[FFmpeg-cvslog] avcodec/mediacodecdec: refactor to take advantage of new decoding api
ffmpeg | branch: master | Aman Gupta | Thu Feb 15 19:52:14 2018 -0800| [f611fef37cca44b89d0d7e6dfd1ac257736b5f7a] | committer: Matthieu Bouron avcodec/mediacodecdec: refactor to take advantage of new decoding api This refactor splits up the main mediacodec decode loop into two send/receive helpers, which are then used to rewrite the receive_frame callback and take full advantage of the new decoding api. Since we can now request packets on demand with ff_decode_get_packet(), the fifo buffer is no longer necessary and has been removed. This change was motivated by behavior observed on certain Android TV devices, featuring hardware mpeg2/h264 decoders which also deinterlace content (to produce multiple frames per field). Previously, this code caused buffering issues because queueInputBuffer() was always invoked before each dequeueOutputBuffer(), even though twice as many output buffers were being generated. With this patch, the decoder will always attempt to drain new frames first before sending more data into the underlying codec. Signed-off-by: Matthieu Bouron > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f611fef37cca44b89d0d7e6dfd1ac257736b5f7a --- libavcodec/mediacodecdec.c| 107 ++ libavcodec/mediacodecdec_common.c | 50 -- libavcodec/mediacodecdec_common.h | 14 +++-- 3 files changed, 80 insertions(+), 91 deletions(-) diff --git a/libavcodec/mediacodecdec.c b/libavcodec/mediacodecdec.c index cb1151a195..363e12427e 100644 --- a/libavcodec/mediacodecdec.c +++ b/libavcodec/mediacodecdec.c @@ -25,7 +25,6 @@ #include "libavutil/avassert.h" #include "libavutil/common.h" -#include "libavutil/fifo.h" #include "libavutil/opt.h" #include "libavutil/intreadwrite.h" #include "libavutil/pixfmt.h" @@ -43,8 +42,6 @@ typedef struct MediaCodecH264DecContext { MediaCodecDecContext *ctx; -AVFifoBuffer *fifo; - AVPacket buffered_pkt; } MediaCodecH264DecContext; 
@@ -56,8 +53,6 @@ static av_cold int mediacodec_decode_close(AVCodecContext *avctx) ff_mediacodec_dec_close(avctx, s->ctx); s->ctx = NULL; -av_fifo_free(s->fifo); - av_packet_unref(&s->buffered_pkt); return 0; @@ -400,12 +395,6 @@ static av_cold int mediacodec_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_INFO, "MediaCodec started successfully, ret = %d\n", ret); -s->fifo = av_fifo_alloc(sizeof(AVPacket)); -if (!s->fifo) { -ret = AVERROR(ENOMEM); -goto done; -} - done: if (format) { ff_AMediaFormat_delete(format); @@ -418,13 +407,33 @@ done: return ret; } +static int mediacodec_send_receive(AVCodecContext *avctx, + MediaCodecH264DecContext *s, + AVFrame *frame, bool wait) +{ +int ret; + +/* send any pending data from buffered packet */ +while (s->buffered_pkt.size) { +ret = ff_mediacodec_dec_send(avctx, s->ctx, &s->buffered_pkt); +if (ret == AVERROR(EAGAIN)) +break; +else if (ret < 0) +return ret; +s->buffered_pkt.size -= ret; +s->buffered_pkt.data += ret; +if (s->buffered_pkt.size <= 0) +av_packet_unref(&s->buffered_pkt); +} + +/* check for new frame */ +return ff_mediacodec_dec_receive(avctx, s->ctx, frame, wait); +} + static int mediacodec_receive_frame(AVCodecContext *avctx, AVFrame *frame) { MediaCodecH264DecContext *s = avctx->priv_data; int ret; -int got_frame = 0; -int is_eof = 0; -AVPacket pkt = { 0 }; /* * MediaCodec.flush() discards both input and output buffers, thus we 
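Review bot: The `while (s->buffered_pkt.size)` loop in mediacodec_send_receive() uses the return value of ff_mediacodec_dec_send() as a byte count without bounding it. A return of 0 would leave `size` and `data` unchanged and the loop would never terminate, and a return larger than `s->buffered_pkt.size` would advance `data` past the packet before the `<= 0` test unrefs it. The callee is not visible in this hunk, so unless it already guarantees `0 < ret <= size`, add a guard after the error check such as `if (ret == 0 || ret > s->buffered_pkt.size) return AVERROR_BUG;`. A one-line comment stating that contract next to the loop would help either way.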
@@ -452,74 +461,34 @@ static int mediacodec_receive_frame(AVCodecContext *avctx, AVFrame *frame) } } -ret = ff_decode_get_packet(avctx, &pkt); -if (ret == AVERROR_EOF) -is_eof = 1; -else if (ret == AVERROR(EAGAIN)) -; /* no input packet, but fallthrough to check for pending frames */ -else if (ret < 0) +/* flush buffered packet and check for new frame */ +ret = mediacodec_send_receive(avctx, s, frame, false); +if (ret != AVERROR(EAGAIN)) return ret; -/* buffer the input packet */ -if (pkt.size) { -if (av_fifo_space(s->fifo) < sizeof(pkt)) { -ret = av_fifo_realloc2(s->fifo, - av_fifo_size(s->fifo) + sizeof(pkt)); -if (ret < 0) { -av_packet_unref(&pkt); -return ret; -} -} -av_fifo_generic_write(s->fifo, &pkt, sizeof(pkt), NULL); -} - -/* process buffered data */ -while (!got_frame) { -/* prepare the input data */ -if (s->buffered_pkt.size <= 0) { -av_packet_unref(&s->buffered_pkt); - -/* no more data */ -if (av_fifo_size(s->fifo) < sizeof(AVPacket)) { -AVPacket null_pkt = { 0 }; -
[FFmpeg-cvslog] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 15 17:50:12 2017 +0100| [01f2bc5ec89bc50fe917c789be5d860500fc7c4a] | committer: Michael Niedermayer avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01f2bc5ec89bc50fe917c789be5d860500fc7c4a --- libavcodec/hevc_sei.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 9cf5e80010..190c18740e 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { +if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) +return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { +if (get_bits_left(gb) < 8 + 8LL*payload_size) +return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
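Review bot: The second loop's guard `get_bits_left(gb) < 8 + 8LL*payload_size` is evaluated before the next byte is added, so the final `payload_size` that leaves the loop has not itself been compared with the bits that remain. Unless code after this hunk already does so (decode_nal_sei_message continues outside it), a check after the loop such as `if (get_bits_left(gb) < 8LL*payload_size) return AVERROR_INVALIDDATA;` would close that gap. It is also worth a comment that this guard is what keeps `payload_size += byte` from overflowing, since unlike the first loop there is no explicit `INT_MAX - 255` test.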
[FFmpeg-cvslog] libavfilter/af_dcshift.c: Fixed repeated spelling error
ffmpeg | branch: release/3.0 | Kelly Ledford | Tue Dec 12 11:31:23 2017 -0800| [95139c4480b009f4f506d815e1340d931d2ade19] | committer: Michael Niedermayer libavfilter/af_dcshift.c: Fixed repeated spelling error 'threshhold' should be 'threshold' Signed-off-by: Kelly Ledford Signed-off-by: Michael Niedermayer (cherry picked from commit bc219082bb04b9a4725bfe7e78ce0950244e6e84) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95139c4480b009f4f506d815e1340d931d2ade19 --- libavfilter/af_dcshift.c | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/af_dcshift.c b/libavfilter/af_dcshift.c index 7332c12b19..5dbe40824c 100644 --- a/libavfilter/af_dcshift.c +++ b/libavfilter/af_dcshift.c @@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; -double limiterthreshhold; +double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ static av_cold int init(AVFilterContext *ctx) { DCShiftContext *s = ctx->priv; -s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); +s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } 
@@ -106,14 +106,14 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) d = src[j]; -if (d > s->limiterthreshhold && dcshift > 0) { -d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; -} else if (d < -s->limiterthreshhold && dcshift < 0) { -d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; +if (d > s->limiterthreshold && dcshift > 0) { +d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; +} else if (d < -s->limiterthreshold && dcshift < 0) { +d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sat Dec 2 21:53:22 2017 +0100| [4a5ec6226b858b1ec88b37c4e602c3b179539c04] | committer: Michael Niedermayer avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() Fixes: runtime error: signed integer overflow: 2147483646 + 2048 cannot be represented in type 'int' Fixes: 4479/clusterfuzz-testcase-minimized-6529894147162112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 610dd74502a58e8bb0f1d8fcbc7015f86b78d70e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a5ec6226b858b1ec88b37c4e602c3b179539c04 --- libavcodec/diracdsp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/diracdsp.c b/libavcodec/diracdsp.c index ab8d1497f7..33c8a6cb1e 100644 --- a/libavcodec/diracdsp.c +++ b/libavcodec/diracdsp.c @@ -159,10 +159,10 @@ static void put_signed_rect_clamped_ ## PX ## bit_c(uint8_t *_dst, int dst_strid int32_t *src = (int32_t *)_src; \ for (y = 0; y < height; y++) { \ for (x = 0; x < width; x+=4) { \ -dst[x ] = av_clip_uintp2(src[x ] + (1 << (PX - 1)), PX); \ -dst[x+1] = av_clip_uintp2(src[x+1] + (1 << (PX - 1)), PX); \ -dst[x+2] = av_clip_uintp2(src[x+2] + (1 << (PX - 1)), PX); \ -dst[x+3] = av_clip_uintp2(src[x+3] + (1 << (PX - 1)), PX); \ +dst[x ] = av_clip_uintp2(src[x ] + (1U << (PX - 1)), PX); \ +dst[x+1] = av_clip_uintp2(src[x+1] + (1U << (PX - 1)), PX); \ +dst[x+2] = av_clip_uintp2(src[x+2] + (1U << (PX - 1)), PX); \ +dst[x+3] = av_clip_uintp2(src[x+3] + (1U << (PX - 1)), PX); \ } \ dst += dst_stride >> 1; \ src += src_stride >> 2; \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
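Review bot: With `1U` the sum `src[x] + (1U << (PX - 1))` is computed as unsigned and converted back to int when it is passed to av_clip_uintp2(), so an input near INT_MAX now wraps to a negative value and is clipped to 0 rather than to the maximum. That removes the undefined behaviour the fuzzer reported, but the wrap is silent and nothing in the macro says it is intended. A comment above the four lines, for example `/* unsigned add on purpose: wraps instead of overflowing, out-of-range input is not saturated */`, would record the trade-off. The macro body starts and ends outside this hunk.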
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97*
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sat Dec 2 21:48:04 2017 +0100| [a5a6d2dc75169918dec79e22aec146471e26db23] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* Fixes: 4478/clusterfuzz-testcase-minimized-4752113767809024 Fixes: runtime error: signed integer overflow: -2147483626 + -319489 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5e9a13a5a33bf7566591216e335f2529612100bb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a5a6d2dc75169918dec79e22aec146471e26db23 --- libavcodec/dirac_dwt.h | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index eb5aebc878..50c8b1e394 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -117,16 +117,16 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ -(b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ -(b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) +((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ -(b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ -(b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) +((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
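Review bot: The four COMPOSE_DAUB97* macros now evaluate to `unsigned` instead of `int`, because `(unsigned)(b1)` makes the outer addition or subtraction unsigned. That is harmless when the result is stored straight into an int, but any user that right-shifts, compares or divides the macro result gets unsigned semantics, and the users are outside this hunk. Casting the whole expression back, e.g. `(int)((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12))`, keeps the type callers had before, as the COMPOSE_DD97iH0 change elsewhere on this page does. `b0` and `b2` are also used without parentheses, so `(unsigned)b2` would cast only part of an argument that is an expression.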
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 15 13:06:30 2017 +0100| [b7f48cd0444ba62fc21fe64b50f737d363c4bffe] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() Fixes: runtime error: left shift of negative value -3 Fixes: 4524/clusterfuzz-testcase-minimized-6055590120914944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 439fbb9c8b2a90e97c44c7c57245e01ca84c865d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7f48cd0444ba62fc21fe64b50f737d363c4bffe --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 8ae193d2ea..57d18bd176 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -1057,7 +1057,7 @@ static void FUNC(put_hevc_qpel_bi_w_hv)(uint8_t *_dst, ptrdiff_t _dststride, uin for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
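Review bot: The rewritten term `(ox0 + ox1 + 1) * (1 << log2Wd)` carries no comment explaining why a multiplication replaces the shift, so a later cleanup could turn it back into `<<` and reintroduce the undefined shift of a negative value. A short comment such as `/* multiply, not <<: ox0 + ox1 + 1 can be negative */` would prevent that. The same rewrite appears in put_hevc_qpel_bi_w_h and put_hevc_qpel_bi_w_v in a later message on this page and deserves the same comment. The signed multiplication can still overflow if the offsets are not range-limited by the caller, which cannot be seen from this hunk.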
[FFmpeg-cvslog] avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Tue Dec 26 23:24:44 2017 +0100| [6fab791daade82f85234312577782e202323db4d] | committer: Michael Niedermayer avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() Fixes: signed integer overflow: 2 * 1629495328 cannot be represented in type 'int' Fixes: 4716/clusterfuzz-testcase-minimized-5835915940331520 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d23f7a0969bf76ad6dcdc2c4a5cd3ae884745a8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fab791daade82f85234312577782e202323db4d --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index f552bbbdad..f95f795f5e 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -287,7 +287,7 @@ static int decode_subframe_fixed(FLACContext *s, int32_t *decoded, if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) -d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; +d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
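Review bot: Only the multiplication is moved to unsigned arithmetic here; in `d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];` the leftmost subtraction `c - decoded[pred_order-2]` is still evaluated first, and it is a signed operation if `c` is an int (its declaration is outside the hunk). The same applies to the unchanged `c = b - decoded[pred_order-2] + decoded[pred_order-3];` line above it. Starting the expression unsigned, `d = (unsigned)c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4];`, makes every step wrap instead of overflowing. decode_subframe_fixed starts and ends outside the hunk.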
[FFmpeg-cvslog] avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Tue Dec 26 23:24:45 2017 +0100| [844a9b439b27fe205c445b8d4d8b43ffefd326d3] | committer: Michael Niedermayer avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() Fixes: left shift of negative value -1 Fixes: 4690/clusterfuzz-testcase-minimized-6117482428366848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d135f3c514ac1723256c8e0f5cdd466fe98a2578) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=844a9b439b27fe205c445b8d4d8b43ffefd326d3 --- libavcodec/hevcdsp_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 4d2e6bf453..65dd179d0d 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -921,7 +921,7 @@ static void FUNC(put_hevc_qpel_bi_w_h)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -976,7 +976,7 @@ static void FUNC(put_hevc_qpel_bi_w_v)(uint8_t *_dst, ptrdiff_t _dststride, uint for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + -((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); +((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avfilter/formats: fix wrong function name in error message
ffmpeg | branch: release/3.0 | Jun Zhao | Mon Dec 4 12:50:34 2017 +0800| [e512c83e63fced446d050da564c38ec722b08840] | committer: Michael Niedermayer avfilter/formats: fix wrong function name in error message Use perdefined micro __FUNCTION__ rather than hard coding function name to fix wrong function name in error message. Signed-off-by: Jun Zhao Signed-off-by: Michael Niedermayer (cherry picked from commit 4280948702bc256e21c375790b889c735d233b0d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e512c83e63fced446d050da564c38ec722b08840 --- libavfilter/formats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index f12dcf4783..8cb77b27b1 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -72,7 +72,7 @@ do { for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ -av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ +av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
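Review bot: `__FUNCTION__` in the new av_log() call is a compiler extension, whereas C99 provides `__func__` with the same meaning. Writing the line as `av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __func__); \` keeps the behaviour and avoids depending on the extension. The macro this line belongs to starts and ends outside the hunk.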
[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in voice_factor()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Thu Dec 7 15:32:54 2017 +0100| [4d0a4601015b83c52990e5d5d8fb34c321a7d484] | committer: Michael Niedermayer avcodec/amrwbdec: Fix division by 0 in voice_factor() The added value matches "Digital cellular telecommunications system (Phase 2+) (GSM); Universal Mobile Telecommunications System (UMTS); LTE; Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code (3GPP TS 26.304 version 14.0.0 Release 14) Extended Adaptive Multi-Rate - Wideband (AMR-WB+) codec; Floating-point ANSI-C code" Fixes: runtime error: division by zero Fixes: 4415/clusterfuzz-testcase-minimized-4677752314658816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1d0817d56b66797118880358ea7d7a2acfdca429) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d0a4601015b83c52990e5d5d8fb34c321a7d484 --- libavcodec/amrwbdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 1431870fa3..328b754e7e 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -614,7 +614,7 @@ static float voice_factor(float *p_vector, float p_gain, AMRWB_SFR_SIZE) * f_gain * f_gain; -return (p_ener - f_ener) / (p_ener + f_ener); +return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
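Review bot: The added constant in `(p_ener + f_ener + 0.01)` is a double literal, so the denominator and the division are promoted to double before the result is narrowed to the function's float return type. If `p_ener` and `f_ener` are floats (their declarations are outside the hunk), `return (p_ener - f_ener) / (p_ener + f_ener + 0.01f);` keeps the computation in single precision. The constant also deserves a comment naming its origin, since the commit message cites the 3GPP TS 26.304 reference code but the source line does not.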
[FFmpeg-cvslog] avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 15 18:17:13 2017 +0100| [09d61d3b81ce758c165c290cb3369e5d6917ef98] | committer: Michael Niedermayer avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() Fixes: signed integer overflow: 2147483647 + 1073741824 cannot be represented in type 'int' Fixes: 4555/clusterfuzz-testcase-minimized-4505532481142784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0ee143558d55b590774dba69cff5a16eda089a4d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09d61d3b81ce758c165c290cb3369e5d6917ef98 --- libavcodec/hevc_cabac.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index d1bef8320f..99e6731d5d 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -633,8 +633,10 @@ int ff_hevc_cu_qp_delta_abs(HEVCContext *s) suffix_val += 1 << k; k++; } -if (k == CABAC_MAX_BIN) +if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); +return AVERROR_INVALIDDATA; +} while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
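Review bot: ff_hevc_cu_qp_delta_abs() can now return a negative AVERROR_INVALIDDATA, although its name suggests it yields a magnitude. Its callers are not part of this hunk; any caller that stores the result as a QP delta, or negates it according to a sign flag, would turn the error code into an ordinary-looking value unless it tests for `< 0` first. Please confirm the call sites do that, and document the new return on the function, for example `/* returns the absolute delta, or a negative AVERROR code on invalid data */`.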
[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 7 04:12:57 2018 +0100| [3cad8e730e06ab66bce5a160263452334c09dc68] | committer: Michael Niedermayer avcodec/jpeg2000dsp: Fix integer overflows in ict_int() Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int' Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3cad8e730e06ab66bce5a160263452334c09dc68 --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index 85a12d0e9b..90e73b1e20 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { -i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); +i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
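Review bot: The multiplications are now unsigned, but the outer sums on the same lines are not: `*src0 + *src2 + (...)` for `i0`, and `*src0 + (2 * *src1) + (...)` on the unchanged `i2` line, are still signed if the sample pointers are int pointers (their declarations are outside the hunk). Input large enough to overflow `26345 * *src2` is also large enough to overflow those additions. Casting the first operand, e.g. `i0 = (unsigned)*src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16);`, would make the whole expression wrap. ict_int starts and ends outside the hunk.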
[FFmpeg-cvslog] avcodec/exr: Check buf_size more completely
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 29 03:00:19 2017 +0100| [9143ddea0f160a739c380fd6912decf771b32bb0] | committer: Michael Niedermayer avcodec/exr: Check buf_size more completely Fixes: Out of heap array read Fixes: 4683/clusterfuzz-testcase-minimized-6152313673613312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 903be5e4f66268273dc6e3c42a7fdeaab32066ef) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9143ddea0f160a739c380fd6912decf771b32bb0 --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 292707cd0a..c1490e521a 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -849,7 +849,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, line_offset = AV_RL64(s->gb.buffer + jobnr * 8); // Check if the buffer has the required bytes needed from the offset -if (line_offset > buf_size - 8) +if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -858,7 +858,7 @@ static int decode_block(AVCodecContext *avctx, void *tdata, return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); -if (data_size <= 0 || data_size > buf_size) +if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
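Review bot: The new bound `data_size > buf_size - line_offset - 8` subtracts `line_offset`, which is read from the file with AV_RL64, and is only meaningful because the earlier check has already established `line_offset <= buf_size - 8`. The declarations are outside these hunks; if `line_offset` is an unsigned 64-bit value, removing or reordering the first check would turn this limit into a wrapped, very large number that never rejects anything. A comment on the second check, such as `/* line_offset <= buf_size - 8 was verified above, so this cannot wrap */`, would record that dependency. decode_block starts and ends outside both hunks.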
[FFmpeg-cvslog] avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant)
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 22 03:12:03 2017 +0100| [b3af84774b03b1b48d919be2514a84b35ca91fe7] | committer: Michael Niedermayer avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) Fixes: runtime error: left shift of negative value -180 Fixes: 4626/clusterfuzz-testcase-minimized-5647837887987712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9ab5ef9c1ee852c80c859c9e07efe8730b57ed) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3af84774b03b1b48d919be2514a84b35ca91fe7 --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 57d18bd176..4d2e6bf453 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -125,7 +125,7 @@ static void FUNC(transform_skip)(int16_t *_coeffs, int16_t log2_size) } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { -*coeffs = *coeffs << -shift; +*coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
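Review bot: `*(uint16_t*)coeffs << -shift` still performs the shift in `int`, because a uint16_t operand is promoted before shifting; it is defined only while the value times 2^-shift fits in an int, which depends on the range of `shift` computed outside this hunk. A value cast, `*coeffs = (uint16_t)*coeffs << -shift;`, expresses the same thing without reinterpreting the pointer. A short comment that the cast exists to avoid left-shifting a negative coefficient would keep it from being removed as redundant.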
[FFmpeg-cvslog] avcodec/h264_slice: Do not attempt to render into frames already output
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 3 23:42:01 2018 +0100| [06325d77bf12dead2126e42cf89a7fd601691a5f] | committer: Michael Niedermayer avcodec/h264_slice: Do not attempt to render into frames already output Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3ab9883cef017e513c7d0b3b986b3b3e7b Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=06325d77bf12dead2126e42cf89a7fd601691a5f --- libavcodec/h264_slice.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index c0b3b67e49..0afd49bac5 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1633,6 +1633,12 @@ int ff_h264_decode_slice_header(H264Context *h, H264SliceContext *sl) h->missing_fields ++; h->cur_pic_ptr = NULL; h->first_field = FIELD_PICTURE(h); +} else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { +/* This frame was already output, we cannot draw into it + * anymore. + */ +h->first_field = 1; +h->cur_pic_ptr = NULL; } else { h->missing_fields = 0; if (h->cur_pic_ptr->frame_num != h->frame_num) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
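Review bot: The new `DELAYED_PIC_REF` branch leaves `h->missing_fields` untouched, while the branch before it increments the counter and the branch after it resets it to 0. If that is deliberate it should be said in the comment; otherwise decide which of the two the already-output case should follow. The branch also sets `h->first_field = 1` where its neighbour uses `FIELD_PICTURE(h)`, and it drops the picture without any av_log() call, which makes this path hard to spot when triaging a damaged stream. ff_h264_decode_slice_header extends beyond the hunk.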
[FFmpeg-cvslog] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
ffmpeg | branch: release/3.0 | Michael Niedermayer | Thu Jan 11 22:47:10 2018 +0100| [c7e98ee6e08a0bc4a281a3dc4a403ddcc76fe542] | committer: Michael Niedermayer avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one Fixes high pitched shriek Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4 Reported-by: Dale Curtis Reviewed-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7e98ee6e08a0bc4a281a3dc4a403ddcc76fe542 --- libavcodec/arm/sbrdsp_neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S index e66abd682a..003b04ea05 100644 --- a/libavcodec/arm/sbrdsp_neon.S +++ b/libavcodec/arm/sbrdsp_neon.S @@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1 vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! -vld1.32 {d3[]}, [r2,:32]! +vld1.32 {d18[]}, [r2,:32]! vceq.f32d4, d2, #0 veord2, d2, d3 vmovd1, d0 -vmla.f32d0, d6, d3 +vmla.f32d0, d6, d18 vadd.f32s2, s2, s4 vbifd0, d1, d4 vst1.32 {d0}, [r0,:64]! ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
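Review bot: Nothing in the new code records why the r2 load goes to d18, so the same mistake is easy to reintroduce: `veor d2, d2, d3` two lines later still reads d3, which is the value the old `vld1.32 {d3[]}` load overwrote. A comment on the load, for example `@ d3 is still read by the veor below, keep this load out of it`, would make the constraint visible. Whether d18 is unused elsewhere in ff_sbr_hf_apply_noise_0_neon, or in any code that shares this body, cannot be checked from the hunk.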
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Dec 22 03:06:14 2017 +0100| [a0bcc6cced1af58e5ebf19e56281798dfef1f320] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() Fixes: runtime error: signed integer overflow: 2147483646 + 33554433 cannot be represented in type 'int' Fixes: 4563/clusterfuzz-testcase-minimized-5438979567517696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4d70fbeec8cbab072b3a9b9f760b8deaaef240f2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a0bcc6cced1af58e5ebf19e56281798dfef1f320 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 50c8b1e394..f9828d95a4 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ -(b2 + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)) +(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ -(b2 - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)) +(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ (b0 - ((b1 + 1) >> 1)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
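Review bot: In both rewritten macros the inner expression still begins with `-b0`, a signed negation that is evaluated before any unsigned operand joins, so it overflows when `b0` is INT_MIN (assuming int arguments, which the hunk does not show). Writing the term as `-(unsigned)(b0)`, e.g. `(int)(((unsigned)(b2) + ((int)(-(unsigned)(b0) + 9U*(b1) + 9U*(b3) - (b4) + 8) >> 4)))`, makes the whole inner sum wrap. The parentheses around the arguments in that form also protect against an argument that is itself an expression.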
[FFmpeg-cvslog] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
ffmpeg | branch: release/3.0 | Nikolas Bowe | Thu Jan 18 15:21:56 2018 -0800| [9d0b3fa58c4b12cb0203440f9c2d5f172d4f1792] | committer: Michael Niedermayer avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() Signed-off-by: Michael Niedermayer (cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d0b3fa58c4b12cb0203440f9c2d5f172d4f1792 --- libavformat/matroskadec.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 76b9c8d0c2..0451c33fe7 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1782,8 +1782,16 @@ static int matroska_parse_tracks(AVFormatContext *s) } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { -if (!track->default_duration && track->video.frame_rate > 0) -track->default_duration = 10 / track->video.frame_rate; +if (!track->default_duration && track->video.frame_rate > 0) { +double default_duration = 10 / track->video.frame_rate; +if (default_duration > UINT64_MAX || default_duration < 0) { +av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); +} else { +track->default_duration = default_duration; +} +} if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
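Review bot: The range test `default_duration > UINT64_MAX` lets one out-of-range value through, because UINT64_MAX is not representable as a double and is converted to 2^64 for the comparison. A `default_duration` of exactly 2^64 therefore passes the check and the following conversion to an unsigned 64-bit field is still undefined. Using `if (default_duration >= UINT64_MAX || default_duration < 0) {` rejects it. The type of `track->default_duration` is declared outside the hunk and is assumed here to be a 64-bit unsigned integer.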
[FFmpeg-cvslog] avcodec/utils: Avoid hardcoding duplicated types in sizeof()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jun 4 01:53:58 2017 +0200| [222ac346127e2cba983f9368752398d58cbfad36] | committer: Michael Niedermayer avcodec/utils: Avoid hardcoding duplicated types in sizeof() Signed-off-by: Michael Niedermayer (cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=222ac346127e2cba983f9368752398d58cbfad36 --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 72fd686e34..cfdfab7f7a 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1209,7 +1209,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (ret < 0) return ret; -avctx->internal = av_mallocz(sizeof(AVCodecInternal)); +avctx->internal = av_mallocz(sizeof(*avctx->internal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); goto end; @@ -2534,7 +2534,7 @@ void avsubtitle_free(AVSubtitle *sub) av_freep(&sub->rects); -memset(sub, 0, sizeof(AVSubtitle)); +memset(sub, 0, sizeof(*sub)); } av_cold int avcodec_close(AVCodecContext *avctx) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/flacdec: avoid undefined shift
ffmpeg | branch: release/3.0 | Michael Niedermayer | Tue Dec 26 23:24:43 2017 +0100| [f08be2b3d2ad9ed86d99e3391562facf44ea46b0] | committer: Michael Niedermayer avcodec/flacdec: avoid undefined shift Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 4688/clusterfuzz-testcase-minimized-6572210748653568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 560daf88913b0de59a4d845bcd19254b406388dd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f08be2b3d2ad9ed86d99e3391562facf44ea46b0 --- libavcodec/flacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index c372c1b91d..f552bbbdad 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -445,7 +445,7 @@ static inline int decode_subframe(FLACContext *s, int channel) return AVERROR_INVALIDDATA; } -if (wasted) { +if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
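Review bot: With `wasted && wasted < 32`, a subframe whose wasted-bits count is 32 or more is no longer shifted but is still decoded and returned as valid, so the invalid value is silently ignored rather than reported. If no earlier check in decode_subframe() (not visible here) already bounds `wasted` against the sample size, rejecting it is clearer: `if (wasted >= 32) return AVERROR_INVALIDDATA;` before the shift loop. Otherwise a comment naming where the bound is enforced would explain the bare 32.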
[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 14 00:39:39 2018 +0100| [7d5ca21698112b0a9af49c6ac0023b29a2d959c8] | committer: Michael Niedermayer avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7d5ca21698112b0a9af49c6ac0023b29a2d959c8 --- libavcodec/ac3dec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 56b62548ec..ef5fa5501a 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -64,8 +64,8 @@ static void scale_coefs ( int dynrng, int len) { -int i, shift, round; -unsigned mul; +int i, shift; +unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
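Review bot: The reason `round` is now unsigned cannot be seen at the declaration, and its uses in scale_coefs() are outside this hunk. A short comment such as `/* unsigned: adding round must wrap instead of overflowing on out-of-range coefficients */` would keep a later cleanup from turning it back into int. It is also worth confirming that no expression made unsigned by `round` is right-shifted before being stored in an int, since that would change the result for negative coefficients.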
[FFmpeg-cvslog] avcodec/ulti: Check number of blocks at init
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Jan 15 19:03:48 2018 +0100| [e5296dfffaad9e8c61db88d6862c23cae08e35bc] | committer: Michael Niedermayer avcodec/ulti: Check number of blocks at init Fixes: Timeout Fixes: 4832/clusterfuzz-testcase-4699096590843904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5296dfffaad9e8c61db88d6862c23cae08e35bc --- libavcodec/ulti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c index e6f4374981..9e4c088b10 100644 --- a/libavcodec/ulti.c +++ b/libavcodec/ulti.c @@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); +if (s->blocks == 0) +return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
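Review bot: The new `s->blocks == 0` rejection returns without a log message, so a file refused for being narrower or shorter than one 8x8 block fails with no hint of the cause. Adding `av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %dx%d\n", avctx->width, avctx->height);` before the return would make the rejection diagnosable. ulti_decode_init() continues outside the hunk.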
[FFmpeg-cvslog] configure: bump year
ffmpeg | branch: release/3.0 | Carl Eugen Hoyos | Mon Jan 1 18:05:55 2018 +0100| [e858326086c60a9820db7977666515787ce244ed] | committer: Michael Niedermayer configure: bump year Happy new year! (cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e858326086c60a9820db7977666515787ce244ed --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 090a938136..ee88da5d38 100755 --- a/configure +++ b/configure @@ -6412,7 +6412,7 @@ cat > $TMPH
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 7 20:58:49 2018 +0100| [6164ca476570f5204882177b39f37eef5a2182b6] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800 Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6164ca476570f5204882177b39f37eef5a2182b6 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9828d95a4..1af41e0702 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ -(b0 - ((b1 + 1) >> 1)) +((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ -(b0 + b1) +((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
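Review bot: The rewritten COMPOSE_HAARiL0() and COMPOSE_HAARiH0() use `b0` and `b1` without parentheses, unlike the `(unsigned)(b2)` form in the context line above them. An argument that is itself an expression with a lower-precedence operator would bind wrongly. Suggested: `((int)((b0) - (unsigned)((int)((b1) + 1U) >> 1)))` and `((int)((b0) + (unsigned)(b1)))`, which leave the arithmetic unchanged.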
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow with quant
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 7 20:43:24 2018 +0100| [b4d9605c67181f107b23fe38419e9120eee70823] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow with quant Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int' Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b4d9605c67181f107b23fe38419e9120eee70823 --- libavcodec/diracdec.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 69ff083157..2cdebe8700 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -516,16 +516,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { -int quant = b->quant; +int quant; if (is_arith) -quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); +quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else -quant += dirac_get_se_golomb(gb); -if (quant < 0) { +quant = dirac_get_se_golomb(gb); +if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } -b->quant = quant; +b->quant += quant; } if (b->quant > 115) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
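Review bot: The overflow test `quant > INT_MAX - b->quant` is only safe while `b->quant` is non-negative, because a negative `b->quant` would make `INT_MAX - b->quant` overflow in turn. The invariant appears to hold because this same check keeps the sum non-negative, but the initial value of `b->quant` is set outside the hunk. A comment on the condition, e.g. `/* b->quant is >= 0 here, so INT_MAX - b->quant cannot overflow */`, would make the reasoning explicit. codeblock() starts and ends outside the hunk.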
[FFmpeg-cvslog] avcodec/dnxhddec: Check dc vlc
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 3 23:42:00 2018 +0100| [0c753a46efe2ec43bd2f1c5bbdd4c46e83af421e] | committer: Michael Niedermayer avcodec/dnxhddec: Check dc vlc Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0c753a46efe2ec43bd2f1c5bbdd4c46e83af421e --- libavcodec/dnxhddec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index bf14869ac9..5f772b99a9 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -356,6 +356,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, UPDATE_CACHE(bs, &row->gb); GET_VLC(len, bs, &row->gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1); +if (len < 0) { +ret = len; +goto error; +} if (len) { level = GET_CACHE(bs, &row->gb); LAST_SKIP_BITS(bs, &row->gb, len); @@ -409,7 +413,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, GET_VLC(index1, bs, &row->gb, ctx->ac_vlc.table, DNXHD_VLC_BITS, 2); } - +error: CLOSE_READER(bs, &row->gb); return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
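Review bot: `ret = len;` hands the raw VLC result to the caller as the error code; if GET_VLC yields -1 for an unmatched code, that is not one of the AVERROR values a decoder normally returns for damaged input. `ret = AVERROR_INVALIDDATA;` states the failure explicitly. The new `error:` label is also reached by the normal fall-through path in the second hunk, so a neutral name such as `end:` would read more accurately. dnxhd_decode_dct_block() extends beyond both hunks.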
[FFmpeg-cvslog] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sat Jan 20 04:10:50 2018 +0100| [a8ce9d518b2980e0ab2c6cbbc29e04a197e41f83] | committer: Michael Niedermayer avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int' Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a8ce9d518b2980e0ab2c6cbbc29e04a197e41f83 --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f077f0e4bd..97c38f7f08 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ -CD[0] = CHR[1] - last[1];\ -CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ +CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ +CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow before htaps check
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Jan 15 03:03:36 2018 +0100| [dfb84488428bae5fe3aacecdb06f934c607a7e44] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow before htaps check Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dfb84488428bae5fe3aacecdb06f934c607a7e44 --- libavcodec/snowdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index df425b8cf3..00fa064102 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){ int htaps, i, sum=0; Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); -htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; -if((unsigned)htaps >= HTAPS_MAX || htaps==0) +htaps= get_symbol(&s->c, s->header_state, 0); +if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; +htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
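Review bot: The rewritten bound `(unsigned)htaps >= HTAPS_MAX/2 - 1` replaces two explicit tests, and its equivalence to them is not obvious when reading decode_header(). A comment such as `/* same as 2*htaps + 2 >= HTAPS_MAX; the cast also rejects negative symbols */` would document it. The equivalence is exact only for an even HTAPS_MAX, whose definition is outside this hunk.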
[FFmpeg-cvslog] avformat/lrcdec: Fix memory leak in lrc_read_header()
ffmpeg | branch: release/3.0 | Nikolas Bowe | Fri Jan 19 13:17:07 2018 -0800| [23af1858fe2e4d4fdb3116f501e4a5021327440e] | committer: Michael Niedermayer avformat/lrcdec: Fix memory leak in lrc_read_header() Signed-off-by: Michael Niedermayer (cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23af1858fe2e4d4fdb3116f501e4a5021327440e --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index d3655fccd5..1f0533f2d1 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s) } ff_subtitles_queue_finalize(s, &lrc->q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); +av_bprint_finalize(&line, NULL); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
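Review bot: `av_bprint_finalize(&line, NULL);` is added only on the success path before `return 0`. Any error return that lrc_read_header() takes after `line` has been initialised, which this hunk does not show, would still leave the buffer allocated. Routing those returns through one cleanup label that calls `av_bprint_finalize(&line, NULL);` would cover them as well.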
[FFmpeg-cvslog] avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Jan 5 22:12:07 2018 +0100| [c17cc8ee4ffb2f1c876697df418f51e1f569512b] | committer: Michael Niedermayer avcodec/opus_parser: Check payload_len in parse_opus_ts_header() Fixes: clusterfuzz-testcase-minimized-6134545979277312 Fixes: crbug 797469 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c17cc8ee4ffb2f1c876697df418f51e1f569512b --- libavcodec/opus_parser.c | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c index c30fd7bbd4..1c61c0077f 100644 --- a/libavcodec/opus_parser.c +++ b/libavcodec/opus_parser.c @@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; +uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(&gb, buf, buf_len); @@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; -*payload_len = 0; +payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte(&gb) == 0xff) -*payload_len += bytestream2_get_byte(&gb); +payload_len_tmp += bytestream2_get_byte(&gb); -*payload_len += bytestream2_get_byte(&gb); +payload_len_tmp += bytestream2_get_byte(&gb); if (start_trim_flag) bytestream2_skip(&gb, 2); @@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le bytestream2_skip(&gb, control_extension_length); } +if (bytestream2_tell(&gb) + payload_len_tmp > buf_len) +return NULL; + +*payload_len = payload_len_tmp; + return buf + bytestream2_tell(&gb); } 
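Review bot: The new bound `bytestream2_tell(&gb) + payload_len_tmp > buf_len` compares an offset counted from `buf`, which is `start + 1`, against `buf_len`, which appears to be counted from `start`. If so, the check admits a payload that ends one byte past the input. `buf_len` is also a signed int that is converted to uint64_t in the comparison, so a negative length would compare as very large. A stricter form would be `if (buf_len < 1 || bytestream2_tell(&gb) + payload_len_tmp > (uint64_t)buf_len - 1) return NULL;`, to be confirmed against how the caller computes the length.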
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx, state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, &payload_len, buf_size - i); +if (!payload) { +av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); +return AVERROR_INVALIDDATA; +} *header_len = payload - buf; start_found = 1; break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
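Review bot: Returning `AVERROR_INVALIDDATA` from opus_find_frame_end() introduces a negative result into a function whose value is presumably used as a frame boundary. The caller is not part of this hunk, so it should be checked that it tests for a negative result before using the value as an offset or passing it on. The message says "Ogg TS header" although the helper is parse_opus_ts_header(); `"Error parsing Opus TS header.\n"` would match the code.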
[FFmpeg-cvslog] avcodec/dxtory: Fix bits left checks
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Jan 22 14:02:59 2018 +0100| [181c3cbacfae86e2e1935049a11f4d0273fa2351] | committer: Michael Niedermayer avcodec/dxtory: Fix bits left checks Fixes: Timeout Fixes: 4863/clusterfuzz-testcase-6347354178322432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=181c3cbacfae86e2e1935049a11f4d0273fa2351 --- libavcodec/dxtory.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index fc1936985d..19c7dbb012 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -325,7 +325,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); @@ -391,7 +391,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); 
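Review bot: The new per-row limits are bare constants with no statement of what they are derived from: `6 * width` here and in dx2_decode_slice_rgb(), dx2_decode_slice_420() and dx2_decode_slice_444(), and `9 * width` in dx2_decode_slice_410(). A comment next to each loop, e.g. `/* minimum bits one iteration can consume; stops early on truncated input */`, would let a reader verify them against the symbol decoder. The 420 and 410 loops consume two and four rows per iteration, so the comment should say which unit the constant covers. It is also not visible in these hunks whether a slice that stops early is reported as an error or returned partly decoded.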
@@ -436,7 +436,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; -for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { +for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) @@ -480,7 +480,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; -for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { +for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -523,7 +523,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Jan 15 23:42:57 2018 +0100| [f7abc14d0d94066a59f7d8affeb76ea564dfab00] | committer: Michael Niedermayer avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down Signed-off-by: Michael Niedermayer (cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f7abc14d0d94066a59f7d8affeb76ea564dfab00 --- libavcodec/hevc_cabac.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 99e6731d5d..c9525596bc 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -977,16 +977,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; -if (prefix == CABAC_MAX_BIN) { -av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); -return 0; -} + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + +if (prefix == CABAC_MAX_BIN) { +av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); +return 0; +} + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/h264addpx_template: Fixes integer overflows
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 7 03:48:43 2018 +0100| [abb7498c3f00482ebf35fd7c02f315de0344b2e7] | committer: Michael Niedermayer avcodec/h264addpx_template: Fixes integer overflows Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int' Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=abb7498c3f00482ebf35fd7c02f315de0344b2e7 --- libavcodec/h264addpx_template.c | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c index 046b6c2e19..a99030c589 100644 --- a/libavcodec/h264addpx_template.c +++ b/libavcodec/h264addpx_template.c @@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 4; i++) { -dst[0] += src[0]; -dst[1] += src[1]; -dst[2] += src[2]; -dst[3] += src[3]; +dst[0] += (unsigned)src[0]; +dst[1] += (unsigned)src[1]; +dst[2] += (unsigned)src[2]; +dst[3] += (unsigned)src[3]; dst += stride; src += 4; 
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 8; i++) { -dst[0] += src[0]; -dst[1] += src[1]; -dst[2] += src[2]; -dst[3] += src[3]; -dst[4] += src[4]; -dst[5] += src[5]; -dst[6] += src[6]; -dst[7] += src[7]; +dst[0] += (unsigned)src[0]; +dst[1] += (unsigned)src[1]; +dst[2] += (unsigned)src[2]; +dst[3] += (unsigned)src[3]; +dst[4] += (unsigned)src[4]; +dst[5] += (unsigned)src[5]; +dst[6] += (unsigned)src[6]; +dst[7] += (unsigned)src[7]; dst += stride; src += 8; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in DC dequantization
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 24 03:28:49 2018 +0100| [269aecafabf84109cce914d236131afc99841cfe] | committer: Michael Niedermayer avcodec/mjpegdec: Fix integer overflow in DC dequantization Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int' Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=269aecafabf84109cce914d236131afc99841cfe --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9a37b3251c..cefb9afdb7 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -686,7 +686,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } -val = val * quant_matrix[0] + s->last_dc[component]; +val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
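Review bot: With `val * (unsigned)quant_matrix[0]` the product wraps modulo 2^32 before `av_clip_int16(val)` runs, so for an oversized DC the clip acts on the wrapped value and can saturate in the opposite direction from the true result. That only affects damaged streams, but it deserves a comment on the line, e.g. `/* unsigned to avoid UB; an out-of-range DC wraps before it is clipped */`. decode_block() continues outside the hunk.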
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check mb_num also against 0
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 28 02:29:00 2018 +0100| [78b1d57a4bc4337816dd5e88b6c2fab20cefdefb] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78b1d57a4bc4337816dd5e88b6c2fab20cefdefb --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index eff809aafc..19ab1ef288 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -459,7 +459,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx) } mb_num = get_bits(&s->gb, mb_num_bits); -if (mb_num >= s->mb_num) { +if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/get_bits: Document the return code of get_vlc2()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 28 02:29:01 2018 +0100| [6a01b65034a1f5b3ca1c08e2fc242123a083cdee] | committer: Michael Niedermayer avcodec/get_bits: Document the return code of get_vlc2() Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6a01b65034a1f5b3ca1c08e2fc242123a083cdee --- libavcodec/get_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 30e9da311f..0ccbf4dfd2 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -574,6 +574,7 @@ void ff_free_vlc(VLC *vlc); * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Jan 15 23:46:44 2018 +0100| [cedd9ea93ea2f71a57e3b1e9fa01bd7b0cf02bba] | committer: Michael Niedermayer avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() I suspect that this can be limited tighter, but i failed to find anything in the spec that would confirm that. Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584 Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cedd9ea93ea2f71a57e3b1e9fa01bd7b0cf02bba --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index c9525596bc..0e4c522bb1 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -985,7 +985,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; -if (prefix == CABAC_MAX_BIN) { +if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
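Review bot: The added condition `prefix_minus3 + rc_rice_param >= 31` shares the `CABAC_MAX_BIN : %d` log line, so a rejection caused by the shift limit is reported as if the prefix limit had been reached. A separate message printing both values, `av_log(s->avctx, AV_LOG_ERROR, "Invalid prefix %d with rice parameter %d\n", prefix, rc_rice_param);`, would make such streams diagnosable. As the commit message says, the limit may not be tight; the expression that consumes the shifted value and adds the suffix lies outside this hunk and should be checked for the case where the two terms total 30 bits.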
[FFmpeg-cvslog] avcodec/hevc_ps: extract one SPS fields required for hvcC construction
ffmpeg | branch: release/3.0 | Aman Gupta | Tue Sep 26 18:04:12 2017 -0700| [d664557023040422ba3b43f7051bb932bee79973] | committer: Michael Niedermayer avcodec/hevc_ps: extract one SPS fields required for hvcC construction Signed-off-by: Aman Gupta Reviewed-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d664557023040422ba3b43f7051bb932bee79973 --- libavcodec/hevc.h| 1 + libavcodec/hevc_ps.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 77f3db8889..0d410bdd86 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -407,6 +407,7 @@ typedef struct HEVCSPS { HEVCWindow pic_conf_win; int bit_depth; +int bit_depth_chroma; int pixel_shift; enum AVPixelFormat pix_fmt; diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 2383d18b21..863ab523eb 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -906,6 +906,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->bit_depth, bit_depth_chroma); return AVERROR_INVALIDDATA; } +sps->bit_depth_chroma = bit_depth_chroma; ret = map_pixel_format(avctx, sps); if (ret < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/indeo5: Do not leave frame_type set to an invalid value
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Jan 26 00:24:49 2018 +0100| [c1a133b610def6b920e9a3dcd0bc9b7771e685a4] | committer: Michael Niedermayer avcodec/indeo5: Do not leave frame_type set to an invalid value Fixes: null pointer dereference Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1a133b610def6b920e9a3dcd0bc9b7771e685a4 --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 5f931c8b98..5028def4bc 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); +ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
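Review bot: The reset `ctx->frame_type = FRAMETYPE_INTRA;` carries no comment explaining why a rejected header is recorded as an intra frame, and the out-of-range value is still stored in the context before it is validated. Reading into a local first, `int type = get_bits(&ctx->gb, 3);`, and assigning `ctx->frame_type = type;` only after the range check would avoid the invalid intermediate state, provided that keeping the previous frame type on error is acceptable to the code that follows. Otherwise a comment such as `/* never leave an out-of-range type in the context */` is enough. decode_pic_hdr() continues outside the hunk.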
[FFmpeg-cvslog] avfilter/vf_transpose: Fix used plane count.
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 24 19:38:05 2018 +0100| [5d06804b313677c149f106a8dba97988ad064385] | committer: Michael Niedermayer avfilter/vf_transpose: Fix used plane count. Fixes out of array access Fixes: poc.mp4 Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235) (cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d06804b313677c149f106a8dba97988ad064385 --- libavfilter/vf_transpose.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 9555ff20c8..8f2ff8e33c 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ enum TransposeDir { typedef struct TransContext { const AVClass *class; int hsub, vsub; +int planes; int pixsteps[4]; int passthrough;///< PassthroughType, landscape passthrough mode enabled @@ -106,6 +108,10 @@ static int config_props_output(AVFilterLink *outlink) s->hsub = desc_in->log2_chroma_w; s->vsub = desc_in->log2_chroma_h; +s->planes = av_pix_fmt_count_planes(outlink->format); + +av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out); @@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, AVFrame *in = td->in; int plane; -for (plane = 0; out->data[plane]; plane++) { +for (plane = 0; plane < s->planes; plane++) { int hsub= plane == 1 || plane == 2 ? s->hsub : 0; int vsub= plane == 1 || plane == 2 ? s->vsub : 0; int pixstep = s->pixsteps[plane]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
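Review bot: In the config_props_output() hunk the result of `av_pix_fmt_count_planes(outlink->format)` is stored in `s->planes` unchecked, although that function returns a negative error code for a format it has no descriptor for. With the new bound in filter_slice() the loop would then run zero times, so this is not a memory-safety problem, but the filter would hand back untouched output; `if (s->planes < 0) return s->planes;` right after the assignment makes the failure visible. The `av_assert0()` on nb_components aborts the process instead of failing link configuration, which deserves a one-line comment stating why the two descriptors can never differ here. Both functions continue outside their hunks.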
[FFmpeg-cvslog] avcodec/hevc_ps: Check log2_sao_offset_scale_*
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 24 03:15:23 2018 +0100| [adb0a29111b321357d65d7b8732d6321303410fd] | committer: Michael Niedermayer avcodec/hevc_ps: Check log2_sao_offset_scale_* Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768 Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=adb0a29111b321357d65d7b8732d6321303410fd --- libavcodec/hevc_ps.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 863ab523eb..f76333d273 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1270,6 +1270,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx, pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); +if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth- 10, 0) +|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) +) +return AVERROR_INVALIDDATA; + return(0); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
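Review bot: The new range check in pps_range_extensions() runs after the values have been stored into `pps->log2_sao_offset_scale_luma` and `pps->log2_sao_offset_scale_chroma`, so if those fields are narrower than the unsigned value get_ue_golomb_long() returns (their declaration is outside the hunk), an oversized code is truncated first and can pass the comparison. Validating a local before the store closes that gap, e.g. `unsigned v = get_ue_golomb_long(gb);` followed by `if (v > FFMAX(sps->bit_depth - 10, 0)) return AVERROR_INVALIDDATA;`, and likewise for chroma. A short comment naming the source of the `bit_depth - 10` bound would also help the next reader. The start of the function is outside the hunk.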
[FFmpeg-cvslog] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Jan 28 02:29:02 2018 +0100| [60039c2d125f5766279b51b387bcfcc007eb11b9] | committer: Michael Niedermayer avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60039c2d125f5766279b51b387bcfcc007eb11b9 --- libavcodec/mpeg4videodec.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 19ab1ef288..705efe0e67 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1250,10 +1250,12 @@ not_coded: */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { -Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; +Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; +av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1335,12 +1337,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { -Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; +Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; +av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
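Review bot: `av_assert2(s == (void*)ctx);` in mpeg4_decode_partitioned_mb() and mpeg4_decode_mb() is the only thing tying the new `s->avctx->priv_data` lookup to the old cast, and av_assert2 is compiled out unless the build raises the assert level. In ordinary builds nothing verifies that priv_data really is the Mpeg4DecContext that embeds `s`, so the invariant should at least be written down at both sites, for example `/* priv_data is the Mpeg4DecContext whose first member is this MpegEncContext */`. If any caller can pass an MpegEncContext that is not embedded that way, ctx would silently point at a different object than before; that is worth confirming. Both function bodies continue outside their hunks.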
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix several integer overflows
ffmpeg | branch: release/3.0 | Michael Niedermayer | Thu Jan 25 23:14:37 2018 +0100| [35f47ac0d54b7591e8c390e47d209034b788d940] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix several integer overflows Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int' Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=35f47ac0d54b7591e8c390e47d209034b788d940 --- libavcodec/dirac_dwt.h | 4 ++-- libavcodec/dirac_dwt_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 1af41e0702..68ebd19560 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ -(b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) +(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ -(b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) +(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e436c247a1..e68cc4d530 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c 
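Review bot: With the added `(unsigned)` cast, COMPOSE_53iL0 and COMPOSE_DIRAC53iH0 in dirac_dwt.h now evaluate to an unsigned value, unlike COMPOSE_DD97iH0 just below them, which casts its whole result back to `(int)`. Any user that shifts, divides or compares the macro result (the users are outside this hunk) would switch from signed to unsigned semantics, so wrapping the expansion the same way keeps the macros consistent: `((int)((b1) - (unsigned)((int)((b0) + (unsigned)(b2) + 2) >> 2)))`. That form also parenthesizes `b0` and `b1`, which the current expansion does not.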
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) -b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; +b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2); } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 31 18:13:07 2018 +0100| [6baa0e811b761f6d8256cbbedc1808da676acf50] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6baa0e811b761f6d8256cbbedc1808da676acf50 --- libavcodec/aacsbr_fixed.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 2a679491b0..0622d2ff7c 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -572,7 +572,8 @@ static void sbr_hf_assemble(int Y1[38][64][2], int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = &Y1[i][kx][idx]; -int shift, round; +int shift; +unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { @@ -585,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2], } if (shift < 32) { round = 1 << (shift-1); -out[2*m ] += (in[m ].mant * A + round) >> shift; +out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } if (shift2 < 32) { round = 1 << (shift2-1); -out[2*m+2] += (in[m+1].mant * B + round) >> shift2; +out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; } } if(m_max&1) @@ -601,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], return; } else if (shift < 32) { round = 1 << (shift-1); -out[2*m ] += (in[m ].mant * A + round) >> shift; +out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
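Review bot: The three rewritten lines in sbr_hf_assemble() depend on `round` being unsigned so that `in[m].mant * A + round` wraps instead of overflowing, and on `(int)` binding tighter than `>>` so the shift stays a signed shift; neither is stated anywhere. A comment at the declaration, e.g. `unsigned round; /* unsigned so the rounding add wraps; the sum is cast back to int before shifting */`, would stop a later cleanup from reverting the type. Since the same expression now appears three times, a small static inline helper taking the mantissa, the sign factor and the shift would keep the cast in one place. The function body extends outside the hunks.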
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sat Feb 17 21:47:09 2018 +0100| [6492799fcefba3bde7a291189e1d2fe7ce605282] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112 Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6492799fcefba3bde7a291189e1d2fe7ce605282 --- libavcodec/dirac_dwt_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e68cc4d530..8c25c1f822 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { -b[2*x ] = (tmp[x] + 1)>>1; -b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; +b[2*x ] = ((int)(tmp[x] + 1U))>>1; +b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } @@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { -b[2*x ] = (tmp[x] + 1)>>1; -b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; +b[2*x ] = ((int)(tmp[x] + 1U))>>1; +b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Update for 3.0.11
ffmpeg | branch: release/3.0 | Michael Niedermayer | Mon Feb 19 14:44:49 2018 +0100| [9f14908a96ca13b7bad900c65d82f1404fa4fb89] | committer: Michael Niedermayer Update for 3.0.11 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f14908a96ca13b7bad900c65d82f1404fa4fb89 --- Changelog| 57 + RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 71a00b80b9..f10fc09633 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,63 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.0.11 +- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/huffyuvdec: Check input buffer size +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- avcodec/dirac_dwt: Fix several integer overflows +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/hevc_ps: extract one SPS fields required for hvcC construction +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return code of get_vlc2() +- avcodec/mpeg4videodec: Check mb_num also against 0 +- avfilter/vf_transpose: Fix used plane count. 
+- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() +- avcodec/mjpegdec: Fix integer overflow in DC dequantization +- avcodec/dxtory: Fix bits left checks +- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down +- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() +- avcodec/snowdec: Fix integer overflow before htaps check +- avcodec/ulti: Check number of blocks at init +- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() +- avformat/lrcdec: Fix memory leak in lrc_read_header() +- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() +- configure: bump year +- avcodec/utils: Avoid hardcoding duplicated types in sizeof() +- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one +- avcodec/h264addpx_template: Fixes integer overflows +- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 +- avcodec/diracdec: Fix integer overflow with quant +- avcodec/opus_parser: Check payload_len in parse_opus_ts_header() +- avcodec/jpeg2000dsp: Fix integer overflows in ict_int() +- avcodec/h264_slice: Do not attempt to render into frames already output +- avcodec/dnxhddec: Check dc vlc +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong 
function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/diracdsp: Fix integer overflow in PUT_SIGNED_RECT_CLAMPED() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avformat/libssh: check the user provided a password before trying to use it + version 3.0.10 - avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. - Don't manipulate duration when it's AV_NOPTS_VALUE. diff --git a/RELEASE b/RELEASE index a909317fe5..778bf95c00 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.0.10 +3.0.11 diff --git a/doc/Doxyfile b/doc/Doxyfile index a48039b6ff..65eef53776 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 3.0.10 +PROJECT_NUMBER = 3.0.11 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maxi
[FFmpeg-cvslog] avcodec/vp8: Check for bitstream end before vp7_fade_frame()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sat Feb 17 04:20:52 2018 +0100| [010dd0d26e5abd3c244f6680eb3bb0f3370b48db] | committer: Michael Niedermayer avcodec/vp8: Check for bitstream end before vp7_fade_frame() Fixes: Timeout Fixes: 5653/clusterfuzz-testcase-5497680018014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=010dd0d26e5abd3c244f6680eb3bb0f3370b48db --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 7511f4dfc9..06d768a576 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -605,6 +605,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } +if (c->end <= c->buffer && c->bits >= 0) +return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
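Review bot: The added test `c->end <= c->buffer && c->bits >= 0` in vp7_decode_frame_header() open-codes the range coder's end-of-input condition with no explanation of what the two fields mean. A comment such as `/* range coder has consumed all input: stop before the fade pass runs on padding */` would make the intent reviewable (the coder's exact semantics are outside the hunk, so the wording should be confirmed against it), and a named helper next to vp8_rac_get() would let other header sections reuse the test. As written the check guards only section E; the header fields parsed before it are still read without an equivalent test. The function continues outside the hunk.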
[FFmpeg-cvslog] avcodec/h264_cabac: Tighten allowed coeff_abs range
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Feb 14 00:32:30 2018 +0100| [340c315c671efe137651d75da351c0f292d234fb] | committer: Michael Niedermayer avcodec/h264_cabac: Tighten allowed coeff_abs range Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" Signed-off-by: Michael Niedermayer (cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=340c315c671efe137651d75da351c0f292d234fb --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 649fa82b72..a450b4ec39 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1736,7 +1736,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, \ if( coeff_abs >= 15 ) { \ int j = 0; \ -while (get_cabac_bypass(CC) && j < 30) { \ +while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
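Review bot: The new bound `j < 16+7` in decode_cabac_residual_internal() is a bare constant; the commit message cites section 8.5 of the specification as its source, but the code does not. Add a comment on the line above, inside the macro, e.g. `/* escape prefix length capped per the 8.5 transform coefficient limits */ \`, and consider a named constant so that the 16 and the 7 are each explained. The macro body continues outside the hunk.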
[FFmpeg-cvslog] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Feb 14 03:54:13 2018 +0100| [e38e2d6533d7086527ad8fd5a47d6294818798b2] | committer: Michael Niedermayer avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392 Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e38e2d6533d7086527ad8fd5a47d6294818798b2 --- libavutil/common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8142b31fdb..53e43feb3a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -158,7 +158,7 @@ static av_always_inline av_const int64_t av_clip64_c(int64_t a, int64_t amin, in */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { -if (a&(~0xFF)) return (-a)>>31; +if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int a) */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { -if (a&(~0x)) return (-a)>>31; +if (a&(~0x)) return (~a)>>31; else return a; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
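Review bot: The replacement `(~a)>>31` in av_clip_uint8_c() and av_clip_uint16_c() carries no explanation, and it relies on `int` being 32 bits wide and on right-shifting a negative value being an arithmetic shift. A comment on each of the two lines, such as `/* ~a rather than -a: negating INT_MIN is undefined; gives 0 for a < 0 and all-ones for a above the range */`, would document both the reason for the change and the result the return type truncates. Without it the expression looks like a typo for the old `-a` and is at risk of being changed back.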
[FFmpeg-cvslog] avcodec/mpeg4videodec: Ignore multiple VOL headers
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Feb 9 22:24:58 2018 +0100| [ce46e45f4cb95fbfe4a787ccfbd0cabb94e8dccb] | committer: Michael Niedermayer avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce46e45f4cb95fbfe4a787ccfbd0cabb94e8dccb --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 705efe0e67..63adcf96d4 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2653,8 +2653,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (startcode >= 0x120 && startcode <= 0x12F) { if (vol) { -av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); -return AVERROR_INVALIDDATA; +av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); +continue; } vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
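Review bot: Downgrading the duplicate-VOL case in ff_mpeg4_decode_picture_header() from `return AVERROR_INVALIDDATA` to a warning plus `continue` means the first VOL header wins and every later one is skipped, which the code should state in a comment, e.g. `/* only the first VOL header is parsed; later ones are ignored */`. Because the warning is emitted once per extra start code in input that the sender controls, a stream with many such headers produces one log line each; logging it once per context, or at a lower level after the first occurrence, would bound that. The surrounding loop and the rest of the function are outside the hunk.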
[FFmpeg-cvslog] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
ffmpeg | branch: release/3.0 | Xiaohan Wang | Sat Feb 3 01:43:35 2018 -0800| [d4f9119532564c631bf9dfcfc3ab3498cdedcad7] | committer: Michael Niedermayer avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values, e.g. dquant out of range, set the qscale to be a valid value before returning -1 and exiting the function. The qscale value can be used later e.g. in loop filter. BUG=806122 Signed-off-by: Michael Niedermayer (cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d4f9119532564c631bf9dfcfc3ab3498cdedcad7 --- libavcodec/h264_cavlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 3fa5b2e197..97ec6fd4ae 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1113,6 +1113,7 @@ decode_intra_mb: elsesl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); +sl->qscale = max_qp; return -1; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
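Review bot: The added `sl->qscale = max_qp;` clamps to the maximum rather than restoring the value qscale had before dquant was applied, and nothing in the code explains either the assignment or that choice. The commit message gives the reason (qscale is read later, for example by the loop filter, even after this function has returned -1); that belongs in a comment above the line, e.g. `/* keep qscale in range: it is still used after a failed macroblock */`. Any sibling decoding path that range-checks qscale in the same way should be checked for the same leftover state; none is visible in this hunk. The enclosing function starts and ends outside the hunk.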
[FFmpeg-cvslog] avcodec/exr: Check remaining bits in last get code loop
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Feb 14 13:01:46 2018 +0100| [675e243949bcb331d5dc4f6fd72620a1200dbb40] | committer: Michael Niedermayer avcodec/exr: Check remaining bits in last get code loop Fixes: runtime error: shift exponent -7 is negative Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=675e243949bcb331d5dc4f6fd72620a1200dbb40 --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c1490e521a..ac00f85150 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; -if (pl.len) { +if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vp3: Check eob_run
ffmpeg | branch: release/3.0 | Michael Niedermayer | Fri Feb 9 04:17:16 2018 +0100| [c6b5e80635ee1c822eff5adfc3ed3904ba70c206] | committer: Michael Niedermayer avcodec/vp3: Check eob_run Fixes: out of array access Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552 Fixes: special case for theora (untested due to lack of sample) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c6b5e80635ee1c822eff5adfc3ed3904ba70c206 --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index ea80c0e2b1..819239b8e8 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); +if (!eob_run) +eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
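Review bot: `if (!eob_run) eob_run = INT_MAX;` in unpack_vlcs() gives a zero run length a special meaning without saying so, and the commit message itself marks the Theora case as untested for lack of a sample. A comment such as `/* a zero run is treated as "all remaining blocks", so the bound check below always clamps it */` would record the intent; that reading is inferred from the `eob_run > num_coeffs - coeff_i` test that follows and should be confirmed. INT_MAX needs <limits.h>, whose inclusion is not visible in this hunk. The function continues outside the hunk.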
[FFmpeg-cvslog] avcodec/huffyuvdec: Check input buffer size
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 31 19:20:10 2018 +0100| [a26ac3cc69210f14f05db70dca61ae509d7883e2] | committer: Michael Niedermayer avcodec/huffyuvdec: Check input buffer size Fixes: Timeout Fixes: 5487/clusterfuzz-testcase-4696837035393024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a26ac3cc69210f14f05db70dca61ae509d7883e2 --- libavcodec/huffyuvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 7314519fca..47bca00010 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -915,6 +915,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *const p = data; int table_size = 0, ret; +if (buf_size < (width * height + 7)/8) +return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
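Review bot: The early reject `buf_size < (width * height + 7)/8` in decode_frame() encodes an assumption of at least one input bit per pixel that is stated nowhere, and the product is computed in `int`. Add a comment like `/* every pixel needs at least one bit of input; reject short packets before allocating */`, and, unless width and height are already bounded by an image-size check outside the hunk, do the multiplication in 64 bits: `if (buf_size < ((int64_t)width * height + 7) / 8)`. The declarations of width and height and the rest of the function are outside the hunk.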
[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in FFABS
ffmpeg | branch: release/3.0 | Michael Niedermayer | Wed Jan 31 02:50:18 2018 +0100| [8886e1228d1c47cb49212766f7ebf80797dfdaf4] | committer: Michael Niedermayer avcodec/wavpack: Fix integer overflow in FFABS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 5396/clusterfuzz-testcase-minimized-655829281536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8886e1228d1c47cb49212766f7ebf80797dfdaf4 --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 0429adcfe1..34f73fe8f2 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -474,7 +474,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { -if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { +if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
ffmpeg | branch: release/3.0 | Michael Niedermayer | Sun Feb 11 03:38:54 2018 +0100| [664e3d217aadba713c46404e2e8cb1d8f9c28485] | committer: Michael Niedermayer avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() This fixes a hypothetical integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=664e3d217aadba713c46404e2e8cb1d8f9c28485 --- libavcodec/vp3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 819239b8e8..165a051541 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; -if (num_coeffs < 0) +if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficents at level %d\n", coeff_index); +return AVERROR_INVALIDDATA; +} if (eob_run > num_coeffs) { coeff_i = ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] build: restore using dlltool/lib.exe for creating Win32 .lib files
ffmpeg | branch: master | Hendrik Leppkes | Fri Feb 16 21:24:59 2018 +0100| [6d8bef8c05ea5dcb95f5930954cd6bd28868c2c9] | committer: Hendrik Leppkes build: restore using dlltool/lib.exe for creating Win32 .lib files The GCC generated import libraries don't work properly when being imported by MSVC, resulting in missing symbols at runtime. This reverts 5b5365fe9 and partially reverts changes from 98a9b1f0d > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d8bef8c05ea5dcb95f5930954cd6bd28868c2c9 --- configure | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 99c53d482a..3b06b86a6e 100755 --- a/configure +++ b/configure @@ -4994,6 +4994,10 @@ case $target_os in ;; mingw32*|mingw64*) target_os=mingw32 +LIBTARGET=i386 +if enabled x86_64; then +LIBTARGET="i386:x86-64" +fi if enabled shared; then # Cannot build both shared and static libs when using dllimport. disable static @@ -5005,7 +5009,14 @@ case $target_os in SLIBSUF=".dll" SLIBNAME_WITH_VERSION='$(SLIBPREF)$(FULLNAME)-$(LIBVERSION)$(SLIBSUF)' SLIBNAME_WITH_MAJOR='$(SLIBPREF)$(FULLNAME)-$(LIBMAJOR)$(SLIBSUF)' -SLIB_EXTRA_CMD='cp $(SUBDIR)lib$(SLIBNAME:$(SLIBSUF)=.dll.a) $(SUBDIR)$(SLIBNAME:$(SLIBSUF)=.lib)' +if check_cmd lib.exe -list; then +SLIB_EXTRA_CMD=-'lib.exe -nologo -machine:$(LIBTARGET) -def:$$(@:$(SLIBSUF)=.def) -out:$(SUBDIR)$(SLIBNAME:$(SLIBSUF)=.lib)' +if enabled x86_64; then +LIBTARGET=x64 +fi +else +SLIB_EXTRA_CMD=-'$(DLLTOOL) -m $(LIBTARGET) -d $$(@:$(SLIBSUF)=.def) -l $(SUBDIR)$(SLIBNAME:$(SLIBSUF)=.lib) -D $(SLIBNAME_WITH_MAJOR)' +fi SLIB_INSTALL_NAME='$(SLIBNAME_WITH_MAJOR)' SLIB_INSTALL_LINKS= SLIB_INSTALL_EXTRA_SHLIB='$(SLIBNAME:$(SLIBSUF)=.lib)' 
@@ -5013,6 +5024,7 @@ case $target_os in SLIB_CREATE_DEF_CMD='EXTERN_PREFIX="$(EXTERN_PREFIX)" AR="$(AR_CMD)" NM="$(NM_CMD)" $(SRC_PATH)/compat/windows/makedef $(SUBDIR)lib$(NAME).ver $(OBJS) > $$(@:$(SLIBSUF)=.def)' SHFLAGS='-shared -Wl,--out-implib,$(SUBDIR)lib$(SLIBNAME:$(SLIBSUF)=.dll.a) -Wl,--disable-auto-image-base $$(@:$(SLIBSUF)=.def)' enabled x86_64 && objformat="win64" || objformat="win32" +dlltool="${cross_prefix}dlltool" ranlib=: enable dos_paths check_ldflags -Wl,--nxcompat,--dynamicbase @@ -6886,6 +6898,7 @@ LD_O=$LD_O X86ASM_O=$X86ASM_O LD_LIB=$LD_LIB LD_PATH=$LD_PATH +DLLTOOL=$dlltool WINDRES=$windres DEPWINDRES=$dep_cc DOXYGEN=$doxygen @@ -6939,6 +6952,7 @@ LIB_INSTALL_EXTRA_CMD=$LIB_INSTALL_EXTRA_CMD EXTRALIBS=$extralibs COMPAT_OBJS=$compat_objs INSTALL=$install +LIBTARGET=${LIBTARGET} SLIBNAME=${SLIBNAME} SLIBNAME_WITH_VERSION=${SLIBNAME_WITH_VERSION} SLIBNAME_WITH_MAJOR=${SLIBNAME_WITH_MAJOR} ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Revert "configure: Stop using dlltool to create an import library"
ffmpeg | branch: master | Martin Storsjö | Sat Feb 17 00:08:45 2018 +0200| [97eee953e639bd4d17a9f9398293775277d00505] | committer: Martin Storsjö Revert "configure: Stop using dlltool to create an import library" This reverts commit 67c72f08a4707c18a67a4734660e3a23cc9488b6. While the linker produced import libraries might work with MSVC in simple test cases, they don't if e.g. linking to multiple GNU ld produced import libraries at the same time. (They end up importing functions from the wrong libraries.) The ones produced by dlltool work fine though. This issue was pointed out by Hendrik Leppkes. Signed-off-by: Martin Storsjö > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=97eee953e639bd4d17a9f9398293775277d00505 --- configure | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/configure b/configure index ed930e6cd4..06fb839a18 100755 --- a/configure +++ b/configure @@ -3891,6 +3891,10 @@ case $target_os in ;; mingw32*|mingw64*) target_os=mingw32 +LIBTARGET=i386 +if enabled x86_64; then +LIBTARGET="i386:x86-64" +fi if enabled shared; then # Cannot build both shared and static libs when using dllimport. disable static @@ -3902,7 +3906,7 @@ case $target_os in SLIBSUF=".dll" SLIBNAME_WITH_VERSION='$(SLIBPREF)$(NAME)-$(LIBVERSION)$(SLIBSUF)' SLIBNAME_WITH_MAJOR='$(SLIBPREF)$(NAME)-$(LIBMAJOR)$(SLIBSUF)' -SLIB_EXTRA_CMD='cp $(SUBDIR)lib$(SLIBNAME:$(SLIBSUF)=.dll.a) $(SUBDIR)$(SLIBNAME:$(SLIBSUF)=.lib)' +SLIB_EXTRA_CMD=-'$(DLLTOOL) -m $(LIBTARGET) -d $$(@:$(SLIBSUF)=.def) -l $(SUBDIR)$(SLIBNAME:$(SLIBSUF)=.lib) -D $(SLIBNAME_WITH_MAJOR)' SLIB_INSTALL_NAME='$(SLIBNAME_WITH_MAJOR)' SLIB_INSTALL_LINKS= SLIB_INSTALL_EXTRA_SHLIB='$(SLIBNAME:$(SLIBSUF)=.lib)' 
@@ -3910,6 +3914,7 @@ case $target_os in SLIB_CREATE_DEF_CMD='EXTERN_PREFIX="$(EXTERN_PREFIX)" AR="$(AR_CMD)" NM="$(NM_CMD)" $(SRC_PATH)/compat/windows/makedef $(SUBDIR)lib$(NAME).ver $(OBJS) > $$(@:$(SLIBSUF)=.def)' SHFLAGS='-shared -Wl,--out-implib,$(SUBDIR)lib$(SLIBNAME:$(SLIBSUF)=.dll.a) -Wl,--enable-auto-image-base $$(@:$(SLIBSUF)=.def)' enabled x86_64 && objformat="win64" || objformat="win32" +dlltool="${cross_prefix}dlltool" ranlib=: enable dos_paths ;; @@ -5248,6 +5253,7 @@ X86ASM_O=$X86ASM_O LD_O=$LD_O LD_LIB=$LD_LIB LD_PATH=$LD_PATH +DLLTOOL=$dlltool LDFLAGS=$LDFLAGS LDEXEFLAGS=$LDEXEFLAGS LDSOFLAGS=$LDSOFLAGS @@ -5294,6 +5300,7 @@ LIB_INSTALL_EXTRA_CMD=$LIB_INSTALL_EXTRA_CMD EXTRALIBS=$extralibs COMPAT_OBJS=$compat_objs INSTALL=install +LIBTARGET=${LIBTARGET} SLIBNAME=${SLIBNAME} SLIBNAME_WITH_VERSION=${SLIBNAME_WITH_VERSION} SLIBNAME_WITH_MAJOR=${SLIBNAME_WITH_MAJOR} ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] configure: Pass the right machine types to dlltool for arm and arm64 mingw
ffmpeg | branch: master | Martin Storsjö | Sat Feb 17 00:17:21 2018 +0200| [cc1c94dacd0642ac1a6cad45deb65071f127d91a] | committer: Martin Storsjö configure: Pass the right machine types to dlltool for arm and arm64 mingw These are supported by llvm-dlltool. Signed-off-by: Martin Storsjö > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc1c94dacd0642ac1a6cad45deb65071f127d91a --- configure | 4 1 file changed, 4 insertions(+) diff --git a/configure b/configure index 06fb839a18..1c35f9dc64 100755 --- a/configure +++ b/configure @@ -3894,6 +3894,10 @@ case $target_os in LIBTARGET=i386 if enabled x86_64; then LIBTARGET="i386:x86-64" +elif enabled arm; then +LIBTARGET="arm" +elif enabled aarch64; then +LIBTARGET="arm64" fi if enabled shared; then # Cannot build both shared and static libs when using dllimport. ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
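Review bot: The `arm` and `arm64` machine names added here are, per the commit message, ones that llvm-dlltool supports; nothing in the hunk says so, and whether a GNU `${cross_prefix}dlltool` accepts them is not visible here. A comment above the new `elif` arms, e.g. `# arm/arm64: machine names as accepted by llvm-dlltool`, would keep the next reader from taking them for binutils names like `i386:x86-64`. The same hunk is merged by 04a8d5c2 below into a configure where `$(LIBTARGET)` also feeds `lib.exe -machine:`, so the comment is worth carrying there too. The surrounding `case` arm continues outside the hunk.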
[FFmpeg-cvslog] Merge commit '97eee953e639bd4d17a9f9398293775277d00505'
ffmpeg | branch: master | James Almer | Mon Feb 19 18:34:36 2018 -0300| [6dea6c4b9718132fbe32984942bcafaeb2712f73] | committer: James Almer Merge commit '97eee953e639bd4d17a9f9398293775277d00505' * commit '97eee953e639bd4d17a9f9398293775277d00505': Revert "configure: Stop using dlltool to create an import library" This commit is a noop, see 6d8bef8c05ea5dcb95f5930954cd6bd28868c2c9 Merged-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6dea6c4b9718132fbe32984942bcafaeb2712f73 --- ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Merge commit 'cc1c94dacd0642ac1a6cad45deb65071f127d91a'
ffmpeg | branch: master | James Almer | Mon Feb 19 18:35:32 2018 -0300| [04a8d5c2d7578456fc4d0a605784bf904cc42a4d] | committer: James Almer Merge commit 'cc1c94dacd0642ac1a6cad45deb65071f127d91a' * commit 'cc1c94dacd0642ac1a6cad45deb65071f127d91a': configure: Pass the right machine types to dlltool for arm and arm64 mingw Merged-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04a8d5c2d7578456fc4d0a605784bf904cc42a4d --- configure | 4 1 file changed, 4 insertions(+) diff --git a/configure b/configure index 3b06b86a6e..013308cfa4 100755 --- a/configure +++ b/configure @@ -4997,6 +4997,10 @@ case $target_os in LIBTARGET=i386 if enabled x86_64; then LIBTARGET="i386:x86-64" +elif enabled arm; then +LIBTARGET="arm" +elif enabled aarch64; then +LIBTARGET="arm64" fi if enabled shared; then # Cannot build both shared and static libs when using dllimport. == ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] docs/codecs: remove dead codec debug options
ffmpeg | branch: master | Gyan Doshi | Mon Jan 15 20:38:33 2018 +0530| [b50f68bb1ecc6dcfe7aaed04c12dd94bdc222428] | committer: Lou Logan docs/codecs: remove dead codec debug options FF_API_DEBUG_MV has been disabled. Related options removed from docs. Mention of non-existent debug option value 'pts' also removed. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b50f68bb1ecc6dcfe7aaed04c12dd94bdc222428 --- doc/codecs.texi | 8 1 file changed, 8 deletions(-) diff --git a/doc/codecs.texi b/doc/codecs.texi index 7e20374334..c9b9a1136d 100644 --- a/doc/codecs.texi +++ b/doc/codecs.texi @@ -467,8 +467,6 @@ rate control macroblock (MB) type @item qp per-block quantization parameter (QP) -@item mv -motion vector @item dct_coeff @item green_metadata @@ -478,18 +476,12 @@ display complexity metadata for the upcoming frame, GoP or for a given duration. @item startcode -@item pts - @item er error recognition @item mmco memory management control operations (H.264) @item bugs -@item vis_qp -visualize quantization parameter (QP), lower QP are tinted greener -@item vis_mb_type -visualize block types @item buffers picture buffer allocations @item thread_ops ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/matroskadec: ignore CodecPrivate if the stream is VP9
ffmpeg | branch: master | James Almer | Sat Jan 13 16:04:21 2018 -0300| [acdea9e7c56b74b05c56b4733acc855b959ba073] | committer: James Almer avformat/matroskadec: ignore CodecPrivate if the stream is VP9 Defined in a recent revision of https://www.webmproject.org/docs/container/ This prevents storing the contents of CodecPrivate into extradata for a codec that doesn't need nor expect any. It will among other things prevent matroska specific binary data from being dumped onto other formats during remuxing. Signed-off-by: James Almer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=acdea9e7c56b74b05c56b4733acc855b959ba073 --- libavformat/matroskadec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index cda8df2213..edc4f5d476 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2397,6 +2397,10 @@ static int matroska_parse_tracks(AVFormatContext *s) return ret; } else if (codec_id == AV_CODEC_ID_PRORES && track->codec_priv.size == 4) { fourcc = AV_RL32(track->codec_priv.data); +} else if (codec_id == AV_CODEC_ID_VP9 && track->codec_priv.size) { +/* we don't need any value stored in CodecPrivate. + make sure that it's not exported as extradata. */ +track->codec_priv.size = 0; } track->codec_priv.size -= extradata_offset; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
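Review bot: The new VP9 branch sets `track->codec_priv.size = 0`, but the unchanged line right after the chain still runs `track->codec_priv.size -= extradata_offset;`, so the size only stays zero if extradata_offset is 0 on this path. extradata_offset is assigned outside the hunk; if it can never be non-zero for VP9 that is worth stating in the comment, e.g. `/* extradata_offset is 0 for VP9, so size stays 0 below */`, because otherwise the size would go negative. The `&& track->codec_priv.size` test looks redundant, since assigning 0 over 0 is harmless. matroska_parse_tracks() starts and ends outside the hunk, and the identical hunk appears in the release/3.4 cherry-pick 3fdff40a below.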
[FFmpeg-cvslog] avformat/matroskadec: ignore CodecPrivate if the stream is VP9
ffmpeg | branch: release/3.4 | James Almer | Sat Jan 13 16:04:21 2018 -0300| [3fdff40a32e31b8bfe9127841f75472f20e30354] | committer: James Almer avformat/matroskadec: ignore CodecPrivate if the stream is VP9 Defined in a recent revision of https://www.webmproject.org/docs/container/ This prevents storing the contents of CodecPrivate into extradata for a codec that doesn't need nor expect any. It will among other things prevent matroska specific binary data from being dumped onto other formats during remuxing. Signed-off-by: James Almer (cherry picked from commit acdea9e7c56b74b05c56b4733acc855b959ba073) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fdff40a32e31b8bfe9127841f75472f20e30354 --- libavformat/matroskadec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e6631097b8..95189525e3 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2390,6 +2390,10 @@ static int matroska_parse_tracks(AVFormatContext *s) return ret; } else if (codec_id == AV_CODEC_ID_PRORES && track->codec_priv.size == 4) { fourcc = AV_RL32(track->codec_priv.data); +} else if (codec_id == AV_CODEC_ID_VP9 && track->codec_priv.size) { +/* we don't need any value stored in CodecPrivate. + make sure that it's not exported as extradata. */ +track->codec_priv.size = 0; } track->codec_priv.size -= extradata_offset; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] swresample/rematrix: fix update of channel matrix if input or output layout is undefined
ffmpeg | branch: release/3.4 | Tobias Rapp | Wed Feb 14 17:01:08 2018 +0100| [8be1edf47ba9dcfaf6fccb1e01eeb8610ba97aff] | committer: Tobias Rapp swresample/rematrix: fix update of channel matrix if input or output layout is undefined Prefer direct in/out channel count values over channel layout, when available. Fixes a pan filter bug (ticket #6790). Signed-off-by: Tobias Rapp (cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8be1edf47ba9dcfaf6fccb1e01eeb8610ba97aff --- libswresample/rematrix.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 66a43c16c1..dacace93d0 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -69,8 +69,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); memset(s->matrix_flt, 0, sizeof(s->matrix_flt)); -nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); -nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); +nb_in = (s->user_in_ch_count > 0) ? s->user_in_ch_count : +av_get_channel_layout_nb_channels(s->user_in_ch_layout); +nb_out = (s->user_out_ch_count > 0) ? s->user_out_ch_count : +av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix_flt[out][in] = s->matrix[out][in] = matrix[in]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
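Review bot: nb_in and nb_out now come from `s->user_in_ch_count` and `s->user_out_ch_count` and are used unchecked as the bounds for the writes to `s->matrix[out][in]` and `s->matrix_flt[out][in]` in the loop that follows. Whether those counts are limited to the dimensions of `s->matrix` is not visible in this hunk, so I would guard locally before the loop: `if (nb_in > FF_ARRAY_ELEMS(s->matrix[0]) || nb_out > FF_ARRAY_ELEMS(s->matrix)) return AVERROR(EINVAL);`. swr_set_matrix() continues outside the hunk, and the same change is cherry-picked to release/3.3 in fea559c3 below.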
[FFmpeg-cvslog] swresample/rematrix: fix update of channel matrix if input or output layout is undefined
ffmpeg | branch: release/3.3 | Tobias Rapp | Wed Feb 14 17:01:08 2018 +0100| [fea559c3d5575bce51acdb17cf83a1a8fd237feb] | committer: Tobias Rapp swresample/rematrix: fix update of channel matrix if input or output layout is undefined Prefer direct in/out channel count values over channel layout, when available. Fixes a pan filter bug (ticket #6790). Signed-off-by: Tobias Rapp (cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fea559c3d5575bce51acdb17cf83a1a8fd237feb --- libswresample/rematrix.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/rematrix.c b/libswresample/rematrix.c index 03b9b20900..584ce69efd 100644 --- a/libswresample/rematrix.c +++ b/libswresample/rematrix.c @@ -69,8 +69,10 @@ int swr_set_matrix(struct SwrContext *s, const double *matrix, int stride) return AVERROR(EINVAL); memset(s->matrix, 0, sizeof(s->matrix)); memset(s->matrix_flt, 0, sizeof(s->matrix_flt)); -nb_in = av_get_channel_layout_nb_channels(s->user_in_ch_layout); -nb_out = av_get_channel_layout_nb_channels(s->user_out_ch_layout); +nb_in = (s->user_in_ch_count > 0) ? s->user_in_ch_count : +av_get_channel_layout_nb_channels(s->user_in_ch_layout); +nb_out = (s->user_out_ch_count > 0) ? s->user_out_ch_count : +av_get_channel_layout_nb_channels(s->user_out_ch_layout); for (out = 0; out < nb_out; out++) { for (in = 0; in < nb_in; in++) s->matrix_flt[out][in] = s->matrix[out][in] = matrix[in]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog