[FFmpeg-cvslog] avfilter/vf_tile: add init_padding option

2017-12-01 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Fri Nov 17 21:33:37 
2017 +0100| [2cfc8b172ce767928a6394e066cb0b2789efd395] | committer: Paul B Mahol

avfilter/vf_tile: add init_padding option

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2cfc8b172ce767928a6394e066cb0b2789efd395
---

 doc/filters.texi  |  5 +
 libavfilter/vf_tile.c | 12 +++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/doc/filters.texi b/doc/filters.texi
index 4a4efc70c8..ec37b9dcb8 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -14637,6 +14637,11 @@ is "black".
 @item overlap
 Set the number of frames to overlap when tiling several successive frames 
together.
 The value must be between @code{0} and @var{nb_frames - 1}.
+
+@item init_padding
+Set the number of frames to initially be empty before displaying first output 
frame.
+This controls how soon will one get first output frame.
+The value must be between @code{0} and @var{nb_frames - 1}.
 @end table
 
 @subsection Examples
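
Review bot: The new init_padding entry states the range 0 to nb_frames - 1 but not the default or what happens outside that range, and "This controls how soon will one get first output frame" reads awkwardly. Suggest "This controls how soon the first output frame is produced", plus the default (0 in the option table of vf_tile.c) and one sentence on out-of-range values, which init() only warns about.
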
diff --git a/libavfilter/vf_tile.c b/libavfilter/vf_tile.c
index 7717ce12e7..439689a14d 100644
--- a/libavfilter/vf_tile.c
+++ b/libavfilter/vf_tile.c
@@ -38,6 +38,7 @@ typedef struct TileContext {
 unsigned margin;
 unsigned padding;
 unsigned overlap;
+unsigned init_padding;
 unsigned current;
 unsigned nb_frames;
 FFDrawContext draw;
@@ -62,6 +63,8 @@ static const AVOption tile_options[] = {
 { "color",   "set the color of the unused area", OFFSET(rgba_color), 
AV_OPT_TYPE_COLOR, {.str = "black"}, .flags = FLAGS },
 { "overlap", "set how many frames to overlap for each render", 
OFFSET(overlap),
 AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, FLAGS },
+{ "init_padding", " set how many frames to initially pad", 
OFFSET(init_padding),
+AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, FLAGS },
 { NULL }
 };
 
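Review bot: The help string of the new option starts with a stray space, " set how many frames to initially pad", which will show up in the option listing. The entry is also declared with the range 0..INT_MAX while the documented limit is nb_frames - 1, so the real bound is enforced only later in init(); a short comment saying so would help.
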
@@ -99,6 +102,12 @@ static av_cold int init(AVFilterContext *ctx)
 tile->overlap = tile->nb_frames - 1;
 }
 
+if (tile->init_padding >= tile->nb_frames) {
+av_log(ctx, AV_LOG_WARNING, "init_padding must be less than %d\n", 
tile->nb_frames);
+} else {
+tile->current = tile->init_padding;
+}
+
 return 0;
 }
 
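Review bot: In the new init() block an out-of-range init_padding only logs a warning and is skipped for tile->current, but the field keeps its value, so the tile->init_padding test added in filter_frame() still sees it. The overlap handling just above clamps to tile->nb_frames - 1; doing the same here, or returning AVERROR(EINVAL), would be more consistent with the documented range. tile->nb_frames is unsigned, so the format should be %u rather than %d.
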
@@ -201,11 +210,12 @@ static int filter_frame(AVFilterLink *inlink, AVFrame 
*picref)
 tile->out_ref->height = outlink->h;
 
 /* fill surface once for margin/padding */
-if (tile->margin || tile->padding)
+if (tile->margin || tile->padding || tile->init_padding)
 ff_fill_rectangle(&tile->draw, &tile->blank,
   tile->out_ref->data,
   tile->out_ref->linesize,
   0, 0, outlink->w, outlink->h);
+tile->init_padding = 0;
 }
 
 if (tile->prev_out_ref) {
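
Review bot: tile->init_padding = 0; in filter_frame() overwrites a user-set option field as a side effect of setting up the first output frame, so the option reads back as 0 afterwards. A separate private flag would keep option storage read-only at run time. The reset also runs unconditionally after the if that calls ff_fill_rectangle(), and a comment explaining that the fill is needed only for the first, partly empty, output would make the intent clear.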

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: master | Dale Curtis  | Thu Nov 30 
12:20:36 2017 -0800| [95bacb521af8cd28f146f045437c9f75717a493a] | committer: 
Michael Niedermayer

avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

Didn't notice this one when 9648cc6d was landed.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95bacb521af8cd28f146f045437c9f75717a493a
---

 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 5ccc37a2df..cca2aa7c63 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -67,7 +67,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, 
unsigned num)
 if (bits[p] > 32)
 return AVERROR_INVALIDDATA;
 for (i = 0; i < bits[p]; ++i)
-exit_at_level[i+1] = 1 << i;
+exit_at_level[i+1] = 1u << i;
 
 ++p;
 
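Review bot: The fix in exit_at_level[i+1] = 1u << i; is complete only if exit_at_level has an unsigned 32-bit element type, and its declaration is not part of this hunk; with a signed element type, storing 1u << 31 is an implementation-defined conversion. The visible bits[p] > 32 check allows i to reach 31, so that case is reachable.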



[FFmpeg-cvslog] avfilter: add fillborders filter

2017-12-01 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Sat Nov 18 18:18:39 
2017 +0100| [e1dd97bd4c03d658f9b18a0d6269f1bc06f796c9] | committer: Paul B Mahol

avfilter: add fillborders filter

Signed-off-by: Paul B Mahol 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1dd97bd4c03d658f9b18a0d6269f1bc06f796c9
---

 Changelog|   1 +
 doc/filters.texi |  42 +
 libavfilter/Makefile |   1 +
 libavfilter/allfilters.c |   1 +
 libavfilter/version.h|   2 +-
 libavfilter/vf_fillborders.c | 394 +++
 6 files changed, 440 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 9eaaedbcab..b00996157c 100644
--- a/Changelog
+++ b/Changelog
@@ -23,6 +23,7 @@ version :
 - audio lv2 wrapper filter
 - VAAPI VP8 decoding
 - AMD AMF H.264 and HEVC encoders
+- video fillborders filter
 
 
 version 3.4:
diff --git a/doc/filters.texi b/doc/filters.texi
index ec37b9dcb8..f7c371592f 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -8610,6 +8610,48 @@ framework.
 
 It does not take parameters.
 
+@section fillborders
+
+Fill borders of the input video, without changing video stream dimensions.
+Sometimes video can have garbage at the four edges and you may not want to
+crop video input to keep size multiple of some number.
+
+This filter accepts the following options:
+
+@table @option
+@item left
+Number of pixels to fill from left border.
+
+@item right
+Number of pixels to fill from right border.
+
+@item top
+Number of pixels to fill from top border.
+
+@item bottom
+Number of pixels to fill from bottom border.
+
+@item mode
+Set fill mode.
+
+It accepts the following values:
+@table @samp
+@item smear
+fill pixels using outermost pixels
+
+@item mirror
+fill pixels using mirroring
+
+@item fixed
+fill pixels with constant value
+@end table
+
+Default is @var{smear}.
+
+@item color
+Set color for pixels in fixed mode. Default is @var{black}.
+@end table
+
 @section find_rect
 
 Find a rectangular object
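
Review bot: The left, right, top and bottom entries give neither a default nor a valid range, and nothing says what happens when a border is larger than the frame dimension; one sentence per option, or a shared one, would cover it. "Default is @var{smear}" and "@var{black}" mark literal values as metasyntactic variables, where @samp or @code fits better. The three mode descriptions would read better capitalised and ended with a full stop, like the other items.
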
diff --git a/libavfilter/Makefile b/libavfilter/Makefile
index 0b77d7a01f..1c0cc1da80 100644
--- a/libavfilter/Makefile
+++ b/libavfilter/Makefile
@@ -192,6 +192,7 @@ OBJS-$(CONFIG_FIELD_FILTER)  += vf_field.o
 OBJS-$(CONFIG_FIELDHINT_FILTER)  += vf_fieldhint.o
 OBJS-$(CONFIG_FIELDMATCH_FILTER) += vf_fieldmatch.o
 OBJS-$(CONFIG_FIELDORDER_FILTER) += vf_fieldorder.o
+OBJS-$(CONFIG_FILLBORDERS_FILTER)+= vf_fillborders.o
 OBJS-$(CONFIG_FIND_RECT_FILTER)  += vf_find_rect.o lavfutils.o
 OBJS-$(CONFIG_FLOODFILL_FILTER)  += vf_floodfill.o
 OBJS-$(CONFIG_FORMAT_FILTER) += vf_format.o
diff --git a/libavfilter/allfilters.c b/libavfilter/allfilters.c
index 4c834f7381..fc212e58db 100644
--- a/libavfilter/allfilters.c
+++ b/libavfilter/allfilters.c
@@ -202,6 +202,7 @@ static void register_all(void)
 REGISTER_FILTER(FIELDHINT,  fieldhint,  vf);
 REGISTER_FILTER(FIELDMATCH, fieldmatch, vf);
 REGISTER_FILTER(FIELDORDER, fieldorder, vf);
+REGISTER_FILTER(FILLBORDERS,fillborders,vf);
 REGISTER_FILTER(FIND_RECT,  find_rect,  vf);
 REGISTER_FILTER(FLOODFILL,  floodfill,  vf);
 REGISTER_FILTER(FORMAT, format, vf);
diff --git a/libavfilter/version.h b/libavfilter/version.h
index 1d356a9a5a..6b8110c9de 100644
--- a/libavfilter/version.h
+++ b/libavfilter/version.h
@@ -30,7 +30,7 @@
 #include "libavutil/version.h"
 
 #define LIBAVFILTER_VERSION_MAJOR   7
-#define LIBAVFILTER_VERSION_MINOR   5
+#define LIBAVFILTER_VERSION_MINOR   6
 #define LIBAVFILTER_VERSION_MICRO 100
 
 #define LIBAVFILTER_VERSION_INT AV_VERSION_INT(LIBAVFILTER_VERSION_MAJOR, \
diff --git a/libavfilter/vf_fillborders.c b/libavfilter/vf_fillborders.c
new file mode 100644
index 00..df883bc62e
--- /dev/null
+++ b/libavfilter/vf_fillborders.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (c) 2017 Paul B Mahol
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "libavutil/colorspace.h"
+#include "libavutil/common.h"
+#include "libavutil/opt.h"
+#include "libavutil/pixdesc.h"
+#include "avfilter.h"
+#include "drawutils.h"
+#include "formats.h"
+#include "int

[FFmpeg-cvslog] checkasm/utvideo : be more explicit to the WIDTH_PADDED define

2017-12-01 Thread Martin Vignali
ffmpeg | branch: master | Martin Vignali  | Tue Nov 
21 22:01:42 2017 +0100| [9bed17cd0f02dda5e1211a7a61c24b8957a2e100] | committer: 
Martin Vignali

checkasm/utvideo : be more explicit to the WIDTH_PADDED define

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9bed17cd0f02dda5e1211a7a61c24b8957a2e100
---

 tests/checkasm/utvideodsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/checkasm/utvideodsp.c b/tests/checkasm/utvideodsp.c
index 618706a6e3..080b4287d7 100644
--- a/tests/checkasm/utvideodsp.c
+++ b/tests/checkasm/utvideodsp.c
@@ -27,7 +27,7 @@
 
 #define WIDTH 240
 #define HEIGHT 120
-#define WIDTH_PADDED (WIDTH+WIDTH%32)
+#define WIDTH_PADDED (WIDTH + 16) /* padded to 32 */
 #define BUFFER_SIZE (WIDTH_PADDED * HEIGHT)
 
 
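Review bot: #define WIDTH_PADDED (WIDTH + 16) is correct only while WIDTH is 240; the constant 16 silently stops producing a multiple of 32 as soon as WIDTH changes. The replaced WIDTH+WIDTH%32 had the same weakness in another form. Computing the rounding, for example FFALIGN(WIDTH, 32) or ((WIDTH + 31) & ~31), states the intent and stays right for any width.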



[FFmpeg-cvslog] mediacodecdec: fix build by including hwaccel.h

2017-12-01 Thread Jan Ekström
ffmpeg | branch: master | Jan Ekström  | Fri Dec  1 22:21:54 
2017 +0200| [6939b3cb9d60a3159413d76c8656cb240c823412] | committer: Jan Ekström

mediacodecdec: fix build by including hwaccel.h

Enables the decoder to utilize the type AVCodecHWConfigInternal.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6939b3cb9d60a3159413d76c8656cb240c823412
---

 libavcodec/mediacodecdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c
index 6d392adb3a..39f5cbc045 100644
--- a/libavcodec/mediacodecdec.c
+++ b/libavcodec/mediacodecdec.c
@@ -33,6 +33,7 @@
 #include "avcodec.h"
 #include "h264_parse.h"
 #include "hevc_parse.h"
+#include "hwaccel.h"
 #include "internal.h"
 #include "mediacodec_wrapper.h"
 #include "mediacodecdec_common.h"



[FFmpeg-cvslog] examples/vaapi_encode: Fix leak on hwframe init failure

2017-12-01 Thread Mark Thompson
ffmpeg | branch: master | Mark Thompson  | Fri Dec  1 21:06:42 
2017 +| [a763d278274cfbda4e78e21b338b9b525fe22eab] | committer: Mark 
Thompson

examples/vaapi_encode: Fix leak on hwframe init failure

Fixes CID #1424882.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a763d278274cfbda4e78e21b338b9b525fe22eab
---

 doc/examples/vaapi_encode.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/examples/vaapi_encode.c b/doc/examples/vaapi_encode.c
index 866b03d58c..f66a4a7c48 100644
--- a/doc/examples/vaapi_encode.c
+++ b/doc/examples/vaapi_encode.c
@@ -58,6 +58,7 @@ static int set_hwframe_ctx(AVCodecContext *ctx, AVBufferRef 
*hw_device_ctx)
 if ((err = av_hwframe_ctx_init(hw_frames_ref)) < 0) {
 fprintf(stderr, "Failed to initialize VAAPI frame context."
 "Error code: %s\n",av_err2str(err));
+av_buffer_unref(&hw_frames_ref);
 return err;
 }
 ctx->hw_frames_ctx = av_buffer_ref(hw_frames_ref);
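
Review bot: The last context line, ctx->hw_frames_ctx = av_buffer_ref(hw_frames_ref);, can yield NULL, and the hunk does not show that result being checked or the local hw_frames_ref being released afterwards; since this patch is about reference handling in set_hwframe_ctx(), both are worth confirming in the lines that follow. The added av_buffer_unref(&hw_frames_ref); itself looks right for this error path. Separately, the two string literals in the fprintf concatenate to "context.Error code", so a space is missing.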



[FFmpeg-cvslog] avcodec/j2kenc: Fix out of array access in encode_cblk()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Nov 30 23:42:04 2017 +0100| [0674087004538599797688785f6ac82358abc23b] | 
committer: Michael Niedermayer

avcodec/j2kenc: Fix out of array access in encode_cblk()

Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0674087004538599797688785f6ac82358abc23b
---

 libavcodec/j2kenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c
index 32c7fddb74..78ec88a694 100644
--- a/libavcodec/j2kenc.c
+++ b/libavcodec/j2kenc.c
@@ -690,7 +690,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, 
Jpeg2000T1Context *t1, Jpeg20
 cblk->npasses = passno;
 cblk->ninclpasses = passno;
 
-cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, 
cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
+if (passno)
+cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, 
cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
 }
 
 /* tier-2 routines: */
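
Review bot: The new if (passno) guard stops the cblk->passes[passno-1] access, but nothing here says when encode_cblk() legitimately finishes with passno == 0, and in that case ff_mqc_flush_to() is skipped entirely. A one-line comment on the zero-pass case, and on why skipping the flush is safe for the code that consumes the block later, would make the fix easier to trust. The guarded statement is long enough that braces would help readability.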



[FFmpeg-cvslog] avcodec/jpeg2000: Only allocate Jpeg2000Pass for the encoder

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Nov 30 21:51:56 2017 +0100| [b5587fd2c6ce39bad7a5e7ebb3bd86b6469648de] | 
committer: Michael Niedermayer

avcodec/jpeg2000: Only allocate Jpeg2000Pass for the encoder

Reduces memory needed.
Fixes: OOM
Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b5587fd2c6ce39bad7a5e7ebb3bd86b6469648de
---

 libavcodec/j2kenc.c   | 4 +++-
 libavcodec/jpeg2000.c | 1 +
 libavcodec/jpeg2000.h | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c
index 78ec88a694..3e542af3c6 100644
--- a/libavcodec/j2kenc.c
+++ b/libavcodec/j2kenc.c
@@ -941,7 +941,9 @@ static int encode_tile(Jpeg2000EncoderContext *s, 
Jpeg2000Tile *tile, int tileno
 }
 if (!prec->cblk[cblkno].data)
 prec->cblk[cblkno].data = av_malloc(1 + 8192);
-if (!prec->cblk[cblkno].data)
+if (!prec->cblk[cblkno].passes)
+prec->cblk[cblkno].passes = 
av_malloc_array(JPEG2000_MAX_PASSES, sizeof (*prec->cblk[cblkno].passes));
+if (!prec->cblk[cblkno].data || 
!prec->cblk[cblkno].passes)
 return AVERROR(ENOMEM);
 encode_cblk(s, &t1, prec->cblk + cblkno, tile, xx1 - 
xx0, yy1 - yy0,
 bandpos, codsty->nreslevels - reslevelno - 
1);
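
Review bot: av_malloc_array(JPEG2000_MAX_PASSES, sizeof (*prec->cblk[cblkno].passes)) returns uninitialised memory, whereas passes used to be an array embedded in Jpeg2000Cblk and so shared whatever initialisation the code block itself received. If the encoder reads any Jpeg2000Pass field before writing it, a zeroing allocator such as av_mallocz_array() is the safer choice. The combined !data || !passes check is fine, since ff_jpeg2000_cleanup() frees both in this patch.
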
diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c
index 8551cf8d6c..5f3965047f 100644
--- a/libavcodec/jpeg2000.c
+++ b/libavcodec/jpeg2000.c
@@ -606,6 +606,7 @@ void ff_jpeg2000_cleanup(Jpeg2000Component *comp, 
Jpeg2000CodingStyle *codsty)
 for (cblkno = 0; cblkno < nb_code_blocks; cblkno ++) {
 Jpeg2000Cblk *cblk = &prec->cblk[cblkno];
 av_freep(&cblk->data);
+av_freep(&cblk->passes);
 }
 av_freep(&prec->cblk);
 }
diff --git a/libavcodec/jpeg2000.h b/libavcodec/jpeg2000.h
index eaf7faf342..752feae96b 100644
--- a/libavcodec/jpeg2000.h
+++ b/libavcodec/jpeg2000.h
@@ -173,7 +173,7 @@ typedef struct Jpeg2000Cblk {
 int nb_terminations;
 int nb_terminationsinc;
 int data_start[JPEG2000_MAX_PASSES];
-Jpeg2000Pass passes[JPEG2000_MAX_PASSES];
+Jpeg2000Pass *passes;
 int coord[2][2]; // border coordinates {{x0, x1}, {y0, y1}}
 } Jpeg2000Cblk; // code block
 
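Review bot: With Jpeg2000Pass *passes; the member stays unallocated unless the encoder sets it up, but the struct lives in the shared jpeg2000.h and the member carries no comment. Please document it as encoder-only (allocated in encode_tile(), freed in ff_jpeg2000_cleanup()) so that no other user of Jpeg2000Cblk dereferences it.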



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Nov 30 21:27:37 2017 +0100| [0409d333115e623b5ccdbb364d64ca2a52fd8467] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

Fixes: runtime error: left shift of negative value -127
Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0409d333115e623b5ccdbb364d64ca2a52fd8467
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 46a0da2045..0623cfad89 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1355,7 +1355,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * 
wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
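
Review bot: In the changed term, (ox0 + ox1 + 1) * (1 << log2Wd) is still signed int arithmetic, so it is well defined for negative offsets but can overflow for large ones, and the whole sum is then right-shifted by log2Wd + 1 as a signed value. If the ranges of ox0, ox1 and log2Wd are not bounded before this function, doing the sum in unsigned or a wider type would cover both. A short comment on why a multiplication replaces the shift would keep it from being turned back into << later.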



[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov  1 14:00:20 2017 +0100| [b45971a955572390dca2c180c3477995152447df] | 
committer: Michael Niedermayer

avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()

Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long'
Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b45971a955572390dca2c180c3477995152447df
---

 libavcodec/sbrdsp_fixed.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c
index f45bb847a8..07ef12117c 100644
--- a/libavcodec/sbrdsp_fixed.c
+++ b/libavcodec/sbrdsp_fixed.c
@@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int 
(*X_high)[40][2],
 int64_t accu;
 
 for (m = 0; m < m_max; m++) {
-int64_t r = 1LL << (22-g_filt[m].exp);
-accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
-Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
+if (22 - g_filt[m].exp < 61) {
+int64_t r = 1LL << (22-g_filt[m].exp);
+accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
+Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
 
-accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
-Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
+Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+}
 }
 }
 
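Review bot: When 22 - g_filt[m].exp < 61 is false the body is skipped and Y[m][0] and Y[m][1] are never written, so the caller sees whatever Y held before; writing 0 in an else branch would make the output deterministic. The guard also bounds the shift only from above: for g_filt[m].exp greater than 22 the exponent in 1LL << (22-g_filt[m].exp) is negative, which is undefined as well.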



[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov  1 14:00:19 2017 +0100| [21ae8b4869e2b2d51be2ce726b03cd86bc36285f] | 
committer: Michael Niedermayer

avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()

Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7d1dec466895eed12f2c79b7ab5447f5390fe869)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21ae8b4869e2b2d51be2ce726b03cd86bc36285f
---

 libavcodec/aacsbr_fixed.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c
index 1f5ff410d1..2a679491b0 100644
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@@ -437,6 +437,7 @@ static void sbr_gain_calc(AACContext *ac, 
SpectralBandReplication *sbr,
 av_add_sf(FLOAT_1, 
sbr->e_curr[e][m]),
 av_add_sf(FLOAT_1, 
sbr->q_mapped[e][m];
 }
+sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN);
 }
 for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 
1] - sbr->kx[1]; m++) {
 sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]);
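
Review bot: The added sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); has no comment, and from the hunk alone it is not clear that its purpose is to keep the gain non-zero for a later division. A short comment naming the division it protects would help. It is also worth stating that the bias is applied to every gain value, not only to zero ones.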



[FFmpeg-cvslog] avcodec/jpeglsdec: Check ilv for being a supported value

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Thu Oct 26 00:02:56 2017 +0200| [52bb493afaa51e9929929412a3c37434c109acea] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check ilv for being a supported value

Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fe533628b9604e2f8e5179d5c5dd17c3cb764265)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52bb493afaa51e9929929412a3c37434c109acea
---

 libavcodec/jpeglsdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 20b40445fd..60701d69fd 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -438,6 +438,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int 
near,
 avpriv_report_missing_feature(s->avctx, "Sample interleaved images");
 ret = AVERROR_PATCHWELCOME;
 goto end;
+} else { /* unknown interleaving */
+avpriv_report_missing_feature(s->avctx, "Unknown interleaved images");
+ret = AVERROR_PATCHWELCOME;
+goto end;
 }
 
 if (s->xfrm && s->nb_components == 3) {
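
Review bot: The new else branch reports an unrecognised ilv through avpriv_report_missing_feature() and returns AVERROR_PATCHWELCOME, the same as the unimplemented sample-interleaved case above it. If the remaining values are not defined by the format, this is invalid input rather than a missing feature, and an av_log() error with AVERROR_INVALIDDATA would describe it more accurately. Logging the offending ilv value would also help triage.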



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Fri Oct 27 02:23:21 2017 +0200| [52ebd1a0dc2f0eb29eb6cf39c5b0cd9b35b3a0b5] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed()

Fixes: runtime error: signed integer overflow: 623487 * 536870912 cannot be 
represented in type 'int'
Fixes: 3594/clusterfuzz-testcase-minimized-4650622935629824

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 41d96af2a74cb5df50346b160067facd43149667)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52ebd1a0dc2f0eb29eb6cf39c5b0cd9b35b3a0b5
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 21d81e046e..d6959b8ac2 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -394,7 +394,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
 for (k = offsets[i]; k < offsets[i + 1]; k++) {
 tmp = (int)(((int64_t)src[group * 128 + k] * c + \
 (int64_t)0x10) >> 37);
-dest[group * 128 + k] += tmp * (1 << shift);
+dest[group * 128 + k] += tmp * (1U << shift);
 }
 }
 }
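
Review bot: In dest[group * 128 + k] += tmp * (1U << shift); the range of shift is not visible, and 1U << shift is still undefined for a shift of 32 or more or for a negative one. If that bound is not enforced earlier in apply_dependent_coupling_fixed(), it should be checked here. The product now wraps as unsigned by design; a brief comment saying the wraparound is intentional would keep the U suffix from being removed later.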



[FFmpeg-cvslog] avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sat Nov  4 01:19:20 2017 +0100| [122634a580dfecec51f6105205b144e60731ae78] | 
committer: Michael Niedermayer

avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()

Fixes: runtime error: signed integer overflow: -503316480 + -2013265038 cannot 
be represented in type 'int'
Fixes: 3805/clusterfuzz-testcase-minimized-6578427831255040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e131b8cedb00043dcc97cc05ca04749ec8ff57de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=122634a580dfecec51f6105205b144e60731ae78
---

 libavcodec/h264idct_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c
index abf888ed96..e402c9636b 100644
--- a/libavcodec/h264idct_template.c
+++ b/libavcodec/h264idct_template.c
@@ -91,10 +91,10 @@ void FUNCC(ff_h264_idct8_add)(uint8_t *_dst, int16_t 
*_block, int stride){
 const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + 
(block[i+5*8]>>1);
 const int a7 =  block[i+3*8] + block[i+5*8] + block[i+1*8] + 
(block[i+1*8]>>1);
 
-const int b1 = (a7>>2) + a1;
-const int b3 =  a3 + (a5>>2);
-const int b5 = (a3>>2) - a5;
-const int b7 =  a7 - (a1>>2);
+const int b1 = (a7>>2) + (unsigned)a1;
+const int b3 =  (unsigned)a3 + (a5>>2);
+const int b5 = (a3>>2) - (unsigned)a5;
+const int b7 =  (unsigned)a7 - (a1>>2);
 
 block[i+0*8] = b0 + b7;
 block[i+7*8] = b0 - b7;
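
Review bot: The (unsigned) casts cover b1, b3, b5 and b7 only; the visible sums for a5 and a7 above and b0 + b7 / b0 - b7 below are still plain int arithmetic on the same data, so whether they can overflow on the same inputs deserves a look. The results are also converted back to const int, which relies on the usual implementation-defined conversion. Minor: =  (unsigned)a3 and =  (unsigned)a7 keep a double space left over from the old alignment.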



[FFmpeg-cvslog] avcodec/xan: Improve overlapping check

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Mon Oct 30 23:21:40 2017 +0100| [a3bb922c4da1745fb6a12adc1b4e15e97794aaa6] | 
committer: Michael Niedermayer

avcodec/xan: Improve overlapping check

Fixes: memcpy-param-overlap
Fixes: 3612/clusterfuzz-testcase-minimized-6393461273001984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e8fafef1db43ead4eae5a6301ccc300e73aa47da)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3bb922c4da1745fb6a12adc1b4e15e97794aaa6
---

 libavcodec/xan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 662386af9a..85fa8e7394 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -262,7 +262,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s, 
AVFrame *frame,
 prevframe_index = (y + motion_y) * stride + x + motion_x;
 prevframe_x = x + motion_x;
 
-if (prev_palette_plane == palette_plane && FFABS(curframe_index - 
prevframe_index) < pixel_count) {
+if (prev_palette_plane == palette_plane && FFABS(motion_x + 
width*motion_y) < pixel_count) {
  avpriv_request_sample(s->avctx, "Overlapping copy");
  return ;
 }
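
Review bot: The new test uses width*motion_y, while the context line just above computes prevframe_index = (y + motion_y) * stride + x + motion_x, so the distance between source and destination is expressed in units of stride there. If stride and width can differ, FFABS(motion_x + width*motion_y) is not the offset the copy actually uses, and the overlap check can miss or misreport cases. Using stride here, or a comment explaining why width is the right unit, would settle it.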



[FFmpeg-cvslog] avformat/mov: Check size of STSC allocation

2017-12-01 Thread Fredrik Hubinette
ffmpeg | branch: release/3.0 | Fredrik Hubinette  | Wed Nov 
15 17:24:30 2017 -0800| [74677deaca819c4a25b01488e0b69d9e984f103f] | committer: 
Michael Niedermayer

avformat/mov: Check size of STSC allocation

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a6fdd75fe6440d2f4150cb456a9078aa68b00fdb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74677deaca819c4a25b01488e0b69d9e984f103f
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6768aa2792..85bf2e5211 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2248,6 +2248,8 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb24(pb); /* flags */
 
 entries = avio_rb32(pb);
+if ((uint64_t)entries * 12 + 4 > atom.size)
+return AVERROR_INVALIDDATA;
 
 av_log(c->fc, AV_LOG_TRACE, "track[%i].stsc.entries = %i\n", 
c->fc->nb_streams-1, entries);
 
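Review bot: The bound (uint64_t)entries * 12 + 4 > atom.size budgets 4 bytes for the fixed part, but the visible reads before the table are already 3 bytes of flags (avio_rb24) plus the 4-byte entries field, so the check is slightly looser than the data actually consumed. It still caps the allocation, which is the goal, but matching the constant to the bytes read would make it exact. If atom.size is a signed type, a negative value converts to a huge unsigned number in this comparison and passes; that is worth ruling out.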



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in predict()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Fri Oct 27 02:23:20 2017 +0200| [56cc35019e4a51bc40b06d9898a6ace387964c7d] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in predict()

Fixes: runtime error: signed integer overflow: -2110708110 + -82837504 cannot 
be represented in type 'int'
Fixes: 3547/clusterfuzz-testcase-minimized-6009386439802880

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0976752420706c0a8b3cb8fd61497a47c7d7270f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56cc35019e4a51bc40b06d9898a6ace387964c7d
---

 libavcodec/aacdec_fixed.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 8c8eeafcc1..21d81e046e 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -307,9 +307,9 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 
 if (shift < 31) {
 if (shift > 0) {
-*coef += (pv.mant + (1 << (shift - 1))) >> shift;
+*coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += pv.mant << -shift;
+*coef += (unsigned)(pv.mant << -shift);
 }
 }
 
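Review bot: In the else branch, (unsigned)(pv.mant << -shift) applies the cast to the result, so the left shift itself is still performed on a signed pv.mant and stays undefined for negative values or on overflow. Casting the operand, (unsigned)pv.mant << -shift, is what removes the undefined behaviour. The shift > 0 branch has the same shape: pv.mant + (1 << (shift - 1)) is computed in signed int before the cast is applied.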



[FFmpeg-cvslog] avformat: Free the internal codec context at the end

2017-12-01 Thread Luca Barbato
ffmpeg | branch: release/3.0 | Luca Barbato  | Wed Apr 12 
01:46:30 2017 +0200| [66754f0a962ebb0323269fca4ac2e93643393777] | committer: 
Michael Niedermayer

avformat: Free the internal codec context at the end

Avoid a use after free in avformat_find_stream_info.

(cherry picked from commit 9e4a5eb51b9f3b2bff0ef08e0074b7fe4893075d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=66754f0a962ebb0323269fca4ac2e93643393777
---

 libavformat/utils.c | 7 +--
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index fa64e5c188..1a098b6d88 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3475,12 +3475,6 @@ int avformat_find_stream_info(AVFormatContext *ic, 
AVDictionary **options)
 }
 }
 
-// close codecs which were opened in try_decode_frame()
-for (i = 0; i < ic->nb_streams; i++) {
-st = ic->streams[i];
-avcodec_close(st->codec);
-}
-
 ff_rfps_calculate(ic);
 
 for (i = 0; i < ic->nb_streams; i++) {
@@ -3596,6 +3590,7 @@ find_stream_info_err:
 ic->streams[i]->codec->thread_count = 0;
 if (st->info)
 av_freep(&st->info->duration_error);
+avcodec_close(st->codec);
 av_freep(&ic->streams[i]->info);
 }
 if (ic->pb)
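
Review bot: The added avcodec_close(st->codec); uses st, while the neighbouring lines address the same stream as ic->streams[i]; the assignment of st inside this loop is not visible in the hunk, so please confirm it is set on every iteration before this line (the if (st->info) just above depends on it too). With the earlier close loop removed, codecs opened in try_decode_frame() now stay open through ff_rfps_calculate() and the rest of the function; that is the point of the change, and the removed comment could move here to say so.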



[FFmpeg-cvslog] avutil/softfloat: Add FLOAT_MIN

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov  1 14:00:18 2017 +0100| [4fbee4272793da37c8ba563eab754de355304ad7] | 
committer: Michael Niedermayer

avutil/softfloat: Add FLOAT_MIN

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4fbee4272793da37c8ba563eab754de355304ad7
---

 libavutil/softfloat.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h
index df610b7b3b..64696450e2 100644
--- a/libavutil/softfloat.h
+++ b/libavutil/softfloat.h
@@ -43,6 +43,7 @@ static const SoftFloat FLOAT_EPSILON= { 0x29F16B12, -16};
 static const SoftFloat FLOAT_1584893192 = { 0x32B771ED,   1};
 static const SoftFloat FLOAT_10 = { 0x30D4,  17};
 static const SoftFloat FLOAT_099= { 0x3BCE,   0};
+static const SoftFloat FLOAT_MIN= { 0x2000,   MIN_EXP};
 
 static inline av_const double av_sf2double(SoftFloat v) {
 v.exp -= ONE_BITS +1;
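
Review bot: FLOAT_MIN is added with no comment on what it denotes. The neighbouring constants are named after their value, whereas "MIN" could mean the smallest positive magnitude or the most negative value; the initializer (a positive mantissa with MIN_EXP) suggests the former, and a one-line comment would settle it. The diffstat shows a single insertion in softfloat.h, so no user of the constant arrives with this commit; the message should say which fix depends on it.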



[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined shift

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Nov  5 21:20:07 2017 +0100| [43299eabeabc61c6a5b56f85f0901591bd8fb205] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix undefined shift

Fixes: runtime error: left shift of negative value -801112064
Fixes: 3492/clusterfuzz-testcase-minimized-5784775283441664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit fca198fb5bf42ba6b765b3f75b11738e4b4fc2a9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=43299eabeabc61c6a5b56f85f0901591bd8fb205
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index d6959b8ac2..535b323fc0 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -309,7 +309,7 @@ static av_always_inline void predict(PredictorState *ps, 
int *coef,
 if (shift > 0) {
 *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift);
 } else
-*coef += (unsigned)(pv.mant << -shift);
+*coef += (unsigned)pv.mant << -shift;
 }
 }
 
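Review bot: In the else branch, moving the cast inside ((unsigned)pv.mant << -shift) removes the left shift of a negative value, but the shift count is still unchecked: this branch runs for any shift <= 0, and a count of 32 or more is undefined for a 32-bit unsigned as well. If shift cannot go below -31 here, an assertion or a comment stating that would help; otherwise clamp or reject it. The shift > 0 branch leaves the same question open for 1 << (shift - 1) and >> shift.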



[FFmpeg-cvslog] avcodec/snowdec: Check intra block dc differences.

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 15 21:17:15 2017 +0100| [b8a10f10cc5ff6191bd63561cea740f6490366c3] | 
committer: Michael Niedermayer

avcodec/snowdec: Check intra block dc differences.

Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c3b9bbcc6edf2d83fe4857484cfa0839872188c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b8a10f10cc5ff6191bd63561cea740f6490366c3
---

 libavcodec/snowdec.c | 17 +
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 2b92ed3de0..af92cb0070 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -183,13 +183,22 @@ static int decode_q_branch(SnowContext *s, int level, int 
x, int y){
 int my_context= av_log2(2*FFABS(left->my - top->my)) + 
0*av_log2(2*FFABS(tr->my - top->my));
 
 type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? 
BLOCK_INTRA : 0;
-
 if(type){
+int ld, cbd, crd;
 pred_mv(s, &mx, &my, 0, left, top, tr);
-l += get_symbol(&s->c, &s->block_state[32], 1);
+ld = get_symbol(&s->c, &s->block_state[32], 1);
+if (ld < -255 || ld > 255) {
+return AVERROR_INVALIDDATA;
+}
+l += ld;
 if (s->nb_planes > 2) {
-cb+= get_symbol(&s->c, &s->block_state[64], 1);
-cr+= get_symbol(&s->c, &s->block_state[96], 1);
+cbd = get_symbol(&s->c, &s->block_state[64], 1);
+crd = get_symbol(&s->c, &s->block_state[96], 1);
+if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) {
+return AVERROR_INVALIDDATA;
+}
+cb += cbd;
+cr += crd;
 }
 }else{
 if(s->ref_frames > 1)
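
Review bot: The new range tests in the if(type) branch bound only the decoded differences ld, cbd and crd; the accumulated l, cb and cr are not checked after "l += ld;" and the two chroma additions, so the sums can still leave the range the prediction started in. If the intent is to keep the DC values within 8 bits, test the sums; if it is only to reject implausible input early, say so in a comment. The literal 255 appears six times with no explanation, and a named constant would document where the limit comes from. The hunk also deletes the blank line before if(type){, which is unrelated to the fix.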



[FFmpeg-cvslog] avcodec/xan: Check for bitstream end in xan_huffman_decode()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Fri Nov  3 17:48:29 2017 +0100| [4d9321136d7fc344166893153fc092fb821df961] | 
committer: Michael Niedermayer

avcodec/xan: Check for bitstream end in xan_huffman_decode()

Fixes: Timeout
Fixes: 3707/clusterfuzz-testcase-6465922706440192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4b51437dccd62fc5491280db44e3c21b44aeeb3f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d9321136d7fc344166893153fc092fb821df961
---

 libavcodec/xan.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 85fa8e7394..cafcbed9dc 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -130,7 +130,10 @@ static int xan_huffman_decode(uint8_t *dest, int dest_len,
 return ret;
 
 while (val != 0x16) {
-unsigned idx = val - 0x17 + get_bits1(&gb) * byte;
+unsigned idx;
+if (get_bits_left(&gb) < 1)
+return AVERROR_INVALIDDATA;
+idx = val - 0x17 + get_bits1(&gb) * byte;
 if (idx >= 2 * byte)
 return AVERROR_INVALIDDATA;
 val = src[idx];



[FFmpeg-cvslog] avcodec/h264dec: Fix potential array overread

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sat Oct 21 18:04:44 2017 +0200| [2fc1a8ba4984097aca266d6539e52bcfe67d02fb] | 
committer: Michael Niedermayer

avcodec/h264dec: Fix potential array overread

add padding before scantable arrays

See: 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 380b48fb9fdc7b0c40d67e026f9b3accb12794eb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2fc1a8ba4984097aca266d6539e52bcfe67d02fb
---

 libavcodec/h264.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index a5fc3a053f..cfd14aa646 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -605,6 +605,7 @@ typedef struct H264Context {
 uint8_t (*mvd_table[2])[2];
 uint8_t *direct_table;
 
+uint8_t scan_padding[16];
 uint8_t zigzag_scan[16];
 uint8_t zigzag_scan8x8[64];
 uint8_t zigzag_scan8x8_cavlc[64];
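
Review bot: scan_padding[16] only protects reads before zigzag_scan as long as it stays immediately ahead of the scan tables in H264Context, and nothing at the declaration says so. Add a comment stating that the member is deliberate padding for reads that step before the scantable arrays, that it must not be moved or removed, and why 16 bytes is enough. The commit message points to 522d850e68ec4b77d3477b3c8f55b1ba00a9d69a for the rationale; a one-sentence summary in the message itself would spare readers the lookup. Padding absorbs the overread rather than removing it, so the index computation that steps out of range is still worth bounding where it happens.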



[FFmpeg-cvslog] avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Thu Oct 26 00:02:57 2017 +0200| [93854b705273fa77ff22aed393232ae19dfb30d9] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()

Fixes: 1773/clusterfuzz-testcase-minimized-4832523987189760

Fixes: Timeout

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f80224ed19a4c012549fd460d529c7c04e68cf21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93854b705273fa77ff22aed393232ae19dfb30d9
---

 libavcodec/jpeglsdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 60701d69fd..5e0a3d2978 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -233,6 +233,9 @@ static inline void ls_decode_line(JLSState *state, 
MJpegDecodeContext *s,
 while (x < w) {
 int err, pred;
 
+if (get_bits_left(&s->gb) <= 0)
+return;
+
 /* compute gradients */
 Ra = x ? R(dst, x - stride) : R(last, x);
 Rb = R(last, x);
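
Review bot: The new get_bits_left(&s->gb) <= 0 test at the top of the while (x < w) loop leaves ls_decode_line() through a bare "return;", and because the function is void the caller cannot tell a truncated line from a complete one. The pixels from x to w keep whatever dst held before the call. Consider returning an error code so the caller can stop decoding further lines, or at least document that a short bitstream yields a partially decoded line.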



[FFmpeg-cvslog] avcodec/mdct_*: Fix integer overflow in addition in RESCALE()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Nov  5 21:20:06 2017 +0100| [f2763b8ba80cb258663807a5e61f028564b02ac3] | 
committer: Michael Niedermayer

avcodec/mdct_*: Fix integer overflow in addition in RESCALE()

Fixes: runtime error: signed integer overflow: 1219998458 - -1469874012 cannot 
be represented in type 'int'
Fixes: 3443/clusterfuzz-testcase-minimized-5369987105554432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 770c934fa1635f4fadf5db4fc5cc5ad15d82455a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2763b8ba80cb258663807a5e61f028564b02ac3
---

 libavcodec/mdct_fixed.c|  8 
 libavcodec/mdct_template.c | 14 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/libavcodec/mdct_fixed.c b/libavcodec/mdct_fixed.c
index a32cb00ca0..aabf0c88f8 100644
--- a/libavcodec/mdct_fixed.c
+++ b/libavcodec/mdct_fixed.c
@@ -39,13 +39,13 @@ void ff_mdct_calcw_c(FFTContext *s, FFTDouble *out, const 
FFTSample *input)
 
 /* pre rotation */
 for(i=0;i> 6)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6)
 #else /* FFT_FIXED_32 */
-#   define RSCALE(x) ((x) >> 1)
+#   define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1)
 #endif /* FFT_FIXED_32 */
 #endif
 
@@ -181,13 +181,13 @@ void ff_mdct_calc_c(FFTContext *s, FFTSample *out, const 
FFTSample *input)
 
 /* pre rotation */
 for(i=0;ihttp://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
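
Review bot: In the new two-argument RSCALE(x, y), only y is cast: ((int)((x) + (unsigned)(y) + 32) >> 6) relies on the usual arithmetic conversions to pull (x) into unsigned arithmetic as well. Casting both operands, or adding a comment that the addition is meant to wrap, would make the intent explicit. The (int) conversion of an out-of-range unsigned value and the following >> on a negative int are both implementation-defined, which deserves a note next to the macro. The subject line says RESCALE() while the macro in the hunk is RSCALE.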


[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Nov  5 21:20:08 2017 +0100| [91aadc6a5b8e295dd649c430e9a994226dc002be] | 
committer: Michael Niedermayer

avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()

Fixes: runtime error: signed integer overflow: 1939661764 - -454942263 cannot 
be represented in type 'int'
Fixes: 3191/clusterfuzz-testcase-minimized-5688798451073024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2afe05402f05d485f0c356b04dc562f0510d317d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=91aadc6a5b8e295dd649c430e9a994226dc002be
---

 libavcodec/aacpsdsp_template.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c
index 3049ce8b79..0e532fcf84 100644
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@@ -129,12 +129,12 @@ static void ps_decorrelate_c(INTFLOAT (*out)[2], INTFLOAT 
(*delay)[2],
 INTFLOAT apd_im = in_im;
 in_re = AAC_MSUB30(link_delay_re, fractional_delay_re,
 link_delay_im, fractional_delay_im);
-in_re -= a_re;
+in_re -= (UINTFLOAT)a_re;
 in_im = AAC_MADD30(link_delay_re, fractional_delay_im,
 link_delay_im, fractional_delay_re);
-in_im -= a_im;
-ap_delay[m][n+5][0] = apd_re + AAC_MUL31(ag[m], in_re);
-ap_delay[m][n+5][1] = apd_im + AAC_MUL31(ag[m], in_im);
+in_im -= (UINTFLOAT)a_im;
+ap_delay[m][n+5][0] = apd_re + (UINTFLOAT)AAC_MUL31(ag[m], in_re);
+ap_delay[m][n+5][1] = apd_im + (UINTFLOAT)AAC_MUL31(ag[m], in_im);
 }
 out[n][0] = AAC_MUL16(transient_gain[n], in_re);
 out[n][1] = AAC_MUL16(transient_gain[n], in_im);
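
Review bot: The four (UINTFLOAT) casts make the subtractions and additions wrap instead of overflowing, but each result is stored straight back into in_re, in_im or ap_delay[m][n+5][...], so the code depends on the conversion back to INTFLOAT at every assignment. A comment at the first cast saying the casts exist only to get defined wraparound where INTFLOAT is an integer type would keep a later cleanup from removing them. The operands of AAC_MSUB30 and AAC_MADD30 just above are left as they were, so it is worth confirming those macros cannot overflow on the same input.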



[FFmpeg-cvslog] avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Mon Nov 13 20:47:48 2017 +0100| [b8a6b5602762e540fbac982cbc3689fa0d2768de] | 
committer: Michael Niedermayer

avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu

Fixes: out of array read
Fixes: 3516/attachment-311488.dat

Found-by: Insu Yun, Georgia Tech.
Tested-by: wuni...@gmail.com
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 58cf31cee7a456057f337b3102a03206d833d5e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b8a6b5602762e540fbac982cbc3689fa0d2768de
---

 libavcodec/x86/mpegvideodsp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/x86/mpegvideodsp.c b/libavcodec/x86/mpegvideodsp.c
index 941a8e2e4c..5dcfd76a61 100644
--- a/libavcodec/x86/mpegvideodsp.c
+++ b/libavcodec/x86/mpegvideodsp.c
@@ -53,8 +53,9 @@ static void gmc_mmx(uint8_t *dst, uint8_t *src,
 const int dyh = (dyy - (1 << (16 + shift))) * (h - 1);
 const int dxh = dxy * (h - 1);
 const int dyw = dyx * (w - 1);
-int need_emu  =  (unsigned) ix >= width  - w ||
- (unsigned) iy >= height - h;
+int need_emu  =  (unsigned) ix >= width  - w || width < w ||
+ (unsigned) iy >= height - h || height< h
+ ;
 
 if ( // non-constant fullpel offset (3% of blocks)
 ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) |
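
Review bot: In need_emu, the new width < w and height< h terms are evaluated after the comparisons they are meant to rescue: (unsigned) ix >= width - w is still computed with a negative width - w converted to a large unsigned value, which is the signedness bug the subject names. The result is correct because the terms are ORed, but putting the size tests first reads as a precondition and short-circuits the wrapped comparison. Style: height< h is missing a space, and the statement ends with a ";" alone on its own line.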



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sat Nov 25 03:15:16 2017 +0100| [2214afdf408c7cfb9aa1861e2efb5909fdd1bcfb] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*

Fixes: runtime error: signed integer overflow: -2143827186 - 7404944 cannot be 
represented in type 'int'
Fixes: 4354/clusterfuzz-testcase-minimized-4671122764201984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2b6964f764382742bb052a1ee3b7167cac35332f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2214afdf408c7cfb9aa1861e2efb5909fdd1bcfb
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index f9a9e9e1b3..eb5aebc878 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -111,10 +111,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b0 + b1)
 
 #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-(b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
+((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 
46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8))
 
 #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\
-(b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 
25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
+((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 
25*(b2+(unsigned)b6) +  81*(b3+(unsigned)b5) + 128) >> 8))
 
 #define COMPOSE_DAUB97iL1(b0, b1, b2)\
 (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))
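
Review bot: With (unsigned)b4 as the left operand, COMPOSE_FIDELITYiL0 and COMPOSE_FIDELITYiH0 now evaluate to unsigned rather than int. That is harmless where the result is assigned to a signed coefficient, but a caller that compares the result, shifts it right or widens it will see different behaviour; either cast the whole expression back with (int) inside the macro or confirm every use is a plain assignment. The context line for COMPOSE_DAUB97iL1 below still computes b1 - (...) in signed arithmetic, so the same overflow pattern remains there.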



[FFmpeg-cvslog] avcodec/kgv1dec: Check that there is enough input for maximum RLE compression

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 22 20:14:54 2017 +0100| [71e40180cb1df511cfb67e17ff041f69d8d11d32] | 
committer: Michael Niedermayer

avcodec/kgv1dec: Check that there is enough input for maximum RLE compression

Fixes: Timeout
Fixes: 4271/clusterfuzz-testcase-4676667768307712

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3aad94bf2b140cfba8ae69d018da05d4948ef37f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=71e40180cb1df511cfb67e17ff041f69d8d11d32
---

 libavcodec/kgv1dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
index 5359411c76..a6bd9400ac 100644
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -62,6 +62,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 h = (buf[1] + 1) * 8;
 buf += 2;
 
+if (avpkt->size < 2 + w*h / 513)
+return AVERROR_INVALIDDATA;
+
 if (w != avctx->width || h != avctx->height) {
 av_freep(&c->frame_buffer);
 av_freep(&c->last_frame_buffer);
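
Review bot: The new avpkt->size < 2 + w*h / 513 test sits after buf[1] has already been read and buf advanced by 2, so it cannot serve as the guard for those two header bytes; if no earlier size check exists outside this hunk, a size < 2 test belongs ahead of the reads. The divisor 513 is unexplained in the code: the subject line ties it to maximum RLE compression, and a comment or named constant next to the test should say how the figure is derived.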



[FFmpeg-cvslog] avcodec/j2kenc: Fix out of array access in encode_cblk()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Thu Nov 30 23:42:04 2017 +0100| [44dc83f0e07a7bcce135ced249d231c3a7b2fd5d] | 
committer: Michael Niedermayer

avcodec/j2kenc: Fix out of array access in encode_cblk()

Fixes: 4427/clusterfuzz-testcase-minimized-5106919271301120

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0674087004538599797688785f6ac82358abc23b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=44dc83f0e07a7bcce135ced249d231c3a7b2fd5d
---

 libavcodec/j2kenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/j2kenc.c b/libavcodec/j2kenc.c
index c8d3861732..baaf47422c 100644
--- a/libavcodec/j2kenc.c
+++ b/libavcodec/j2kenc.c
@@ -688,7 +688,8 @@ static void encode_cblk(Jpeg2000EncoderContext *s, 
Jpeg2000T1Context *t1, Jpeg20
 cblk->npasses = passno;
 cblk->ninclpasses = passno;
 
-cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, 
cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
+if (passno)
+cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, 
cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len);
 }
 
 /* tier-2 routines: */
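
Review bot: if (passno) keeps cblk->passes[passno-1] from indexing element -1 when no pass was coded, but it also skips ff_mqc_flush_to() altogether in that case, with npasses and ninclpasses set to 0 just above. Confirm that later stages accept a code block with zero passes and an unflushed MQ coder, and write the test as passno > 0 so the intent stays clear if passno is signed.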



[FFmpeg-cvslog] avformat/utils: Prevent undefined shift with wrap_bits > 64.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Fri Nov 
17 13:35:56 2017 -0800| [b01020a0501aefc6decce15901437d4e03c4bbbf] | committer: 
Michael Niedermayer

avformat/utils: Prevent undefined shift with wrap_bits > 64.

2LL << (wrap_bits=64 - 1) does not fit in int64_t; change the
code to use a uint64_t (2ULL) and add an av_assert2() to
ensure wrap_bits <= 64.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 03fbc0daa7e37af024f8b017a28105c32bbe25ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b01020a0501aefc6decce15901437d4e03c4bbbf
---

 libavformat/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 1a098b6d88..6201e38814 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1535,13 +1535,14 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt)
 
 if (next_pkt->dts != AV_NOPTS_VALUE) {
 int wrap_bits = 
s->streams[next_pkt->stream_index]->pts_wrap_bits;
+av_assert2(wrap_bits <= 64);
 // last dts seen for this stream. if any of packets following
 // current one had no dts, we will set this to AV_NOPTS_VALUE.
 int64_t last_dts = next_pkt->dts;
 while (pktl && next_pkt->pts == AV_NOPTS_VALUE) {
 if (pktl->pkt.stream_index == next_pkt->stream_index &&
-(av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << 
(wrap_bits - 1)) < 0)) {
-if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL 
<< (wrap_bits - 1))) {
+av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << 
(wrap_bits - 1)) < 0) {
+if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL 
<< (wrap_bits - 1))) {
 // not B-frame
 next_pkt->pts = pktl->pkt.dts;
 }
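
Review bot: av_assert2(wrap_bits <= 64) is placed between the declaration of wrap_bits and the declaration of last_dts, which mixes a statement into the declarations; move it below last_dts. av_assert2() is only compiled in at the higher assert levels, so ordinary builds get no check, and the assertion has no lower bound: a wrap_bits of 0 or less makes wrap_bits - 1 a negative shift count, which is still undefined with 2ULL. At wrap_bits == 64 the value 2ULL << 63 wraps to 0, so check that av_compare_mod() behaves as intended with a modulus of 0. The subject says "wrap_bits > 64" while the message body and the fix concern wrap_bits = 64.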



[FFmpeg-cvslog] avcodec/vc2enc: Clear coef_buf on allocation

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 15 16:53:34 2017 +0100| [4171249d7632ea4ea2964b992eca7adc12dacb76] | 
committer: Michael Niedermayer

avcodec/vc2enc: Clear coef_buf on allocation

Fixes: Use of uninitialized memory
Fixes: assertion failure

Reviewed-by: 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6d00905f8134a2932e5c00dd1ec8b2a1f0a38035)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4171249d7632ea4ea2964b992eca7adc12dacb76
---

 libavcodec/vc2enc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c
index eb4e1e3c7e..ac551caaa1 100644
--- a/libavcodec/vc2enc.c
+++ b/libavcodec/vc2enc.c
@@ -1088,7 +1088,7 @@ static av_cold int vc2_encode_init(AVCodecContext *avctx)
 p->dwt_width  = w = FFALIGN(p->width,  (1 << s->wavelet_depth));
 p->dwt_height = h = FFALIGN(p->height, (1 << s->wavelet_depth));
 p->coef_stride = FFALIGN(p->dwt_width, 32);
-p->coef_buf = av_malloc(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
+p->coef_buf = av_mallocz(p->coef_stride*p->dwt_height*sizeof(dwtcoef));
 if (!p->coef_buf)
 goto alloc_fail;
 for (level = s->wavelet_depth-1; level >= 0; level--) {
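
Review bot: Switching to av_mallocz() addresses the uninitialized read, but the size argument is still the unchecked product p->coef_stride*p->dwt_height*sizeof(dwtcoef). av_mallocz_array() takes the element count and the element size separately and fails when their product overflows, which suits this allocation better. The message lists two "Fixes:" lines without a test case or ticket, and the Reviewed-by: trailer is empty; fill it in or drop it.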



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Fri Nov 17 22:01:29 2017 +0100| [bf44f250a2234d963489642eadcf32e79f9bb804] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()

Fixes: runtime error: left shift of negative value -255
Fixes: 4037/clusterfuzz-testcase-minimized-5290998163832832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7d88586e4728e97349f98e07ff782bb168ab96c3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bf44f250a2234d963489642eadcf32e79f9bb804
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index dd1643f6d1..82ee0b63ac 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1413,7 +1413,7 @@ static void FUNC(put_hevc_epel_bi_w_v)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH 
- 8)) * wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
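
Review bot: The rewritten term (ox0 + ox1 + 1) * (1 << log2Wd) in put_hevc_epel_bi_w_v() fixes one instance of a pattern that, going by the Changelog for this release, was fixed separately for put_hevc_epel_bi_w_h(). Patching each function as a fuzzer reaches it leaves the other weighted-prediction variants unaudited; sweep every "<< log2Wd" applied to an offset sum in this template in one commit, ideally through a shared macro. The multiplication can still overflow int if the offsets are not bounded, so a comment stating their range would help.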



[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Tue Nov 14 03:40:07 2017 +0100| [bc65abecd31f2c7f21103472dcd71145e7a8efe7] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()

Fixes: 4035/clusterfuzz-testcase-minimized-6479308925173760
Fixes: runtime error: signed integer overflow: 9 * 402653183 cannot be 
represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 73964680d7bce6d81ddc553a24d73e9a1c9156f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bc65abecd31f2c7f21103472dcd71145e7a8efe7
---

 libavcodec/dirac_dwt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 35ed8857e9..f9a9e9e1b3 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -102,7 +102,7 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))
 
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-(b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5))
+(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))
 
 #define COMPOSE_HAARiL0(b0, b1)\
 (b0 - ((b1 + 1) >> 1))
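
Review bot: In COMPOSE_DD137iL0 the 9U factors make the inner sum unsigned, which covers the reported 9 * 402653183 overflow, but the promotion is implicit: -b0 is still negated as a signed value before it is converted, so b0 == INT_MIN remains undefined. Writing -(unsigned)b0, or casting the first operand, makes the wraparound explicit and covers that case. The outer b2 - (...) is also still a signed subtraction.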



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow in header parsing

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Nov  5 21:20:05 2017 +0100| [f33f13172cfe34b3bedb59964957d8d784f9cea0] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow in header parsing

Fixes: 3984/clusterfuzz-testcase-minimized-5265759929368576
Fixes: runtime error: signed integer overflow: -1085585801 + -1094995529 cannot 
be represented in type 'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c897a9285846b6a072b9650976afd4f091b7a71f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f33f13172cfe34b3bedb59964957d8d784f9cea0
---

 libavcodec/snowdec.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 6eff729a19..2b92ed3de0 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -374,7 +374,7 @@ static int decode_header(SnowContext *s){
 }
 }
 
-s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1);
+s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, 
s->header_state, 1);
 if(s->spatial_decomposition_type > 1U){
 av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not 
supported\n", s->spatial_decomposition_type);
 return AVERROR_INVALIDDATA;
@@ -390,10 +390,10 @@ static int decode_header(SnowContext *s){
 }
 
 
-s->qlog   += get_symbol(&s->c, s->header_state, 1);
-s->mv_scale   += get_symbol(&s->c, s->header_state, 1);
-s->qbias  += get_symbol(&s->c, s->header_state, 1);
-s->block_max_depth+= get_symbol(&s->c, s->header_state, 1);
+s->qlog   += (unsigned)get_symbol(&s->c, s->header_state, 1);
+s->mv_scale   += (unsigned)get_symbol(&s->c, s->header_state, 1);
+s->qbias  += (unsigned)get_symbol(&s->c, s->header_state, 1);
+s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1);
 if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){
 av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", 
s->block_max_depth);
 s->block_max_depth= 0;
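
Review bot: After the four (unsigned)get_symbol() additions, only block_max_depth and mv_scale are range-checked in the lines that follow; s->qlog and s->qbias now wrap silently on hostile input and no test for them is visible in this hunk. If they are validated later, a comment pointing to that check would help; if not, bound them next to the mv_scale > 256U test. The error text "block_max_depth= %d is too large" is also what gets printed when the failing condition is mv_scale > 256U.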



[FFmpeg-cvslog] avcodec/cngdec: Fix integer clipping

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Thu Nov  2 18:34:09 2017 +0100| [b9e9c5cee03ff9a092f9d8f13df22d91979c24e3] | 
committer: Michael Niedermayer

avcodec/cngdec: Fix integer clipping

Fixes: runtime error: value -36211.7 is outside the range of representable 
values of type 'short'
Fixes: 2992/clusterfuzz-testcase-6649611793989632

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 51090133b31bc719ea868db15d3ee38e9dbe90f1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9e9c5cee03ff9a092f9d8f13df22d91979c24e3
---

 libavcodec/cngdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cngdec.c b/libavcodec/cngdec.c
index 0251086042..a3fabf90e3 100644
--- a/libavcodec/cngdec.c
+++ b/libavcodec/cngdec.c
@@ -147,7 +147,7 @@ static int cng_decode_frame(AVCodecContext *avctx, void 
*data,
 return ret;
 buf_out = (int16_t *)frame->data[0];
 for (i = 0; i < avctx->frame_size; i++)
-buf_out[i] = p->filter_out[i + p->order];
+buf_out[i] = av_clip_int16(p->filter_out[i + p->order]);
 memcpy(p->filter_out, p->filter_out + avctx->frame_size,
p->order * sizeof(*p->filter_out));
 
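Review bot: av_clip_int16() takes an int, and the sanitizer message quoted in the commit (-36211.7) shows that filter_out holds fractional values, so in the for loop each sample is first converted from floating point to int and only then clipped. That conversion truncates toward zero and is itself undefined when the value lies outside the range of int; clipping in floating point first, for example with av_clipf(), and then rounding would cover both.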



[FFmpeg-cvslog] avcodec/snowdec: Check for remaining bitstream in decode_blocks()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 15 21:17:16 2017 +0100| [12aea29a95960603c6777982d363ed644cabfb9a] | 
committer: Michael Niedermayer

avcodec/snowdec: Check for remaining bitstream in decode_blocks()

Fixes: Timeout
Fixes: 3142/clusterfuzz-testcase-5007853163118592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4527ec2216109867498edc3ac8a17fd879b5d017)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=12aea29a95960603c6777982d363ed644cabfb9a
---

 libavcodec/snowdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index af92cb0070..df425b8cf3 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -437,6 +437,8 @@ static int decode_blocks(SnowContext *s){
 
 for(y=0; yc.bytestream >= s->c.bytestream_end)
+return AVERROR_INVALIDDATA;
 if ((res = decode_q_branch(s, 0, x, y)) < 0)
 return res;
 }



[FFmpeg-cvslog] Changelog: update

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sat Dec  2 00:30:18 2017 +0100| [2bc6b9b2a9c9f22b26ce2207f73f6e7a5aa7c0b9] | 
committer: Michael Niedermayer

Changelog: update

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2bc6b9b2a9c9f22b26ce2207f73f6e7a5aa7c0b9
---

 Changelog | 41 +
 1 file changed, 41 insertions(+)

diff --git a/Changelog b/Changelog
index ea82067a6a..71a00b80b9 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,47 @@ Entries are sorted chronologically from oldest to youngest 
within each release,
 releases are sorted from youngest to oldest.
 
 version 3.0.10
+- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.
+- Don't manipulate duration when it's AV_NOPTS_VALUE.
+- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.
+- avformat/utils: Prevent undefined shift with wrap_bits > 64.
+- avcodec/j2kenc: Fix out of array access in encode_cblk()
+- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()
+- avcodec/mlpdsp: Fix signed integer overflow, 2nd try
+- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*
+- avcodec/mpeg4videodec: Check also for negative versions in the validity check
+- Close ogg stream upon error when using AV_EF_EXPLODE.
+- Fix undefined shift on assumed 8-bit input.
+- Use ff_thread_once for fixed, float table init.
+- avformat/mov: Propagate errors in mov_switch_root.
+- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v()
+- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()
+- avcodec/zmbv: Check that the buffer is large enough for mvec
+- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0()
+- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and 
ff_wmv2_decode_mb()
+- avcodec/snowdec: Check for remaining bitstream in decode_blocks()
+- avcodec/snowdec: Check intra block dc differences.
+- avformat/mov: Check size of STSC allocation
+- avcodec/vc2enc: Clear coef_buf on allocation
+- avcodec/h264dec: Fix potential array overread
+- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu
+- avcodec/aacpsdsp_template: Fix integer overflows in ps_decorrelate_c()
+- avcodec/aacdec_fixed: Fix undefined shift
+- avcodec/mdct_*: Fix integer overflow in addition in RESCALE()
+- avcodec/snowdec: Fix integer overflow in header parsing
+- avcodec/cngdec: Fix integer clipping
+- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
+- avutil/softfloat: Add FLOAT_MIN
+- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc()
+- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add()
+- avcodec/xan: Check for bitstream end in xan_huffman_decode()
+- avformat: Free the internal codec context at the end
+- avcodec/xan: Improve overlapping check
+- avcodec/aacdec_fixed: Fix integer overflow in 
apply_dependent_coupling_fixed()
+- avcodec/aacdec_fixed: Fix integer overflow in predict()
+- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line()
+- avcodec/jpeglsdec: Check ilv for being a supported value
 - avcodec/snowdec: Check mv_scale
 - avcodec/pafvideo: Check for bitstream end in decode_0()
 - avcodec/ffv1dec: Fix out of array read in slice counting
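Review bot: Several of the added entries drop the component prefix that the neighbouring lines use, for example "Don't manipulate duration when it's AV_NOPTS_VALUE.", "Close ogg stream upon error when using AV_EF_EXPLODE." and "Fix undefined shift on assumed 8-bit input.", so a reader of the Changelog cannot tell which library is affected. Prefixing them with the files the commits touch (avformat/oggparsevp8, avformat/oggdec, avcodec/mpeg4videodec) and dropping the trailing periods would match existing entries such as "avcodec/snowdec: Check mv_scale".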

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog


[FFmpeg-cvslog] avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Sun Sep 17 01:28:07 2017 +0200| [d1421edab7c1a2e7d481130884cbecf9c9291c54] | 
committer: Michael Niedermayer

avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and 
ff_wmv2_decode_mb()

Fixes: Timeout
Fixes: 3200/clusterfuzz-testcase-5750022136135680

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 65e0a7c473f23f1833538ffecf53c81fe500b5e4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d1421edab7c1a2e7d481130884cbecf9c9291c54
---

 libavcodec/wmv2dec.c | 18 --
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmv2dec.c b/libavcodec/wmv2dec.c
index 99c95d397a..98df381509 100644
--- a/libavcodec/wmv2dec.c
+++ b/libavcodec/wmv2dec.c
@@ -30,7 +30,7 @@
 #include "wmv2.h"
 
 
-static void parse_mb_skip(Wmv2Context *w)
+static int parse_mb_skip(Wmv2Context *w)
 {
 int mb_x, mb_y;
 MpegEncContext *const s = &w->s;
@@ -45,6 +45,8 @@ static void parse_mb_skip(Wmv2Context *w)
 MB_TYPE_16x16 | MB_TYPE_L0;
 break;
 case SKIP_TYPE_MPEG:
+if (get_bits_left(&s->gb) < s->mb_height * s->mb_width)
+return AVERROR_INVALIDDATA;
 for (mb_y = 0; mb_y < s->mb_height; mb_y++)
 for (mb_x = 0; mb_x < s->mb_width; mb_x++)
 mb_type[mb_y * s->mb_stride + mb_x] =
@@ -52,6 +54,8 @@ static void parse_mb_skip(Wmv2Context *w)
 break;
 case SKIP_TYPE_ROW:
 for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
+if (get_bits_left(&s->gb) < 1)
+return AVERROR_INVALIDDATA;
 if (get_bits1(&s->gb)) {
 for (mb_x = 0; mb_x < s->mb_width; mb_x++)
 mb_type[mb_y * s->mb_stride + mb_x] =
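Review bot: The get_bits_left(&s->gb) < 1 test in the SKIP_TYPE_ROW loop only covers the row flag read by get_bits1() on the next line, and because it runs once per row a truncated stream returns AVERROR_INVALIDDATA with mb_type already rewritten for the earlier rows. The SKIP_TYPE_MPEG case in the previous hunk checks the whole bit budget before touching mb_type. If the caller always discards the frame on error this is harmless, but it deserves a comment, and the reads in the branch not shown in this hunk should be confirmed to be covered as well.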
@@ -65,6 +69,8 @@ static void parse_mb_skip(Wmv2Context *w)
 break;
 case SKIP_TYPE_COL:
 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+if (get_bits_left(&s->gb) < 1)
+return AVERROR_INVALIDDATA;
 if (get_bits1(&s->gb)) {
 for (mb_y = 0; mb_y < s->mb_height; mb_y++)
 mb_type[mb_y * s->mb_stride + mb_x] =
@@ -77,6 +83,7 @@ static void parse_mb_skip(Wmv2Context *w)
 }
 break;
 }
+return 0;
 }
 
 static int decode_ext_header(Wmv2Context *w)
@@ -170,9 +177,12 @@ int ff_wmv2_decode_secondary_picture_header(MpegEncContext 
*s)
 }
 } else {
 int cbp_index;
+int ret;
 w->j_type = 0;
 
-parse_mb_skip(w);
+ret = parse_mb_skip(w);
+if (ret < 0)
+return ret;
 cbp_index = decode012(&s->gb);
 w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index);
 
@@ -352,6 +362,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t 
block[6][64])
 w->hshift  = 0;
 return 0;
 }
+if (get_bits_left(&s->gb) <= 0)
+return AVERROR_INVALIDDATA;
 
 code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table,
 MB_NON_INTRA_VLC_BITS, 3);
@@ -362,6 +374,8 @@ int ff_wmv2_decode_mb(MpegEncContext *s, int16_t 
block[6][64])
 cbp = code & 0x3f;
 } else {
 s->mb_intra = 1;
+if (get_bits_left(&s->gb) <= 0)
+return AVERROR_INVALIDDATA;
 code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2);
 if (code < 0) {
 av_log(s->avctx, AV_LOG_ERROR,
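Review bot: The get_bits_left(&s->gb) <= 0 check ahead of the intra get_vlc2() call, like its twin in the previous hunk, returns AVERROR_INVALIDDATA without logging, while the failure path directly below reports through av_log(s->avctx, AV_LOG_ERROR, ...). Either log the truncation the same way or add a comment that the silence is deliberate, so that a truncated stream can be told apart from a bad VLC code when debugging.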



[FFmpeg-cvslog] avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 15 03:38:37 2017 +0100| [a3606385f075170dd67d54dfe3ca6b760730fed2] | 
committer: Michael Niedermayer

avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output()

Fixes: runtime error: left shift of negative value -7862264
Fixes: 4074/clusterfuzz-testcase-minimized-4516104123711488

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f7f70738e8dd77a698a5e28bba552ea7064af21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a3606385f075170dd67d54dfe3ca6b760730fed2
---

 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index fbafa92d72..4e3a16c781 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
   (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xff) << mat_ch;
 if (is32)
-*data_32++ = sample << 8;
+*data_32++ = sample * 256;
 else
 *data_16++ = sample >> 8;
 }
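Review bot: On the is32 path, sample * 256 is still signed arithmetic, so if sample is a signed 32-bit value (as the sanitizer report of a negative left operand implies) any sample whose magnitude reaches 2^23 overflows int, which is as undefined as the shift it replaces. Doing the multiply in unsigned (sample * 256U) and letting the store convert back keeps the same output bits without the overflow.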



[FFmpeg-cvslog] avcodec/zmbv: Check that the buffer is large enough for mvec

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Wed Nov 15 17:11:12 2017 +0100| [b9b4d34ecfdd49b9962491c32422b906e2f455ac] | 
committer: Michael Niedermayer

avcodec/zmbv: Check that the buffer is large enough for mvec

Fixes: Timeout
Fixes: 4143/clusterfuzz-testcase-4736864637419520

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2ab9568a2c3349039eec29fb960fe39de354b514)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9b4d34ecfdd49b9962491c32422b906e2f455ac
---

 libavcodec/zmbv.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 25a1cd215d..39a08db0eb 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -539,6 +539,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 } else {
 frame->key_frame = 0;
 frame->pict_type = AV_PICTURE_TYPE_P;
+if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * 
((c->height + c->bh - 1) / c->bh))
+return AVERROR_INVALIDDATA;
 if (c->decomp_len)
 c->decode_xor(c);
 }
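Review bot: With the size check placed ahead of "if (c->decomp_len)", an inter frame with decomp_len == 0 is now rejected with AVERROR_INVALIDDATA whenever the block count is nonzero, so the existing zero-length guard can no longer be the path that skips decode_xor(). If an empty delta frame was a legal "no change" frame before, this is a behaviour change that should be stated in the commit message; if it was not, the "if (c->decomp_len)" test is now dead and can go. The divisions by c->bw and c->bh also rely on both being validated as nonzero somewhere outside this hunk.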



[FFmpeg-cvslog] Don't manipulate duration when it's AV_NOPTS_VALUE.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Tue Nov 
28 14:26:55 2017 -0800| [532f0d1278c049a9f55d0de3f7b56b958c598440] | committer: 
Michael Niedermayer

Don't manipulate duration when it's AV_NOPTS_VALUE.

This leads to signed integer overflow.

Signed-off-by: Dale Curtis 
Signed-off-by: James Almer 
(cherry picked from commit c5fd57f483d2ad8e34551b78509f1e14136f73c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=532f0d1278c049a9f55d0de3f7b56b958c598440
---

 libavformat/oggparsevp8.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/oggparsevp8.c b/libavformat/oggparsevp8.c
index ca13928f1e..54f1fa6544 100644
--- a/libavformat/oggparsevp8.c
+++ b/libavformat/oggparsevp8.c
@@ -125,7 +125,7 @@ static int vp8_packet(AVFormatContext *s, int idx)
 os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
-if (s->streams[idx]->duration)
+if (s->streams[idx]->duration && s->streams[idx]->duration != 
AV_NOPTS_VALUE)
 s->streams[idx]->duration -= s->streams[idx]->start_time;
 }
 }
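Review bot: The added != AV_NOPTS_VALUE test covers duration only, but the value subtracted from it, start_time, was assigned from os->lastpts on the line above, and nothing in this hunk shows that os->lastpts cannot itself be AV_NOPTS_VALUE, which would overflow the same subtraction. Please confirm that os->lastpts is always valid at this point, or guard it as well.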



[FFmpeg-cvslog] avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Thu Nov 
30 12:20:36 2017 -0800| [06a6f73ad83b53a7b3da4cb7b97cb1c878ec837b] | committer: 
Michael Niedermayer

avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u.

Didn't notice this one when 9648cc6d was landed.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 95bacb521af8cd28f146f045437c9f75717a493a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=06a6f73ad83b53a7b3da4cb7b97cb1c878ec837b
---

 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 61c395e71e..80d5198c62 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -73,7 +73,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, 
unsigned num)
 if (bits[p] > 32)
 return AVERROR_INVALIDDATA;
 for (i = 0; i < bits[p]; ++i)
-exit_at_level[i+1] = 1 << i;
+exit_at_level[i+1] = 1u << i;
 
 #ifdef DEBUG
 av_log(NULL, AV_LOG_INFO, " %u. of %u code len %d code %d - ", p, num, 
bits[p], codes[p]);
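Review bot: The loop bound i < bits[p], together with the bits[p] > 32 rejection above it, lets i reach 31, and exit_at_level[i+1] then writes index 32, so the array needs at least 33 entries; its declaration is not visible in this hunk and should be checked as part of this fix. The shift itself is fine with 1u as long as unsigned is at least 32 bits wide.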



[FFmpeg-cvslog] Use ff_thread_once for fixed, float table init.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Fri Nov 
17 14:51:09 2017 -0800| [712814fb17b62557d17d0bcff5b57e2a9d8e613c] | committer: 
Michael Niedermayer

Use ff_thread_once for fixed, float table init.

These tables are static so they should only be initialized once
instead of on every call to ff_mpadsp_init().

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5eaaffaf64d1854493f0fe9ec822eed1b3cd9fe1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=712814fb17b62557d17d0bcff5b57e2a9d8e613c
---

 libavcodec/mpegaudiodsp.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpegaudiodsp.c b/libavcodec/mpegaudiodsp.c
index a5d20df629..3cafca27bf 100644
--- a/libavcodec/mpegaudiodsp.c
+++ b/libavcodec/mpegaudiodsp.c
@@ -20,17 +20,21 @@
 
 #include "config.h"
 #include "libavutil/attributes.h"
+#include "libavutil/thread.h"
 #include "mpegaudiodsp.h"
 #include "dct.h"
 #include "dct32.h"
 
+static AVOnce mpadsp_float_table_init = AV_ONCE_INIT;
+static AVOnce mpadsp_fixed_table_init = AV_ONCE_INIT;
+
 av_cold void ff_mpadsp_init(MPADSPContext *s)
 {
 DCTContext dct;
 
 ff_dct_init(&dct, 5, DCT_II);
-ff_init_mpadsp_tabs_float();
-ff_init_mpadsp_tabs_fixed();
+ff_thread_once(&mpadsp_float_table_init, &ff_init_mpadsp_tabs_float);
+ff_thread_once(&mpadsp_fixed_table_init, &ff_init_mpadsp_tabs_fixed);
 
 s->apply_window_float = ff_mpadsp_apply_window_float;
 s->apply_window_fixed = ff_mpadsp_apply_window_fixed;
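Review bot: ff_thread_once() takes a void (*)(void) routine, so the two calls only compile cleanly if ff_init_mpadsp_tabs_float() and ff_init_mpadsp_tabs_fixed() have exactly that prototype, which is not visible in this hunk. The commit message motivates the change by redundant work only; if ff_mpadsp_init() can run concurrently in two threads, it would be worth stating that this also closes a race on the static tables.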



[FFmpeg-cvslog] avcodec/mpeg4videodec: Check also for negative versions in the validity check

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Tue Nov 21 03:15:53 2017 +0100| [abff307736fba32305e3b0ac669d62020013a174] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Check also for negative versions in the validity check

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0e7865ce4152f8b04cda6a698bbee4fd4a94009d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=abff307736fba32305e3b0ac669d62020013a174
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index d9d67b0fe4..eff809aafc 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2140,7 +2140,7 @@ static int decode_user_data(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 if (e != 4) {
 e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1;
 if (e > 1) {
-if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) {
+if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) {
 av_log(s->avctx, AV_LOG_WARNING,
  "Unknown Lavc version string encountered, %d.%d.%d; "
  "clamping sub-version values to 8-bits.\n",

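Review bot: The comparison ver > 0xFFU catches negative values only through the implicit int-to-unsigned conversion, which is easy to undo by a later cleanup that drops the suffix. An explicit "ver < 0 || ver > 0xFF" (and the same for ver2 and ver3), or a comment on the line, would make the intent visible.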


[FFmpeg-cvslog] avcodec/mlpdsp: Fix signed integer overflow, 2nd try

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Mon Nov 20 18:45:45 2017 +0100| [78b6e8fb233f52284d6a3bee169361f5ee82c79f] | 
committer: Michael Niedermayer

avcodec/mlpdsp: Fix signed integer overflow, 2nd try

The outputted bits should match what is used in the lossless check

Fixes: runtime error: signed integer overflow: -538697856 * 256 cannot be 
represented in type 'int'
Fixes: 4326/clusterfuzz-testcase-minimized-5689449645080576

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 97c00edaa043043c29d985653e7e1687b56dfa23)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78b6e8fb233f52284d6a3bee169361f5ee82c79f
---

 libavcodec/mlpdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index 4e3a16c781..32a4503b64 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -117,7 +117,7 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
   (1U << output_shift[mat_ch]);
 lossless_check_data ^= (sample & 0xff) << mat_ch;
 if (is32)
-*data_32++ = sample * 256;
+*data_32++ = sample * 256U;
 else
 *data_16++ = sample >> 8;
 }
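Review bot: With sample * 256U the multiply wraps in a well-defined way, but the result is then stored through *data_32++, and if data_32 points to signed 32-bit samples the conversion of an out-of-range unsigned value back to signed is implementation-defined. That is the usual trade in this kind of fix; a short comment saying the wrap is intentional and keeps the output bits consistent with the lossless check would stop a later reader from turning it back into a shift.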



[FFmpeg-cvslog] avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Wed Nov 
22 10:58:39 2017 -0800| [e6c6bb218e0b4ae4b6963268d6488cf6104656d0] | committer: 
Michael Niedermayer

avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9648cc6d7fdbb0a260bed1e3e23300569cff9579)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6c6bb218e0b4ae4b6963268d6488cf6104656d0
---

 libavcodec/vorbis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
index 86d10407f4..61c395e71e 100644
--- a/libavcodec/vorbis.c
+++ b/libavcodec/vorbis.c
@@ -105,7 +105,7 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, 
unsigned num)
 exit_at_level[i] = 0;
 // construct code (append 0s to end) and introduce new exits
 for (j = i + 1 ;j <= bits[p]; ++j)
-exit_at_level[j] = code + (1 << (j - 1));
+exit_at_level[j] = code + (1u << (j - 1));
 codes[p] = code;
 
 #ifdef DEBUG



[FFmpeg-cvslog] avformat/mov: Propagate errors in mov_switch_root.

2017-12-01 Thread Jacob Trimble
ffmpeg | branch: release/3.0 | Jacob Trimble 
 | Mon Nov 20 12:05:02 2017 -0800| 
[20e78d53394fa56eb4bcb3be06ff70375a86dd94] | committer: Michael Niedermayer

avformat/mov: Propagate errors in mov_switch_root.

Signed-off-by: Jacob Trimble 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2d9cf3bf16b94cd9db10dabad695c69c5cff4f58)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20e78d53394fa56eb4bcb3be06ff70375a86dd94
---

 libavformat/mov.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 85bf2e5211..d41778cbed 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4975,6 +4975,7 @@ static int should_retry(AVIOContext *pb, int error_code) {
 
 static int mov_switch_root(AVFormatContext *s, int64_t target)
 {
+int ret;
 MOVContext *mov = s->priv_data;
 int i, j;
 int already_read = 0;
@@ -5011,8 +5012,10 @@ static int mov_switch_root(AVFormatContext *s, int64_t 
target)
 
 mov->found_mdat = 0;
 
-if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) 
< 0 ||
-avio_feof(s->pb))
+ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX 
});
+if (ret < 0)
+return ret;
+if (avio_feof(s->pb))
 return AVERROR_EOF;
 av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", 
avio_tell(s->pb));
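Review bot: Returning ret from mov_read_default() changes what callers of mov_switch_root() see: every failure used to be folded into AVERROR_EOF, and now arbitrary negative codes come back. The callers are outside this hunk, so please confirm that none of them treats only AVERROR_EOF as the stop condition. The "int ret;" added in the first hunk would also sit more naturally next to "int i, j;" than ahead of the MOVContext *mov initializer.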
 



[FFmpeg-cvslog] Close ogg stream upon error when using AV_EF_EXPLODE.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Mon Nov 
20 12:07:57 2017 -0800| [50b22648100e2fa77c798ac770967982d841d04d] | committer: 
Michael Niedermayer

Close ogg stream upon error when using AV_EF_EXPLODE.

Without this there can be multiple memory leaks for unrecognized
ogg streams.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bce8fc0754c4b31f574a4372c6d7996ed29f7c2a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50b22648100e2fa77c798ac770967982d841d04d
---

 libavformat/oggdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 7ecb42ce8f..99e51b8b65 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -709,8 +709,10 @@ static int ogg_read_header(AVFormatContext *s)
"Headers mismatch for stream %d: "
"expected %d received %d.\n",
i, os->codec->nb_header, os->nb_header);
-if (s->error_recognition & AV_EF_EXPLODE)
+if (s->error_recognition & AV_EF_EXPLODE) {
+ogg_read_close(s);
 return AVERROR_INVALIDDATA;
+}
 }
 if (os->start_granule != OGG_NOGRANULE_VALUE)
 os->lastpts = s->streams[i]->start_time =
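Review bot: Calling ogg_read_close(s) before "return AVERROR_INVALIDDATA" is only safe if the generic open code does not run the demuxer's close callback again after a failed read_header; otherwise the leak fix becomes a double free. That depends on code outside this hunk, as does whether the other error returns in ogg_read_header() clean up the same way, so both are worth checking before merging.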



[FFmpeg-cvslog] Fix undefined shift on assumed 8-bit input.

2017-12-01 Thread Dale Curtis
ffmpeg | branch: release/3.0 | Dale Curtis  | Fri Nov 
17 16:05:30 2017 -0800| [c09d587ac54d0ecb8190618fb867e9fd907e1359] | committer: 
Michael Niedermayer

Fix undefined shift on assumed 8-bit input.

decode_user_data() attempts to create an integer |build|
value with 8 bits of spacing for 3 components. However
each component is an int32_t, so shifting each component
is undefined for values outside of the 8 bit range.

This patch simply clamps input to 8-bits per component
and prints out a warning that the values were clamped.

Signed-off-by: Dale Curtis 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7010dd98b575d2e39fca947e609b85be7490b269)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c09d587ac54d0ecb8190618fb867e9fd907e1359
---

 libavcodec/mpeg4videodec.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index cb2224a07b..d9d67b0fe4 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -2139,8 +2139,15 @@ static int decode_user_data(Mpeg4DecContext *ctx, 
GetBitContext *gb)
 e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, 
&ver2, &ver3, &build);
 if (e != 4) {
 e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1;
-if (e > 1)
-build = (ver << 16) + (ver2 << 8) + ver3;
+if (e > 1) {
+if (ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF) {
+av_log(s->avctx, AV_LOG_WARNING,
+ "Unknown Lavc version string encountered, %d.%d.%d; "
+ "clamping sub-version values to 8-bits.\n",
+ ver, ver2, ver3);
+}
+build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 
0xFF);
+}
 }
 if (e != 4) {
 if (strcmp(buf, "ffmpeg") == 0)
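Review bot: The range test "ver > 0xFF || ver2 > 0xFF || ver3 > 0xFF" misses negative components, which the %d conversions in the sscanf() above will parse; they are then masked with & 0xFF without any warning. The log text also says "clamping" while the code masks, so 256 becomes 0 rather than 255; either clamp for real or say "truncating" in the message.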



[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

2017-12-01 Thread Michael Niedermayer
ffmpeg | branch: release/3.0 | Michael Niedermayer  | 
Thu Nov 30 21:27:37 2017 +0100| [a65633aa9d2291244d039abeda2864492ca810c6] | 
committer: Michael Niedermayer

avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h()

Fixes: runtime error: left shift of negative value -127
Fixes: 4397/clusterfuzz-testcase-minimized-4779061080489984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0409d333115e623b5ccdbb364d64ca2a52fd8467)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a65633aa9d2291244d039abeda2864492ca810c6
---

 libavcodec/hevcdsp_template.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c
index 82ee0b63ac..8ae193d2ea 100644
--- a/libavcodec/hevcdsp_template.c
+++ b/libavcodec/hevcdsp_template.c
@@ -1361,7 +1361,7 @@ static void FUNC(put_hevc_epel_bi_w_h)(uint8_t *_dst, 
ptrdiff_t _dststride, uint
 for (y = 0; y < height; y++) {
 for (x = 0; x < width; x++)
 dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * 
wx1 + src2[x] * wx0 +
-((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 
1));
+((ox0 + ox1 + 1) * (1 << log2Wd))) >> 
(log2Wd + 1));
 src  += srcstride;
 dst  += dststride;
 src2 += MAX_PB_SIZE;
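Review bot: The shift of a possibly negative (ox0 + ox1 + 1) by log2Wd is fixed here for put_hevc_epel_bi_w_h() only, and the 3.0.10 Changelog on this page carries a separate "Fix invalid shift in put_hevc_epel_bi_w_v()" entry for the same kind of defect. A single audit of every "<< log2Wd" in the template would be safer than one commit per fuzzer report; the result of that audit belongs in the commit message.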



[FFmpeg-cvslog] Tag n3.0.10 : FFmpeg 3.0.10 release

2017-12-01 Thread git
[ffmpeg] [branch: refs/tags/n3.0.10]
Tag:2cbf356f1208e0d1622f18fa6377d5c97d6c86c6
> http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=2cbf356f1208e0d1622f18fa6377d5c97d6c86c6

Tagger: Michael Niedermayer 
Date:   Sat Dec  2 01:41:22 2017 +0100

FFmpeg 3.0.10 release


[FFmpeg-cvslog] [ffmpeg-web] branch master updated. 4132772 web/download: add FFmpeg 3.0.10

2017-12-01 Thread ffmpeg-git
The branch, master has been updated
   via  41327720f20067d8ef16eadc15e50abba78c030d (commit)
  from  a418a99abf4df21042d788c9afb4e22fe0ad4b8c (commit)


- Log -
commit 41327720f20067d8ef16eadc15e50abba78c030d
Author: Michael Niedermayer 
AuthorDate: Sat Dec 2 01:44:16 2017 +0100
Commit: Michael Niedermayer 
CommitDate: Sat Dec 2 01:44:58 2017 +0100

web/download: add FFmpeg 3.0.10

diff --git a/src/download b/src/download
index bdc11e6..69f3cad 100644
--- a/src/download
+++ b/src/download
@@ -425,10 +425,10 @@ libpostproc54.  0.100

 
 
-  FFmpeg 3.0.9 "Einstein"
+  FFmpeg 3.0.10 "Einstein"
 
   
-3.0.9 was released on 2017-07-19. It is the latest stable FFmpeg release
+3.0.10 was released on 2017-12-01. It is the latest stable FFmpeg release
 from the 3.0 release branch, which was cut from master on 2016-02-14.
   
   It includes the following library versions:
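Review bot: The release date in "3.0.10 was released on 2017-12-01" does not match this commit's own AuthorDate of "Sat Dec 2 01:44:16 2017 +0100", which falls on 2017-12-02 both in local time and in UTC. If the page is meant to carry the tag date, this line should read 2017-12-02.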
@@ -446,19 +446,19 @@ libpostproc54.  0.100
 
   
 
-  Download 
xz tarball
-  PGP 
signature
+  Download 
xz tarball
+  PGP 
signature
  
 
-  Download 
bzip2 tarball
-  PGP 
signature
+  Download bzip2 tarball
+  PGP 
signature
  
 
-  Download 
gzip tarball
-  PGP 
signature
+  Download 
gzip tarball
+  PGP 
signature
  
 
-  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.0.9";>Changelog
+  https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.0.10";>Changelog
   https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.0:/RELEASE_NOTES";>Release
 Notes
  


---

Summary of changes:
 src/download | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)


hooks/post-receive
-- 
