diff options
| author | Steve Kondik <steve@cyngn.com> | 2015-12-22 02:37:08 -0500 |
|---|---|---|
| committer | Steve Kondik <steve@cyngn.com> | 2015-12-22 02:37:08 -0500 |
| commit | bc1e061c245cfb1d8a8fdd52cfa394bf117f770a (patch) | |
| tree | 05f33f51bab749a67c82c67ae34a4f83edeb903a | |
| parent | a4a2a44d6836e2f58d9112bdb384e4f2cfac905d (diff) | |
| parent | 79f407b79a825c3123aff65cef64b383eca5a95e (diff) | |
| download | android_external_ffmpeg-bc1e061c245cfb1d8a8fdd52cfa394bf117f770a.tar.gz android_external_ffmpeg-bc1e061c245cfb1d8a8fdd52cfa394bf117f770a.tar.bz2 android_external_ffmpeg-bc1e061c245cfb1d8a8fdd52cfa394bf117f770a.zip | |
Merge branch 'release/2.8' of https://github.com/FFmpeg/FFmpeg into cm-13.0
60 files changed, 494 insertions, 127 deletions
@@ -1,6 +1,111 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.4 +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- avcodec/mpeg4videodec: also for empty partitioned slices +- avcodec/h264_refs: Fix long_idx check +- avcodec/h264_mc_template: prefetch list1 only if it is used in the MB +- avcodec/h264_slice: Simplify ref2frm indexing +- avfilter/vf_mpdecimate: Add missing emms_c() +- sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- golomb: always check for invalid UE golomb codes in get_ue_golomb +- sbr_qmf_analysis: sanitize input for 32-bit imdct +- sbrdsp_fixed: assert that input values are in the valid range +- aacsbr: ensure strictly monotone time borders +- aacenc: update max_sfb when num_swb changes +- aaccoder: prevent crash of anmr coder +- ffmdec: reject zero-sized chunks +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- lavf/tee: fix side data double free. +- avformat/hlsenc: Check the return code of avformat_write_header() +- avformat/mov: Enable parser for mp3s by old HandBrake +- avformat/mxfenc: Fix integer overflow in length computation +- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec +- avformat/matroskaenc: Check codecdelay before use +- avutil/mathematics: Fix division by 0 +- mjpegdec: consider chroma subsampling in size check +- libvpxenc: remove some unused ctrl id mappings +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- avformat/riffdec: Initialize bitrate +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/h264_refs: Check that long references match before use +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: allocate entries unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- lavf/rtpenc_jpeg: Less strict check for standard Huffman tables. +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- doc/filters/drawtext: fix centering example + + +version 2.8.3 +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- rtmpcrypt: Do the xtea decryption in little endian mode +- avformat/matroskadec: Check subtitle stream before dereferencing +- avcodec/pngdec: Replace assert by request for sample for unsupported TRNS cases +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- aacsbr: don't call sbr_dequant twice without intermediate read_sbr_data +- hqx: correct type and size check of info_offset +- mxfdec: check edit_rate also for physical_track +- avcodec/jpeg2000: Change coord to 32bit to support larger than 32k width or height +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- mpegvideo: clear overread in clear_context +- avcodec/avrndec: Use the AVFrame format instead of the context +- dds: disable palette flag for compressed images +- dds: validate compressed source buffer size +- dds: validate source buffer size before copying +- dvdsubdec: validate offset2 similar to offset1 +- brstm: reject negative sample rate +- aacps: avoid division by zero in stereo_processing +- softfloat: assert when the argument of av_sqrt_sf is negative + version 2.8.2 - various fixes in the aac_fixed decoder - various fixes in softfloat @@ -1 +1 @@ -2.8.2 +2.8.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5e9a9033b2..5c4b4660f6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.8.2 +PROJECT_NUMBER = 2.8.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff --git a/doc/filters.texi b/doc/filters.texi index d714a2713d..2a2fab61a0 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4967,7 +4967,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c index 86d598f021..e6b57aa980 100644 --- a/libavcodec/aaccoder.c +++ b/libavcodec/aaccoder.c @@ -499,7 +499,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s, } while (idx) { sce->sf_idx[bandaddr[idx]] = minq + q0; - minq = paths[idx][minq].prev; + minq = FFMAX(paths[idx][minq].prev, 0); idx--; } //set the same quantizers inside window groups diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c index 9cce1a2ff0..a7c73369c8 100644 --- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -547,6 +547,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, ics->num_windows = wi[ch].num_windows; ics->swb_sizes = s->psy.bands [ics->num_windows == 8]; ics->num_swb = tag == TYPE_LFE ? ics->num_swb : s->psy.num_bands[ics->num_windows == 8]; + ics->max_sfb = FFMIN(ics->max_sfb, ics->num_swb); ics->swb_offset = wi[ch].window_type[0] == EIGHT_SHORT_SEQUENCE ? ff_swb_offset_128 [s->samplerate_index]: ff_swb_offset_1024[s->samplerate_index]; diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index a49940a076..b36c266ad1 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -718,8 +718,8 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, } for (i = 1; i <= ch_data->bs_num_env; i++) { - if (ch_data->t_env[i-1] > ch_data->t_env[i]) { - av_log(ac->avctx, AV_LOG_ERROR, "Non monotone time borders\n"); + if (ch_data->t_env[i-1] >= ch_data->t_env[i]) { + av_log(ac->avctx, AV_LOG_ERROR, "Not strictly monotone time borders\n"); return -1; } } @@ -1154,6 +1154,9 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct, INTFLOAT z[320], INTFLOAT W[2][32][32][2], int buf_idx) { int i; +#if USE_FIXED + int j; +#endif memcpy(x , x+1024, (320-32)*sizeof(x[0])); memcpy(x+288, in, 1024*sizeof(x[0])); for (i = 0; i < 32; i++) { // numTimeSlots*RATE = 16*2 as 960 sample frames @@ -1161,6 +1164,21 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct, dsp->vector_fmul_reverse(z, sbr_qmf_window_ds, x, 320); sbrdsp->sum64x5(z); sbrdsp->qmf_pre_shuffle(z); +#if USE_FIXED + for (j = 64; j < 128; j++) { + if (z[j] > 1<<24) { + av_log(NULL, AV_LOG_WARNING, + "sbr_qmf_analysis: value %09d too large, setting to %09d\n", + z[j], 1<<24); + z[j] = 1<<24; + } else if (z[j] < -(1<<24)) { + av_log(NULL, AV_LOG_WARNING, + "sbr_qmf_analysis: value %09d too small, setting to %09d\n", + z[j], -(1<<24)); + z[j] = -(1<<24); + } + } +#endif mdct->imdct_half(mdct, z, z+64); sbrdsp->qmf_post_shuffle(W[buf_idx][i], z); x += 32; diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 5536e0f8b1..c6eae55c4e 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len int32_t dotprod, sign; int32_t coeffs[256], delay[256]; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 8cc9333e09..f298336ea4 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c @@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; @@ -190,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 83c35a2010..1ca7e31f1c 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); @@ -112,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } @@ -190,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b9de7c1c0a..8feb9bddef 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 680abcf042..9c941fab9a 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -569,8 +569,11 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h index d30bb6bc86..5136a04845 100644 --- a/libavcodec/golomb.h +++ b/libavcodec/golomb.h @@ -68,7 +68,7 @@ static inline int get_ue_golomb(GetBitContext *gb) int log = 2 * av_log2(buf) - 31; LAST_SKIP_BITS(re, gb, 32 - log); CLOSE_READER(re, gb); - if (CONFIG_FTRAPV && log < 0) { + if (log < 7) { av_log(NULL, AV_LOG_ERROR, "Invalid UE golomb code\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index c1c8b80855..04d412b74b 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -2026,6 +2026,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2042,7 +2043,9 @@ decode_intra_mb: sl->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index eaead35bb2..e4333a733c 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -158,6 +158,7 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, } } - prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 1)) + prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); } diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 619f2edf84..a3de6b2f35 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -122,6 +122,14 @@ static int add_sorted(H264Picture **sorted, H264Picture **src, int len, int limi return out_i; } +static int mismatches_ref(H264Context *h, H264Picture *pic) +{ + AVFrame *f = pic->f; + return (h->cur_pic_ptr->f->width != f->width || + h->cur_pic_ptr->f->height != f->height || + h->cur_pic_ptr->f->format != f->format); +} + int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) { int i, len; @@ -193,10 +201,7 @@ int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) for (j = 0; j<1+(sl->slice_type_nos == AV_PICTURE_TYPE_B); j++) { for (i = 0; i < sl->ref_count[j]; i++) { if (h->default_ref_list[j][i].parent) { - AVFrame *f = h->default_ref_list[j][i].parent->f; - if (h->cur_pic_ptr->f->width != f->width || - h->cur_pic_ptr->f->height != f->height || - h->cur_pic_ptr->f->format != f->format) { + if (mismatches_ref(h, h->default_ref_list[j][i].parent)) { av_log(h->avctx, AV_LOG_ERROR, "Discarding mismatching reference\n"); memset(&h->default_ref_list[j][i], 0, sizeof(h->default_ref_list[j][i])); } @@ -298,14 +303,14 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; } ref = h->long_ref[long_idx]; assert(!(ref && !ref->reference)); - if (ref && (ref->reference & pic_structure)) { + if (ref && (ref->reference & pic_structure) && !mismatches_ref(h, ref)) { ref->pic_id = pic_id; assert(ref->long_ref); i = 0; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 041acfcd35..8be803b7fd 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1993,12 +1993,12 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(top_type, list)) { const int b_xy = h->mb2b_xy[top_xy] + 3 * b_stride; const int b8_xy = 4 * top_xy + 2; - int (*ref2frm)[64] = (void*)(sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY128(mv_dst - 1 * 8, h->cur_pic.motion_val[list][b_xy + 0]); ref_cache[0 - 1 * 8] = - ref_cache[1 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 0]]; + ref_cache[1 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 0]]; ref_cache[2 - 1 * 8] = - ref_cache[3 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 1]]; + ref_cache[3 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 1]]; } else { AV_ZERO128(mv_dst - 1 * 8); AV_WN32A(&ref_cache[0 - 1 * 8], ((LIST_NOT_USED) & 0xFF) * 0x01010101u); @@ -2008,15 +2008,15 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(left_type[LTOP], list)) { const int b_xy = h->mb2b_xy[left_xy[LTOP]] + 3; const int b8_xy = 4 * left_xy[LTOP] + 1; - int (*ref2frm)[64] =(void*)( sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY32(mv_dst - 1 + 0, h->cur_pic.motion_val[list][b_xy + b_stride * 0]); AV_COPY32(mv_dst - 1 + 8, h->cur_pic.motion_val[list][b_xy + b_stride * 1]); AV_COPY32(mv_dst - 1 + 16, h->cur_pic.motion_val[list][b_xy + b_stride * 2]); AV_COPY32(mv_dst - 1 + 24, h->cur_pic.motion_val[list][b_xy + b_stride * 3]); ref_cache[-1 + 0] = - ref_cache[-1 + 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; + ref_cache[-1 + 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; ref_cache[-1 + 16] = - ref_cache[-1 + 24] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; + ref_cache[-1 + 24] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; } else { AV_ZERO32(mv_dst - 1 + 0); AV_ZERO32(mv_dst - 1 + 8); @@ -2041,9 +2041,9 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, { int8_t *ref = &h->cur_pic.ref_index[list][4 * mb_xy]; - int (*ref2frm)[64] = (void*)(sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); - uint32_t ref01 = (pack16to32(ref2frm[list][ref[0]], ref2frm[list][ref[1]]) & 0x00FF00FF) * 0x0101; - uint32_t ref23 = (pack16to32(ref2frm[list][ref[2]], ref2frm[list][ref[3]]) & 0x00FF00FF) * 0x0101; + int *ref2frm = sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); + uint32_t ref01 = (pack16to32(ref2frm[ref[0]], ref2frm[ref[1]]) & 0x00FF00FF) * 0x0101; + uint32_t ref23 = (pack16to32(ref2frm[ref[2]], ref2frm[ref[3]]) & 0x00FF00FF) * 0x0101; AV_WN32A(&ref_cache[0 * 8], ref01); AV_WN32A(&ref_cache[1 * 8], ref01); AV_WN32A(&ref_cache[2 * 8], ref23); @@ -2372,9 +2372,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) align_get_bits(&sl->gb); /* init cabac */ - ff_init_cabac_decoder(&sl->cabac, + ret = ff_init_cabac_decoder(&sl->cabac, sl->gb.buffer + get_bits_count(&sl->gb) / 8, (get_bits_left(&sl->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h, sl); diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index e8c78b012e..5f777612c2 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -744,7 +744,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -2440,8 +2440,8 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; - int startheader, cmpt = 0; + int64_t offset; + int64_t startheader, cmpt = 0; int i, j, res = 0; if (!ret || !arg) { @@ -2450,11 +2450,18 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) return AVERROR(ENOMEM); } + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->ps.sps->ctb_width >= s->ps.sps->ctb_width * s->ps.sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->ps.sps->ctb_width, s->ps.sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } - if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); + if (!s->sList[1]) { for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); @@ -2487,6 +2494,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2513,6 +2525,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 66b9a2f0fc..d84e661600 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -622,7 +622,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index ffff87d4f0..d1bef8320f 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -831,11 +831,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); @@ -973,8 +975,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 214ff056d7..36ef001672 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1489,6 +1489,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 2bf25a8c4e..a46c93a9b2 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -580,6 +580,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; @@ -595,6 +598,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 5f39783087..992122c982 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -104,19 +104,11 @@ typedef struct VP8EncoderContext { /** String mappings for enum vp8e_enc_control_id */ static const char *const ctlidstr[] = { - [VP8E_UPD_ENTROPY] = "VP8E_UPD_ENTROPY", - [VP8E_UPD_REFERENCE] = "VP8E_UPD_REFERENCE", - [VP8E_USE_REFERENCE] = "VP8E_USE_REFERENCE", - [VP8E_SET_ROI_MAP] = "VP8E_SET_ROI_MAP", - [VP8E_SET_ACTIVEMAP] = "VP8E_SET_ACTIVEMAP", - [VP8E_SET_SCALEMODE] = "VP8E_SET_SCALEMODE", [VP8E_SET_CPUUSED] = "VP8E_SET_CPUUSED", [VP8E_SET_ENABLEAUTOALTREF] = "VP8E_SET_ENABLEAUTOALTREF", [VP8E_SET_NOISE_SENSITIVITY] = "VP8E_SET_NOISE_SENSITIVITY", - [VP8E_SET_SHARPNESS] = "VP8E_SET_SHARPNESS", [VP8E_SET_STATIC_THRESHOLD] = "VP8E_SET_STATIC_THRESHOLD", [VP8E_SET_TOKEN_PARTITIONS] = "VP8E_SET_TOKEN_PARTITIONS", - [VP8E_GET_LAST_QUANTIZER] = "VP8E_GET_LAST_QUANTIZER", [VP8E_SET_ARNR_MAXFRAMES] = "VP8E_SET_ARNR_MAXFRAMES", [VP8E_SET_ARNR_STRENGTH] = "VP8E_SET_ARNR_STRENGTH", [VP8E_SET_ARNR_TYPE] = "VP8E_SET_ARNR_TYPE", diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6c6598ffd3..3f81fdfc68 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1246,7 +1246,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; @@ -1263,6 +1263,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1299,8 +1304,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - if ( 8*(h * mb_x + x) < s->width - && 8*(v * mb_y + y) < s->height) { + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { ptr = data[c] + block_offset; } else ptr = NULL; diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f15747f6ab..2c34d21a14 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -883,7 +883,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; @@ -1881,6 +1881,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; @@ -1904,6 +1908,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 15f4dd1c66..04c8e410a8 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 841d1ed25c..73526f9800 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 0d307f5302..e567f53ab4 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index d8d77fceed..af764ab41e 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c @@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 5b7b7a6f9b..f4e3de0c71 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -38,9 +38,14 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) int i, nz, round; for (i = 0; i < n; i += 2) { + // Larger values are inavlid and could cause overflows of accu. + av_assert2(FFABS(x[i + 0][0]) >> 29 == 0); accu += (int64_t)x[i + 0][0] * x[i + 0][0]; + av_assert2(FFABS(x[i + 0][1]) >> 29 == 0); accu += (int64_t)x[i + 0][1] * x[i + 0][1]; + av_assert2(FFABS(x[i + 1][0]) >> 29 == 0); accu += (int64_t)x[i + 1][0] * x[i + 1][0]; + av_assert2(FFABS(x[i + 1][1]) >> 29 == 0); accu += (int64_t)x[i + 1][1] * x[i + 1][1]; } diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 4ec7d89fde..2e3ca79fdd 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -928,6 +928,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 735e71a044..892ddb911c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1040,8 +1040,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } @@ -3178,8 +3180,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 09e6f75ec4..9bdbbb87dd 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at @@ -2016,17 +2016,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } @@ -2251,6 +2253,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2321,7 +2324,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -2355,6 +2359,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } @@ -2363,6 +2368,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 7f6d3edd24..6f5a1706e2 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) ff_dlog(avctx, "[%x] ", avctx->extradata[i]); @@ -477,7 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 2febedc4aa..64cd8418a2 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 25efacfeeb..20b15a20f0 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -131,10 +131,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } diff --git a/libavformat/dump.c b/libavformat/dump.c index 705da82148..08b86935e4 100644 --- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -496,7 +496,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index b743c872c0..db9fb6b7b9 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -268,6 +268,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; @@ -322,7 +323,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); @@ -415,7 +429,7 @@ static int ffm2_read_header(AVFormatContext *s) } break; case MKBETAG('S', '2', 'V', 'I'): - if (f_stvi++) { + if (f_stvi++ || !size) { ret = AVERROR(EINVAL); goto fail; } @@ -430,7 +444,7 @@ static int ffm2_read_header(AVFormatContext *s) goto fail; break; case MKBETAG('S', '2', 'A', 'U'): - if (f_stau++) { + if (f_stau++ || !size) { ret = AVERROR(EINVAL); goto fail; } @@ -471,6 +485,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -508,7 +523,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 6827b796f4..ebc5e1117b 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -548,8 +548,11 @@ static int hls_start(AVFormatContext *s) if (oc->oformat->priv_class && oc->priv_data) av_opt_set(oc->priv_data, "mpegts_flags", "resend_headers", 0); - if (c->vtt_basename) - avformat_write_header(vtt_oc,NULL); + if (c->vtt_basename) { + err = avformat_write_header(vtt_oc,NULL); + if (err < 0) + return err; + } return 0; } diff --git a/libavformat/isom.h b/libavformat/isom.h index 6e921c04a0..1f466f0286 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -184,6 +184,7 @@ typedef struct MOVContext { MOVTrackExt *trex_data; unsigned trex_count; int itunes_metadata; ///< metadata are itunes style + int handbrake_version; int chapter_track; int use_absolute_path; int ignore_editlist; diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index 2b2d034e00..7918346aee 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -926,14 +926,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, } if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) { + int64_t codecdelay = av_rescale_q(codec->initial_padding, + (AVRational){ 1, codec->sample_rate }, + (AVRational){ 1, 1000000000 }); + if (codecdelay < 0) { + av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n"); + return AVERROR(EINVAL); + } // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding, // (AVRational){ 1, codec->sample_rate }, // st->time_base); - put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, - av_rescale_q(codec->initial_padding, - (AVRational){ 1, codec->sample_rate }, - (AVRational){ 1, 1000000000 })); + put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay); } if (codec->codec_id == AV_CODEC_ID_OPUS) { put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL); diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 48a429eb23..4b3bdc1eca 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -365,6 +365,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) diff --git a/libavformat/mov.c b/libavformat/mov.c index 735e956b62..4ce4e2dddd 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -419,6 +419,12 @@ retry: snprintf(key2, sizeof(key2), "%s-%s", key, language); av_dict_set(&c->fc->metadata, key2, str, 0); } + if (!strcmp(key, "encoder")) { + int major, minor, micro; + if (sscanf(str, "HandBrake %d.%d.%d", &major, &minor, µ) == 3) { + c->handbrake_version = 1000000*major + 1000*minor + micro; + } + } } av_log(c->fc, AV_LOG_TRACE, "lang \"%3s\" ", language); av_log(c->fc, AV_LOG_TRACE, "tag \"%s\" value \"%s\" atom \"%.4s\" %d %"PRId64"\n", @@ -4528,6 +4534,13 @@ static int mov_read_header(AVFormatContext *s) return err; } } + if (mov->handbrake_version && + mov->handbrake_version <= 1000000*0 + 1000*10 + 0 && // 0.10.0 + st->codec->codec_id == AV_CODEC_ID_MP3 + ) { + av_log(s, AV_LOG_VERBOSE, "Forcing full parsing for mp3 stream\n"); + st->need_parsing = AVSTREAM_PARSE_FULL; + } } if (mov->trex_data) { diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 45bab1ce01..9b5864d1ef 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -756,11 +756,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 66e1f071f9..4013be024d 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1266,11 +1266,11 @@ static void mxf_write_package(AVFormatContext *s, enum MXFMetadataSetType type, user_comment_count = mxf_write_user_comments(s, s->metadata); mxf_write_metadata_key(pb, 0x013600); PRINT_KEY(s, "Material Package key", pb->buf_ptr - 16); - klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12*mxf->store_user_comments); + klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12LL*mxf->store_user_comments); } else { mxf_write_metadata_key(pb, 0x013700); PRINT_KEY(s, "Source Package key", pb->buf_ptr - 16); - klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12*mxf->store_user_comments); // 20 bytes length for descriptor reference + klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12LL*mxf->store_user_comments); // 20 bytes length for descriptor reference } // write uid @@ -2467,6 +2467,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 63b0cd2fb9..bfa2bade27 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -927,7 +927,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int return ret; } value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); @@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8860..cb51511943 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c @@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 7eecdb24b8..bd9bca01c0 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -87,7 +87,7 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size, int big_endian) { int id; - uint64_t bitrate; + uint64_t bitrate = 0; if (size < 14) { avpriv_request_sample(codec, "wav header size < 14"); diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index a6f2b32df4..60629cf179 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -36,6 +36,7 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) int off = 0; /* fragment offset of the current JPEG frame */ int len; int i; + int default_huffman_tables = 0; s->buf_ptr = s->buf; s->timestamp = s->cur_timestamp; @@ -90,23 +91,66 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) return; } } else if (buf[i + 1] == DHT) { - if ( AV_RB16(&buf[i + 2]) < 418 - || i + 420 >= size - || buf[i + 4] != 0x00 - || buf[i + 33] != 0x01 - || buf[i + 62] != 0x10 - || buf[i + 241] != 0x11 - || memcmp(buf + i + 5, avpriv_mjpeg_bits_dc_luminance + 1, 16) - || memcmp(buf + i + 21, avpriv_mjpeg_val_dc, 12) - || memcmp(buf + i + 34, avpriv_mjpeg_bits_dc_chrominance + 1, 16) - || memcmp(buf + i + 50, avpriv_mjpeg_val_dc, 12) - || memcmp(buf + i + 63, avpriv_mjpeg_bits_ac_luminance + 1, 16) - || memcmp(buf + i + 79, avpriv_mjpeg_val_ac_luminance, 162) - || memcmp(buf + i + 242, avpriv_mjpeg_bits_ac_chrominance + 1, 16) - || memcmp(buf + i + 258, avpriv_mjpeg_val_ac_chrominance, 162)) { - av_log(s1, AV_LOG_ERROR, - "RFC 2435 requires standard Huffman tables for jpeg\n"); - return; + int dht_size = AV_RB16(&buf[i + 2]); + default_huffman_tables |= 1 << 4; + i += 3; + dht_size -= 2; + if (i + dht_size >= size) + continue; + while (dht_size > 0) + switch (buf[i + 1]) { + case 0x00: + if ( dht_size >= 29 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_luminance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) { + default_huffman_tables |= 1; + i += 29; + dht_size -= 29; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x01: + if ( dht_size >= 29 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_chrominance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) { + default_huffman_tables |= 1 << 1; + i += 29; + dht_size -= 29; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x10: + if ( dht_size >= 179 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_ac_luminance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_luminance, 162)) { + default_huffman_tables |= 1 << 2; + i += 179; + dht_size -= 179; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x11: + if ( dht_size >= 179 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_ac_chrominance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_chrominance, 162)) { + default_huffman_tables |= 1 << 3; + i += 179; + dht_size -= 179; + } else { + i += dht_size; + dht_size = 0; + } + break; + default: + i += dht_size; + dht_size = 0; + continue; } } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ @@ -119,6 +163,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) break; } } + if (default_huffman_tables && default_huffman_tables != 31) { + av_log(s1, AV_LOG_ERROR, + "RFC 2435 requires standard Huffman tables for jpeg\n"); + return; + } if (nb_qtables && nb_qtables != 2) av_log(s1, AV_LOG_WARNING, "RFC 2435 suggests two quantization tables, %d provided\n", diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4adafe..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c @@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; diff --git a/libavformat/tee.c b/libavformat/tee.c index bc2e522f7c..a916841066 100644 --- a/libavformat/tee.c +++ b/libavformat/tee.c @@ -409,6 +409,8 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (ret > 0) { + pkt->side_data = NULL; + pkt->side_data_elems = 0; av_free_packet(pkt); new_pkt.buf = av_buffer_create(new_pkt.data, new_pkt.size, av_buffer_default_free, NULL, 0); diff --git a/libavformat/utils.c b/libavformat/utils.c index 386ce37a77..30567fa2ec 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2451,7 +2451,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; @@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 5b285e3d9b..7488753d64 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -180,7 +180,7 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) if (val.mant == 0) val.exp = MIN_EXP; else if (val.mant < 0) - av_assert0(0); + abort(); else { tabIndex = (val.mant - 0x20000000) >> 20; diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } diff --git a/libswscale/utils.c b/libswscale/utils.c index 0c4b4d7977..2a88dc96f7 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -385,7 +385,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e97ba4fe82..a10f268009 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1907,7 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1933,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; @@ -1943,9 +1946,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui src2 += src2Stride; } __asm__( -#if !COMPILE_TEMPLATE_SSE2 EMMS" \n\t" -#endif SFENCE" \n\t" ::: "memory" ); |