From 24c504bd0a7cd20b5e48607c7fbf5c85dc1321ab Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 12:11:29 +0100 Subject: avcodec/cabac_functions: Fix "left shift of negative value -31767" Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5) Signed-off-by: Michael Niedermayer --- libavcodec/cabac_functions.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 15dba29f8e..4e132535e1 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -74,7 +74,8 @@ static inline void renorm_cabac_decoder_once(CABACContext *c){ #ifndef get_cabac_inline static void refill2(CABACContext *c){ - int i, x; + int i; + unsigned x; x= c->low ^ (c->low-1); i= 7 - ff_h264_norm_shift[x>>(CABAC_BITS-1)]; -- cgit v1.2.3 From 4c718691ea32e9ab70ccaa5e90bfebcea4588c42 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 13:37:50 +0100 Subject: avcodec/cabac: Check initial cabac decoder state Fixes integer overflows Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Found-by: xiedingbao (Ticket4727) Signed-off-by: Michael Niedermayer (cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8) Conflicts: libavcodec/cabac.h --- libavcodec/cabac.c | 5 ++++- libavcodec/cabac.h | 2 +- libavcodec/cabac_functions.h | 3 ++- libavcodec/h264_cabac.c | 5 ++++- libavcodec/h264_slice.c | 4 +++- 5 files changed, 14 insertions(+), 5 deletions(-) diff --git a/libavcodec/cabac.c b/libavcodec/cabac.c index 8cc9333e09..f298336ea4 100644 --- a/libavcodec/cabac.c +++ b/libavcodec/cabac.c 
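Review bot: The signed arithmetic in refill2 is only half removed: `x` is now unsigned, but `c->low ^ (c->low-1)` is still evaluated in int (c->low is the signed context field), so `c->low - 1` is a signed overflow when `low` is INT_MIN and only the result is converted. Doing the whole line in unsigned makes it UB-free on its own: `x = (unsigned)c->low ^ ((unsigned)c->low - 1);`. Nothing in this hunk bounds the `ff_h264_norm_shift[x >> (CABAC_BITS-1)]` index for a `low` outside the decoder's legal range, so the change relies on the context having been validated before refill2 runs; a one-line comment saying so would help the next reader. The rest of refill2 is outside the hunk.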
@@ -51,7 +51,7 @@ void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size){ * * @param buf_size size of buf in bits */ -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ c->bytestream_start= c->bytestream= buf; c->bytestream_end= buf + buf_size; @@ -64,6 +64,9 @@ void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size){ #endif c->low+= ((*c->bytestream++)<<2) + 2; c->range= 0x1FE; + if ((c->range<<(CABAC_BITS+1)) < c->low) + return AVERROR_INVALIDDATA; + return 0; } void ff_init_cabac_states(void) diff --git a/libavcodec/cabac.h b/libavcodec/cabac.h index f9eafed105..857211c9d9 100644 --- a/libavcodec/cabac.h +++ b/libavcodec/cabac.h @@ -56,7 +56,7 @@ typedef struct CABACContext{ }CABACContext; void ff_init_cabac_encoder(CABACContext *c, uint8_t *buf, int buf_size); -void ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); +int ff_init_cabac_decoder(CABACContext *c, const uint8_t *buf, int buf_size); void ff_init_cabac_states(void); #endif /* AVCODEC_CABAC_H */ diff --git a/libavcodec/cabac_functions.h b/libavcodec/cabac_functions.h index 4e132535e1..2d1d2a6b89 100644 --- a/libavcodec/cabac_functions.h +++ b/libavcodec/cabac_functions.h @@ -191,7 +191,8 @@ static av_unused const uint8_t* skip_bytes(CABACContext *c, int n) { #endif if ((int) (c->bytestream_end - ptr) < n) return NULL; - ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n); + if (ff_init_cabac_decoder(c, ptr + n, c->bytestream_end - ptr - n) < 0) + return NULL; return ptr; } diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index c1c8b80855..04d412b74b 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c 
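Review bot: The new state check in ff_init_cabac_decoder runs after the initial bytes have already been fetched unconditionally through `*c->bytestream++`, and nothing in the hunk compares `buf_size` with the number of bytes consumed (the `#if`-guarded reads above are outside the hunk), so a caller passing a `buf_size` of 0 — h264_slice computes `(get_bits_left + 7) / 8`, the PCM path passes `bytestream_end - ptr` — still reads past `bytestream_end` before the function can return AVERROR_INVALIDDATA. If that is tolerated only because of input-buffer padding, a guard ahead of the first read, `if (buf_size < 3) return AVERROR_INVALIDDATA;` (or whatever the CABAC_BITS configuration actually consumes), would make the function safe regardless of caller. The comparison itself deserves a comment since the constant is not obvious: `/* initial low must stay below range << (CABAC_BITS+1); per the fixed overflows, larger values break the refill arithmetic */`.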
@@ -2026,6 +2026,7 @@ decode_intra_mb: const int mb_size = ff_h264_mb_sizes[h->sps.chroma_format_idc] * h->sps.bit_depth_luma >> 3; const uint8_t *ptr; + int ret; // We assume these blocks are very rare so we do not optimize it. // FIXME The two following lines get the bitstream position in the cabac @@ -2042,7 +2043,9 @@ decode_intra_mb: sl->intra_pcm_ptr = ptr; ptr += mb_size; - ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + ret = ff_init_cabac_decoder(&sl->cabac, ptr, sl->cabac.bytestream_end - ptr); + if (ret < 0) + return ret; // All blocks are present h->cbp_table[mb_xy] = 0xf7ef; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 041acfcd35..843cfd0979 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -2372,9 +2372,11 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg) align_get_bits(&sl->gb); /* init cabac */ - ff_init_cabac_decoder(&sl->cabac, + ret = ff_init_cabac_decoder(&sl->cabac, sl->gb.buffer + get_bits_count(&sl->gb) / 8, (get_bits_left(&sl->gb) + 7) / 8); + if (ret < 0) + return ret; ff_h264_init_cabac_states(h, sl); -- cgit v1.2.3 From a353cc44a654257d321a307406cb10cd03148171 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 14:29:04 +0100 Subject: Update for 2.8.3 Signed-off-by: Michael Niedermayer --- Changelog | 37 +++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index f539e63479..7e70b1120f 100644 --- a/Changelog +++ b/Changelog 
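Review bot: The negative `ret` now propagates out of the PCM path, but `sl->cabac` has already been partially re-initialised when ff_init_cabac_decoder fails (bytestream pointers moved, low/range set), so a caller that logs and keeps decoding the slice would continue with a context the init just declared invalid; returning AVERROR_INVALIDDATA is only right if the slice is abandoned at that point, which a comment should state: `/* cabac context is unusable after this failure; caller must stop decoding the slice */`. Note also that `ptr == bytestream_end` passes the `mb_size` check above the hunk (a PCM block ending exactly at the slice end), so the init then reads its first bytes from beyond the slice data and relies on buffer padding. The enclosing macroblock function begins and ends outside the hunk, so where `ret` is ultimately consumed is not visible here.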
@@ -1,6 +1,43 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.3 +- avcodec/cabac: Check initial cabac decoder state +- avcodec/cabac_functions: Fix "left shift of negative value -31767" +- avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized +- rtmpcrypt: Do the xtea decryption in little endian mode +- avformat/matroskadec: Check subtitle stream before dereferencing +- avcodec/pngdec: Replace assert by request for sample for unsupported TRNS cases +- avformat/utils: Do not init parser if probing is unfinished +- avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions +- avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component() +- avcodec/wmaprodec: Check for overread in decode_packet() +- avcodec/smacker: Check that the data size is a multiple of a sample vector +- avcodec/takdec: Skip last p2 sample (which is unused) +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_410() +- avcodec/dxtory: Fix input size check in dxtory_decode_v1_420() +- avcodec/error_resilience: avoid accessing previous or next frames tables beyond height +- avcodec/dpx: Move need_align to act per line +- avcodec/flashsv: Check size before updating it +- avcodec/ivi: Check image dimensions +- avcodec/utils: Better check for channels in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check for duplicate SIZ marker +- aacsbr: don't call sbr_dequant twice without intermediate read_sbr_data +- hqx: correct type and size check of info_offset +- mxfdec: check edit_rate also for physical_track +- avcodec/jpeg2000: Change coord to 32bit to support larger than 32k width or height +- avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range +- avcodec/jpeg2000: Check comp coords to be within the supported size +- mpegvideo: clear overread in clear_context +- avcodec/avrndec: Use the AVFrame format instead of the context 
+- dds: disable palette flag for compressed images +- dds: validate compressed source buffer size +- dds: validate source buffer size before copying +- dvdsubdec: validate offset2 similar to offset1 +- brstm: reject negative sample rate +- aacps: avoid division by zero in stereo_processing +- softfloat: assert when the argument of av_sqrt_sf is negative + version 2.8.2 - various fixes in the aac_fixed decoder - various fixes in softfloat diff --git a/RELEASE b/RELEASE index 1817afea41..9f8d8a9164 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.8.2 +2.8.3 diff --git a/doc/Doxyfile b/doc/Doxyfile index 5e9a9033b2..f4e3ca8eb4 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.8.2 +PROJECT_NUMBER = 2.8.3 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 -- cgit v1.2.3 From 644296e736ee219cd02f7b7d7b7b4c7c5a464217 Mon Sep 17 00:00:00 2001 From: James Almer Date: Mon, 9 Nov 2015 23:16:17 -0300 Subject: avutil/softfloat: use abort() instead of av_assert0(0) Fixes compilation of host tool aacps_fixed_tablegen. Reviewed-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit 9f4a41bf991916e105be9d78ed38612d3ffa4881) Signed-off-by: Michael Niedermayer --- libavutil/softfloat.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index 5b285e3d9b..7488753d64 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -180,7 +180,7 @@ static av_always_inline SoftFloat av_sqrt_sf(SoftFloat val) if (val.mant == 0) val.exp = MIN_EXP; else if (val.mant < 0) - av_assert0(0); + abort(); else { tabIndex = (val.mant - 0x20000000) >> 20; -- cgit v1.2.3 From 482bece29bc35d9cf5be05259e82103532881768 Mon Sep 17 00:00:00 2001 
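Review bot: `abort()` in av_sqrt_sf needs `<stdlib.h>`, and the hunk shows no include; unless softfloat.h already pulls it in transitively (common.h typically does), a standalone include of this header now fails to compile, so `#include <stdlib.h>` at the top of the file is the safe addition. The change also drops the file/line diagnostic av_assert0 printed, so the branch should at least say why the process dies: `/* negative mantissa has no real square root: treated as a caller bug, not a data error */`. Since a bad `val` reaching this point ends the process, callers that feed it untrusted input must keep their own range checks ahead of this function.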
From: Andrey Utkin Date: Tue, 1 Dec 2015 21:15:53 +0200 Subject: doc/filters/drawtext: fix centering example Signed-off-by: Andrey Utkin Signed-off-by: Lou Logan (cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8) Signed-off-by: Timothy Gu --- doc/filters.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/filters.texi b/doc/filters.texi index d714a2713d..2a2fab61a0 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -4967,7 +4967,7 @@ within the parameter list. @item Show the text at the center of the video frame: @example -drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h-line_h)/2" +drawtext="fontsize=30:fontfile=FreeSerif.ttf:text='hello world':x=(w-text_w)/2:y=(h-text_h)/2" @end example @item -- cgit v1.2.3 From 1c6243228c343132e094cdab1cb048e20899806c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Nov 2015 01:25:50 +0100 Subject: avcodec/ffv1dec: Print an error if the quant table count is invalid Signed-off-by: Michael Niedermayer (cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b) --- libavcodec/ffv1dec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 680abcf042..1f7bfbd2dd 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -569,8 +569,10 @@ static int read_extra_header(FFV1Context *f) } f->quant_table_count = get_symbol(c, state, 0); - if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) + if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { + av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); return AVERROR_INVALIDDATA; + } for (i = 0; i < f->quant_table_count; i++) { f->context_count[i] = read_quant_tables(c, f->quant_tables[i]); -- cgit v1.2.3 From ff3e717003efe3a3f06aa0371be5d40826fa0f03 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 14 Nov 2015 13:21:58 +0100 Subject: avcodec/ffv1dec: Clear quant_table_count if its invalid Fixes deallocation of corrupted pointer Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi No releases affected Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb) Fixes ticket #5052. --- libavcodec/ffv1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 1f7bfbd2dd..9c941fab9a 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -571,6 +571,7 @@ static int read_extra_header(FFV1Context *f) f->quant_table_count = get_symbol(c, state, 0); if (f->quant_table_count > (unsigned)MAX_QUANT_TABLES || !f->quant_table_count) { av_log(f->avctx, AV_LOG_ERROR, "quant table count %d is invalid\n", f->quant_table_count); + f->quant_table_count = 0; return AVERROR_INVALIDDATA; } -- cgit v1.2.3 From aa3101a9e825dc8b57624f3b9d07844c34c7c9a7 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 2 Dec 2015 14:56:53 +0100 Subject: lavf/rtpenc_jpeg: Less strict check for standard Huffman tables. There can be one or more Huffman table segments DHT. Reported-by: Andrey Utkin --- libavformat/rtpenc_jpeg.c | 83 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 66 insertions(+), 17 deletions(-) diff --git a/libavformat/rtpenc_jpeg.c b/libavformat/rtpenc_jpeg.c index a6f2b32df4..60629cf179 100644 --- a/libavformat/rtpenc_jpeg.c +++ b/libavformat/rtpenc_jpeg.c @@ -36,6 +36,7 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) int off = 0; /* fragment offset of the current JPEG frame */ int len; int i; + int default_huffman_tables = 0; s->buf_ptr = s->buf; s->timestamp = s->cur_timestamp; 
@@ -90,23 +91,66 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) return; } } else if (buf[i + 1] == DHT) { - if ( AV_RB16(&buf[i + 2]) < 418 - || i + 420 >= size - || buf[i + 4] != 0x00 - || buf[i + 33] != 0x01 - || buf[i + 62] != 0x10 - || buf[i + 241] != 0x11 - || memcmp(buf + i + 5, avpriv_mjpeg_bits_dc_luminance + 1, 16) - || memcmp(buf + i + 21, avpriv_mjpeg_val_dc, 12) - || memcmp(buf + i + 34, avpriv_mjpeg_bits_dc_chrominance + 1, 16) - || memcmp(buf + i + 50, avpriv_mjpeg_val_dc, 12) - || memcmp(buf + i + 63, avpriv_mjpeg_bits_ac_luminance + 1, 16) - || memcmp(buf + i + 79, avpriv_mjpeg_val_ac_luminance, 162) - || memcmp(buf + i + 242, avpriv_mjpeg_bits_ac_chrominance + 1, 16) - || memcmp(buf + i + 258, avpriv_mjpeg_val_ac_chrominance, 162)) { - av_log(s1, AV_LOG_ERROR, - "RFC 2435 requires standard Huffman tables for jpeg\n"); - return; + int dht_size = AV_RB16(&buf[i + 2]); + default_huffman_tables |= 1 << 4; + i += 3; + dht_size -= 2; + if (i + dht_size >= size) + continue; + while (dht_size > 0) + switch (buf[i + 1]) { + case 0x00: + if ( dht_size >= 29 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_luminance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) { + default_huffman_tables |= 1; + i += 29; + dht_size -= 29; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x01: + if ( dht_size >= 29 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_dc_chrominance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_dc, 12)) { + default_huffman_tables |= 1 << 1; + i += 29; + dht_size -= 29; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x10: + if ( dht_size >= 179 + && !memcmp(buf + i + 2, avpriv_mjpeg_bits_ac_luminance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_luminance, 162)) { + default_huffman_tables |= 1 << 2; + i += 179; + dht_size -= 179; + } else { + i += dht_size; + dht_size = 0; + } + break; + case 0x11: + if ( dht_size >= 179 + && !memcmp(buf + i + 2, 
avpriv_mjpeg_bits_ac_chrominance + 1, 16) + && !memcmp(buf + i + 18, avpriv_mjpeg_val_ac_chrominance, 162)) { + default_huffman_tables |= 1 << 3; + i += 179; + dht_size -= 179; + } else { + i += dht_size; + dht_size = 0; + } + break; + default: + i += dht_size; + dht_size = 0; + continue; } } else if (buf[i + 1] == SOS) { /* SOS is last marker in the header */ @@ -119,6 +163,11 @@ void ff_rtp_send_jpeg(AVFormatContext *s1, const uint8_t *buf, int size) break; } } + if (default_huffman_tables && default_huffman_tables != 31) { + av_log(s1, AV_LOG_ERROR, + "RFC 2435 requires standard Huffman tables for jpeg\n"); + return; + } if (nb_qtables && nb_qtables != 2) av_log(s1, AV_LOG_WARNING, "RFC 2435 suggests two quantization tables, %d provided\n", -- cgit v1.2.3 From 31e54f41a023d426909d55b54275cd33faf20296 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 18:30:05 +0100 Subject: avcodec/hevc: Check entry_point_offsets Fixes out of array read Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index e8c78b012e..8ee2abc13c 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2440,7 +2440,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) HEVCLocalContext *lc = s->HEVClc; int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); - int offset; + int64_t offset; int startheader, cmpt = 0; int i, j, res = 0; 
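Review bot: The 16-bit length is read at `AV_RB16(&buf[i + 2])` before any bound check, and the only range test in the new DHT branch is `i + dht_size >= size` after `i += 3`; whether the enclosing scan loop (outside the hunk) guarantees `i + 3 < size` is not visible, so a frame whose last bytes are `FF C4` reads two bytes past `size`, as the old code also did. A guard ahead of the read, `if (i + 3 >= size) break;`, closes that regardless of the loop condition. Inside the `while`, the `default:` arm's `continue` only re-tests `dht_size > 0`, which the arm has just zeroed, so `break` expresses the same thing without making a reader check the loop; and the unbraced `while (dht_size > 0) switch (...)` body would be easier to follow braced. The constants 29 and 179 are the 1 + 16 + 12 and 1 + 16 + 162 byte DC/AC table sizes; naming them (`DHT_DC_SIZE`, `DHT_AC_SIZE`) would make the memcmp offsets self-explanatory.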
@@ -2487,6 +2487,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) } if (s->sh.num_entry_point_offsets != 0) { offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt; + if (length < offset) { + av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n"); + res = AVERROR_INVALIDDATA; + goto error; + } s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset; s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset; @@ -2513,6 +2518,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) for (i = 0; i <= s->sh.num_entry_point_offsets; i++) res += ret[i]; +error: av_free(ret); av_free(arg); return res; -- cgit v1.2.3 From 9d5bdca3d8af5dd86d27f300ff19180a295fa934 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 20:52:39 +0100 Subject: avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() Fixes out of array access Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 2bf25a8c4e..36e443d478 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -595,6 +595,9 @@ int ff_dwt_encode(DWTContext *s, void *t) int ff_dwt_decode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch (s->type) { case FF_DWT97: dwt_decode97_float(s, t); -- cgit v1.2.3 From 9ce96a688b180d23f2c6de7d1a90858451af80f8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 21:02:13 +0100 Subject: avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() 
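Review bot: `length < offset` only rejects an offset past the end of the slice data; `offset` is accumulated from `entry_point_offset[]` minus `cmpt`, and if `cmpt` can exceed the accumulated offsets, `offset` goes negative and `length - offset` stored into `s->sh.size[...]` exceeds the buffer. Unless the offsets are validated before this hunk, the guard should be `if (offset < 0 || length < offset)`. Only the last entry is checked here; the loop that fills the preceding entries is outside the hunk and needs the same test if it does the same subtraction. The `error:` label skips the `res += ret[i]` accumulation, which is correct since nothing was run, and `ret`/`arg` are still freed.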
Signed-off-by: Michael Niedermayer (cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dwt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index 36e443d478..a46c93a9b2 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -580,6 +580,9 @@ int ff_jpeg2000_dwt_init(DWTContext *s, int border[2][2], int ff_dwt_encode(DWTContext *s, void *t) { + if (s->ndeclevels == 0) + return 0; + switch(s->type){ case FF_DWT97: dwt_encode97_float(s, t); break; -- cgit v1.2.3 From e3487695442914c1f220b931e466af4e08ad7529 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 22:45:46 +0100 Subject: avcodec/hevc_cabac: Fix multiple integer overflows Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b) Signed-off-by: Michael Niedermayer --- libavcodec/hevc_cabac.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index ffff87d4f0..d1bef8320f 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -831,11 +831,13 @@ static av_always_inline int mvd_decode(HEVCContext *s) int k = 1; while (k < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) { - ret += 1 << k; + ret += 1U << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return 0; + } while (k--) ret += get_cabac_bypass(&s->HEVClc->cc) << k; return get_cabac_bypass_sign(&s->HEVClc->cc, -ret); 
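Review bot: On the `k == CABAC_MAX_BIN` path mvd_decode now returns 0 after logging, but its return value is a motion-vector component, not a status, so the corruption is invisible to the caller and decoding proceeds with a zero delta as if the stream were valid. If the surrounding code has no other way to notice (the caller is outside the hunk), consider recording the error in the context so the slice is rejected, and at minimum document the choice: `/* prefix too long for a valid mvd: the bitstream is corrupt, return 0 */`. The switch to `1U << k` is right, since with k reaching 30 the accumulated `ret` can exceed INT_MAX; a comment naming that bound would save the next reader the arithmetic.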
@@ -973,8 +975,10 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) + if (prefix == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); -- cgit v1.2.3 From 1cbc2cb5084e732d89a56792133576149040f693 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 27 Nov 2015 23:33:03 +0100 Subject: avcodec/hevc: allocate entries unconditionally Fixes out of array access Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8ee2abc13c..f7ede4db6b 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -2450,11 +2450,9 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) return AVERROR(ENOMEM); } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { - ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); - - for (i = 1; i < s->threads_number; i++) { s->sList[i] = av_malloc(sizeof(HEVCContext)); memcpy(s->sList[i], s, sizeof(HEVCContext)); -- cgit v1.2.3 From d32c9723a626701a5a508db7ceba9e8b8a774921 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 00:23:54 +0100 Subject: avcodec/vp3: Clear context on reinitialization failure Fixes null pointer dereference Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
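Review bot: Rejecting `prefix == CABAC_MAX_BIN` leaves prefixes up to 30 reachable, and the `else` branch for `prefix >= 3` (outside the hunk) derives the suffix length and base value from `prefix - 3 + rc_rice_param`; if it computes something like `(1 << (prefix - 3)) << rc_rice_param`, a prefix in the high twenties still overflows int after this change. HEVC bounds the prefix so that levels fit 16 bits plus the Rice parameter, so a stricter guard in the same place, `if (prefix == CABAC_MAX_BIN || prefix - 3 + rc_rice_param > 22)`, would close that path; please verify the constant against the binarization in the spec. As in mvd_decode, the 0 return is a value rather than an error code, so the caller cannot tell a corrupt stream from a zero level.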
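Review bot: `ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1)` is now called on every slice, but its return value is still ignored; if it allocates (its name and the count argument suggest so) an allocation failure leaves the entries unset and the WPP threads run into that later. Checking it alongside the `ret`/`arg` checks just above the hunk, `if ((res = ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1)) < 0) goto error;`, reuses the `error:` cleanup this function gained earlier in this series. The function's declaration is outside the hunk, so confirm it returns a negative AVERROR on failure.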
Signed-off-by: Michael Niedermayer (cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 09e6f75ec4..59cd7251bc 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2016,17 +2016,19 @@ static int vp3_decode_frame(AVCodecContext *avctx, vp3_decode_end(avctx); ret = theora_decode_header(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); + if (ret >= 0) + ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); - } else - ret = vp3_decode_init(avctx); + } return ret; } -- cgit v1.2.3 From ce6dd54711b383ab0de1555c369e876ac1906dd8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 13:42:05 +0100 Subject: avcodec/hevc: Check max ctb addresses for WPP Fixes out of array read Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index f7ede4db6b..1f9069b4e6 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c 
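Review bot: With the new ordering vp3_decode_end runs twice when theora_decode_header fails — once unconditionally at the top of the hunk and again in the new `if (ret < 0)` — so it must be safe on an already-released context; if it frees with av_freep and re-clears its state that holds, but a comment `/* vp3_decode_end is idempotent: it may already have run above */` would record the assumption. The two reinit branches are now identical except for the parse call, which invites a small static helper, e.g. `static int vp3_reinit(AVCodecContext *avctx, GetBitContext *gb, int (*parse)(AVCodecContext *, GetBitContext *))`, so future fixes land in one place. The function continues beyond the hunk.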
@@ -2450,6 +2450,15 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) return AVERROR(ENOMEM); } + if (s->sh.slice_ctb_addr_rs + s->sh.num_entry_point_offsets * s->ps.sps->ctb_width >= s->ps.sps->ctb_width * s->ps.sps->ctb_height) { + av_log(s->avctx, AV_LOG_ERROR, "WPP ctb addresses are wrong (%d %d %d %d)\n", + s->sh.slice_ctb_addr_rs, s->sh.num_entry_point_offsets, + s->ps.sps->ctb_width, s->ps.sps->ctb_height + ); + res = AVERROR_INVALIDDATA; + goto error; + } + ff_alloc_entries(s->avctx, s->sh.num_entry_point_offsets + 1); if (!s->sList[1]) { -- cgit v1.2.3 From fe89682d7c61fde1b121209da6ebc7aa27449590 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 28 Nov 2015 17:26:05 +0100 Subject: avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() Fixes integer overflow Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 735e71a044..2037667bc4 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -3178,8 +3178,8 @@ void avcodec_string(char *buf, int buf_size, AVCodecContext *enc, int encode) if (enc->sample_aspect_ratio.num) { av_reduce(&display_aspect_ratio.num, &display_aspect_ratio.den, - enc->width * enc->sample_aspect_ratio.num, - enc->height * enc->sample_aspect_ratio.den, + enc->width * (int64_t)enc->sample_aspect_ratio.num, + enc->height * (int64_t)enc->sample_aspect_ratio.den, 1024 * 1024); snprintf(buf + strlen(buf), buf_size - strlen(buf), " [SAR %d:%d DAR %d:%d]", -- cgit v1.2.3 From 7372b42b184d8c90f82dbb21695bbfe2e7e4ac03 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Sat, 28 Nov 2015 20:08:46 +0100 Subject: avcodec/utils: Clear dimensions in ff_get_buffer() on failure Fixes out of array access Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf) Signed-off-by: Michael Niedermayer --- libavcodec/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2037667bc4..892ddb911c 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1040,8 +1040,10 @@ end: int ff_get_buffer(AVCodecContext *avctx, AVFrame *frame, int flags) { int ret = get_buffer_internal(avctx, frame, flags); - if (ret < 0) + if (ret < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); + frame->width = frame->height = 0; + } return ret; } -- cgit v1.2.3 From 2fbf723585178d1d8eb9fad4be653b3353aacbe2 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Nov 2015 03:25:41 +0100 Subject: avcodec/h264_refs: Check that long references match before use Fixes out of array read Fixes: 59bb925e90201fa0f87f0a31945d43b5/asan_heap-oob_4a52e5_3388_66027f11e3d072f1e02401ecc6193361.jvt Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit aa427537b529cd584cd73222980286d36a00fe28) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index 619f2edf84..a81ee76cfd 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
@@ -122,6 +122,14 @@ static int add_sorted(H264Picture **sorted, H264Picture **src, int len, int limi return out_i; } +static int mismatches_ref(H264Context *h, H264Picture *pic) +{ + AVFrame *f = pic->f; + return (h->cur_pic_ptr->f->width != f->width || + h->cur_pic_ptr->f->height != f->height || + h->cur_pic_ptr->f->format != f->format); +} + int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) { int i, len; @@ -193,10 +201,7 @@ int ff_h264_fill_default_ref_list(H264Context *h, H264SliceContext *sl) for (j = 0; j<1+(sl->slice_type_nos == AV_PICTURE_TYPE_B); j++) { for (i = 0; i < sl->ref_count[j]; i++) { if (h->default_ref_list[j][i].parent) { - AVFrame *f = h->default_ref_list[j][i].parent->f; - if (h->cur_pic_ptr->f->width != f->width || - h->cur_pic_ptr->f->height != f->height || - h->cur_pic_ptr->f->format != f->format) { + if (mismatches_ref(h, h->default_ref_list[j][i].parent)) { av_log(h->avctx, AV_LOG_ERROR, "Discarding mismatching reference\n"); memset(&h->default_ref_list[j][i], 0, sizeof(h->default_ref_list[j][i])); } @@ -305,7 +310,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl) } ref = h->long_ref[long_idx]; assert(!(ref && !ref->reference)); - if (ref && (ref->reference & pic_structure)) { + if (ref && (ref->reference & pic_structure) && !mismatches_ref(h, ref)) { ref->pic_id = pic_id; assert(ref->long_ref); i = 0; -- cgit v1.2.3 From 3d69716baefdbff3e5584f9de665bbba884667d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:40:32 +0100 Subject: avformat/dump: Fix integer overflow in av_dump_format() Fixes part of mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2) Signed-off-by: Michael Niedermayer --- libavformat/dump.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dump.c b/libavformat/dump.c index 705da82148..08b86935e4 100644 
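Review bot: mismatches_ref is applied in the long-term branch of ff_h264_decode_ref_pic_list_reordering, but the short-term branch of the same reordering loop (above the hunk) is not shown; if its pictures come from `h->short_ref[]` with the same freedom in size and format, it needs `&& !mismatches_ref(h, ref)` too. The helper could take `const H264Context *h` and `const H264Picture *pic` since it only reads, and it assumes `pic->f` is non-NULL, which the callers must guarantee; a one-line docstring would fix the contract: `/* true if pic differs from the current picture in size or pixel format and so must not be used as a reference */`. The reordering function starts and ends outside the hunk.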
--- a/libavformat/dump.c +++ b/libavformat/dump.c @@ -496,7 +496,7 @@ void av_dump_format(AVFormatContext *ic, int index, av_log(NULL, AV_LOG_INFO, " Duration: "); if (ic->duration != AV_NOPTS_VALUE) { int hours, mins, secs, us; - int64_t duration = ic->duration + 5000; + int64_t duration = ic->duration + (ic->duration <= INT64_MAX - 5000 ? 5000 : 0); secs = duration / AV_TIME_BASE; us = duration % AV_TIME_BASE; mins = secs / 60; -- cgit v1.2.3 From 4d9999705f406b508e4ba017cd804b8688b64d68 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:41:43 +0100 Subject: avutil/integer: Fix av_mod_i() with negative dividend Signed-off-by: Michael Niedermayer (cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf) Signed-off-by: Michael Niedermayer --- libavutil/integer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavutil/integer.c b/libavutil/integer.c index 5bcde0dc6e..6d6855fa1b 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -29,6 +29,8 @@ #include "integer.h" #include "avassert.h" +static const AVInteger zero_i; + AVInteger av_add_i(AVInteger a, AVInteger b){ int i, carry=0; @@ -111,6 +113,12 @@ AVInteger av_mod_i(AVInteger *quot, AVInteger a, AVInteger b){ AVInteger quot_temp; if(!quot) quot = "_temp; + if ((int16_t)a.v[AV_INTEGER_SIZE-1] < 0) { + a = av_mod_i(quot, av_sub_i(zero_i, a), b); + *quot = av_sub_i(zero_i, *quot); + return av_sub_i(zero_i, a); + } + av_assert2((int16_t)a.v[AV_INTEGER_SIZE-1] >= 0 && (int16_t)b.v[AV_INTEGER_SIZE-1] >= 0); av_assert2(av_log2_i(b)>=0); -- cgit v1.2.3 From 460710500e172042144784a3152aa8d1c5c29cf6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 12:44:23 +0100 Subject: avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd The code expects actual positive numbers and gives completely wrong results if INT64_MIN is treated as positive Instead clip it into the valid range that is add 1 and treat it as negative 
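Review bot: The overflow in the `+ 5000` is closed, but `secs = duration / AV_TIME_BASE` on the next line assigns an int64 quotient to the `int secs` declared just above, and for a duration near INT64_MAX the quotient (about 9.2e12) does not fit, so the printed hours/minutes are garbage even though no UB remains; declaring `int64_t secs` (and `hours`) with matching format specifiers fixes the display for the same inputs. The conditional add deserves a comment since the asymmetry looks odd at first sight: `/* round to milliseconds without overflowing near INT64_MAX */`.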
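Review bot: If av_sub_i wraps modulo 2^(16*AV_INTEGER_SIZE) (two's-complement limb subtraction, as the rest of the file suggests), the most negative AVInteger negates to itself, so for that input the new branch in av_mod_i sees a negative top limb again and recurses until the stack is exhausted. A guard after the negation, or an explicit `av_assert2((int16_t)av_sub_i(zero_i, a).v[AV_INTEGER_SIZE-1] >= 0)` before recursing, turns that into a deterministic failure instead. The line rendered as `quot = "_temp;` looks like an HTML-entity artifact for `quot = &quot_temp;` in this listing; worth checking the applied patch rather than the page.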
Signed-off-by: Michael Niedermayer (cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 126cffc3f0..b1ffd652de 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -76,8 +76,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) rnd -= AV_ROUND_PASS_MINMAX; } - if (a < 0 && a != INT64_MIN) - return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd >> 1) & 1)); + if (a < 0) + return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; -- cgit v1.2.3 From 8cd3def81d11c20052a0044d59c67da3e1a1a5c8 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 29 Nov 2015 23:44:40 +0100 Subject: avcodec/mpeg4videodec: Check available data before reading custom matrix Fixes: out of array read Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index f15747f6ab..7d664cc844 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1881,6 +1881,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; 
@@ -1904,6 +1908,10 @@ static int decode_vol_header(Mpeg4DecContext *ctx, GetBitContext *gb) int last = 0; for (i = 0; i < 64; i++) { int j; + if (get_bits_left(gb) < 8) { + av_log(s->avctx, AV_LOG_ERROR, "insufficient data for custom matrix\n"); + return AVERROR_INVALIDDATA; + } v = get_bits(gb, 8); if (v == 0) break; -- cgit v1.2.3 From aab65146afd83240087523636fa761724b0e9670 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 30 Nov 2015 03:32:36 +0100 Subject: avcodec/vp3: always set pix_fmt in theora_decode_header() Fixes assertion failure Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 59cd7251bc..f8865c8678 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2323,7 +2323,8 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) return AVERROR_INVALIDDATA; } skip_bits(gb, 3); /* reserved */ - } + } else + avctx->pix_fmt = AV_PIX_FMT_YUV420P; ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) -- cgit v1.2.3 From d295ddffe138de7a17337bc88c39425e13fd073a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 2 Dec 2015 21:16:27 +0100 Subject: avcodec/apedec: Check length in long_filter_high_3800() Fixes out of array read Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a) Signed-off-by: Michael Niedermayer --- libavcodec/apedec.c | 3 +++ 1 file changed, 3 insertions(+) 
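Review bot: In the theora_decode_header hunk the new `} else` carries an unbraced single statement while the `if` body it pairs with is braced; brace it for symmetry and to keep the dangling-else shape out of a function that is edited often: `} else {` / `avctx->pix_fmt = AV_PIX_FMT_YUV420P;` / `}`. The function starts and ends outside the hunk.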
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 5536e0f8b1..c6eae55c4e 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -892,6 +892,9 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len int32_t dotprod, sign; int32_t coeffs[256], delay[256]; + if (order >= length) + return; + memset(coeffs, 0, order * sizeof(*coeffs)); for (i = 0; i < order; i++) delay[i] = buffer[i]; -- cgit v1.2.3 From e04b039b1528f4c7df5c2b93865651bfea168a19 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 1 Dec 2015 13:32:31 +0100 Subject: avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows Fixes integer overflow Fixes: mozilla bug 1229167 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index b1ffd652de..4d8467b8c8 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c @@ -77,7 +77,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) } if (a < 0) - return -av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); + return -(uint64_t)av_rescale_rnd(-FFMAX(a, -INT64_MAX), b, c, rnd ^ ((rnd >> 1) & 1)); if (rnd == AV_ROUND_NEAR_INF) r = c / 2; @@ -87,8 +87,13 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) if (b <= INT_MAX && c <= INT_MAX) { if (a <= INT_MAX) return (a * b + r) / c; - else - return a / c * b + (a % c * b + r) / c; + else { + int64_t ad = a / c; + int64_t a2 = (a % c * b + r) / c; + if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b) + return INT64_MIN; + return ad * b + a2; + } } else { #if 1 uint64_t a0 = a & 0xFFFFFFFF; 
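Review bot: The new `if (order >= length) return;` in long_filter_high_3800 bounds `order` only against `length`, not against the 256-entry `coeffs`/`delay` arrays declared just above it, so `memset(coeffs, 0, order * sizeof(*coeffs))` and the `delay[i] = buffer[i]` loop would still write past the stack arrays for an order above 256, and a negative order turns the memset size into a huge value. If every caller passes a fixed small order this is moot, but the function cannot tell; `if (order <= 0 || order > 256 || order >= length) return;` makes it safe regardless of caller. The rest of the function is outside the hunk.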
@@ -112,6 +117,8 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd) t1++; } } + if (t1 > INT64_MAX) + return INT64_MIN; return t1; } #else -- cgit v1.2.3 From f2258e98991c392a23ad089fcbff76f972699103 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2015 03:14:11 +0100 Subject: avutil/timecode: Fix fps check The fps variable is explicitly set to -1 in case of some errors, the check must thus be signed or the code setting it needs to use 0 as error code the type of the field could be changed as well but its in an installed header Fixes: integer overflow Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b) Signed-off-by: Michael Niedermayer --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index 1dfd040868..bf463ed515 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -151,7 +151,7 @@ static int check_fps(int fps) static int check_timecode(void *log_ctx, AVTimecode *tc) { - if (tc->fps <= 0) { + if ((int)tc->fps <= 0) { av_log(log_ctx, AV_LOG_ERROR, "Timecode frame rate must be specified\n"); return AVERROR(EINVAL); } -- cgit v1.2.3 From aa9ac199b8c7bf28bcd4d4ff1fc7f68e3fff5123 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= Date: Sat, 28 Nov 2015 08:27:39 +0200 Subject: mpegencts: Fix overflow in cbr mode period calculations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ts->mux_rate is int (signed 32-bit) type. The period calculations will start to overflow when mux_rate > 5mbps. This fixes overflows by converting first to 64-bit type. Fixes #5044. Signed-off-by: Timo Teräs 
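Review bot: The `(int)tc->fps <= 0` test in check_timecode only makes sense with the commit message in hand (fps is an unsigned field in an installed header that error paths set to -1); a reader of the code alone will see a pointless cast on an unsigned value. Add `/* fps is unsigned in the public header but error paths store -1; the cast makes that sentinel (and anything above INT_MAX) fail this check */` above the `if`.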
Signed-off-by: Michael Niedermayer (cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2) Signed-off-by: Michael Niedermayer --- libavformat/mpegtsenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/mpegtsenc.c b/libavformat/mpegtsenc.c index 45bab1ce01..9b5864d1ef 100644 --- a/libavformat/mpegtsenc.c +++ b/libavformat/mpegtsenc.c @@ -756,11 +756,11 @@ static int mpegts_write_header(AVFormatContext *s) ts_st = pcr_st->priv_data; if (ts->mux_rate > 1) { - service->pcr_packet_period = (ts->mux_rate * ts->pcr_period) / + service->pcr_packet_period = (int64_t)ts->mux_rate * ts->pcr_period / (TS_PACKET_SIZE * 8 * 1000); - ts->sdt_packet_period = (ts->mux_rate * SDT_RETRANS_TIME) / + ts->sdt_packet_period = (int64_t)ts->mux_rate * SDT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); - ts->pat_packet_period = (ts->mux_rate * PAT_RETRANS_TIME) / + ts->pat_packet_period = (int64_t)ts->mux_rate * PAT_RETRANS_TIME / (TS_PACKET_SIZE * 8 * 1000); if (ts->copyts < 1) -- cgit v1.2.3 From b8621a2e98601df227423ace37f2241555ea8189 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 3 Dec 2015 20:16:00 +0100 Subject: avformat/riffdec: Initialize bitrate Fixes CID1338334 Signed-off-by: Michael Niedermayer (cherry picked from commit 32bf6550cb9cc9f487a6722fe2bfc272a93c1065) Signed-off-by: Michael Niedermayer --- libavformat/riffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 7eecdb24b8..bd9bca01c0 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -87,7 +87,7 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, AVCodecContext *codec, int size, int big_endian) { int id; - uint64_t bitrate; + uint64_t bitrate = 0; if (size < 14) { avpriv_request_sample(codec, "wav header size < 14"); -- cgit v1.2.3 From 73966b01618ebc9c5b68a3e09c47fb0cc15ed329 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Fri, 4 Dec 2015 12:47:20 +0100 Subject: avcodec/vp3: Fix "runtime error: left shift of negative value" Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_7ffff6ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index f8865c8678..6ff01fb282 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -209,8 +209,8 @@ typedef struct Vp3DecodeContext { int16_t *dct_tokens[3][64]; int16_t *dct_tokens_base; #define TOKEN_EOB(eob_run) ((eob_run) << 2) -#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) << 9) + ((zero_run) << 2) + 1) -#define TOKEN_COEFF(coeff) (((coeff) << 2) + 2) +#define TOKEN_ZERO_RUN(coeff, zero_run) (((coeff) * 512) + ((zero_run) << 2) + 1) +#define TOKEN_COEFF(coeff) (((coeff) * 4) + 2) /** * number of blocks that contain DCT coefficients at -- cgit v1.2.3 From 0e3ec7db5334e580b2d85153d025042c8236901e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:06:16 +0100 Subject: avformat/smacker: fix integer overflow with pts_inc Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83) Signed-off-by: Michael Niedermayer --- libavformat/smacker.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 5dcf4adafe..de8bbdb07a 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
@@ -120,6 +120,11 @@ static int smacker_read_header(AVFormatContext *s) smk->height = avio_rl32(pb); smk->frames = avio_rl32(pb); smk->pts_inc = (int32_t)avio_rl32(pb); + if (smk->pts_inc > INT_MAX / 100) { + av_log(s, AV_LOG_ERROR, "pts_inc %d is too large\n", smk->pts_inc); + return AVERROR_INVALIDDATA; + } + smk->flags = avio_rl32(pb); if(smk->flags & SMACKER_FLAG_RING_FRAME) smk->frames++; -- cgit v1.2.3 From 16c5da92d997d80168ed15d78d4a6bc309c81f3f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:11:23 +0100 Subject: avcodec/wmaprodec: Fix overflow of cutoff Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_7ffff6ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 7f6d3edd24..dc581dc6e5 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -477,7 +477,7 @@ static av_cold int decode_init(AVCodecContext *avctx) /** calculate subwoofer cutoff values */ for (i = 0; i < num_possible_block_sizes; i++) { int block_size = s->samples_per_frame >> i; - int cutoff = (440*block_size + 3 * (s->avctx->sample_rate >> 1) - 1) + int cutoff = (440*block_size + 3LL * (s->avctx->sample_rate >> 1) - 1) / s->avctx->sample_rate; s->subwoofer_cutoffs[i] = av_clip(cutoff, 4, block_size); } -- cgit v1.2.3 From ded0a0415377e2696d006a019f86eab6f1deb8d4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 13:48:06 +0100 Subject: avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_7ffff6ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
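Review bot: The new bound in smacker_read_header only covers the positive side of `pts_inc`: the value is read as a signed 32-bit integer, so INT_MIN passes the check, and if the code after this hunk negates a negative pts_inc to obtain the time base (not visible here, but the explicit `(int32_t)` cast suggests the sign is meaningful), `-INT_MIN` overflows. Extending the check to `if (smk->pts_inc > INT_MAX / 100 || smk->pts_inc == INT_MIN)` closes that side too. The function continues outside the hunk.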
Signed-off-by: Michael Niedermayer (cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5) Signed-off-by: Michael Niedermayer --- libavcodec/wmaprodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index dc581dc6e5..6f5a1706e2 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -300,6 +300,12 @@ static av_cold int decode_init(AVCodecContext *avctx) s->decode_flags = AV_RL16(edata_ptr+14); channel_mask = AV_RL32(edata_ptr+2); s->bits_per_sample = AV_RL16(edata_ptr); + + if (s->bits_per_sample > 32 || s->bits_per_sample < 1) { + avpriv_request_sample(avctx, "bits per sample is %d", s->bits_per_sample); + return AVERROR_PATCHWELCOME; + } + /** dump the extradata */ for (i = 0; i < avctx->extradata_size; i++) ff_dlog(avctx, "[%x] ", avctx->extradata[i]); -- cgit v1.2.3 From b253035ab23d4f6d4ad1f40572ad17dbd703b5e6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:11:54 +0100 Subject: avcodec/dirac_parser: Fix potential overflows in pointer checks Signed-off-by: Michael Niedermayer (cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 83c35a2010..12f1a60145 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -100,10 +100,12 @@ typedef struct DiracParseUnit { static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, int offset) { - uint8_t *start = pc->buffer + offset; - uint8_t *end = pc->buffer + pc->index; - if (start < pc->buffer || (start + 13 > end)) + int8_t *start; + + if (offset < 0 || pc->index - 13 < offset) return 0; + + start = pc->buffer + offset; pu->pu_type = start[4]; pu->next_pu_offset = AV_RB32(start + 5); -- cgit v1.2.3 From cf79fd0317ed22dcf1fefe877f4e543fe58d6f7c Mon Sep 17 00:00:00 2001 
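Review bot: `int8_t *start;` in unpack_parse_unit changes the element type of the buffer pointer: the removed line had `uint8_t *start = pc->buffer + offset;`, so the new `start = pc->buffer + offset;` assigns between incompatible pointer types (a diagnostic on most compilers) and `start[4]` is now read as a signed byte before it lands in `pu->pu_type`. This reads as a typo; it should stay `uint8_t *start;`. The new `offset < 0 || pc->index - 13 < offset` test itself is sound. The function ends outside the hunk.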
From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:14:36 +0100 Subject: avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset Signed-off-by: Michael Niedermayer (cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index 12f1a60145..c7c4b697c8 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c @@ -114,6 +114,15 @@ static int unpack_parse_unit(DiracParseUnit *pu, DiracParseContext *pc, if (pu->pu_type == 0x10 && pu->next_pu_offset == 0) pu->next_pu_offset = 13; + if (pu->next_pu_offset && pu->next_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "next_pu_offset %d is invalid\n", pu->next_pu_offset); + return 0; + } + if (pu->prev_pu_offset && pu->prev_pu_offset < 13) { + av_log(NULL, AV_LOG_ERROR, "prev_pu_offset %d is invalid\n", pu->prev_pu_offset); + return 0; + } + return 1; } -- cgit v1.2.3 From 0fa92fee43388dc257bceb15a67f28a40b3d6a49 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 17:15:38 +0100 Subject: avcodec/dirac_parser: Check that there is a previous PU before accessing it Fixes out of array read Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810) Signed-off-by: Michael Niedermayer --- libavcodec/dirac_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dirac_parser.c b/libavcodec/dirac_parser.c index c7c4b697c8..1ca7e31f1c 100644 --- a/libavcodec/dirac_parser.c +++ b/libavcodec/dirac_parser.c 
@@ -201,7 +201,7 @@ static int dirac_combine_frame(AVCodecParserContext *s, AVCodecContext *avctx, } /* Get the picture number to set the pts and dts*/ - if (parse_timing_info) { + if (parse_timing_info && pu1.prev_pu_offset >= 13) { uint8_t *cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset; int pts = AV_RB32(cur_pu + 13); -- cgit v1.2.3 From 10fc3d690c8b6c326e3fb11694e17519e4226722 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 5 Dec 2015 22:08:59 +0100 Subject: avcodec/hevc: Fix integer overflow of entry_point_offset Fixes out of array read Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 214085852491448631dcecb008b5d172c11b8892) Signed-off-by: Michael Niedermayer --- libavcodec/hevc.c | 4 ++-- libavcodec/hevc.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 1f9069b4e6..5f777612c2 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -744,7 +744,7 @@ static int hls_slice_header(HEVCContext *s) av_freep(&sh->entry_point_offset); av_freep(&sh->offset); av_freep(&sh->size); - sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); + sh->entry_point_offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(unsigned)); sh->offset = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); sh->size = av_malloc_array(sh->num_entry_point_offsets, sizeof(int)); if (!sh->entry_point_offset || !sh->offset || !sh->size) { @@ -2441,7 +2441,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal) int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int)); int64_t offset; - int startheader, cmpt = 0; + int64_t startheader, cmpt = 0; int i, j, res = 0; if (!ret || !arg) { 
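Review bot: `pu1.prev_pu_offset >= 13` in dirac_combine_frame establishes that a previous PU exists but not that it is still inside the parse buffer: `cur_pu = pc->buffer + pc->index - 13 - pu1.prev_pu_offset` points below `pc->buffer` whenever prev_pu_offset exceeds `pc->index - 13`, and the `AV_RB32(cur_pu + 13)` read follows. Unless prev_pu_offset is bounded against pc->index earlier in the function (outside this hunk), the condition should also require `pu1.prev_pu_offset <= pc->index - 13`.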
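Review bot: In the hls_slice_header hunk, `sizeof(unsigned)` spells out the element type the commit just changed, while the neighbouring `offset` and `size` allocations still say `sizeof(int)`; `av_malloc_array(sh->num_entry_point_offsets, sizeof(*sh->entry_point_offset))` (and likewise `sizeof(*sh->offset)`, `sizeof(*sh->size)`) ties each allocation to its pointee so the next type change cannot leave them out of step. The hevc.h hunk and the `@@ -2441` widening of `startheader`/`cmpt` to `int64_t` read fine as they are. hls_slice_header begins and ends outside the hunk.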
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 66b9a2f0fc..d84e661600 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -622,7 +622,7 @@ typedef struct SliceHeader { unsigned int max_num_merge_cand; ///< 5 - 5_minus_max_num_merge_cand - int *entry_point_offset; + unsigned *entry_point_offset; int * offset; int * size; int num_entry_point_offsets; -- cgit v1.2.3 From af4454561338dd9bccf83c9e96e4c48de4dc0119 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:44:05 +0100 Subject: swscale/utils: Fix for runtime error: left shift of negative value -1 Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc) Signed-off-by: Michael Niedermayer --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index 0c4b4d7977..2a88dc96f7 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -385,7 +385,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos, xDstInSrc = ((dstPos*(int64_t)xInc)>>7) - ((srcPos*0x10000LL)>>7); for (i = 0; i < dstW; i++) { - int xx = (xDstInSrc - ((int64_t)(filterSize - 2) << 16)) / (1 << 17); + int xx = (xDstInSrc - (filterSize - 2) * (1LL<<16)) / (1 << 17); int j; (*filterPos)[i] = xx; for (j = 0; j < filterSize; j++) { -- cgit v1.2.3 From e5a404477153278382a49bc44a15931f1073b840 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 21:38:12 +0100 Subject: avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 
Signed-off-by: Michael Niedermayer (cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe) Signed-off-by: Michael Niedermayer --- libavcodec/pgssubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pgssubdec.c b/libavcodec/pgssubdec.c index 0d307f5302..e567f53ab4 100644 --- a/libavcodec/pgssubdec.c +++ b/libavcodec/pgssubdec.c @@ -33,7 +33,7 @@ #include "libavutil/imgutils.h" #include "libavutil/opt.h" -#define RGBA(r,g,b,a) (((a) << 24) | ((r) << 16) | ((g) << 8) | (b)) +#define RGBA(r,g,b,a) (((unsigned)(a) << 24) | ((r) << 16) | ((g) << 8) | (b)) #define MAX_EPOCH_PALETTES 8 // Max 8 allowed per PGS epoch #define MAX_EPOCH_OBJECTS 64 // Max 64 allowed per PGS epoch #define MAX_OBJECT_REFS 2 // Max objects per display set -- cgit v1.2.3 From ea4d9cb3e559d0ad31ec648097216f30462095fd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 4 Dec 2015 16:23:24 +0100 Subject: avcodec/jpeg2000dec: Check bpno in decode_cblk() Fixes: undefined shift Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb) Signed-off-by: Michael Niedermayer --- libavcodec/jpeg2000dec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 214ff056d7..36ef001672 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1489,6 +1489,10 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty, ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1); while (passno--) { + if (bpno < 0) { + av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n"); + return AVERROR_INVALIDDATA; + } switch(pass_t) { case 0: decode_sigpass(t1, width, height, bpno + 1, bandpos, -- cgit v1.2.3 From d27d59fef7e32ab4b7ac640511b0441d270da5a7 Mon Sep 17 00:00:00 2001 
From: Michael Niedermayer Date: Wed, 2 Dec 2015 22:59:56 +0100 Subject: avcodec/vp3: ensure header is parsed successfully before tables Fixes assertion failure Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_7ffff6ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad) Signed-off-by: Michael Niedermayer --- libavcodec/vp3.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 6ff01fb282..9bdbbb87dd 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -131,7 +131,7 @@ static const uint8_t hilbert_offset[16][2] = { typedef struct Vp3DecodeContext { AVCodecContext *avctx; - int theora, theora_tables; + int theora, theora_tables, theora_header; int version; int width, height; int chroma_x_shift, chroma_y_shift; @@ -2253,6 +2253,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) int ret; AVRational fps, aspect; + s->theora_header = 0; s->theora = get_bits_long(gb, 24); av_log(avctx, AV_LOG_DEBUG, "Theora bitstream version %X\n", s->theora); @@ -2358,6 +2359,7 @@ static int theora_decode_header(AVCodecContext *avctx, GetBitContext *gb) avctx->color_trc = AVCOL_TRC_BT709; } + s->theora_header = 1; return 0; } @@ -2366,6 +2368,9 @@ static int theora_decode_tables(AVCodecContext *avctx, GetBitContext *gb) Vp3DecodeContext *s = avctx->priv_data; int i, n, matrices, inter, plane; + if (!s->theora_header) + return AVERROR_INVALIDDATA; + if (s->theora >= 0x030200) { n = get_bits(gb, 3); /* loop filter limit values table */ -- cgit v1.2.3 From cb4985ea9aa222d40d1eb71af62184f0be639f65 Mon Sep 17 00:00:00 2001 
From: James Zern Date: Mon, 19 Oct 2015 22:44:11 -0700 Subject: libvpxenc: remove some unused ctrl id mappings VP8E_UPD_ENTROPY, VP8E_UPD_REFERENCE, VP8E_USE_REFERENCE were removed from libvpx and the remaining values were never used here Reviewed-by: Michael Niedermayer Signed-off-by: James Zern (cherry picked from commit 6540fe04a3f9a11ba7084a49b3ee5fa2fc5b32ab) Signed-off-by: Michael Niedermayer --- libavcodec/libvpxenc.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c index 5f39783087..992122c982 100644 --- a/libavcodec/libvpxenc.c +++ b/libavcodec/libvpxenc.c @@ -104,19 +104,11 @@ typedef struct VP8EncoderContext { /** String mappings for enum vp8e_enc_control_id */ static const char *const ctlidstr[] = { - [VP8E_UPD_ENTROPY] = "VP8E_UPD_ENTROPY", - [VP8E_UPD_REFERENCE] = "VP8E_UPD_REFERENCE", - [VP8E_USE_REFERENCE] = "VP8E_USE_REFERENCE", - [VP8E_SET_ROI_MAP] = "VP8E_SET_ROI_MAP", - [VP8E_SET_ACTIVEMAP] = "VP8E_SET_ACTIVEMAP", - [VP8E_SET_SCALEMODE] = "VP8E_SET_SCALEMODE", [VP8E_SET_CPUUSED] = "VP8E_SET_CPUUSED", [VP8E_SET_ENABLEAUTOALTREF] = "VP8E_SET_ENABLEAUTOALTREF", [VP8E_SET_NOISE_SENSITIVITY] = "VP8E_SET_NOISE_SENSITIVITY", - [VP8E_SET_SHARPNESS] = "VP8E_SET_SHARPNESS", [VP8E_SET_STATIC_THRESHOLD] = "VP8E_SET_STATIC_THRESHOLD", [VP8E_SET_TOKEN_PARTITIONS] = "VP8E_SET_TOKEN_PARTITIONS", - [VP8E_GET_LAST_QUANTIZER] = "VP8E_GET_LAST_QUANTIZER", [VP8E_SET_ARNR_MAXFRAMES] = "VP8E_SET_ARNR_MAXFRAMES", [VP8E_SET_ARNR_STRENGTH] = "VP8E_SET_ARNR_STRENGTH", [VP8E_SET_ARNR_TYPE] = "VP8E_SET_ARNR_TYPE", -- cgit v1.2.3 From 913c642c21dd608cc53ea2482e9b4d3141bcd542 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 6 Dec 2015 10:42:02 +0100 Subject: Update for 2.8.4 Signed-off-by: Michael Niedermayer --- Changelog | 40 ++++++++++++++++++++++++++++++++++++++++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 42 insertions(+), 2 deletions(-) 
diff --git a/Changelog b/Changelog index 7e70b1120f..2ea072758f 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,46 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.4 +- libvpxenc: remove some unused ctrl id mappings +- avcodec/vp3: ensure header is parsed successfully before tables +- avcodec/jpeg2000dec: Check bpno in decode_cblk() +- avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int +- swscale/utils: Fix for runtime error: left shift of negative value -1 +- avcodec/hevc: Fix integer overflow of entry_point_offset +- avcodec/dirac_parser: Check that there is a previous PU before accessing it +- avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset +- avcodec/dirac_parser: Fix potential overflows in pointer checks +- avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows +- avcodec/wmaprodec: Fix overflow of cutoff +- avformat/smacker: fix integer overflow with pts_inc +- avcodec/vp3: Fix "runtime error: left shift of negative value" +- avformat/riffdec: Initialize bitrate +- mpegencts: Fix overflow in cbr mode period calculations +- avutil/timecode: Fix fps check +- avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows +- avcodec/apedec: Check length in long_filter_high_3800() +- avcodec/vp3: always set pix_fmt in theora_decode_header() +- avcodec/mpeg4videodec: Check available data before reading custom matrix +- avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd +- avutil/integer: Fix av_mod_i() with negative dividend +- avformat/dump: Fix integer overflow in av_dump_format() +- avcodec/h264_refs: Check that long references match before use +- avcodec/utils: Clear dimensions in ff_get_buffer() on failure +- avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string() +- avcodec/hevc: Check max ctb addresses for WPP +- avcodec/vp3: Clear context on reinitialization failure +- avcodec/hevc: 
allocate entries unconditionally +- avcodec/hevc_cabac: Fix multiple integer overflows +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*() +- avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*() +- avcodec/hevc: Check entry_point_offsets +- lavf/rtpenc_jpeg: Less strict check for standard Huffman tables. +- avcodec/ffv1dec: Clear quant_table_count if its invalid +- avcodec/ffv1dec: Print an error if the quant table count is invalid +- doc/filters/drawtext: fix centering example + + version 2.8.3 - avcodec/cabac: Check initial cabac decoder state - avcodec/cabac_functions: Fix "left shift of negative value -31767" diff --git a/RELEASE b/RELEASE index 9f8d8a9164..2701a226a2 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -2.8.3 +2.8.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index f4e3ca8eb4..5c4b4660f6 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.8.3 +PROJECT_NUMBER = 2.8.4 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 -- cgit v1.2.3 From 2e54b8c379bad54599f82d63de26af7c934ccff6 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 21:52:23 +0100 Subject: mjpegdec: consider chroma subsampling in size check If the chroma components are subsampled, smaller buffers are allocated for them. In that case the maximal block_offset for the chroma components is not as large as for the luma component. This fixes out of bounds writes causing segmentation faults or memory corruption. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32) Signed-off-by: Michael Niedermayer --- libavcodec/mjpegdec.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 6c6598ffd3..3f81fdfc68 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1246,7 +1246,7 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, int mb_bitmask_size, const AVFrame *reference) { - int i, mb_x, mb_y; + int i, mb_x, mb_y, chroma_h_shift, chroma_v_shift, chroma_width, chroma_height; uint8_t *data[MAX_COMPONENTS]; const uint8_t *reference_data[MAX_COMPONENTS]; int linesize[MAX_COMPONENTS]; @@ -1263,6 +1263,11 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, s->restart_count = 0; + av_pix_fmt_get_chroma_sub_sample(s->avctx->pix_fmt, &chroma_h_shift, + &chroma_v_shift); + chroma_width = FF_CEIL_RSHIFT(s->width, chroma_h_shift); + chroma_height = FF_CEIL_RSHIFT(s->height, chroma_v_shift); + for (i = 0; i < nb_components; i++) { int c = s->comp_index[i]; data[c] = s->picture_ptr->data[c]; @@ -1299,8 +1304,8 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, if (s->interlaced && s->bottom_field) block_offset += linesize[c] >> 1; - if ( 8*(h * mb_x + x) < s->width - && 8*(v * mb_y + y) < s->height) { + if ( 8*(h * mb_x + x) < ((c == 1) || (c == 2) ? chroma_width : s->width) + && 8*(v * mb_y + y) < ((c == 1) || (c == 2) ? chroma_height : s->height)) { ptr = data[c] + block_offset; } else ptr = NULL; -- cgit v1.2.3 From 4608cc176b34a0268785508a915c9860bbdd1f25 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 17:39:38 +0100 Subject: avutil/mathematics: Fix division by 0 Fixes: CID1341571 Signed-off-by: Michael Niedermayer (cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85) Signed-off-by: Michael Niedermayer --- libavutil/mathematics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c index 4d8467b8c8..78a87d8457 100644 --- a/libavutil/mathematics.c +++ b/libavutil/mathematics.c 
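Review bot: The return value of `av_pix_fmt_get_chroma_sub_sample` in mjpeg_decode_scan is not checked; it returns an error and leaves `chroma_h_shift`/`chroma_v_shift` untouched when the pixel format has no descriptor, and the two `FF_CEIL_RSHIFT` lines would then use uninitialised values. Presumably pix_fmt has been validated before this point, but propagating a negative return the way the function's other error paths do costs one line and removes the assumption. Separately, `(c == 1) || (c == 2) ? chroma_width : s->width` is correct only because `||` binds tighter than `?:`, which is easy to misread; `((c == 1 || c == 2) ? chroma_width : s->width)` makes the grouping explicit.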
@@ -90,7 +90,7 @@ int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd)
 else {
 int64_t ad = a / c;
 int64_t a2 = (a % c * b + r) / c;
- if (ad >= INT32_MAX && ad > (INT64_MAX - a2) / b)
+ if (ad >= INT32_MAX && b && ad > (INT64_MAX - a2) / b)
 return INT64_MIN;
 return ad * b + a2;
 }
-- cgit v1.2.3
From a9c721da12e39396066e28ddd6e35b8fc538f294 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 9 Dec 2015 16:16:46 +0100
Subject: avformat/matroskaenc: Check codecdelay before use
Fixes CID1238790
Signed-off-by: Michael Niedermayer
(cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b)
Signed-off-by: Michael Niedermayer
---
 libavformat/matroskaenc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 2b2d034e00..7918346aee 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -926,14 +926,18 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv,
 }
 if (codec->codec_type == AVMEDIA_TYPE_AUDIO && codec->initial_padding && codec->codec_id == AV_CODEC_ID_OPUS) {
+ int64_t codecdelay = av_rescale_q(codec->initial_padding,
+ (AVRational){ 1, codec->sample_rate },
+ (AVRational){ 1, 1000000000 });
+ if (codecdelay < 0) {
+ av_log(s, AV_LOG_ERROR, "Initial padding is invalid\n");
+ return AVERROR(EINVAL);
+ }
 // mkv->tracks[i].ts_offset = av_rescale_q(codec->initial_padding,
 // (AVRational){ 1, codec->sample_rate },
 // st->time_base);
- put_ebml_uint(pb, MATROSKA_ID_CODECDELAY,
- av_rescale_q(codec->initial_padding,
- (AVRational){ 1, codec->sample_rate },
- (AVRational){ 1, 1000000000 }));
+ put_ebml_uint(pb, MATROSKA_ID_CODECDELAY, codecdelay);
 }
 if (codec->codec_id == AV_CODEC_ID_OPUS) {
 put_ebml_uint(pb, MATROSKA_ID_SEEKPREROLL, OPUS_SEEK_PREROLL);
-- cgit v1.2.3
From 5e105aca0145f0affc7e7115b64406e352811bc4 Mon Sep 17 00:00:00 2001
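Review bot: The added `b &&` term deserves a comment, because a reader does not see here why b may be zero while the surrounding code still divides by c; suggest `/* b == 0 is a valid input (the result is just a2); skip the overflow estimate instead of dividing by zero */` on the changed line. With b == 0 the `return ad * b + a2;` context line yields a2, so short-circuiting the check is correct. av_rescale_rnd starts before the hunk and ends after it.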
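Review bot: The rescale added here uses `(AVRational){ 1, codec->sample_rate }` as the source base, so a sample_rate of 0 turns into a zero divisor inside av_rescale_q (av_rescale_rnd only checks `c > 0` with an assert that is compiled out of release builds, as far as I recall); unless sample_rate is already validated earlier in mkv_write_track (outside the hunk), guard it with `if (codec->sample_rate <= 0) return AVERROR(EINVAL);` before computing codecdelay. The `codecdelay < 0` test does catch the INT64_MIN overflow return, which is the reported CID case. mkv_write_track starts before the hunk and ends after it.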
From: Rainer Hochecker Date: Sun, 15 Nov 2015 13:58:50 +0100 Subject: avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec Fixes a mpegts file with hevc that fails estimating duration. Increasing number of retries fixes the issue. Signed-off-by: Michael Niedermayer (cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b) Signed-off-by: Michael Niedermayer --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 386ce37a77..30567fa2ec 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -2451,7 +2451,7 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic) } #define DURATION_MAX_READ_SIZE 250000LL -#define DURATION_MAX_RETRY 4 +#define DURATION_MAX_RETRY 6 /* only usable for MPEG-PS streams */ static void estimate_timings_from_pts(AVFormatContext *ic, int64_t old_offset) -- cgit v1.2.3 From cd83f899c94f691b045697d12efa21f83eb2329f Mon Sep 17 00:00:00 2001 From: zjh8890 <243186085@qq.com> Date: Sun, 22 Nov 2015 00:07:35 +0800 Subject: avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H The transpose_4x4H is wrong which cost me much time to find this bug. The orders of r2 and r3 are wrong, this bug waste me much time while I make aarch64 arm instruction which used the function. (cherry picked from commit c18176bd551b4616757080376707637e30547fd0) Signed-off-by: Michael Niedermayer --- libavcodec/aarch64/neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aarch64/neon.S b/libavcodec/aarch64/neon.S index 619aec6426..a227cbd3f6 100644 --- a/libavcodec/aarch64/neon.S +++ b/libavcodec/aarch64/neon.S 
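Review bot: The constant goes from 4 to 6 without a comment on what a retry costs; if estimate_timings_from_pts reads a tail of `DURATION_MAX_READ_SIZE << retry` bytes per attempt (the hunk shows only the defines, so this is inferred), two more retries quadruple the worst-case tail read on inputs whose duration cannot be estimated, which matters for slow or remote sources. A comment on the define recording the trade-off, e.g. `/* each retry reads a larger tail of the input; 6 is needed for some HEVC-in-TS files */`, would explain why 6.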
@@ -107,8 +107,8 @@
 .macro transpose_4x4H r0, r1, r2, r3, r4, r5, r6, r7
 trn1 \r4\().4H, \r0\().4H, \r1\().4H
 trn2 \r5\().4H, \r0\().4H, \r1\().4H
- trn1 \r7\().4H, \r3\().4H, \r2\().4H
- trn2 \r6\().4H, \r3\().4H, \r2\().4H
+ trn1 \r7\().4H, \r2\().4H, \r3\().4H
+ trn2 \r6\().4H, \r2\().4H, \r3\().4H
 trn1 \r0\().2S, \r4\().2S, \r7\().2S
 trn2 \r3\().2S, \r4\().2S, \r7\().2S
 trn1 \r1\().2S, \r5\().2S, \r6\().2S
-- cgit v1.2.3
From f87d2617d52c1400cf2fb115eae5f76dfd0cf40e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 12 Dec 2015 23:25:12 +0100
Subject: Changelog: Update
Signed-off-by: Michael Niedermayer
---
 Changelog | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Changelog b/Changelog
index 2ea072758f..7646dac39b 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
 version 2.8.4
+- avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H
+- avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec
+- avformat/matroskaenc: Check codecdelay before use
+- avutil/mathematics: Fix division by 0
+- mjpegdec: consider chroma subsampling in size check
 - libvpxenc: remove some unused ctrl id mappings
 - avcodec/vp3: ensure header is parsed successfully before tables
 - avcodec/jpeg2000dec: Check bpno in decode_cblk()
-- cgit v1.2.3
From e3f08d9359c35745baa03acffb53154944f43053 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 9 Dec 2015 18:13:25 +0100
Subject: avformat/mxfenc: Fix integer overflow in length computation
Fixes: CID1341577
Signed-off-by: Michael Niedermayer
(cherry picked from commit 537e901fe66c326f78e916ee9393830ee366131d)
Signed-off-by: Michael Niedermayer
---
 libavformat/mxfenc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c
index 66e1f071f9..9e23bed1c0 100644
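Review bot: The commit message justifies the trn1/trn2 operand swap only by the author's own use of the macro and cites no test, yet transpose_4x4H is shared with the existing AArch64 consumers (presumably the H.264 paths), whose expected output is pinned by the FATE suite; a change to a shared macro's semantics should name the FATE run that passes with it, or come with a test that exercises the macro directly. Without that evidence a reader cannot tell whether the macro or the author's caller had the register order wrong.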
--- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -1266,11 +1266,11 @@ static void mxf_write_package(AVFormatContext *s, enum MXFMetadataSetType type, user_comment_count = mxf_write_user_comments(s, s->metadata); mxf_write_metadata_key(pb, 0x013600); PRINT_KEY(s, "Material Package key", pb->buf_ptr - 16); - klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12*mxf->store_user_comments); + klv_encode_ber_length(pb, 92 + name_size + (16*track_count) + (16*user_comment_count) + 12LL*mxf->store_user_comments); } else { mxf_write_metadata_key(pb, 0x013700); PRINT_KEY(s, "Source Package key", pb->buf_ptr - 16); - klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12*mxf->store_user_comments); // 20 bytes length for descriptor reference + klv_encode_ber_length(pb, 112 + name_size + (16*track_count) + 12LL*mxf->store_user_comments); // 20 bytes length for descriptor reference } // write uid -- cgit v1.2.3 From 07b43fb69afdcd091af7fd32228c2608fd4821cb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 9 Dec 2015 21:45:07 +0100 Subject: avformat/mov: Enable parser for mp3s by old HandBrake Fixes Ticket5047 Signed-off-by: Michael Niedermayer (cherry picked from commit 861f47ddf463926da2cba9e12665e7f004419f4b) Signed-off-by: Michael Niedermayer --- libavformat/isom.h | 1 + libavformat/mov.c | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/libavformat/isom.h b/libavformat/isom.h index 6e921c04a0..1f466f0286 100644 --- a/libavformat/isom.h +++ b/libavformat/isom.h @@ -184,6 +184,7 @@ typedef struct MOVContext { MOVTrackExt *trex_data; unsigned trex_count; int itunes_metadata; ///< metadata are itunes style + int handbrake_version; int chapter_track; int use_absolute_path; int ignore_editlist; diff --git a/libavformat/mov.c b/libavformat/mov.c index 735e956b62..4ce4e2dddd 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
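Review bot: Only the `12*mxf->store_user_comments` term is widened to `12LL`, while `16*track_count` and `16*user_comment_count` on the same lines stay int; since user_comment_count is derived from s->metadata (the context line above shows the mxf_write_user_comments call), the consistent form `16LL*track_count + 16LL*user_comment_count` makes the whole length 64-bit and removes the question of whether those counts are bounded. In practice both counts are far below the int overflow threshold, so this is a consistency point rather than a reachable bug. mxf_write_package starts before the hunk and ends after it.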
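Review bot: The new `handbrake_version` member is added without a comment, unlike its neighbour `itunes_metadata`, and its encoding is only discoverable by reading mov.c. Suggest `int handbrake_version; ///< HandBrake encoder version as 1000000*major + 1000*minor + micro, 0 if no HandBrake encoder tag was seen`, which also documents that 0 is the "unset" value the mov.c check relies on.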
@@ -419,6 +419,12 @@ retry: snprintf(key2, sizeof(key2), "%s-%s", key, language); av_dict_set(&c->fc->metadata, key2, str, 0); } + if (!strcmp(key, "encoder")) { + int major, minor, micro; + if (sscanf(str, "HandBrake %d.%d.%d", &major, &minor, µ) == 3) { + c->handbrake_version = 1000000*major + 1000*minor + micro; + } + } } av_log(c->fc, AV_LOG_TRACE, "lang \"%3s\" ", language); av_log(c->fc, AV_LOG_TRACE, "tag \"%s\" value \"%s\" atom \"%.4s\" %d %"PRId64"\n", @@ -4528,6 +4534,13 @@ static int mov_read_header(AVFormatContext *s) return err; } } + if (mov->handbrake_version && + mov->handbrake_version <= 1000000*0 + 1000*10 + 0 && // 0.10.0 + st->codec->codec_id == AV_CODEC_ID_MP3 + ) { + av_log(s, AV_LOG_VERBOSE, "Forcing full parsing for mp3 stream\n"); + st->need_parsing = AVSTREAM_PARSE_FULL; + } } if (mov->trex_data) { -- cgit v1.2.3 From d07f6582018d3388716340b08f1b1461c2f05bda Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2015 02:28:13 +0100 Subject: avformat/hlsenc: Check the return code of avformat_write_header() Fixes: segfault Fixes: Ticket5067 Signed-off-by: Michael Niedermayer (cherry picked from commit c62d1780fff8a1997dd1707bbc557efc8fe41e3c) Signed-off-by: Michael Niedermayer --- libavformat/hlsenc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 6827b796f4..ebc5e1117b 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -548,8 +548,11 @@ static int hls_start(AVFormatContext *s) if (oc->oformat->priv_class && oc->priv_data) av_opt_set(oc->priv_data, "mpegts_flags", "resend_headers", 0); - if (c->vtt_basename) - avformat_write_header(vtt_oc,NULL); + if (c->vtt_basename) { + err = avformat_write_header(vtt_oc,NULL); + if (err < 0) + return err; + } return 0; } -- cgit v1.2.3 From 1450a39ad495ad086b1110d15f999c0eeca92ef8 Mon Sep 17 00:00:00 2001 
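Review bot: `1000000*major + 1000*minor + micro` combines three `%d` values parsed from an untrusted metadata string, so a crafted `encoder` tag with a major of roughly 2148 or more overflows signed int (undefined behaviour), and sscanf itself is undefined for digit strings outside int range; bound the fields before combining them, e.g. `if (sscanf(str, "HandBrake %d.%d.%d", &major, &minor, &micro) == 3 && major >= 0 && major < 1000 && minor >= 0 && minor < 1000 && micro >= 0 && micro < 1000)`. The page renders the third sscanf argument as `µ`, which looks like an HTML-entity mangling of `&micro`; the compiled source must pass `&micro`. The second hunk's comparison against `1000000*0 + 1000*10 + 0` is only meaningful for in-range values, so the bound belongs at the parse site. The enclosing function starts before the hunk (the `retry:` label is the only visible anchor) and ends after it.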
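Review bot: The early `return err` added here leaves whatever hls_start opened before this point — presumably the main and the subtitle output contexts opened earlier in the function, outside the hunk — open, so a failing avformat_write_header() on the vtt muxer now leaks those handles where it previously continued; close them before returning (e.g. `avio_closep(&oc->pb); avio_closep(&vtt_oc->pb);` or route through a shared `fail:` label). The segfault fix itself is correct; the point is only the cleanup on the new error path. hls_start starts before the hunk.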
From: Nicolas George Date: Sat, 10 Oct 2015 15:19:43 +0200 Subject: lavf/tee: fix side data double free. Similar to 33fefdb44. Fix trac ticket #4921. Signed-off-by: Nicolas George Signed-off-by: Michael Niedermayer (cherry picked from commit 1acc90eaa54ad82a21474ed759b8ed3a0f3d482d) Conflicts: libavformat/tee.c Signed-off-by: Michael Niedermayer --- libavformat/tee.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/tee.c b/libavformat/tee.c index bc2e522f7c..a916841066 100644 --- a/libavformat/tee.c +++ b/libavformat/tee.c @@ -409,6 +409,8 @@ FF_ENABLE_DEPRECATION_WARNINGS } if (ret > 0) { + pkt->side_data = NULL; + pkt->side_data_elems = 0; av_free_packet(pkt); new_pkt.buf = av_buffer_create(new_pkt.data, new_pkt.size, av_buffer_default_free, NULL, 0); -- cgit v1.2.3 From 95a144ae62b1cc724f8e9cbcfbb6e9195599a37f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 13 Dec 2015 16:13:22 +0100 Subject: avformat/mxfenc: Do not crash if there is no packet in the first stream Fixes: Ticket4914 Signed-off-by: Michael Niedermayer (cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a) Signed-off-by: Michael Niedermayer --- libavformat/mxfenc.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index 9e23bed1c0..4013be024d 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c @@ -2467,6 +2467,10 @@ static int mxf_write_packet(AVFormatContext *s, AVPacket *pkt) } mxf->edit_units_count++; } else if (!mxf->edit_unit_byte_count && st->index == 1) { + if (!mxf->edit_units_count) { + av_log(s, AV_LOG_ERROR, "No packets in first stream\n"); + return AVERROR_PATCHWELCOME; + } mxf->index_entries[mxf->edit_units_count-1].slice_offset = mxf->body_offset - mxf->index_entries[mxf->edit_units_count-1].offset; } -- cgit v1.2.3 From 31aeb9653360f4c42d05bf88b94b20bdd17bdd4a Mon Sep 17 00:00:00 2001 
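Review bot: The two added assignments detach the side data from `pkt` without saying where its ownership went; a reader will assume an earlier step (outside the hunk) moved it into `new_pkt`, but nothing here states that invariant. A comment on the first added line such as `/* side data now belongs to new_pkt; detach it so av_free_packet() does not free it a second time */` records what the fix depends on. The enclosing function starts before the hunk and ends after it.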
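Review bot: The new guard protects the `mxf->edit_units_count-1` index on the two context lines below it, but neither the log text nor the AVERROR_PATCHWELCOME code says what was expected; a comment above the `if`, e.g. `/* a packet on stream 1 before any on stream 0: no index entry exists to attach the slice offset to */`, would make the condition self-explanatory. AVERROR_PATCHWELCOME is defensible if the intent is "non-interleaved input is not supported yet"; if it is meant as malformed input, AVERROR_INVALIDDATA fits better. mxf_write_packet starts before the hunk and ends after it.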
From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:06:04 +0100 Subject: swscale/x86/rgb2rgb_template: Do not crash on misaligend stride Fixes Ticket5013 Signed-off-by: Michael Niedermayer (cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c) --- libswscale/x86/rgb2rgb_template.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index e97ba4fe82..6524461d1b 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c @@ -1887,8 +1887,10 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16) + if (width >= 16 #if COMPILE_TEMPLATE_SSE2 + && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1908,6 +1910,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); #else + ) __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" -- cgit v1.2.3 From 20a48eaaf18b073eee9a3128642929e211c4e054 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 15 Dec 2015 02:50:20 +0100 Subject: swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* This also as a sideeffect fixes the non aligned case Signed-off-by: Michael Niedermayer (cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807) --- libswscale/x86/rgb2rgb_template.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/libswscale/x86/rgb2rgb_template.c b/libswscale/x86/rgb2rgb_template.c index 6524461d1b..a10f268009 100644 --- a/libswscale/x86/rgb2rgb_template.c +++ b/libswscale/x86/rgb2rgb_template.c 
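Review bot: Under COMPILE_TEMPLATE_SSE2 the added alignment test makes the whole `if (width >= 16 ...)` false for a misaligned row and the `#else` branch supplies no replacement, so the first `width & ~15` bytes of that row are never interleaved — the scalar tail loop (visible in the next commit's hunk) only covers the remainder; the crash is avoided but the output is silently corrupted. A fallback path for the unaligned case is required, which the following commit on this page restructures. Splitting an `if` condition across `#if`/`#else` with the closing `)` repeated in both branches is also hard to read; computing the condition into a local first would avoid it. RENAME(interleaveBytes) starts before the hunk and ends after it.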
@@ -1887,10 +1887,9 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui for (h=0; h < height; h++) { int w; - if (width >= 16 + if (width >= 16) { #if COMPILE_TEMPLATE_SSE2 - && !((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15) - ) + if (!((((intptr_t)src1) | ((intptr_t)src2) | ((intptr_t)dest))&15)) { __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1909,8 +1908,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", XMM_CLOBBERS("xmm0", "xmm1", "xmm2",) "%"REG_a ); -#else - ) + } else +#endif __asm__( "xor %%"REG_a", %%"REG_a" \n\t" "1: \n\t" @@ -1936,7 +1935,8 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui ::"r"(dest), "r"(src1), "r"(src2), "r" ((x86_reg)width-15) : "memory", "%"REG_a ); -#endif + + } for (w= (width&(~15)); w < width; w++) { dest[2*w+0] = src1[w]; dest[2*w+1] = src2[w]; @@ -1946,9 +1946,7 @@ static void RENAME(interleaveBytes)(const uint8_t *src1, const uint8_t *src2, ui src2 += src2Stride; } __asm__( -#if !COMPILE_TEMPLATE_SSE2 EMMS" \n\t" -#endif SFENCE" \n\t" ::: "memory" ); -- cgit v1.2.3 From 76af12f5429b72820afd3b448cb38e9709993b03 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 2 Dec 2015 22:47:12 +0100 Subject: ffmdec: reject zero-sized chunks If size is zero, avio_get_str fails, leaving the buffer uninitialized. This causes invalid reads in av_set_options_string. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index b743c872c0..7fa66ba631 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c 
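Review bot: After the last hunk EMMS is emitted unconditionally, which is required now that the MMX fallback is reachable in SSE2 builds, but nothing says so; a comment on the `EMMS` line such as `/* the MMX fallback above can run in either build; always leave MMX state */` would stop someone re-adding the `#if !COMPILE_TEMPLATE_SSE2`. The `} else` / `#endif` / `__asm__(` sequence in the second hunk means the MMX block is the else-branch only under SSE2 and the sole body otherwise, which also deserves a one-line note at the `#endif`. Because the alignment test sits inside the per-row loop, a stride that is not a multiple of 16 simply selects the fallback on the affected rows, which covers the ticket's misaligned-stride case. RENAME(interleaveBytes) starts before the first hunk and ends after the last.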
@@ -415,7 +415,7 @@ static int ffm2_read_header(AVFormatContext *s)
 }
 break;
 case MKBETAG('S', '2', 'V', 'I'):
- if (f_stvi++) {
+ if (f_stvi++ || !size) {
 ret = AVERROR(EINVAL);
 goto fail;
 }
@@ -430,7 +430,7 @@ static int ffm2_read_header(AVFormatContext *s)
 goto fail;
 break;
 case MKBETAG('S', '2', 'A', 'U'):
- if (f_stau++) {
+ if (f_stau++ || !size) {
 ret = AVERROR(EINVAL);
 goto fail;
 }
-- cgit v1.2.3
From 507e0314c0d9107f6e17753950f9aceb6ed3b8d5 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Fri, 4 Dec 2015 18:13:07 +0100
Subject: aaccoder: prevent crash of anmr coder
If minq is negative, the range of sf_idx can be larger than SCALE_MAX_DIFF allows, causing assertion failures later in encode_scale_factors.
Reviewed-by: Claudio Freire
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/aaccoder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c
index 86d598f021..e6b57aa980 100644
--- a/libavcodec/aaccoder.c
+++ b/libavcodec/aaccoder.c
@@ -499,7 +499,7 @@ static void search_for_quantizers_anmr(AVCodecContext *avctx, AACEncContext *s,
 }
 while (idx) {
 sce->sf_idx[bandaddr[idx]] = minq + q0;
- minq = paths[idx][minq].prev;
+ minq = FFMAX(paths[idx][minq].prev, 0);
 idx--;
 }
 //set the same quantizers inside window groups
-- cgit v1.2.3
From dcd837e41c83c6eac52d64b8d8f6a96aacf674cb Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Sun, 6 Dec 2015 21:35:08 +0100
Subject: aacenc: update max_sfb when num_swb changes
This fixes out-of-bounds reads in avoid_clipping.
Reviewed-by: Rostislav Pehlivanov
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 5b0da6999fdd0135b6f269d3691d74720f773c85)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/aacenc.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index 9cce1a2ff0..a7c73369c8 100644
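Review bot: Rejecting `!size` fixes the reported uninitialised read but leaves the root cause — the buffer that avio_get_str() fills is consumed even when avio_get_str() fails — untouched; zero-initialising that buffer at its declaration (earlier in ffm2_read_header, outside the hunk) or checking avio_get_str()'s return before av_set_options_string() would also cover other failure modes such as a truncated stream. The same applies to the second hunk (S2AU). ffm2_read_header starts before the hunks and ends after them.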
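Review bot: Clamping with `FFMAX(paths[idx][minq].prev, 0)` hides why `prev` can be negative; going by the commit message it presumably marks a path entry that was never reached, and the clamp then silently continues the back-walk from quantizer 0 instead of reporting a broken path. A comment such as `/* prev < 0 marks an unreached path entry; fall back to quantizer 0 rather than index with a negative value */` should accompany it, and whether an unreached entry should abort the search instead is worth a second look. search_for_quantizers_anmr starts before the hunk and ends after it.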
--- a/libavcodec/aacenc.c +++ b/libavcodec/aacenc.c @@ -547,6 +547,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket *avpkt, ics->num_windows = wi[ch].num_windows; ics->swb_sizes = s->psy.bands [ics->num_windows == 8]; ics->num_swb = tag == TYPE_LFE ? ics->num_swb : s->psy.num_bands[ics->num_windows == 8]; + ics->max_sfb = FFMIN(ics->max_sfb, ics->num_swb); ics->swb_offset = wi[ch].window_type[0] == EIGHT_SHORT_SEQUENCE ? ff_swb_offset_128 [s->samplerate_index]: ff_swb_offset_1024[s->samplerate_index]; -- cgit v1.2.3 From cb44683a8c5cb0effdf99cc1378e998e5c86d271 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 8 Nov 2015 19:31:00 +0100 Subject: aacsbr: ensure strictly monotone time borders This fixes a division by zero in the aac_fixed decoder. Signed-off-by: Andreas Cadhalpun (cherry picked from commit ff8816f7172b94028131ee2426ba35e875d973ae) Signed-off-by: Andreas Cadhalpun --- libavcodec/aacsbr_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index a49940a076..4f845ee6f8 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -718,8 +718,8 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, } for (i = 1; i <= ch_data->bs_num_env; i++) { - if (ch_data->t_env[i-1] > ch_data->t_env[i]) { - av_log(ac->avctx, AV_LOG_ERROR, "Non monotone time borders\n"); + if (ch_data->t_env[i-1] >= ch_data->t_env[i]) { + av_log(ac->avctx, AV_LOG_ERROR, "Not strictly monotone time borders\n"); return -1; } } -- cgit v1.2.3 From 7e94ea3dd1e5cbf56926c2b769738a0a51bd35bc Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 17 Nov 2015 22:58:27 +0100 Subject: sbrdsp_fixed: assert that input values are in the valid range Signed-off-by: Andreas Cadhalpun (cherry picked from commit a9c20e922cee435c9ad2dc78f6c50651f353329c) 
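Review bot: The new FFMIN silently shrinks max_sfb whenever num_swb changes with the window sequence, and the reason (avoid_clipping indexes up to max_sfb, per the commit message) is not visible at the call site; add `/* num_swb can shrink with the window sequence; keep max_sfb within it, avoid_clipping() reads up to max_sfb */` on the added line. aac_encode_frame starts before the hunk and ends after it.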
Signed-off-by: Andreas Cadhalpun --- libavcodec/sbrdsp_fixed.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 5b7b7a6f9b..f4e3de0c71 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -38,9 +38,14 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) int i, nz, round; for (i = 0; i < n; i += 2) { + // Larger values are inavlid and could cause overflows of accu. + av_assert2(FFABS(x[i + 0][0]) >> 29 == 0); accu += (int64_t)x[i + 0][0] * x[i + 0][0]; + av_assert2(FFABS(x[i + 0][1]) >> 29 == 0); accu += (int64_t)x[i + 0][1] * x[i + 0][1]; + av_assert2(FFABS(x[i + 1][0]) >> 29 == 0); accu += (int64_t)x[i + 1][0] * x[i + 1][0]; + av_assert2(FFABS(x[i + 1][1]) >> 29 == 0); accu += (int64_t)x[i + 1][1] * x[i + 1][1]; } -- cgit v1.2.3 From b9087aa651674ce94853d824aedb1691d75bd9fd Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 18 Nov 2015 13:43:01 +0100 Subject: sbr_qmf_analysis: sanitize input for 32-bit imdct If the input contains too many too large values, the imdct can overflow. Even if it didn't, the output would be larger than the valid range of 29 bits. Note that this is a very delicate limit: Allowing values up to 1<<25 does not prevent input larger than 1<<29 from arriving at sbr_sum_square, while limiting values to 1<<23 breaks the fate-aac-fixed-al_sbr_hq_cm_48_5.1 test. Signed-off-by: Andreas Cadhalpun (cherry picked from commit fdc94db37e89165964fdf34f1cd7632e44108bd0) Signed-off-by: Andreas Cadhalpun --- libavcodec/aacsbr_template.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 4f845ee6f8..b36c266ad1 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c 
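Review bot: av_assert2() is compiled out unless the build enables level-2 assertions, so the four added checks document and debug the 29-bit input contract but do not protect release builds from the overflow the comment warns about; the comment should say so, e.g. `// Callers must keep |x| < 1<<29 or accu overflows; checked in debug builds only.`, and its typo `inavlid` should read `invalid`. Actual enforcement belongs at the producer of x, which the next commit on this page (the clamp in sbr_qmf_analysis) supplies. sbr_sum_square_c starts before the hunk and ends after it.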
@@ -1154,6 +1154,9 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct, INTFLOAT z[320], INTFLOAT W[2][32][32][2], int buf_idx) { int i; +#if USE_FIXED + int j; +#endif memcpy(x , x+1024, (320-32)*sizeof(x[0])); memcpy(x+288, in, 1024*sizeof(x[0])); for (i = 0; i < 32; i++) { // numTimeSlots*RATE = 16*2 as 960 sample frames @@ -1161,6 +1164,21 @@ static void sbr_qmf_analysis(AVFloatDSPContext *dsp, FFTContext *mdct, dsp->vector_fmul_reverse(z, sbr_qmf_window_ds, x, 320); sbrdsp->sum64x5(z); sbrdsp->qmf_pre_shuffle(z); +#if USE_FIXED + for (j = 64; j < 128; j++) { + if (z[j] > 1<<24) { + av_log(NULL, AV_LOG_WARNING, + "sbr_qmf_analysis: value %09d too large, setting to %09d\n", + z[j], 1<<24); + z[j] = 1<<24; + } else if (z[j] < -(1<<24)) { + av_log(NULL, AV_LOG_WARNING, + "sbr_qmf_analysis: value %09d too small, setting to %09d\n", + z[j], -(1<<24)); + z[j] = -(1<<24); + } + } +#endif mdct->imdct_half(mdct, z, z+64); sbrdsp->qmf_post_shuffle(W[buf_idx][i], z); x += 32; -- cgit v1.2.3 From a79a5c32f92400fda48e2b6c5372a0d49ace4f7a Mon Sep 17 00:00:00 2001 
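Review bot: The clamp logs at AV_LOG_WARNING for every out-of-range sample via `av_log(NULL, ...)`, so a malformed or hostile stream can emit up to 64 warning lines per inner iteration with no context to attribute or rate-limit them; log once per call (a flag set in the loop, one av_log after it) or at AV_LOG_VERBOSE, and pass a real logging context if one is reachable from sbr_qmf_analysis (none is visible among its parameters). The clamping itself is the right fix for the fixed-point imdct overflow. sbr_qmf_analysis starts before the hunk and ends after it.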
From: Andreas Cadhalpun
Date: Sun, 13 Dec 2015 21:02:16 +0100
Subject: golomb: always check for invalid UE golomb codes in get_ue_golomb
Also correct the check to reject log < 7, because UPDATE_CACHE only guarantees 25 meaningful bits. This fixes undefined behavior: runtime error: shift exponent is negative Testing with START/STOP timers in get_ue_golomb, one for the first branch (A) and one for the second (B), shows that there is practically no slowdown, e.g. for the cavs decoder: With the check in the B branch: 629 decicycles in get_ue_golomb B, 4194260 runs, 44 skips 433 decicycles in get_ue_golomb A,268434102 runs, 1354 skips Without the check: 624 decicycles in get_ue_golomb B, 4194273 runs, 31 skips 433 decicycles in get_ue_golomb A,268434203 runs, 1253 skips Since the B branch is executed far less often than the A branch, this change is negligible, even more so for the h264 decoder, where the ratio B/A is a lot smaller.
Fixes: mozilla bug 1230239
Fixes: fbeb8b2c7c996e9b91c6b1af319d7ebc/asan_heap-oob_195450f_2743_e8856ece4579ea486670be2b236099a0.bit
Found-by: Tyson Smith
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Michael Niedermayer
Signed-off-by: Andreas Cadhalpun
(cherry picked from commit 22e960ad478e568f4094971a58c6ad8f549c0180)
Signed-off-by: Andreas Cadhalpun
---
 libavcodec/golomb.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
index d30bb6bc86..5136a04845 100644
--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -68,7 +68,7 @@ static inline int get_ue_golomb(GetBitContext *gb)
 int log = 2 * av_log2(buf) - 31;
 LAST_SKIP_BITS(re, gb, 32 - log);
 CLOSE_READER(re, gb);
- if (CONFIG_FTRAPV && log < 0) {
+ if (log < 7) {
 av_log(NULL, AV_LOG_ERROR, "Invalid UE golomb code\n");
 return AVERROR_INVALIDDATA;
 }
-- cgit v1.2.3
From 0b24a0e0f12f0a57a54bfbbf9637855ef8b2f698 Mon Sep 17 00:00:00 2001
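Review bot: The magic `7` in `if (log < 7)` needs the explanation the commit message gives: UPDATE_CACHE guarantees only 25 meaningful bits, so `32 - log` must stay within them; add `/* UPDATE_CACHE guarantees only 25 valid bits, so 32 - log must be <= 25 (log >= 7) */` on the changed line. Note that the check runs after `LAST_SKIP_BITS(re, gb, 32 - log)` on the preceding context line has already consumed the bad count; if that macro is not benign for counts above 25 or negative ones, the test should move before it. get_ue_golomb starts before the hunk and ends after it.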
From: Andreas Cadhalpun Date: Mon, 14 Dec 2015 22:11:55 +0100 Subject: ffm: reject invalid codec_id and codec_type A negative codec_id cannot be handled by the found_decoder API of AVStream->info: if the codec_id is not recognized, found_decoder is set to -codec_id, which has to be '<0' according to the API documentation. This can cause NULL pointer dereferencing in try_decode_frame. Also make sure the codec_type matches the expected one for codec_id. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662) Signed-off-by: Andreas Cadhalpun --- libavformat/ffmdec.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/libavformat/ffmdec.c b/libavformat/ffmdec.c index 7fa66ba631..db9fb6b7b9 100644 --- a/libavformat/ffmdec.c +++ b/libavformat/ffmdec.c @@ -268,6 +268,7 @@ static int ffm2_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int ret; int f_main = 0, f_cprv = -1, f_stvi = -1, f_stau = -1; AVCodec *enc; @@ -322,7 +323,20 @@ static int ffm2_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); 
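Review bot: The descriptor lookup and type-mismatch rejection added here are duplicated almost line for line in ffm_read_header (the hunks on the following line); a small static helper holding both checks and the id/type resets would keep the two parsers from drifting apart the next time a field needs validating. Both error paths reset codec_id (and codec_type) before `goto fail` without saying why — presumably so later probing (try_decode_frame, per the commit message) never sees the bogus id; a one-line comment to that effect on the first reset would help. ffm2_read_header starts before the hunk and ends after it.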
@@ -471,6 +485,7 @@ static int ffm_read_header(AVFormatContext *s) AVStream *st; AVIOContext *pb = s->pb; AVCodecContext *codec; + const AVCodecDescriptor *codec_desc; int i, nb_streams; uint32_t tag; @@ -508,7 +523,20 @@ static int ffm_read_header(AVFormatContext *s) codec = st->codec; /* generic info */ codec->codec_id = avio_rb32(pb); + codec_desc = avcodec_descriptor_get(codec->codec_id); + if (!codec_desc) { + av_log(s, AV_LOG_ERROR, "Invalid codec id: %d\n", codec->codec_id); + codec->codec_id = AV_CODEC_ID_NONE; + goto fail; + } codec->codec_type = avio_r8(pb); /* codec_type */ + if (codec->codec_type != codec_desc->type) { + av_log(s, AV_LOG_ERROR, "Codec type mismatch: expected %d, found %d\n", + codec_desc->type, codec->codec_type); + codec->codec_id = AV_CODEC_ID_NONE; + codec->codec_type = AVMEDIA_TYPE_UNKNOWN; + goto fail; + } codec->bit_rate = avio_rb32(pb); codec->flags = avio_rb32(pb); codec->flags2 = avio_rb32(pb); -- cgit v1.2.3 From 796f1a24f59b55cebea779e8360a50f56f3f20fe Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 22:00:31 +0100 Subject: opus_silk: fix typo causing overflow in silk_stabilize_lsf Due to this typo max_center can be too large, causing nlsf to be set to too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to overflow to a negative value, which is not allowed for nlsf and can cause an out of bounds read in silk_lsf2lpc. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced) Signed-off-by: Andreas Cadhalpun --- libavcodec/opus_silk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 841d1ed25c..73526f9800 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c 
@@ -824,7 +824,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ /* upper extent */ for (i = order; i > k; i--) - max_center -= min_delta[k]; + max_center -= min_delta[i]; max_center -= min_delta[k] >> 1; /* move apart */ -- cgit v1.2.3 From 748d5fa2edfe93e6e584853883402f64a831c23f Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Tue, 15 Dec 2015 23:43:03 +0100 Subject: sonic: make sure num_taps * channels is not larger than frame_size If that is the case, the loop setting predictor_state in sonic_decode_frame causes out of bounds reads of int_samples, which has only frame_size number of elements. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80) Signed-off-by: Andreas Cadhalpun --- libavcodec/sonic.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 4ec7d89fde..2e3ca79fdd 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -928,6 +928,13 @@ static av_cold int sonic_decode_init(AVCodecContext *avctx) s->frame_size = s->channels*s->block_align*s->downsampling; // avctx->frame_size = s->block_align; + if (s->num_taps * s->channels > s->frame_size) { + av_log(avctx, AV_LOG_ERROR, + "number of taps times channels (%d * %d) larger than frame size %d\n", + s->num_taps, s->channels, s->frame_size); + return AVERROR_INVALIDDATA; + } + av_log(avctx, AV_LOG_INFO, "Sonic: ver: %d.%d ls: %d dr: %d taps: %d block: %d frame: %d downsamp: %d\n", s->version, s->minor_version, s->lossless, s->decorrelation, s->num_taps, s->block_align, s->frame_size, s->downsampling); -- cgit v1.2.3 From e4a6a8553ed800601298b0cca76ce1d674ec9fa5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 14 Dec 2015 18:56:13 +0100 Subject: avfilter/vf_mpdecimate: Add missing emms_c() Signed-off-by: Michael Niedermayer (cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f) 
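Review bot: `s->num_taps * s->channels` is evaluated in int; unless both factors are already range-checked earlier in sonic_decode_init (outside the hunk), a header with large values can overflow the product and slip past the comparison, so compute it as `(int64_t)s->num_taps * s->channels > s->frame_size`. The check itself is the right place to reject the taps/channels/frame_size mismatch. sonic_decode_init starts before the hunk and ends after it.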
Signed-off-by: Michael Niedermayer --- libavfilter/vf_mpdecimate.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_mpdecimate.c b/libavfilter/vf_mpdecimate.c index 25efacfeeb..20b15a20f0 100644 --- a/libavfilter/vf_mpdecimate.c +++ b/libavfilter/vf_mpdecimate.c @@ -131,10 +131,13 @@ static int decimate_frame(AVFilterContext *ctx, cur->data[plane], cur->linesize[plane], ref->data[plane], ref->linesize[plane], FF_CEIL_RSHIFT(ref->width, hsub), - FF_CEIL_RSHIFT(ref->height, vsub))) + FF_CEIL_RSHIFT(ref->height, vsub))) { + emms_c(); return 0; + } } + emms_c(); return 1; } -- cgit v1.2.3 From 1dddd5371a6a60525e9c9c4f5e2534456f84b9d6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Dec 2015 21:14:45 +0100 Subject: Revert "avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H" The change was not correct and broke H264 This reverts commit cd83f899c94f691b045697d12efa21f83eb2329f. (cherry picked from commit 95b59bfb9d9e47de8438183a035e02667946f27c) Signed-off-by: Michael Niedermayer --- libavcodec/aarch64/neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/aarch64/neon.S b/libavcodec/aarch64/neon.S index a227cbd3f6..619aec6426 100644 --- a/libavcodec/aarch64/neon.S +++ b/libavcodec/aarch64/neon.S @@ -107,8 +107,8 @@ .macro transpose_4x4H r0, r1, r2, r3, r4, r5, r6, r7 trn1 \r4\().4H, \r0\().4H, \r1\().4H trn2 \r5\().4H, \r0\().4H, \r1\().4H - trn1 \r7\().4H, \r2\().4H, \r3\().4H - trn2 \r6\().4H, \r2\().4H, \r3\().4H + trn1 \r7\().4H, \r3\().4H, \r2\().4H + trn2 \r6\().4H, \r3\().4H, \r2\().4H trn1 \r0\().2S, \r4\().2S, \r7\().2S trn2 \r3\().2S, \r4\().2S, \r7\().2S trn1 \r1\().2S, \r5\().2S, \r6\().2S -- cgit v1.2.3 From cfbf608c0af6e45254e7d66903a31daf5452c2de Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 17 Dec 2015 22:51:00 +0100 Subject: avcodec/h264_slice: Simplify ref2frm indexing This also suppresses a ubsan warning Fixes Mozilla bug 1230247 
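Review bot: The two emms_c() calls are added without saying which callee leaves MMX state dirty; presumably the diff function invoked on the context lines above (its name is outside the hunk) has MMX implementations, and a note like `/* the diff function may use MMX; restore FPU state before returning */` at the first call would keep the pairing obvious. With both exits of the loop now covered, a future return path that skips emms_c() would at least stand out. decimate_frame starts before the hunk.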
Signed-off-by: Michael Niedermayer (cherry picked from commit ef8f6464a55db730cab8c48a1a51fa4e6ca12107) Signed-off-by: Michael Niedermayer --- libavcodec/h264_slice.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 843cfd0979..8be803b7fd 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1993,12 +1993,12 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(top_type, list)) { const int b_xy = h->mb2b_xy[top_xy] + 3 * b_stride; const int b8_xy = 4 * top_xy + 2; - int (*ref2frm)[64] = (void*)(sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[top_xy] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY128(mv_dst - 1 * 8, h->cur_pic.motion_val[list][b_xy + 0]); ref_cache[0 - 1 * 8] = - ref_cache[1 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 0]]; + ref_cache[1 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 0]]; ref_cache[2 - 1 * 8] = - ref_cache[3 - 1 * 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 1]]; + ref_cache[3 - 1 * 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 1]]; } else { AV_ZERO128(mv_dst - 1 * 8); AV_WN32A(&ref_cache[0 - 1 * 8], ((LIST_NOT_USED) & 0xFF) * 0x01010101u); 
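Review bot: The rewritten `int *ref2frm = sl->ref2frm[...][list] + (MB_MBAFF(sl) ? 20 : 2);` keeps the bare offsets 20 and 2 unexplained, and the same expression recurs in the hunks on the next two lines; a comment on the first occurrence explaining what the +2 / +20 (MBAFF) offset into each ref2frm list compensates for — the hunk does not show the table layout, so the wording needs the author — would document what the pointer arithmetic relies on, or the two values could become named constants. Dropping the `(void*)` cast and the `[list]` second index is a clear improvement. fill_filter_caches_inter starts before the first hunk and ends after the last.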
@@ -2008,15 +2008,15 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, if (USES_LIST(left_type[LTOP], list)) { const int b_xy = h->mb2b_xy[left_xy[LTOP]] + 3; const int b8_xy = 4 * left_xy[LTOP] + 1; - int (*ref2frm)[64] =(void*)( sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); + int *ref2frm = sl->ref2frm[h->slice_table[left_xy[LTOP]] & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); AV_COPY32(mv_dst - 1 + 0, h->cur_pic.motion_val[list][b_xy + b_stride * 0]); AV_COPY32(mv_dst - 1 + 8, h->cur_pic.motion_val[list][b_xy + b_stride * 1]); AV_COPY32(mv_dst - 1 + 16, h->cur_pic.motion_val[list][b_xy + b_stride * 2]); AV_COPY32(mv_dst - 1 + 24, h->cur_pic.motion_val[list][b_xy + b_stride * 3]); ref_cache[-1 + 0] = - ref_cache[-1 + 8] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; + ref_cache[-1 + 8] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 0]]; ref_cache[-1 + 16] = - ref_cache[-1 + 24] = ref2frm[list][h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; + ref_cache[-1 + 24] = ref2frm[h->cur_pic.ref_index[list][b8_xy + 2 * 1]]; } else { AV_ZERO32(mv_dst - 1 + 0); AV_ZERO32(mv_dst - 1 + 8); 
@@ -2041,9 +2041,9 @@ static av_always_inline void fill_filter_caches_inter(const H264Context *h, { int8_t *ref = &h->cur_pic.ref_index[list][4 * mb_xy]; - int (*ref2frm)[64] = (void*)(sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][0] + (MB_MBAFF(sl) ? 20 : 2)); - uint32_t ref01 = (pack16to32(ref2frm[list][ref[0]], ref2frm[list][ref[1]]) & 0x00FF00FF) * 0x0101; - uint32_t ref23 = (pack16to32(ref2frm[list][ref[2]], ref2frm[list][ref[3]]) & 0x00FF00FF) * 0x0101; + int *ref2frm = sl->ref2frm[sl->slice_num & (MAX_SLICES - 1)][list] + (MB_MBAFF(sl) ? 20 : 2); + uint32_t ref01 = (pack16to32(ref2frm[ref[0]], ref2frm[ref[1]]) & 0x00FF00FF) * 0x0101; + uint32_t ref23 = (pack16to32(ref2frm[ref[2]], ref2frm[ref[3]]) & 0x00FF00FF) * 0x0101; AV_WN32A(&ref_cache[0 * 8], ref01); AV_WN32A(&ref_cache[1 * 8], ref01); AV_WN32A(&ref_cache[2 * 8], ref23); -- cgit v1.2.3 From cabd9ae5be8797bbafb8db15be5edd266d9efd7a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Dec 2015 00:20:51 +0100 Subject: avcodec/h264_mc_template: prefetch list1 only if it is used in the MB Fixes ubsan warning Fixes Mozilla bug 1230276 Signed-off-by: Michael Niedermayer (cherry picked from commit c8ea57664fe3ad611c9ecd234670544ddff7ca55) Signed-off-by: Michael Niedermayer --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index eaead35bb2..e4333a733c 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -158,6 +158,7 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, } } - prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); + if (USES_LIST(mb_type, 1)) + prefetch_motion(h, sl, 1, PIXEL_SHIFT, CHROMA_IDC); } -- cgit v1.2.3 From 3a3be0220834b1bb1de2e68da47cc944cbf5f746 Mon Sep 17 00:00:00 2001 
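Review bot: The new guard makes the list-1 prefetch conditional on `USES_LIST(mb_type, 1)`, but the corresponding list-0 prefetch is not in the hunk, so whether it carries the same guard cannot be seen here. If a `prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC)` earlier in hl_motion is unconditional, it has the same exposure this commit fixes for list 1 — a reference index read for a list the macroblock does not use — and should get `if (USES_LIST(mb_type, 0))` as well. The body of hl_motion is otherwise outside the hunk.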
From: Michael Niedermayer Date: Sat, 19 Dec 2015 21:59:42 +0100 Subject: avcodec/h264_refs: Fix long_idx check Fixes out of array read Fixes mozilla bug 1233606 Found-by: Tyson Smith Signed-off-by: Michael Niedermayer (cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b) Signed-off-by: Michael Niedermayer --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index a81ee76cfd..a3de6b2f35 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c @@ -303,7 +303,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h, H264SliceContext *sl) long_idx = pic_num_extract(h, pic_id, &pic_structure); - if (long_idx > 31) { + if (long_idx > 31U) { av_log(h->avctx, AV_LOG_ERROR, "long_term_pic_idx overflow\n"); return AVERROR_INVALIDDATA; -- cgit v1.2.3 From bdc6ba460429d78a805c39fecaf7d101df36d11f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Dec 2015 23:21:33 +0100 Subject: avcodec/mpeg4videodec: also for empty partitioned slices Fixes assertion failure Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v Found-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer (cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 7d664cc844..2c34d21a14 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -883,7 +883,7 @@ int ff_mpeg4_decode_partitions(Mpeg4DecContext *ctx) const int part_a_end = s->pict_type == AV_PICTURE_TYPE_I ? (ER_DC_END | ER_MV_END) : ER_MV_END; mb_num = mpeg4_decode_partition_a(ctx); - if (mb_num < 0) { + if (mb_num <= 0) { ff_er_add_slice(&s->er, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, part_a_error); return -1; -- cgit v1.2.3 
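Review bot: The fix works only through the usual arithmetic conversions: with the `31U` literal, `long_idx` is converted to unsigned for the comparison, so a negative value becomes large and is rejected, which is what stops the out-of-array read named in the commit message. That intent is invisible in the code, and a later cleanup that drops the `U` suffix would silently reintroduce the bug; spelling it out as `if (long_idx < 0 || long_idx > 31)`, or keeping the unsigned compare with `/* unsigned compare: also rejects negative long_idx */`, preserves it. The declaration of long_idx and pic_num_extract() are outside the hunk, so its signedness is inferred from the fact that the suffix changes behaviour at all.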
From 63ecbb82fc1d6db23cda10b313c0435866d16384 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:47:54 +0100 Subject: mlvdec: check that index_entries exist This fixes NULL pointer dereferencing. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer --- libavformat/mlvdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 48a429eb23..4b3bdc1eca 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -365,6 +365,11 @@ static int read_header(AVFormatContext *avctx) if (ast) ast->duration = ast->nb_index_entries; + if ((vst && !vst->nb_index_entries) || (ast && !ast->nb_index_entries)) { + av_log(avctx, AV_LOG_ERROR, "no index entries found\n"); + return AVERROR_INVALIDDATA; + } + if (vst && ast) avio_seek(pb, FFMIN(vst->index_entries[0].pos, ast->index_entries[0].pos), SEEK_SET); else if (vst) -- cgit v1.2.3 From 9be3441c311c8b09fe3af38169a3ad4c5cb5cac8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 23:49:14 +0100 Subject: rawdec: only exempt BIT0 with need_copy from buffer sanity check Otherwise the too samll buffer is directly used in the frame, causing segmentation faults, when trying to use the frame. Signed-off-by: Andreas Cadhalpun Signed-off-by: Michael Niedermayer --- libavcodec/rawdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c index d8d77fceed..af764ab41e 100644 --- a/libavcodec/rawdec.c +++ b/libavcodec/rawdec.c 
@@ -258,7 +258,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame, buf += buf_size - context->frame_size; len = context->frame_size - (avctx->pix_fmt==AV_PIX_FMT_PAL8 ? AVPALETTE_SIZE : 0); - if (buf_size < len && (avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0)) { + if (buf_size < len && ((avctx->codec_tag & 0xFFFFFF) != MKTAG('B','I','T', 0) || !need_copy)) { av_log(avctx, AV_LOG_ERROR, "Invalid buffer size, packet size %d < expected frame_size %d\n", buf_size, len); av_buffer_unref(&frame->buf[0]); return AVERROR(EINVAL); -- cgit v1.2.3 From 644179e0d4155ae8f5ddd5c3f6bd003e2e13cf94 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Dec 2015 02:58:41 +0100 Subject: Update Changelog Signed-off-by: Michael Niedermayer --- Changelog | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 7646dac39b..b7f32b1d20 100644 --- a/Changelog +++ b/Changelog 
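Review bot: The widened condition now lets a packet shorter than `len` through only when the codec tag is BIT0 and `need_copy` is set, which relies on the copy path further down reading no more than `buf_size` bytes rather than `context->frame_size`. That dependency is not stated near the check, so a comment on the new line is warranted, e.g. `/* undersized BIT0 input is tolerated only because the need_copy path is bounded by buf_size — keep in sync with the copy code below */`; the copy code itself is outside the hunk, so confirm the bound there. The composite condition would also read more easily with `int is_bit0 = (avctx->codec_tag & 0xFFFFFF) == MKTAG('B','I','T', 0);` hoisted above the `if`. raw_decode continues on both sides of the hunk.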
@@ -2,7 +2,30 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. version 2.8.4 -- avcodec/aarch64/neon.S: Update neon.s for transpose_4x4H +- rawdec: only exempt BIT0 with need_copy from buffer sanity check +- mlvdec: check that index_entries exist +- avcodec/mpeg4videodec: also for empty partitioned slices +- avcodec/h264_refs: Fix long_idx check +- avcodec/h264_mc_template: prefetch list1 only if it is used in the MB +- avcodec/h264_slice: Simplify ref2frm indexing +- avfilter/vf_mpdecimate: Add missing emms_c() +- sonic: make sure num_taps * channels is not larger than frame_size +- opus_silk: fix typo causing overflow in silk_stabilize_lsf +- ffm: reject invalid codec_id and codec_type +- golomb: always check for invalid UE golomb codes in get_ue_golomb +- sbr_qmf_analysis: sanitize input for 32-bit imdct +- sbrdsp_fixed: assert that input values are in the valid range +- aacsbr: ensure strictly monotone time borders +- aacenc: update max_sfb when num_swb changes +- aaccoder: prevent crash of anmr coder +- ffmdec: reject zero-sized chunks +- swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE* +- swscale/x86/rgb2rgb_template: Do not crash on misaligend stride +- avformat/mxfenc: Do not crash if there is no packet in the first stream +- lavf/tee: fix side data double free. +- avformat/hlsenc: Check the return code of avformat_write_header() +- avformat/mov: Enable parser for mp3s by old HandBrake +- avformat/mxfenc: Fix integer overflow in length computation - avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec - avformat/matroskaenc: Check codecdelay before use - avutil/mathematics: Fix division by 0 -- cgit v1.2.3 From 6d7b4dbcb4103a0c54d486d3a51aa3122a4914b6 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 16:48:19 +0100 Subject: on2avc: limit number of bits to 30 in get_egolomb More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8) Signed-off-by: Andreas Cadhalpun --- libavcodec/on2avc.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c index 15f4dd1c66..04c8e410a8 100644 --- a/libavcodec/on2avc.c +++ b/libavcodec/on2avc.c @@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb) { int v = 4; - while (get_bits1(gb)) v++; + while (get_bits1(gb)) { + v++; + if (v > 30) { + av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n"); + v = 30; + break; + } + } - return (1 << v) + get_bits(gb, v); + return (1 << v) + get_bits_long(gb, v); } static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst, -- cgit v1.2.3 From 945ae04fab4513ee724751d908e87a3447c3e609 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Sun, 13 Dec 2015 23:17:09 +0100 Subject: exr: fix out of bounds read in get_code This macro unconditionally used out[-1], which causes an out of bounds read, if out is the very beginning of the buffer. Signed-off-by: Andreas Cadhalpun (cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb) Signed-off-by: Andreas Cadhalpun --- libavcodec/exr.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b9de7c1c0a..8feb9bddef 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
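Review bot: The new warning is emitted with `av_log(NULL, ...)`, so it cannot be attributed to the decoder instance or filtered by its log level; get_egolomb receives only a `GetBitContext`, which carries no logging context, so attributing it means passing the `AVCodecContext` down from the callers or returning an error the caller logs. The clamp also leaves the reader positioned inside the over-long run of 1-bits — after `break`, the bits not yet consumed become part of the `get_bits_long(gb, v)` value — so the rest of the frame is presumably decoded as garbage; that is acceptable for warning-only sanitisation but deserves a comment such as `/* clamp rather than fail: the result is bounded but the stream is desynchronised from here on */`. The value itself is safe: `1 << 30` plus a 30-bit field is at most INT_MAX.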
@@ -459,7 +459,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, lc += 8; \ } -#define get_code(po, rlc, c, lc, gb, out, oe) \ +#define get_code(po, rlc, c, lc, gb, out, oe, outb) \ { \ if (po == rlc) { \ if (lc < 8) \ @@ -468,7 +468,7 @@ static int huf_build_dec_table(const uint64_t *hcode, int im, \ cs = c >> lc; \ \ - if (out + cs > oe) \ + if (out + cs > oe || out == outb) \ return AVERROR_INVALIDDATA; \ \ s = out[-1]; \ @@ -501,7 +501,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { int j; @@ -518,7 +518,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if ((hcode[pl.p[j]] >> 6) == ((c >> (lc - l)) & ((1LL << l) - 1))) { lc -= l; - get_code(pl.p[j], rlc, c, lc, gb, out, oe); + get_code(pl.p[j], rlc, c, lc, gb, out, oe, outb); break; } } @@ -539,7 +539,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, if (pl.len) { lc -= pl.len; - get_code(pl.lit, rlc, c, lc, gb, out, oe); + get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { return AVERROR_INVALIDDATA; } -- cgit v1.2.3 From 38f8c80901033042488579c8975efb39ab153793 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 15:18:47 +0100 Subject: nutdec: only copy the header if it exists Fixes ubsan runtime error: null pointer passed as argument 2, which is declared to never be null Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 63b0cd2fb9..201c34e0e9 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c 
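Review bot: In the `@@ -468` hunk the bound `if (out + cs > oe || out == outb)` still forms `out + cs` before comparing, and when `cs` is large that pointer lies beyond the buffer, which is undefined behaviour in C even if it is only compared; testing the distance instead, `if (out == outb || cs > oe - out)`, keeps the arithmetic inside the array (cs is declared outside the hunk — if it can be negative the check needs a sign test too). Putting `out == outb` first also makes the `s = out[-1]` read two lines later obviously guarded. The get_code macro body continues outside the hunk, and the `@@ -501`, `@@ -518` and `@@ -539` hunks only thread the new `outb` argument through the call sites.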
@@ -1126,7 +1126,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code) ret = av_new_packet(pkt, size + nut->header_len[header_idx]); if (ret < 0) return ret; - memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); + if (nut->header[header_idx]) + memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME if (stc->last_flags & FLAG_SM_DATA) { int sm_size; -- cgit v1.2.3 From 778c8de40f2c8d8bdbdf9a52306c59b6a425d401 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 18 Dec 2015 19:28:51 +0100 Subject: xwddec: prevent overflow of lsize * avctx->height This is used to check if the input buffer is large enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae) Signed-off-by: Andreas Cadhalpun --- libavcodec/xwddec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 2febedc4aa..64cd8418a2 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, return AVERROR_INVALIDDATA; } - if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) { + if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) { av_log(avctx, AV_LOG_ERROR, "input buffer too small\n"); return AVERROR_INVALIDDATA; } -- cgit v1.2.3 From 174ec7d744d3e45bdb74c4c568f7bc5f689d4304 Mon Sep 17 00:00:00 2001 
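Review bot: The guard skips the memcpy when `nut->header[header_idx]` is NULL but the packet is still allocated with `size + nut->header_len[header_idx]` bytes, so if header_len can be non-zero while header is NULL, the first header_len bytes of `pkt->data` are left uninitialised and handed downstream. If the invariant is that header_len is 0 whenever header is NULL — which is what makes the ubsan report a purely pedantic one — stating it keeps the guard honest: `av_assert0(nut->header[header_idx] || !nut->header_len[header_idx]);` before the `if`. decode_frame continues on both sides of the hunk.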
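Review bot: The `(uint64_t)` cast widens `avctx->height * lsize`, but the other term, `ncolors * XWD_CMAP_SIZE`, is still evaluated in int, so unless ncolors is bounded earlier in xwd_decode_frame (outside the hunk) that product can overflow in the same way the commit message describes for height * lsize and again turn the size check into a false negative. Casting it as well, `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`, closes both paths at no cost. The left side, `bytestream2_get_bytes_left(&gb)`, is promoted to uint64_t for the comparison, which is fine as long as it is never negative.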
From: Andreas Cadhalpun Date: Sat, 19 Dec 2015 12:02:56 +0100 Subject: nutdec: reject negative value_len in read_sm_data If it is negative, it can cause the byte position to move backwards in avio_skip, which in turn makes sm_size negative and thus size larger than the size of the packet buffer, causing invalid writes in avio_read. Also fix potential overflow of avio_tell(bc) + value_len. Reviewed-by: Michael Niedermayer Signed-off-by: Andreas Cadhalpun (cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c) Signed-off-by: Andreas Cadhalpun --- libavformat/nutdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 201c34e0e9..bfa2bade27 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -927,7 +927,7 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int return ret; } value_len = ffio_read_varlen(bc); - if (avio_tell(bc) + value_len >= maxpos) + if (value_len < 0 || value_len >= maxpos - avio_tell(bc)) return AVERROR_INVALIDDATA; if (!strcmp(name, "Palette")) { dst = av_packet_new_side_data(pkt, AV_PKT_DATA_PALETTE, value_len); -- cgit v1.2.3 From 79f407b79a825c3123aff65cef64b383eca5a95e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 16 Dec 2015 20:52:39 +0100 Subject: nuv: sanitize negative fps rate Signed-off-by: Andreas Cadhalpun (cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce) Signed-off-by: Andreas Cadhalpun --- libavformat/nuv.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavformat/nuv.c b/libavformat/nuv.c index 001d9c8860..cb51511943 100644 --- a/libavformat/nuv.c +++ b/libavformat/nuv.c 
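Review bot: The reordered check `value_len >= maxpos - avio_tell(bc)` is right — the subtraction cannot overflow where `avio_tell(bc) + value_len` could — but nothing in the code says why it is written that way, and a tidy-up back to the additive form would quietly reintroduce the issue. A one-line comment, `/* subtract rather than add: avio_tell(bc) + value_len could overflow */`, keeps the reasoning with the code. `value_len` and `maxpos` are declared outside the hunk; the `< 0` test implies value_len is signed, which is worth checking against ffio_read_varlen's return type so that the assignment does not silently convert a large unsigned result.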
@@ -172,6 +172,15 @@ static int nuv_header(AVFormatContext *s) if (aspect > 0.9999 && aspect < 1.0001) aspect = 4.0 / 3.0; fps = av_int2double(avio_rl64(pb)); + if (fps < 0.0f) { + if (s->error_recognition & AV_EF_EXPLODE) { + av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps); + return AVERROR_INVALIDDATA; + } else { + av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps); + fps = 0.0f; + } + } // number of packets per stream type, -1 means unknown, e.g. streaming v_packs = avio_rl32(pb); -- cgit v1.2.3
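Review bot: `fps < 0.0f` rejects negative values but not NaN, and `av_int2double(avio_rl64(pb))` can produce NaN (or infinity) from arbitrary file bytes; every comparison with NaN is false, so a NaN fps passes the new check untouched. Writing the test as `if (!(fps >= 0.0))`, or `isnan(fps) || fps < 0.0`, catches both cases, and the literal should be `0.0` since fps is a double. How fps is consumed after the hunk is not visible, so whether a NaN or infinite value is harmful downstream is inferred rather than shown.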