From 20ca827019a72bfacb38e73d0b8590e651818272 Mon Sep 17 00:00:00 2001
From: Piotr Kaczuba
Date: Mon, 30 May 2011 13:19:35 +0200
Subject: [PATCH 01/64] postprocess.c: filter name needs to be double 0
terminated
Signed-off-by: Reinhard Tartler
(cherry picked from commit f4f3300c09bb13eb7922e60888b55e3e0fb325e7)
---
libpostproc/postprocess.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c
index dd50daf21e..eacf262ccd 100644
--- a/libpostproc/postprocess.c
+++ b/libpostproc/postprocess.c
@@ -763,7 +763,8 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
ppMode->maxClippedThreshold= 0.01;
ppMode->error=0;
- av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE);
+ memset(temp, 0, GET_MODE_BUFFER_SIZE);
+ av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1);
av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name);
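Review bot: A name longer than the buffer is still truncated silently by the new `av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1)` call, so the rest of pp_get_mode_by_name_and_quality parses a cut-off filter string as if it were complete. av_strlcpy returns the length of the source string, so the result can be checked, for example `if (av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1) >= GET_MODE_BUFFER_SIZE - 1) ppMode->error++;`. A comment such as `/* keep two trailing NUL bytes: the filter name must be double-0 terminated */` above the memset would also explain the `- 1` here and in the size check of the next hunk. The function body continues outside the hunk.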
@@ -819,7 +820,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
plen= strlen(p);
spaceLeft= p - temp + plen;
- if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE){
+ if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE - 1){
ppMode->error++;
break;
}
From acf2d3293c305c96ac0afda28bd55233af4ce61c Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Sun, 26 Jun 2011 15:52:00 -0700
Subject: [PATCH 02/64] swscale: don't use planar output functions to write to
NV12/21.
This prevents a crash when converting to NV12/21 without the bitexact
flags enabled.
(cherry picked from commit 0d994b2f45c08794899057ee7ca54f48218c0a53)
Signed-off-by: Anton Khirnov
---
libswscale/x86/swscale_template.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c
index 8fad257ddf..dc92cddff5 100644
--- a/libswscale/x86/swscale_template.c
+++ b/libswscale/x86/swscale_template.c
@@ -2203,7 +2203,8 @@ static av_cold void RENAME(sws_init_swScale)(SwsContext *c)
enum PixelFormat srcFormat = c->srcFormat,
dstFormat = c->dstFormat;
- if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat)) {
+ if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat) &&
+ dstFormat != PIX_FMT_NV12 && dstFormat != PIX_FMT_NV21) {
if (!(c->flags & SWS_BITEXACT)) {
if (c->flags & SWS_ACCURATE_RND) {
c->yuv2yuv1 = RENAME(yuv2yuv1_ar );
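Review bot: The reason NV12/NV21 are excluded is not recorded next to the new condition in sws_init_swScale, so the two extra comparisons look arbitrary to a later reader. A comment such as `/* NV12/NV21 interleave chroma; the planar output functions below must not be selected for them */` above the `if` would keep a cleanup from removing them and bringing the crash back. The function body continues outside the hunk.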
From fa38ed8ac07402d9ab268eee0eb475e7e473a0c3 Mon Sep 17 00:00:00 2001
From: Jason Garrett-Glaser
Date: Mon, 4 Jul 2011 06:05:34 -0700
Subject: [PATCH 03/64] H.264: fix overreads of qscale_table
filter_mb_fast assumed that qscale_table was padded like many of the other tables.
(cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0)
Signed-off-by: Anton Khirnov
---
libavcodec/mpegvideo.c | 5 +++--
libavcodec/mpegvideo.h | 1 +
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 4978d28b49..ceed41f230 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -285,9 +285,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){
}
FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check
- FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t) , fail)
+ FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t) , fail)
FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail)
pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1;
+ pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1;
if(s->out_format == FMT_H264){
for(i=0; i<2; i++){
FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4) * sizeof(int16_t), fail)
@@ -339,7 +340,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){
av_freep(&pic->mc_mb_var);
av_freep(&pic->mb_mean);
av_freep(&pic->mbskip_table);
- av_freep(&pic->qscale_table);
+ av_freep(&pic->qscale_table_base);
av_freep(&pic->mb_type_base);
av_freep(&pic->dct_coeff);
av_freep(&pic->pan_scan);
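Review bot: After `av_freep(&pic->qscale_table_base);` in free_picture, `pic->qscale_table` still holds an address inside the block that was just freed, because ff_alloc_picture now sets it as an interior pointer rather than as the allocation itself. Unless it is cleared in the part of free_picture outside this hunk, add `pic->qscale_table = NULL;` next to the free so that a later access fails cleanly instead of touching freed memory. The new field is also declared `int8_t *` in mpegvideo.h while the allocation size uses `sizeof(uint8_t)`; the sizes agree, but one type in both places would read better.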
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h
index 6ce7faa235..f37977c941 100644
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -88,6 +88,7 @@ typedef struct Picture{
* halfpel luma planes.
*/
uint8_t *interpolated[3];
+ int8_t *qscale_table_base;
int16_t (*motion_val_base[2])[2];
uint32_t *mb_type_base;
#define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type
From 0ab69793fc76b0653315b055fbfae4738a40d115 Mon Sep 17 00:00:00 2001
From: John Stebbins
Date: Mon, 4 Jul 2011 09:55:19 -0700
Subject: [PATCH 04/64] dca: set AVCodecContext frame_size for DTS audio
Set the frame size when decoding DTS audio.
This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields. Since frame_size is
not currently set, the duration of a frame is being guessed based on the stream's bitrate. But for DTS-HD, the bitrate
currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly
inaccurate frame duration estimate.
Signed-off-by: Ronald S. Bultje
(cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02)
Signed-off-by: Anton Khirnov
---
libavcodec/dca.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index a9b2c9b0c9..fad6bce7a9 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -1650,6 +1650,7 @@ static int dca_decode_frame(AVCodecContext * avctx,
//set AVCodec values with parsed data
avctx->sample_rate = s->sample_rate;
avctx->bit_rate = s->bit_rate;
+ avctx->frame_size = s->sample_blocks * 32;
s->profile = FF_PROFILE_DTS;
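Review bot: The factor in `avctx->frame_size = s->sample_blocks * 32;` is a bare literal, so the reader cannot tell what the 32 counts or in what unit frame_size ends up. A named constant, or a short comment on that line stating the unit (presumably samples per channel per frame, to be confirmed against the parser), would make the assignment self-explanatory. dca_decode_frame continues outside the hunk.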
From 694279bfd2452c58a7b7ce6424dfba785a99fedd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?=
Date: Mon, 4 Jul 2011 10:19:46 +0200
Subject: [PATCH 05/64] mxfenc: fix ignored drop flag in binary timecode
representation.
Signed-off-by: Ronald S. Bultje
(cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087)
Signed-off-by: Anton Khirnov
---
libavformat/mxfenc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c
index c448e14b00..387263e1a1 100644
--- a/libavformat/mxfenc.c
+++ b/libavformat/mxfenc.c
@@ -1539,7 +1539,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0
static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps)
{
return (0 << 31) | // color frame flag
- (0 << 30) | // drop frame flag
+ (drop << 30) | // drop frame flag
( ((frame % fps) / 10) << 28) | // tens of frames
( ((frame % fps) % 10) << 24) | // units of frames
(0 << 23) | // field phase (NTSC), b0 (PAL)
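Review bot: `(drop << 30)` shifts a signed int that ff_framenum_to_12m_time_code does not normalise, so a caller passing anything other than 0 or 1 would overwrite the neighbouring time code bits or shift into the sign bit. Writing the line as `((unsigned)!!drop << 30) | // drop frame flag` confines the value to the single flag bit. The rest of the return expression is outside the hunk.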
From 266ec41f77da6a44fe18e3774f08c9d4551137ac Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Tue, 5 Jul 2011 18:29:35 +0100
Subject: [PATCH 06/64] ARM: workaround for bug in GNU assembler
Some versions of the GNU assembler do not handle 64-bit
immediate operands containing arithmetic. Writing the
value out in full works correctly.
Signed-off-by: Mans Rullgard
(cherry picked from commit fce1e43410bdc032c4cf2b1c66166a9ed99cc8f1)
Signed-off-by: Anton Khirnov
---
libavcodec/arm/fft_fixed_neon.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/arm/fft_fixed_neon.S b/libavcodec/arm/fft_fixed_neon.S
index 14884d3736..63d8159359 100644
--- a/libavcodec/arm/fft_fixed_neon.S
+++ b/libavcodec/arm/fft_fixed_neon.S
@@ -56,7 +56,7 @@
vhsub.s16 \r0, \d0, \d1 @ t3, t4, t8, t7
vhsub.s16 \r1, \d1, \d0
vhadd.s16 \d0, \d0, \d1 @ t1, t2, t6, t5
- vmov.i64 \d1, #0xffff<<32
+ vmov.i64 \d1, #0xffff00000000
vbit \r0, \r1, \d1
vrev64.16 \r1, \r0 @ t7, t8, t4, t3
vtrn.32 \r0, \r1 @ t3, t4, t7, t8
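Review bot: Nothing at the `vmov.i64 \d1, #0xffff00000000` line says why the constant is spelled out, which invites folding it back into the shifted form. A comment such as `@ written in full: some GNU as versions mishandle arithmetic in 64-bit immediates` on that line records the constraint where it matters. The macro body continues outside the hunk.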
From 2649439bbdbf32af2bd07160c8a85ba55112af11 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Tue, 5 Jul 2011 18:10:48 -0700
Subject: [PATCH 07/64] eval: fix memleak. (cherry picked from commit
fe277b16f0861a327e1f6c00c0dbb8b00806d60d)
Signed-off-by: Anton Khirnov
---
libavutil/eval.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavutil/eval.c b/libavutil/eval.c
index a3788210e3..8bcba3632d 100644
--- a/libavutil/eval.c
+++ b/libavutil/eval.c
@@ -488,6 +488,7 @@ int av_expr_parse(AVExpr **expr, const char *s,
if ((ret = parse_expr(&e, &p)) < 0)
goto end;
if (*p.s) {
+ av_expr_free(e);
av_log(&p, AV_LOG_ERROR, "Invalid chars '%s' at the end of expression '%s'\n", p.s, s0);
ret = AVERROR(EINVAL);
goto end;
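Review bot: `e` keeps its old value after the added `av_expr_free(e);`, and the code reached through `goto end` lies outside the hunk. If anything after that label reads `e` or stores it into `*expr`, it would be using freed memory; writing `av_expr_free(e); e = NULL;` makes this path safe whatever the cleanup code does.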
From baec70e16fd98c72a7ec9eaec70453a9279ad46c Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Wed, 29 Jun 2011 13:41:47 -0700
Subject: [PATCH 08/64] adts: Fix PCE copying.
Parse the extension flag bit when reading the MPEG4 AudioSpecificConfig.
This has nothing to do with SBR/PS, contrary to what was noted when it was removed.
(cherry picked from commit 7f01a4192cdf4565eadee457f76e6b5196e35e0b)
Signed-off-by: Anton Khirnov
---
libavformat/adtsenc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c
index e858a81d92..75649e24dc 100644
--- a/libavformat/adtsenc.c
+++ b/libavformat/adtsenc.c
@@ -59,6 +59,10 @@ int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf
av_log(s, AV_LOG_ERROR, "Scalable configurations are not allowed in ADTS\n");
return -1;
}
+ if (get_bits(&gb, 1)) {
+ av_log(s, AV_LOG_ERROR, "Extension flag is not allowed in ADTS\n");
+ return -1;
+ }
if (!adts->channel_conf) {
init_put_bits(&pb, adts->pce_data, MAX_PCE_SIZE);
From fa750933812f742bdc1e208e109b8b72305ca1a2 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sun, 11 Sep 2011 12:27:51 +0200
Subject: [PATCH 09/64] Revert "ffmpeg: get rid of useless
AVInputStream.nb_streams."
This reverts commit 2cf8355f98681bdd726b739008acd5483f82f8d7.
AVInputStream.nb_streams tracks number of streams found at the
beginning, new streams may appear that ffmpeg doesn't know about. Fixes
crash in this case.
Signed-off-by: Anton Khirnov
---
ffmpeg.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ffmpeg.c b/ffmpeg.c
index c1db3d5679..76d1cf363c 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -329,6 +329,7 @@ typedef struct AVInputFile {
int eof_reached; /* true if eof reached */
int ist_index; /* index of first stream in ist_table */
int buffer_size; /* current total buffer size */
+ int nb_streams; /* nb streams we are aware of */
} AVInputFile;
static AVInputStream *input_streams = NULL;
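Review bot: The comment on the new `nb_streams` field does not say how it differs from `ctx->nb_streams`, which is exactly the distinction this revert restores. Something like `/* number of streams seen when the file was opened; ctx->nb_streams may grow later and must not be used to index ist_table */` would keep the field from being removed as redundant again. The range checks in transcode() would also read more directly as `si >= input_files[fi].nb_streams` than as `si > ... - 1`.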
@@ -1983,7 +1984,7 @@ static int transcode(AVFormatContext **output_files,
int si = stream_maps[i].stream_index;
if (fi < 0 || fi > nb_input_files - 1 ||
- si < 0 || si > input_files[fi].ctx->nb_streams - 1) {
+ si < 0 || si > input_files[fi].nb_streams - 1) {
fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si);
ret = AVERROR(EINVAL);
goto fail;
@@ -1991,7 +1992,7 @@ static int transcode(AVFormatContext **output_files,
fi = stream_maps[i].sync_file_index;
si = stream_maps[i].sync_stream_index;
if (fi < 0 || fi > nb_input_files - 1 ||
- si < 0 || si > input_files[fi].ctx->nb_streams - 1) {
+ si < 0 || si > input_files[fi].nb_streams - 1) {
fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si);
ret = AVERROR(EINVAL);
goto fail;
@@ -2607,7 +2608,7 @@ static int transcode(AVFormatContext **output_files,
}
/* the following test is needed in case new streams appear
dynamically in stream : we ignore them */
- if (pkt.stream_index >= input_files[file_index].ctx->nb_streams)
+ if (pkt.stream_index >= input_files[file_index].nb_streams)
goto discard_packet;
ist_index = input_files[file_index].ist_index + pkt.stream_index;
ist = &input_streams[ist_index];
@@ -3365,6 +3366,7 @@ static int opt_input_file(const char *opt, const char *filename)
input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1);
input_files[nb_input_files - 1].ctx = ic;
input_files[nb_input_files - 1].ist_index = nb_input_streams - ic->nb_streams;
+ input_files[nb_input_files - 1].nb_streams = ic->nb_streams;
frame_rate = (AVRational){0, 0};
frame_pix_fmt = PIX_FMT_NONE;
From 91f9c7917c830982f9122dc16d1d865cf82d8382 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomas=20H=C3=A4rdin?=
Date: Thu, 23 Jun 2011 15:59:33 +0200
Subject: [PATCH 10/64] gxf: Fix 25 fps DV material in GXF being misdetected as
50 fps
Set DV packet durations using fields_per_frame.
This requires turning gxf_stream_info into the demuxer's context for access to the value in gxf_packet().
Since MPEG-2 seems to work fine, this is done only for DV.
Signed-off-by: Anton Khirnov
(cherry picked from commit 99fecc64b064a013559d3d61f7d9790e3c95c80e)
Signed-off-by: Anton Khirnov
---
libavformat/gxf.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/libavformat/gxf.c b/libavformat/gxf.c
index 74d925fe60..d77fd18b37 100644
--- a/libavformat/gxf.c
+++ b/libavformat/gxf.c
@@ -264,7 +264,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
int map_len;
int len;
AVRational main_timebase = {0, 0};
- struct gxf_stream_info si;
+ struct gxf_stream_info *si = s->priv_data;
int i;
if (!parse_packet_header(pb, &pkt_type, &map_len) || pkt_type != PKT_MAP) {
av_log(s, AV_LOG_ERROR, "map packet not found\n");
@@ -282,7 +282,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
return 0;
}
map_len -= len;
- gxf_material_tags(pb, &len, &si);
+ gxf_material_tags(pb, &len, si);
avio_skip(pb, len);
map_len -= 2;
len = avio_rb16(pb); // length of track description
@@ -300,7 +300,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
track_id = avio_r8(pb);
track_len = avio_rb16(pb);
len -= track_len;
- gxf_track_tags(pb, &track_len, &si);
+ gxf_track_tags(pb, &track_len, si);
avio_skip(pb, track_len);
if (!(track_type & 0x80)) {
av_log(s, AV_LOG_ERROR, "invalid track type %x\n", track_type);
@@ -316,12 +316,12 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
if (idx < 0) continue;
st = s->streams[idx];
if (!main_timebase.num || !main_timebase.den) {
- main_timebase.num = si.frames_per_second.den;
- main_timebase.den = si.frames_per_second.num * 2;
+ main_timebase.num = si->frames_per_second.den;
+ main_timebase.den = si->frames_per_second.num * 2;
}
- st->start_time = si.first_field;
- if (si.first_field != AV_NOPTS_VALUE && si.last_field != AV_NOPTS_VALUE)
- st->duration = si.last_field - si.first_field;
+ st->start_time = si->first_field;
+ if (si->first_field != AV_NOPTS_VALUE && si->last_field != AV_NOPTS_VALUE)
+ st->duration = si->last_field - si->first_field;
}
if (len < 0)
av_log(s, AV_LOG_ERROR, "invalid track description length specified\n");
@@ -422,6 +422,8 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) {
AVIOContext *pb = s->pb;
GXFPktType pkt_type;
int pkt_len;
+ struct gxf_stream_info *si = s->priv_data;
+
while (!pb->eof_reached) {
AVStream *st;
int track_type, track_id, ret;
@@ -473,6 +475,11 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) {
avio_skip(pb, skip);
pkt->stream_index = stream_index;
pkt->dts = field_nr;
+
+ //set duration manually for DV or else lavf misdetects the frame rate
+ if (st->codec->codec_id == CODEC_ID_DVVIDEO)
+ pkt->duration = si->fields_per_frame;
+
return ret;
}
return AVERROR(EIO);
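Review bot: `pkt->duration = si->fields_per_frame;` in gxf_packet takes its value from one per-file structure, while gxf_header passes that same `si` to gxf_track_tags for every track in its loop. The duration applied to DV packets is therefore presumably whatever the last track description left behind, and it may be zero if that track carried no such tag (the tag parser is not visible here). Consider storing the value per stream, or at least guarding the assignment with `si->fields_per_frame > 0` and noting in a comment that the field is shared by all tracks.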
@@ -518,7 +525,7 @@ static int64_t gxf_read_timestamp(AVFormatContext *s, int stream_index,
AVInputFormat ff_gxf_demuxer = {
"gxf",
NULL_IF_CONFIG_SMALL("GXF format"),
- 0,
+ sizeof(struct gxf_stream_info),
gxf_probe,
gxf_header,
gxf_packet,
From 9bf76932e5e4dffd5199084cab810b6c8203fce1 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Wed, 22 Jun 2011 15:33:56 -0400
Subject: [PATCH 11/64] alsa: fallback to buffer_size/4 for period_size.
buffer_size/4 is the value used by aplay. This fixes output to null
devices, e.g. writing ALSA output to a file.
(cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4)
Signed-off-by: Anton Khirnov
---
libavdevice/alsa-audio-common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c
index baa6ac79ca..4c7c881300 100644
--- a/libavdevice/alsa-audio-common.c
+++ b/libavdevice/alsa-audio-common.c
@@ -146,6 +146,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode,
}
snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL);
+ if (!period_size)
+ period_size = buffer_size / 4;
res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL);
if (res < 0) {
av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n",
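Review bot: The new `if (!period_size)` test reads a value whose producer, `snd_pcm_hw_params_get_period_size_min()`, has its return code ignored on the line above; if that call fails, period_size holds whatever it had before, and its initialisation is outside the hunk. Checking the result, for example `if (snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL) < 0 || !period_size)`, lets the fallback cover that case as well. The same applies to the unchecked `snd_pcm_hw_params_get_buffer_size_max()` ahead of the FFMIN clamp added in patch 12. ff_alsa_open continues outside the hunk.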
From 207db36a4fa234f6d5123601cceb96f261588fb7 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Wed, 22 Jun 2011 16:38:20 -0400
Subject: [PATCH 12/64] alsa: limit buffer_size to 32768 frames.
In testing, the file output plugin gave a max buffer size of about 20 million
frames, which is way more than what is really needed and causes a memory
allocation error on my system.
(cherry picked from commit e35c674d13a7f180412cfe058530a2e7f1d49a90)
Signed-off-by: Anton Khirnov
---
libavdevice/alsa-audio-common.c | 1 +
libavdevice/alsa-audio.h | 2 ++
2 files changed, 3 insertions(+)
diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c
index 4c7c881300..825fcb1dbd 100644
--- a/libavdevice/alsa-audio-common.c
+++ b/libavdevice/alsa-audio-common.c
@@ -137,6 +137,7 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode,
}
snd_pcm_hw_params_get_buffer_size_max(hw_params, &buffer_size);
+ buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX);
/* TODO: maybe use ctx->max_picture_buffer somehow */
res = snd_pcm_hw_params_set_buffer_size_near(h, hw_params, &buffer_size);
if (res < 0) {
diff --git a/libavdevice/alsa-audio.h b/libavdevice/alsa-audio.h
index 32c07426ef..c8c6ea4aff 100644
--- a/libavdevice/alsa-audio.h
+++ b/libavdevice/alsa-audio.h
@@ -40,6 +40,8 @@
other formats */
#define DEFAULT_CODEC_ID AV_NE(CODEC_ID_PCM_S16BE, CODEC_ID_PCM_S16LE)
+#define ALSA_BUFFER_SIZE_MAX 32768
+
typedef struct {
AVClass *class;
snd_pcm_t *h;
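Review bot: `ALSA_BUFFER_SIZE_MAX` carries no unit at its definition; only the commit subject says the limit is in frames. A comment such as `/* upper bound for the ALSA buffer size, in frames */` above the define would keep that information with the code.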
From e308a91c9cf3d93188cd30fc5ec7ef2ce0fbfc45 Mon Sep 17 00:00:00 2001
From: Jindrich Makovicka
Date: Thu, 30 Jun 2011 09:03:15 +0000
Subject: [PATCH 13/64] mpegts: fix Continuity Counter error detection
According to MPEG-TS specs, the continuity_counter shall not be
incremented when the adaptation_field_control of the packet
equals '00' or '10'.
Signed-off-by: Jindrich Makovicka
Signed-off-by: Anton Khirnov
(cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7)
Signed-off-by: Anton Khirnov
---
libavformat/mpegts.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index e9b8b3513a..608cbe710f 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1247,7 +1247,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
{
AVFormatContext *s = ts->stream;
MpegTSFilter *tss;
- int len, pid, cc, cc_ok, afc, is_start;
+ int len, pid, cc, expected_cc, cc_ok, afc, is_start;
const uint8_t *p, *p_end;
int64_t pos;
@@ -1265,7 +1265,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
/* continuity check (currently not used) */
cc = (packet[3] & 0xf);
- cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc));
+ expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc;
+ cc_ok = (tss->last_cc < 0) || (expected_cc == cc);
tss->last_cc = cc;
/* skip adaptation field */
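Review bot: The payload test in `expected_cc` uses the bare mask `packet[3] & 0x10`, and the comment above it still says only "continuity check". A comment such as `/* the counter advances only when the packet carries payload (adaptation_field_control bit 0x10) */` would tie the line to the rule quoted in the commit message. handle_packet continues outside the hunk.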
From dc3ab8ca438e7033cd7e049398f78d87d3b6fc55 Mon Sep 17 00:00:00 2001
From: Oskar Arvidsson
Date: Tue, 12 Jul 2011 10:52:19 +0200
Subject: [PATCH 14/64] pix_fmt: Fix number of bits per component in yuv444p9be
Signed-off-by: Ronald S. Bultje
(cherry picked from commit e59d6b4d7255d6d3dc89580f534e18af1433fe25)
Signed-off-by: Anton Khirnov
---
libavutil/pixdesc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c
index efc7c7ea0e..c70a41347b 100644
--- a/libavutil/pixdesc.c
+++ b/libavutil/pixdesc.c
@@ -918,9 +918,9 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[PIX_FMT_NB] = {
.log2_chroma_w= 0,
.log2_chroma_h= 0,
.comp = {
- {0,1,1,0,9}, /* Y */
- {1,1,1,0,9}, /* U */
- {2,1,1,0,9}, /* V */
+ {0,1,1,0,8}, /* Y */
+ {1,1,1,0,8}, /* U */
+ {2,1,1,0,8}, /* V */
},
.flags = PIX_FMT_BE,
},
From 44b3f053090bfb4bae50d3f92d4e70335066f91c Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Tue, 12 Jul 2011 22:42:18 +0200
Subject: [PATCH 15/64] lavf: fix segfault in av_open_input_stream()
ic is NULL in case of error.
(cherry picked from commit 13551ad1e336573e3732fdeaf25607c47244bb80)
Signed-off-by: Anton Khirnov
---
libavformat/utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 0e6b00195b..2cb096e373 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -465,7 +465,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr,
else
ic->pb = pb;
- err = avformat_open_input(&ic, filename, fmt, &opts);
+ if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0)
+ goto fail;
ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above
*ic_ptr = ic;
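Review bot: With the new `goto fail`, the assignment `*ic_ptr = ic;` two lines further down is skipped when avformat_open_input() fails, so the caller's pointer keeps whatever value it had before the call. Since the commit message says ic is NULL after a failure, that old value may refer to a context that no longer exists. Unless the fail label (outside the hunk) resets it, consider writing `*ic_ptr = NULL;` on the error path.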
From fe7deb7cc40b4f5a91d5a5b22e5532fd14cdf123 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Fri, 15 Jul 2011 22:38:10 +0100
Subject: [PATCH 16/64] aacps: skip some memcpy() if src and dst would be equal
Signed-off-by: Mans Rullgard
(cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3)
Signed-off-by: Anton Khirnov
---
libavcodec/aacps.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 724c13256a..3f1424bcf2 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2
const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB;
//Remapping
- memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
- memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
- memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
- memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
- memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
- memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
- memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
- memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+ if (ps->num_env_old) {
+ memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
+ memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
+ memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
+ memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
+ memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
+ memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
+ memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
+ memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+ }
+
if (is34) {
remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1);
remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1);
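Review bot: The new `if (ps->num_env_old)` guard in stereo_processing has no comment, and its reason is not obvious from the code: with index 0 the source and destination rows are the same object, which memcpy() does not permit. A line such as `/* row 0 would be copied onto itself, which is undefined for memcpy() */` above the `if` records that. The eight calls differ only in the array name and could share a small loop or macro.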
From 3b80fb50d815fe399ff7b69e7e646b4597a0bf84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?=
Date: Sat, 16 Jul 2011 11:41:08 -0400
Subject: [PATCH 17/64] Do not decode RV30 files if the extradata is too small
Signed-off-by: Diego Biurrun
(cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac)
Signed-off-by: Anton Khirnov
---
libavcodec/rv30.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index 62177dda78..2b423cc0d2 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
6 + r->rpr * 2, avctx->extradata_size);
+ return EINVAL;
}
r->parse_slice_header = rv30_parse_slice_header;
r->decode_intra_types = rv30_decode_intra_types;
From ba19cb688596a95d84617bb5e6551ea4ec364648 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Wed, 20 Jul 2011 09:55:48 +0100
Subject: [PATCH 18/64] Fix incorrect max_lowres values
Signed-off-by: Mans Rullgard
(cherry picked from commit e23a05ab0605693aa715b95120bc0132079ded06)
Signed-off-by: Anton Khirnov
---
libavcodec/cdgraphics.c | 1 -
libavcodec/kgv1dec.c | 1 -
libavcodec/pngdec.c | 1 -
libavcodec/pnmdec.c | 5 -----
libavcodec/sp5xdec.c | 2 +-
5 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index 2f8e98ca3d..bcfb6e9be5 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -377,6 +377,5 @@ AVCodec ff_cdgraphics_decoder = {
cdg_decode_end,
cdg_decode_frame,
CODEC_CAP_DR1,
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("CD Graphics video"),
};
diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
index 57684340af..88c54bf817 100644
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -173,6 +173,5 @@ AVCodec ff_kgv1_decoder = {
NULL,
decode_end,
decode_frame,
- .max_lowres = 1,
.long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
};
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 7477f6746b..1268c9e781 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -667,6 +667,5 @@ AVCodec ff_png_decoder = {
decode_frame,
CODEC_CAP_DR1 /*| CODEC_CAP_DRAW_HORIZ_BAND*/,
NULL,
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PNG image"),
};
diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
index b9f20c0569..988ea0c267 100644
--- a/libavcodec/pnmdec.c
+++ b/libavcodec/pnmdec.c
@@ -199,7 +199,6 @@ AVCodec ff_pgm_decoder = {
pnm_decode_frame,
CODEC_CAP_DR1,
.pix_fmts = (const enum PixelFormat[]){PIX_FMT_GRAY8, PIX_FMT_GRAY16BE, PIX_FMT_NONE},
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PGM (Portable GrayMap) image"),
};
#endif
@@ -216,7 +215,6 @@ AVCodec ff_pgmyuv_decoder = {
pnm_decode_frame,
CODEC_CAP_DR1,
.pix_fmts = (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE},
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PGMYUV (Portable GrayMap YUV) image"),
};
#endif
@@ -233,7 +231,6 @@ AVCodec ff_ppm_decoder = {
pnm_decode_frame,
CODEC_CAP_DR1,
.pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB48BE, PIX_FMT_NONE},
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PPM (Portable PixelMap) image"),
};
#endif
@@ -250,7 +247,6 @@ AVCodec ff_pbm_decoder = {
pnm_decode_frame,
CODEC_CAP_DR1,
.pix_fmts = (const enum PixelFormat[]){PIX_FMT_MONOWHITE, PIX_FMT_NONE},
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PBM (Portable BitMap) image"),
};
#endif
@@ -267,7 +263,6 @@ AVCodec ff_pam_decoder = {
pnm_decode_frame,
CODEC_CAP_DR1,
.pix_fmts = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB32, PIX_FMT_GRAY8, PIX_FMT_MONOWHITE, PIX_FMT_NONE},
- .max_lowres = 5,
.long_name = NULL_IF_CONFIG_SMALL("PAM (Portable AnyMap) image"),
};
#endif
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c
index 6726c18ca9..ae25733530 100644
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -104,7 +104,7 @@ AVCodec ff_sp5x_decoder = {
sp5x_decode_frame,
CODEC_CAP_DR1,
NULL,
- .max_lowres = 5,
+ .max_lowres = 3,
.long_name = NULL_IF_CONFIG_SMALL("Sunplus JPEG (SP5X)"),
};
From 8e0a53bd34829f594574ff810f410cc47bfac620 Mon Sep 17 00:00:00 2001
From: Diego Biurrun
Date: Thu, 21 Jul 2011 14:25:01 +0200
Subject: [PATCH 19/64] rv30: return AVERROR(EINVAL) instead of EINVAL
On some platforms EINVAL could be positive, ensure we return negative values.
(cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7)
Signed-off-by: Anton Khirnov
---
libavcodec/rv30.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index 2b423cc0d2..b7f43a4bd0 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
6 + r->rpr * 2, avctx->extradata_size);
- return EINVAL;
+ return AVERROR(EINVAL);
}
r->parse_slice_header = rv30_parse_slice_header;
r->decode_intra_types = rv30_decode_intra_types;
From 8abaa83d2c5ddc1cfe3f5e3eabcaac2b33cd5f12 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Tue, 26 Jul 2011 10:58:29 -0700
Subject: [PATCH 20/64] vp3/theora: flush after seek. (cherry picked from
commit 8dcf5184307f072d55fb29373be05ef8b0fd02df)
Signed-off-by: Anton Khirnov
---
libavcodec/vp3.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c3dff7f89f..c117a64084 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2321,6 +2321,26 @@ static av_cold int theora_decode_init(AVCodecContext *avctx)
return vp3_decode_init(avctx);
}
+static void vp3_decode_flush(AVCodecContext *avctx)
+{
+ Vp3DecodeContext *s = avctx->priv_data;
+
+ if (s->golden_frame.data[0]) {
+ if (s->golden_frame.data[0] == s->last_frame.data[0])
+ memset(&s->last_frame, 0, sizeof(AVFrame));
+ if (s->current_frame.data[0] == s->golden_frame.data[0])
+ memset(&s->current_frame, 0, sizeof(AVFrame));
+ ff_thread_release_buffer(avctx, &s->golden_frame);
+ }
+ if (s->last_frame.data[0]) {
+ if (s->current_frame.data[0] == s->last_frame.data[0])
+ memset(&s->current_frame, 0, sizeof(AVFrame));
+ ff_thread_release_buffer(avctx, &s->last_frame);
+ }
+ if (s->current_frame.data[0])
+ ff_thread_release_buffer(avctx, &s->current_frame);
+}
+
AVCodec ff_theora_decoder = {
"theora",
AVMEDIA_TYPE_VIDEO,
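Review bot: vp3_decode_flush has no comment explaining the `memset(..., 0, sizeof(AVFrame))` calls, which are what keep one buffer from being released twice when golden, last and current frame share `data[0]`. A function comment along the lines of `/* Release all reference frames; a frame aliasing an already handled buffer is cleared first so each buffer is released exactly once. */` would make the ordering requirement visible. If the decoder's close path releases frames in the same way (that code is not in this hunk), sharing one helper would keep the two from drifting apart.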
@@ -2332,6 +2352,7 @@ AVCodec ff_theora_decoder = {
vp3_decode_frame,
CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
NULL,
+ .flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("Theora"),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
@@ -2348,6 +2369,7 @@ AVCodec ff_vp3_decoder = {
vp3_decode_frame,
CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
NULL,
+ .flush = vp3_decode_flush,
.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
};
From c5388d680e62db36ab235b5076d3b0c1eb5a04f4 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 29 Jul 2011 15:27:36 -0700
Subject: [PATCH 21/64] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when
allocating extradata.
This prevents out of bounds reads when extradata is being decoded.
(cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356)
Signed-off-by: Anton Khirnov
---
libavformat/mxfdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 82daa2a002..fcee7a7b83 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -599,7 +599,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int
default:
/* Private uid used by SONY C0023S01.mxf */
if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) {
- descriptor->extradata = av_malloc(size);
+ descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
if (!descriptor->extradata)
return -1;
descriptor->extradata_size = size;
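Review bot: The padding added by `av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)` is never initialised in the lines shown, so a reader that runs past `extradata_size` stays inside the allocation but still sees indeterminate bytes. Allocating with `av_mallocz(size + FF_INPUT_BUFFER_PADDING_SIZE)` zeroes them. `size` comes from the file, so the addition should also be checked for overflow before allocating, and for negative values if the parameter is a signed int as the truncated signature suggests. The rest of the case is outside the hunk.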
From 82d7ad3344e11a33ab639052fcda6b30a378546a Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 29 Jul 2011 15:49:11 -0700
Subject: [PATCH 22/64] aac: Remove some suspicious illegal memcpy()s from LTP.
(cherry picked from commit a6c49f18abacb9bf52d4d808a2a56561a5b5445c)
Signed-off-by: Anton Khirnov
---
libavcodec/aacdec.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 69aacb86d6..f94b109de5 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1753,12 +1753,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out,
} else {
memset(in, 0, 448 * sizeof(float));
ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128);
- memcpy(in + 576, in + 576, 448 * sizeof(float));
}
if (ics->window_sequence[0] != LONG_START_SEQUENCE) {
ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024);
} else {
- memcpy(in + 1024, in + 1024, 448 * sizeof(float));
ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128);
memset(in + 1024 + 576, 0, 448 * sizeof(float));
}
From b8fa424ce2e2f7206bdf37f2da8410764358cab3 Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier
Date: Sat, 29 Jan 2011 17:05:42 -0800
Subject: [PATCH 23/64] libx264: do not set pic quality if no frame is output
Avoids uninitialized reads.
Signed-off-by: Anton Khirnov
(cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c)
Signed-off-by: Anton Khirnov
---
libavcodec/libx264.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index e5fac00469..74ee1d45e0 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -138,7 +138,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
}
x4->out_pic.key_frame = pic_out.b_keyframe;
- x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA;
+ if (bufsize)
+ x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA;
return bufsize;
}
From f629fcd308059a41f55a6022afee0f737af5fc02 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Wed, 10 Aug 2011 14:07:35 -0400
Subject: [PATCH 24/64] Remove incorrect info in documentation of
AVCodecContext.bits_per_raw_sample.
bits_per_raw_sample is used in video as well, where sample_fmt is not used.
(cherry picked from commit d271d5b2152cafe540f3ab71d3be6ce8636d2fd6)
Signed-off-by: Anton Khirnov
---
libavcodec/avcodec.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
index 9a3076ae27..0269892028 100644
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -2559,7 +2559,6 @@ typedef struct AVCodecContext {
/**
* Bits per sample/pixel of internal libavcodec pixel/sample format.
- * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32.
* - encoding: set by user.
* - decoding: set by libavcodec.
*/
From cc4718196ad6cfe765fa1e8db0adef0e5bb09664 Mon Sep 17 00:00:00 2001
From: Dustin Brody
Date: Thu, 11 Aug 2011 08:57:58 -0400
Subject: [PATCH 25/64] h264: notice memory allocation failure
Signed-off-by: Ronald S. Bultje
(cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774)
Signed-off-by: Anton Khirnov
---
libavcodec/h264.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 2c000a3420..99be210d13 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1165,7 +1165,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex
memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc
memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
memset(h->pps_buffers, 0, sizeof(h->pps_buffers));
- ff_h264_alloc_tables(h);
+ if (ff_h264_alloc_tables(h) < 0) {
+ av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+ return AVERROR(ENOMEM);
+ }
context_init(h);
for(i=0; i<2; i++){
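Review bot: `context_init(h)` on the line right after the new check is still called with its result ignored, although the context of the second hunk (decode_slice_header) tests `context_init(h) < 0`. Since the aim of the change is to notice allocation failure, this path should propagate it too, for example `if (context_init(h) < 0) return AVERROR(ENOMEM);`, assuming it fails only on allocation. It is also worth confirming what `h` holds on the new early return: the preceding `memcpy` copied the source context's fields into it, so any pointer that `ff_h264_alloc_tables` does not reset on failure would still alias the other thread's context. That cleanup code is outside the hunk.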
@@ -2635,7 +2638,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->prev_interlaced_frame = 1;
init_scan_tables(h);
- ff_h264_alloc_tables(h);
+ if (ff_h264_alloc_tables(h) < 0) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+ return AVERROR(ENOMEM);
+ }
if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) {
if (context_init(h) < 0) {
From 210d8f4ca23b97bcb34b18a92c6a66b243e86021 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Sat, 13 Aug 2011 11:58:18 +0200
Subject: [PATCH 26/64] VC-1: fix reading of custom PAR.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Custom PAR numerator/denominator values are in the 1-256 range.
Signed-off-by: Reimar Döffinger
Signed-off-by: Diego Biurrun
(cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3)
Signed-off-by: Anton Khirnov
---
libavcodec/vc1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 32869b97d1..5e53680ec6 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -485,8 +485,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb)
if(ar && ar < 14){
v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar];
}else if(ar == 15){
- w = get_bits(gb, 8);
- h = get_bits(gb, 8);
+ w = get_bits(gb, 8) + 1;
+ h = get_bits(gb, 8) + 1;
v->s.avctx->sample_aspect_ratio = (AVRational){w, h};
}
av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den);
From e30e0a16af274f87c028ce4884d5b2e415517902 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Wed, 8 Jun 2011 14:32:07 +0000
Subject: [PATCH 27/64] flvenc: use int64_t to store offsets
Metadata is currently written only at the start of the file in normal
cases; when transcoding from an RTMP source, metadata could be
written later and the recorded offset can exceed 32 bits.
Signed-off-by: Anton Khirnov
(cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6)
Signed-off-by: Anton Khirnov
---
libavformat/flvenc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index 487993cd9a..bd1a1f49fe 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -177,7 +177,7 @@ static int flv_write_header(AVFormatContext *s)
AVCodecContext *audio_enc = NULL, *video_enc = NULL;
int i;
double framerate = 0.0;
- int metadata_size_pos, data_size;
+ int64_t metadata_size_pos, data_size;
AVDictionaryEntry *tag = NULL;
for(i=0; inb_streams; i++){
From 303e48e6a24bbc34148457137cfffc53185fa7d3 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Wed, 17 Aug 2011 10:36:33 +0200
Subject: [PATCH 28/64] rv10/20: tell decoder to use edge emulation
This removes out-of-edge motion compensation artifacts (easily spotted green
blocks in avplay, gray blocks in transcoding), for example here:
http://samples.libav.org/samples/real/tv_watching_t1.rm
Signed-off-by: Diego Biurrun
(cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48)
Signed-off-by: Anton Khirnov
---
libavcodec/rv10.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 6227dc6f6c..78f97b16b1 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -438,6 +438,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
s->avctx= avctx;
s->out_format = FMT_H263;
s->codec_id= avctx->codec_id;
+ avctx->flags |= CODEC_FLAG_EMU_EDGE;
s->orig_width = s->width = avctx->coded_width;
s->orig_height= s->height = avctx->coded_height;
From 5925e25218cb8f053bc81591995d78728ab096f2 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Tue, 16 Aug 2011 11:03:26 -0700
Subject: [PATCH 29/64] aac: Only output configure if audio was found.
Audio found is not triggered on a CCE because a CCE alone has no output.
Signed-off-by: Luca Barbato
(cherry picked from commit d8425ed4af6d8fce62ff363cc590f85e57bac06b)
Signed-off-by: Anton Khirnov
---
libavcodec/aacdec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index f94b109de5..2958ddbe72 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2074,7 +2074,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
ChannelElement *che = NULL, *che_prev = NULL;
enum RawDataBlockType elem_type, elem_type_prev = TYPE_END;
int err, elem_id, data_size_tmp;
- int samples = 0, multiplier;
+ int samples = 0, multiplier, audio_found = 0;
if (show_bits(gb, 12) == 0xfff) {
if (parse_adts_frame_header(ac, gb) < 0) {
@@ -2105,10 +2105,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
case TYPE_SCE:
err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+ audio_found = 1;
break;
case TYPE_CPE:
err = decode_cpe(ac, gb, che);
+ audio_found = 1;
break;
case TYPE_CCE:
@@ -2117,6 +2119,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
case TYPE_LFE:
err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+ audio_found = 1;
break;
case TYPE_DSE:
@@ -2193,7 +2196,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
samples, avctx->channels);
}
- if (ac->output_configured)
+ if (ac->output_configured && audio_found)
ac->output_configured = OC_LOCKED;
return 0;
From cb9ccc89c5e3d950fdce88e84e29ad8234240c15 Mon Sep 17 00:00:00 2001
From: Jeff Downs
Date: Tue, 5 Jul 2011 14:21:54 -0400
Subject: [PATCH 30/64] h264: correct the check for invalid long term frame
index in MMCO decode
The current check on MMCO parameters prohibits a "max long term frame index
plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO.
Fix this off-by-one error to allow the full range of legal values.
Signed-off-by: Diego Biurrun
(cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a)
Signed-off-by: Anton Khirnov
---
libavcodec/h264_refs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index a025f7d352..b1c27ec810 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){
}
if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){
unsigned int long_arg= get_ue_golomb_31(gb);
- if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
+ if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode);
return -1;
}
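Review bot: The range check now encodes three different limits in one expression and carries no comment saying which opcode gets which. A comment above it such as `/* long_arg < 16, except SET_MAX_LONG (max index + 1, so 16 is legal) and LONG2UNUSED in field pictures (< 32) */` would make the off-by-one intent reviewable. Because 16 is now accepted for MMCO_SET_MAX_LONG, any later consumer of this value has to treat it as a count rather than as an index into a 16-entry array. That code is outside the hunk and should be confirmed.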
From 767efcb46e6be63bca6856c4c6028746cc2f4360 Mon Sep 17 00:00:00 2001
From: Jeff Downs
Date: Wed, 6 Jul 2011 11:54:36 -0400
Subject: [PATCH 31/64] h264: correct implicit weight table computation for
long ref pics
Correct computation of implicit weight tables when referencing pictures
that are marked for long reference.
Signed-off-by: Diego Biurrun
(cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d)
Signed-off-by: Anton Khirnov
---
libavcodec/h264.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 99be210d13..1c60de7023 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2198,15 +2198,17 @@ static void implicit_weight_table(H264Context *h, int field){
for(ref0=ref_start; ref0 < ref_count0; ref0++){
int poc0 = h->ref_list[0][ref0].poc;
for(ref1=ref_start; ref1 < ref_count1; ref1++){
- int poc1 = h->ref_list[1][ref1].poc;
- int td = av_clip(poc1 - poc0, -128, 127);
- int w= 32;
- if(td){
- int tb = av_clip(cur_poc - poc0, -128, 127);
- int tx = (16384 + (FFABS(td) >> 1)) / td;
- int dist_scale_factor = (tb*tx + 32) >> 8;
- if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
- w = 64 - dist_scale_factor;
+ int w = 32;
+ if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) {
+ int poc1 = h->ref_list[1][ref1].poc;
+ int td = av_clip(poc1 - poc0, -128, 127);
+ if(td){
+ int tb = av_clip(cur_poc - poc0, -128, 127);
+ int tx = (16384 + (FFABS(td) >> 1)) / td;
+ int dist_scale_factor = (tb*tx + 32) >> 8;
+ if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
+ w = 64 - dist_scale_factor;
+ }
}
if(field<0){
h->implicit_weight[ref0][ref1][0]=
From 566d26923ec59d9897cd7c73e3689484135a78c6 Mon Sep 17 00:00:00 2001
From: Jeff Downs
Date: Tue, 5 Jul 2011 13:20:06 -0400
Subject: [PATCH 32/64] h264: fix PCM intra-coded blocks in monochrome case
Signed-off-by: Diego Biurrun
(cherry picked from commit 6581e161c5f46733a5619208483de29416eb9a51)
Signed-off-by: Anton Khirnov
---
libavcodec/h264.c | 46 ++++++++++++++++++++++++++++++++++------------
1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 1c60de7023..75075f6b3c 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1851,15 +1851,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
tmp_y[j] = get_bits(&gb, bit_depth);
}
if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
- for (i = 0; i < 8; i++) {
- uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
- for (j = 0; j < 8; j++)
- tmp_cb[j] = get_bits(&gb, bit_depth);
- }
- for (i = 0; i < 8; i++) {
- uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
- for (j = 0; j < 8; j++)
- tmp_cr[j] = get_bits(&gb, bit_depth);
+ if (!h->sps.chroma_format_idc) {
+ for (i = 0; i < 8; i++) {
+ uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+ for (j = 0; j < 8; j++) {
+ tmp_cb[j] = 1 << (bit_depth - 1);
+ }
+ }
+ for (i = 0; i < 8; i++) {
+ uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+ for (j = 0; j < 8; j++) {
+ tmp_cr[j] = 1 << (bit_depth - 1);
+ }
+ }
+ } else {
+ for (i = 0; i < 8; i++) {
+ uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+ for (j = 0; j < 8; j++)
+ tmp_cb[j] = get_bits(&gb, bit_depth);
+ }
+ for (i = 0; i < 8; i++) {
+ uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+ for (j = 0; j < 8; j++)
+ tmp_cr[j] = get_bits(&gb, bit_depth);
+ }
}
}
} else {
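Review bot: The new monochrome branch repeats the same fill loop for Cb and for Cr and recomputes `1 << (bit_depth - 1)` for every sample. Hoisting the value, `const int mid = 1 << (bit_depth - 1);`, and filling both planes inside one `i` loop would halve the added code. The 8-bit path in the next hunk already handles both planes in a single loop with `memset(..., 128, 8)`. A short comment saying that mid-grey chroma is written because a stream with `chroma_format_idc == 0` carries no chroma samples would also explain why `get_bits` is skipped here.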
@@ -1867,9 +1882,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
memcpy(dest_y + i* linesize, h->mb + i*8, 16);
}
if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
- for (i=0; i<8; i++) {
- memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4, 8);
- memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4, 8);
+ if (!h->sps.chroma_format_idc) {
+ for (i = 0; i < 8; i++) {
+ memset(dest_cb + i*uvlinesize, 128, 8);
+ memset(dest_cr + i*uvlinesize, 128, 8);
+ }
+ } else {
+ for (i = 0; i < 8; i++) {
+ memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4, 8);
+ memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4, 8);
+ }
}
}
}
From f45cfb4751eb1012bb2c4e5303b7558593a17127 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Tue, 23 Aug 2011 17:28:33 +0200
Subject: [PATCH 33/64] lavc: remove vbv_delay option
It's broken and serves no purpose as it's a read-only field.
(cherry picked from commit 8ee18b4bee24f99e733cf1425894e82c25d02426)
Signed-off-by: Anton Khirnov
---
libavcodec/options.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libavcodec/options.c b/libavcodec/options.c
index ae9e0c902d..792bb5941c 100644
--- a/libavcodec/options.c
+++ b/libavcodec/options.c
@@ -449,7 +449,6 @@ static const AVOption options[]={
{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"},
{"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
{"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
-{"vbv_delay", "initial buffer fill time in periods of 27Mhz clock", 0, FF_OPT_TYPE_INT64, {.dbl = 0 }, 0, INT64_MAX},
{"audio_service_type", "audio service type", OFFSET(audio_service_type), FF_OPT_TYPE_INT, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, 0, AV_AUDIO_SERVICE_TYPE_NB-1, A|E, "audio_service_type"},
{"ma", "Main Audio Service", 0, FF_OPT_TYPE_CONST, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, INT_MIN, INT_MAX, A|E, "audio_service_type"},
{"ef", "Effects", 0, FF_OPT_TYPE_CONST, {.dbl = AV_AUDIO_SERVICE_TYPE_EFFECTS }, INT_MIN, INT_MAX, A|E, "audio_service_type"},
From a8edc1cbc76f2c8144796f3f984bc4607fb0d71d Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Wed, 24 Aug 2011 14:36:16 -0700
Subject: [PATCH 34/64] vc1: properly zero coded_block[] edges on new slice
entry.
Previously, we would leave the left edge uninitialized, which led to
CBP prediction errors on slice edges, e.g. in SA10098.vc1.
(cherry picked from commit d4b9974465baf893e90527a366e7a7411ded1ef8)
Signed-off-by: Anton Khirnov
---
libavcodec/vc1dec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 8fca2da738..b17ce30b5c 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -3020,7 +3020,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v)
s->mb_x = 0;
ff_init_block_index(s);
memset(&s->coded_block[s->block_index[0]-s->b8_stride], 0,
- s->b8_stride * sizeof(*s->coded_block));
+ (1 + s->b8_stride) * sizeof(*s->coded_block));
}
for(; s->mb_y < s->end_mb_y; s->mb_y++) {
s->mb_x = 0;
From 526f24e3fd731e11b5c19bccf26b392d7a007327 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Delm=C3=A1s?=
Date: Thu, 25 Aug 2011 11:00:37 +0200
Subject: [PATCH 35/64] VC1: Fix first/last row checks with slices
In some places 0/mb_height were used in place of start_mb_y/end_mb_y.
Fixes SA00049, SA00058, SA10091, SA10097, SA10131, SA20021, SA30030
Improves PSNR in SA00054, SA00059, SA00060, SA10096, SA10098, SA20022,
SA30031, SA30032, SA40012, SA40013
Signed-off-by: Ronald S. Bultje
(cherry picked from commit 1cf82cab0840d669198ea76ab0363aa661950647)
Signed-off-by: Anton Khirnov
---
libavcodec/vc1dec.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index b17ce30b5c..c87558bc50 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -243,7 +243,7 @@ static void vc1_loop_filter_iblk(VC1Context *v, int pq)
}
v->vc1dsp.vc1_v_loop_filter16(s->dest[0] + 8*s->linesize, s->linesize, pq);
- if (s->mb_y == s->mb_height-1) {
+ if (s->mb_y == s->end_mb_y-1) {
if (s->mb_x) {
v->vc1dsp.vc1_h_loop_filter16(s->dest[0], s->linesize, pq);
v->vc1dsp.vc1_h_loop_filter8(s->dest[1], s->uvlinesize, pq);
@@ -295,7 +295,7 @@ static void vc1_loop_filter_iblk_delayed(VC1Context *v, int pq)
v->vc1dsp.vc1_v_loop_filter16(s->dest[0] - 8 * s->linesize, s->linesize, pq);
}
- if (s->mb_y == s->mb_height) {
+ if (s->mb_y == s->end_mb_y) {
if (s->mb_x) {
if (s->mb_x >= 2)
v->vc1dsp.vc1_h_loop_filter16(s->dest[0] - 16 * s->linesize - 16, s->linesize, pq);
@@ -2330,7 +2330,7 @@ static av_always_inline void vc1_apply_p_v_loop_filter(VC1Context *v, int block_
} else {
dst = s->dest[0] + (block_num & 1) * 8 + ((block_num & 2) * 4 - 8) * linesize;
}
- if (s->mb_y != s->mb_height || block_num < 2) {
+ if (s->mb_y != s->end_mb_y || block_num < 2) {
int16_t (*mv)[2];
int mv_stride;
@@ -3096,7 +3096,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v)
if(v->s.loop_filter) vc1_loop_filter_iblk_delayed(v, v->pq);
}
if (v->s.loop_filter)
- ff_draw_horiz_band(s, (s->mb_height-1)*16, 16);
+ ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16);
ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
}
@@ -3219,7 +3219,7 @@ static void vc1_decode_b_blocks(VC1Context *v)
s->first_slice_line = 0;
}
if (v->s.loop_filter)
- ff_draw_horiz_band(s, (s->mb_height-1)*16, 16);
+ ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16);
ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
}
@@ -3227,9 +3227,9 @@ static void vc1_decode_skip_blocks(VC1Context *v)
{
MpegEncContext *s = &v->s;
- ff_er_add_slice(s, 0, 0, s->mb_width - 1, s->mb_height - 1, (AC_END|DC_END|MV_END));
+ ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
s->first_slice_line = 1;
- for(s->mb_y = 0; s->mb_y < s->mb_height; s->mb_y++) {
+ for(s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) {
s->mb_x = 0;
ff_init_block_index(s);
ff_update_block_index(s);
From a7d35b2f99365b56937c144d05ca36ebe5458154 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 9 Mar 2011 03:30:24 +0100
Subject: [PATCH 36/64] vf_scale: don't leak SWS context.
Signed-off-by: Anton Khirnov
(cherry picked from commit 52982dbe474663709033e1ad259f8ff7a5a2eefa)
Signed-off-by: Anton Khirnov
---
libavfilter/vf_scale.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c
index 65fe01c9ae..5288d32116 100644
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -205,6 +205,8 @@ static int config_props(AVFilterLink *outlink)
scale->input_is_pal = av_pix_fmt_descriptors[inlink->format].flags & PIX_FMT_PAL;
+ if (scale->sws)
+ sws_freeContext(scale->sws);
scale->sws = sws_getContext(inlink ->w, inlink ->h, inlink ->format,
outlink->w, outlink->h, outlink->format,
scale->flags, NULL, NULL, NULL);
From fe9dae6df8be03ed5e62819ba98f16bfeb510abd Mon Sep 17 00:00:00 2001
From: Sean McGovern
Date: Mon, 25 Jul 2011 18:51:02 -0400
Subject: [PATCH 37/64] cpu detection: avoid a signed overflow
1<<31 overflows because 1 is signed, so force it to unsigned.
Signed-off-by: Ronald S. Bultje
(cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3)
Signed-off-by: Anton Khirnov
---
libavutil/x86/cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c
index 78aeadf0a1..f747e4dba8 100644
--- a/libavutil/x86/cpu.c
+++ b/libavutil/x86/cpu.c
@@ -113,7 +113,7 @@ int ff_get_cpu_flags_x86(void)
if(max_ext_level >= 0x80000001){
cpuid(0x80000001, eax, ebx, ecx, ext_caps);
- if (ext_caps & (1<<31))
+ if (ext_caps & (1U<<31))
rval |= AV_CPU_FLAG_3DNOW;
if (ext_caps & (1<<30))
rval |= AV_CPU_FLAG_3DNOWEXT;
From de33e8675c9a67c223ca5e4e14532b217149a9c9 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Tue, 23 Aug 2011 07:46:51 +0200
Subject: [PATCH 38/64] AVOptions: fix av_set_string3() doxy to match reality.
Fixes bug 28.
(cherry picked from commit e955a682e125d44143415ff2b96a99a4dac78da2)
Signed-off-by: Anton Khirnov
---
libavutil/opt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavutil/opt.h b/libavutil/opt.h
index 30aa54f5b6..ce65865069 100644
--- a/libavutil/opt.h
+++ b/libavutil/opt.h
@@ -134,7 +134,7 @@ const AVOption *av_find_opt(void *obj, const char *name, const char *unit, int m
* when 0 then no av_free() nor av_strdup() will be used
* @return 0 if the value has been set, or an AVERROR code in case of
* error:
- * AVERROR(ENOENT) if no matching option exists
+ * AVERROR_OPTION_NOT_FOUND if no matching option exists
* AVERROR(ERANGE) if the value is out of range
* AVERROR(EINVAL) if the value is not valid
*/
From 7850a9b384d06d41bdde4a79d087509cad6c46c5 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Sun, 4 Sep 2011 09:56:47 +0200
Subject: [PATCH 39/64] lavc: fix type for thread_type option
It should be flags, not int.
(cherry picked from commit fb47997edb9d8ff16fc380d005a08c0545624aa6)
Signed-off-by: Anton Khirnov
---
libavcodec/options.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/options.c b/libavcodec/options.c
index 792bb5941c..411094ba11 100644
--- a/libavcodec/options.c
+++ b/libavcodec/options.c
@@ -446,7 +446,7 @@ static const AVOption options[]={
{"lpc_passes", "deprecated, use flac-specific options", OFFSET(lpc_passes), FF_OPT_TYPE_INT, {.dbl = -1 }, INT_MIN, INT_MAX, A|E},
#endif
{"slices", "number of slices, used in parallelized decoding", OFFSET(slices), FF_OPT_TYPE_INT, {.dbl = 0 }, 0, INT_MAX, V|E},
-{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"},
+{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_FLAGS, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"},
{"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
{"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
{"audio_service_type", "audio service type", OFFSET(audio_service_type), FF_OPT_TYPE_INT, {.dbl = AV_AUDIO_SERVICE_TYPE_MAIN }, 0, AV_AUDIO_SERVICE_TYPE_NB-1, A|E, "audio_service_type"},
From a652bb2857a753a18181fb2e1373f4bf7cf04a46 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Wed, 7 Sep 2011 23:12:32 +0200
Subject: [PATCH 40/64] Fixed invalid access in wavpack decoder on corrupted
extra bits sub-blocks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062)
Signed-off-by: Anton Khirnov
---
libavcodec/wavpack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index e4fe217f59..64725c72c0 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in
if(s->extra_bits){
S <<= s->extra_bits;
- if(s->got_extra_bits){
+ if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){
S |= get_bits(&s->gb_extra_bits, s->extra_bits);
*crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16);
}
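Review bot: When the new `get_bits_left` test fails, the function carries on with `S` already shifted and `*crc` not updated, so a truncated extra-bits sub-block is reported only if the later CRC comparison happens to catch it. Consider making the condition visible, for example with an `av_log(s->avctx, AV_LOG_ERROR, ...)` message and an error indication the caller can act on, rather than decoding on with zeroed low bits. Note also that `S <<= s->extra_bits` just above is a left shift of a signed value. The bounds on `extra_bits` are established outside this hunk and are worth confirming.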
From 46d9dd6980bb630a2067ec92e5dd4c46949ed46c Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Wed, 7 Sep 2011 22:17:39 +0200
Subject: [PATCH 41/64] Fixed invalid writes in wavpack decoder on corrupted
bitstreams.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f)
Signed-off-by: Anton Khirnov
---
libavcodec/wavpack.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 64725c72c0..5bd677e45e 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
int16_t *dst = (int16_t*)samples + 1;
int16_t *src = (int16_t*)samples;
int cnt = samplecount;
- while(cnt--){
+ while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
int32_t *dst = (int32_t*)samples + 1;
int32_t *src = (int32_t*)samples;
int cnt = samplecount;
- while(cnt--){
+ while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
float *dst = (float*)samples + 1;
float *src = (float*)samples;
int cnt = samplecount;
- while(cnt--){
+ while(cnt-- > 0){
*dst = *src;
src += channel_stride;
dst += channel_stride;
From 94af9cf46bc14c5b912c35e87c409c321c18ceac Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Wed, 7 Sep 2011 22:02:55 +0200
Subject: [PATCH 42/64] Fixed invalid access in wavpack decoder on corrupted
bitstream.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c)
Signed-off-by: Anton Khirnov
---
libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 5bd677e45e..343120f494 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
}else{
t = get_unary_0_33(gb);
- if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1));
+ if(t >= 2){
+ if(get_bits_left(gb) < t-1)
+ goto error;
+ t = get_bits(gb, t - 1) | (1 << (t-1));
+ }else{
+ if(get_bits_left(gb) < 0)
+ goto error;
+ }
ctx->zeroes = t;
if(ctx->zeroes){
memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median));
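Review bot: `t` is used as a shift count and as a read width right after the new length check, but nothing bounds it from above. If `get_unary_0_33` can return values up to 33, as its name suggests, `1 << (t-1)` shifts a signed int by 31 or 32 bits and `get_bits(gb, t - 1)` is asked for more bits than a single call supports. Rejecting large values in the same test, `if(t >= 32 || get_bits_left(gb) < t-1) goto error;`, and reading wide fields with `get_bits_long` would close that. The `t2` branch in the next hunk has the same shape.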
@@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
}
- if(get_bits_count(gb) >= ctx->data_size){
- *last = 1;
- return 0;
- }
-
if(ctx->zero){
t = 0;
ctx->zero = 0;
}else{
t = get_unary_0_33(gb);
- if(get_bits_count(gb) >= ctx->data_size){
- *last = 1;
- return 0;
- }
+ if(get_bits_left(gb) < 0)
+ goto error;
if(t == 16) {
t2 = get_unary_0_33(gb);
- if(t2 < 2) t += t2;
- else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+ if(t2 < 2){
+ if(get_bits_left(gb) < 0)
+ goto error;
+ t += t2;
+ }else{
+ if(get_bits_left(gb) < t2 - 1)
+ goto error;
+ t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+ }
}
if(ctx->one){
@@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
}
if(!c->error_limit){
ret = base + get_tail(gb, add);
+ if (get_bits_left(gb) <= 0)
+ goto error;
}else{
int mid = (base*2 + add + 1) >> 1;
while(add > c->error_limit){
+ if(get_bits_left(gb) <= 0)
+ goto error;
if(get_bits1(gb)){
add -= (mid - base);
base = mid;
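Review bot: The end-of-data tests added in this commit are not consistent: here and after `get_tail` the condition is `get_bits_left(gb) <= 0`, while the checks after `get_unary_0_33` in the earlier hunks use `< 0`. With `<= 0` after `get_tail`, a value whose last bit is the last bit of the buffer is treated as an error even though it was read completely; with `< 0` the read has already gone past the end before it is noticed. Both forms rely on the bit reader tolerating an over-read into padding. Either a one-line comment stating which form is intended at each site, or checking the needed bit count before each read as the `t >= 2` branch does, would make the bounds reviewable.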
@@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
if(ctx->hybrid_bitrate)
c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level);
return sign ? ~ret : ret;
+
+error:
+ *last = 1;
+ return 0;
}
static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S)
@@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo
count++;
}while(!last && count < s->max_samples);
- s->samples_left -= count;
+ if (last)
+ s->samples_left = 0;
+ else
+ s->samples_left -= count;
if(!s->samples_left){
if(crc != s->CRC){
av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
@@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void
count++;
}while(!last && count < s->max_samples);
- s->samples_left -= count;
+ if (last)
+ s->samples_left = 0;
+ else
+ s->samples_left -= count;
if(!s->samples_left){
if(crc != s->CRC){
av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
From a460d9e1f7e85759f2cf4db136ff00b758549c47 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Thu, 8 Sep 2011 11:02:43 -0700
Subject: [PATCH 43/64] wavpack: Check error codes rather than working around
error conditions. (cherry picked from commit
dba2b63a98bdcac7bda1a8a2c48950518c075e17)
Signed-off-by: Anton Khirnov
---
libavcodec/wavpack.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 343120f494..f614c7afec 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32);
else
samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
+
+ if (samplecount < 0)
+ return -1;
+
samplecount >>= 1;
}else{
const int channel_stride = avctx->channels;
@@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
else
samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
+ if (samplecount < 0)
+ return -1;
+
if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){
int16_t *dst = (int16_t*)samples + 1;
int16_t *src = (int16_t*)samples;
int cnt = samplecount;
- while(cnt-- > 0){
+ while(cnt--){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
int32_t *dst = (int32_t*)samples + 1;
int32_t *src = (int32_t*)samples;
int cnt = samplecount;
- while(cnt-- > 0){
+ while(cnt--){
*dst = *src;
src += channel_stride;
dst += channel_stride;
@@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
float *dst = (float*)samples + 1;
float *src = (float*)samples;
int cnt = samplecount;
- while(cnt-- > 0){
+ while(cnt--){
*dst = *src;
src += channel_stride;
dst += channel_stride;
From 144c80042b05b7e89abc16efcd52304548958d58 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Fri, 9 Sep 2011 22:04:09 +0200
Subject: [PATCH 44/64] ffv1: Fixed size given to init_get_bits() in decoder.
init_get_bits() takes a number of bits and not a number of bytes as
its size argument.
Signed-off-by: Alex Converse
(cherry picked from commit 46b004959bb7870a361a57272cd5fa7eea34250b)
Signed-off-by: Anton Khirnov
---
libavcodec/ffv1.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 50f1062ad4..ab2cc6e7cd 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -1765,7 +1765,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
bytes_read = c->bytestream - c->bytestream_start - 1;
if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME
//printf("pos=%d\n", bytes_read);
- init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read);
+ init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8);
} else {
bytes_read = 0; /* avoid warning */
}
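Review bot: `(buf_size - bytes_read) * 8` is computed in `int`, so a byte count above `INT_MAX / 8` (about 256 MiB) overflows the multiplication, which is undefined behaviour and may hand init_get_bits() a negative or wrapped bit count. Whether the caller already caps the packet size is not visible here, so a guard next to the call is the safer option, for example `if (buf_size - bytes_read > INT_MAX / 8) return AVERROR_INVALIDDATA;`. The same pattern appears in `v * 8` in the next hunk and in the init_get_bits() changes to indeo2, cljr, xan and the six files of PATCH 58 in this series.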
@@ -1782,7 +1782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
if(fs->ac){
ff_init_range_decoder(&fs->c, buf_p, v);
}else{
- init_get_bits(&fs->gb, buf_p, v);
+ init_get_bits(&fs->gb, buf_p, v * 8);
}
}
From 1656dd7a4e72fcf3405f08b56d7293d87a329d7b Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 9 Sep 2011 13:24:19 -0700
Subject: [PATCH 45/64] indeo2: init_get_bits size in bits instead of bytes
(cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8)
Signed-off-by: Anton Khirnov
---
libavcodec/indeo2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 0e588c3966..6cf893b15e 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx,
#endif
start = 48; /* hardcoded for now */
- init_get_bits(&s->gb, buf + start, buf_size - start);
+ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
if (s->decode_delta) { /* intraframe */
ir2_decode_plane(s, avctx->width, avctx->height,
From 6b1af6a3284e7146b619dff96d88492d47645050 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 9 Sep 2011 13:26:49 -0700
Subject: [PATCH 46/64] indeo2: fail if input buffer too small (cherry picked
from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055)
Signed-off-by: Anton Khirnov
---
libavcodec/indeo2.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 6cf893b15e..544f476774 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx,
return -1;
}
+ start = 48; /* hardcoded for now */
+
+ if (start >= buf_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size);
+ return AVERROR_INVALIDDATA;
+ }
+
s->decode_delta = buf[18];
/* decide whether frame uses deltas or not */
@@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx,
for (i = 0; i < buf_size; i++)
buf[i] = av_reverse[buf[i]];
#endif
- start = 48; /* hardcoded for now */
init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
From dd6334a1e425953dc1b0163e7e19b3d94e250ef5 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 9 Sep 2011 14:50:33 -0700
Subject: [PATCH 47/64] cljr: init_get_bits size in bits instead of bytes
(cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2)
Signed-off-by: Anton Khirnov
---
libavcodec/cljr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c
index e2b01e2a6a..b83919e71d 100644
--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx,
p->pict_type= AV_PICTURE_TYPE_I;
p->key_frame= 1;
- init_get_bits(&a->gb, buf, buf_size);
+ init_get_bits(&a->gb, buf, buf_size * 8);
for(y=0; yheight; y++){
uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ];
From c11d360ebc86e994e223b646b62f471b0fbbe8d3 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Wed, 7 Sep 2011 21:43:03 +0200
Subject: [PATCH 48/64] Fixed segfault with wavpack decoder on corrupted
decorrelation terms sub-blocks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296)
Signed-off-by: Anton Khirnov
---
libavcodec/wavpack.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index f614c7afec..155633f3ac 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
}
switch(id & WP_IDF_MASK){
case WP_ID_DECTERMS:
- s->terms = size;
- if(s->terms > MAX_TERMS){
+ if(size > MAX_TERMS){
av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n");
+ s->terms = 0;
buf += ssize;
continue;
}
+ s->terms = size;
for(i = 0; i < s->terms; i++) {
s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5;
s->decorr[s->terms - i - 1].delta = *buf >> 5;
From 1125f26f83da490c9740cd84f52060a5ffb34e5b Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Mon, 12 Sep 2011 09:40:42 +0200
Subject: [PATCH 49/64] smacker demuxer: handle possible av_realloc() failure.
Signed-off-by: Anton Khirnov
(cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd)
Signed-off-by: Anton Khirnov
---
libavformat/smacker.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index db9a02bb6c..135b4ae708 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -286,11 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
for(i = 0; i < 7; i++) {
if(flags & 1) {
int size;
+ uint8_t *tmpbuf;
+
size = avio_rl32(s->pb) - 4;
frame_size -= size;
frame_size -= 4;
smk->curstream++;
- smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size);
+ tmpbuf = av_realloc(smk->bufs[smk->curstream], size);
+ if (!tmpbuf)
+ return AVERROR(ENOMEM);
+ smk->bufs[smk->curstream] = tmpbuf;
smk->buf_sizes[smk->curstream] = size;
ret = avio_read(s->pb, smk->bufs[smk->curstream], size);
if(ret != size)
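Review bot: `size` comes from `avio_rl32(s->pb) - 4` and reaches `av_realloc()` and `avio_read()` without a range check, so a stored length below 4 makes it negative. With this change such input presumably fails the allocation and is reported as `AVERROR(ENOMEM)`, which misdescribes corrupt data; a check right after the read, `if (size < 0) return AVERROR_INVALIDDATA;`, would reject it before any allocation. It is also worth confirming what `av_realloc()` returns for a size of 0, since a NULL there would not mean out-of-memory and the old pointer would stay in `smk->bufs[]`. The loop body continues outside the hunk.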
From bb0c352ec550f19b8ced2675ebd266305ca25a99 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sat, 10 Sep 2011 00:32:12 +0200
Subject: [PATCH 50/64] Fixed size given to init_get_bits() in xan decoder.
(cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85)
Signed-off-by: Anton Khirnov
---
libavcodec/xan.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 876a9a5558..521764fd1c 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -95,17 +95,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
return 0;
}
-static int xan_huffman_decode(unsigned char *dest, const unsigned char *src,
- int dest_len)
+static int xan_huffman_decode(unsigned char *dest, int dest_len,
+ const unsigned char *src, int src_len)
{
unsigned char byte = *src++;
unsigned char ival = byte + 0x16;
const unsigned char * ptr = src + byte*2;
+ int ptr_len = src_len - 1 - byte*2;
unsigned char val = ival;
unsigned char *dest_end = dest + dest_len;
GetBitContext gb;
- init_get_bits(&gb, ptr, 0); // FIXME: no src size available
+ init_get_bits(&gb, ptr, ptr_len * 8);
while ( val != 0x16 ) {
val = src[val - 0x17 + get_bits1(&gb) * byte];
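Review bot: The table lookup `src[val - 0x17 + get_bits1(&gb) * byte]` is not bounded by the new `src_len`: `val` is reloaded from the stream on each iteration, so an entry larger than `byte + 0x16` indexes past the `byte*2`-byte table and possibly past the end of the input. Now that the length is available, the index could be checked before the dereference, e.g. `if (idx >= byte * 2) return AVERROR_INVALIDDATA;` with `idx` holding the computed offset. The loop also has no visible stop condition for an exhausted bit reader. The loop body continues outside the hunk, so part of this may already be handled there.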
@@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) {
vector_segment = s->buf + AV_RL16(&s->buf[4]);
imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
- xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
+ xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+ huffman_segment, s->size - (huffman_segment - s->buf) );
if (imagedata_segment[0] == 2)
xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
From dc6ee1836392b6046cc3314a7fa8c58473318890 Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Fri, 9 Sep 2011 16:10:03 -0700
Subject: [PATCH 51/64] xan: Add some buffer checks (cherry picked from commit
0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8)
Signed-off-by: Anton Khirnov
---
libavcodec/xan.c | 37 +++++++++++++++++++++++++++++--------
1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 521764fd1c..88a9adbc30 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -106,6 +106,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
unsigned char *dest_end = dest + dest_len;
GetBitContext gb;
+ if (ptr_len < 0)
+ return AVERROR_INVALIDDATA;
+
init_get_bits(&gb, ptr, ptr_len * 8);
while ( val != 0x16 ) {
@@ -245,7 +248,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s,
}
}
-static void xan_wc3_decode_frame(XanContext *s) {
+static int xan_wc3_decode_frame(XanContext *s) {
int width = s->avctx->width;
int height = s->avctx->height;
@@ -265,14 +268,30 @@ static void xan_wc3_decode_frame(XanContext *s) {
const unsigned char *size_segment;
const unsigned char *vector_segment;
const unsigned char *imagedata_segment;
+ int huffman_offset, size_offset, vector_offset, imagedata_offset;
- huffman_segment = s->buf + AV_RL16(&s->buf[0]);
- size_segment = s->buf + AV_RL16(&s->buf[2]);
- vector_segment = s->buf + AV_RL16(&s->buf[4]);
- imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
+ if (s->size < 8)
+ return AVERROR_INVALIDDATA;
- xan_huffman_decode(opcode_buffer, opcode_buffer_size,
- huffman_segment, s->size - (huffman_segment - s->buf) );
+ huffman_offset = AV_RL16(&s->buf[0]);
+ size_offset = AV_RL16(&s->buf[2]);
+ vector_offset = AV_RL16(&s->buf[4]);
+ imagedata_offset = AV_RL16(&s->buf[6]);
+
+ if (huffman_offset >= s->size ||
+ size_offset >= s->size ||
+ vector_offset >= s->size ||
+ imagedata_offset >= s->size)
+ return AVERROR_INVALIDDATA;
+
+ huffman_segment = s->buf + huffman_offset;
+ size_segment = s->buf + size_offset;
+ vector_segment = s->buf + vector_offset;
+ imagedata_segment = s->buf + imagedata_offset;
+
+ if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+ huffman_segment, s->size - huffman_offset) < 0)
+ return AVERROR_INVALIDDATA;
if (imagedata_segment[0] == 2)
xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
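Review bot: The new offset checks only guarantee that the first byte of each segment lies inside the packet; `xan_unpack()` is still called with `&imagedata_segment[1]` and a destination size but no source length, so nothing visible here stops it reading past `s->buf + s->size`. The same appears to hold for `size_segment` and `vector_segment`, which are consumed later in the function outside this hunk. Passing the remaining length, `s->size - imagedata_offset - 1`, the way `s->size - huffman_offset` is now passed to xan_huffman_decode(), would close that gap. The error path also replaces xan_huffman_decode()'s return value with a fixed `AVERROR_INVALIDDATA`; returning the callee's code keeps the two in step.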
@@ -358,6 +377,7 @@ static void xan_wc3_decode_frame(XanContext *s) {
y += (x + size) / width;
x = (x + size) % width;
}
+ return 0;
}
#if RUNTIME_GAMMA
@@ -519,7 +539,8 @@ static int xan_decode_frame(AVCodecContext *avctx,
s->buf = buf;
s->size = buf_size;
- xan_wc3_decode_frame(s);
+ if (xan_wc3_decode_frame(s) < 0)
+ return AVERROR_INVALIDDATA;
/* release the last frame if it is allocated */
if (s->last_frame.data[0])
From 1486e99b9039f380619f7eb516a5503ad3ad04c8 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sun, 11 Sep 2011 19:17:40 +0200
Subject: [PATCH 52/64] ape demuxer: fix segfault on memory allocation failure.
Signed-off-by: Anton Khirnov
(cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99)
Signed-off-by: Anton Khirnov
---
libavformat/ape.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/ape.c b/libavformat/ape.c
index 90b02619e0..b0841002a2 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
if (ape->seektablelength > 0) {
ape->seektable = av_malloc(ape->seektablelength);
+ if (!ape->seektable)
+ return AVERROR(ENOMEM);
for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
ape->seektable[i] = avio_rl32(pb);
}
From 2ac3aa129e7dbee5d6e19e27794706c8f2ee8345 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 20:50:13 +0200
Subject: [PATCH 53/64] Check for invalid packet size in the smacker demuxer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474)
Signed-off-by: Anton Khirnov
---
libavformat/smacker.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 135b4ae708..87c59a3049 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -304,6 +304,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
}
flags >>= 1;
}
+ if (frame_size < 0)
+ return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, frame_size + 768))
return AVERROR(ENOMEM);
if(smk->frm_size[smk->cur_frame] & 1)
From 4482ee9d9c5b6e8e12b06a208f2b7b52d0bcee81 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 20:50:34 +0200
Subject: [PATCH 54/64] Fixed off by one packet size allocation in the smacker
demuxer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573)
Signed-off-by: Anton Khirnov
---
libavformat/smacker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 87c59a3049..a817c31355 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -306,7 +306,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
}
if (frame_size < 0)
return AVERROR_INVALIDDATA;
- if (av_new_packet(pkt, frame_size + 768))
+ if (av_new_packet(pkt, frame_size + 769))
return AVERROR(ENOMEM);
if(smk->frm_size[smk->cur_frame] & 1)
palchange |= 2;
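Review bot: The packet size constant `769` is unexplained, which is how the previous `768` went unnoticed as an off-by-one. A short comment on the allocation would help, presumably along the lines of `/* 768 palette bytes + 1 byte of palette-change flags */` (to be confirmed against the code that fills the packet), or a named constant shared with that code. The addition `frame_size + 769` is also done in `int` with only a lower bound on `frame_size` in view; an upper bound check before it would rule out overflow on a corrupt frame size.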
From bc2dd37e4f6fb549c1b16e9a9791e7b8f31ed112 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 23:46:49 +0200
Subject: [PATCH 55/64] Check and propagate errors when VLC trees cannot be
built in smacker decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b)
Signed-off-by: Anton Khirnov
---
libavcodec/smacker.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 8060e1cee7..e8de0d89c5 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -134,10 +134,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
return -1;
}
b1 = get_bits_count(gb);
- i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3);
+ i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
b1 = get_bits_count(gb) - b1;
b2 = get_bits_count(gb);
- i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3);
+ i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
b2 = get_bits_count(gb) - b2;
val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
if(val == ctx->escapes[0]) {
@@ -290,7 +290,8 @@ static int decode_header_trees(SmackVContext *smk) {
smk->mmap_tbl[0] = 0;
smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n");
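Review bot: The new `return -1` paths leave in place whatever the earlier smacker_decode_header_tree() calls produced for `mmap_tbl`, `mclr_tbl` and the other tables, which appear to be heap allocations. Unless the codec's close callback also runs after a failed init, which is not visible here, those tables leak when a later tree fails. This applies to the three following hunks in decode_header_trees() and to the `if (decode_header_trees(c)) return -1;` added in decode_init(). Freeing the tables on the failure path, and returning the helper's own error code instead of a bare `-1`, would cover both.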
@@ -298,7 +299,8 @@ static int decode_header_trees(SmackVContext *smk) {
smk->mclr_tbl[0] = 0;
smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n");
@@ -306,7 +308,8 @@ static int decode_header_trees(SmackVContext *smk) {
smk->full_tbl[0] = 0;
smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size))
+ return -1;
}
if(!get_bits1(&gb)) {
av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n");
@@ -314,7 +317,8 @@ static int decode_header_trees(SmackVContext *smk) {
smk->type_tbl[0] = 0;
smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1;
} else {
- smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size);
+ if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size))
+ return -1;
}
return 0;
@@ -522,8 +526,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
return -1;
}
- decode_header_trees(c);
-
+ if (decode_header_trees(c))
+ return -1;
return 0;
}
From a5107aab98bf67ba32eb8b6a3a7478e620b7d3b3 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 23:49:36 +0200
Subject: [PATCH 56/64] Check for invalid VLC value in smacker decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091)
Signed-off-by: Anton Khirnov
---
libavcodec/smacker.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index e8de0d89c5..9628b07492 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -139,6 +139,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
b2 = get_bits_count(gb);
i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
b2 = get_bits_count(gb) - b2;
+ if (i1 < 0 || i2 < 0)
+ return -1;
val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
if(val == ctx->escapes[0]) {
ctx->last[0] = hc->current;
From c34968c6d49496d318591f1b4492fdd9c143aaeb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Tue, 13 Sep 2011 23:24:56 +0200
Subject: [PATCH 57/64] smacker: fix a few off by 1 errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
stereo & 16bit is untested due to lack of samples
Signed-off-by: Martin Storsjö
(cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320)
Signed-off-by: Anton Khirnov
---
libavcodec/smacker.c | 8 +--
tests/ref/fate/smacker | 160 ++++++++++++++++++++---------------------
2 files changed, 84 insertions(+), 84 deletions(-)
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 9628b07492..1fa40def62 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -624,9 +624,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if(bits) { //decode 16-bit data
for(i = stereo; i >= 0; i--)
pred[i] = av_bswap16(get_bits(&gb, 16));
- for(i = 0; i < stereo; i++)
+ for(i = 0; i <= stereo; i++)
*samples++ = pred[i];
- for(i = 0; i < unp_size / 2; i++) {
+ for(; i < unp_size / 2; i++) {
if(i & stereo) {
if(vlc[2].table)
res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3);
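Review bot: The predictor loop `for(i = 0; i <= stereo; i++) *samples++ = pred[i];` stores `stereo + 1` samples unconditionally, before `unp_size` is consulted, so an `unp_size` smaller than that still produces writes the main loop's bound would not have allowed. Whether the output buffer was sized against `unp_size` is decided outside this hunk, so a guard there such as `if (unp_size / 2 < stereo + 1) return -1;` is worth confirming or adding. The 8-bit path in the next hunk has the same shape with `unp_size` as the bound. The main loop now also starts from the `i` left over by the predictor loop, which deserves a comment, e.g. `/* i continues after the stereo + 1 predictor samples */`.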
@@ -658,9 +658,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
} else { //8-bit data
for(i = stereo; i >= 0; i--)
pred[i] = get_bits(&gb, 8);
- for(i = 0; i < stereo; i++)
+ for(i = 0; i <= stereo; i++)
*samples8++ = pred[i];
- for(i = 0; i < unp_size; i++) {
+ for(; i < unp_size; i++) {
if(i & stereo){
if(vlc[1].table)
res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3);
diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker
index 85c4a9817c..df88a4ae8a 100644
--- a/tests/ref/fate/smacker
+++ b/tests/ref/fate/smacker
@@ -1,5 +1,5 @@
0, 0, 192000, 0x8926d7fc
-1, 0, 47240, 0xad778a78
+1, 0, 47240, 0x9974897c
0, 6390, 192000, 0x2506d384
0, 12780, 192000, 0x9a8dc93a
0, 19170, 192000, 0x4badb7f2
@@ -15,163 +15,163 @@
0, 83070, 192000, 0x1a3d7971
0, 89460, 192000, 0xa1a65bd5
0, 95850, 192000, 0x344957b9
-1, 96408, 3128, 0x4c1564ae
+1, 96408, 3128, 0x7e4064b4
0, 102240, 192000, 0xe23b5f4e
-1, 102792, 3128, 0x34553309
+1, 102792, 3128, 0x80883301
0, 108630, 192000, 0xb5c2710b
-1, 109176, 3136, 0xb474d246
+1, 109176, 3136, 0x2ad2d341
0, 115020, 192000, 0x7a25938f
-1, 115576, 3128, 0x87b868ea
+1, 115576, 3128, 0xda8468e3
0, 121410, 192000, 0x0a84e4c9
-1, 121959, 3136, 0xf1516dc3
+1, 121959, 3136, 0x9d6f6cdf
0, 127800, 192000, 0x94209b0d
-1, 128359, 3128, 0x867563cb
+1, 128359, 3128, 0x1aaa64b5
0, 134190, 192000, 0xf940e51f
-1, 134743, 3128, 0x5200728c
+1, 134743, 3128, 0x9182728b
0, 140580, 192000, 0xb9fdec42
-1, 141127, 3136, 0xeda118a0
+1, 141127, 3136, 0xfa8e17b3
0, 146970, 192000, 0x7b04a376
-1, 147527, 3128, 0x03e2c1d6
+1, 147527, 3128, 0x0dc3c1cf
0, 153360, 192000, 0x5fe0026b
-1, 153910, 3136, 0xc3e862b6
+1, 153910, 3136, 0x0109639d
0, 159750, 192000, 0x775aca39
-1, 160310, 3128, 0x937a13be
+1, 160310, 3128, 0x6d8a12d9
0, 166140, 192000, 0xae14fb32
-1, 166694, 3128, 0x7b1b9577
+1, 166694, 3128, 0x4b9a9597
0, 172530, 192000, 0x661106e5
-1, 173078, 3136, 0x042c7113
+1, 173078, 3136, 0x9112710e
0, 178920, 192000, 0xe8658dbf
-1, 179478, 3128, 0xac48f451
+1, 179478, 3128, 0x8cccf522
0, 185310, 192000, 0x5359f0f9
-1, 185861, 3128, 0x018fbbe9
+1, 185861, 3128, 0x6594bbf3
0, 191700, 192000, 0xc1ec80f4
-1, 192245, 3136, 0xc62aa7ce
+1, 192245, 3136, 0xd878a7d5
0, 198090, 192000, 0xca53806b
-1, 198645, 3128, 0x106e3924
+1, 198645, 3128, 0xaa6e3905
0, 204480, 192000, 0xf0766b2e
-1, 205029, 3136, 0xfeb82ecc
+1, 205029, 3136, 0x2a062e04
0, 210870, 192000, 0x39962da8
-1, 211429, 3128, 0x7e7c005b
+1, 211429, 3128, 0x84e4006a
0, 217260, 192000, 0x4171c37f
-1, 217812, 3128, 0x949d3560
+1, 217812, 3128, 0x85183633
0, 223650, 192000, 0x3abf3b46
-1, 224196, 3136, 0x02bd4aff
+1, 224196, 3136, 0xb62d4b02
0, 230040, 192000, 0xecc68313
-1, 230596, 3128, 0x4aaf4715
+1, 230596, 3128, 0xe209462a
0, 236430, 192000, 0xea339baf
-1, 236980, 3136, 0x2958825f
+1, 236980, 3136, 0x57c4824b
0, 242820, 192000, 0x616b8f16
-1, 243380, 3128, 0x99a5914d
+1, 243380, 3128, 0x664a9163
0, 249210, 192000, 0xf77a8581
-1, 249763, 3128, 0xe67277a4
+1, 249763, 3128, 0xb4287874
0, 255600, 192000, 0xb315678b
-1, 256147, 3136, 0x11296973
+1, 256147, 3136, 0xde626885
0, 261990, 192000, 0x0a4a5218
-1, 262547, 3128, 0x5cc362f7
+1, 262547, 3128, 0x919763c2
0, 268380, 192000, 0x98802be4
-1, 268931, 3128, 0x0c5e6586
+1, 268931, 3128, 0xa4f664e1
0, 274770, 192000, 0xa2f0fd94
-1, 275314, 3136, 0xe940b0f9
+1, 275314, 3136, 0xa0bab0d4
0, 281160, 192000, 0x6671c84f
-1, 281714, 3128, 0x2c9292cc
+1, 281714, 3128, 0xe938939c
0, 287550, 192000, 0x38327e31
-1, 288098, 3136, 0xa807c096
+1, 288098, 3136, 0x3679bfc7
0, 293940, 192000, 0xb85d3e08
-1, 294498, 3128, 0x9d2254d8
+1, 294498, 3128, 0xc96c55c3
0, 300330, 192000, 0xdc69eba9
-1, 300882, 3128, 0xe68015b0
+1, 300882, 3128, 0x119114d6
0, 306720, 192000, 0x8955a0b3
-1, 307265, 3136, 0x65d58029
+1, 307265, 3136, 0x42f3800f
0, 313110, 192000, 0x714a548b
-1, 313665, 3128, 0xcffcc48c
+1, 313665, 3128, 0x4250c4ad
0, 319500, 192000, 0xc0471de9
-1, 320049, 3136, 0x8c704944
+1, 320049, 3136, 0x5cdd4925
0, 325890, 192000, 0x2e16e039
-1, 326449, 3128, 0x1459231d
+1, 326449, 3128, 0xa4c12360
0, 332280, 192000, 0x9fa4b033
-1, 332833, 3128, 0x7dde4839
+1, 332833, 3128, 0x849f48de
0, 338670, 192000, 0x4a0f9402
-1, 339216, 3136, 0xbb6890e2
+1, 339216, 3136, 0x6acd8ff9
0, 345060, 192000, 0x1f3e6843
-1, 345616, 3128, 0xcd9a8524
+1, 345616, 3128, 0xb2758556
0, 351450, 192000, 0x31774850
-1, 352000, 3128, 0xa244fc31
+1, 352000, 3128, 0x10f2fcb1
0, 357840, 192000, 0x9d5336a2
-1, 358384, 3136, 0x504e2bd9
+1, 358384, 3136, 0xf0f02b23
0, 364230, 192000, 0xf7de27a2
-1, 364784, 3128, 0x655858d8
+1, 364784, 3128, 0x64f759c6
0, 370620, 192000, 0x98c717ce
-1, 371167, 3136, 0x46027610
+1, 371167, 3136, 0x7ec075e3
0, 377010, 192000, 0x615b10b8
-1, 377567, 3128, 0x4192d5e3
+1, 377567, 3128, 0xf981d51e
0, 383400, 192000, 0xd5bc0e7e
-1, 383951, 3128, 0x21d2e7fe
+1, 383951, 3128, 0xc622e8b9
0, 389790, 192000, 0xd5bc0e7e
-1, 390335, 3136, 0x7c93e329
+1, 390335, 3136, 0xf632e2f8
0, 396180, 192000, 0xd5bc0e7e
-1, 396735, 3128, 0xa67718c0
+1, 396735, 3128, 0xda561864
0, 402570, 192000, 0xd5bc0e7e
-1, 403118, 3136, 0x9bb6e8a3
+1, 403118, 3136, 0x14d2e888
0, 408960, 192000, 0xd5bc0e7e
-1, 409518, 3128, 0x0933b7a6
+1, 409518, 3128, 0x015bb869
0, 415350, 192000, 0xd5bc0e7e
-1, 415902, 3128, 0x07f1fb57
+1, 415902, 3128, 0xedb1fb62
0, 421740, 192000, 0xd5bc0e7e
-1, 422286, 3136, 0x8a050cfd
+1, 422286, 3136, 0xe0560c41
0, 428130, 192000, 0xd5bc0e7e
-1, 428686, 3128, 0xdb773c0b
+1, 428686, 3128, 0x14773c9a
0, 434520, 192000, 0xd5bc0e7e
-1, 435069, 3136, 0xd1281c53
+1, 435069, 3136, 0x850f1c82
0, 440910, 192000, 0xd5bc0e7e
-1, 441469, 3128, 0x9f395324
+1, 441469, 3128, 0xb0bd5347
0, 447300, 192000, 0xd5bc0e7e
-1, 447853, 3128, 0x5f13edec
+1, 447853, 3128, 0x8f82edbf
0, 453690, 192000, 0xd5bc0e7e
-1, 454237, 3136, 0x871cbecf
+1, 454237, 3136, 0x493abee2
0, 460080, 192000, 0xd5bc0e7e
-1, 460637, 3128, 0x799eff3e
+1, 460637, 3128, 0xf5daff3f
0, 466470, 192000, 0xd5bc0e7e
-1, 467020, 3128, 0x3f902762
+1, 467020, 3128, 0x78ad2690
0, 472860, 192000, 0xd5bc0e7e
-1, 473404, 3136, 0x29f8bb04
+1, 473404, 3136, 0x490ebafc
0, 479250, 192000, 0xd5bc0e7e
-1, 479804, 3128, 0xf3523ee9
+1, 479804, 3128, 0x70333fd2
0, 485640, 192000, 0xd5bc0e7e
-1, 486188, 3136, 0x4405c435
+1, 486188, 3136, 0x8cb1c350
0, 492030, 192000, 0xd5bc0e7e
-1, 492588, 3128, 0x892957cb
+1, 492588, 3128, 0x8bd057cb
0, 498420, 192000, 0xd5bc0e7e
-1, 498971, 3128, 0xdf483dbd
+1, 498971, 3128, 0x161b3dbc
0, 504810, 192000, 0xd5bc0e7e
-1, 505355, 3136, 0x5e8ab797
+1, 505355, 3136, 0xb47fb88a
0, 511200, 192000, 0xd5bc0e7e
-1, 511755, 3128, 0x92e13820
+1, 511755, 3128, 0x474b381e
0, 517590, 192000, 0xd5bc0e7e
-1, 518139, 3136, 0xfde719b6
+1, 518139, 3136, 0x07c519bb
0, 523980, 192000, 0xd5bc0e7e
-1, 524539, 3128, 0x442f17ae
+1, 524539, 3128, 0x15b916c8
0, 530370, 192000, 0xd5bc0e7e
-1, 530922, 3128, 0x011af61f
+1, 530922, 3128, 0x0ed7f6fb
0, 536760, 192000, 0xd5bc0e7e
-1, 537306, 3136, 0x4e3e3a6d
+1, 537306, 3136, 0x54d6397b
0, 543150, 192000, 0xd5bc0e7e
-1, 543706, 3128, 0xc11242b9
+1, 543706, 3128, 0x437242bb
0, 549540, 192000, 0xd5bc0e7e
-1, 550090, 3128, 0x01415b59
+1, 550090, 3128, 0x38f05c4d
0, 555930, 192000, 0xd5bc0e7e
-1, 556473, 3136, 0x302e0e55
+1, 556473, 3136, 0x5d000e59
0, 562320, 192000, 0xd5bc0e7e
-1, 562873, 3128, 0x20522d04
+1, 562873, 3128, 0xdeab2d04
0, 568710, 192000, 0xd5bc0e7e
-1, 569257, 3136, 0x316a697d
+1, 569257, 3136, 0x77de6880
0, 575100, 192000, 0xd5bc0e7e
-1, 575657, 3128, 0x6d75ee27
+1, 575657, 3128, 0xbc87ef25
0, 581490, 192000, 0xd5bc0e7e
-1, 582041, 3128, 0xcb008ae8
+1, 582041, 3128, 0xc1638ade
0, 587880, 192000, 0xd5bc0e7e
-1, 588424, 3136, 0xd2664b51
+1, 588424, 3136, 0xcfb64a5f
0, 594270, 192000, 0xd5bc0e7e
-1, 594824, 3128, 0xdfcab728
+1, 594824, 3128, 0x90b1b826
0, 600660, 192000, 0xd5bc0e7e
1, 601208, 3136, 0x00000000
0, 607050, 192000, 0xd5bc0e7e
From 6ddb12b6889dd13c3bb514838c71d2f70114b3c1 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Fri, 9 Sep 2011 23:46:00 +0200
Subject: [PATCH 58/64] Fixed size given to init_get_bits().
init_get_bits() takes a number of bits and not a number of bytes as
its size argument.
Signed-off-by: Alex Converse
(cherry picked from commit b59efc94347ccf0cbc2ff14a5a9e99819c5bdc4d)
Signed-off-by: Anton Khirnov
---
libavcodec/aac_adtstoasc_bsf.c | 2 +-
libavcodec/avs.c | 2 +-
libavcodec/jvdec.c | 2 +-
libavcodec/rv34.c | 2 +-
libavcodec/tta.c | 2 +-
libavformat/movenc.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c
index fbb86f8af7..d1310c4149 100644
--- a/libavcodec/aac_adtstoasc_bsf.c
+++ b/libavcodec/aac_adtstoasc_bsf.c
@@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc,
int pce_size = 0;
uint8_t pce_data[MAX_PCE_SIZE];
if (!hdr.chan_config) {
- init_get_bits(&gb, buf, buf_size);
+ init_get_bits(&gb, buf, buf_size * 8);
if (get_bits(&gb, 3) != 5) {
av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0);
return -1;
diff --git a/libavcodec/avs.c b/libavcodec/avs.c
index 1c2682b338..1a5e44401c 100644
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx,
table = buf + (256 * vect_w * vect_h);
if (sub_type != AVS_I_FRAME) {
int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
- init_get_bits(&change_map, table, map_size);
+ init_get_bits(&change_map, table, map_size * 8);
table += map_size;
}
diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c
index 0c346486f5..5249764347 100644
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx,
if (video_type == 0 || video_type == 1) {
GetBitContext gb;
- init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf));
+ init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
for (j = 0; j < avctx->height; j += 8)
for (i = 0; i < avctx->width; i += 8)
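Review bot: Only one operand of `FFMIN` was converted to bits: before the change `video_size` was compared directly with the byte count `buf_end - buf`, so it appears to be a byte length too, and the new expression takes the minimum of a byte count and a bit count. Whenever `video_size` is the smaller value, which includes every case where the video data fits in the buffer, the reader is set up with one eighth of the intended length. Scaling the result keeps the units consistent: `init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf) * 8);`.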
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index c5dcfdcba4..910b933dd9 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
return -1;
}
- init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0));
+ init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
return -1;
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 57f5818d7b..fd5aa46670 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -216,7 +216,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
if (avctx->extradata_size < 30)
return -1;
- init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size);
+ init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8);
if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1"))
{
/* signature */
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index dcc5581443..0cf837c9b1 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track)
avio_wb32(pb, 11);
ffio_wfourcc(pb, "dac3");
- init_get_bits(&gbc, track->vosData+4, track->vosLen-4);
+ init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8);
fscod = get_bits(&gbc, 2);
frmsizecod = get_bits(&gbc, 6);
bsid = get_bits(&gbc, 5);
From 8c987d8291587959bd67728121ced38a0c7691d0 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sun, 11 Sep 2011 23:26:12 +0200
Subject: [PATCH 59/64] oggdec: fix out of bound write in the ogg demuxer
Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.
Signed-off-by: Luca Barbato
(cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d)
Signed-off-by: Anton Khirnov
---
libavformat/oggdec.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 25f5cd8b2d..18201677b8 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -92,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard)
ogg->state = ost->next;
if (!discard){
+ struct ogg_stream *old_streams = ogg->streams;
+
for (i = 0; i < ogg->nstreams; i++)
av_free (ogg->streams[i].buf);
avio_seek (bc, ost->pos, SEEK_SET);
ogg->curidx = ost->curidx;
ogg->nstreams = ost->nstreams;
- memcpy(ogg->streams, ost->streams,
- ost->nstreams * sizeof(*ogg->streams));
+ ogg->streams = av_realloc (ogg->streams,
+ ogg->nstreams * sizeof (*ogg->streams));
+
+ if (ogg->streams) {
+ memcpy(ogg->streams, ost->streams,
+ ost->nstreams * sizeof(*ogg->streams));
+ } else {
+ av_free(old_streams);
+ ogg->nstreams = 0;
+ }
}
av_free (ost);
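Review bot: When `av_realloc()` fails, the else branch zeroes `ogg->nstreams`, but `ogg->curidx` has already been set from `ost->curidx` and the function carries on as if the restore had succeeded, so later code may index a NULL `ogg->streams` with a stale stream index. The failure should reach the caller, for instance by recording `AVERROR(ENOMEM)` in that branch and returning it after `av_free (ost);`. `ogg->curidx` should also be reset to whatever value the demuxer uses for "no current stream". ogg_restore()'s return statement is outside the hunk.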
From dd606be909437c6fac8a91ffb9dacfd6e81a1ac0 Mon Sep 17 00:00:00 2001
From: David Goldwich
Date: Sat, 17 Sep 2011 13:50:35 +0200
Subject: [PATCH 60/64] lavf: Fix context pointer in av_open_input_stream when
avformat_open_input fails
Signed-off-by: David Goldwich
Signed-off-by: Anton Khirnov
(cherry picked from commit 63d64228a7f31d534e3bcae87cbd37f4a0ae2dd6)
Signed-off-by: Anton Khirnov
---
libavformat/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2cb096e373..d9d154e3ab 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -469,8 +469,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr,
goto fail;
ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above
- *ic_ptr = ic;
fail:
+ *ic_ptr = ic;
av_dict_free(&opts);
return err;
}
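Review bot: With `*ic_ptr = ic;` moved under `fail:`, the caller's pointer is now also written on the error path, and the line carries no comment saying what `ic` holds there. The change only protects the caller if every `goto fail` reaches the label with `ic` either valid or NULL; those jumps start outside the hunk, so that cannot be checked here. I would document the intent at the label, e.g. `/* also on failure: hand back ic as left by avformat_open_input(), so the caller never keeps a stale pointer */`, and confirm the other paths into `fail:`.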
From bb6702f20675868fba91f6be5e5120b5d8ef031f Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sun, 18 Sep 2011 00:03:08 +0200
Subject: [PATCH 61/64] rv10: Reject slices that does not have the same type as
the first one
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This prevents crashes with some corrupted bitstreams.
Signed-off-by: Martin Storsjö
(cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7)
Signed-off-by: Anton Khirnov
---
libavcodec/rv10.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 78f97b16b1..223500c356 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -543,6 +543,11 @@ static int rv10_decode_packet(AVCodecContext *avctx,
if(MPV_frame_start(s, avctx) < 0)
return -1;
ff_er_frame_start(s);
+ } else {
+ if (s->current_picture_ptr->pict_type != s->pict_type) {
+ av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+ return -1;
+ }
}
av_dlog(avctx, "qscale=%d\n", s->qscale);
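Review bot: The new `else` branch reads `s->current_picture_ptr->pict_type` without a NULL check of its own, on a path that exists to handle corrupted input. Whether the pointer is guaranteed non-NULL depends on the condition of the matching `if`, which starts outside the hunk. If that condition already covers it, a comment on the branch such as `/* current_picture_ptr is non-NULL here: the if above takes the NULL case */` would keep the guarantee from being lost in a later edit. If it does not, the test should read `if (!s->current_picture_ptr || s->current_picture_ptr->pict_type != s->pict_type) {`.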
From 11b72c073c7f59ee19067ddaa7ea7755b972d793 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sat, 17 Sep 2011 23:43:58 +0200
Subject: [PATCH 62/64] rv34: Avoid NULL dereference on corrupted bitstream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
rv34_decode_slice() can return without allocating any pictures.
Signed-off-by: Martin Storsjö
(cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019)
Signed-off-by: Anton Khirnov
---
libavcodec/rv34.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 910b933dd9..2383903625 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1486,7 +1486,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
break;
}
- if(last){
+ if(last && s->current_picture_ptr){
if(r->loop_filter)
r->loop_filter(r, s->mb_height - 1);
ff_er_frame_end(s);
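Review bot: The added `s->current_picture_ptr` test makes the end-of-frame block a silent no-op when no picture was allocated, and the reason for it is recorded only in the commit message. A one-line comment above the condition, e.g. `/* rv34_decode_slice() may have returned before any picture was allocated */`, would explain the guard to the next reader. The rest of the block and the function's return are outside the hunk, so what the caller receives in that case is not visible here.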
From a01387bb3524846d925a8862f077be91deb5f42d Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Sat, 17 Sep 2011 16:56:30 +0200
Subject: [PATCH 63/64] rv34: Fix potential overreads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89)
Signed-off-by: Anton Khirnov
---
libavcodec/rv34.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 2383903625..87fca5c23e 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1436,6 +1436,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
slice_count = (*buf++) + 1;
slices_hdr = buf + 4;
buf += 8 * slice_count;
+ buf_size -= 1 + 8 * slice_count;
}else
slice_count = avctx->slice_count;
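Review bot: `buf_size -= 1 + 8 * slice_count;` is applied without first checking that the packet actually holds the slice table, so a short packet leaves `buf_size` negative and `slices_hdr` and `buf` pointing past the data. `slice_count` is taken from the first packet byte plus one, so the table can claim up to 2048 bytes. A guard placed before the pointer updates, `if (buf_size < 1 + 8 * slice_count) return -1;`, would reject such packets before anything reads the table. The function's start is outside the hunk, so an earlier size check may already exist and should be confirmed.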
@@ -1454,7 +1455,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B)
|| (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I)
|| avctx->skip_frame >= AVDISCARD_ALL)
- return buf_size;
+ return avpkt->size;
for(i=0; icurrent_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
}
- return buf_size;
+ return avpkt->size;
}
av_cold int ff_rv34_decode_end(AVCodecContext *avctx)
From d805b8f454f57451277a052cc1bda49e6caf6cd7 Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 19 Sep 2011 22:48:53 +0200
Subject: [PATCH 64/64] rv34: Check for invalid slice offsets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc)
Signed-off-by: Anton Khirnov
---
libavcodec/rv34.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 87fca5c23e..70c35ef4ff 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
slice_count = avctx->slice_count;
//parse first slice header to check whether this frame can be decoded
- if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
+ get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
return -1;
}
init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
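Review bot: `get_slice_offset(avctx, slices_hdr, 0)` is now evaluated four times in three statements, twice in the new condition and twice in the `init_get_bits` call below it. Reading it once into a local, `offset = get_slice_offset(avctx, slices_hdr, 0);` followed by `if (offset < 0 || offset > buf_size) {`, keeps the check and the use on the same value and shortens the `init_get_bits` line. The function's declarations are outside the hunk, so whether the `offset` variable used in the later hunk is in scope here needs confirming.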
@@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
else
size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
- if(offset > buf_size){
- av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+ if(offset < 0 || offset > buf_size || size < 0){
+ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
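Review bot: The new condition rejects a negative `size` but not one that runs past the end of the packet. In the `else` branch `size` is the next slice's offset minus `offset`, and that next offset is not compared with `buf_size` before use. An upper bound belongs in the same test: `if(offset < 0 || offset > buf_size || size < 0 || size > buf_size - offset){`. The loop code that consumes `offset` and `size` lies outside the hunk, so how far an oversized `size` would reach is not visible here.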