--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
The new FFmpeg upstream release contains bug fixes incuding fixes for
security issues. I believe most non-security releated issues would
deserve important severity, too.
I would like to upload the new upstream release to unstable and ship it
in Stretch, but I can also cherry-pick most fixes to the current package
it this would be acceptable.
Please share your opinion about the options.
Cheers,
Balint
unblock ffmpeg/7:3.2.4-1
diff -Nru ffmpeg-3.2.2/Changelog ffmpeg-3.2.4/Changelog
--- ffmpeg-3.2.2/Changelog 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/Changelog 2017-02-10 14:25:37.000000000 +0100
@@ -1,6 +1,51 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 3.2.4:
+- avcodec/h264_slice: Clear ref_counts on redundant slices
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
+- lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
+- avcodec/pictordec: Fix logic error
+- ffserver_config: Setup codecpar in add_codec()
+- Changelog: fix typos
+
+version 3.2.3:
+- avcodec/movtextdec: Fix decode_styl() cleanup
+- lavf/matroskadec: fix is_keyframe for early Blocks
+- configure: bump year
+- avcodec/pngdec: Check trns more completely
+- avcodec/interplayvideo: Move parameter change check up
+- avcodec/dca_lbr: Fix off by 1 error in freq check
+- avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
+- pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
+- swscale: save ebx register when it is not available
+- avformat/flacdec: Check avio_read result when reading flac block header.
+- avcodec/utils: correct align value for interplay
+- avcodec/vp56: Check for the bitstream end, pass error codes on
+- avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
+- avcodec/pngdec: Fix off by 1 size in decode_zbuf()
+- libopenmpt: add missing avio_read return value check
+- avcodec/bsf: Fix av_bsf_list_free()
+- avcodec/omx: Do not pass negative value into av_malloc()
+- avformat/avidec: skip odml master index chunks in avi_sync
+- avcodec/mjpegdec: Check for rgb before flipping
+- lavf/utils.c Protect against accessing entries[nb_entries]
+- avutil/random_seed: Reduce the time needed on systems with very low precision clock()
+- swscale/swscale: Fix dereference of stride array before null check
+- avutil/random_seed: Improve get_generic_seed() with higher precision clock()
+- avformat/mp3dec: fix msan warning when verifying mpa header
+- avformat/utils: Print verbose error message if stream count exceeds max_streams
+- avformat/options_table: Set the default maximum number of streams to 1000
+- lavf/chromaprint: Update for version 1.4
+- avutil: Add av_image_check_size2()
+- avformat: Add max_streams option
+- avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
+- avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
+- avformat/oggdec: Skip streams in duration correction that did not had their duration set.
+- avcodec/ffv1enc: Fix size of first slice
+- ffplay: fix sws_scale possible out of bounds array access
+- avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
+
version 3.2.2:
- ffserver: Check chunk size
- Avoid using the term "file" and prefer "url" in some docs and comments
diff -Nru ffmpeg-3.2.2/configure ffmpeg-3.2.4/configure
--- ffmpeg-3.2.2/configure 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/configure 2017-02-10 14:25:25.000000000 +0100
@@ -6703,7 +6703,7 @@
#define FFMPEG_CONFIG_H
#define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)"
#define FFMPEG_LICENSE "$(c_escape $license)"
-#define CONFIG_THIS_YEAR 2016
+#define CONFIG_THIS_YEAR 2017
#define FFMPEG_DATADIR "$(eval c_escape $datadir)"
#define AVCONV_DATADIR "$(eval c_escape $datadir)"
#define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})"
diff -Nru ffmpeg-3.2.2/debian/changelog ffmpeg-3.2.4/debian/changelog
--- ffmpeg-3.2.2/debian/changelog 2017-01-22 00:01:34.000000000 +0100
+++ ffmpeg-3.2.4/debian/changelog 2017-02-10 22:26:43.000000000 +0100
@@ -1,3 +1,14 @@
+ffmpeg (7:3.2.4-1) unstable; urgency=medium
+
+ * Import new upstream bugfix release 3.2.4.
+ - Fixes CVE-2016-9561, CVE-2017-5024 and CVE-2017-5025.
+ * Drop patches, included upstream:
+ - lavf-chromaprint-Update-for-version-1.4.patch
+ - libopenmpt-add-missing-avio_read-return-value-check.patch
+ - swscale-save-ebx-register-when-it-is-not-available.patch
+
+ -- Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Fri, 10 Feb 2017 22:24:45 +0100
+
ffmpeg (7:3.2.2-2) unstable; urgency=medium
* Cherry-pick patches from upstream:
diff -Nru ffmpeg-3.2.2/debian/patches/lavf-chromaprint-Update-for-version-1.4.patch ffmpeg-3.2.4/debian/patches/lavf-chromaprint-Update-for-version-1.4.patch
--- ffmpeg-3.2.2/debian/patches/lavf-chromaprint-Update-for-version-1.4.patch 2017-01-22 00:01:34.000000000 +0100
+++ ffmpeg-3.2.4/debian/patches/lavf-chromaprint-Update-for-version-1.4.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,25 +0,0 @@
-From: "Georgi D. Sotirov" <gdsotirov@dir.bg>
-Date: Tue, 6 Dec 2016 21:07:59 +0100
-Subject: lavf/chromaprint: Update for version 1.4
-
-Fixes ticket #5997.
----
- libavformat/chromaprint.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libavformat/chromaprint.c b/libavformat/chromaprint.c
-index 8c9a6c01..4da02bef 100644
---- a/libavformat/chromaprint.c
-+++ b/libavformat/chromaprint.c
-@@ -39,7 +39,11 @@ typedef struct ChromaprintMuxContext {
- int silence_threshold;
- int algorithm;
- FingerprintFormat fp_format;
-+#if CPR_VERSION_INT >= AV_VERSION_INT(1, 4, 0)
-+ ChromaprintContext *ctx;
-+#else
- ChromaprintContext ctx;
-+#endif
- } ChromaprintMuxContext;
-
- static void cleanup(ChromaprintMuxContext *cpr)
diff -Nru ffmpeg-3.2.2/debian/patches/libopenmpt-add-missing-avio_read-return-value-check.patch ffmpeg-3.2.4/debian/patches/libopenmpt-add-missing-avio_read-return-value-check.patch
--- ffmpeg-3.2.2/debian/patches/libopenmpt-add-missing-avio_read-return-value-check.patch 2017-01-22 00:01:34.000000000 +0100
+++ ffmpeg-3.2.4/debian/patches/libopenmpt-add-missing-avio_read-return-value-check.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-From: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
-Date: Sun, 1 Jan 2017 20:27:50 +0100
-Subject: libopenmpt: add missing avio_read return value check
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-This fixes heap-buffer-overflows in libopenmpt caused by interpreting
-the negative size value as unsigned size_t.
-
-Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-Reviewed-by: Jörn Heusipp <osmanx@problemloesungsmaschine.de>
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
----
- libavformat/libopenmpt.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c
-index e7091ef9..35fd28f5 100644
---- a/libavformat/libopenmpt.c
-+++ b/libavformat/libopenmpt.c
-@@ -82,6 +82,11 @@ static int read_header_openmpt(AVFormatContext *s)
- if (!buf)
- return AVERROR(ENOMEM);
- size = avio_read(s->pb, buf, size);
-+ if (size < 0) {
-+ av_log(s, AV_LOG_ERROR, "Reading input buffer failed.\n");
-+ av_freep(&buf);
-+ return size;
-+ }
-
- openmpt->module = openmpt_module_create_from_memory(buf, size, openmpt_logfunc, s, NULL);
- av_freep(&buf);
diff -Nru ffmpeg-3.2.2/debian/patches/series ffmpeg-3.2.4/debian/patches/series
--- ffmpeg-3.2.2/debian/patches/series 2017-01-22 00:01:34.000000000 +0100
+++ ffmpeg-3.2.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-lavf-chromaprint-Update-for-version-1.4.patch
-swscale-save-ebx-register-when-it-is-not-available.patch
-libopenmpt-add-missing-avio_read-return-value-check.patch
diff -Nru ffmpeg-3.2.2/debian/patches/swscale-save-ebx-register-when-it-is-not-available.patch ffmpeg-3.2.4/debian/patches/swscale-save-ebx-register-when-it-is-not-available.patch
--- ffmpeg-3.2.2/debian/patches/swscale-save-ebx-register-when-it-is-not-available.patch 2017-01-22 00:01:34.000000000 +0100
+++ ffmpeg-3.2.4/debian/patches/swscale-save-ebx-register-when-it-is-not-available.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,107 +0,0 @@
-From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
-Date: Fri, 16 Dec 2016 02:29:56 +0100
-Subject: swscale: save ebx register when it is not available
-
-Configure checks if the ebx register can be used for asm and it has to
-be saved if and only if this is not the case.
-Without this the build fails when configuring with --toolchain=hardened
---disable-pic on i386 using gcc 4.8:
-error: PIC register clobbered by '%ebx' in 'asm'
-
-In that case gcc 4.8 reserves the ebx register for the GOT needed for
-PIE, so it can't be used in asm directly.
-
-Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
-Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
----
- libswscale/x86/hscale_fast_bilinear_simd.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/libswscale/x86/hscale_fast_bilinear_simd.c b/libswscale/x86/hscale_fast_bilinear_simd.c
-index 2cba5f0a..60a2cbfc 100644
---- a/libswscale/x86/hscale_fast_bilinear_simd.c
-+++ b/libswscale/x86/hscale_fast_bilinear_simd.c
-@@ -199,7 +199,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst,
- #if ARCH_X86_64
- uint64_t retsave;
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- uint64_t ebxsave;
- #endif
- #endif
-@@ -209,7 +209,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst,
- "mov -8(%%rsp), %%"FF_REG_a" \n\t"
- "mov %%"FF_REG_a", %5 \n\t" // retsave
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- "mov %%"FF_REG_b", %5 \n\t" // ebxsave
- #endif
- #endif
-@@ -255,7 +255,7 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst,
- "mov %5, %%"FF_REG_a" \n\t"
- "mov %%"FF_REG_a", -8(%%rsp) \n\t"
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- "mov %5, %%"FF_REG_b" \n\t"
- #endif
- #endif
-@@ -264,12 +264,12 @@ void ff_hyscale_fast_mmxext(SwsContext *c, int16_t *dst,
- #if ARCH_X86_64
- ,"m"(retsave)
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- ,"m" (ebxsave)
- #endif
- #endif
- : "%"FF_REG_a, "%"FF_REG_c, "%"FF_REG_d, "%"FF_REG_S, "%"FF_REG_D
--#if ARCH_X86_64 || !defined(PIC)
-+#if ARCH_X86_64 || HAVE_EBX_AVAILABLE
- ,"%"FF_REG_b
- #endif
- );
-@@ -289,7 +289,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2,
- #if ARCH_X86_64
- DECLARE_ALIGNED(8, uint64_t, retsave);
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- DECLARE_ALIGNED(8, uint64_t, ebxsave);
- #endif
- #endif
-@@ -298,7 +298,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2,
- "mov -8(%%rsp), %%"FF_REG_a" \n\t"
- "mov %%"FF_REG_a", %7 \n\t" // retsave
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- "mov %%"FF_REG_b", %7 \n\t" // ebxsave
- #endif
- #endif
-@@ -332,7 +332,7 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2,
- "mov %7, %%"FF_REG_a" \n\t"
- "mov %%"FF_REG_a", -8(%%rsp) \n\t"
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- "mov %7, %%"FF_REG_b" \n\t"
- #endif
- #endif
-@@ -341,12 +341,12 @@ void ff_hcscale_fast_mmxext(SwsContext *c, int16_t *dst1, int16_t *dst2,
- #if ARCH_X86_64
- ,"m"(retsave)
- #else
--#if defined(PIC)
-+#if !HAVE_EBX_AVAILABLE
- ,"m" (ebxsave)
- #endif
- #endif
- : "%"FF_REG_a, "%"FF_REG_c, "%"FF_REG_d, "%"FF_REG_S, "%"FF_REG_D
--#if ARCH_X86_64 || !defined(PIC)
-+#if ARCH_X86_64 || HAVE_EBX_AVAILABLE
- ,"%"FF_REG_b
- #endif
- );
diff -Nru ffmpeg-3.2.2/doc/Doxyfile ffmpeg-3.2.4/doc/Doxyfile
--- ffmpeg-3.2.2/doc/Doxyfile 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/doc/Doxyfile 2017-02-10 14:25:37.000000000 +0100
@@ -38,7 +38,7 @@
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 3.2.2
+PROJECT_NUMBER = 3.2.4
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
diff -Nru ffmpeg-3.2.2/doc/formats.texi ffmpeg-3.2.4/doc/formats.texi
--- ffmpeg-3.2.2/doc/formats.texi 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/doc/formats.texi 2017-02-10 14:25:26.000000000 +0100
@@ -209,6 +209,10 @@
ffprobe -dump_separator "
" -i ~/videos/matrixbench_mpeg2.mpg
@end example
+
+@item max_streams @var{integer} (@emph{input})
+Specifies the maximum number of streams. This can be used to reject files that
+would require too many resources due to a large number of streams.
@end table
@c man end FORMAT OPTIONS
diff -Nru ffmpeg-3.2.2/ffplay.c ffmpeg-3.2.4/ffplay.c
--- ffmpeg-3.2.2/ffplay.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/ffplay.c 2017-02-10 14:25:26.000000000 +0100
@@ -874,11 +874,11 @@
frame->width, frame->height, frame->format, frame->width, frame->height,
AV_PIX_FMT_BGRA, sws_flags, NULL, NULL, NULL);
if (*img_convert_ctx != NULL) {
- uint8_t *pixels;
- int pitch;
- if (!SDL_LockTexture(tex, NULL, (void **)&pixels, &pitch)) {
+ uint8_t *pixels[4];
+ int pitch[4];
+ if (!SDL_LockTexture(tex, NULL, (void **)pixels, pitch)) {
sws_scale(*img_convert_ctx, (const uint8_t * const *)frame->data, frame->linesize,
- 0, frame->height, &pixels, &pitch);
+ 0, frame->height, pixels, pitch);
SDL_UnlockTexture(tex);
}
} else {
@@ -904,8 +904,8 @@
if (vp->pts >= sp->pts + ((float) sp->sub.start_display_time / 1000)) {
if (!sp->uploaded) {
- uint8_t *pixels;
- int pitch;
+ uint8_t* pixels[4];
+ int pitch[4];
int i;
if (!sp->width || !sp->height) {
sp->width = vp->width;
@@ -930,9 +930,9 @@
av_log(NULL, AV_LOG_FATAL, "Cannot initialize the conversion context\n");
return;
}
- if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)&pixels, &pitch)) {
+ if (!SDL_LockTexture(is->sub_texture, (SDL_Rect *)sub_rect, (void **)pixels, pitch)) {
sws_scale(is->sub_convert_ctx, (const uint8_t * const *)sub_rect->data, sub_rect->linesize,
- 0, sub_rect->h, &pixels, &pitch);
+ 0, sub_rect->h, pixels, pitch);
SDL_UnlockTexture(is->sub_texture);
}
}
diff -Nru ffmpeg-3.2.2/ffserver_config.c ffmpeg-3.2.4/ffserver_config.c
--- ffmpeg-3.2.2/ffserver_config.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/ffserver_config.c 2017-02-10 14:25:37.000000000 +0100
@@ -323,6 +323,8 @@
av_dict_free(&recommended);
av_stream_set_recommended_encoder_configuration(st, enc_config);
st->codec = av;
+ st->codecpar = avcodec_parameters_alloc();
+ avcodec_parameters_from_context(st->codecpar, av);
stream->streams[stream->nb_streams++] = st;
}
diff -Nru ffmpeg-3.2.2/libavcodec/bsf.c ffmpeg-3.2.4/libavcodec/bsf.c
--- ffmpeg-3.2.2/libavcodec/bsf.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/bsf.c 2017-02-10 14:25:26.000000000 +0100
@@ -403,7 +403,7 @@
{
int i;
- if (*lst)
+ if (!*lst)
return;
for (i = 0; i < (*lst)->nb_bsfs; ++i)
diff -Nru ffmpeg-3.2.2/libavcodec/dca_lbr.c ffmpeg-3.2.4/libavcodec/dca_lbr.c
--- ffmpeg-3.2.2/libavcodec/dca_lbr.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/dca_lbr.c 2017-02-10 14:25:26.000000000 +0100
@@ -310,7 +310,7 @@
break; // End of subframe
freq += diff - 2;
- if (freq >> (5 - group) > s->nsubbands * 4 - 5) {
+ if (freq >> (5 - group) > s->nsubbands * 4 - 6) {
av_log(s->avctx, AV_LOG_ERROR, "Invalid spectral line offset\n");
return -1;
}
diff -Nru ffmpeg-3.2.2/libavcodec/ffv1enc.c ffmpeg-3.2.4/libavcodec/ffv1enc.c
--- ffmpeg-3.2.2/libavcodec/ffv1enc.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/ffv1enc.c 2017-02-10 14:25:26.000000000 +0100
@@ -1089,7 +1089,6 @@
FFV1Context *f = avctx->priv_data;
RangeCoder *const c = &f->slice_context[0]->c;
AVFrame *const p = f->picture.f;
- int used_count = 0;
uint8_t keystate = 128;
uint8_t *buf_p;
int i, ret;
@@ -1145,6 +1144,11 @@
if (f->version > 3)
maxsize = AV_INPUT_BUFFER_MIN_SIZE + avctx->width*avctx->height*3LL*4;
+ if (maxsize > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32) {
+ av_log(avctx, AV_LOG_WARNING, "Cannot allocate worst case packet size, the encoding could fail\n");
+ maxsize = INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - 32;
+ }
+
if ((ret = ff_alloc_packet2(avctx, pkt, maxsize, 0)) < 0)
return ret;
@@ -1178,11 +1182,17 @@
}
}
- for (i = 1; i < f->slice_count; i++) {
+ for (i = 0; i < f->slice_count; i++) {
FFV1Context *fs = f->slice_context[i];
- uint8_t *start = pkt->data + (pkt->size - used_count) * (int64_t)i / f->slice_count;
+ uint8_t *start = pkt->data + pkt->size * (int64_t)i / f->slice_count;
int len = pkt->size / f->slice_count;
- ff_init_range_encoder(&fs->c, start, len);
+ if (i) {
+ ff_init_range_encoder(&fs->c, start, len);
+ } else {
+ av_assert0(fs->c.bytestream_end >= fs->c.bytestream_start + len);
+ av_assert0(fs->c.bytestream < fs->c.bytestream_start + len);
+ fs->c.bytestream_end = fs->c.bytestream_start + len;
+ }
}
avctx->execute(avctx, encode_slice, &f->slice_context[0], NULL,
f->slice_count, sizeof(void *));
diff -Nru ffmpeg-3.2.2/libavcodec/h264_slice.c ffmpeg-3.2.4/libavcodec/h264_slice.c
--- ffmpeg-3.2.2/libavcodec/h264_slice.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/h264_slice.c 2017-02-10 14:25:37.000000000 +0100
@@ -1771,8 +1771,10 @@
return ret;
// discard redundant pictures
- if (sl->redundant_pic_count > 0)
+ if (sl->redundant_pic_count > 0) {
+ sl->ref_count[0] = sl->ref_count[1] = 0;
return 0;
+ }
if (sl->first_mb_addr == 0 || !h->current_slice) {
if (h->setup_finished) {
diff -Nru ffmpeg-3.2.2/libavcodec/interplayvideo.c ffmpeg-3.2.4/libavcodec/interplayvideo.c
--- ffmpeg-3.2.2/libavcodec/interplayvideo.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/interplayvideo.c 2017-02-10 14:25:26.000000000 +0100
@@ -989,6 +989,11 @@
AVFrame *frame = data;
int ret;
+ if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) {
+ av_frame_unref(s->last_frame);
+ av_frame_unref(s->second_last_frame);
+ }
+
if (buf_size < 2)
return AVERROR_INVALIDDATA;
@@ -1000,10 +1005,6 @@
if (buf_size < s->decoding_map_size + 2)
return buf_size;
- if (av_packet_get_side_data(avpkt, AV_PKT_DATA_PARAM_CHANGE, NULL)) {
- av_frame_unref(s->last_frame);
- av_frame_unref(s->second_last_frame);
- }
s->decoding_map = buf + 2;
bytestream2_init(&s->stream_ptr, buf + 2 + s->decoding_map_size,
diff -Nru ffmpeg-3.2.2/libavcodec/mjpegdec.c ffmpeg-3.2.4/libavcodec/mjpegdec.c
--- ffmpeg-3.2.2/libavcodec/mjpegdec.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/mjpegdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -1082,6 +1082,10 @@
for (mb_y = 0; mb_y < s->mb_height; mb_y++) {
for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
+ if (get_bits_left(&s->gb) < 1) {
+ av_log(s->avctx, AV_LOG_ERROR, "bitstream end in yuv_scan\n");
+ return AVERROR_INVALIDDATA;
+ }
if (s->restart_interval && !s->restart_count){
s->restart_count = s->restart_interval;
resync_mb_x = mb_x;
@@ -1393,6 +1397,10 @@
int block_idx = mb_y * s->block_stride[c];
int16_t (*block)[64] = &s->blocks[c][block_idx];
uint8_t *last_nnz = &s->last_nnz[c][block_idx];
+ if (get_bits_left(&s->gb) <= 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "bitstream truncated in mjpeg_decode_scan_progressive_ac\n");
+ return AVERROR_INVALIDDATA;
+ }
for (mb_x = 0; mb_x < s->mb_width; mb_x++, block++, last_nnz++) {
int ret;
if (s->restart_interval && !s->restart_count)
@@ -2386,7 +2394,7 @@
}
}
}
- if (s->flipped) {
+ if (s->flipped && !s->rgb) {
int j;
avcodec_get_chroma_sub_sample(s->avctx->pix_fmt, &hshift, &vshift);
av_assert0(s->nb_components == av_pix_fmt_count_planes(s->picture_ptr->format));
diff -Nru ffmpeg-3.2.2/libavcodec/movtextdec.c ffmpeg-3.2.4/libavcodec/movtextdec.c
--- ffmpeg-3.2.2/libavcodec/movtextdec.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/movtextdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -116,6 +116,8 @@
av_freep(&m->s[i]);
}
av_freep(&m->s);
+ m->count_s = 0;
+ m->style_entries = 0;
}
}
@@ -279,12 +281,14 @@
static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
{
int i;
- m->style_entries = AV_RB16(tsmb);
+ int style_entries = AV_RB16(tsmb);
tsmb += 2;
// A single style record is of length 12 bytes.
- if (m->tracksize + m->size_var + 2 + m->style_entries * 12 > avpkt->size)
+ if (m->tracksize + m->size_var + 2 + style_entries * 12 > avpkt->size)
return -1;
+ m->style_entries = style_entries;
+
m->box_flags |= STYL_BOX;
for(i = 0; i < m->style_entries; i++) {
m->s_temp = av_malloc(sizeof(*m->s_temp));
diff -Nru ffmpeg-3.2.2/libavcodec/mpeg4videodec.c ffmpeg-3.2.4/libavcodec/mpeg4videodec.c
--- ffmpeg-3.2.2/libavcodec/mpeg4videodec.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/mpeg4videodec.c 2017-02-10 14:25:27.000000000 +0100
@@ -315,13 +315,13 @@
min_ab = FFMIN(alpha, beta);
w3 = w2 >> min_ab;
h3 = h2 >> min_ab;
- s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + beta + rho - min_ab)) +
+ s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) +
(-r * sprite_ref[0][0] + virtual_ref[0][0]) *
h3 * (-vop_ref[0][0]) +
(-r * sprite_ref[0][0] + virtual_ref[1][0]) *
w3 * (-vop_ref[0][1]) +
(1 << (alpha + beta + rho - min_ab - 1));
- s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + beta + rho - min_ab)) +
+ s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
(-r * sprite_ref[0][1] + virtual_ref[0][1]) *
h3 * (-vop_ref[0][0]) +
(-r * sprite_ref[0][1] + virtual_ref[1][1]) *
@@ -368,10 +368,10 @@
int shift_y = 16 - ctx->sprite_shift[0];
int shift_c = 16 - ctx->sprite_shift[1];
for (i = 0; i < 2; i++) {
- s->sprite_offset[0][i] <<= shift_y;
- s->sprite_offset[1][i] <<= shift_c;
- s->sprite_delta[0][i] <<= shift_y;
- s->sprite_delta[1][i] <<= shift_y;
+ s->sprite_offset[0][i] *= 1 << shift_y;
+ s->sprite_offset[1][i] *= 1 << shift_c;
+ s->sprite_delta[0][i] *= 1 << shift_y;
+ s->sprite_delta[1][i] *= 1 << shift_y;
ctx->sprite_shift[i] = 16;
}
s->real_sprite_warping_points = ctx->num_sprite_warping_points;
diff -Nru ffmpeg-3.2.2/libavcodec/omx.c ffmpeg-3.2.4/libavcodec/omx.c
--- ffmpeg-3.2.2/libavcodec/omx.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/omx.c 2017-02-10 14:25:27.000000000 +0100
@@ -761,7 +761,10 @@
} else {
// If not, we need to allocate a new buffer with the right
// size and copy the input frame into it.
- uint8_t *buf = av_malloc(av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1));
+ uint8_t *buf = NULL;
+ int image_buffer_size = av_image_get_buffer_size(avctx->pix_fmt, s->stride, s->plane_size, 1);
+ if (image_buffer_size >= 0)
+ buf = av_malloc(image_buffer_size);
if (!buf) {
// Return the buffer to the queue so it's not lost
append_buffer(&s->input_mutex, &s->input_cond, &s->num_free_in_buffers, s->free_in_buffers, buffer);
diff -Nru ffmpeg-3.2.2/libavcodec/pgssubdec.c ffmpeg-3.2.4/libavcodec/pgssubdec.c
--- ffmpeg-3.2.2/libavcodec/pgssubdec.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/pgssubdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -300,8 +300,11 @@
av_fast_padded_malloc(&object->rle, &object->rle_buffer_size, rle_bitmap_len);
- if (!object->rle)
+ if (!object->rle) {
+ object->rle_data_len = 0;
+ object->rle_remaining_len = 0;
return AVERROR(ENOMEM);
+ }
memcpy(object->rle, buf, buf_size);
object->rle_data_len = buf_size;
diff -Nru ffmpeg-3.2.2/libavcodec/pictordec.c ffmpeg-3.2.4/libavcodec/pictordec.c
--- ffmpeg-3.2.2/libavcodec/pictordec.c 2016-06-27 01:54:29.000000000 +0200
+++ ffmpeg-3.2.4/libavcodec/pictordec.c 2017-02-10 14:25:37.000000000 +0100
@@ -142,7 +142,7 @@
if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
return -1;
- if (s->width != avctx->width && s->height != avctx->height) {
+ if (s->width != avctx->width || s->height != avctx->height) {
ret = ff_set_dimensions(avctx, s->width, s->height);
if (ret < 0)
return ret;
diff -Nru ffmpeg-3.2.2/libavcodec/pngdec.c ffmpeg-3.2.4/libavcodec/pngdec.c
--- ffmpeg-3.2.2/libavcodec/pngdec.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/pngdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -437,13 +437,13 @@
av_bprint_init(bp, 0, -1);
while (zstream.avail_in > 0) {
- av_bprint_get_buffer(bp, 1, &buf, &buf_size);
- if (!buf_size) {
+ av_bprint_get_buffer(bp, 2, &buf, &buf_size);
+ if (buf_size < 2) {
ret = AVERROR(ENOMEM);
goto fail;
}
zstream.next_out = buf;
- zstream.avail_out = buf_size;
+ zstream.avail_out = buf_size - 1;
ret = inflate(&zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) {
ret = AVERROR_EXTERNAL;
@@ -772,6 +772,16 @@
{
int v, i;
+ if (!(s->state & PNG_IHDR)) {
+ av_log(avctx, AV_LOG_ERROR, "trns before IHDR\n");
+ return AVERROR_INVALIDDATA;
+ }
+
+ if (s->state & PNG_IDAT) {
+ av_log(avctx, AV_LOG_ERROR, "trns after IDAT\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
if (length > 256 || !(s->state & PNG_PLTE))
return AVERROR_INVALIDDATA;
@@ -782,7 +792,8 @@
}
} else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) {
if ((s->color_type == PNG_COLOR_TYPE_GRAY && length != 2) ||
- (s->color_type == PNG_COLOR_TYPE_RGB && length != 6))
+ (s->color_type == PNG_COLOR_TYPE_RGB && length != 6) ||
+ s->bit_depth == 1)
return AVERROR_INVALIDDATA;
for (i = 0; i < length / 2; i++) {
@@ -1241,6 +1252,8 @@
size_t raw_bpp = s->bpp - byte_depth;
unsigned x, y;
+ av_assert0(s->bit_depth > 1);
+
for (y = 0; y < s->height; ++y) {
uint8_t *row = &s->image_buf[s->image_linesize * y];
diff -Nru ffmpeg-3.2.2/libavcodec/utils.c ffmpeg-3.2.4/libavcodec/utils.c
--- ffmpeg-3.2.2/libavcodec/utils.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/utils.c 2017-02-10 14:25:27.000000000 +0100
@@ -376,6 +376,10 @@
w_align = 4;
h_align = 4;
}
+ if (s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) {
+ w_align = 8;
+ h_align = 8;
+ }
break;
case AV_PIX_FMT_PAL8:
case AV_PIX_FMT_BGR8:
@@ -385,7 +389,8 @@
w_align = 4;
h_align = 4;
}
- if (s->codec_id == AV_CODEC_ID_JV) {
+ if (s->codec_id == AV_CODEC_ID_JV ||
+ s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) {
w_align = 8;
h_align = 8;
}
diff -Nru ffmpeg-3.2.2/libavcodec/vp56.c ffmpeg-3.2.4/libavcodec/vp56.c
--- ffmpeg-3.2.2/libavcodec/vp56.c 2016-03-29 04:25:23.000000000 +0200
+++ ffmpeg-3.2.4/libavcodec/vp56.c 2017-02-09 17:14:55.000000000 +0100
@@ -381,12 +381,13 @@
}
}
-static void vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
{
AVFrame *frame_current, *frame_ref;
VP56mb mb_type;
VP56Frame ref_frame;
int b, ab, b_max, plane, off;
+ int ret;
if (s->frames[VP56_FRAME_CURRENT]->key_frame)
mb_type = VP56_MB_INTRA;
@@ -394,14 +395,16 @@
mb_type = vp56_decode_mv(s, row, col);
ref_frame = ff_vp56_reference_frame[mb_type];
- s->parse_coeff(s);
+ ret = s->parse_coeff(s);
+ if (ret < 0)
+ return ret;
vp56_add_predictors_dc(s, ref_frame);
frame_current = s->frames[VP56_FRAME_CURRENT];
frame_ref = s->frames[ref_frame];
if (mb_type != VP56_MB_INTRA && !frame_ref->data[0])
- return;
+ return 0;
ab = 6*is_alpha;
b_max = 6 - 2*is_alpha;
@@ -451,6 +454,7 @@
s->block_coeff[4][0] = 0;
s->block_coeff[5][0] = 0;
}
+ return 0;
}
static int vp56_size_changed(VP56Context *s)
@@ -653,7 +657,9 @@
s->block_offset[5] = s->block_offset[4];
for (mb_col=0; mb_col<s->mb_width; mb_col++) {
- vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+ int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+ if (ret < 0)
+ return ret;
for (y=0; y<4; y++) {
s->above_block_idx[y] += 2;
diff -Nru ffmpeg-3.2.2/libavcodec/vp56.h ffmpeg-3.2.4/libavcodec/vp56.h
--- ffmpeg-3.2.2/libavcodec/vp56.h 2016-03-29 04:25:23.000000000 +0200
+++ ffmpeg-3.2.4/libavcodec/vp56.h 2017-02-09 17:14:55.000000000 +0100
@@ -74,7 +74,7 @@
typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src,
int offset1, int offset2, int stride,
VP56mv mv, int mask, int select, int luma);
-typedef void (*VP56ParseCoeff)(VP56Context *s);
+typedef int (*VP56ParseCoeff)(VP56Context *s);
typedef void (*VP56DefaultModelsInit)(VP56Context *s);
typedef void (*VP56ParseVectorModels)(VP56Context *s);
typedef int (*VP56ParseCoeffModels)(VP56Context *s);
diff -Nru ffmpeg-3.2.2/libavcodec/vp5.c ffmpeg-3.2.4/libavcodec/vp5.c
--- ffmpeg-3.2.2/libavcodec/vp5.c 2016-12-06 00:28:53.000000000 +0100
+++ ffmpeg-3.2.4/libavcodec/vp5.c 2017-02-10 14:25:27.000000000 +0100
@@ -170,7 +170,7 @@
return 0;
}
-static void vp5_parse_coeff(VP56Context *s)
+static int vp5_parse_coeff(VP56Context *s)
{
VP56RangeCoder *c = &s->c;
VP56Model *model = s->modelp;
@@ -180,6 +180,11 @@
int b, i, cg, idx, ctx, ctx_last;
int pt = 0; /* plane type (0 for Y, 1 for U or V) */
+ if (c->end >= c->buffer && c->bits >= 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n");
+ return AVERROR_INVALIDDATA;
+ }
+
for (b=0; b<6; b++) {
int ct = 1; /* code type */
@@ -245,6 +250,7 @@
s->coeff_ctx[ff_vp56_b6to4[b]][i] = 5;
s->above_blocks[s->above_block_idx[b]].not_null_dc = s->coeff_ctx[ff_vp56_b6to4[b]][0];
}
+ return 0;
}
static void vp5_default_models_init(VP56Context *s)
diff -Nru ffmpeg-3.2.2/libavcodec/vp6.c ffmpeg-3.2.4/libavcodec/vp6.c
--- ffmpeg-3.2.2/libavcodec/vp6.c 2016-06-27 01:54:29.000000000 +0200
+++ ffmpeg-3.2.4/libavcodec/vp6.c 2017-02-09 17:14:55.000000000 +0100
@@ -40,8 +40,8 @@
#define VP6_MAX_HUFF_SIZE 12
-static void vp6_parse_coeff(VP56Context *s);
-static void vp6_parse_coeff_huffman(VP56Context *s);
+static int vp6_parse_coeff(VP56Context *s);
+static int vp6_parse_coeff_huffman(VP56Context *s);
static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
{
@@ -380,7 +380,7 @@
return val;
}
-static void vp6_parse_coeff_huffman(VP56Context *s)
+static int vp6_parse_coeff_huffman(VP56Context *s)
{
VP56Model *model = s->modelp;
uint8_t *permute = s->idct_scantable;
@@ -402,7 +402,7 @@
break;
} else {
if (get_bits_left(&s->gb) <= 0)
- return;
+ return AVERROR_INVALIDDATA;
coeff = get_vlc2(&s->gb, vlc_coeff->table, FF_HUFFMAN_BITS, 3);
if (coeff == 0) {
if (coeff_idx) {
@@ -437,9 +437,10 @@
vlc_coeff = &s->ract_vlc[pt][ct][cg];
}
}
+ return 0;
}
-static void vp6_parse_coeff(VP56Context *s)
+static int vp6_parse_coeff(VP56Context *s)
{
VP56RangeCoder *c = s->ccp;
VP56Model *model = s->modelp;
@@ -449,6 +450,11 @@
int b, i, cg, idx, ctx;
int pt = 0; /* plane type (0 for Y, 1 for U or V) */
+ if (c->end >= c->buffer && c->bits >= 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n");
+ return AVERROR_INVALIDDATA;
+ }
+
for (b=0; b<6; b++) {
int ct = 1; /* code type */
int run = 1;
@@ -512,6 +518,7 @@
s->left_block[ff_vp56_b6to4[b]].not_null_dc =
s->above_blocks[s->above_block_idx[b]].not_null_dc = !!s->block_coeff[b][0];
}
+ return 0;
}
static int vp6_block_variance(uint8_t *src, int stride)
diff -Nru ffmpeg-3.2.2/libavfilter/vf_hwupload_cuda.c ffmpeg-3.2.4/libavfilter/vf_hwupload_cuda.c
--- ffmpeg-3.2.2/libavfilter/vf_hwupload_cuda.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavfilter/vf_hwupload_cuda.c 2017-02-10 14:25:27.000000000 +0100
@@ -191,7 +191,7 @@
#define OFFSET(x) offsetof(CudaUploadContext, x)
#define FLAGS (AV_OPT_FLAG_FILTERING_PARAM | AV_OPT_FLAG_VIDEO_PARAM)
static const AVOption cudaupload_options[] = {
- { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, .flags = FLAGS },
+ { "device", "Number of the device to use", OFFSET(device_idx), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, FLAGS },
{ NULL },
};
diff -Nru ffmpeg-3.2.2/libavformat/avformat.h ffmpeg-3.2.4/libavformat/avformat.h
--- ffmpeg-3.2.2/libavformat/avformat.h 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/avformat.h 2017-02-10 14:25:27.000000000 +0100
@@ -1899,6 +1899,13 @@
* - decoding: set by user through AVOptions (NO direct access)
*/
char *protocol_blacklist;
+
+ /**
+ * The maximum number of streams.
+ * - encoding: unused
+ * - decoding: set by user through AVOptions (NO direct access)
+ */
+ int max_streams;
} AVFormatContext;
int av_format_get_probe_score(const AVFormatContext *s);
diff -Nru ffmpeg-3.2.2/libavformat/avidec.c ffmpeg-3.2.4/libavformat/avidec.c
--- ffmpeg-3.2.2/libavformat/avidec.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/avidec.c 2017-02-10 14:25:27.000000000 +0100
@@ -1203,7 +1203,8 @@
if ((d[0] == 'i' && d[1] == 'x' && n < s->nb_streams) ||
// parse JUNK
(d[0] == 'J' && d[1] == 'U' && d[2] == 'N' && d[3] == 'K') ||
- (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1')) {
+ (d[0] == 'i' && d[1] == 'd' && d[2] == 'x' && d[3] == '1') ||
+ (d[0] == 'i' && d[1] == 'n' && d[2] == 'd' && d[3] == 'x')) {
avio_skip(pb, size);
goto start_sync;
}
diff -Nru ffmpeg-3.2.2/libavformat/chromaprint.c ffmpeg-3.2.4/libavformat/chromaprint.c
--- ffmpeg-3.2.2/libavformat/chromaprint.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/chromaprint.c 2017-02-10 14:25:27.000000000 +0100
@@ -39,7 +39,11 @@
int silence_threshold;
int algorithm;
FingerprintFormat fp_format;
+#if CPR_VERSION_INT >= AV_VERSION_INT(1, 4, 0)
+ ChromaprintContext *ctx;
+#else
ChromaprintContext ctx;
+#endif
} ChromaprintMuxContext;
static void cleanup(ChromaprintMuxContext *cpr)
diff -Nru ffmpeg-3.2.2/libavformat/flacdec.c ffmpeg-3.2.4/libavformat/flacdec.c
--- ffmpeg-3.2.2/libavformat/flacdec.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/flacdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -65,7 +65,8 @@
/* process metadata blocks */
while (!avio_feof(s->pb) && !metadata_last) {
- avio_read(s->pb, header, 4);
+ if (avio_read(s->pb, header, 4) != 4)
+ return AVERROR(AVERROR_INVALIDDATA);
flac_parse_block_header(header, &metadata_last, &metadata_type,
&metadata_size);
switch (metadata_type) {
diff -Nru ffmpeg-3.2.2/libavformat/libopenmpt.c ffmpeg-3.2.4/libavformat/libopenmpt.c
--- ffmpeg-3.2.2/libavformat/libopenmpt.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/libopenmpt.c 2017-02-10 14:25:27.000000000 +0100
@@ -82,6 +82,11 @@
if (!buf)
return AVERROR(ENOMEM);
size = avio_read(s->pb, buf, size);
+ if (size < 0) {
+ av_log(s, AV_LOG_ERROR, "Reading input buffer failed.\n");
+ av_freep(&buf);
+ return size;
+ }
openmpt->module = openmpt_module_create_from_memory(buf, size, openmpt_logfunc, s, NULL);
av_freep(&buf);
diff -Nru ffmpeg-3.2.2/libavformat/matroskadec.c ffmpeg-3.2.4/libavformat/matroskadec.c
--- ffmpeg-3.2.2/libavformat/matroskadec.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/matroskadec.c 2017-02-10 14:25:27.000000000 +0100
@@ -88,6 +88,7 @@
int list_elem_size;
int data_offset;
union {
+ int64_t i;
uint64_t u;
double f;
const char *s;
@@ -676,7 +677,7 @@
{ MATROSKA_ID_SIMPLEBLOCK, EBML_BIN, 0, offsetof(MatroskaBlock, bin) },
{ MATROSKA_ID_BLOCKDURATION, EBML_UINT, 0, offsetof(MatroskaBlock, duration) },
{ MATROSKA_ID_DISCARDPADDING, EBML_SINT, 0, offsetof(MatroskaBlock, discard_padding) },
- { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference) },
+ { MATROSKA_ID_BLOCKREFERENCE, EBML_SINT, 0, offsetof(MatroskaBlock, reference), { .i = INT64_MIN } },
{ MATROSKA_ID_CODECSTATE, EBML_NONE },
{ 1, EBML_UINT, 0, offsetof(MatroskaBlock, non_simple), { .u = 1 } },
{ 0 }
@@ -1051,6 +1052,9 @@
for (i = 0; syntax[i].id; i++)
switch (syntax[i].type) {
+ case EBML_SINT:
+ *(int64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.i;
+ break;
case EBML_UINT:
*(uint64_t *) ((char *) data + syntax[i].data_offset) = syntax[i].def.u;
break;
@@ -3289,7 +3293,7 @@
matroska->current_cluster_num_blocks = blocks_list->nb_elem;
i = blocks_list->nb_elem - 1;
if (blocks[i].bin.size > 0 && blocks[i].bin.data) {
- int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1;
+ int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1;
uint8_t* additional = blocks[i].additional.size > 0 ?
blocks[i].additional.data : NULL;
if (!blocks[i].non_simple)
@@ -3327,7 +3331,7 @@
blocks = blocks_list->elem;
for (i = 0; i < blocks_list->nb_elem; i++)
if (blocks[i].bin.size > 0 && blocks[i].bin.data) {
- int is_keyframe = blocks[i].non_simple ? !blocks[i].reference : -1;
+ int is_keyframe = blocks[i].non_simple ? blocks[i].reference == INT64_MIN : -1;
res = matroska_parse_block(matroska, blocks[i].bin.data,
blocks[i].bin.size, blocks[i].bin.pos,
cluster.timecode, blocks[i].duration,
diff -Nru ffmpeg-3.2.2/libavformat/mov.c ffmpeg-3.2.4/libavformat/mov.c
--- ffmpeg-3.2.2/libavformat/mov.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/mov.c 2017-02-10 14:25:37.000000000 +0100
@@ -404,11 +404,11 @@
return ret;
} else if (!key && c->found_hdlr_mdta && c->meta_keys) {
uint32_t index = AV_RB32(&atom.type);
- if (index < c->meta_keys_count) {
+ if (index < c->meta_keys_count && index > 0) {
key = c->meta_keys[index];
} else {
av_log(c->fc, AV_LOG_WARNING,
- "The index of 'data' is out of range: %d >= %d.\n",
+ "The index of 'data' is out of range: %d < 1 or >= %d.\n",
index, c->meta_keys_count);
}
}
@@ -739,6 +739,8 @@
title_size = atom.size - 24;
if (title_size > 0) {
+ if (title_size > FFMIN(INT_MAX, SIZE_MAX-1))
+ return AVERROR_INVALIDDATA;
title_str = av_malloc(title_size + 1); /* Add null terminator */
if (!title_str)
return AVERROR(ENOMEM);
@@ -4434,7 +4436,7 @@
0x9c, 0x71, 0x99, 0x94, 0x91, 0xe3, 0xaf, 0xac
};
- if (atom.size < sizeof(uuid) || atom.size == INT64_MAX)
+ if (atom.size < sizeof(uuid) || atom.size >= FFMIN(INT_MAX, SIZE_MAX))
return AVERROR_INVALIDDATA;
ret = avio_read(pb, uuid, sizeof(uuid));
@@ -4597,8 +4599,8 @@
avio_rb32(pb); /* entries */
- if (atom.size < 8) {
- av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" too small\n", atom.size);
+ if (atom.size < 8 || atom.size > FFMIN(INT_MAX, SIZE_MAX)) {
+ av_log(c->fc, AV_LOG_ERROR, "senc atom size %"PRId64" invalid\n", atom.size);
return AVERROR_INVALIDDATA;
}
@@ -4666,6 +4668,11 @@
return 0;
}
+ if (atom.size > FFMIN(INT_MAX, SIZE_MAX)) {
+ av_log(c->fc, AV_LOG_ERROR, "saiz atom auxiliary_info_sizes size %"PRId64" invalid\n", atom.size);
+ return AVERROR_INVALIDDATA;
+ }
+
/* save the auxiliary info sizes as is */
data_size = atom.size - atom_header_size;
diff -Nru ffmpeg-3.2.2/libavformat/mp3dec.c ffmpeg-3.2.4/libavformat/mp3dec.c
--- ffmpeg-3.2.2/libavformat/mp3dec.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/mp3dec.c 2017-02-10 14:25:27.000000000 +0100
@@ -457,7 +457,8 @@
return CHECK_SEEK_FAILED;
ret = avio_read(pb, &header_buf[0], 4);
- if (ret < 0)
+ /* We should always find four bytes for a valid mpa header. */
+ if (ret < 4)
return CHECK_SEEK_FAILED;
header = AV_RB32(&header_buf[0]);
diff -Nru ffmpeg-3.2.2/libavformat/oggdec.c ffmpeg-3.2.4/libavformat/oggdec.c
--- ffmpeg-3.2.2/libavformat/oggdec.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/oggdec.c 2017-02-10 14:25:27.000000000 +0100
@@ -643,6 +643,8 @@
int64_t pts;
if (i < 0) continue;
pts = ogg_calc_pts(s, i, NULL);
+ if (s->streams[i]->duration == AV_NOPTS_VALUE)
+ continue;
if (pts != AV_NOPTS_VALUE && s->streams[i]->start_time == AV_NOPTS_VALUE && !ogg->streams[i].got_start) {
s->streams[i]->duration -= pts;
ogg->streams[i].got_start= 1;
diff -Nru ffmpeg-3.2.2/libavformat/options_table.h ffmpeg-3.2.4/libavformat/options_table.h
--- ffmpeg-3.2.2/libavformat/options_table.h 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/options_table.h 2017-02-10 14:25:27.000000000 +0100
@@ -105,6 +105,7 @@
{"format_whitelist", "List of demuxers that are allowed to be used", OFFSET(format_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
{"protocol_whitelist", "List of protocols that are allowed to be used", OFFSET(protocol_whitelist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
{"protocol_blacklist", "List of protocols that are not allowed to be used", OFFSET(protocol_blacklist), AV_OPT_TYPE_STRING, { .str = NULL }, CHAR_MIN, CHAR_MAX, D },
+{"max_streams", "maximum number of streams", OFFSET(max_streams), AV_OPT_TYPE_INT, { .i64 = 1000 }, 0, INT_MAX, D },
{NULL},
};
diff -Nru ffmpeg-3.2.2/libavformat/utils.c ffmpeg-3.2.4/libavformat/utils.c
--- ffmpeg-3.2.2/libavformat/utils.c 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/utils.c 2017-02-10 14:25:27.000000000 +0100
@@ -1980,7 +1980,7 @@
m = (a + b) >> 1;
// Search for the next non-discarded packet.
- while ((entries[m].flags & AVINDEX_DISCARD_FRAME) && m < b) {
+ while ((entries[m].flags & AVINDEX_DISCARD_FRAME) && m < b && m < nb_entries - 1) {
m++;
if (m == b && entries[m].timestamp >= wanted_timestamp) {
m = b - 1;
@@ -4213,8 +4213,11 @@
int i;
AVStream **streams;
- if (s->nb_streams >= INT_MAX/sizeof(*streams))
+ if (s->nb_streams >= FFMIN(s->max_streams, INT_MAX/sizeof(*streams))) {
+ if (s->max_streams < INT_MAX/sizeof(*streams))
+ av_log(s, AV_LOG_ERROR, "Number of streams exceeds max_streams parameter (%d), see the documentation if you wish to increase it\n", s->max_streams);
return NULL;
+ }
streams = av_realloc_array(s->streams, s->nb_streams + 1, sizeof(*streams));
if (!streams)
return NULL;
diff -Nru ffmpeg-3.2.2/libavformat/version.h ffmpeg-3.2.4/libavformat/version.h
--- ffmpeg-3.2.2/libavformat/version.h 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavformat/version.h 2017-02-10 14:25:27.000000000 +0100
@@ -33,7 +33,7 @@
// Also please add any ticket numbers that you believe might be affected here
#define LIBAVFORMAT_VERSION_MAJOR 57
#define LIBAVFORMAT_VERSION_MINOR 56
-#define LIBAVFORMAT_VERSION_MICRO 100
+#define LIBAVFORMAT_VERSION_MICRO 101
#define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
LIBAVFORMAT_VERSION_MINOR, \
diff -Nru ffmpeg-3.2.2/libavutil/imgutils.c ffmpeg-3.2.4/libavutil/imgutils.c
--- ffmpeg-3.2.2/libavutil/imgutils.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavutil/imgutils.c 2017-02-10 14:25:28.000000000 +0100
@@ -248,19 +248,38 @@
.parent_log_context_offset = offsetof(ImgUtils, log_ctx),
};
-int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
+int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx)
{
ImgUtils imgutils = {
.class = &imgutils_class,
.log_offset = log_offset,
.log_ctx = log_ctx,
};
+ int64_t stride = av_image_get_linesize(pix_fmt, w, 0);
+ if (stride <= 0)
+ stride = 8LL*w;
+ stride += 128*8;
+
+ if ((int)w<=0 || (int)h<=0 || stride >= INT_MAX || stride*(uint64_t)(h+128) >= INT_MAX) {
+ av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h);
+ return AVERROR(EINVAL);
+ }
+
+ if (max_pixels < INT64_MAX) {
+ if (w*(int64_t)h > max_pixels) {
+ av_log(&imgutils, AV_LOG_ERROR,
+ "Picture size %ux%u exceeds specified max pixel count %"PRId64", see the documentation if you wish to increase it\n",
+ w, h, max_pixels);
+ return AVERROR(EINVAL);
+ }
+ }
- if ((int)w>0 && (int)h>0 && (w+128)*(uint64_t)(h+128) < INT_MAX/8)
- return 0;
+ return 0;
+}
- av_log(&imgutils, AV_LOG_ERROR, "Picture size %ux%u is invalid\n", w, h);
- return AVERROR(EINVAL);
+int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx)
+{
+ return av_image_check_size2(w, h, INT64_MAX, AV_PIX_FMT_NONE, log_offset, log_ctx);
}
int av_image_check_sar(unsigned int w, unsigned int h, AVRational sar)
diff -Nru ffmpeg-3.2.2/libavutil/imgutils.h ffmpeg-3.2.4/libavutil/imgutils.h
--- ffmpeg-3.2.2/libavutil/imgutils.h 2016-03-29 04:25:32.000000000 +0200
+++ ffmpeg-3.2.4/libavutil/imgutils.h 2017-02-09 17:14:55.000000000 +0100
@@ -192,6 +192,20 @@
int av_image_check_size(unsigned int w, unsigned int h, int log_offset, void *log_ctx);
/**
+ * Check if the given dimension of an image is valid, meaning that all
+ * bytes of the image can be addressed with a signed int.
+ *
+ * @param w the width of the picture
+ * @param h the height of the picture
+ * @param max_pixels the maximum number of pixels the user wants to accept
+ * @param pix_fmt the pixel format, can be AV_PIX_FMT_NONE if unknown.
+ * @param log_offset the offset to sum to the log level for logging with log_ctx
+ * @param log_ctx the parent logging context, it may be NULL
+ * @return >= 0 if valid, a negative error code otherwise
+ */
+int av_image_check_size2(unsigned int w, unsigned int h, int64_t max_pixels, enum AVPixelFormat pix_fmt, int log_offset, void *log_ctx);
+
+/**
* Check if the given sample aspect ratio of an image is valid.
*
* It is considered invalid if the denominator is 0 or if applying the ratio
diff -Nru ffmpeg-3.2.2/libavutil/random_seed.c ffmpeg-3.2.4/libavutil/random_seed.c
--- ffmpeg-3.2.2/libavutil/random_seed.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavutil/random_seed.c 2017-02-10 14:25:28.000000000 +0100
@@ -67,6 +67,7 @@
uint8_t tmp[120];
struct AVSHA *sha = (void*)tmp;
clock_t last_t = 0;
+ clock_t last_td = 0;
static uint64_t i = 0;
static uint32_t buffer[512] = { 0 };
unsigned char digest[20];
@@ -86,11 +87,12 @@
for (;;) {
clock_t t = clock();
-
- if (last_t == t) {
- buffer[i & 511]++;
+ if (last_t + 2*last_td + (CLOCKS_PER_SEC > 1000) >= t) {
+ last_td = t - last_t;
+ buffer[i & 511] = 1664525*buffer[i & 511] + 1013904223 + (last_td % 3294638521U);
} else {
- buffer[++i & 511] += (t - last_t) % 3294638521U;
+ last_td = t - last_t;
+ buffer[++i & 511] += last_td % 3294638521U;
if (last_i && i - last_i > 4 || i - last_i > 64 || TEST && i - last_i > 8)
break;
}
diff -Nru ffmpeg-3.2.2/libavutil/version.h ffmpeg-3.2.4/libavutil/version.h
--- ffmpeg-3.2.2/libavutil/version.h 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libavutil/version.h 2017-02-10 14:25:28.000000000 +0100
@@ -80,7 +80,7 @@
#define LIBAVUTIL_VERSION_MAJOR 55
#define LIBAVUTIL_VERSION_MINOR 34
-#define LIBAVUTIL_VERSION_MICRO 100
+#define LIBAVUTIL_VERSION_MICRO 101
#define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \
LIBAVUTIL_VERSION_MINOR, \
diff -Nru ffmpeg-3.2.2/libswscale/swscale.c ffmpeg-3.2.4/libswscale/swscale.c
--- ffmpeg-3.2.2/libswscale/swscale.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libswscale/swscale.c 2017-02-10 14:25:28.000000000 +0100
@@ -762,10 +762,8 @@
uint8_t *rgb0_tmp = NULL;
int macro_height = isBayer(c->srcFormat) ? 2 : (1 << c->chrSrcVSubSample);
// copy strides, so they can safely be modified
- int srcStride2[4] = { srcStride[0], srcStride[1], srcStride[2],
- srcStride[3] };
- int dstStride2[4] = { dstStride[0], dstStride[1], dstStride[2],
- dstStride[3] };
+ int srcStride2[4];
+ int dstStride2[4];
int srcSliceY_internal = srcSliceY;
if (!srcStride || !dstStride || !dst || !srcSlice) {
@@ -773,6 +771,11 @@
return 0;
}
+ for (i=0; i<4; i++) {
+ srcStride2[i] = srcStride[i];
+ dstStride2[i] = dstStride[i];
+ }
+
if ((srcSliceY & (macro_height-1)) ||
((srcSliceH& (macro_height-1)) && srcSliceY + srcSliceH != c->srcH) ||
srcSliceY + srcSliceH > c->srcH) {
diff -Nru ffmpeg-3.2.2/libswscale/x86/hscale_fast_bilinear_simd.c ffmpeg-3.2.4/libswscale/x86/hscale_fast_bilinear_simd.c
--- ffmpeg-3.2.2/libswscale/x86/hscale_fast_bilinear_simd.c 2016-12-06 00:28:54.000000000 +0100
+++ ffmpeg-3.2.4/libswscale/x86/hscale_fast_bilinear_simd.c 2017-02-10 14:25:28.000000000 +0100
@@ -199,7 +199,7 @@
#if ARCH_X86_64
uint64_t retsave;
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
uint64_t ebxsave;
#endif
#endif
@@ -209,7 +209,7 @@
"mov -8(%%rsp), %%"FF_REG_a" \n\t"
"mov %%"FF_REG_a", %5 \n\t" // retsave
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
"mov %%"FF_REG_b", %5 \n\t" // ebxsave
#endif
#endif
@@ -255,7 +255,7 @@
"mov %5, %%"FF_REG_a" \n\t"
"mov %%"FF_REG_a", -8(%%rsp) \n\t"
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
"mov %5, %%"FF_REG_b" \n\t"
#endif
#endif
@@ -264,12 +264,12 @@
#if ARCH_X86_64
,"m"(retsave)
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
,"m" (ebxsave)
#endif
#endif
: "%"FF_REG_a, "%"FF_REG_c, "%"FF_REG_d, "%"FF_REG_S, "%"FF_REG_D
-#if ARCH_X86_64 || !defined(PIC)
+#if ARCH_X86_64 || HAVE_EBX_AVAILABLE
,"%"FF_REG_b
#endif
);
@@ -289,7 +289,7 @@
#if ARCH_X86_64
DECLARE_ALIGNED(8, uint64_t, retsave);
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
#endif
@@ -298,7 +298,7 @@
"mov -8(%%rsp), %%"FF_REG_a" \n\t"
"mov %%"FF_REG_a", %7 \n\t" // retsave
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
"mov %%"FF_REG_b", %7 \n\t" // ebxsave
#endif
#endif
@@ -332,7 +332,7 @@
"mov %7, %%"FF_REG_a" \n\t"
"mov %%"FF_REG_a", -8(%%rsp) \n\t"
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
"mov %7, %%"FF_REG_b" \n\t"
#endif
#endif
@@ -341,12 +341,12 @@
#if ARCH_X86_64
,"m"(retsave)
#else
-#if defined(PIC)
+#if !HAVE_EBX_AVAILABLE
,"m" (ebxsave)
#endif
#endif
: "%"FF_REG_a, "%"FF_REG_c, "%"FF_REG_d, "%"FF_REG_S, "%"FF_REG_D
-#if ARCH_X86_64 || !defined(PIC)
+#if ARCH_X86_64 || HAVE_EBX_AVAILABLE
,"%"FF_REG_b
#endif
);
diff -Nru ffmpeg-3.2.2/RELEASE ffmpeg-3.2.4/RELEASE
--- ffmpeg-3.2.2/RELEASE 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/RELEASE 2017-02-10 14:25:37.000000000 +0100
@@ -1 +1 @@
-3.2.2
+3.2.4
diff -Nru ffmpeg-3.2.2/VERSION ffmpeg-3.2.4/VERSION
--- ffmpeg-3.2.2/VERSION 2016-12-06 00:28:58.000000000 +0100
+++ ffmpeg-3.2.4/VERSION 2017-02-10 14:25:37.000000000 +0100
@@ -1 +1 @@
-3.2.2
+3.2.4
--- End Message ---