Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ffmpeg version 7:3.2.5-1. ffmpeg 3.2.5 is the lastest stable bugfix release of the 3.2.x branch. The release contains fixes for multiple integer overflows, shifts with undefined behavior, null pointer deferences, out-of-bounds writes, and many other issues: version 3.2.5: - avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' - avcodec/svq3: Fix runtime error: left shift of negative value -6 - avcodec/tiff: reset sampling[] if its invalid - avcodec/aacps: Fix undefined behavior - avcodec/opus_silk: Fix integer overflow and out of array read - avcodec/flacdec: Return error code instead of 0 for failures - avcodec/snowdec: Check width - avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() - avcodec/webp: Factor update_canvas_size() out - avcodec/cllc: Check prefix - avcodec/rscc: Check pixel_size for overflow - avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' - avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode - avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' - avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' - avcodec/g723_1dec: Fix LCG type - libswscale/tests/swscale: Fix uninitialized variables - avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' - avcodec/webp: Fix signedness in prefix_code check - avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' - avcodec/mlpdec: Check that there is enough data for headers - avcodec/ac3dec: Keep track of band structure - avcodec/webp: Add missing input padding - avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 - avcodec/aacsbr_template: Do not change bs_num_env before its checked - avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 - avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' - avcodec/avcodec: Limit the number of side data elements per packet - avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' - avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 - avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' - avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 - avcodec/msmpeg4dec: Check for cbpy VLC errors - avcodec/cllc: Check num_bits - avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers - avcodec/dvbsubdec: Check entry_id - avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' - avcodec/mpeg12dec: Fixes runtime error: division by zero - avcodec/webp: Always set pix_fmt - avfilter/vf_uspp: Fix currently unused input frame dimensions - avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 - avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' - avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' - avformat/wavdec: Check chunk_size - avcodec/cavs: Check updated MV - avcodec/y41pdec: Fix width in input buffer size check - avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' - avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' - avcodec/lagarith: Check scale_factor - avcodec/lagarith: Fix runtime error: left shift of negative value -1 - avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 - avcodec/indeo2: Check for invalid VLCs - avcodec/g723_1dec: Fix several integer related cases of undefined behaviour - avcodec/htmlsubtitles: Check for string truncation and return error - avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' - avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' - avcodec/dvbsubdec: check region dimensions - avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' - avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() - avcodec/cavsdec: Check sym_factor - avcodec/cdxl: Check format for BGR24 - avcodec/ffv1dec: Fix copying planes of paletted formats - avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' - avcodec/xwddec: Check bpp more completely - avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure - avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' - avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' - avcodec/g726: Fix runtime error: left shift of negative value -2 - avcodec/ra144: Fix runtime error: left shift of negative value -798 - avcodec/mss34dsp: Fix multiple signed integer overflow - avcodec/targa_y216dec: Fix width type - avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' - avcodec/ivi_dsp: Fix multiple left shift of negative value -2 - avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' - avcodec/msmpeg4dec: Correct table depth - avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' - avcodec/cdxl: Check format parameter - avutil/softfloat: Fix overflow in av_div_sf() - avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 - avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from - avcodec/shorten: Check k in get_uint() - avcodec/webp: Fix null pointer dereference - avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' - avcodec/g723_1: Fix multiple runtime error: left shift of negative value - avcodec/mimic: Fix runtime error: left shift of negative value -1 - avcodec/fic: Fix multiple left shift of negative value -15 - avcodec/mlpdec: Fix runtime error: left shift of negative value -22 - avcodec/snowdec: Check qbias - avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 - avcodec/aacsbr_template: Do not leave bs_num_env invalid - avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' - avcodec/dfa: Fix off by 1 error - avcodec/nellymoser: Fix multiple left shift of negative value -8591 - avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' - avcodec/g722: Fix multiple runtime error: left shift of negative value -1 - avcodec/dss_sp: Fix multiple left shift of negative value -466 - avcodec/wnv1: Fix runtime error: left shift of negative value -1 - avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so - avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' - avcodec/cavsdec: Fix undefined behavior from integer overflow - avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' - libavcodec/mpeg4videodec: Convert sprite_offset to 64bit - avcodec/pngdec: Use ff_set_dimensions() - avcodec/msvideo1: Check buffer size before re-getting the frame - avcodec/h264_cavlc: Fix undefined behavior on qscale overflow - avcodec/dcadsp: Fix runtime error: signed integer overflow - avcodec/svq3: Reject dx/dy beyond 16bit - avcodec/svq3: Increase offsets to prevent integer overflows - avcodec/indeo2: Check remaining bits in ir2_decode_plane() - avcodec/vp3: Check remaining bits in unpack_dct_coeffs() - doc/developer: Add terse documentation of assumed C implementation defined behavior - avcodec/mdec: Fix runtime error: left shift of negative value -127 - avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang - libavcodec/exr : fix float to uint16 conversion for negative float value - avformat/webmdashenc: Validate the 'streams' adaptation sets parameter - avformat/webmdashenc: Require the 'adaptation_sets' option to be set - avformat/oggparseogm: Check ff_alloc_extradata() for failure - avformat/oggparseogm: Check available data before reading global header - avformat/mov: Check creation_time for overflow - avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' - avcodec/h264: Check weight values to be within the specs limits. - libavformat/mov: Fix memory leak, need to free the chapter tracks array - avformat/oggparsedaala: Do not leave an invalid value in gpshift - avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE - avformat/libopenmpt: Check for avio_size() failure - avfilter/af_sofalizer: Fix bad shift - avcodec: fix uninitialized variable read - avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() - avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit - avformat/test/fifo_muxer: add check for FailingMuxerPacketData alloc - omx: Fix OOM check - avcodec/vdpau_hevc: Fix potential out-of-bounds write - avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int' - avcodec/tiff: Check geotag count for being non zero - avcodec/vp56: Check avctx->error_concealment before enabling EC - avcodec/tiff: Check stripsize strippos for overflow - avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 - avcodec/tiff: Check for multiple geo key directories - avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' - avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' - avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 - avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' - avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 - avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 - avcodec/wavpack: Fix runtime error: left shift of negative value -5 - avcodec/wavpack: Fix runtime error: left shift of negative value -2 - avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 - avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value - avcodec/adxdec: Fix runtime error: left shift of negative value -1 - avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() - avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 - avcodec/h264_direct: Fix runtime error: left shift of negative value -14 - avcodec/pictordec: Check plane value before doing value/mask computations - avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 - avcodec/eac3dec: Fix runtime error: left shift of negative value -3 - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 - avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows - avcodec/mpeg4videodec: Check sprite_offset in addition to shifts - avcodec/mpeg4video: Fix runtime error: left shift of negative value - avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 - avcodec/rv40: Fix runtime error: left shift of negative value - avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' - avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative - avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 - avcodec/eac3dec: Fix runtime error: left shift of negative value - avcodec/htmlsubtitles: Fix reading one byte beyond the array - avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() - avcodec/vp56: Reset have_undamaged_frame on resolution changes - avcodec/vp8: Fix hang with slice threads - avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() - avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() - avcodec/vp8: remove redundant check - avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() - avcodec/vp3: Do not return random positive values but the buf size - avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() - avcodec/vp56: Factorize vp56_render_mb() out - avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' - Add CHECK/SUINT code - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 - avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change - avcodec/vp56: Implement very basic error concealment - avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 - avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' - avcodec/vp56: Fix sign typo - avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding - avcodec/rv34: Simplify and factor get_slice_offset() code - avcodec/pictordec: Do not read more than nb_planes - avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' - avcodec/pngdec: Check bit depth for validity - avcodec/mpeg12dec: Fix runtime error: left shift of negative value - avcodec/wavpacl: Fix runtime error: left shift of negative value -1 - avformat/http: Check for truncated buffers in http_connect() - avformat/utils: free AVStream.codec properly in free_stream() - avcodec/options: do a more thorough clean up in avcodec_copy_context() - avcodec/options: factorize avcodec_copy_context() cleanup code - avformat/concatdec: fix the h264 annexb extradata check - hwcontext_vdpau: Fix missing subscripts - lavf/flacdec: Return maximum score if the streaminfo header is valid. - avcodec/dnxhd_parser: take into account compressed frame size and skip it - avformat/apng: fix setting frame delay when max_fps is set to no limit - swresample/resample: free existing ResampleContext on reinit - swresample/resample: move resample_free() higher in the file - avformat/matroskaenc: don't write DisplayUnit with value Unknown on WebM files - lavfi/buffersrc: fix directly setting channel layout - lavf/mpeg: Initialize a stack variable used by memcmp(). - lavc/avpacket: Initialize a variable in error path. The full debdiff is attached. unblock ffmpeg/7:3.2.5-1 Cheers -- Sebastian Ramacher
diff --git a/Changelog b/Changelog
index 1e0f8612..5468e4fa 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,216 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 3.2.5:
+- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int'
+- avcodec/svq3: Fix runtime error: left shift of negative value -6
+- avcodec/tiff: reset sampling[] if its invalid
+- avcodec/aacps: Fix undefined behavior
+- avcodec/opus_silk: Fix integer overflow and out of array read
+- avcodec/flacdec: Return error code instead of 0 for failures
+- avcodec/snowdec: Check width
+- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame()
+- avcodec/webp: Factor update_canvas_size() out
+- avcodec/cllc: Check prefix
+- avcodec/rscc: Check pixel_size for overflow
+- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode
+- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]'
+- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix LCG type
+- libswscale/tests/swscale: Fix uninitialized variables
+- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int'
+- avcodec/webp: Fix signedness in prefix_code check
+- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int'
+- avcodec/mlpdec: Check that there is enough data for headers
+- avcodec/ac3dec: Keep track of band structure
+- avcodec/webp: Add missing input padding
+- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1
+- avcodec/aacsbr_template: Do not change bs_num_env before its checked
+- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1
+- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int'
+- avcodec/avcodec: Limit the number of side data elements per packet
+- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int'
+- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610
+- avcodec/msmpeg4dec: Check for cbpy VLC errors
+- avcodec/cllc: Check num_bits
+- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers
+- avcodec/dvbsubdec: Check entry_id
+- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int'
+- avcodec/mpeg12dec: Fixes runtime error: division by zero
+- avcodec/webp: Always set pix_fmt
+- avfilter/vf_uspp: Fix currently unused input frame dimensions
+- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1
+- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int'
+- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int'
+- avformat/wavdec: Check chunk_size
+- avcodec/cavs: Check updated MV
+- avcodec/y41pdec: Fix width in input buffer size check
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int'
+- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int'
+- avcodec/lagarith: Check scale_factor
+- avcodec/lagarith: Fix runtime error: left shift of negative value -1
+- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1
+- avcodec/indeo2: Check for invalid VLCs
+- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour
+- avcodec/htmlsubtitles: Check for string truncation and return error
+- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int'
+- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int'
+- avcodec/dvbsubdec: check region dimensions
+- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int'
+- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col()
+- avcodec/cavsdec: Check sym_factor
+- avcodec/cdxl: Check format for BGR24
+- avcodec/ffv1dec: Fix copying planes of paletted formats
+- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int'
+- avcodec/xwddec: Check bpp more completely
+- avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure
+- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int'
+- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int'
+- avcodec/g726: Fix runtime error: left shift of negative value -2
+- avcodec/ra144: Fix runtime error: left shift of negative value -798
+- avcodec/mss34dsp: Fix multiple signed integer overflow
+- avcodec/targa_y216dec: Fix width type
+- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
+- avcodec/ivi_dsp: Fix multiple left shift of negative value -2
+- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int'
+- avcodec/msmpeg4dec: Correct table depth
+- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
+- avcodec/cdxl: Check format parameter
+- avutil/softfloat: Fix overflow in av_div_sf()
+- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207
+- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from
+- avcodec/shorten: Check k in get_uint()
+- avcodec/webp: Fix null pointer dereference
+- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
+- avcodec/g723_1: Fix multiple runtime error: left shift of negative value
+- avcodec/mimic: Fix runtime error: left shift of negative value -1
+- avcodec/fic: Fix multiple left shift of negative value -15
+- avcodec/mlpdec: Fix runtime error: left shift of negative value -22
+- avcodec/snowdec: Check qbias
+- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8
+- avcodec/aacsbr_template: Do not leave bs_num_env invalid
+- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int'
+- avcodec/dfa: Fix off by 1 error
+- avcodec/nellymoser: Fix multiple left shift of negative value -8591
+- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int'
+- avcodec/g722: Fix multiple runtime error: left shift of negative value -1
+- avcodec/dss_sp: Fix multiple left shift of negative value -466
+- avcodec/wnv1: Fix runtime error: left shift of negative value -1
+- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so
+- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'
+- avcodec/cavsdec: Fix undefined behavior from integer overflow
+- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int'
+- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit
+- avcodec/pngdec: Use ff_set_dimensions()
+- avcodec/msvideo1: Check buffer size before re-getting the frame
+- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow
+- avcodec/dcadsp: Fix runtime error: signed integer overflow
+- avcodec/svq3: Reject dx/dy beyond 16bit
+- avcodec/svq3: Increase offsets to prevent integer overflows
+- avcodec/indeo2: Check remaining bits in ir2_decode_plane()
+- avcodec/vp3: Check remaining bits in unpack_dct_coeffs()
+- doc/developer: Add terse documentation of assumed C implementation defined behavior
+- avcodec/mdec: Fix runtime error: left shift of negative value -127
+- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang
+- libavcodec/exr : fix float to uint16 conversion for negative float value
+- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter
+- avformat/webmdashenc: Require the 'adaptation_sets' option to be set
+- avformat/oggparseogm: Check ff_alloc_extradata() for failure
+- avformat/oggparseogm: Check available data before reading global header
+- avformat/mov: Check creation_time for overflow
+- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int'
+- avcodec/h264: Check weight values to be within the specs limits.
+- libavformat/mov: Fix memory leak, need to free the chapter tracks array
+- avformat/oggparsedaala: Do not leave an invalid value in gpshift
+- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE
+- avformat/libopenmpt: Check for avio_size() failure
+- avfilter/af_sofalizer: Fix bad shift
+- avcodec: fix uninitialized variable read
+- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter()
+- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit
+- avformat/test/fifo_muxer: add check for FailingMuxerPacketData alloc
+- omx: Fix OOM check
+- avcodec/vdpau_hevc: Fix potential out-of-bounds write
+- avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int'
+- avcodec/tiff: Check geotag count for being non zero
+- avcodec/vp56: Check avctx->error_concealment before enabling EC
+- avcodec/tiff: Check stripsize strippos for overflow
+- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0
+- avcodec/tiff: Check for multiple geo key directories
+- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'
+- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int'
+- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int'
+- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127
+- avcodec/wavpack: Fix runtime error: left shift of negative value -5
+- avcodec/wavpack: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int'
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13
+- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value
+- avcodec/adxdec: Fix runtime error: left shift of negative value -1
+- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory()
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511
+- avcodec/h264_direct: Fix runtime error: left shift of negative value -14
+- avcodec/pictordec: Check plane value before doing value/mask computations
+- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650
+- avcodec/eac3dec: Fix runtime error: left shift of negative value -3
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2
+- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows
+- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts
+- avcodec/mpeg4video: Fix runtime error: left shift of negative value
+- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22
+- avcodec/rv40: Fix runtime error: left shift of negative value
+- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int'
+- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative
+- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507
+- avcodec/eac3dec: Fix runtime error: left shift of negative value
+- avcodec/htmlsubtitles: Fix reading one byte beyond the array
+- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header()
+- avcodec/vp56: Reset have_undamaged_frame on resolution changes
+- avcodec/vp8: Fix hang with slice threads
+- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter()
+- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder()
+- avcodec/vp8: remove redundant check
+- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb()
+- avcodec/vp3: Do not return random positive values but the buf size
+- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter()
+- avcodec/vp56: Factorize vp56_render_mb() out
+- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int'
+- Add CHECK/SUINT code
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1
+- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change
+- avcodec/vp56: Implement very basic error concealment
+- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1
+- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int'
+- avcodec/vp56: Fix sign typo
+- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding
+- avcodec/rv34: Simplify and factor get_slice_offset() code
+- avcodec/pictordec: Do not read more than nb_planes
+- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int'
+- avcodec/pngdec: Check bit depth for validity
+- avcodec/mpeg12dec: Fix runtime error: left shift of negative value
+- avcodec/wavpacl: Fix runtime error: left shift of negative value -1
+- avformat/http: Check for truncated buffers in http_connect()
+- avformat/utils: free AVStream.codec properly in free_stream()
+- avcodec/options: do a more thorough clean up in avcodec_copy_context()
+- avcodec/options: factorize avcodec_copy_context() cleanup code
+- avformat/concatdec: fix the h264 annexb extradata check
+- hwcontext_vdpau: Fix missing subscripts
+- lavf/flacdec: Return maximum score if the streaminfo header is valid.
+- avcodec/dnxhd_parser: take into account compressed frame size and skip it
+- avformat/apng: fix setting frame delay when max_fps is set to no limit
+- swresample/resample: free existing ResampleContext on reinit
+- swresample/resample: move resample_free() higher in the file
+- avformat/matroskaenc: don't write DisplayUnit with value Unknown on WebM files
+- lavfi/buffersrc: fix directly setting channel layout
+- lavf/mpeg: Initialize a stack variable used by memcmp().
+- lavc/avpacket: Initialize a variable in error path.
+
+
version 3.2.4:
- avcodec/h264_slice: Clear ref_counts on redundant slices
- lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
diff --git a/RELEASE b/RELEASE
index 351227fc..5ae69bd5 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-3.2.4
+3.2.5
diff --git a/VERSION b/VERSION
index 351227fc..5ae69bd5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.4
+3.2.5
diff --git a/debian/changelog b/debian/changelog
index 3010e1c6..ad75f8a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ffmpeg (7:3.2.5-1) unstable; urgency=medium
+
+ * Team upload.
+ * New upstream release.
+
+ -- Sebastian Ramacher <sramacher@debian.org> Mon, 22 May 2017 22:03:36 +0200
+
ffmpeg (7:3.2.4-1) unstable; urgency=medium
* Import new upstream bugfix release 3.2.4.
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 14267723..34f6d182 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 3.2.4
+PROJECT_NUMBER = 3.2.5
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
diff --git a/doc/developer.texi b/doc/developer.texi
index dbe1f542..98540c8f 100644
--- a/doc/developer.texi
+++ b/doc/developer.texi
@@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};});
@item
compound literals (@samp{x = (struct s) @{ 17, 23 @};}).
+
+@item
+Implementation defined behavior for signed integers is assumed to match the
+expected behavior for two's complement. Non representable values in integer
+casts are binary truncated. Shift right of signed values uses sign extension.
@end itemize
These features are supported by all compilers we care about, so we will not
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index acb81783..1b5e8aa3 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx)
static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign)
{
dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE));
- dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1));
+ dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2));
return dst + 2;
}
@@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign)
{
unsigned nz = idx >> 12;
- dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1));
+ dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2));
sign <<= nz & 1;
nz >>= 1;
- dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1));
+ dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2));
sign <<= nz & 1;
nz >>= 1;
- dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1));
+ dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2));
sign <<= nz & 1;
nz >>= 1;
- dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1));
+ dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2));
return dst + 4;
}
@@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len)
s = offset - (s >> 2);
- if (s > 0) {
+ if (s > 31) {
+ for (i=0; i<len; i++) {
+ dst[i] = 0;
+ }
+ } else if (s > 0) {
round = 1 << (s-1);
for (i=0; i<len; i++) {
out = (int)(((int64_t)src[i] * c) >> 32);
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 883ed527..f730ad93 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags)
/**
* Save current output configuration if and only if it has been locked.
*/
-static void push_output_configuration(AACContext *ac) {
+static int push_output_configuration(AACContext *ac) {
+ int pushed = 0;
+
if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) {
ac->oc[0] = ac->oc[1];
+ pushed = 1;
}
ac->oc[1].status = OC_NONE;
+ return pushed;
}
/**
@@ -3002,7 +3006,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
case TYPE_PCE: {
uint8_t layout_map[MAX_ELEM_ID*4][3];
int tags;
- push_output_configuration(ac);
+
+ int pushed = push_output_configuration(ac);
+ if (pce_found && !pushed) {
+ err = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+
tags = decode_pce(avctx, &ac->oc[1].m4ac, layout_map, gb);
if (tags < 0) {
err = tags;
diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index ccc79ffc..48b595ad 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r)
h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width);
}
ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd](
- l[k] + start + 1, r[k] + start + 1,
+ l[k] + 1 + start, r[k] + 1 + start,
h, h_step, stop - start);
}
}
diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index 51105427..f69c2d61 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -623,24 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
int abs_bord_trail = 16;
int num_rel_lead, num_rel_trail;
unsigned bs_num_env_old = ch_data->bs_num_env;
+ int bs_frame_class, bs_num_env;
ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env];
ch_data->bs_amp_res = sbr->bs_amp_res_header;
ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old];
- switch (ch_data->bs_frame_class = get_bits(gb, 2)) {
+ switch (bs_frame_class = get_bits(gb, 2)) {
case FIXFIX:
- ch_data->bs_num_env = 1 << get_bits(gb, 2);
- num_rel_lead = ch_data->bs_num_env - 1;
- if (ch_data->bs_num_env == 1)
- ch_data->bs_amp_res = 0;
-
- if (ch_data->bs_num_env > 4) {
+ bs_num_env = 1 << get_bits(gb, 2);
+ if (bs_num_env > 4) {
av_log(ac->avctx, AV_LOG_ERROR,
"Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n",
- ch_data->bs_num_env);
+ bs_num_env);
return -1;
}
+ ch_data->bs_num_env = bs_num_env;
+ num_rel_lead = ch_data->bs_num_env - 1;
+ if (ch_data->bs_num_env == 1)
+ ch_data->bs_amp_res = 0;
+
ch_data->t_env[0] = 0;
ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;
@@ -688,14 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
abs_bord_trail += get_bits(gb, 2);
num_rel_lead = get_bits(gb, 2);
num_rel_trail = get_bits(gb, 2);
- ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1;
+ bs_num_env = num_rel_lead + num_rel_trail + 1;
- if (ch_data->bs_num_env > 5) {
+ if (bs_num_env > 5) {
av_log(ac->avctx, AV_LOG_ERROR,
"Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n",
- ch_data->bs_num_env);
+ bs_num_env);
return -1;
}
+ ch_data->bs_num_env = bs_num_env;
ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail;
@@ -710,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr,
get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env);
break;
}
+ ch_data->bs_frame_class = bs_frame_class;
av_assert0(bs_pointer >= 0);
if (bs_pointer > ch_data->bs_num_env + 1) {
diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c
index a95c2049..28b31471 100644
--- a/libavcodec/ac3dec.c
+++ b/libavcodec/ac3dec.c
@@ -747,30 +747,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s)
* @param[in] default_band_struct default band structure table
* @param[out] num_bands number of bands (optionally NULL)
* @param[out] band_sizes array containing the number of bins in each band (optionally NULL)
+ * @param[in,out] band_struct current band structure
*/
static void decode_band_structure(GetBitContext *gbc, int blk, int eac3,
int ecpl, int start_subband, int end_subband,
const uint8_t *default_band_struct,
- int *num_bands, uint8_t *band_sizes)
+ int *num_bands, uint8_t *band_sizes,
+ uint8_t *band_struct, int band_struct_size)
{
int subbnd, bnd, n_subbands, n_bands=0;
uint8_t bnd_sz[22];
- uint8_t coded_band_struct[22];
- const uint8_t *band_struct;
n_subbands = end_subband - start_subband;
+ if (!blk)
+ memcpy(band_struct, default_band_struct, band_struct_size);
+
+ av_assert0(band_struct_size >= start_subband + n_subbands);
+
+ band_struct += start_subband + 1;
+
/* decode band structure from bitstream or use default */
if (!eac3 || get_bits1(gbc)) {
for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) {
- coded_band_struct[subbnd] = get_bits1(gbc);
+ band_struct[subbnd] = get_bits1(gbc);
}
- band_struct = coded_band_struct;
- } else if (!blk) {
- band_struct = &default_band_struct[start_subband+1];
- } else {
- /* no change in band structure */
- return;
}
/* calculate number of bands and band sizes based on band structure.
@@ -897,7 +898,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
start_subband, end_subband,
ff_eac3_default_spx_band_struct,
&s->num_spx_bands,
- s->spx_band_sizes);
+ s->spx_band_sizes,
+ s->spx_band_struct, sizeof(s->spx_band_struct));
}
}
if (!s->eac3 || !s->spx_in_use) {
@@ -1031,7 +1033,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband,
cpl_end_subband,
ff_eac3_default_cpl_band_struct,
- &s->num_cpl_bands, s->cpl_band_sizes);
+ &s->num_cpl_bands, s->cpl_band_sizes,
+ s->cpl_band_struct, sizeof(s->cpl_band_struct));
} else {
/* coupling not in use */
for (ch = 1; ch <= fbw_channels; ch++) {
@@ -1331,7 +1334,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk)
for (ch = 1; ch <= s->channels; ch++) {
int audio_channel = 0;
INTFLOAT gain;
- if (s->channel_mode == AC3_CHMODE_DUALMONO)
+ if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2)
audio_channel = 2-ch;
if (s->heavy_compression && s->compression_exists[audio_channel])
gain = s->heavy_dynamic_range[audio_channel];
diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h
index 6cd67c0f..b93f4d0c 100644
--- a/libavcodec/ac3dec.h
+++ b/libavcodec/ac3dec.h
@@ -128,6 +128,7 @@ typedef struct AC3DecodeContext {
int phase_flags_in_use; ///< phase flags in use (phsflginu)
int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg)
int num_cpl_bands; ///< number of coupling bands (ncplbnd)
+ uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS];
uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band
int firstchincpl; ///< first channel in coupling
int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos)
@@ -144,6 +145,7 @@ typedef struct AC3DecodeContext {
int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant)
///< the copy region ends at the start of the spx region.
int num_spx_bands; ///< number of spx bands (nspxbnds)
+ uint8_t spx_band_struct[SPX_MAX_BANDS];
uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band
uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos)
INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact)
diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c
index 32cc0f00..178ea99d 100644
--- a/libavcodec/adxdec.c
+++ b/libavcodec/adxdec.c
@@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset,
s2 = prev->s2;
for (i = 0; i < BLOCK_SAMPLES; i++) {
d = get_sbits(&gb, 4);
- s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
+ s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS;
s2 = s1;
s1 = av_clip_int16(s0);
*out++ = s1;
diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
index 7d0c135c..57aed874 100644
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -262,7 +262,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index,
*lag_frac = pitch_index - (*lag_int << 2) + 136;
} else if (pitch_index < 440) {
*lag_int = (pitch_index + 257 - 376) >> 1;
- *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1;
+ *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2;
/* the actual resolution is 1/2 but expressed as 1/4 */
} else {
*lag_int = pitch_index - 280;
@@ -292,7 +292,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) {
if (pitch_index < 116) {
*lag_int = (pitch_index + 69) >> 1;
- *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1;
+ *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2;
} else {
*lag_int = pitch_index - 24;
*lag_frac = 0;
@@ -302,7 +302,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index,
AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15);
} else {
*lag_int = (pitch_index + 1) >> 1;
- *lag_frac = (pitch_index - (*lag_int << 1)) << 1;
+ *lag_frac = (pitch_index - (*lag_int << 1)) * 2;
*lag_int += *base_lag_int;
}
}
diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
index e5e7f422..10068db1 100644
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -1536,7 +1536,17 @@ enum AVPacketSideDataType {
* should be associated with a video stream and containts data in the form
* of the AVMasteringDisplayMetadata struct.
*/
- AV_PKT_DATA_MASTERING_DISPLAY_METADATA
+ AV_PKT_DATA_MASTERING_DISPLAY_METADATA,
+
+ /**
+ * The number of side data elements (in fact a bit more than it).
+ * This is not part of the public API/ABI in the sense that it may
+ * change when new side data types are added.
+ * This must stay the last enum value.
+ * If its value becomes huge, some code using it
+ * needs to be updated as it assumes it to be smaller than other limits.
+ */
+ AV_PKT_DATA_NB
};
#define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED
diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c
index e5a8bdbe..de20a8b9 100644
--- a/libavcodec/avpacket.c
+++ b/libavcodec/avpacket.c
@@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
AVPacketSideData *tmp;
int elems = pkt->side_data_elems;
- if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data))
+ if ((unsigned)elems + 1 > AV_PKT_DATA_NB)
return AVERROR(ERANGE);
tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp));
@@ -348,6 +348,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type,
return pkt->side_data[i].data;
}
}
+ if (size)
+ *size = 0;
return NULL;
}
@@ -431,6 +433,9 @@ int av_packet_split_side_data(AVPacket *pkt){
p-= size+5;
}
+ if (i > AV_PKT_DATA_NB)
+ return AVERROR(ERANGE);
+
pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data));
if (!pkt->side_data)
return AVERROR(ENOMEM);
diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c
index 97f850db..cf7f0a05 100644
--- a/libavcodec/bmvvideo.c
+++ b/libavcodec/bmvvideo.c
@@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame,
if (src < source || src >= source_end)
return AVERROR_INVALIDDATA;
shift += 2;
- val |= *src << shift;
+ val |= (unsigned)*src << shift;
if (*src & 0xC)
break;
}
diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c
index 10e118e5..8542b124 100644
--- a/libavcodec/cavs.c
+++ b/libavcodec/cavs.c
@@ -613,8 +613,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC,
mv_pred_median(h, mvP, mvA, mvB, mvC);
if (mode < MV_PRED_PSKIP) {
- mvP->x += get_se_golomb(&h->gb);
- mvP->y += get_se_golomb(&h->gb);
+ int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x;
+ int my = get_se_golomb(&h->gb) + (unsigned)mvP->y;
+
+ if (mx != (int16_t)mx || my != (int16_t)my) {
+ av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my);
+ } else {
+ mvP->x = mx;
+ mvP->y = my;
+ }
}
set_mvs(mvP, size);
}
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 73a923df..55e78554 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw,
cavs_vector *col_mv)
{
cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS;
- int den = h->direct_den[col_mv->ref];
+ unsigned den = h->direct_den[col_mv->ref];
int m = FF_SIGNBIT(col_mv->x);
pmv_fw->dist = h->dist[1];
@@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h)
h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0;
if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) {
h->sym_factor = h->dist[0] * h->scale_den[1];
+ if (FFABS(h->sym_factor) > 32768) {
+ av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor);
+ return AVERROR_INVALIDDATA;
+ }
} else {
h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0;
h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0;
diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c
index c8d66b58..78f5d501 100644
--- a/libavcodec/cdxl.c
+++ b/libavcodec/cdxl.c
@@ -275,11 +275,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data,
else
aligned_width = FFALIGN(c->avctx->width, 16);
c->padded_bits = aligned_width - c->avctx->width;
- if (c->video_size < aligned_width * avctx->height * c->bpp / 8)
+ if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8)
return AVERROR_INVALIDDATA;
- if (!encoding && c->palette_size && c->bpp <= 8) {
+ if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) {
avctx->pix_fmt = AV_PIX_FMT_PAL8;
- } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) {
+ } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) {
if (c->palette_size != (1 << (c->bpp - 1)))
return AVERROR_INVALIDDATA;
avctx->pix_fmt = AV_PIX_FMT_BGR24;
diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c
index 1c6902af..97d3ae40 100644
--- a/libavcodec/cllc.c
+++ b/libavcodec/cllc.c
@@ -29,6 +29,10 @@
#include "avcodec.h"
#include "internal.h"
+#define VLC_BITS 7
+#define VLC_DEPTH 2
+
+
typedef struct CLLCContext {
AVCodecContext *avctx;
BswapDSPContext bdsp;
@@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)
num_lens = get_bits(gb, 5);
+ if (num_lens > VLC_BITS * VLC_DEPTH) {
+ vlc->table = NULL;
+
+ av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens);
+ return AVERROR_INVALIDDATA;
+ }
+
for (i = 0; i < num_lens; i++) {
num_codes = get_bits(gb, 9);
num_codes_sum += num_codes;
@@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc)
count++;
}
+ if (prefix > (65535 - 256)/2) {
+ vlc->table = NULL;
+ return AVERROR_INVALIDDATA;
+ }
prefix <<= 1;
}
- return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1,
+ return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1,
codes, 2, 2, symbols, 1, 1, 0);
}
@@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
for (i = 0; i < ctx->avctx->width; i++) {
/* Always get the alpha component */
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc[0].table, 7, 2);
+ GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH);
pred[0] += code;
dst[0] = pred[0];
@@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left,
if (dst[0]) {
/* Red */
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc[1].table, 7, 2);
+ GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH);
pred[1] += code;
dst[1] = pred[1];
/* Green */
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc[2].table, 7, 2);
+ GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH);
pred[2] += code;
dst[2] = pred[2];
/* Blue */
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc[3].table, 7, 2);
+ GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH);
pred[3] += code;
dst[3] = pred[3];
@@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb,
/* Simultaneously read and restore the line */
for (i = 0; i < ctx->avctx->width; i++) {
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc->table, 7, 2);
+ GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);
pred += code;
dst[0] = pred;
@@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb,
/* Simultaneously read and restore the line */
for (i = 0; i < ctx->avctx->width >> is_chroma; i++) {
UPDATE_CACHE(bits, gb);
- GET_VLC(code, bits, gb, vlc->table, 7, 2);
+ GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH);
pred += code;
outbuf[i] = pred;
diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c
index 1cd2e4ed..4cb7fab9 100644
--- a/libavcodec/dcadsp.c
+++ b/libavcodec/dcadsp.c
@@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le
int i;
for (i = 0; i < len; i++)
- dst[i] -= mul15(src[i], coeff);
+ dst[i] -= (unsigned)mul15(src[i], coeff);
}
static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
diff --git a/libavcodec/dds.c b/libavcodec/dds.c
index fa0f34d7..02d53d58 100644
--- a/libavcodec/dds.c
+++ b/libavcodec/dds.c
@@ -39,7 +39,7 @@
#define DDPF_FOURCC (1 << 2)
#define DDPF_PALETTE (1 << 5)
-#define DDPF_NORMALMAP (1 << 31)
+#define DDPF_NORMALMAP (1U << 31)
enum DDSPostProc {
DDS_NONE = 0,
@@ -722,7 +722,7 @@ static int dds_decode(AVCodecContext *avctx, void *data,
(frame->data[1][2+i*4]<<0)+
(frame->data[1][1+i*4]<<8)+
(frame->data[1][0+i*4]<<16)+
- (frame->data[1][3+i*4]<<24)
+ ((unsigned)frame->data[1][3+i*4]<<24)
);
frame->palette_has_changed = 1;
diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index f45d019a..3ea12f05 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height
const uint8_t *frame_start = frame;
const uint8_t *frame_end = frame + width * height;
int mask = 0x10000, bitbuf = 0;
- int v, count, segments;
+ int v, count;
+ unsigned segments;
unsigned offset;
segments = bytestream2_get_le32(gb);
@@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
return AVERROR_INVALIDDATA;
frame += v;
} else {
- if (frame_end - frame < width + 3)
+ if (frame_end - frame < width + 4)
return AVERROR_INVALIDDATA;
frame[0] = frame[1] =
frame[width] = frame[width + 1] = bytestream2_get_byte(gb);
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index e0604af1..f334f313 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -2041,9 +2041,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame)
if (out) {
out->reference ^= DELAYED_PIC_REF;
- *got_frame = 1;
if((ret = av_frame_ref(picture, out->avframe)) < 0)
return ret;
+ *got_frame = 1;
}
return 0;
diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c
index 033b8ee7..4f9bbcee 100644
--- a/libavcodec/dnxhd_parser.c
+++ b/libavcodec/dnxhd_parser.c
@@ -31,8 +31,24 @@ typedef struct {
ParseContext pc;
int interlaced;
int cur_field; /* first field is 0, second is 1 */
+ int cur_byte;
+ int remaining;
+ int w, h;
} DNXHDParserContext;
+static int dnxhd_get_hr_frame_size(int cid, int w, int h)
+{
+ int result, i = ff_dnxhd_get_cid_table(cid);
+
+ if (i < 0)
+ return i;
+
+ result = ((h + 15) / 16) * ((w + 15) / 16) * ff_dnxhd_cid_table[i].packet_scale.num / ff_dnxhd_cid_table[i].packet_scale.den;
+ result = (result + 2048) / 4096 * 4096;
+
+ return FFMAX(result, 8192);
+}
+
static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
const uint8_t *buf, int buf_size)
{
@@ -51,30 +67,65 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx,
pic_found = 1;
interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
cur_field = state&1;
+ dctx->cur_byte = 0;
+ dctx->remaining = 0;
break;
}
}
}
- if (pic_found) {
+ if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
+ dctx->cur_byte++;
state = (state << 8) | buf[i];
- if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
- if (!interlaced || dctx->cur_field) {
+
+ if (dctx->cur_byte == 24) {
+ dctx->h = (state >> 32) & 0xFFFF;
+ } else if (dctx->cur_byte == 26) {
+ dctx->w = (state >> 32) & 0xFFFF;
+ } else if (dctx->cur_byte == 42) {
+ int cid = (state >> 32) & 0xFFFFFFFF;
+
+ if (cid <= 0)
+ continue;
+
+ dctx->remaining = avpriv_dnxhd_get_frame_size(cid);
+ if (dctx->remaining <= 0) {
+ dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h);
+ if (dctx->remaining <= 0)
+ return dctx->remaining;
+ }
+ if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) {
+ int remaining = dctx->remaining;
+
pc->frame_start_found = 0;
pc->state64 = -1;
dctx->interlaced = interlaced;
dctx->cur_field = 0;
- return i - 5;
+ dctx->cur_byte = 0;
+ dctx->remaining = 0;
+ return remaining;
} else {
- /* continue, to get the second field */
- dctx->interlaced = interlaced = (state&2)>>1;
- dctx->cur_field = cur_field = state&1;
+ dctx->remaining -= buf_size;
}
}
}
+ } else if (pic_found) {
+ if (dctx->remaining > buf_size) {
+ dctx->remaining -= buf_size;
+ } else {
+ int remaining = dctx->remaining;
+
+ pc->frame_start_found = 0;
+ pc->state64 = -1;
+ dctx->interlaced = interlaced;
+ dctx->cur_field = 0;
+ dctx->cur_byte = 0;
+ dctx->remaining = 0;
+ return remaining;
+ }
}
pc->frame_start_found = pic_found;
pc->state64 = state;
diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c
index ddea4830..14025fcd 100644
--- a/libavcodec/dss_sp.c
+++ b/libavcodec/dss_sp.c
@@ -33,7 +33,7 @@
#define DSS_SP_FRAME_SIZE 42
#define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES)
-#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15)
+#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15)
typedef struct DssSpSubframe {
int16_t gain;
@@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size)
vec[i] = vec[i] >> -bits;
else
for (i = 0; i < size; i++)
- vec[i] = vec[i] << bits;
+ vec[i] = vec[i] * (1 << bits);
}
static void dss_sp_update_buf(int32_t *hist, int32_t *vector)
@@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf,
tmp = dst[a] * filter_buf[0];
for (i = 14; i > 0; i--)
- tmp -= error_buf[i] * filter_buf[i];
+ tmp -= error_buf[i] * (unsigned)filter_buf[i];
for (i = 14; i > 0; i--)
error_buf[i] = error_buf[i - 1];
- tmp = (tmp + 4096) >> 13;
+ tmp = (int)(tmp + 4096U) >> 13;
error_buf[1] = tmp;
diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index bf3b1a10..9525cb78 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -24,6 +24,7 @@
#include "bytestream.h"
#include "internal.h"
#include "libavutil/colorspace.h"
+#include "libavutil/imgutils.h"
#include "libavutil/opt.h"
#define DVBSUB_PAGE_SEGMENT 0x10
@@ -1217,9 +1218,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
}
- if (depth & 0x80)
+ if (depth & 0x80 && entry_id < 4)
clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha);
- else if (depth & 0x40)
+ else if (depth & 0x40 && entry_id < 16)
clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha);
else if (depth & 0x20)
clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha);
@@ -1242,6 +1243,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
DVBSubObject *object;
DVBSubObjectDisplay *display;
int fill;
+ int ret;
if (buf_size < 10)
return AVERROR_INVALIDDATA;
@@ -1270,6 +1272,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
region->height = AV_RB16(buf);
buf += 2;
+ ret = av_image_check_size(region->width, region->height, 0, avctx);
+ if (ret < 0) {
+ region->width= region->height= 0;
+ return ret;
+ }
+
if (region->width * region->height != region->buf_size) {
av_free(region->pbuf);
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index e91d63ea..0c73fb2b 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t *
cb = *ycbcr++;
YUV_TO_RGB1_CCIR(cb, cr);
YUV_TO_RGB2_CCIR(r, g, b, y);
- *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b;
+ *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b;
}
}
@@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx,
r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
b = (((subtitle_color >> 0) & 0xff) * level) >> 8;
- rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24);
+ rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24);
color_used[colormap[i]] = (i + 1);
j++;
} else {
rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) |
- ((alpha[i] * 17) << 24);
+ ((alpha[i] * 17U) << 24);
}
}
}
diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c
index 83a54bcf..c971879b 100644
--- a/libavcodec/eac3dec.c
+++ b/libavcodec/eac3dec.c
@@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
/* Vector Quantization */
int v = get_bits(gbc, bits);
for (blk = 0; blk < 6; blk++) {
- s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8;
+ s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8);
}
} else {
/* Gain Adaptive Quantization */
@@ -271,16 +271,16 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
int b;
int mbits = bits - (2 - log_gain);
mant = get_sbits(gbc, mbits);
- mant <<= (23 - (mbits - 1));
+ mant = ((unsigned)mant) << (23 - (mbits - 1));
/* remap mantissa value to correct for asymmetric quantization */
if (mant >= 0)
b = 1 << (23 - log_gain);
else
- b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8;
+ b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8);
mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b;
} else {
/* small mantissa, no GAQ, or Gk=1 */
- mant <<= 24 - bits;
+ mant *= (1 << 24 - bits);
if (!log_gain) {
/* remap mantissa value for no GAQ or Gk=1 */
mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15;
diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c
index bb0f0053..c28fd11d 100644
--- a/libavcodec/eamad.c
+++ b/libavcodec/eamad.c
@@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx,
if (avctx->width != width || avctx->height != height) {
av_frame_unref(s->last_frame);
- if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb))
+ if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb))
return AVERROR_INVALIDDATA;
if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
return ret;
diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c
index 8fd5cdb1..92b23d00 100644
--- a/libavcodec/eatqi.c
+++ b/libavcodec/eatqi.c
@@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame,
static void tqi_calculate_qtable(TqiContext *t, int quant)
{
- const int qscale = (215 - 2*quant)*5;
+ const int64_t qscale = (215 - 2*quant)*5;
int i;
t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11;
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index bc7e7218..47d30fa8 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -218,9 +218,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf)
*
* @return normalized 16-bit unsigned int
*/
-static inline uint16_t exr_flt2uint(uint32_t v)
+static inline uint16_t exr_flt2uint(int32_t v)
{
- unsigned int exp = v >> 23;
+ int32_t exp = v >> 23;
// "HACK": negative values result in exp< 0, so clipping them to 0
// is also handled by this condition, avoids explicit check for sign bit.
if (exp <= 127 + 7 - 24) // we would shift out all bits anyway
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index d8f35c34..a57ec536 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
if (get_rac(c, state + 0))
return 0;
else {
- int i, e, a;
+ int i, e;
+ unsigned a;
e = 0;
while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
e++;
@@ -883,7 +884,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
const uint8_t *src[4];
uint8_t *dst[4];
ff_thread_await_progress(&f->last_picture, INT_MAX, 0);
- for (j = 0; j < 4; j++) {
+ for (j = 0; j < desc->nb_components; j++) {
int pixshift = desc->comp[j].depth > 8;
int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0;
int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0;
@@ -891,6 +892,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
(fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] *
(fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift);
+
+ }
+ if (desc->flags & AV_PIX_FMT_FLAG_PAL ||
+ desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) {
+ dst[1] = p->data[1];
+ src[1] = f->last_picture.f->data[1];
}
av_image_copy(dst, p->linesize, src,
f->last_picture.f->linesize,
diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index d3952a4c..1e28f59d 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -94,8 +94,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd
const int t7 = t3 - t1;
const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step];
const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step];
- const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd;
- const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd;
+ const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd;
+ const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd;
blk[0 * step] = ( t4 + t9 + tB) >> shift;
blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift;
blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift;
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 4dde0e05..c372c1b9 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
buf += 4;
do {
if (buf_end - buf < 4)
- return 0;
+ return AVERROR_INVALIDDATA;
flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
buf += 4;
if (buf_end - buf < metadata_size) {
/* need more data in order to read the complete header */
- return 0;
+ return AVERROR_INVALIDDATA;
}
buf += metadata_size;
} while (!metadata_last);
diff --git a/libavcodec/g722.c b/libavcodec/g722.c
index ee3b85f8..ef7ca6d4 100644
--- a/libavcodec/g722.c
+++ b/libavcodec/g722.c
@@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band)
ACCUM(3, band->diff_mem[2], 1);
ACCUM(2, band->diff_mem[1], 1);
ACCUM(1, band->diff_mem[0], 1);
- ACCUM(0, cur_diff << 1, 1);
+ ACCUM(0, cur_diff * 2, 1);
} else {
ACCUM(5, band->diff_mem[4], 0);
ACCUM(4, band->diff_mem[3], 0);
ACCUM(3, band->diff_mem[2], 0);
ACCUM(2, band->diff_mem[1], 0);
ACCUM(1, band->diff_mem[0], 0);
- ACCUM(0, cur_diff << 1, 0);
+ ACCUM(0, cur_diff * 2, 0);
}
#undef ACCUM
band->s_zero = s_zero;
@@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff)
band->part_reconst_mem[0] = cur_part_reconst;
band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) +
- (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);
+ (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288);
limit = 15360 - band->pole_mem[1];
band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit);
s_zero(cur_diff, band);
- cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1);
+ cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2);
band->s_predictor = av_clip_int16(band->s_zero +
(band->pole_mem[0] * cur_qtzd_reconst >> 15) +
(band->pole_mem[1] * band->prev_qtzd_reconst >> 15));
diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c
index a11fec8a..78ce9222 100644
--- a/libavcodec/g723_1.c
+++ b/libavcodec/g723_1.c
@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
bits= FFMAX(bits, 0);
for (i = 0; i < length; i++)
- dst[i] = vector[i] << bits >> 3;
+ dst[i] = (vector[i] * (1 << bits)) >> 3;
return bits - 3;
}
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
for (j = 0; j < LPC_ORDER; j++) {
int index = (lpc[j] >> 7) & 0x1FF;
int offset = lpc[j] & 0x7f;
- int temp1 = cos_tab[index] << 16;
+ int temp1 = cos_tab[index] * (1 << 16);
int temp2 = (cos_tab[index + 1] - cos_tab[index]) *
- ((offset << 8) + 0x80) << 1;
+ (((offset << 8) + 0x80) << 1);
lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
}
@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
*/
/* Initialize with values in Q28 */
f1[0] = 1 << 28;
- f1[1] = (lpc[0] << 14) + (lpc[2] << 14);
+ f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
f1[2] = lpc[0] * lpc[2] + (2 << 28);
f2[0] = 1 << 28;
- f2[1] = (lpc[1] << 14) + (lpc[3] << 14);
+ f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
f2[2] = lpc[1] * lpc[3] + (2 << 28);
/*
@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)
f1[0] >>= 1;
f2[0] >>= 1;
- f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1;
- f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1;
+ f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1;
+ f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
}
/* Convert polynomial coefficients to LPC coefficients */
@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
int64_t ff1 = f1[i + 1] + f1[i];
int64_t ff2 = f2[i + 1] - f2[i];
- lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16;
- lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) +
+ lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
+ lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
(1 << 15)) >> 16;
}
}
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 40d6e700..f833af01 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -55,7 +55,7 @@
* @param b 16 bit multiplier
*/
#define MULL2(a, b) \
- ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15))
+ ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))
/**
* G723.1 frame types
diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c
index e9896b5e..aaa26c24 100644
--- a/libavcodec/g723_1dec.c
+++ b/libavcodec/g723_1dec.c
@@ -488,7 +488,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
(FRAME_LEN - lag) * sizeof(*out));
} else { /* Unvoiced */
for (i = 0; i < FRAME_LEN; i++) {
- *rseed = *rseed * 521 + 259;
+ *rseed = (int16_t)(*rseed * 521 + 259);
out[i] = gain * *rseed >> 15;
}
memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf));
@@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
(iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
}\
\
- (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\
+ (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
(1 << 15)) >> res_shift;\
}\
}
@@ -664,7 +664,7 @@ static int estimate_sid_gain(G723_1_Context *p)
t = p->sid_gain << shift;
else
t = p->sid_gain >> -shift;
- x = t * cng_filt[0] >> 16;
+ x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);
if (x >= cng_bseg[2])
return 0x3F;
@@ -695,13 +695,13 @@ static int estimate_sid_gain(G723_1_Context *p)
if (y <= 0) {
t = seg * 32 + (val + 1 << seg2);
t = t * t - x;
- val = (seg2 - 1 << 4) + val;
+ val = (seg2 - 1) * 16 + val;
if (t >= y)
val++;
} else {
t = seg * 32 + (val - 1 << seg2);
t = t * t - x;
- val = (seg2 - 1 << 4) + val;
+ val = (seg2 - 1) * 16 + val;
if (t >= y)
val--;
}
@@ -733,7 +733,7 @@ static void generate_noise(G723_1_Context *p)
off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN;
t >>= 2;
for (j = 0; j < 11; j++) {
- signs[i * 11 + j] = (t & 1) * 2 - 1 << 14;
+ signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14);
t >>= 1;
}
}
@@ -777,7 +777,7 @@ static void generate_noise(G723_1_Context *p)
sum = 0;
if (shift < 0) {
for (j = 0; j < SUBFRAME_LEN * 2; j++) {
- t = vector_ptr[j] << -shift;
+ t = vector_ptr[j] * (1 << -shift);
sum += t * t;
tmp[j] = t;
}
@@ -815,7 +815,7 @@ static void generate_noise(G723_1_Context *p)
if (shift < 0)
x >>= -shift;
else
- x <<= shift;
+ x *= 1 << shift;
x = av_clip(x, -10000, 10000);
for (j = 0; j < 11; j++) {
@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
&p->subframe[i], p->cur_rate);
/* Get the total excitation */
for (j = 0; j < SUBFRAME_LEN; j++) {
- int v = av_clip_int16(vector_ptr[j] << 1);
+ int v = av_clip_int16(vector_ptr[j] * 2);
vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
}
vector_ptr += SUBFRAME_LEN;
diff --git a/libavcodec/g726.c b/libavcodec/g726.c
index ca7f856e..6922b40f 100644
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I)
c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]);
c->se >>= 1;
- return av_clip(re_signal << 2, -0xffff, 0xffff);
+ return av_clip(re_signal * 4, -0xffff, 0xffff);
}
static av_cold int g726_reset(G726Context *c)
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index fe83425d..17a4bdad 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1743,7 +1743,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl,
while( j-- ) { \
coeff_abs += coeff_abs + get_cabac_bypass( CC ); \
} \
- coeff_abs+= 14; \
+ coeff_abs+= 14U; \
} \
\
if( is_dc ) { \
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 069b5212..72dfaaab 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -1112,7 +1112,7 @@ decode_intra_mb:
dquant= get_se_golomb(&sl->gb);
- sl->qscale += dquant;
+ sl->qscale += (unsigned)dquant;
if (((unsigned)sl->qscale) > max_qp){
if (sl->qscale < 0) sl->qscale += max_qp + 1;
diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c
index 107c905d..cbb84665 100644
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -614,7 +614,7 @@ single_col:
{
const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride];
- int my_col = (mv_col[1] << y_shift) / 2;
+ int my_col = (mv_col[1] * (1 << y_shift)) / 2;
int mx = (scale * mv_col[0] + 128) >> 8;
int my = (scale * my_col + 128) >> 8;
fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8,
diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h
index 24f250d7..bf395e3f 100644
--- a/libavcodec/h264_mvpred.h
+++ b/libavcodec/h264_mvpred.h
@@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon
}
if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) {
// left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK.
- SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3);
+ SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3);
}
}
#undef SET_DIAG_MV
@@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h,
if (IS_INTERLACED(type)) { \
refn >>= 1; \
AV_COPY32(mvbuf[idx], mvn); \
- mvbuf[idx][1] <<= 1; \
+ mvbuf[idx][1] *= 2; \
mvn = mvbuf[idx]; \
} \
} \
diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index 0c873196..ea202e75 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -59,6 +59,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
if (luma_weight_flag) {
pwt->luma_weight[i][list][0] = get_se_golomb(gb);
pwt->luma_weight[i][list][1] = get_se_golomb(gb);
+ if ((int8_t)pwt->luma_weight[i][list][0] != pwt->luma_weight[i][list][0] ||
+ (int8_t)pwt->luma_weight[i][list][1] != pwt->luma_weight[i][list][1])
+ goto out_range_weight;
if (pwt->luma_weight[i][list][0] != luma_def ||
pwt->luma_weight[i][list][1] != 0) {
pwt->use_weight = 1;
@@ -76,6 +79,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
for (j = 0; j < 2; j++) {
pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb);
pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb);
+ if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] ||
+ (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1])
+ goto out_range_weight;
if (pwt->chroma_weight[i][list][j][0] != chroma_def ||
pwt->chroma_weight[i][list][j][1] != 0) {
pwt->use_weight_chroma = 1;
@@ -104,6 +110,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
}
pwt->use_weight = pwt->use_weight || pwt->use_weight_chroma;
return 0;
+out_range_weight:
+ avpriv_request_sample(logctx, "Out of range weight\n");
+ return AVERROR_INVALIDDATA;
}
/**
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 4a5f66e1..41e63c74 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -812,8 +812,8 @@ int ff_h264_decode_picture_parameter_set(GetBitContext *gb, AVCodecContext *avct
pps->weighted_pred = get_bits1(gb);
pps->weighted_bipred_idc = get_bits(gb, 2);
- pps->init_qp = get_se_golomb(gb) + 26 + qp_bd_offset;
- pps->init_qs = get_se_golomb(gb) + 26 + qp_bd_offset;
+ pps->init_qp = get_se_golomb(gb) + 26U + qp_bd_offset;
+ pps->init_qs = get_se_golomb(gb) + 26U + qp_bd_offset;
pps->chroma_qp_index_offset[0] = get_se_golomb(gb);
pps->deblocking_filter_parameters_present = get_bits1(gb);
pps->constrained_intra_pred = get_bits1(gb);
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 8aaa3704..b47d9570 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1684,9 +1684,12 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl,
}
if ((pps->weighted_pred && sl->slice_type_nos == AV_PICTURE_TYPE_P) ||
(pps->weighted_bipred_idc == 1 &&
- sl->slice_type_nos == AV_PICTURE_TYPE_B))
- ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count,
+ sl->slice_type_nos == AV_PICTURE_TYPE_B)) {
+ ret = ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count,
sl->slice_type_nos, &sl->pwt, h->avctx);
+ if (ret < 0)
+ return ret;
+ }
sl->explicit_ref_marking = 0;
if (nal->ref_idc) {
diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index 5cf5fcfe..80dc6b5d 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -68,11 +68,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64],
memset(block, 0, 64 * sizeof(*block));
if (!is_hqa) {
- block[0] = get_sbits(gb, 9) << 6;
+ block[0] = get_sbits(gb, 9) * 64;
q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
} else {
q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)];
- block[0] = get_sbits(gb, 9) << 6;
+ block[0] = get_sbits(gb, 9) * 64;
}
for (;;) {
diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c
index feff9c0b..7f8044e4 100644
--- a/libavcodec/hqxdsp.c
+++ b/libavcodec/hqxdsp.c
@@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant)
s6 = (int) blk[6 * 8] * quant[6 * 8];
s7 = (int) blk[7 * 8] * quant[7 * 8];
- t0 = (s3 * 19266 + s5 * 12873) >> 15;
- t1 = (s5 * 19266 - s3 * 12873) >> 15;
- t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0;
- t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1;
+ t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15;
+ t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15;
+ t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0;
+ t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1;
t4 = t0 * 2 + t2;
t5 = t1 * 2 + t3;
t6 = t2 - t3;
t7 = t3 * 2 + t6;
- t8 = (t6 * 11585) >> 14;
- t9 = (t7 * 11585) >> 14;
- tA = (s2 * 8867 - s6 * 21407) >> 14;
- tB = (s6 * 8867 + s2 * 21407) >> 14;
+ t8 = (int)(t6 * 11585U) >> 14;
+ t9 = (int)(t7 * 11585U) >> 14;
+ tA = (int)(s2 * 8867U - s6 * 21407U) >> 14;
+ tB = (int)(s6 * 8867U + s2 * 21407U) >> 14;
tC = (s0 >> 1) - (s4 >> 1);
tD = (s4 >> 1) * 2 + tC;
tE = tC - (tA >> 1);
diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c
index a2cd40fa..16295daa 100644
--- a/libavcodec/htmlsubtitles.c
+++ b/libavcodec/htmlsubtitles.c
@@ -46,11 +46,12 @@ typedef struct SrtStack {
static void rstrip_spaces_buf(AVBPrint *buf)
{
- while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
- buf->str[--buf->len] = 0;
+ if (av_bprint_is_complete(buf))
+ while (buf->len > 0 && buf->str[buf->len - 1] == ' ')
+ buf->str[--buf->len] = 0;
}
-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
{
char *param, buffer[128], tmp[128];
int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0;
@@ -146,7 +147,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
if (stack[sptr].param[i][0])
av_bprintf(dst, "%s", stack[sptr].param[i]);
}
- } else if (!tagname[1] && strspn(tagname, "bisu") == 1) {
+ } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) {
av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close);
} else {
unknown = 1;
@@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in)
line_start = 0;
}
+ if (!av_bprint_is_complete(dst))
+ return AVERROR(ENOMEM);
+
while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2))
dst->len -= 2;
dst->str[dst->len] = 0;
rstrip_spaces_buf(dst);
+
+ return 0;
}
diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h
index e10cdda2..f3a8ef5d 100644
--- a/libavcodec/htmlsubtitles.h
+++ b/libavcodec/htmlsubtitles.h
@@ -23,6 +23,6 @@
#include "libavutil/bprint.h"
-void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);
+int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in);
#endif /* AVCODEC_HTMLSUBTITLES_H */
diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index c8984523..4971b843 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
for (i = 0; i < c * 2; i++)
dst[out++] = 0x80;
} else { /* copy two values from table */
+ if (c <= 0)
+ return AVERROR_INVALIDDATA;
dst[out++] = table[c * 2];
dst[out++] = table[(c * 2) + 1];
}
@@ -77,6 +79,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
for (j = 1; j < height; j++) {
out = 0;
+ if (get_bits_left(&ctx->gb) <= 0)
+ return AVERROR_INVALIDDATA;
while (out < width) {
int c = ir2_get_code(&ctx->gb);
if (c >= 0x80) { /* we have a skip */
@@ -88,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst
out++;
}
} else { /* add two deltas from table */
- int t = dst[out - pitch] + (table[c * 2] - 128);
+ int t;
+ if (c <= 0)
+ return AVERROR_INVALIDDATA;
+ t = dst[out - pitch] + (table[c * 2] - 128);
t = av_clip_uint8(t);
dst[out] = t;
out++;
@@ -116,12 +123,16 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_
for (j = 0; j < height; j++) {
out = 0;
+ if (get_bits_left(&ctx->gb) <= 0)
+ return AVERROR_INVALIDDATA;
while (out < width) {
c = ir2_get_code(&ctx->gb);
if (c >= 0x80) { /* we have a skip */
c -= 0x7F;
out += c * 2;
} else { /* add two deltas from table */
+ if (c <= 0)
+ return AVERROR_INVALIDDATA;
t = dst[out] + (((table[c * 2] - 128)*3) >> 2);
t = av_clip_uint8(t);
dst[out] = t;
diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c
index 5e3c0eac..228f6ace 100644
--- a/libavcodec/ituh263dec.c
+++ b/libavcodec/ituh263dec.c
@@ -524,7 +524,7 @@ retry:
}else{
level = SHOW_UBITS(re, &s->gb, 5);
SKIP_CACHE(re, &s->gb, 5);
- level |= SHOW_SBITS(re, &s->gb, 6)<<5;
+ level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5);
SKIP_COUNTER(re, &s->gb, 5 + 6);
}
}
diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c
index 52112695..2cfccf82 100644
--- a/libavcodec/ivi_dsp.c
+++ b/libavcodec/ivi_dsp.c
@@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst,
#define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\
d1, d2, d3, d4, d5, d6, d7, d8,\
t0, t1, t2, t3, t4, t5, t6, t7, t8) {\
- t1 = (s1) << 1; t5 = (s5) << 1;\
+ t1 = (s1) * 2; t5 = (s5) * 2;\
IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\
IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\
IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\
@@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch,
if (flags[i]) {
/* pre-scaling */
shift = !(i & 4);
- sp1 = src[ 0] << shift;
- sp2 = src[ 8] << shift;
- sp3 = src[16] << shift;
- sp4 = src[24] << shift;
+ sp1 = src[ 0] * (1 << shift);
+ sp2 = src[ 8] * (1 << shift);
+ sp3 = src[16] * (1 << shift);
+ sp4 = src[24] * (1 << shift);
INV_HAAR8( sp1, sp2, sp3, sp4,
src[32], src[40], src[48], src[56],
dst[ 0], dst[ 8], dst[16], dst[24],
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index 93d13448..2ad6c61c 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa)
static uint8_t lag_calc_zero_run(int8_t x)
{
- return (x << 1) ^ (x >> 7);
+ return (x * 2) ^ (x >> 7);
}
static int lag_decode_prob(GetBitContext *gb, uint32_t *value)
@@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
}
scale_factor++;
- cumulative_target = 1 << scale_factor;
+ if (scale_factor >= 32U)
+ return AVERROR_INVALIDDATA;
+ cumulative_target = 1U << scale_factor;
if (scaled_cumul_prob > cumulative_target) {
av_log(rac->avctx, AV_LOG_ERROR,
diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c
index 1cc4ca47..8e28aa04 100644
--- a/libavcodec/mdec.c
+++ b/libavcodec/mdec.c
@@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
if (diff >= 0xffff)
return AVERROR_INVALIDDATA;
a->last_dc[component] += diff;
- block[0] = a->last_dc[component] << 3;
+ block[0] = a->last_dc[component] * (1 << 3);
}
i = 0;
@@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n)
j = scantable[i];
if (level < 0) {
level = -level;
- level = (level * qscale * quant_matrix[j]) >> 3;
+ level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
level = (level - 1) | 1;
level = -level;
} else {
- level = (level * qscale * quant_matrix[j]) >> 3;
+ level = (level * (unsigned)qscale * quant_matrix[j]) >> 3;
level = (level - 1) | 1;
}
}
diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c
index 06fb393b..ce649c60 100644
--- a/libavcodec/mimic.c
+++ b/libavcodec/mimic.c
@@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale)
coeff = vlcdec_lookup[num_bits][value];
if (pos < 3)
- coeff <<= 4;
+ coeff *= 16;
else /* TODO Use >> 10 instead of / 1001 */
coeff = (coeff * qscale) / 1001;
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 4f23fc9d..f2feac02 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -753,7 +753,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
int16_t *quant_matrix,
int ss, int se, int Al, int *EOBRUN)
{
- int code, i, j, level, val, run;
+ int code, i, j, val, run;
+ unsigned level;
if (*EOBRUN) {
(*EOBRUN)--;
@@ -1137,7 +1138,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
if (s->interlaced && s->bottom_field)
ptr += linesize >> 1;
pred &= mask;
- *ptr= pred + (dc << point_transform);
+ *ptr= pred + ((unsigned)dc << point_transform);
}else{
ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap
if(y==0 && toprow){
@@ -1157,7 +1158,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
if (s->interlaced && s->bottom_field)
ptr16 += linesize >> 1;
pred &= mask;
- *ptr16= pred + (dc << point_transform);
+ *ptr16= pred + ((unsigned)dc << point_transform);
}
if (++x == h) {
x = 0;
@@ -1196,13 +1197,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor);
pred &= mask;
- *ptr = pred + (dc << point_transform);
+ *ptr = pred + ((unsigned)dc << point_transform);
}else{
ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap
PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor);
pred &= mask;
- *ptr16= pred + (dc << point_transform);
+ *ptr16= pred + ((unsigned)dc << point_transform);
}
if (++x == h) {
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index c93b058d..fa4347fb 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp,
result = (result << lsb_bits) + get_bits(gbp, lsb_bits);
result += cp->sign_huff_offset;
- result <<= quant_step_size;
+ result *= 1 << quant_step_size;
m->sample_buffer[pos + s->blockpos][channel] = result;
}
@@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
}
for (i = 0; i < order; i++)
- fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift;
+ fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift);
if (get_bits1(gbp)) {
int state_bits, state_shift;
@@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr)
for (i = 0; i < s->blockpos; i++) {
uint16_t seed_shr7 = seed >> 7;
- m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift;
- m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift;
+ m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift);
+ m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift);
seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5);
}
@@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data,
substr_header_size += 2;
}
+ if (length < header_size + substr_header_size) {
+ av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n");
+ goto error;
+ }
+
if (!(nonrestart_substr ^ m->is_major_sync_unit)) {
av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n");
goto error;
diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index 3ae8c377..2fc453c1 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
for (i = 0; i < blockpos; i++) {
for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) {
int mat_ch = ch_assign[out_ch];
- int32_t sample = sample_buffer[i][mat_ch]
- << output_shift[mat_ch];
+ int32_t sample = sample_buffer[i][mat_ch] *
+ (1 << output_shift[mat_ch]);
lossless_check_data ^= (sample & 0xffffff) << mat_ch;
if (is32)
*data_32++ = sample << 8;
diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index ac8160da..132b6b04 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -497,7 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s,
dc = s->last_dc[component];
dc += diff;
s->last_dc[component] = dc;
- block[0] = dc << (3 - s->intra_dc_precision);
+ block[0] = dc * (1 << (3 - s->intra_dc_precision));
ff_tlog(s->avctx, "dc=%d\n", block[0]);
mismatch = block[0] ^ 1;
i = 0;
@@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
s->last_mv[i][0][1]);
/* full_pel: only for MPEG-1 */
if (s->full_pel[i]) {
- s->mv[i][0][0] <<= 1;
- s->mv[i][0][1] <<= 1;
+ s->mv[i][0][0] *= 2;
+ s->mv[i][0][1] *= 2;
}
}
}
@@ -948,8 +948,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
dmy = get_dmv(s);
- s->last_mv[i][0][1] = my << my_shift;
- s->last_mv[i][1][1] = my << my_shift;
+ s->last_mv[i][0][1] = my * (1 << my_shift);
+ s->last_mv[i][1][1] = my * (1 << my_shift);
s->mv[i][0][0] = mx;
s->mv[i][0][1] = my;
@@ -994,7 +994,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64])
cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1);
if (mb_block_count > 6) {
- cbp <<= mb_block_count - 6;
+ cbp *= 1 << mb_block_count - 6;
cbp |= get_bits(&s->gb, mb_block_count - 6);
s->bdsp.clear_blocks(s->block[6]);
}
@@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx)
if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) {
// MPEG-1 aspect
- avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+ AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255);
+ avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num };
} else { // MPEG-2
// MPEG-2 aspect
if (s->aspect_ratio_info > 1) {
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 0e0cf276..aa0bb654 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
int min_ab, i, w2, h2, w3, h3;
int sprite_ref[4][2];
int virtual_ref[2][2];
+ int64_t sprite_offset[2][2];
// only true for rectangle shapes
const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 },
@@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
switch (ctx->num_sprite_warping_points) {
case 0:
- s->sprite_offset[0][0] =
- s->sprite_offset[0][1] =
- s->sprite_offset[1][0] =
- s->sprite_offset[1][1] = 0;
+ sprite_offset[0][0] =
+ sprite_offset[0][1] =
+ sprite_offset[1][0] =
+ sprite_offset[1][1] = 0;
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] =
s->sprite_delta[1][0] = 0;
@@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
ctx->sprite_shift[1] = 0;
break;
case 1: // GMC only
- s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0];
- s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1];
- s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
+ sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0];
+ sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1];
+ sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) -
a * (vop_ref[0][0] / 2);
- s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
+ sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) -
a * (vop_ref[0][1] / 2);
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] =
@@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
ctx->sprite_shift[1] = 0;
break;
case 2:
- s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) +
+ sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) +
(-r * sprite_ref[0][0] + virtual_ref[0][0]) *
(-vop_ref[0][0]) +
(r * sprite_ref[0][1] - virtual_ref[0][1]) *
(-vop_ref[0][1]) + (1 << (alpha + rho - 1));
- s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) +
+ sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) +
(-r * sprite_ref[0][1] + virtual_ref[0][1]) *
(-vop_ref[0][0]) +
(-r * sprite_ref[0][0] + virtual_ref[0][0]) *
(-vop_ref[0][1]) + (1 << (alpha + rho - 1));
- s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
+ sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) *
(-2 * vop_ref[0][0] + 1) +
(r * sprite_ref[0][1] - virtual_ref[0][1]) *
(-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1)));
- s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
+ sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) *
(-2 * vop_ref[0][0] + 1) +
(-r * sprite_ref[0][0] + virtual_ref[0][0]) *
(-2 * vop_ref[0][1] + 1) + 2 * w2 * r *
@@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
min_ab = FFMIN(alpha, beta);
w3 = w2 >> min_ab;
h3 = h2 >> min_ab;
- s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) +
- (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
- h3 * (-vop_ref[0][0]) +
- (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
- w3 * (-vop_ref[0][1]) +
- (1 << (alpha + beta + rho - min_ab - 1));
- s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
- (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
- h3 * (-vop_ref[0][0]) +
- (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
- w3 * (-vop_ref[0][1]) +
- (1 << (alpha + beta + rho - min_ab - 1));
- s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) *
- h3 * (-2 * vop_ref[0][0] + 1) +
- (-r * sprite_ref[0][0] + virtual_ref[1][0]) *
- w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
- r * sprite_ref[0][0] - 16 * w2 * h3 +
- (1 << (alpha + beta + rho - min_ab + 1));
- s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) *
- h3 * (-2 * vop_ref[0][0] + 1) +
- (-r * sprite_ref[0][1] + virtual_ref[1][1]) *
- w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 *
- r * sprite_ref[0][1] - 16 * w2 * h3 +
- (1 << (alpha + beta + rho - min_ab + 1));
+ sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) +
+ ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) +
+ ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) +
+ ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+ sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) +
+ ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) +
+ ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) +
+ ((int64_t)1 << (alpha + beta + rho - min_ab - 1));
+ sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) +
+ ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) +
+ (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 +
+ ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
+ sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) +
+ ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) +
+ (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 +
+ ((int64_t)1 << (alpha + beta + rho - min_ab + 1));
s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3;
s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3;
s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3;
@@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
s->sprite_delta[0][1] == 0 &&
s->sprite_delta[1][0] == 0 &&
s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) {
- s->sprite_offset[0][0] >>= ctx->sprite_shift[0];
- s->sprite_offset[0][1] >>= ctx->sprite_shift[0];
- s->sprite_offset[1][0] >>= ctx->sprite_shift[1];
- s->sprite_offset[1][1] >>= ctx->sprite_shift[1];
+ sprite_offset[0][0] >>= ctx->sprite_shift[0];
+ sprite_offset[0][1] >>= ctx->sprite_shift[0];
+ sprite_offset[1][0] >>= ctx->sprite_shift[1];
+ sprite_offset[1][1] >>= ctx->sprite_shift[1];
s->sprite_delta[0][0] = a;
s->sprite_delta[0][1] = 0;
s->sprite_delta[1][0] = 0;
@@ -367,17 +360,59 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
} else {
int shift_y = 16 - ctx->sprite_shift[0];
int shift_c = 16 - ctx->sprite_shift[1];
+
+ if (shift_c < 0 || shift_y < 0 ||
+ FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y ||
+ FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c ||
+ FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y ||
+ FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c
+ ) {
+ avpriv_request_sample(s->avctx, "Too large sprite shift or offset");
+ goto overflow;
+ }
+
for (i = 0; i < 2; i++) {
- s->sprite_offset[0][i] *= 1 << shift_y;
- s->sprite_offset[1][i] *= 1 << shift_c;
+ sprite_offset[0][i] *= 1 << shift_y;
+ sprite_offset[1][i] *= 1 << shift_c;
s->sprite_delta[0][i] *= 1 << shift_y;
s->sprite_delta[1][i] *= 1 << shift_y;
ctx->sprite_shift[i] = 16;
+
+ }
+ for (i = 0; i < 2; i++) {
+ int64_t sd[2] = {
+ s->sprite_delta[i][0] - a * (1LL<<16),
+ s->sprite_delta[i][1] - a * (1LL<<16)
+ };
+
+ if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX ||
+ llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX ||
+ llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX ||
+ llabs(sd[0]) >= INT_MAX ||
+ llabs(sd[1]) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX ||
+ llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX
+ ) {
+ avpriv_request_sample(s->avctx, "Overflow on sprite points");
+ goto overflow;
+ }
}
s->real_sprite_warping_points = ctx->num_sprite_warping_points;
}
+ s->sprite_offset[0][0] = sprite_offset[0][0];
+ s->sprite_offset[0][1] = sprite_offset[0][1];
+ s->sprite_offset[1][0] = sprite_offset[1][0];
+ s->sprite_offset[1][1] = sprite_offset[1][1];
+
return 0;
+overflow:
+ memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+ memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+ return AVERROR_PATCHWELCOME;
}
static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) {
@@ -504,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
if (ctx->divx_version == 500 && ctx->divx_build == 413)
sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
else
- sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a);
+ sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
} else {
dx = s->sprite_delta[n][0];
dy = s->sprite_delta[n][1];
@@ -2420,16 +2455,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb)
ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan);
}
- if (s->pict_type == AV_PICTURE_TYPE_S &&
- (ctx->vol_sprite_usage == STATIC_SPRITE ||
- ctx->vol_sprite_usage == GMC_SPRITE)) {
- if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
- return AVERROR_INVALIDDATA;
- if (ctx->sprite_brightness_change)
- av_log(s->avctx, AV_LOG_ERROR,
- "sprite_brightness_change not supported\n");
- if (ctx->vol_sprite_usage == STATIC_SPRITE)
- av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+ if (s->pict_type == AV_PICTURE_TYPE_S) {
+ if((ctx->vol_sprite_usage == STATIC_SPRITE ||
+ ctx->vol_sprite_usage == GMC_SPRITE)) {
+ if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0)
+ return AVERROR_INVALIDDATA;
+ if (ctx->sprite_brightness_change)
+ av_log(s->avctx, AV_LOG_ERROR,
+ "sprite_brightness_change not supported\n");
+ if (ctx->vol_sprite_usage == STATIC_SPRITE)
+ av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n");
+ } else {
+ memset(s->sprite_offset, 0, sizeof(s->sprite_offset));
+ memset(s->sprite_delta, 0, sizeof(s->sprite_delta));
+ }
}
if (ctx->shape != BIN_ONLY_SHAPE) {
diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c
index 1114428f..37b1af9b 100644
--- a/libavcodec/mpegaudiodec_template.c
+++ b/libavcodec/mpegaudiodec_template.c
@@ -253,7 +253,7 @@ static inline int l3_unscale(int value, int exponent)
#endif
if (e > 31)
return 0;
- m = (m + (1 << (e - 1))) >> e;
+ m = (m + ((1U << e)>>1)) >> e;
return m;
}
@@ -1665,7 +1665,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr,
header = AV_RB32(buf);
if (header>>8 == AV_RB32("TAG")>>8) {
av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n");
- return buf_size;
+ return buf_size + skipped;
}
ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header);
if (ret < 0) {
diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c
index a310bd46..0cb13385 100644
--- a/libavcodec/mpegvideo_motion.c
+++ b/libavcodec/mpegvideo_motion.c
@@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s,
motion_y = s->sprite_offset[0][1];
src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1));
src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1));
- motion_x <<= (3 - s->sprite_warping_accuracy);
- motion_y <<= (3 - s->sprite_warping_accuracy);
+ motion_x *= 1 << (3 - s->sprite_warping_accuracy);
+ motion_y *= 1 << (3 - s->sprite_warping_accuracy);
src_x = av_clip(src_x, -16, s->width);
if (src_x == s->width)
motion_x = 0;
@@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s,
motion_y = s->sprite_offset[1][1];
src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1));
src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1));
- motion_x <<= (3 - s->sprite_warping_accuracy);
- motion_y <<= (3 - s->sprite_warping_accuracy);
+ motion_x *= 1 << (3 - s->sprite_warping_accuracy);
+ motion_y *= 1 << (3 - s->sprite_warping_accuracy);
src_x = av_clip(src_x, -8, s->width >> 1);
if (src_x == s->width >> 1)
motion_x = 0;
diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c
index 77e8509f..26f29280 100644
--- a/libavcodec/msmpeg4dec.c
+++ b/libavcodec/msmpeg4dec.c
@@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
if(s->msmpeg4_version==2)
cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1);
else
- cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1);
+ cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2);
if(cbp<0 || cbp>3){
av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y);
return -1;
@@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64])
s->mv[0][0][1] = my;
*mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16;
} else {
+ int v;
if(s->msmpeg4_version==2){
s->ac_pred = get_bits1(&s->gb);
- cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+ v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+ if (v < 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+ return -1;
+ }
+ cbp|= v<<2;
} else{
s->ac_pred = 0;
- cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors
+ v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1);
+ if (v < 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n");
+ return -1;
+ }
+ cbp|= v<<2;
if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C;
}
*mb_type_ptr = MB_TYPE_INTRA;
diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c
index 01941967..8344bfe8 100644
--- a/libavcodec/mss3.c
+++ b/libavcodec/mss3.c
@@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m)
static int rac_get_model_sym(RangeCoder *c, Model *m)
{
- int prob, prob2, helper, val;
+ int val;
int end, end2;
+ unsigned prob, prob2, helper;
prob = 0;
prob2 = c->range;
diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c
index 0397add1..4965ac51 100644
--- a/libavcodec/mss34dsp.c
+++ b/libavcodec/mss34dsp.c
@@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma)
}
#define DCT_TEMPLATE(blk, step, SOP, shift) \
- const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \
- const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \
- const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \
- const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \
- const int t4 = blk[3 * step] + blk[7 * step]; \
- const int t5 = blk[1 * step] + blk[5 * step]; \
- const int t6 = 77062 * t4 + 51491 * t5; \
- const int t7 = 77062 * t5 - 51491 * t4; \
- const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \
- const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \
- const int tA = SOP(blk[0 * step] - blk[4 * step]); \
- const int tB = SOP(blk[0 * step] + blk[4 * step]); \
+ const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \
+ const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \
+ const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \
+ const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \
+ const unsigned t4 = blk[3 * step] + blk[7 * step]; \
+ const unsigned t5 = blk[1 * step] + blk[5 * step]; \
+ const unsigned t6 = 77062U * t4 + 51491U * t5; \
+ const unsigned t7 = 77062U * t5 - 51491U * t4; \
+ const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \
+ const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \
+ const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \
+ const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \
\
- blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \
- blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \
- blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \
- blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \
- blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \
- blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \
- blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \
- blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \
+ blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \
+ blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \
+ blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \
+ blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \
+ blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \
+ blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \
+ blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \
+ blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \
-#define SOP_ROW(a) (((a) << 16) + 0x2000)
-#define SOP_COL(a) (((a) + 32) << 16)
+#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000)
+#define SOP_COL(a) (((a) + 32) * (1U << 16))
void ff_mss34_dct_put(uint8_t *dst, int stride, int *block)
{
diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c
index a49b9be3..29700f54 100644
--- a/libavcodec/msvideo1.c
+++ b/libavcodec/msvideo1.c
@@ -301,6 +301,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx,
s->buf = buf;
s->size = buf_size;
+ // Discard frame if its smaller than the minimum frame size
+ if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) {
+ av_log(avctx, AV_LOG_ERROR, "Packet is too small\n");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
return ret;
diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c
index 027726e0..5ff6583c 100644
--- a/libavcodec/nellymoser.c
+++ b/libavcodec/nellymoser.c
@@ -84,7 +84,7 @@ const int16_t ff_nelly_delta_table[32] = {
static inline int signed_shift(int i, int shift) {
if (shift > 0)
- return i << shift;
+ return (unsigned)i << shift;
return i >> -shift;
}
@@ -108,7 +108,7 @@ static int headroom(int *la)
return 31;
}
l = 30 - av_log2(FFABS(*la));
- *la <<= l;
+ *la *= 1<<l;
return l;
}
diff --git a/libavcodec/omx.c b/libavcodec/omx.c
index 2fe21429..16df50e4 100644
--- a/libavcodec/omx.c
+++ b/libavcodec/omx.c
@@ -352,12 +352,12 @@ static av_cold int find_component(OMXContext *omx_context, void *logctx,
av_log(logctx, AV_LOG_WARNING, "No component for role %s found\n", role);
return AVERROR_ENCODER_NOT_FOUND;
}
- components = av_mallocz(sizeof(char*) * num);
+ components = av_mallocz_array(num, sizeof(*components));
if (!components)
return AVERROR(ENOMEM);
for (i = 0; i < num; i++) {
components[i] = av_mallocz(OMX_MAX_STRINGNAME_SIZE);
- if (!components) {
+ if (!components[i]) {
ret = AVERROR(ENOMEM);
goto end;
}
diff --git a/libavcodec/options.c b/libavcodec/options.c
index d8e3dbfa..e124fb44 100644
--- a/libavcodec/options.c
+++ b/libavcodec/options.c
@@ -187,6 +187,30 @@ void avcodec_free_context(AVCodecContext **pavctx)
}
#if FF_API_COPY_CONTEXT
+static void copy_context_reset(AVCodecContext *avctx)
+{
+ int i;
+
+ av_opt_free(avctx);
+#if FF_API_CODED_FRAME
+FF_DISABLE_DEPRECATION_WARNINGS
+ av_frame_free(&avctx->coded_frame);
+FF_ENABLE_DEPRECATION_WARNINGS
+#endif
+ av_freep(&avctx->rc_override);
+ av_freep(&avctx->intra_matrix);
+ av_freep(&avctx->inter_matrix);
+ av_freep(&avctx->extradata);
+ av_freep(&avctx->subtitle_header);
+ av_buffer_unref(&avctx->hw_frames_ctx);
+ for (i = 0; i < avctx->nb_coded_side_data; i++)
+ av_freep(&avctx->coded_side_data[i].data);
+ av_freep(&avctx->coded_side_data);
+ avctx->subtitle_header_size = 0;
+ avctx->nb_coded_side_data = 0;
+ avctx->extradata_size = 0;
+}
+
int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src)
{
const AVCodec *orig_codec = dest->codec;
@@ -199,12 +223,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src)
return AVERROR(EINVAL);
}
- av_opt_free(dest);
- av_freep(&dest->rc_override);
- av_freep(&dest->intra_matrix);
- av_freep(&dest->inter_matrix);
- av_freep(&dest->extradata);
- av_freep(&dest->subtitle_header);
+ copy_context_reset(dest);
memcpy(dest, src, sizeof(*dest));
av_opt_copy(dest, src);
@@ -229,11 +248,13 @@ FF_ENABLE_DEPRECATION_WARNINGS
/* reallocate values that should be allocated separately */
dest->extradata = NULL;
+ dest->coded_side_data = NULL;
dest->intra_matrix = NULL;
dest->inter_matrix = NULL;
dest->rc_override = NULL;
dest->subtitle_header = NULL;
dest->hw_frames_ctx = NULL;
+ dest->nb_coded_side_data = 0;
#define alloc_and_copy_or_fail(obj, size, pad) \
if (src->obj && size > 0) { \
@@ -263,15 +284,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
return 0;
fail:
- av_freep(&dest->subtitle_header);
- av_freep(&dest->rc_override);
- av_freep(&dest->intra_matrix);
- av_freep(&dest->inter_matrix);
- av_freep(&dest->extradata);
- av_buffer_unref(&dest->hw_frames_ctx);
- dest->subtitle_header_size = 0;
- dest->extradata_size = 0;
- av_opt_free(dest);
+ copy_context_reset(dest);
return AVERROR(ENOMEM);
}
#endif
diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 9c30b122..1274a144 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_
if (nlsf[0] < min_delta[0])
nlsf[0] = min_delta[0];
for (i = 1; i < order; i++)
- if (nlsf[i] < nlsf[i - 1] + min_delta[i])
- nlsf[i] = nlsf[i - 1] + min_delta[i];
+ nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767));
/* push backwards to increase distance */
if (nlsf[order-1] > 32768 - min_delta[order])
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 0cfc7858..a09ee379 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run,
if (*y < 0) {
*y = s->height - 1;
*plane += 1;
+ if (*plane >= s->nb_planes)
+ return;
value <<= bits_per_plane;
mask <<= bits_per_plane;
- if (*plane >= s->nb_planes)
- break;
}
}
}
@@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
}
}
- if (x < avctx->width) {
+ if (plane < s->nb_planes && x < avctx->width) {
int run = (y + 1) * avctx->width - x;
if (bits_per_plane == 8)
picmemset_8bpp(s, frame, val, run, &x, &y);
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index bf8f27f6..52b872a0 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
return AVERROR_INVALIDDATA;
}
s->bit_depth = bytestream2_get_byte(&s->gb);
+ if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 &&
+ s->bit_depth != 8 && s->bit_depth != 16) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n");
+ goto error;
+ }
s->color_type = bytestream2_get_byte(&s->gb);
s->compression_type = bytestream2_get_byte(&s->gb);
s->filter_type = bytestream2_get_byte(&s->gb);
@@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
s->compression_type, s->filter_type, s->interlace_type);
return 0;
+error:
+ s->cur_w = s->cur_h = s->width = s->height = 0;
+ s->bit_depth = 8;
+ return AVERROR_INVALIDDATA;
}
static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s)
@@ -602,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
}
if (!(s->state & PNG_IDAT)) {
/* init image info */
- avctx->width = s->width;
- avctx->height = s->height;
+ ret = ff_set_dimensions(avctx, s->width, s->height);
+ if (ret < 0)
+ return ret;
s->channels = ff_png_get_nb_channels(s->color_type);
s->bits_per_pixel = s->bit_depth * s->channels;
@@ -787,7 +797,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s,
return AVERROR_INVALIDDATA;
for (i = 0; i < length; i++) {
- v = bytestream2_get_byte(&s->gb);
+ unsigned v = bytestream2_get_byte(&s->gb);
s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
}
} else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) {
diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index ceec32d7..690f7ff3 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl)
int i, j;
for (i=0; i < LPC_ORDER; i++) {
- b1[i] = refl[i] << 4;
+ b1[i] = refl[i] * 16;
for (j=0; j < i; j++)
b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j];
diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c
index d01f05c0..97822b09 100644
--- a/libavcodec/rscc.c
+++ b/libavcodec/rscc.c
@@ -210,6 +210,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data,
ctx->tiles[i].y = bytestream2_get_le16(gbc);
ctx->tiles[i].h = bytestream2_get_le16(gbc);
+ if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n");
+ ret = AVERROR_INVALIDDATA;
+ goto end;
+ }
+
pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size;
ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i,
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index aca8382f..c9cedfe8 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte
return ff_mpeg_update_thread_context(dst, src);
}
-static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n)
+static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size)
{
- if(avctx->slice_count) return avctx->slice_offset[n];
- else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8);
+ if (n < slice_count) {
+ if(avctx->slice_count) return avctx->slice_offset[n];
+ else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8);
+ } else
+ return buf_size;
}
static int finish_frame(AVCodecContext *avctx, AVFrame *pict)
@@ -1627,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in
if (!sar.num)
sar = (AVRational){1, 1};
- sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h});
+ sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h}));
return sar;
}
@@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
const uint8_t *slices_hdr = NULL;
int last = 0;
int faulty_b = 0;
+ int offset;
/* no supplementary picture */
if (buf_size == 0) {
@@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
}else
slice_count = avctx->slice_count;
+ offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size);
//parse first slice header to check whether this frame can be decoded
- if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
- get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+ if(offset < 0 || offset > buf_size){
av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
return AVERROR_INVALIDDATA;
}
- init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
+ init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8);
if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
return AVERROR_INVALIDDATA;
@@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
for(i = 0; i < slice_count; i++){
- int offset = get_slice_offset(avctx, slices_hdr, i);
+ int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size);
+ int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size);
int size;
- if(i+1 == slice_count)
- size = buf_size - offset;
- else
- size = get_slice_offset(avctx, slices_hdr, i+1) - offset;
- if(offset < 0 || offset > buf_size){
+ if(offset < 0 || offset > offset1 || offset1 > buf_size){
av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
+ size = offset1 - offset;
r->si.end = s->mb_width * s->mb_height;
s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start;
if(i+1 < slice_count){
- if (get_slice_offset(avctx, slices_hdr, i+1) < 0 ||
- get_slice_offset(avctx, slices_hdr, i+1) > buf_size) {
+ int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size);
+ if (offset2 < offset1 || offset2 > buf_size) {
av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
break;
}
- init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8);
+ init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8);
if(r->parse_slice_header(r, &r->s.gb, &si) < 0){
- if(i+2 < slice_count)
- size = get_slice_offset(avctx, slices_hdr, i+2) - offset;
- else
- size = buf_size - offset;
+ size = offset2 - offset;
}else
r->si.end = si.start;
}
- if (size < 0 || size > buf_size - offset) {
- av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n");
- break;
- }
+ av_assert0 (size >= 0 && size <= buf_size - offset);
last = rv34_decode_slice(r, r->si.end, buf + offset, size);
if(last)
break;
diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c
index e5ba215b..dfeebda8 100644
--- a/libavcodec/rv40.c
+++ b/libavcodec/rv40.c
@@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t
A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row
B = ptr[-r->intra_types_stride];
C = ptr[-1];
- pattern = A + (B << 4) + (C << 8);
+ pattern = A + B * (1 << 4) + C * (1 << 8);
for(k = 0; k < MODE2_PATTERNS_NUM; k++)
if(pattern == rv40_aic_table_index[k])
break;
diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c
index 19b0e936..95ba0a92 100644
--- a/libavcodec/rv40dsp.c
+++ b/libavcodec/rv40dsp.c
@@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src,
if (u > 3 - (filter_p1 && filter_q1))
continue;
- t <<= 2;
+ t *= 1 << 2;
if (filter_p1 && filter_q1)
t += src[-2*step] - src[1*step];
diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c
index ccfb5913..a68ac79f 100644
--- a/libavcodec/s302m.c
+++ b/libavcodec/s302m.c
@@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data,
if (avctx->bits_per_raw_sample == 24) {
uint32_t *o = (uint32_t *)frame->data[0];
for (; buf_size > 6; buf_size -= 7) {
- *o++ = (ff_reverse[buf[2]] << 24) |
+ *o++ = ((unsigned)ff_reverse[buf[2]] << 24) |
(ff_reverse[buf[1]] << 16) |
(ff_reverse[buf[0]] << 8);
- *o++ = (ff_reverse[buf[6] & 0xf0] << 28) |
+ *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) |
(ff_reverse[buf[5]] << 20) |
(ff_reverse[buf[4]] << 12) |
(ff_reverse[buf[3] & 0x0f] << 4);
@@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data,
} else if (avctx->bits_per_raw_sample == 20) {
uint32_t *o = (uint32_t *)frame->data[0];
for (; buf_size > 5; buf_size -= 6) {
- *o++ = (ff_reverse[buf[2] & 0xf0] << 28) |
+ *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) |
(ff_reverse[buf[1]] << 20) |
(ff_reverse[buf[0]] << 12);
- *o++ = (ff_reverse[buf[5] & 0xf0] << 28) |
+ *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) |
(ff_reverse[buf[4]] << 20) |
(ff_reverse[buf[3]] << 12);
buf += 6;
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index e4cef618..388d8dee 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -155,8 +155,11 @@ static int allocate_buffers(ShortenContext *s)
static inline unsigned int get_uint(ShortenContext *s, int k)
{
- if (s->version != 0)
+ if (s->version != 0) {
k = get_ur_golomb_shorten(&s->gb, ULONGSIZE);
+ if (k > 31U)
+ return AVERROR_INVALIDDATA;
+ }
return get_ur_golomb_shorten(&s->gb, k);
}
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 042aecbb..022e9693 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count);
return AVERROR_INVALIDDATA;
}
+ if (s->avctx->width > 65536-4) {
+ av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width);
+ return AVERROR_INVALIDDATA;
+ }
s->qlog += get_symbol(&s->c, s->header_state, 1);
@@ -395,6 +399,11 @@ static int decode_header(SnowContext *s){
s->block_max_depth= 0;
return AVERROR_INVALIDDATA;
}
+ if (FFABS(s->qbias) > 127) {
+ av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias);
+ s->qbias = 0;
+ return AVERROR_INVALIDDATA;
+ }
return 0;
}
diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c
index 30930c8e..862ab476 100644
--- a/libavcodec/srtdec.c
+++ b/libavcodec/srtdec.c
@@ -38,13 +38,13 @@ static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst,
/* text rectangle defined, write the text at the center of the rectangle */
const int cx = x1 + (x2 - x1)/2;
const int cy = y1 + (y2 - y1)/2;
- const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720;
- const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480;
+ const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+ const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y);
} else {
/* only the top left corner, assume the text starts in that corner */
- const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720;
- const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480;
+ const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720;
+ const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480;
av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y);
}
}
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index 5aedc1e6..01998652 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -223,7 +223,7 @@ static int svq3_decode_end(AVCodecContext *avctx);
static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp)
{
- const int qmul = svq3_dequant_coeff[qp];
+ const unsigned qmul = svq3_dequant_coeff[qp];
#define stride 16
int i;
int temp[16];
@@ -248,10 +248,10 @@ static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp)
const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i];
const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i];
- output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20;
- output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20;
- output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20;
- output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20;
+ output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20;
+ output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20;
+ output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20;
+ output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20;
}
}
#undef stride
@@ -263,7 +263,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block,
int i;
if (dc) {
- dc = 13 * 13 * (dc == 1 ? 1538 * block[0]
+ dc = 13 * 13 * (dc == 1 ? 1538U* block[0]
: qmul * (block[0] >> 3) / 2);
block[0] = 0;
}
@@ -281,16 +281,16 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block,
}
for (i = 0; i < 4; i++) {
- const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]);
- const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]);
- const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3];
- const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3];
+ const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]);
+ const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]);
+ const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3];
+ const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3];
const int rr = (dc + 0x80000);
- dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20));
- dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20));
- dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20));
- dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20));
+ dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20));
+ dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20));
+ dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20));
+ dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20));
}
memset(block, 0, 16 * sizeof(int16_t));
@@ -524,8 +524,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
if (mode != PREDICT_MODE) {
svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my);
} else {
- mx = s->next_pic->motion_val[0][b_xy][0] << 1;
- my = s->next_pic->motion_val[0][b_xy][1] << 1;
+ mx = s->next_pic->motion_val[0][b_xy][0] * 2;
+ my = s->next_pic->motion_val[0][b_xy][1] * 2;
if (dir == 0) {
mx = mx * s->frame_num_offset /
@@ -551,7 +551,7 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
dy = get_interleaved_se_golomb(&s->gb_slice);
dx = get_interleaved_se_golomb(&s->gb_slice);
- if (dx == INVALID_VLC || dy == INVALID_VLC) {
+ if (dx != (int16_t)dx || dy != (int16_t)dy) {
av_log(s->avctx, AV_LOG_ERROR, "invalid MV vlc\n");
return -1;
}
@@ -562,8 +562,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
int fx, fy;
mx = (mx + 1 >> 1) + dx;
my = (my + 1 >> 1) + dy;
- fx = (unsigned)(mx + 0x3000) / 3 - 0x1000;
- fy = (unsigned)(my + 0x3000) / 3 - 0x1000;
+ fx = (unsigned)(mx + 0x30000) / 3 - 0x10000;
+ fy = (unsigned)(my + 0x30000) / 3 - 0x10000;
dxy = (mx - 3 * fx) + 4 * (my - 3 * fy);
svq3_mc_dir_part(s, x, y, part_width, part_height,
@@ -571,8 +571,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
mx += mx;
my += my;
} else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) {
- mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000;
- my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000;
+ mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000;
+ my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000;
dxy = (mx & 1) + 2 * (my & 1);
svq3_mc_dir_part(s, x, y, part_width, part_height,
@@ -580,8 +580,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode,
mx *= 3;
my *= 3;
} else {
- mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000;
- my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000;
+ mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000;
+ my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000;
svq3_mc_dir_part(s, x, y, part_width, part_height,
mx, my, 0, 0, dir, avg);
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 97732813..61e66b05 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -433,19 +433,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
s->predictors[0] = get_sbits(gb, 10);
s->predictors[1] = get_sbits(gb, 10);
- s->predictors[2] = get_sbits(gb, size) << (10 - size);
- s->predictors[3] = get_sbits(gb, size) << (10 - size);
+ s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size));
+ s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size));
if (filter_order > 4) {
int tmp = size - get_bits1(gb);
for (i = 4; i < filter_order; i++) {
if (!(i & 3))
x = tmp - get_bits(gb, 2);
- s->predictors[i] = get_sbits(gb, x) << (10 - size);
+ s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size));
}
}
- tfilter[0] = s->predictors[0] << 6;
+ tfilter[0] = s->predictors[0] * 64;
for (i = 1; i < filter_order; i++) {
int32_t *p1 = &tfilter[0];
int32_t *p2 = &tfilter[i - 1];
@@ -457,7 +457,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
p2--;
}
- tfilter[i] = s->predictors[i] << 6;
+ tfilter[i] = s->predictors[i] * 64;
}
x = 1 << (32 - (15 - filter_quant));
@@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
s->residues[i + j + 1] * s->filter[j + 1] +
s->residues[i + j ] * s->filter[j ];
}
- v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded;
+ v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded;
*decoded++ = v;
s->residues[filter_order + i] = v >> dshift;
}
diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c
index 21b3d35d..443d48a9 100644
--- a/libavcodec/targa_y216dec.c
+++ b/libavcodec/targa_y216dec.c
@@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data,
{
AVFrame *pic = data;
const uint16_t *src = (uint16_t *)avpkt->data;
- uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4);
+ uint16_t *y, *u, *v;
+ int aligned_width = FFALIGN(avctx->width, 4);
int i, j, ret;
if (avpkt->size < 4 * avctx->height * aligned_width) {
diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c
index 5012245a..90b1eb4f 100644
--- a/libavcodec/texturedsp.c
+++ b/libavcodec/texturedsp.c
@@ -35,7 +35,7 @@
#define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \
((uint8_t)(g) << 8) | \
((uint8_t)(b) << 16) | \
- ((uint8_t)(a) << 24))
+ ((unsigned)(uint8_t)(a) << 24))
static av_always_inline void extract_color(uint32_t colors[4],
uint16_t color0,
@@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride,
for (x = 0; x < 4; x++) {
uint8_t alpha = alpha_values[x];
- uint32_t pixel = colors[code & 3] | (alpha << 24);
+ uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24);
code >>= 2;
AV_WL32(dst + x * 4, pixel);
@@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride,
}
}
}
- pixel = colors[code & 3] | (alpha << 24);
+ pixel = colors[code & 3] | ((unsigned)alpha << 24);
code >>= 2;
AV_WL32(dst + x * 4, pixel);
}
diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c
index 06c5fd6b..af39f74d 100644
--- a/libavcodec/tiertexseqv.c
+++ b/libavcodec/tiertexseqv.c
@@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int
static av_cold int seqvideo_decode_init(AVCodecContext *avctx)
{
SeqVideoContext *seq = avctx->priv_data;
+ int ret;
seq->avctx = avctx;
avctx->pix_fmt = AV_PIX_FMT_PAL8;
+ ret = ff_set_dimensions(avctx, 256, 128);
+ if (ret < 0)
+ return ret;
+
seq->frame = av_frame_alloc();
if (!seq->frame)
return AVERROR(ENOMEM);
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 4721e944..a0f4bff5 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride
const uint8_t *src, int size, int width, int lines,
int strip_start, int is_yuv)
{
- uint64_t outlen = width * lines;
+ uint64_t outlen = width * (uint64_t)lines;
int ret, line;
uint8_t *buf = av_malloc(outlen);
if (!buf)
@@ -905,6 +905,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
break;
case TIFF_STRIP_OFFS:
if (count == 1) {
+ if (value > INT_MAX) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "strippos %u too large\n", value);
+ return AVERROR_INVALIDDATA;
+ }
s->strippos = 0;
s->stripoff = value;
} else
@@ -916,6 +921,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
break;
case TIFF_STRIP_SIZE:
if (count == 1) {
+ if (value > INT_MAX) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "stripsize %u too large\n", value);
+ return AVERROR_INVALIDDATA;
+ }
s->stripsizesoff = 0;
s->stripsize = value;
s->strips = 1;
@@ -1009,6 +1019,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
s->subsampling[i] = ff_tget(&s->gb, type, s->le);
if (s->subsampling[i] <= 0) {
av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]);
+ s->subsampling[i] = 1;
return AVERROR_INVALIDDATA;
}
}
@@ -1036,6 +1047,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
ADD_METADATA(count, "ModelTiepointTag", NULL);
break;
case TIFF_GEO_KEY_DIRECTORY:
+ if (s->geotag_count) {
+ avpriv_request_sample(s->avctx, "Multiple geo key directories\n");
+ return AVERROR_INVALIDDATA;
+ }
ADD_METADATA(1, "GeoTIFF_Version", NULL);
ADD_METADATA(2, "GeoTIFF_Key_Revision", ".");
s->geotag_count = ff_tget_short(&s->gb, s->le);
@@ -1043,7 +1058,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame)
s->geotag_count = count / 4 - 1;
av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n");
}
- if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) {
+ if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4
+ || s->geotag_count == 0) {
s->geotag_count = 0;
return -1;
}
diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c
index da843c44..28dccaae 100644
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt)
int lo, hi;
lo = ydt[p1];
- lo += (lo << 5) + (lo << 10);
+ lo += (lo * 32) + (lo * 1024);
hi = ydt[p2];
- hi += (hi << 5) + (hi << 10);
- return (lo + (hi << 16)) << 1;
+ hi += (hi * 32) + (hi * 1024);
+ return (lo + (hi * (1U << 16))) * 2;
}
static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
@@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt)
int r, b, lo;
b = cdt[p2];
- r = cdt[p1] << 10;
+ r = cdt[p1] * 1024;
lo = b + r;
- return (lo + (lo << 16)) << 1;
+ return (lo + (lo * (1U << 16))) * 2;
}
#if HAVE_BIGENDIAN
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 2031d01b..2d57aea4 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -2771,7 +2771,7 @@ void avsubtitle_free(AVSubtitle *sub)
static int do_decode(AVCodecContext *avctx, AVPacket *pkt)
{
- int got_frame;
+ int got_frame = 0;
int ret;
av_assert0(!avctx->internal->buffer_frame->buf[0]);
diff --git a/libavcodec/vdpau_hevc.c b/libavcodec/vdpau_hevc.c
index 03c61dc6..ce2610f6 100644
--- a/libavcodec/vdpau_hevc.c
+++ b/libavcodec/vdpau_hevc.c
@@ -234,7 +234,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx,
const HEVCFrame *frame = &h->DPB[i];
if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF |
HEVC_FRAME_FLAG_SHORT_REF))) {
- if (j > 16) {
+ if (j > 15) {
av_log(avctx, AV_LOG_WARNING,
"VDPAU only supports up to 16 references in the DPB. "
"This frame may not be decoded correctly.\n");
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index fa749be0..b10cb39f 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
s->dct_tokens[0][0] = s->dct_tokens_base;
+ if (get_bits_left(gb) < 16)
+ return AVERROR_INVALIDDATA;
+
/* fetch the DC table indexes */
dc_y_table = get_bits(gb, 4);
dc_c_table = get_bits(gb, 4);
@@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
0, residual_eob_run);
if (residual_eob_run < 0)
return residual_eob_run;
+ if (get_bits_left(gb) < 8)
+ return AVERROR_INVALIDDATA;
/* reverse prediction of the Y-plane DC coefficients */
reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
@@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
s->fragment_width[1], s->fragment_height[1]);
}
+ if (get_bits_left(gb) < 8)
+ return AVERROR_INVALIDDATA;
/* fetch the AC table indexes */
ac_y_table = get_bits(gb, 4);
ac_c_table = get_bits(gb, 4);
@@ -2022,8 +2029,9 @@ static int vp3_decode_frame(AVCodecContext *avctx,
ret = vp3_decode_init(avctx);
if (ret < 0) {
vp3_decode_end(avctx);
+ return ret;
}
- return ret;
+ return buf_size;
} else if (type == 2) {
vp3_decode_end(avctx);
ret = theora_decode_tables(avctx, &gb);
@@ -2031,8 +2039,9 @@ static int vp3_decode_frame(AVCodecContext *avctx,
ret = vp3_decode_init(avctx);
if (ret < 0) {
vp3_decode_end(avctx);
+ return ret;
}
- return ret;
+ return buf_size;
}
av_log(avctx, AV_LOG_ERROR,
diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c
index 814c78e3..4b6c838b 100644
--- a/libavcodec/vp3dsp.c
+++ b/libavcodec/vp3dsp.c
@@ -41,7 +41,7 @@
#define xC6S2 25080
#define xC7S1 12785
-#define M(a, b) (((a) * (b)) >> 16)
+#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16)
static av_always_inline void idct(uint8_t *dst, int stride,
int16_t *input, int type)
diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index aba177c8..b5f06a09 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -38,8 +38,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
{
VP56RangeCoder *c = &s->c;
int rows, cols;
+ int ret;
- ff_vp56_init_range_decoder(&s->c, buf, buf_size);
+ ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size);
+ if (ret < 0)
+ return ret;
s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c);
vp56_rac_get(c);
ff_vp56_init_dequant(s, vp56_rac_gets(c, 6));
@@ -180,7 +183,7 @@ static int vp5_parse_coeff(VP56Context *s)
int b, i, cg, idx, ctx, ctx_last;
int pt = 0; /* plane type (0 for Y, 1 for U or V) */
- if (c->end >= c->buffer && c->bits >= 0) {
+ if (c->end <= c->buffer && c->bits >= 0) {
av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n");
return AVERROR_INVALIDDATA;
}
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index d8fe994b..bfc3d3bc 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col)
return s->mb_type;
}
+static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col)
+{
+ VP56mv *mv, vect = {0,0};
+ int b;
+
+ s->mb_type = VP56_MB_INTER_NOVEC_PF;
+ s->macroblocks[row * s->mb_width + col].type = s->mb_type;
+
+ mv = &vect;
+
+ s->macroblocks[row*s->mb_width + col].mv = *mv;
+
+ /* same vector for all blocks */
+ for (b=0; b<6; b++)
+ s->mv[b] = *mv;
+
+ return s->mb_type;
+}
+
static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame)
{
int idx = s->idct_scantable[0];
@@ -381,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src,
}
}
-static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type)
{
- AVFrame *frame_current, *frame_ref;
- VP56mb mb_type;
- VP56Frame ref_frame;
int b, ab, b_max, plane, off;
- int ret;
-
- if (s->frames[VP56_FRAME_CURRENT]->key_frame)
- mb_type = VP56_MB_INTRA;
- else
- mb_type = vp56_decode_mv(s, row, col);
- ref_frame = ff_vp56_reference_frame[mb_type];
-
- ret = s->parse_coeff(s);
- if (ret < 0)
- return ret;
+ AVFrame *frame_current, *frame_ref;
+ VP56Frame ref_frame = ff_vp56_reference_frame[mb_type];
vp56_add_predictors_dc(s, ref_frame);
frame_current = s->frames[VP56_FRAME_CURRENT];
frame_ref = s->frames[ref_frame];
if (mb_type != VP56_MB_INTRA && !frame_ref->data[0])
- return 0;
+ return;
ab = 6*is_alpha;
b_max = 6 - 2*is_alpha;
@@ -454,6 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
s->block_coeff[4][0] = 0;
s->block_coeff[5][0] = 0;
}
+}
+
+static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha)
+{
+ VP56mb mb_type;
+ int ret;
+
+ if (s->frames[VP56_FRAME_CURRENT]->key_frame)
+ mb_type = VP56_MB_INTRA;
+ else
+ mb_type = vp56_decode_mv(s, row, col);
+
+ ret = s->parse_coeff(s);
+ if (ret < 0)
+ return ret;
+
+ vp56_render_mb(s, row, col, is_alpha, mb_type);
+
+ return 0;
+}
+
+static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha)
+{
+ VP56mb mb_type;
+
+ if (s->frames[VP56_FRAME_CURRENT]->key_frame)
+ mb_type = VP56_MB_INTRA;
+ else
+ mb_type = vp56_conceal_mv(s, row, col);
+
+ vp56_render_mb(s, row, col, is_alpha, mb_type);
+
return 0;
}
@@ -468,6 +507,8 @@ static int vp56_size_changed(VP56Context *s)
s->plane_height[0] = s->plane_height[3] = avctx->coded_height;
s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2;
+ s->have_undamaged_frame = 0;
+
for (i=0; i<4; i++)
s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i];
@@ -533,13 +574,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF);
- if (ret < 0)
+ if (ret < 0) {
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(avctx, 0, 0);
return ret;
+ }
if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) {
av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]);
if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) {
av_frame_unref(p);
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(avctx, 0, 0);
return ret;
}
}
@@ -573,8 +619,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
}
+ s->discard_frame = 0;
avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1);
+ if (s->discard_frame)
+ return AVERROR_INVALIDDATA;
+
if ((res = av_frame_ref(data, p)) < 0)
return res;
*got_frame = 1;
@@ -593,6 +643,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
int block, y, uv;
ptrdiff_t stride_y, stride_uv;
int res;
+ int damaged = 0;
if (p->key_frame) {
p->pict_type = AV_PICTURE_TYPE_I;
@@ -657,9 +708,18 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
s->block_offset[5] = s->block_offset[4];
for (mb_col=0; mb_col<s->mb_width; mb_col++) {
- int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
- if (ret < 0)
- return ret;
+ if (!damaged) {
+ int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha);
+ if (ret < 0) {
+ damaged = 1;
+ if (!s->have_undamaged_frame || !avctx->error_concealment) {
+ s->discard_frame = 1;
+ return AVERROR_INVALIDDATA;
+ }
+ }
+ }
+ if (damaged)
+ vp56_conceal_mb(s, mb_row, mb_col, is_alpha);
for (y=0; y<4; y++) {
s->above_block_idx[y] += 2;
@@ -673,6 +733,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data,
}
}
+ if (!damaged)
+ s->have_undamaged_frame = 1;
+
next:
if (p->key_frame || s->golden_frame) {
av_frame_unref(s->frames[VP56_FRAME_GOLDEN]);
diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h
index 34d48228..c049399d 100644
--- a/libavcodec/vp56.h
+++ b/libavcodec/vp56.h
@@ -203,6 +203,9 @@ struct vp56_context {
VLC runv_vlc[2];
VLC ract_vlc[2][3][6];
unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */
+
+ int have_undamaged_frame;
+ int discard_frame;
};
@@ -221,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
*/
extern const uint8_t ff_vp56_norm_shift[256];
-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size);
static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c)
{
diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c
index 6061b7ee..e70302bf 100644
--- a/libavcodec/vp56rac.c
+++ b/libavcodec/vp56rac.c
@@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= {
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
};
-void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size)
+int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size)
{
c->high = 255;
c->bits = -16;
c->buffer = buf;
c->end = buf + buf_size;
+ if (buf_size < 1)
+ return AVERROR_INVALIDDATA;
c->code_word = bytestream_get_be24(&c->buffer);
+ return 0;
}
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 7f0a9b7d..4afd67b3 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
int sub_version;
int rows, cols;
int res = 0;
+ int ret;
int separated_coeff = buf[0] & 1;
s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80);
@@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
s->avctx->coded_width = 16 * cols;
s->avctx->coded_height = 16 * rows;
} else {
- int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
+ ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows);
if (ret < 0)
return ret;
@@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
res = VP56_SIZE_CHANGE;
}
- ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+ ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6);
+ if (ret < 0)
+ goto fail;
vp56_rac_gets(c, 2);
parse_filter_info = s->filter_header;
@@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
buf += 2;
buf_size -= 2;
}
- ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+ ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1);
+ if (ret < 0)
+ return ret;
s->golden_frame = vp56_rac_get(c);
if (s->filter_header) {
@@ -157,15 +162,16 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
buf += coeff_offset;
buf_size -= coeff_offset;
if (buf_size < 0) {
- if (s->frames[VP56_FRAME_CURRENT]->key_frame)
- ff_set_dimensions(s->avctx, 0, 0);
- return AVERROR_INVALIDDATA;
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
}
if (s->use_huffman) {
s->parse_coeff = vp6_parse_coeff_huffman;
init_get_bits(&s->gb, buf, buf_size<<3);
} else {
- ff_vp56_init_range_decoder(&s->cc, buf, buf_size);
+ ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size);
+ if (ret < 0)
+ goto fail;
s->ccp = &s->cc;
}
} else {
@@ -173,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size)
}
return res;
+fail:
+ if (res == VP56_SIZE_CHANGE)
+ ff_set_dimensions(s->avctx, 0, 0);
+ return ret;
}
static void vp6_coeff_order_table_init(VP56Context *s)
@@ -450,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s)
int b, i, cg, idx, ctx;
int pt = 0; /* plane type (0 for Y, 1 for U or V) */
- if (c->end >= c->buffer && c->bits >= 0) {
+ if (c->end <= c->buffer && c->bits >= 0) {
av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n");
return AVERROR_INVALIDDATA;
}
diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c
index c1c3eb70..63e78492 100644
--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -261,6 +261,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size)
{
const uint8_t *sizes = buf;
int i;
+ int ret;
s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2);
@@ -274,13 +275,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size)
if (buf_size - size < 0)
return -1;
- ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size);
+ ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size);
+ if (ret < 0)
+ return ret;
buf += size;
buf_size -= size;
}
- ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);
-
- return 0;
+ return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size);
}
static void vp7_get_quants(VP8Context *s)
@@ -518,7 +519,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab));
- ff_vp56_init_range_decoder(c, buf, part1_size);
+ ret = ff_vp56_init_range_decoder(c, buf, part1_size);
+ if (ret < 0)
+ return ret;
buf += part1_size;
buf_size -= part1_size;
@@ -570,7 +573,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
s->lf_delta.enabled = 0;
s->num_coeff_partitions = 1;
- ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size);
+ ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size);
+ if (ret < 0)
+ return ret;
if (!s->macroblocks_base || /* first frame */
width != s->avctx->width || height != s->avctx->height ||
@@ -699,7 +704,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si
memset(&s->lf_delta, 0, sizeof(s->lf_delta));
}
- ff_vp56_init_range_decoder(c, buf, header_size);
+ ret = ff_vp56_init_range_decoder(c, buf, header_size);
+ if (ret < 0)
+ return ret;
buf += header_size;
buf_size -= header_size;
@@ -2275,7 +2282,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame,
#define update_pos(td, mb_y, mb_x) while(0)
#endif
-static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
int jobnr, int threadnr, int is_vp7)
{
VP8Context *s = avctx->priv_data;
@@ -2291,6 +2298,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize,
curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize
};
+
+ if (c->end <= c->buffer && c->bits >= 0)
+ return AVERROR_INVALIDDATA;
+
if (mb_y == 0)
prev_td = td;
else
@@ -2319,6 +2330,8 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN;
for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) {
+ if (c->end <= c->buffer && c->bits >= 0)
+ return AVERROR_INVALIDDATA;
// Wait for previous thread to read mb_x+2, and reach mb_y-1.
if (prev_td != td) {
if (threadnr != 0) {
@@ -2394,18 +2407,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void
update_pos(td, mb_y, mb_x);
}
}
+ return 0;
}
-static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
int jobnr, int threadnr)
{
- decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1);
+ return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1);
}
-static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
+static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata,
int jobnr, int threadnr)
{
- decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0);
+ return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0);
}
static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata,
@@ -2488,13 +2502,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr,
VP8ThreadData *next_td = NULL, *prev_td = NULL;
VP8Frame *curframe = s->curframe;
int mb_y, num_jobs = s->num_jobs;
+ int ret;
td->thread_nr = threadnr;
for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) {
- if (mb_y >= s->mb_height)
- break;
td->thread_mb_pos = mb_y << 16;
- s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr);
+ ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr);
+ if (ret < 0) {
+ update_pos(td, s->mb_height, INT_MAX & 0xFFFF);
+ return ret;
+ }
if (s->deblock_filter)
s->filter_mb_row(avctx, tdata, jobnr, threadnr);
update_pos(td, mb_y, INT_MAX & 0xFFFF);
@@ -2531,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
enum AVDiscard skip_thresh;
VP8Frame *av_uninit(curframe), *prev_frame;
+ av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);
+
if (is_vp7)
ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
else
diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h
index 374e1388..6218fe05 100644
--- a/libavcodec/vp8.h
+++ b/libavcodec/vp8.h
@@ -275,7 +275,7 @@ typedef struct VP8Context {
*/
int mb_layout;
- void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);
+ int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);
void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr);
int vp7;
diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c
index 07bea69c..fed5c67a 100644
--- a/libavcodec/vp8dsp.c
+++ b/libavcodec/vp8dsp.c
@@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \
#if CONFIG_VP7_DECODER
static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
{
- int i, a1, b1, c1, d1;
+ int i;
+ unsigned a1, b1, c1, d1;
int16_t tmp[16];
for (i = 0; i < 4; i++) {
@@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170;
c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274;
d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540;
- tmp[i * 4 + 0] = (a1 + d1) >> 14;
- tmp[i * 4 + 3] = (a1 - d1) >> 14;
- tmp[i * 4 + 1] = (b1 + c1) >> 14;
- tmp[i * 4 + 2] = (b1 - c1) >> 14;
+ tmp[i * 4 + 0] = (int)(a1 + d1) >> 14;
+ tmp[i * 4 + 3] = (int)(a1 - d1) >> 14;
+ tmp[i * 4 + 1] = (int)(b1 + c1) >> 14;
+ tmp[i * 4 + 2] = (int)(b1 - c1) >> 14;
}
for (i = 0; i < 4; i++) {
@@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16])
c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274;
d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540;
AV_ZERO64(dc + i * 4);
- block[0][i][0] = (a1 + d1 + 0x20000) >> 18;
- block[3][i][0] = (a1 - d1 + 0x20000) >> 18;
- block[1][i][0] = (b1 + c1 + 0x20000) >> 18;
- block[2][i][0] = (b1 - c1 + 0x20000) >> 18;
+ block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18;
+ block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18;
+ block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18;
+ block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18;
}
}
@@ -95,7 +96,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16])
static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
{
- int i, a1, b1, c1, d1;
+ int i;
+ unsigned a1, b1, c1, d1;
int16_t tmp[16];
for (i = 0; i < 4; i++) {
@@ -104,10 +106,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274;
d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540;
AV_ZERO64(block + i * 4);
- tmp[i * 4 + 0] = (a1 + d1) >> 14;
- tmp[i * 4 + 3] = (a1 - d1) >> 14;
- tmp[i * 4 + 1] = (b1 + c1) >> 14;
- tmp[i * 4 + 2] = (b1 - c1) >> 14;
+ tmp[i * 4 + 0] = (int)(a1 + d1) >> 14;
+ tmp[i * 4 + 3] = (int)(a1 - d1) >> 14;
+ tmp[i * 4 + 1] = (int)(b1 + c1) >> 14;
+ tmp[i * 4 + 2] = (int)(b1 - c1) >> 14;
}
for (i = 0; i < 4; i++) {
@@ -116,13 +118,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride)
c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274;
d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540;
dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] +
- ((a1 + d1 + 0x20000) >> 18));
+ ((int)(a1 + d1 + 0x20000) >> 18));
dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] +
- ((a1 - d1 + 0x20000) >> 18));
+ ((int)(a1 - d1 + 0x20000) >> 18));
dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] +
- ((b1 + c1 + 0x20000) >> 18));
+ ((int)(b1 + c1 + 0x20000) >> 18));
dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] +
- ((b1 - c1 + 0x20000) >> 18));
+ ((int)(b1 - c1 + 0x20000) >> 18));
}
}
diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c
index 1aab6ba0..f4974ea9 100644
--- a/libavcodec/vp9.c
+++ b/libavcodec/vp9.c
@@ -844,7 +844,10 @@ static int decode_frame_header(AVCodecContext *ctx,
av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n");
return AVERROR_INVALIDDATA;
}
- ff_vp56_init_range_decoder(&s->c, data2, size2);
+ res = ff_vp56_init_range_decoder(&s->c, data2, size2);
+ if (res < 0)
+ return res;
+
if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit
av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n");
return AVERROR_INVALIDDATA;
@@ -4133,7 +4136,9 @@ FF_ENABLE_DEPRECATION_WARNINGS
ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
return AVERROR_INVALIDDATA;
}
- ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+ res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size);
+ if (res < 0)
+ return res;
if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit
ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0);
return AVERROR_INVALIDDATA;
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 071e2be7..ccdc6752 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc,
int bit;
if (s->extra_bits) {
- S <<= s->extra_bits;
+ S *= 1 << s->extra_bits;
if (s->got_extra_bits &&
get_bits_left(&s->gb_extra_bits) >= s->extra_bits) {
@@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE;
s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f);
s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1);
- s->hybrid_minclip = ((-1LL << (orig_bpp - 1)));
+ s->hybrid_minclip = ((-1UL << (orig_bpp - 1)));
s->CRC = bytestream2_get_le32(&gb);
// parse metadata blocks
@@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
}
for (i = 0; i < weights; i++) {
t = (int8_t)bytestream2_get_byte(&gb);
- s->decorr[s->terms - i - 1].weightA = t << 3;
+ s->decorr[s->terms - i - 1].weightA = t * (1 << 3);
if (s->decorr[s->terms - i - 1].weightA > 0)
s->decorr[s->terms - i - 1].weightA +=
(s->decorr[s->terms - i - 1].weightA + 64) >> 7;
if (s->stereo_in) {
t = (int8_t)bytestream2_get_byte(&gb);
- s->decorr[s->terms - i - 1].weightB = t << 3;
+ s->decorr[s->terms - i - 1].weightB = t * (1 << 3);
if (s->decorr[s->terms - i - 1].weightB > 0)
s->decorr[s->terms - i - 1].weightB +=
(s->decorr[s->terms - i - 1].weightB + 64) >> 7;
@@ -837,7 +837,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
continue;
}
bytestream2_get_buffer(&gb, val, 4);
- if (val[0] > 32) {
+ if (val[0] > 31) {
av_log(avctx, AV_LOG_ERROR,
"Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]);
continue;
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 45abfdc3..ef7b26c4 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -694,7 +694,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role,
length = offset + get_bits(&s->gb, extra_bits) + 1;
}
prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb);
- if (prefix_code > 39) {
+ if (prefix_code > 39U) {
av_log(s->avctx, AV_LOG_ERROR,
"distance prefix code too large: %d\n", prefix_code);
return AVERROR_INVALIDDATA;
@@ -1043,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s)
uint8_t *line;
int pixel_bits = 8 >> pal->size_reduction;
- line = av_malloc(img->frame->linesize[0]);
+ line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE);
if (!line)
return AVERROR(ENOMEM);
@@ -1099,6 +1099,21 @@ static int apply_color_indexing_transform(WebPContext *s)
return 0;
}
+static void update_canvas_size(AVCodecContext *avctx, int w, int h)
+{
+ WebPContext *s = avctx->priv_data;
+ if (s->width && s->width != w) {
+ av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n",
+ s->width, w);
+ }
+ s->width = w;
+ if (s->height && s->height != h) {
+ av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n",
+ s->height, h);
+ }
+ s->height = h;
+}
+
static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
int *got_frame, uint8_t *data_start,
unsigned int data_size, int is_alpha_chunk)
@@ -1123,16 +1138,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p,
w = get_bits(&s->gb, 14) + 1;
h = get_bits(&s->gb, 14) + 1;
- if (s->width && s->width != w) {
- av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n",
- s->width, w);
- }
- s->width = w;
- if (s->height && s->height != h) {
- av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n",
- s->width, w);
- }
- s->height = h;
+
+ update_canvas_size(avctx, w, h);
ret = ff_set_dimensions(avctx, s->width, s->height);
if (ret < 0)
@@ -1327,9 +1334,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p,
if (!s->initialized) {
ff_vp8_decode_init(avctx);
s->initialized = 1;
- if (s->has_alpha)
- avctx->pix_fmt = AV_PIX_FMT_YUVA420P;
}
+ avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P;
s->lossless = 0;
if (data_size > INT_MAX) {
@@ -1342,6 +1348,11 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p,
pkt.size = data_size;
ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt);
+ if (ret < 0)
+ return ret;
+
+ update_canvas_size(avctx, avctx->width, avctx->height);
+
if (s->has_alpha) {
ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data,
s->alpha_data_size);
diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c
index 40e0bef0..7b59d10a 100644
--- a/libavcodec/wmv2dsp.c
+++ b/libavcodec/wmv2dsp.c
@@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b)
a4 = W0 * b[0] - W0 * b[4];
/* step 2 */
- s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7
- s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8;
+ s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7
+ s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8;
/* step 3 */
b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8;
@@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b)
a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3;
/* step 2 */
- s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8;
- s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8;
+ s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8;
+ s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8;
/* step 3 */
b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14;
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index 9ff99b2f..126c01a0 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value)
if (v == 15)
return ff_reverse[get_bits(&w->gb, 8 - w->shift)];
else
- return base_value + ((v - 7) << w->shift);
+ return base_value + ((v - 7U) << w->shift);
}
static int decode_frame(AVCodecContext *avctx,
diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c
index c8943fa2..c53a1328 100644
--- a/libavcodec/x86/vc1dsp_init.c
+++ b/libavcodec/x86/vc1dsp_init.c
@@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp)
{
int cpu_flags = av_get_cpu_flags();
- if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags))
+ if (HAVE_6REGS && INLINE_MMX(cpu_flags))
+ if (EXTERNAL_MMX(cpu_flags))
ff_vc1dsp_init_mmx(dsp);
- if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags))
+ if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags))
+ if (EXTERNAL_MMXEXT(cpu_flags))
ff_vc1dsp_init_mmxext(dsp);
#define ASSIGN_LF(EXT) \
diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 64cd8418..8b0845fc 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
case XWD_GRAY_SCALE:
if (bpp != 1 && bpp != 8)
return AVERROR_INVALIDDATA;
- if (pixdepth == 1) {
+ if (bpp == 1 && pixdepth == 1) {
avctx->pix_fmt = AV_PIX_FMT_MONOWHITE;
- } else if (pixdepth == 8) {
+ } else if (bpp == 8 && pixdepth == 8) {
avctx->pix_fmt = AV_PIX_FMT_GRAY8;
}
break;
diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c
index 1b177d42..85a39e4a 100644
--- a/libavcodec/y41pdec.c
+++ b/libavcodec/y41pdec.c
@@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data,
uint8_t *y, *u, *v;
int i, j, ret;
- if (avpkt->size < 3LL * avctx->height * avctx->width / 2) {
+ if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) {
av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n");
return AVERROR(EINVAL);
}
diff --git a/libavfilter/af_sofalizer.c b/libavfilter/af_sofalizer.c
index 7558f57e..f4197250 100644
--- a/libavfilter/af_sofalizer.c
+++ b/libavfilter/af_sofalizer.c
@@ -448,7 +448,7 @@ static int get_speaker_pos(AVFilterContext *ctx,
/* set speaker positions according to input channel configuration: */
for (m = 0, ch = 0; ch < n_conv && m < 64; m++) {
- uint64_t mask = channels_layout & (1 << m);
+ uint64_t mask = channels_layout & (1ULL << m);
switch (mask) {
case AV_CH_FRONT_LEFT: azim[ch] = 30; break;
diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c
index 3af698d4..e3546b50 100644
--- a/libavfilter/avfiltergraph.c
+++ b/libavfilter/avfiltergraph.c
@@ -871,6 +871,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter)
for (j = 0; j < outlink->in_samplerates->nb_formats; j++) {
int diff = abs(sample_rate - outlink->in_samplerates->formats[j]);
+ av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates
+
if (diff < best_diff) {
best_diff = diff;
best_idx = j;
diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c
index 9294811d..ba872112 100644
--- a/libavfilter/buffersrc.c
+++ b/libavfilter/buffersrc.c
@@ -316,14 +316,16 @@ static av_cold int init_audio(AVFilterContext *ctx)
return AVERROR(EINVAL);
}
- if (s->channel_layout_str) {
+ if (s->channel_layout_str || s->channel_layout) {
int n;
- s->channel_layout = av_get_channel_layout(s->channel_layout_str);
if (!s->channel_layout) {
- av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n",
- s->channel_layout_str);
- return AVERROR(EINVAL);
+ s->channel_layout = av_get_channel_layout(s->channel_layout_str);
+ if (!s->channel_layout) {
+ av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n",
+ s->channel_layout_str);
+ return AVERROR(EINVAL);
+ }
}
n = av_get_channel_layout_nb_channels(s->channel_layout);
if (s->channels) {
diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c
index 8a6d0fbb..02d98e4a 100644
--- a/libavfilter/vf_uspp.c
+++ b/libavfilter/vf_uspp.c
@@ -228,8 +228,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3],
p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA;
}
// init per MB qscale stuff FIXME
- p->frame->height = height;
- p->frame->width = width;
+ p->frame->height = height + BLOCK;
+ p->frame->width = width + BLOCK;
for (i = 0; i < count; i++) {
const int x1 = offset[i+count-1][0];
diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c
index bb17896e..7a284e32 100644
--- a/libavformat/apngdec.c
+++ b/libavformat/apngdec.c
@@ -269,7 +269,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket
/* default is hundredths of seconds */
if (!delay_den)
delay_den = 100;
- if (!delay_num || delay_den / delay_num > ctx->max_fps) {
+ if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) {
delay_num = 1;
delay_den = ctx->default_fps;
}
diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c
index 5cc239a1..3d843173 100644
--- a/libavformat/concatdec.c
+++ b/libavformat/concatdec.c
@@ -199,8 +199,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx)
AVBitStreamFilterContext *bsf;
int ret;
- if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264 &&
- (st->codecpar->extradata_size < 4 || AV_RB32(st->codecpar->extradata) != 1)) {
+ if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264) {
+ if (!st->codecpar->extradata_size ||
+ (st->codecpar->extradata_size >= 3 && AV_RB24(st->codecpar->extradata) == 1) ||
+ (st->codecpar->extradata_size >= 4 && AV_RB32(st->codecpar->extradata) == 1))
+ return 0;
av_log(cat->avf, AV_LOG_INFO,
"Auto-inserting h264_mp4toannexb bitstream filter\n");
if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) {
diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c
index 66baba59..fee46fcf 100644
--- a/libavformat/flacdec.c
+++ b/libavformat/flacdec.c
@@ -233,7 +233,14 @@ static int flac_probe(AVProbeData *p)
return raw_flac_probe(p);
if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4))
return 0;
- return AVPROBE_SCORE_EXTENSION;
+ if ( p->buf[4] & 0x7f != FLAC_METADATA_TYPE_STREAMINFO
+ || AV_RB24(p->buf + 5) != FLAC_STREAMINFO_SIZE
+ || AV_RB16(p->buf + 8) < 16
+ || AV_RB16(p->buf + 8) > AV_RB16(p->buf + 10)
+ || !(AV_RB24(p->buf + 18) >> 4)
+ || AV_RB24(p->buf + 18) >> 4 > 655350)
+ return AVPROBE_SCORE_EXTENSION;
+ return AVPROBE_SCORE_MAX;
}
static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_index,
diff --git a/libavformat/http.c b/libavformat/http.c
index 944a6cf3..bd1be3f7 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1011,6 +1011,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
int len = 0;
const char *method;
int send_expect_100 = 0;
+ int ret;
/* send http header */
post = h->flags & AVIO_FLAG_WRITE;
@@ -1107,7 +1108,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
if (s->headers)
av_strlcpy(headers + len, s->headers, sizeof(headers) - len);
- snprintf(s->buffer, sizeof(s->buffer),
+ ret = snprintf(s->buffer, sizeof(s->buffer),
"%s %s HTTP/1.1\r\n"
"%s"
"%s"
@@ -1123,6 +1124,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path,
av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer);
+ if (strlen(headers) + 1 == sizeof(headers) ||
+ ret >= sizeof(s->buffer)) {
+ av_log(h, AV_LOG_ERROR, "overlong headers\n");
+ err = AVERROR(EINVAL);
+ goto done;
+ }
+
+
if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0)
goto done;
diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c
index 35fd28f5..a7e38595 100644
--- a/libavformat/libopenmpt.c
+++ b/libavformat/libopenmpt.c
@@ -73,7 +73,7 @@ static int read_header_openmpt(AVFormatContext *s)
AVStream *st;
OpenMPTContext *openmpt = s->priv_data;
int64_t size = avio_size(s->pb);
- if (!size)
+ if (size <= 0)
return AVERROR_INVALIDDATA;
char *buf = av_malloc(size);
int ret;
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index d91055f8..bbfdd4ff 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -1202,7 +1202,7 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv,
} else if (display_width_div != 1 || display_height_div != 1) {
put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH , par->width / display_width_div);
put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, par->height / display_height_div);
- } else
+ } else if (mkv->mode != MODE_WEBM)
put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, MATROSKA_VIDEO_DISPLAYUNIT_UNKNOWN);
if (par->codec_id == AV_CODEC_ID_RAWVIDEO) {
diff --git a/libavformat/mov.c b/libavformat/mov.c
index ce7e2ec2..24a76a0d 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1182,6 +1182,12 @@ static void mov_metadata_creation_time(AVDictionary **metadata, int64_t time)
if (time) {
if(time >= 2082844800)
time -= 2082844800; /* seconds between 1904-01-01 and Epoch */
+
+ if ((int64_t)(time * 1000000ULL) / 1000000 != time) {
+ av_log(NULL, AV_LOG_DEBUG, "creation_time is not representable\n");
+ return;
+ }
+
avpriv_dict_set_timestamp(metadata, "creation_time", time * 1000000);
}
}
@@ -5309,6 +5315,7 @@ static int mov_read_close(AVFormatContext *s)
av_freep(&mov->fragment_index_data);
av_freep(&mov->aes_decrypt);
+ av_freep(&mov->chapter_tracks);
return 0;
}
diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c
index 423877e9..a651cb3e 100644
--- a/libavformat/mpeg.c
+++ b/libavformat/mpeg.c
@@ -138,7 +138,7 @@ typedef struct MpegDemuxContext {
static int mpegps_read_header(AVFormatContext *s)
{
MpegDemuxContext *m = s->priv_data;
- char buffer[7];
+ char buffer[7] = { 0 };
int64_t last_pos = avio_tell(s->pb);
m->header_state = 0xff;
diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c
index 89bda589..a373b41b 100644
--- a/libavformat/oggparsedaala.c
+++ b/libavformat/oggparsedaala.c
@@ -126,6 +126,7 @@ static int daala_header(AVFormatContext *s, int idx)
if (hdr->gpshift >= 32) {
av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n",
hdr->gpshift);
+ hdr->gpshift = 0;
return AVERROR_INVALIDDATA;
}
hdr->gpmask = (1U << hdr->gpshift) - 1;
@@ -232,7 +233,7 @@ static int daala_packet(AVFormatContext *s, int idx)
os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration;
if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
s->streams[idx]->start_time = os->lastpts;
- if (s->streams[idx]->duration)
+ if (s->streams[idx]->duration != AV_NOPTS_VALUE)
s->streams[idx]->duration -= s->streams[idx]->start_time;
}
}
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index f8e656dc..e7a501b5 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -108,7 +108,10 @@ ogm_header(AVFormatContext *s, int idx)
if (size > 52) {
av_assert0(AV_INPUT_BUFFER_PADDING_SIZE <= 52);
size -= 52;
- ff_alloc_extradata(st->codecpar, size);
+ if (bytestream2_get_bytes_left(&p) < size)
+ return AVERROR_INVALIDDATA;
+ if (ff_alloc_extradata(st->codecpar, size) < 0)
+ return AVERROR(ENOMEM);
bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size);
}
}
diff --git a/libavformat/tests/fifo_muxer.c b/libavformat/tests/fifo_muxer.c
index 9659198f..e20bd6e7 100644
--- a/libavformat/tests/fifo_muxer.c
+++ b/libavformat/tests/fifo_muxer.c
@@ -25,6 +25,7 @@
#include "libavutil/avassert.h"
#include "libavformat/avformat.h"
#include "libavformat/url.h"
+#include "libavformat/network.h"
#define MAX_TST_PACKETS 128
#define SLEEPTIME_50_MS 50000
@@ -150,6 +151,9 @@ static int prepare_packet(AVPacket *pkt,const FailingMuxerPacketData *pkt_data,
{
int ret;
FailingMuxerPacketData *data = av_malloc(sizeof(*data));
+ if (!data) {
+ return AVERROR(ENOMEM);
+ }
memcpy(data, pkt_data, sizeof(FailingMuxerPacketData));
ret = av_packet_from_data(pkt, (uint8_t*) data, sizeof(*data));
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 55f23bab..6d0f888a 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4120,9 +4120,7 @@ static void free_stream(AVStream **pst)
av_freep(&st->index_entries);
#if FF_API_LAVF_AVCTX
FF_DISABLE_DEPRECATION_WARNINGS
- av_freep(&st->codec->extradata);
- av_freep(&st->codec->subtitle_header);
- av_freep(&st->codec);
+ avcodec_free_context(&st->codec);
FF_ENABLE_DEPRECATION_WARNINGS
#endif
av_freep(&st->priv_data);
diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c
index 7176cd6f..8bbb301a 100644
--- a/libavformat/wavdec.c
+++ b/libavformat/wavdec.c
@@ -829,6 +829,8 @@ static int w64_read_header(AVFormatContext *s)
chunk_key[4] = 0;
avio_read(pb, chunk_key, 4);
chunk_size = avio_rl32(pb);
+ if (chunk_size == UINT32_MAX)
+ return AVERROR_INVALIDDATA;
value = av_mallocz(chunk_size + 1);
if (!value)
diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c
index d4b31467..9dc9b36d 100644
--- a/libavformat/webmdashenc.c
+++ b/libavformat/webmdashenc.c
@@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s)
char *p = w->adaptation_sets;
char *q;
enum { new_set, parsed_id, parsing_streams } state;
+ if (!w->adaptation_sets) {
+ av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n");
+ return AVERROR(EINVAL);
+ }
// syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on
state = new_set;
while (p < w->adaptation_sets + strlen(w->adaptation_sets)) {
@@ -458,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s)
if (as->streams == NULL)
return AVERROR(ENOMEM);
as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1);
- if (as->streams[as->nb_streams - 1] < 0) return -1;
+ if (as->streams[as->nb_streams - 1] < 0 ||
+ as->streams[as->nb_streams - 1] >= s->nb_streams) {
+ av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n");
+ return AVERROR(EINVAL);
+ }
if (*q == '\0') break;
if (*q == ' ') state = new_set;
p = ++q;
diff --git a/libavutil/hwcontext_vdpau.c b/libavutil/hwcontext_vdpau.c
index 49c44fed..cce53960 100644
--- a/libavutil/hwcontext_vdpau.c
+++ b/libavutil/hwcontext_vdpau.c
@@ -305,7 +305,7 @@ static int vdpau_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst,
for (i = 0; i< FF_ARRAY_ELEMS(data) && dst->data[i]; i++) {
data[i] = dst->data[i];
- if (dst->linesize[i] < 0 || (uint64_t)dst->linesize > UINT32_MAX) {
+ if (dst->linesize[i] < 0 || dst->linesize[i] > UINT32_MAX) {
av_log(ctx, AV_LOG_ERROR,
"The linesize %d cannot be represented as uint32\n",
dst->linesize[i]);
@@ -356,7 +356,7 @@ static int vdpau_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst,
for (i = 0; i< FF_ARRAY_ELEMS(data) && src->data[i]; i++) {
data[i] = src->data[i];
- if (src->linesize[i] < 0 || (uint64_t)src->linesize > UINT32_MAX) {
+ if (src->linesize[i] < 0 || src->linesize[i] > UINT32_MAX) {
av_log(ctx, AV_LOG_ERROR,
"The linesize %d cannot be represented as uint32\n",
src->linesize[i]);
diff --git a/libavutil/internal.h b/libavutil/internal.h
index e995af97..7b859ed6 100644
--- a/libavutil/internal.h
+++ b/libavutil/internal.h
@@ -30,6 +30,10 @@
# define NDEBUG
#endif
+#if defined(DEBUG) && !defined(CHECKED)
+# define CHECKED
+#endif
+
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
@@ -258,6 +262,16 @@ void avpriv_request_sample(void *avc,
# define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0)
#endif
+// For debuging we use signed operations so overflows can be detected (by ubsan)
+// For production we use unsigned so there are no undefined operations
+#ifdef CHECKED
+#define SUINT int
+#define SUINT32 int32_t
+#else
+#define SUINT unsigned
+#define SUINT32 uint32_t
+#endif
+
/**
* Clip and convert a double value into the long long amin-amax range.
* This function is needed because conversion of floating point to integers when
diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h
index fa91d1e1..daf91a55 100644
--- a/libavutil/softfloat.h
+++ b/libavutil/softfloat.h
@@ -114,8 +114,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){
* @return Will not be more denormalized than a.
*/
static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){
+ int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1));
+ temp /= b.mant;
a.exp -= b.exp;
- a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant;
+ a.mant = temp;
+ while (a.mant != temp) {
+ temp /= 2;
+ a.exp--;
+ a.mant = temp;
+ }
a = av_normalize1_sf(a);
if (!a.mant || a.exp < MIN_EXP)
return FLOAT_0;
@@ -235,12 +242,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c)
int st, ct;
idx = a >> 26;
- sign = (idx << 27) >> 31;
+ sign = (int32_t)((unsigned)idx << 27) >> 31;
cv = av_costbl_1_sf[idx & 0xf];
cv = (cv ^ sign) - sign;
idx -= 8;
- sign = (idx << 27) >> 31;
+ sign = (int32_t)((unsigned)idx << 27) >> 31;
sv = av_costbl_1_sf[idx & 0xf];
sv = (sv ^ sign) - sign;
diff --git a/libswresample/resample.c b/libswresample/resample.c
index 8635bf1b..46e5a267 100644
--- a/libswresample/resample.c
+++ b/libswresample/resample.c
@@ -300,6 +300,14 @@ fail:
return ret;
}
+static void resample_free(ResampleContext **cc){
+ ResampleContext *c = *cc;
+ if(!c)
+ return;
+ av_freep(&c->filter_bank);
+ av_freep(cc);
+}
+
static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear,
double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, double kaiser_beta,
double precision, int cheby, int exact_rational)
@@ -322,6 +330,7 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r
if (!c || c->phase_count != phase_count || c->linear!=linear || c->factor != factor
|| c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format
|| c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) {
+ resample_free(&c);
c = av_mallocz(sizeof(*c));
if (!c)
return NULL;
@@ -391,13 +400,6 @@ error:
return NULL;
}
-static void resample_free(ResampleContext **c){
- if(!*c)
- return;
- av_freep(&(*c)->filter_bank);
- av_freep(c);
-}
-
static int rebuild_filter_bank_with_compensation(ResampleContext *c)
{
uint8_t *new_filter_bank;
diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c
index da6a41b7..be4cd9a0 100644
--- a/libswscale/tests/swscale.c
+++ b/libswscale/tests/swscale.c
@@ -309,10 +309,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp,
struct Results r;
enum AVPixelFormat srcFormat;
char srcStr[12];
- int srcW, srcH;
+ int srcW = 0, srcH = 0;
enum AVPixelFormat dstFormat;
char dstStr[12];
- int dstW, dstH;
+ int dstW = 0, dstH = 0;
int flags;
int ret;
diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5
index 2116fb9b..2469a3ec 100644
--- a/tests/ref/fate/vp5
+++ b/tests/ref/fate/vp5
@@ -249,4 +249,4 @@
0, 243, 243, 1, 233472, 0x6f530ac6
0, 244, 244, 1, 233472, 0x94f7466c
0, 245, 245, 1, 233472, 0xa8c1d365
-0, 246, 246, 1, 233472, 0xedcff050
+0, 246, 246, 1, 233472, 0xbf73f1b7
diff --git a/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb b/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb
index 3490d4ae..27e59312 100644
--- a/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb
+++ b/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb
@@ -1,4 +1,4 @@
08cbfe9b9f671cdb9dddc9307121d107 *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.dnxhd
409600 tests/data/fate/vsynth1-dnxhd-720p-hr-lb.dnxhd
-22eb87f0f8a50278355006fef70073a9 *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.out.rawvideo
-stddev: 7.49 PSNR: 30.63 MAXDIFF: 64 bytes: 7603200/ 608256
+77e510e3538313b1cbafb86ed248d2df *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.out.rawvideo
+stddev: 7.50 PSNR: 30.62 MAXDIFF: 64 bytes: 7603200/ 760320
Attachment:
signature.asc
Description: PGP signature