nikolas Bowe]

ffmpeg | branch: release/3.4 | Nikolas Bowe  | Mon Jul 30 
17:22:02 2018 -0700| [c90457a95ee8c81617ec6227784780b691ad3061] | committer: 
Michael Niedermayer

lavc/svq3: Fix regression decoding some files.

Fixes some SVQ3 encoded files which fail to decode correctly after 6d6faa2a2d.
These files exhibit lots of artifacts and logs show "Media key encryption is 
not implemented".
However they decode without artifacts before 6d6faa2a2d.
The attatched patch allows these files to successfully decode, but also reject 
media key files.

Tested on the files in #6094 and 
http://samples.mplayerhq.hu/V-codecs/SVQ3/Vertical400kbit.sorenson3.mov

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5aeb3b008080d8d4a38f245d557dbc9bd6c36dcf)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c90457a95ee8c81617ec6227784780b691ad3061
---

 libavcodec/svq3.c | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index a937b2f951..5d89921323 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -1064,16 +1064,15 @@ static int svq3_decode_slice_header(AVCodecContext 
*avctx)
 av_log(s->avctx, AV_LOG_ERROR, "illegal slice type %u \n", slice_id);
 return -1;
 }
-if (get_bits1(>gb_slice)) {
-avpriv_report_missing_feature(s->avctx, "Media key encryption");
-return AVERROR_PATCHWELCOME;
-}
 
 s->slice_type = ff_h264_golomb_to_pict_type[slice_id];
 
 if ((header & 0x9F) == 2) {
-i = (s->mb_num < 64) ? 5 : av_log2(s->mb_num - 1);
+i = (s->mb_num < 64) ? 6 : (1 + av_log2(s->mb_num - 1));
 get_bits(>gb_slice, i);
+} else if (get_bits1(>gb_slice)) {
+avpriv_report_missing_feature(s->avctx, "Media key encryption");
+return AVERROR_PATCHWELCOME;
 }
 
 s->slice_num  = get_bits(>gb_slice, 8);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 22 18:58:34 2018 +0200| [9da24737a3b27c962a4bba8d1b16acdff4a078f2] | 
committer: Michael Niedermayer

avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 
'int'
Fixes: 
8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9da24737a3b27c962a4bba8d1b16acdff4a078f2
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 2c8d94758c..98474eaf50 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1398,8 +1398,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 22 21:26:24 2018 +0200| [a594ce26ce3842a1a52558bcfc3f8f57fd5c6f45] | 
committer: Michael Niedermayer

avcodec/diracdec: Check slice numbers for overflows in relation to picture 
dimensions

Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 
'int'
Fixes: 
9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a594ce26ce3842a1a52558bcfc3f8f57fd5c6f45
---

 libavcodec/diracdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 376732c310..2ceb2234c6 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1242,7 +1242,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
 else {
 s->num_x= get_interleaved_ue_golomb(gb);
 s->num_y= get_interleaved_ue_golomb(gb);
-if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > 
INT_MAX) {
+if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > 
INT_MAX ||
+s->num_x * (uint64_t)s->avctx->width  > INT_MAX ||
+s->num_y * (uint64_t)s->avctx->height > INT_MAX
+) {
 av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
 s->num_x = s->num_y = 0;
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/flvenc: Check audio packet size

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sat Jul 28 15:03:50 2018 +0200| [44e878d08674a15906badfb921443a44ebf6257d] | 
committer: Michael Niedermayer

avformat/flvenc: Check audio packet size

Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf

Found-by: #CHEN HONGXU# 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=44e878d08674a15906badfb921443a44ebf6257d
---

 libavformat/flvenc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index 899b07ea7b..e966c36c65 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -879,6 +879,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 int flags = -1, flags_size, ret;
 int64_t cur_offset = avio_tell(pb);
 
+if (par->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) {
+av_log(s, AV_LOG_WARNING, "Empty audio Packet\n");
+return AVERROR(EINVAL);
+}
+
 if (par->codec_id == AV_CODEC_ID_VP6F || par->codec_id == AV_CODEC_ID_VP6A 
||
 par->codec_id == AV_CODEC_ID_VP6  || par->codec_id == AV_CODEC_ID_AAC)
 flags_size = 2;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case

[Michael Niedermayer]

ffmpeg | branch: release/3.4 | Michael Niedermayer  | 
Sun Jul 22 20:45:39 2018 +0200| [7068bcf58ad2ad8190ce343934503dd1f0b98ee4] | 
committer: Michael Niedermayer

avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the 
bitstream and we also have a -1 special case

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7068bcf58ad2ad8190ce343934503dd1f0b98ee4
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 98474eaf50..376732c310 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -140,7 +140,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 AVDiracSeqHeader seq;
 int seen_sequence_header;
-int frame_number;   /* number of the next frame to display   */
+int64_t frame_number;   /* number of the next frame to display   */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
@@ -2302,7 +2302,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 }
 
 if (*got_frame)
-s->frame_number = picture->display_picture_number + 1;
+s->frame_number = picture->display_picture_number + 1LL;
 
 return buf_idx;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] [ffmpeg-web] branch master updated. e51f0b6 src/download: Add FFmpeg 3.0.12

[ffmpeg-git]

The branch, master has been updated
   via  e51f0b6f978d9958a0abfb59da2e674d7e22ea3f (commit)
  from  da078c7a2c3eb4db5c379b7fbdb23ae3ae1c6f95 (commit)


- Log -
commit e51f0b6f978d9958a0abfb59da2e674d7e22ea3f
Author: Michael Niedermayer 
AuthorDate: Sun Oct 28 02:20:46 2018 +0200
Commit: Michael Niedermayer 
CommitDate: Sun Oct 28 02:20:46 2018 +0200

src/download: Add FFmpeg 3.0.12

diff --git a/src/download b/src/download
index 40f4706..ded1f0f 100644
--- a/src/download
+++ b/src/download
@@ -420,10 +420,10 @@ libpostproc54.  1.100
  

 
-  FFmpeg 3.0.11 "Einstein"
+  FFmpeg 3.0.12 "Einstein"
 
   
-3.0.11 was released on 2018-02-27. It is the latest stable FFmpeg release
+3.0.12 was released on 2018-10-28. It is the latest stable FFmpeg release
 from the 3.0 release branch, which was cut from master on 2016-02-14.
   
   It includes the following library versions:
@@ -441,19 +441,19 @@ libpostproc54.  0.100
 
   
 
-  Download 
xz tarball
-  PGP 
signature
+  Download 
xz tarball
+  PGP 
signature
  
 
-  Download bzip2 tarball
-  PGP 
signature
+  Download bzip2 tarball
+  PGP 
signature
  
 
-  Download 
gzip tarball
-  PGP 
signature
+  Download 
gzip tarball
+  PGP 
signature
  
 
-  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.0.11;>Changelog
+  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.0.12;>Changelog
   https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.0:/RELEASE_NOTES;>Release
 Notes
  


---

Summary of changes:
 src/download | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)


hooks/post-receive
-- 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] Tag n3.0.12 : FFmpeg 3.0.12 release

[git]

[ffmpeg] [branch: refs/tags/n3.0.12]
Tag:316824e0a7b56f2d52ff6f4681e4bb2aa17ee153
> http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=316824e0a7b56f2d52ff6f4681e4bb2aa17ee153

Tagger: Michael Niedermayer 
Date:   Sun Oct 28 02:11:29 2018 +0200

FFmpeg 3.0.12 release
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] Changelog: Update

[Michael Niedermayer]

ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Oct 28 00:24:53 2018 +0200| [527e64d32c345e2da17ae8afc0f852c3cca28345] | 
committer: Michael Niedermayer

Changelog: Update

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=527e64d32c345e2da17ae8afc0f852c3cca28345
---

 Changelog | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Changelog b/Changelog
index 12b3cd9b98..441be22abe 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,8 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 3.0.12
+- avutil/integer: Fix integer overflow in av_mul_i()
+- avcodec/msrle: Check that the input is large enough to contain a end of 
picture code
 - avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
 - avcodec/mpeg4videodec: Fix typo in sprite delta check
 - avcodec/h264_cavlc: Check mb_skip_run

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code

[Michael Niedermayer]

ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Oct 21 14:40:14 2018 +0200| [82e796a4c9ccaf2765c0a1e85dbcec73733f4246] | 
committer: Michael Niedermayer

avcodec/msrle: Check that the input is large enough to contain a end of picture 
code

Fixes: Timeout
Fixes: 
10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=82e796a4c9ccaf2765c0a1e85dbcec73733f4246
---

 libavcodec/msrle.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
index 33b157bc75..23858fe6d0 100644
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
 s->buf = buf;
 s->size = buf_size;
 
+if (buf_size < 2) //Minimally a end of picture code should be there
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()

[Michael Niedermayer]

ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Oct 24 01:44:12 2018 +0200| [15296d64ca4f691285f245b1e5af04241e5b2fd2] | 
committer: Michael Niedermayer

avutil/integer: Fix integer overflow in av_mul_i()

Found-by: fate
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15296d64ca4f691285f245b1e5af04241e5b2fd2
---

 libavutil/integer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 6d6855fa1b..ba4aa778c9 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){
 
 if(a.v[i])
 for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i];
+carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i];
 out.v[j]= carry;
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avfilter/vf_pixdesctest: Use 32bit read/write

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer  | Thu 
Oct 25 23:15:54 2018 +0200| [cd34c6a57ee6d12b30e6283db94a7e44fbedb244] | 
committer: Michael Niedermayer

avfilter/vf_pixdesctest: Use 32bit read/write

This is needed for processing 32bit floats

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd34c6a57ee6d12b30e6283db94a7e44fbedb244
---

 libavfilter/vf_pixdesctest.c| 10 +-
 tests/ref/fate/filter-pixdesc-grayf32be |  2 +-
 tests/ref/fate/filter-pixdesc-grayf32le |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/libavfilter/vf_pixdesctest.c b/libavfilter/vf_pixdesctest.c
index 2d0749e20b..680d1a772a 100644
--- a/libavfilter/vf_pixdesctest.c
+++ b/libavfilter/vf_pixdesctest.c
@@ -31,7 +31,7 @@
 
 typedef struct PixdescTestContext {
 const AVPixFmtDescriptor *pix_desc;
-uint16_t *line;
+uint32_t *line;
 } PixdescTestContext;
 
 static av_cold void uninit(AVFilterContext *ctx)
@@ -89,17 +89,17 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 const int h1 = c == 1 || c == 2 ? ch : h;
 
 for (i = 0; i < h1; i++) {
-av_read_image_line(priv->line,
+av_read_image_line2(priv->line,
(void*)in->data,
in->linesize,
priv->pix_desc,
-   0, i, c, w1, 0);
+   0, i, c, w1, 0, 4);
 
-av_write_image_line(priv->line,
+av_write_image_line2(priv->line,
 out->data,
 out->linesize,
 priv->pix_desc,
-0, i, c, w1);
+0, i, c, w1, 4);
 }
 }
 
diff --git a/tests/ref/fate/filter-pixdesc-grayf32be 
b/tests/ref/fate/filter-pixdesc-grayf32be
index 787ca0ca7e..171475483a 100644
--- a/tests/ref/fate/filter-pixdesc-grayf32be
+++ b/tests/ref/fate/filter-pixdesc-grayf32be
@@ -1 +1 @@
-pixdesc-grayf32be   047d17c62f2e712c6547e4227b427303
+pixdesc-grayf32be   9b23c74e8e8ffae5d7c7e82bbf5929da
diff --git a/tests/ref/fate/filter-pixdesc-grayf32le 
b/tests/ref/fate/filter-pixdesc-grayf32le
index 8de4d4c88d..d598d123b4 100644
--- a/tests/ref/fate/filter-pixdesc-grayf32le
+++ b/tests/ref/fate/filter-pixdesc-grayf32le
@@ -1 +1 @@
-pixdesc-grayf32le   cdedfdbaa4e192b9f2c84092f955fb4b
+pixdesc-grayf32le   291f074a24c44799a1f437d1c6f1

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avutil/pixdesc: Add av_write_image_line2(), av_read_image_line2()

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer  | Thu 
Oct 25 23:08:20 2018 +0200| [718044dc198710f9d6e70d94affd5f8a1a52430f] | 
committer: Michael Niedermayer

avutil/pixdesc: Add av_write_image_line2(), av_read_image_line2()

This is needed because of 32bit float formats (which are difficult to
store in 16bits)

This also fixes undefined behavior found by fate

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=718044dc198710f9d6e70d94affd5f8a1a52430f
---

 doc/APIchanges  |  3 ++
 libavutil/pixdesc.c | 72 +
 libavutil/pixdesc.h | 11 +
 libavutil/version.h |  2 +-
 tests/ref/fate/filter-pixdesc-grayf32be |  2 +-
 tests/ref/fate/filter-pixdesc-grayf32le |  2 +-
 6 files changed, 73 insertions(+), 19 deletions(-)

diff --git a/doc/APIchanges b/doc/APIchanges
index ca4f93b8b2..346a5f0229 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -15,6 +15,9 @@ libavutil: 2017-10-21
 
 API changes, most recent first:
 
+2018-XX-XX - xx - lavu 56.21.100 - pixdesc.h
+  Add av_read_image_line2(), av_write_image_line2()
+
 2018-10-24 - xx - lavu 56.20.100 - frame.h
   Add AV_FRAME_DATA_S12M_TIMECODE
 
diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c
index 970a83214c..1c36577289 100644
--- a/libavutil/pixdesc.c
+++ b/libavutil/pixdesc.c
@@ -31,19 +31,22 @@
 #include "intreadwrite.h"
 #include "version.h"
 
-void av_read_image_line(uint16_t *dst,
+void av_read_image_line2(void *dst,
 const uint8_t *data[4], const int linesize[4],
 const AVPixFmtDescriptor *desc,
 int x, int y, int c, int w,
-int read_pal_component)
+int read_pal_component,
+int dst_element_size)
 {
 AVComponentDescriptor comp = desc->comp[c];
 int plane = comp.plane;
 int depth = comp.depth;
-int mask  = (1 << depth) - 1;
+unsigned mask  = (1ULL << depth) - 1;
 int shift = comp.shift;
 int step  = comp.step;
 int flags = desc->flags;
+uint16_t *dst16 = dst;
+uint32_t *dst32 = dst;
 
 if (flags & AV_PIX_FMT_FLAG_BITSTREAM) {
 int skip = x * step + comp.offset;
@@ -57,38 +60,56 @@ void av_read_image_line(uint16_t *dst,
 shift -= step;
 p -= shift >> 3;
 shift &= 7;
-*dst++ = val;
+if (dst_element_size == 4) *dst32++ = val;
+else   *dst16++ = val;
 }
 } else {
 const uint8_t *p = data[plane] + y * linesize[plane] +
x * step + comp.offset;
 int is_8bit = shift + depth <= 8;
+int is_16bit= shift + depth <=16;
 
 if (is_8bit)
 p += !!(flags & AV_PIX_FMT_FLAG_BE);
 
 while (w--) {
-int val = is_8bit ? *p :
-flags & AV_PIX_FMT_FLAG_BE ? AV_RB16(p) : AV_RL16(p);
+unsigned val;
+if (is_8bit)  val = *p;
+else if(is_16bit) val = flags & AV_PIX_FMT_FLAG_BE ? AV_RB16(p) : 
AV_RL16(p);
+else  val = flags & AV_PIX_FMT_FLAG_BE ? AV_RB32(p) : 
AV_RL32(p);
 val = (val >> shift) & mask;
 if (read_pal_component)
 val = data[1][4 * val + c];
 p += step;
-*dst++ = val;
+if (dst_element_size == 4) *dst32++ = val;
+else   *dst16++ = val;
 }
 }
 }
 
-void av_write_image_line(const uint16_t *src,
+void av_read_image_line(uint16_t *dst,
+const uint8_t *data[4], const int linesize[4],
+const AVPixFmtDescriptor *desc,
+int x, int y, int c, int w,
+int read_pal_component)
+{
+av_read_image_line2(dst, data, linesize, desc,x, y, c, w,
+read_pal_component,
+2);
+}
+
+void av_write_image_line2(const void *src,
  uint8_t *data[4], const int linesize[4],
  const AVPixFmtDescriptor *desc,
- int x, int y, int c, int w)
+ int x, int y, int c, int w, int src_element_size)
 {
 AVComponentDescriptor comp = desc->comp[c];
 int plane = comp.plane;
 int depth = comp.depth;
 int step  = comp.step;
 int flags = desc->flags;
+const uint32_t *src32 = src;
+const uint16_t *src16 = src;
 
 if (flags & AV_PIX_FMT_FLAG_BITSTREAM) {
 int skip = x * step + comp.offset;
@@ -96,7 +117,7 @@ void av_write_image_line(const uint16_t *src,
 int shift = 8 - depth - (skip & 7);
 
 while (w--) {
-*p |= *src++ << shift;
+*p |= (src_element_size == 4 ? *src32++ : *src16++) << shift;
 shift -= step;
 p -= shift 

[FFmpeg-cvslog] avcodec/cbs_vp9: fix parsing sRGB samples

[James Almer]

ffmpeg | branch: master | James Almer  | Fri Oct 26 16:32:56 
2018 -0300| [a5d98da4d6f3d0cd89d61af43e6377a9c9dd4cb2] | committer: James Almer

avcodec/cbs_vp9: fix parsing sRGB samples

Signed-off-by: Hendrik Leppkes 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a5d98da4d6f3d0cd89d61af43e6377a9c9dd4cb2
---

 libavcodec/cbs_vp9_syntax_template.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/cbs_vp9_syntax_template.c 
b/libavcodec/cbs_vp9_syntax_template.c
index 0db0f52a6d..b4a7f65e85 100644
--- a/libavcodec/cbs_vp9_syntax_template.c
+++ b/libavcodec/cbs_vp9_syntax_template.c
@@ -65,6 +65,7 @@ static int FUNC(color_config)(CodedBitstreamContext *ctx, 
RWContext *rw,
 if (profile == 1 || profile == 3) {
 infer(subsampling_x, 0);
 infer(subsampling_y, 0);
+f(1, color_config_reserved_zero);
 }
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cbs_av1: fix parsing frame_size_with_refs

[James Almer]

ffmpeg | branch: master | James Almer  | Fri Oct 26 21:32:36 
2018 -0300| [99ef8b8afd993fec3160c633f5fe87cceb7fe392] | committer: James Almer

avcodec/cbs_av1: fix parsing frame_size_with_refs

found_ref is not a single value in the bitstream. Fixes parsing files with
frame size changes.

Based on code from cbs_vp9.

Reviewed-by: Mark Thompson 
Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=99ef8b8afd993fec3160c633f5fe87cceb7fe392
---

 libavcodec/cbs_av1.h | 2 +-
 libavcodec/cbs_av1_syntax_template.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/cbs_av1.h b/libavcodec/cbs_av1.h
index 0d7fd761f1..b66a09c389 100644
--- a/libavcodec/cbs_av1.h
+++ b/libavcodec/cbs_av1.h
@@ -161,7 +161,7 @@ typedef struct AV1RawFrameHeader {
 uint8_t  render_width_minus_1;
 uint8_t  render_height_minus_1;
 
-uint8_t found_ref;
+uint8_t found_ref[AV1_REFS_PER_FRAME];
 
 uint8_t refresh_frame_flags;
 uint8_t allow_intrabc;
diff --git a/libavcodec/cbs_av1_syntax_template.c 
b/libavcodec/cbs_av1_syntax_template.c
index 84ab2973ab..e146bbf8bb 100644
--- a/libavcodec/cbs_av1_syntax_template.c
+++ b/libavcodec/cbs_av1_syntax_template.c
@@ -417,8 +417,8 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext 
*ctx, RWContext *rw,
 int i, err;
 
 for (i = 0; i < AV1_REFS_PER_FRAME; i++) {
-flag(found_ref);
-if (current->found_ref) {
+flags(found_ref[i], 1, i);
+if (current->found_ref[i]) {
 AV1ReferenceFrameState *ref =
 >ref[current->ref_frame_idx[i]];
 
@@ -439,7 +439,7 @@ static int FUNC(frame_size_with_refs)(CodedBitstreamContext 
*ctx, RWContext *rw,
 }
 }
 
-if (current->found_ref == 0) {
+if (i >= AV1_REFS_PER_FRAME) {
 CHECK(FUNC(frame_size)(ctx, rw, current));
 CHECK(FUNC(render_size)(ctx, rw, current));
 } else {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] vaapi_encode_mpeg2: Use common slice sizing code

[Mark Thompson]

ffmpeg | branch: master | Mark Thompson  | Sun Sep 23 22:52:57 
2018 +0100| [29816e278f4ff22f50d9c831e3cf5f4d1b0e0214] | committer: Mark 
Thompson

vaapi_encode_mpeg2: Use common slice sizing code

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29816e278f4ff22f50d9c831e3cf5f4d1b0e0214
---

 libavcodec/vaapi_encode_mpeg2.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/libavcodec/vaapi_encode_mpeg2.c b/libavcodec/vaapi_encode_mpeg2.c
index 1377eeb9bb..99a8b43237 100644
--- a/libavcodec/vaapi_encode_mpeg2.c
+++ b/libavcodec/vaapi_encode_mpeg2.c
@@ -35,9 +35,6 @@ typedef struct VAAPIEncodeMPEG2Context {
 int level;
 
 // Derived settings.
-int mb_width;
-int mb_height;
-
 int quant_i;
 int quant_p;
 int quant_b;
@@ -477,8 +474,6 @@ static int 
vaapi_encode_mpeg2_init_picture_params(AVCodecContext *avctx,
 vpic->f_code[1][0]   = pce->f_code[1][0];
 vpic->f_code[1][1]   = pce->f_code[1][1];
 
-pic->nb_slices = priv->mb_height;
-
 return 0;
 }
 
@@ -490,8 +485,8 @@ static int 
vaapi_encode_mpeg2_init_slice_params(AVCodecContext *avctx,
 VAEncSliceParameterBufferMPEG2   *vslice = slice->codec_slice_params;
 int qp;
 
-vslice->macroblock_address = priv->mb_width * slice->index;
-vslice->num_macroblocks= priv->mb_width;
+vslice->macroblock_address = slice->block_start;
+vslice->num_macroblocks= slice->block_size;
 
 switch (pic->type) {
 case PICTURE_TYPE_IDR:
@@ -525,9 +520,6 @@ static av_cold int 
vaapi_encode_mpeg2_configure(AVCodecContext *avctx)
 if (err < 0)
 return err;
 
-priv->mb_width  = FFALIGN(avctx->width,  16) / 16;
-priv->mb_height = FFALIGN(avctx->height, 16) / 16;
-
 if (ctx->va_rc_mode == VA_RC_CQP) {
 priv->quant_p = av_clip(avctx->global_quality, 1, 31);
 if (avctx->i_quant_factor > 0.0)
@@ -553,6 +545,12 @@ static av_cold int 
vaapi_encode_mpeg2_configure(AVCodecContext *avctx)
 av_assert0(0 && "Invalid RC mode.");
 }
 
+ctx->slice_block_rows = FFALIGN(avctx->width,  16) / 16;
+ctx->slice_block_cols = FFALIGN(avctx->height, 16) / 16;
+
+ctx->nb_slices  = ctx->slice_block_rows;
+ctx->slice_size = 1;
+
 return 0;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] vaapi_encode: Support configurable slices

[Mark Thompson]

ffmpeg | branch: master | Mark Thompson  | Sun Sep 23 22:52:56 
2018 +0100| [2923ed247ee2f507f32b34aeddd6785bab173a71] | committer: Mark 
Thompson

vaapi_encode: Support configurable slices

This adds common code to query driver support and set appropriate
address/size information for each slice.  It only supports rectangular
slices for now, since that is the most common use-case.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2923ed247ee2f507f32b34aeddd6785bab173a71
---

 doc/encoders.texi |   2 +
 libavcodec/vaapi_encode.c | 148 ++
 libavcodec/vaapi_encode.h |  22 +++
 3 files changed, 172 insertions(+)

diff --git a/doc/encoders.texi b/doc/encoders.texi
index 8d184f72f8..899faac49b 100644
--- a/doc/encoders.texi
+++ b/doc/encoders.texi
@@ -2598,6 +2598,8 @@ Size / quality tradeoff: higher values are smaller / 
worse quality.
 @option{b_qfactor} / @option{b_quant_factor}
 @item
 @option{b_qoffset} / @option{b_quant_offset}
+@item
+@option{slices}
 @end itemize
 
 All encoders support the following options:
diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c
index 2c34cdce2c..e01c3c112b 100644
--- a/libavcodec/vaapi_encode.c
+++ b/libavcodec/vaapi_encode.c
@@ -319,16 +319,60 @@ static int vaapi_encode_issue(AVCodecContext *avctx,
 }
 }
 
+if (pic->nb_slices == 0)
+pic->nb_slices = ctx->nb_slices;
 if (pic->nb_slices > 0) {
+int rounding;
+
 pic->slices = av_mallocz_array(pic->nb_slices, sizeof(*pic->slices));
 if (!pic->slices) {
 err = AVERROR(ENOMEM);
 goto fail;
 }
+
+for (i = 0; i < pic->nb_slices; i++)
+pic->slices[i].row_size = ctx->slice_size;
+
+rounding = ctx->slice_block_rows - ctx->nb_slices * ctx->slice_size;
+if (rounding > 0) {
+// Place rounding error at top and bottom of frame.
+av_assert0(rounding < pic->nb_slices);
+// Some Intel drivers contain a bug where the encoder will fail
+// if the last slice is smaller than the one before it.  Since
+// that's straightforward to avoid here, just do so.
+if (rounding <= 2) {
+for (i = 0; i < rounding; i++)
+++pic->slices[i].row_size;
+} else {
+for (i = 0; i < (rounding + 1) / 2; i++)
+++pic->slices[pic->nb_slices - i - 1].row_size;
+for (i = 0; i < rounding / 2; i++)
+++pic->slices[i].row_size;
+}
+} else if (rounding < 0) {
+// Remove rounding error from last slice only.
+av_assert0(rounding < ctx->slice_size);
+pic->slices[pic->nb_slices - 1].row_size += rounding;
+}
 }
 for (i = 0; i < pic->nb_slices; i++) {
 slice = >slices[i];
 slice->index = i;
+if (i == 0) {
+slice->row_start   = 0;
+slice->block_start = 0;
+} else {
+const VAAPIEncodeSlice *prev = >slices[i - 1];
+slice->row_start   = prev->row_start   + prev->row_size;
+slice->block_start = prev->block_start + prev->block_size;
+}
+slice->block_size  = slice->row_size * ctx->slice_block_cols;
+
+av_log(avctx, AV_LOG_DEBUG, "Slice %d: %d-%d (%d rows), "
+   "%d-%d (%d blocks).\n", i, slice->row_start,
+   slice->row_start + slice->row_size - 1, slice->row_size,
+   slice->block_start, slice->block_start + slice->block_size - 1,
+   slice->block_size);
 
 if (ctx->codec->slice_params_size > 0) {
 slice->codec_slice_params = 
av_mallocz(ctx->codec->slice_params_size);
@@ -1444,6 +1488,106 @@ static av_cold int 
vaapi_encode_init_gop_structure(AVCodecContext *avctx)
 return 0;
 }
 
+static av_cold int vaapi_encode_init_slice_structure(AVCodecContext *avctx)
+{
+VAAPIEncodeContext *ctx = avctx->priv_data;
+VAConfigAttrib attr[2] = { { VAConfigAttribEncMaxSlices },
+   { VAConfigAttribEncSliceStructure } };
+VAStatus vas;
+uint32_t max_slices, slice_structure;
+int req_slices;
+
+if (!(ctx->codec->flags & FLAG_SLICE_CONTROL)) {
+if (avctx->slices > 0) {
+av_log(avctx, AV_LOG_WARNING, "Multiple slices were requested "
+   "but this codec does not support controlling slices.\n");
+}
+return 0;
+}
+
+ctx->slice_block_rows = (avctx->height + ctx->slice_block_height - 1) /
+ ctx->slice_block_height;
+ctx->slice_block_cols = (avctx->width  + ctx->slice_block_width  - 1) /
+ ctx->slice_block_width;
+
+if (avctx->slices <= 1) {
+ctx->nb_slices  = 1;
+ctx->slice_size = ctx->slice_block_rows;
+return 0;
+}
+
+vas = 

[FFmpeg-cvslog] vaapi_encode_h264: Enable multiple-slice support

[Mark Thompson]

ffmpeg | branch: master | Mark Thompson  | Sun Sep 23 22:52:58 
2018 +0100| [a769e72c750e113c75b1f106296ade94caa28748] | committer: Mark 
Thompson

vaapi_encode_h264: Enable multiple-slice support

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a769e72c750e113c75b1f106296ade94caa28748
---

 libavcodec/vaapi_encode_h264.c | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/libavcodec/vaapi_encode_h264.c b/libavcodec/vaapi_encode_h264.c
index 8feae0d42f..7bb77cfba2 100644
--- a/libavcodec/vaapi_encode_h264.c
+++ b/libavcodec/vaapi_encode_h264.c
@@ -733,8 +733,6 @@ static int 
vaapi_encode_h264_init_picture_params(AVCodecContext *avctx,
 vpic->pic_fields.bits.idr_pic_flag   = (pic->type == PICTURE_TYPE_IDR);
 vpic->pic_fields.bits.reference_pic_flag = (pic->type != PICTURE_TYPE_B);
 
-pic->nb_slices = 1;
-
 return 0;
 }
 
@@ -758,8 +756,7 @@ static int 
vaapi_encode_h264_init_slice_params(AVCodecContext *avctx,
 sh->nal_unit_header.nal_ref_idc   = pic->type != PICTURE_TYPE_B;
 }
 
-// Only one slice per frame.
-sh->first_mb_in_slice = 0;
+sh->first_mb_in_slice = slice->block_start;
 sh->slice_type= priv->slice_type;
 
 sh->pic_parameter_set_id = pps->pic_parameter_set_id;
@@ -780,8 +777,8 @@ static int 
vaapi_encode_h264_init_slice_params(AVCodecContext *avctx,
 sh->slice_qp_delta = priv->fixed_qp_idr - (pps->pic_init_qp_minus26 + 
26);
 
 
-vslice->macroblock_address = sh->first_mb_in_slice;
-vslice->num_macroblocks= priv->mb_width * priv->mb_height;
+vslice->macroblock_address = slice->block_start;
+vslice->num_macroblocks= slice->block_size;
 
 vslice->macroblock_info = VA_INVALID_ID;
 
@@ -903,6 +900,8 @@ static const VAAPIEncodeProfile 
vaapi_encode_h264_profiles[] = {
 static const VAAPIEncodeType vaapi_encode_type_h264 = {
 .profiles  = vaapi_encode_h264_profiles,
 
+.flags = FLAG_SLICE_CONTROL,
+
 .configure = _encode_h264_configure,
 
 .sequence_params_size  = sizeof(VAEncSequenceParameterBufferH264),
@@ -978,6 +977,8 @@ static av_cold int vaapi_encode_h264_init(AVCodecContext 
*avctx)
 ctx->surface_width  = FFALIGN(avctx->width,  16);
 ctx->surface_height = FFALIGN(avctx->height, 16);
 
+ctx->slice_block_height = ctx->slice_block_width = 16;
+
 return ff_vaapi_encode_init(avctx);
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] vaapi_encode_h265: Enable multiple-slice support

[Mark Thompson]

ffmpeg | branch: master | Mark Thompson  | Sun Sep 23 22:52:59 
2018 +0100| [a7eda762dce66e7df993f66fc3abdf06c7074190] | committer: Mark 
Thompson

vaapi_encode_h265: Enable multiple-slice support

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a7eda762dce66e7df993f66fc3abdf06c7074190
---

 libavcodec/vaapi_encode_h265.c | 29 +++--
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/libavcodec/vaapi_encode_h265.c b/libavcodec/vaapi_encode_h265.c
index 10312fbd60..367fa5fde2 100644
--- a/libavcodec/vaapi_encode_h265.c
+++ b/libavcodec/vaapi_encode_h265.c
@@ -54,9 +54,6 @@ typedef struct VAAPIEncodeH265Context {
 int sei;
 
 // Derived settings.
-unsigned int ctu_width;
-unsigned int ctu_height;
-
 int fixed_qp_idr;
 int fixed_qp_p;
 int fixed_qp_b;
@@ -349,7 +346,8 @@ static int 
vaapi_encode_h265_init_sequence_params(AVCodecContext *avctx)
 
 level = ff_h265_guess_level(ptl, avctx->bit_rate,
 ctx->surface_width, ctx->surface_height,
-1, 1, 1, (ctx->b_per_p > 0) + 1);
+ctx->nb_slices, 1, 1,
+(ctx->b_per_p > 0) + 1);
 if (level) {
 av_log(avctx, AV_LOG_VERBOSE, "Using level %s.\n", level->name);
 ptl->general_level_idc = level->level_idc;
@@ -850,8 +848,6 @@ static int 
vaapi_encode_h265_init_picture_params(AVCodecContext *avctx,
 av_assert0(0 && "invalid picture type");
 }
 
-pic->nb_slices = 1;
-
 return 0;
 }
 
@@ -876,9 +872,8 @@ static int 
vaapi_encode_h265_init_slice_params(AVCodecContext *avctx,
 
 sh->slice_pic_parameter_set_id  = pps->pps_pic_parameter_set_id;
 
-// Currently we only support one slice per frame.
-sh->first_slice_segment_in_pic_flag = 1;
-sh->slice_segment_address   = 0;
+sh->first_slice_segment_in_pic_flag = slice->index == 0;
+sh->slice_segment_address   = slice->block_start;
 
 sh->slice_type = priv->slice_type;
 
@@ -968,7 +963,7 @@ static int 
vaapi_encode_h265_init_slice_params(AVCodecContext *avctx,
 
 *vslice = (VAEncSliceParameterBufferHEVC) {
 .slice_segment_address = sh->slice_segment_address,
-.num_ctu_in_slice  = priv->ctu_width * priv->ctu_height,
+.num_ctu_in_slice  = slice->block_size,
 
 .slice_type = sh->slice_type,
 .slice_pic_parameter_set_id = sh->slice_pic_parameter_set_id,
@@ -989,7 +984,7 @@ static int 
vaapi_encode_h265_init_slice_params(AVCodecContext *avctx,
 .slice_tc_offset_div2   = sh->slice_tc_offset_div2,
 
 .slice_fields.bits = {
-.last_slice_of_pic_flag   = 1,
+.last_slice_of_pic_flag   = slice->index == pic->nb_slices - 1,
 .dependent_slice_segment_flag = sh->dependent_slice_segment_flag,
 .colour_plane_id  = sh->colour_plane_id,
 .slice_temporal_mvp_enabled_flag =
@@ -1041,13 +1036,6 @@ static av_cold int 
vaapi_encode_h265_configure(AVCodecContext *avctx)
 if (err < 0)
 return err;
 
-priv->ctu_width = FFALIGN(ctx->surface_width,  32) / 32;
-priv->ctu_height= FFALIGN(ctx->surface_height, 32) / 32;
-
-av_log(avctx, AV_LOG_VERBOSE, "Input %ux%u -> Surface %ux%u -> CTU 
%ux%u.\n",
-   avctx->width, avctx->height, ctx->surface_width,
-   ctx->surface_height, priv->ctu_width, priv->ctu_height);
-
 if (ctx->va_rc_mode == VA_RC_CQP) {
 priv->fixed_qp_p = priv->qp;
 if (avctx->i_quant_factor > 0.0)
@@ -1092,6 +1080,8 @@ static const VAAPIEncodeProfile 
vaapi_encode_h265_profiles[] = {
 static const VAAPIEncodeType vaapi_encode_type_h265 = {
 .profiles  = vaapi_encode_h265_profiles,
 
+.flags = FLAG_SLICE_CONTROL,
+
 .configure = _encode_h265_configure,
 
 .sequence_params_size  = sizeof(VAEncSequenceParameterBufferHEVC),
@@ -1138,6 +1128,9 @@ static av_cold int vaapi_encode_h265_init(AVCodecContext 
*avctx)
 ctx->surface_width  = FFALIGN(avctx->width,  16);
 ctx->surface_height = FFALIGN(avctx->height, 16);
 
+// CTU size is currently hard-coded to 32.
+ctx->slice_block_width = ctx->slice_block_height = 32;
+
 return ff_vaapi_encode_init(avctx);
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] vaapi_encode: Add flag to mark encoders supporting only constant-quality

[Mark Thompson]

ffmpeg | branch: master | Mark Thompson  | Sun Sep 23 22:53:00 
2018 +0100| [fef2162b6ea752c76a1220f59ad962b65a400fc3] | committer: Mark 
Thompson

vaapi_encode: Add flag to mark encoders supporting only constant-quality

And set it for MJPEG.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fef2162b6ea752c76a1220f59ad962b65a400fc3
---

 libavcodec/vaapi_encode.c   | 3 ++-
 libavcodec/vaapi_encode.h   | 2 ++
 libavcodec/vaapi_encode_mjpeg.c | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vaapi_encode.c b/libavcodec/vaapi_encode.c
index e01c3c112b..2fe8501287 100644
--- a/libavcodec/vaapi_encode.c
+++ b/libavcodec/vaapi_encode.c
@@ -1277,7 +1277,8 @@ static av_cold int 
vaapi_encode_init_rate_control(AVCodecContext *avctx)
 ctx->va_rc_mode = VA_RC_CQP;
 return 0;
 }
-if (avctx->flags & AV_CODEC_FLAG_QSCALE ||
+if (ctx->codec->flags & FLAG_CONSTANT_QUALITY_ONLY ||
+avctx->flags & AV_CODEC_FLAG_QSCALE ||
 avctx->bit_rate <= 0) {
 if (rc_attr.value & VA_RC_CQP) {
 av_log(avctx, AV_LOG_VERBOSE, "Using constant-quality mode.\n");
diff --git a/libavcodec/vaapi_encode.h b/libavcodec/vaapi_encode.h
index 271d4ef518..965fe65c0b 100644
--- a/libavcodec/vaapi_encode.h
+++ b/libavcodec/vaapi_encode.h
@@ -251,6 +251,8 @@ typedef struct VAAPIEncodeContext {
 enum {
 // Codec supports controlling the subdivision of pictures into slices.
 FLAG_SLICE_CONTROL = 1 << 0,
+// Codec only supports constant quality (no rate control).
+FLAG_CONSTANT_QUALITY_ONLY = 1 << 1,
 };
 
 typedef struct VAAPIEncodeType {
diff --git a/libavcodec/vaapi_encode_mjpeg.c b/libavcodec/vaapi_encode_mjpeg.c
index fe8439ce88..79f43473f5 100644
--- a/libavcodec/vaapi_encode_mjpeg.c
+++ b/libavcodec/vaapi_encode_mjpeg.c
@@ -476,6 +476,8 @@ static const VAAPIEncodeProfile 
vaapi_encode_mjpeg_profiles[] = {
 static const VAAPIEncodeType vaapi_encode_type_mjpeg = {
 .profiles  = vaapi_encode_mjpeg_profiles,
 
+.flags = FLAG_CONSTANT_QUALITY_ONLY,
+
 .configure = _encode_mjpeg_configure,
 
 .picture_params_size   = sizeof(VAEncPictureParameterBufferJPEG),

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avfilter/window_func: add bohman window

[Paul B Mahol]

ffmpeg | branch: master | Paul B Mahol  | Sat Oct 27 13:13:31 
2018 +0200| [40ac622460284f4aad10a13b786d03d6c2cfa868] | committer: Paul B Mahol

avfilter/window_func: add bohman window

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=40ac622460284f4aad10a13b786d03d6c2cfa868
---

 doc/filters.texi   | 3 +++
 libavfilter/asrc_hilbert.c | 1 +
 libavfilter/avf_showfreqs.c| 1 +
 libavfilter/avf_showspectrum.c | 2 ++
 libavfilter/window_func.h  | 9 +
 5 files changed, 16 insertions(+)

diff --git a/doc/filters.texi b/doc/filters.texi
index 7811c25ddb..9c7cc2284b 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -20851,6 +20851,7 @@ It accepts the following values:
 @item cauchy
 @item parzen
 @item poisson
+@item bohman
 @end table
 Default is @code{hanning}.
 
@@ -21009,6 +21010,7 @@ It accepts the following values:
 @item cauchy
 @item parzen
 @item poisson
+@item bohman
 @end table
 
 Default value is @code{hann}.
@@ -21172,6 +21174,7 @@ It accepts the following values:
 @item cauchy
 @item parzen
 @item poisson
+@item bohman
 @end table
 Default value is @code{hann}.
 
diff --git a/libavfilter/asrc_hilbert.c b/libavfilter/asrc_hilbert.c
index a3a395254f..a51c676c6f 100644
--- a/libavfilter/asrc_hilbert.c
+++ b/libavfilter/asrc_hilbert.c
@@ -67,6 +67,7 @@ static const AVOption hilbert_options[] = {
 { "cauchy",   "Cauchy",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_CAUCHY},   0, 0, FLAGS, "win_func" },
 { "parzen",   "Parzen",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_PARZEN},   0, 0, FLAGS, "win_func" },
 { "poisson",  "Poisson",  0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_POISSON},  0, 0, FLAGS, "win_func" },
+{ "bohman" ,  "Bohman",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_BOHMAN},   0, 0, FLAGS, "win_func" },
 {NULL}
 };
 
diff --git a/libavfilter/avf_showfreqs.c b/libavfilter/avf_showfreqs.c
index 22f28ec387..ff6a762547 100644
--- a/libavfilter/avf_showfreqs.c
+++ b/libavfilter/avf_showfreqs.c
@@ -118,6 +118,7 @@ static const AVOption showfreqs_options[] = {
 { "cauchy",   "Cauchy",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_CAUCHY},   0, 0, FLAGS, "win_func" },
 { "parzen",   "Parzen",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_PARZEN},   0, 0, FLAGS, "win_func" },
 { "poisson",  "Poisson",  0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_POISSON},  0, 0, FLAGS, "win_func" },
+{ "bohman",   "Bohman",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_BOHMAN} ,  0, 0, FLAGS, "win_func" },
 { "overlap",  "set window overlap", OFFSET(overlap), AV_OPT_TYPE_FLOAT, 
{.dbl=1.}, 0., 1., FLAGS },
 { "averaging", "set time averaging", OFFSET(avg), AV_OPT_TYPE_INT, 
{.i64=1}, 0, INT32_MAX, FLAGS },
 { "colors", "set channels colors", OFFSET(colors), AV_OPT_TYPE_STRING, 
{.str = "red|green|blue|yellow|orange|lime|pink|magenta|brown" }, 0, 0, FLAGS },
diff --git a/libavfilter/avf_showspectrum.c b/libavfilter/avf_showspectrum.c
index 41693a0ce1..b278790071 100644
--- a/libavfilter/avf_showspectrum.c
+++ b/libavfilter/avf_showspectrum.c
@@ -152,6 +152,7 @@ static const AVOption showspectrum_options[] = {
 { "cauchy",   "Cauchy",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_CAUCHY},   0, 0, FLAGS, "win_func" },
 { "parzen",   "Parzen",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_PARZEN},   0, 0, FLAGS, "win_func" },
 { "poisson",  "Poisson",  0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_POISSON},  0, 0, FLAGS, "win_func" },
+{ "bohman",   "Bohman",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_BOHMAN},   0, 0, FLAGS, "win_func" },
 { "orientation", "set orientation", OFFSET(orientation), AV_OPT_TYPE_INT, 
{.i64=VERTICAL}, 0, NB_ORIENTATIONS-1, FLAGS, "orientation" },
 { "vertical",   NULL, 0, AV_OPT_TYPE_CONST, {.i64=VERTICAL},   0, 0, 
FLAGS, "orientation" },
 { "horizontal", NULL, 0, AV_OPT_TYPE_CONST, {.i64=HORIZONTAL}, 0, 0, 
FLAGS, "orientation" },
@@ -1425,6 +1426,7 @@ static const AVOption showspectrumpic_options[] = {
 { "cauchy",   "Cauchy",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_CAUCHY},   0, 0, FLAGS, "win_func" },
 { "parzen",   "Parzen",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_PARZEN},   0, 0, FLAGS, "win_func" },
 { "poisson",  "Poisson",  0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_POISSON},  0, 0, FLAGS, "win_func" },
+{ "bohman",   "Bohman",   0, AV_OPT_TYPE_CONST, 
{.i64=WFUNC_BOHMAN},   0, 0, FLAGS, "win_func" },
 { "orientation", "set orientation", OFFSET(orientation), AV_OPT_TYPE_INT, 
{.i64=VERTICAL}, 0, NB_ORIENTATIONS-1, FLAGS, "orientation" },
 { "vertical",   NULL, 0, AV_OPT_TYPE_CONST, {.i64=VERTICAL},   0, 0, 
FLAGS, "orientation" },
 { "horizontal", NULL, 0, AV_OPT_TYPE_CONST, {.i64=HORIZONTAL}, 0, 0, 
FLAGS, "orientation" },
diff --git a/libavfilter/window_func.h b/libavfilter/window_func.h
index a94482c937..1de8f1fbdb 100644
---