Your message dated Tue, 23 May 2017 19:23:00 +0000 with message-id <932b2f4e-8ae3-d901-3ce3-3eb3ea8762ac@thykier.net> and subject line Re: Bug#863196: unblock: ffmpeg/7:3.2.5-1 has caused the Debian Bug report #863196, regarding unblock: ffmpeg/7:3.2.5-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 863196: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863196 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ffmpeg/7:3.2.5-1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Tue, 23 May 2017 11:46:04 +0200
- Message-id: <[🔎] 20170523094604.g5snwlkzc7fa4yjv@ramacher.at>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ffmpeg version 7:3.2.5-1. ffmpeg 3.2.5 is the lastest stable bugfix release of the 3.2.x branch. The release contains fixes for multiple integer overflows, shifts with undefined behavior, null pointer deferences, out-of-bounds writes, and many other issues: version 3.2.5: - avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' - avcodec/svq3: Fix runtime error: left shift of negative value -6 - avcodec/tiff: reset sampling[] if its invalid - avcodec/aacps: Fix undefined behavior - avcodec/opus_silk: Fix integer overflow and out of array read - avcodec/flacdec: Return error code instead of 0 for failures - avcodec/snowdec: Check width - avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() - avcodec/webp: Factor update_canvas_size() out - avcodec/cllc: Check prefix - avcodec/rscc: Check pixel_size for overflow - avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' - avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode - avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' - avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' - avcodec/g723_1dec: Fix LCG type - libswscale/tests/swscale: Fix uninitialized variables - avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' - avcodec/webp: Fix signedness in prefix_code check - avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' - avcodec/mlpdec: Check that there is enough data for headers - avcodec/ac3dec: Keep track of band structure - avcodec/webp: Add missing input padding - avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 - avcodec/aacsbr_template: Do not change bs_num_env before its checked - avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 - avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' - avcodec/avcodec: Limit the number of side data elements per packet - avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' - avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 - avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' - avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 - avcodec/msmpeg4dec: Check for cbpy VLC errors - avcodec/cllc: Check num_bits - avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers - avcodec/dvbsubdec: Check entry_id - avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' - avcodec/mpeg12dec: Fixes runtime error: division by zero - avcodec/webp: Always set pix_fmt - avfilter/vf_uspp: Fix currently unused input frame dimensions - avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 - avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' - avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' - avformat/wavdec: Check chunk_size - avcodec/cavs: Check updated MV - avcodec/y41pdec: Fix width in input buffer size check - avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' - avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' - avcodec/lagarith: Check scale_factor - avcodec/lagarith: Fix runtime error: left shift of negative value -1 - avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 - avcodec/indeo2: Check for invalid VLCs - avcodec/g723_1dec: Fix several integer related cases of undefined behaviour - avcodec/htmlsubtitles: Check for string truncation and return error - avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' - avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' - avcodec/dvbsubdec: check region dimensions - avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' - avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() - avcodec/cavsdec: Check sym_factor - avcodec/cdxl: Check format for BGR24 - avcodec/ffv1dec: Fix copying planes of paletted formats - avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' - avcodec/xwddec: Check bpp more completely - avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure - avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' - avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' - avcodec/g726: Fix runtime error: left shift of negative value -2 - avcodec/ra144: Fix runtime error: left shift of negative value -798 - avcodec/mss34dsp: Fix multiple signed integer overflow - avcodec/targa_y216dec: Fix width type - avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' - avcodec/ivi_dsp: Fix multiple left shift of negative value -2 - avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' - avcodec/msmpeg4dec: Correct table depth - avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' - avcodec/cdxl: Check format parameter - avutil/softfloat: Fix overflow in av_div_sf() - avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 - avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from - avcodec/shorten: Check k in get_uint() - avcodec/webp: Fix null pointer dereference - avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' - avcodec/g723_1: Fix multiple runtime error: left shift of negative value - avcodec/mimic: Fix runtime error: left shift of negative value -1 - avcodec/fic: Fix multiple left shift of negative value -15 - avcodec/mlpdec: Fix runtime error: left shift of negative value -22 - avcodec/snowdec: Check qbias - avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 - avcodec/aacsbr_template: Do not leave bs_num_env invalid - avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' - avcodec/dfa: Fix off by 1 error - avcodec/nellymoser: Fix multiple left shift of negative value -8591 - avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' - avcodec/g722: Fix multiple runtime error: left shift of negative value -1 - avcodec/dss_sp: Fix multiple left shift of negative value -466 - avcodec/wnv1: Fix runtime error: left shift of negative value -1 - avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so - avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' - avcodec/cavsdec: Fix undefined behavior from integer overflow - avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' - libavcodec/mpeg4videodec: Convert sprite_offset to 64bit - avcodec/pngdec: Use ff_set_dimensions() - avcodec/msvideo1: Check buffer size before re-getting the frame - avcodec/h264_cavlc: Fix undefined behavior on qscale overflow - avcodec/dcadsp: Fix runtime error: signed integer overflow - avcodec/svq3: Reject dx/dy beyond 16bit - avcodec/svq3: Increase offsets to prevent integer overflows - avcodec/indeo2: Check remaining bits in ir2_decode_plane() - avcodec/vp3: Check remaining bits in unpack_dct_coeffs() - doc/developer: Add terse documentation of assumed C implementation defined behavior - avcodec/mdec: Fix runtime error: left shift of negative value -127 - avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang - libavcodec/exr : fix float to uint16 conversion for negative float value - avformat/webmdashenc: Validate the 'streams' adaptation sets parameter - avformat/webmdashenc: Require the 'adaptation_sets' option to be set - avformat/oggparseogm: Check ff_alloc_extradata() for failure - avformat/oggparseogm: Check available data before reading global header - avformat/mov: Check creation_time for overflow - avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' - avcodec/h264: Check weight values to be within the specs limits. - libavformat/mov: Fix memory leak, need to free the chapter tracks array - avformat/oggparsedaala: Do not leave an invalid value in gpshift - avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE - avformat/libopenmpt: Check for avio_size() failure - avfilter/af_sofalizer: Fix bad shift - avcodec: fix uninitialized variable read - avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() - avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit - avformat/test/fifo_muxer: add check for FailingMuxerPacketData alloc - omx: Fix OOM check - avcodec/vdpau_hevc: Fix potential out-of-bounds write - avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int' - avcodec/tiff: Check geotag count for being non zero - avcodec/vp56: Check avctx->error_concealment before enabling EC - avcodec/tiff: Check stripsize strippos for overflow - avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 - avcodec/tiff: Check for multiple geo key directories - avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' - avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' - avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 - avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' - avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 - avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 - avcodec/wavpack: Fix runtime error: left shift of negative value -5 - avcodec/wavpack: Fix runtime error: left shift of negative value -2 - avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 - avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value - avcodec/adxdec: Fix runtime error: left shift of negative value -1 - avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() - avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 - avcodec/h264_direct: Fix runtime error: left shift of negative value -14 - avcodec/pictordec: Check plane value before doing value/mask computations - avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 - avcodec/eac3dec: Fix runtime error: left shift of negative value -3 - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 - avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows - avcodec/mpeg4videodec: Check sprite_offset in addition to shifts - avcodec/mpeg4video: Fix runtime error: left shift of negative value - avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 - avcodec/rv40: Fix runtime error: left shift of negative value - avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' - avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative - avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 - avcodec/eac3dec: Fix runtime error: left shift of negative value - avcodec/htmlsubtitles: Fix reading one byte beyond the array - avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() - avcodec/vp56: Reset have_undamaged_frame on resolution changes - avcodec/vp8: Fix hang with slice threads - avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() - avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() - avcodec/vp8: remove redundant check - avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() - avcodec/vp3: Do not return random positive values but the buf size - avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() - avcodec/vp56: Factorize vp56_render_mb() out - avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' - Add CHECK/SUINT code - avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 - avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change - avcodec/vp56: Implement very basic error concealment - avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 - avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' - avcodec/vp56: Fix sign typo - avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding - avcodec/rv34: Simplify and factor get_slice_offset() code - avcodec/pictordec: Do not read more than nb_planes - avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' - avcodec/pngdec: Check bit depth for validity - avcodec/mpeg12dec: Fix runtime error: left shift of negative value - avcodec/wavpacl: Fix runtime error: left shift of negative value -1 - avformat/http: Check for truncated buffers in http_connect() - avformat/utils: free AVStream.codec properly in free_stream() - avcodec/options: do a more thorough clean up in avcodec_copy_context() - avcodec/options: factorize avcodec_copy_context() cleanup code - avformat/concatdec: fix the h264 annexb extradata check - hwcontext_vdpau: Fix missing subscripts - lavf/flacdec: Return maximum score if the streaminfo header is valid. - avcodec/dnxhd_parser: take into account compressed frame size and skip it - avformat/apng: fix setting frame delay when max_fps is set to no limit - swresample/resample: free existing ResampleContext on reinit - swresample/resample: move resample_free() higher in the file - avformat/matroskaenc: don't write DisplayUnit with value Unknown on WebM files - lavfi/buffersrc: fix directly setting channel layout - lavf/mpeg: Initialize a stack variable used by memcmp(). - lavc/avpacket: Initialize a variable in error path. The full debdiff is attached. unblock ffmpeg/7:3.2.5-1 Cheers -- Sebastian Ramacherdiff --git a/Changelog b/Changelog index 1e0f8612..5468e4fa 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,216 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.2.5: +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/rscc: Check pixel_size for overflow +- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' +- avcodec/g723_1dec: Fix LCG type +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/g723_1dec: Fix runtime error: left shift of negative value -1 +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' +- avcodec/mpeg12dec: Fixes runtime error: division by zero +- avcodec/webp: Always set pix_fmt +- avfilter/vf_uspp: Fix currently unused input frame dimensions +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/y41pdec: Fix width in input buffer size check +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 +- avcodec/indeo2: Check for invalid VLCs +- avcodec/g723_1dec: Fix several integer related cases of undefined behaviour +- avcodec/htmlsubtitles: Check for string truncation and return error +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/aacdec_template: Do not decode 2nd PCE if it will lead to failure +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/texturedsp: Fix multiple runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/cdxl: Check format parameter +- avutil/softfloat: Fix overflow in av_div_sf() +- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/g723_1: Fix multiple runtime error: left shift of negative value +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/g722: Fix multiple runtime error: left shift of negative value -1 +- avcodec/dss_sp: Fix multiple left shift of negative value -466 +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/pngdec: Use ff_set_dimensions() +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow +- avcodec/dcadsp: Fix runtime error: signed integer overflow +- avcodec/svq3: Reject dx/dy beyond 16bit +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- doc/developer: Add terse documentation of assumed C implementation defined behavior +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- avcodec/x86/vc1dsp_init: Fix build failure with --disable-optimizations and clang +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avformat/oggparseogm: Check ff_alloc_extradata() for failure +- avformat/oggparseogm: Check available data before reading global header +- avformat/mov: Check creation_time for overflow +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avcodec/h264: Check weight values to be within the specs limits. +- libavformat/mov: Fix memory leak, need to free the chapter tracks array +- avformat/oggparsedaala: Do not leave an invalid value in gpshift +- avformat/oggparsedaala: Check duration for AV_NOPTS_VALUE +- avformat/libopenmpt: Check for avio_size() failure +- avfilter/af_sofalizer: Fix bad shift +- avcodec: fix uninitialized variable read +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- avformat/test/fifo_muxer: add check for FailingMuxerPacketData alloc +- omx: Fix OOM check +- avcodec/vdpau_hevc: Fix potential out-of-bounds write +- avcodec/h264_ps: Fix runtime error: signed integer overflow: 2147483647 + 26 cannot be represented in type 'int' +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/htmlsubtitles: Fix reading one byte beyond the array +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/rv34: Simplify and factor get_slice_offset() code +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' +- avcodec/pngdec: Check bit depth for validity +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in http_connect() +- avformat/utils: free AVStream.codec properly in free_stream() +- avcodec/options: do a more thorough clean up in avcodec_copy_context() +- avcodec/options: factorize avcodec_copy_context() cleanup code +- avformat/concatdec: fix the h264 annexb extradata check +- hwcontext_vdpau: Fix missing subscripts +- lavf/flacdec: Return maximum score if the streaminfo header is valid. +- avcodec/dnxhd_parser: take into account compressed frame size and skip it +- avformat/apng: fix setting frame delay when max_fps is set to no limit +- swresample/resample: free existing ResampleContext on reinit +- swresample/resample: move resample_free() higher in the file +- avformat/matroskaenc: don't write DisplayUnit with value Unknown on WebM files +- lavfi/buffersrc: fix directly setting channel layout +- lavf/mpeg: Initialize a stack variable used by memcmp(). +- lavc/avpacket: Initialize a variable in error path. + + version 3.2.4: - avcodec/h264_slice: Clear ref_counts on redundant slices - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid diff --git a/RELEASE b/RELEASE index 351227fc..5ae69bd5 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -3.2.4 +3.2.5 diff --git a/VERSION b/VERSION index 351227fc..5ae69bd5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.2.4 +3.2.5 diff --git a/debian/changelog b/debian/changelog index 3010e1c6..ad75f8a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ffmpeg (7:3.2.5-1) unstable; urgency=medium + + * Team upload. + * New upstream release. + + -- Sebastian Ramacher <sramacher@debian.org> Mon, 22 May 2017 22:03:36 +0200 + ffmpeg (7:3.2.4-1) unstable; urgency=medium * Import new upstream bugfix release 3.2.4. diff --git a/doc/Doxyfile b/doc/Doxyfile index 14267723..34f6d182 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.2.4 +PROJECT_NUMBER = 3.2.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff --git a/doc/developer.texi b/doc/developer.texi index dbe1f542..98540c8f 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -131,6 +131,11 @@ designated struct initializers (@samp{struct s x = @{ .i = 17 @};}); @item compound literals (@samp{x = (struct s) @{ 17, 23 @};}). + +@item +Implementation defined behavior for signed integers is assumed to match the +expected behavior for two's complement. Non representable values in integer +casts are binary truncated. Shift right of signed values uses sign extension. @end itemize These features are supported by all compilers we care about, so we will not diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index acb81783..1b5e8aa3 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -125,7 +125,7 @@ static inline int *DEC_SQUAD(int *dst, unsigned idx) static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } @@ -134,16 +134,16 @@ static inline int *DEC_UQUAD(int *dst, unsigned idx, unsigned sign) { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } @@ -171,7 +171,11 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i<len; i++) { + dst[i] = 0; + } + } else if (s > 0) { round = 1 << (s-1); for (i=0; i<len; i++) { out = (int)(((int64_t)src[i] * c) >> 32); diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 883ed527..f730ad93 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -406,11 +406,15 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) /** * Save current output configuration if and only if it has been locked. */ -static void push_output_configuration(AACContext *ac) { +static int push_output_configuration(AACContext *ac) { + int pushed = 0; + if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { ac->oc[0] = ac->oc[1]; + pushed = 1; } ac->oc[1].status = OC_NONE; + return pushed; } /** @@ -3002,7 +3006,13 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data, case TYPE_PCE: { uint8_t layout_map[MAX_ELEM_ID*4][3]; int tags; - push_output_configuration(ac); + + int pushed = push_output_configuration(ac); + if (pce_found && !pushed) { + err = AVERROR_INVALIDDATA; + goto fail; + } + tags = decode_pce(avctx, &ac->oc[1].m4ac, layout_map, gb); if (tags < 0) { err = tags; diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index ccc79ffc..48b595ad 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -975,7 +975,7 @@ static void stereo_processing(PSContext *ps, INTFLOAT (*l)[32][2], INTFLOAT (*r) h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width); } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c index 51105427..f69c2d61 100644 --- a/libavcodec/aacsbr_template.c +++ b/libavcodec/aacsbr_template.c @@ -623,24 +623,26 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); - num_rel_lead = ch_data->bs_num_env - 1; - if (ch_data->bs_num_env == 1) - ch_data->bs_amp_res = 0; - - if (ch_data->bs_num_env > 4) { + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; + num_rel_lead = ch_data->bs_num_env - 1; + if (ch_data->bs_num_env == 1) + ch_data->bs_amp_res = 0; + ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -688,14 +690,15 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -710,6 +713,7 @@ static int read_sbr_grid(AACContext *ac, SpectralBandReplication *sbr, get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index a95c2049..28b31471 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -747,30 +747,31 @@ static void ac3_upmix_delay(AC3DecodeContext *s) * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -897,7 +898,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { @@ -1031,7 +1033,8 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { @@ -1331,7 +1334,7 @@ static int decode_audio_block(AC3DecodeContext *s, int blk) for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; diff --git a/libavcodec/ac3dec.h b/libavcodec/ac3dec.h index 6cd67c0f..b93f4d0c 100644 --- a/libavcodec/ac3dec.h +++ b/libavcodec/ac3dec.h @@ -128,6 +128,7 @@ typedef struct AC3DecodeContext { int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -144,6 +145,7 @@ typedef struct AC3DecodeContext { int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) diff --git a/libavcodec/adxdec.c b/libavcodec/adxdec.c index 32cc0f00..178ea99d 100644 --- a/libavcodec/adxdec.c +++ b/libavcodec/adxdec.c @@ -81,7 +81,7 @@ static int adx_decode(ADXContext *c, int16_t *out, int offset, s2 = prev->s2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 7d0c135c..57aed874 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -262,7 +262,7 @@ static void decode_pitch_lag_high(int *lag_int, int *lag_frac, int pitch_index, *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; @@ -292,7 +292,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -302,7 +302,7 @@ static void decode_pitch_lag_low(int *lag_int, int *lag_frac, int pitch_index, AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h index e5e7f422..10068db1 100644 --- a/libavcodec/avcodec.h +++ b/libavcodec/avcodec.h @@ -1536,7 +1536,17 @@ enum AVPacketSideDataType { * should be associated with a video stream and containts data in the form * of the AVMasteringDisplayMetadata struct. */ - AV_PKT_DATA_MASTERING_DISPLAY_METADATA + AV_PKT_DATA_MASTERING_DISPLAY_METADATA, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c index e5a8bdbe..de20a8b9 100644 --- a/libavcodec/avpacket.c +++ b/libavcodec/avpacket.c @@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum AVPacketSideDataType type, AVPacketSideData *tmp; int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return AVERROR(ERANGE); tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); @@ -348,6 +348,8 @@ uint8_t *av_packet_get_side_data(AVPacket *pkt, enum AVPacketSideDataType type, return pkt->side_data[i].data; } } + if (size) + *size = 0; return NULL; } @@ -431,6 +433,9 @@ int av_packet_split_side_data(AVPacket *pkt){ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); diff --git a/libavcodec/bmvvideo.c b/libavcodec/bmvvideo.c index 97f850db..cf7f0a05 100644 --- a/libavcodec/bmvvideo.c +++ b/libavcodec/bmvvideo.c @@ -107,7 +107,7 @@ static int decode_bmv_frame(const uint8_t *source, int src_len, uint8_t *frame, if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } diff --git a/libavcodec/cavs.c b/libavcodec/cavs.c index 10e118e5..8542b124 100644 --- a/libavcodec/cavs.c +++ b/libavcodec/cavs.c @@ -613,8 +613,15 @@ void ff_cavs_mv(AVSContext *h, enum cavs_mv_loc nP, enum cavs_mv_loc nC, mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 73a923df..55e78554 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -465,7 +465,7 @@ static inline void mv_pred_direct(AVSContext *h, cavs_vector *pmv_fw, cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; @@ -1031,6 +1031,10 @@ static int decode_pic(AVSContext *h) h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index c8d66b58..78f5d501 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -275,11 +275,11 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, else aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; diff --git a/libavcodec/cllc.c b/libavcodec/cllc.c index 1c6902af..97d3ae40 100644 --- a/libavcodec/cllc.c +++ b/libavcodec/cllc.c @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -51,6 +55,13 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; @@ -70,11 +81,15 @@ static int read_code_table(CLLCContext *ctx, GetBitContext *gb, VLC *vlc) count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +116,7 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +125,21 @@ static int read_argb_line(CLLCContext *ctx, GetBitContext *gb, int *top_left, if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -166,7 +181,7 @@ static int read_rgb24_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +210,7 @@ static int read_yuv_component_line(CLLCContext *ctx, GetBitContext *gb, /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c index 1cd2e4ed..4cb7fab9 100644 --- a/libavcodec/dcadsp.c +++ b/libavcodec/dcadsp.c @@ -320,7 +320,7 @@ static void dmix_sub_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t le int i; for (i = 0; i < len; i++) - dst[i] -= mul15(src[i], coeff); + dst[i] -= (unsigned)mul15(src[i], coeff); } static void dmix_add_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len) diff --git a/libavcodec/dds.c b/libavcodec/dds.c index fa0f34d7..02d53d58 100644 --- a/libavcodec/dds.c +++ b/libavcodec/dds.c @@ -39,7 +39,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, @@ -722,7 +722,7 @@ static int dds_decode(AVCodecContext *avctx, void *data, (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); frame->palette_has_changed = 1; diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index f45d019a..3ea12f05 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -67,7 +67,8 @@ static int decode_tsw1(GetByteContext *gb, uint8_t *frame, int width, int height const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); @@ -175,7 +176,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index e0604af1..f334f313 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -2041,9 +2041,9 @@ static int get_delayed_pic(DiracContext *s, AVFrame *picture, int *got_frame) if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; diff --git a/libavcodec/dnxhd_parser.c b/libavcodec/dnxhd_parser.c index 033b8ee7..4f9bbcee 100644 --- a/libavcodec/dnxhd_parser.c +++ b/libavcodec/dnxhd_parser.c @@ -31,8 +31,24 @@ typedef struct { ParseContext pc; int interlaced; int cur_field; /* first field is 0, second is 1 */ + int cur_byte; + int remaining; + int w, h; } DNXHDParserContext; +static int dnxhd_get_hr_frame_size(int cid, int w, int h) +{ + int result, i = ff_dnxhd_get_cid_table(cid); + + if (i < 0) + return i; + + result = ((h + 15) / 16) * ((w + 15) / 16) * ff_dnxhd_cid_table[i].packet_scale.num / ff_dnxhd_cid_table[i].packet_scale.den; + result = (result + 2048) / 4096 * 4096; + + return FFMAX(result, 8192); +} + static int dnxhd_find_frame_end(DNXHDParserContext *dctx, const uint8_t *buf, int buf_size) { @@ -51,30 +67,65 @@ static int dnxhd_find_frame_end(DNXHDParserContext *dctx, pic_found = 1; interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */ cur_field = state&1; + dctx->cur_byte = 0; + dctx->remaining = 0; break; } } } - if (pic_found) { + if (pic_found && !dctx->remaining) { if (!buf_size) /* EOF considered as end of frame */ return 0; for (; i < buf_size; i++) { + dctx->cur_byte++; state = (state << 8) | buf[i]; - if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) { - if (!interlaced || dctx->cur_field) { + + if (dctx->cur_byte == 24) { + dctx->h = (state >> 32) & 0xFFFF; + } else if (dctx->cur_byte == 26) { + dctx->w = (state >> 32) & 0xFFFF; + } else if (dctx->cur_byte == 42) { + int cid = (state >> 32) & 0xFFFFFFFF; + + if (cid <= 0) + continue; + + dctx->remaining = avpriv_dnxhd_get_frame_size(cid); + if (dctx->remaining <= 0) { + dctx->remaining = dnxhd_get_hr_frame_size(cid, dctx->w, dctx->h); + if (dctx->remaining <= 0) + return dctx->remaining; + } + if (buf_size - i >= dctx->remaining && (!dctx->interlaced || dctx->cur_field)) { + int remaining = dctx->remaining; + pc->frame_start_found = 0; pc->state64 = -1; dctx->interlaced = interlaced; dctx->cur_field = 0; - return i - 5; + dctx->cur_byte = 0; + dctx->remaining = 0; + return remaining; } else { - /* continue, to get the second field */ - dctx->interlaced = interlaced = (state&2)>>1; - dctx->cur_field = cur_field = state&1; + dctx->remaining -= buf_size; } } } + } else if (pic_found) { + if (dctx->remaining > buf_size) { + dctx->remaining -= buf_size; + } else { + int remaining = dctx->remaining; + + pc->frame_start_found = 0; + pc->state64 = -1; + dctx->interlaced = interlaced; + dctx->cur_field = 0; + dctx->cur_byte = 0; + dctx->remaining = 0; + return remaining; + } } pc->frame_start_found = pic_found; pc->state64 = state; diff --git a/libavcodec/dss_sp.c b/libavcodec/dss_sp.c index ddea4830..14025fcd 100644 --- a/libavcodec/dss_sp.c +++ b/libavcodec/dss_sp.c @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ static void dss_sp_scale_vector(int32_t *vec, int bits, int size) vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) @@ -524,12 +524,12 @@ static void dss_sp_shift_sq_sub(const int32_t *filter_buf, tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c index bf3b1a10..9525cb78 100644 --- a/libavcodec/dvbsubdec.c +++ b/libavcodec/dvbsubdec.c @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1217,9 +1218,9 @@ static int dvbsub_parse_clut_segment(AVCodecContext *avctx, return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); @@ -1242,6 +1243,7 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; @@ -1270,6 +1272,12 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx, region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index e91d63ea..0c73fb2b 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -60,7 +60,7 @@ static void yuv_a_to_rgba(const uint8_t *ycbcr, const uint8_t *alpha, uint32_t * cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } @@ -189,12 +189,12 @@ static void guess_palette(DVDSubContext* ctx, r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c index 83a54bcf..c971879b 100644 --- a/libavcodec/eac3dec.c +++ b/libavcodec/eac3dec.c @@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,16 +271,16 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch) int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index bb0f0053..c28fd11d 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -284,7 +284,7 @@ static int decode_frame(AVCodecContext *avctx, if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; diff --git a/libavcodec/eatqi.c b/libavcodec/eatqi.c index 8fd5cdb1..92b23d00 100644 --- a/libavcodec/eatqi.c +++ b/libavcodec/eatqi.c @@ -112,7 +112,7 @@ static inline void tqi_idct_put(AVCodecContext *avctx, AVFrame *frame, static void tqi_calculate_qtable(TqiContext *t, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; t->intra_matrix[0] = (ff_inv_aanscales[0] * ff_mpeg1_default_intra_matrix[0]) >> 11; diff --git a/libavcodec/exr.c b/libavcodec/exr.c index bc7e7218..47d30fa8 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -218,9 +218,9 @@ static union av_intfloat32 exr_half2float(uint16_t hf) * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index d8f35c34..a57ec536 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -45,7 +45,8 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state, if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; @@ -883,7 +884,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int pixshift = desc->comp[j].depth > 8; int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; @@ -891,6 +892,12 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + ((fs->slice_x >> sh) << pixshift); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, diff --git a/libavcodec/fic.c b/libavcodec/fic.c index d3952a4c..1e28f59d 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -94,8 +94,8 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd const int t7 = t3 - t1; const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; + const int tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const int tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; blk[0 * step] = ( t4 + t9 + tB) >> shift; blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c index 4dde0e05..c372c1b9 100644 --- a/libavcodec/flacdec.c +++ b/libavcodec/flacdec.c @@ -201,12 +201,12 @@ static int get_metadata_size(const uint8_t *buf, int buf_size) buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); diff --git a/libavcodec/g722.c b/libavcodec/g722.c index ee3b85f8..ef7ca6d4 100644 --- a/libavcodec/g722.c +++ b/libavcodec/g722.c @@ -88,14 +88,14 @@ static inline void s_zero(int cur_diff, struct G722Band *band) ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ static void do_adaptive_prediction(struct G722Band *band, const int cur_diff) band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c index a11fec8a..78ce9222 100644 --- a/libavcodec/g723_1.c +++ b/libavcodec/g723_1.c @@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) bits= FFMAX(bits, 0); for (i = 0; i < length; i++) - dst[i] = vector[i] << bits >> 3; + dst[i] = (vector[i] * (1 << bits)) >> 3; return bits - 3; } @@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) for (j = 0; j < LPC_ORDER; j++) { int index = (lpc[j] >> 7) & 0x1FF; int offset = lpc[j] & 0x7f; - int temp1 = cos_tab[index] << 16; + int temp1 = cos_tab[index] * (1 << 16); int temp2 = (cos_tab[index + 1] - cos_tab[index]) * - ((offset << 8) + 0x80) << 1; + (((offset << 8) + 0x80) << 1); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); } @@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) */ /* Initialize with values in Q28 */ f1[0] = 1 << 28; - f1[1] = (lpc[0] << 14) + (lpc[2] << 14); + f1[1] = (lpc[0] + lpc[2]) * (1 << 14); f1[2] = lpc[0] * lpc[2] + (2 << 28); f2[0] = 1 << 28; - f2[1] = (lpc[1] << 14) + (lpc[3] << 14); + f2[1] = (lpc[1] + lpc[3]) * (1 << 14); f2[2] = lpc[1] * lpc[3] + (2 << 28); /* @@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) f1[0] >>= 1; f2[0] >>= 1; - f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; - f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; + f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1; + f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1; } /* Convert polynomial coefficients to LPC coefficients */ @@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff2 = f2[i + 1] - f2[i]; - lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; - lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + + lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16; + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) + (1 << 15)) >> 16; } } diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h index 40d6e700..f833af01 100644 --- a/libavcodec/g723_1.h +++ b/libavcodec/g723_1.h @@ -55,7 +55,7 @@ * @param b 16 bit multiplier */ #define MULL2(a, b) \ - ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) + ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15)) /** * G723.1 frame types diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index e9896b5e..aaa26c24 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -488,7 +488,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (FRAME_LEN - lag) * sizeof(*out)); } else { /* Unvoiced */ for (i = 0; i < FRAME_LEN; i++) { - *rseed = *rseed * 521 + 259; + *rseed = (int16_t)(*rseed * 521 + 259); out[i] = gain * *rseed >> 15; } memset(buf, 0, (FRAME_LEN + PITCH_MAX) * sizeof(*buf)); @@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ }\ \ - (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ + (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\ (1 << 15)) >> res_shift;\ }\ } @@ -664,7 +664,7 @@ static int estimate_sid_gain(G723_1_Context *p) t = p->sid_gain << shift; else t = p->sid_gain >> -shift; - x = t * cng_filt[0] >> 16; + x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16); if (x >= cng_bseg[2]) return 0x3F; @@ -695,13 +695,13 @@ static int estimate_sid_gain(G723_1_Context *p) if (y <= 0) { t = seg * 32 + (val + 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val++; } else { t = seg * 32 + (val - 1 << seg2); t = t * t - x; - val = (seg2 - 1 << 4) + val; + val = (seg2 - 1) * 16 + val; if (t >= y) val--; } @@ -733,7 +733,7 @@ static void generate_noise(G723_1_Context *p) off[i * 2 + 1] = ((t >> 1) & 1) + SUBFRAME_LEN; t >>= 2; for (j = 0; j < 11; j++) { - signs[i * 11 + j] = (t & 1) * 2 - 1 << 14; + signs[i * 11 + j] = ((t & 1) * 2 - 1) * (1 << 14); t >>= 1; } } @@ -777,7 +777,7 @@ static void generate_noise(G723_1_Context *p) sum = 0; if (shift < 0) { for (j = 0; j < SUBFRAME_LEN * 2; j++) { - t = vector_ptr[j] << -shift; + t = vector_ptr[j] * (1 << -shift); sum += t * t; tmp[j] = t; } @@ -815,7 +815,7 @@ static void generate_noise(G723_1_Context *p) if (shift < 0) x >>= -shift; else - x <<= shift; + x *= 1 << shift; x = av_clip(x, -10000, 10000); for (j = 0; j < 11; j++) { @@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, &p->subframe[i], p->cur_rate); /* Get the total excitation */ for (j = 0; j < SUBFRAME_LEN; j++) { - int v = av_clip_int16(vector_ptr[j] << 1); + int v = av_clip_int16(vector_ptr[j] * 2); vector_ptr[j] = av_clip_int16(v + acb_vector[j]); } vector_ptr += SUBFRAME_LEN; diff --git a/libavcodec/g726.c b/libavcodec/g726.c index ca7f856e..6922b40f 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -269,7 +269,7 @@ static int16_t g726_decode(G726Context* c, int I) c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index fe83425d..17a4bdad 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1743,7 +1743,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index 069b5212..72dfaaab 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -1112,7 +1112,7 @@ decode_intra_mb: dquant= get_se_golomb(&sl->gb); - sl->qscale += dquant; + sl->qscale += (unsigned)dquant; if (((unsigned)sl->qscale) > max_qp){ if (sl->qscale < 0) sl->qscale += max_qp + 1; diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 107c905d..cbb84665 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -614,7 +614,7 @@ single_col: { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, diff --git a/libavcodec/h264_mvpred.h b/libavcodec/h264_mvpred.h index 24f250d7..bf395e3f 100644 --- a/libavcodec/h264_mvpred.h +++ b/libavcodec/h264_mvpred.h @@ -68,7 +68,7 @@ static av_always_inline int fetch_diagonal_mv(const H264Context *h, H264SliceCon } if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) { // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK. - SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); + SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); } } #undef SET_DIAG_MV @@ -248,7 +248,7 @@ static av_always_inline void pred_8x16_motion(const H264Context *const h, if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 0c873196..ea202e75 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -59,6 +59,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, if (luma_weight_flag) { pwt->luma_weight[i][list][0] = get_se_golomb(gb); pwt->luma_weight[i][list][1] = get_se_golomb(gb); + if ((int8_t)pwt->luma_weight[i][list][0] != pwt->luma_weight[i][list][0] || + (int8_t)pwt->luma_weight[i][list][1] != pwt->luma_weight[i][list][1]) + goto out_range_weight; if (pwt->luma_weight[i][list][0] != luma_def || pwt->luma_weight[i][list][1] != 0) { pwt->use_weight = 1; @@ -76,6 +79,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, for (j = 0; j < 2; j++) { pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb); pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb); + if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] || + (int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) + goto out_range_weight; if (pwt->chroma_weight[i][list][j][0] != chroma_def || pwt->chroma_weight[i][list][j][1] != 0) { pwt->use_weight_chroma = 1; @@ -104,6 +110,9 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, } pwt->use_weight = pwt->use_weight || pwt->use_weight_chroma; return 0; +out_range_weight: + avpriv_request_sample(logctx, "Out of range weight\n"); + return AVERROR_INVALIDDATA; } /** diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 4a5f66e1..41e63c74 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -812,8 +812,8 @@ int ff_h264_decode_picture_parameter_set(GetBitContext *gb, AVCodecContext *avct pps->weighted_pred = get_bits1(gb); pps->weighted_bipred_idc = get_bits(gb, 2); - pps->init_qp = get_se_golomb(gb) + 26 + qp_bd_offset; - pps->init_qs = get_se_golomb(gb) + 26 + qp_bd_offset; + pps->init_qp = get_se_golomb(gb) + 26U + qp_bd_offset; + pps->init_qs = get_se_golomb(gb) + 26U + qp_bd_offset; pps->chroma_qp_index_offset[0] = get_se_golomb(gb); pps->deblocking_filter_parameters_present = get_bits1(gb); pps->constrained_intra_pred = get_bits1(gb); diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 8aaa3704..b47d9570 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1684,9 +1684,12 @@ static int h264_slice_header_parse(const H264Context *h, H264SliceContext *sl, } if ((pps->weighted_pred && sl->slice_type_nos == AV_PICTURE_TYPE_P) || (pps->weighted_bipred_idc == 1 && - sl->slice_type_nos == AV_PICTURE_TYPE_B)) - ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count, + sl->slice_type_nos == AV_PICTURE_TYPE_B)) { + ret = ff_h264_pred_weight_table(&sl->gb, sps, sl->ref_count, sl->slice_type_nos, &sl->pwt, h->avctx); + if (ret < 0) + return ret; + } sl->explicit_ref_marking = 0; if (nal->ref_idc) { diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index 5cf5fcfe..80dc6b5d 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -68,11 +68,11 @@ static int hq_decode_block(HQContext *c, GetBitContext *gb, int16_t block[64], memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { diff --git a/libavcodec/hqxdsp.c b/libavcodec/hqxdsp.c index feff9c0b..7f8044e4 100644 --- a/libavcodec/hqxdsp.c +++ b/libavcodec/hqxdsp.c @@ -39,18 +39,18 @@ static inline void idct_col(int16_t *blk, const uint8_t *quant) s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); diff --git a/libavcodec/htmlsubtitles.c b/libavcodec/htmlsubtitles.c index a2cd40fa..16295daa 100644 --- a/libavcodec/htmlsubtitles.c +++ b/libavcodec/htmlsubtitles.c @@ -46,11 +46,12 @@ typedef struct SrtStack { static void rstrip_spaces_buf(AVBPrint *buf) { - while (buf->len > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) { char *param, buffer[128], tmp[128]; int len, tag_close, sptr = 1, line_start = 1, an = 0, end = 0; @@ -146,7 +147,7 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) if (stack[sptr].param[i][0]) av_bprintf(dst, "%s", stack[sptr].param[i]); } - } else if (!tagname[1] && strspn(tagname, "bisu") == 1) { + } else if (tagname[0] && !tagname[1] && strspn(tagname, "bisu") == 1) { av_bprintf(dst, "{\\%c%d}", tagname[0], !tag_close); } else { unknown = 1; @@ -171,8 +172,13 @@ void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in) line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } diff --git a/libavcodec/htmlsubtitles.h b/libavcodec/htmlsubtitles.h index e10cdda2..f3a8ef5d 100644 --- a/libavcodec/htmlsubtitles.h +++ b/libavcodec/htmlsubtitles.h @@ -23,6 +23,6 @@ #include "libavutil/bprint.h" -void ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); +int ff_htmlmarkup_to_ass(void *log_ctx, AVBPrint *dst, const char *in); #endif /* AVCODEC_HTMLSUBTITLES_H */ diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index c8984523..4971b843 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -69,6 +69,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -77,6 +79,8 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { int c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -88,7 +92,10 @@ static int ir2_decode_plane(Ir2Context *ctx, int width, int height, uint8_t *dst out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -116,12 +123,16 @@ static int ir2_decode_plane_inter(Ir2Context *ctx, int width, int height, uint8_ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 5e3c0eac..228f6ace 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -524,7 +524,7 @@ retry: }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } diff --git a/libavcodec/ivi_dsp.c b/libavcodec/ivi_dsp.c index 52112695..2cfccf82 100644 --- a/libavcodec/ivi_dsp.c +++ b/libavcodec/ivi_dsp.c @@ -243,7 +243,7 @@ void ff_ivi_recompose_haar(const IVIPlaneDesc *plane, uint8_t *dst, #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ void ff_ivi_inverse_haar_8x8(const int32_t *in, int16_t *out, uint32_t pitch, if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 93d13448..2ad6c61c 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -98,7 +98,7 @@ static uint32_t softfloat_mul(uint32_t x, uint64_t mantissa) static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) @@ -191,7 +191,9 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, diff --git a/libavcodec/mdec.c b/libavcodec/mdec.c index 1cc4ca47..8e28aa04 100644 --- a/libavcodec/mdec.c +++ b/libavcodec/mdec.c @@ -73,7 +73,7 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) if (diff >= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; @@ -111,11 +111,11 @@ static inline int mdec_decode_block_intra(MDECContext *a, int16_t *block, int n) j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } diff --git a/libavcodec/mimic.c b/libavcodec/mimic.c index 06fb393b..ce649c60 100644 --- a/libavcodec/mimic.c +++ b/libavcodec/mimic.c @@ -262,7 +262,7 @@ static int vlc_decode_block(MimicContext *ctx, int num_coeffs, int qscale) coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 4f23fc9d..f2feac02 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -753,7 +753,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block, int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; @@ -1137,7 +1138,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ @@ -1157,7 +1158,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; @@ -1196,13 +1197,13 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor, PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c93b058d..fa4347fb 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -264,7 +264,7 @@ static inline int read_huff_channels(MLPDecodeContext *m, GetBitContext *gbp, result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } @@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp, } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; @@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr) for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } @@ -1162,6 +1162,11 @@ static int read_access_unit(AVCodecContext *avctx, void* data, substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c index 3ae8c377..2fc453c1 100644 --- a/libavcodec/mlpdsp.c +++ b/libavcodec/mlpdsp.c @@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data, for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1 << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) *data_32++ = sample << 8; diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index ac8160da..132b6b04 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -497,7 +497,7 @@ static inline int mpeg2_decode_block_intra(MpegEncContext *s, dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); ff_tlog(s->avctx, "dc=%d\n", block[0]); mismatch = block[0] ^ 1; i = 0; @@ -865,8 +865,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } @@ -948,8 +948,8 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; @@ -994,7 +994,7 @@ static int mpeg_decode_mb(MpegEncContext *s, int16_t block[12][64]) cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } @@ -1242,7 +1242,8 @@ static int mpeg_decode_postinit(AVCodecContext *avctx) if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 0e0cf276..aa0bb654 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -178,6 +178,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -257,10 +258,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = s->sprite_delta[1][0] = 0; @@ -269,11 +270,11 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = @@ -283,22 +284,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + + sprite_offset[0][0] = (sprite_ref[0][0] * (1 << alpha + rho)) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][0]) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + + sprite_offset[0][1] = (sprite_ref[0][1] * (1 << alpha + rho)) + (-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-vop_ref[0][0]) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * + sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][0] + 1) + (r * sprite_ref[0][1] - virtual_ref[0][1]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * + sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * (-2 * vop_ref[0][0] + 1) + (-r * sprite_ref[0][0] + virtual_ref[0][0]) * (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * @@ -315,30 +316,22 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; @@ -353,10 +346,10 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g s->sprite_delta[0][1] == 0 && s->sprite_delta[1][0] == 0 && s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; s->sprite_delta[0][0] = a; s->sprite_delta[0][1] = 0; s->sprite_delta[1][0] = 0; @@ -367,17 +360,59 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + + if (shift_c < 0 || shift_y < 0 || + FFABS(sprite_offset[0][0]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][0]) >= INT_MAX >> shift_c || + FFABS(sprite_offset[0][1]) >= INT_MAX >> shift_y || + FFABS(sprite_offset[1][1]) >= INT_MAX >> shift_c + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift or offset"); + goto overflow; + } + for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; s->sprite_delta[0][i] *= 1 << shift_y; s->sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + } + for (i = 0; i < 2; i++) { + int64_t sd[2] = { + s->sprite_delta[i][0] - a * (1LL<<16), + s->sprite_delta[i][1] - a * (1LL<<16) + }; + + if (llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + s->sprite_delta[i][0] * (w+16LL) + s->sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(s->sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + ) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + goto overflow; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + s->sprite_offset[0][0] = sprite_offset[0][0]; + s->sprite_offset[0][1] = sprite_offset[0][1]; + s->sprite_offset[1][0] = sprite_offset[1][0]; + s->sprite_offset[1][1] = sprite_offset[1][1]; + return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { @@ -504,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n) if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; @@ -2420,16 +2455,20 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index 1114428f..37b1af9b 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -253,7 +253,7 @@ static inline int l3_unscale(int value, int exponent) #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } @@ -1665,7 +1665,7 @@ static int decode_frame(AVCodecContext * avctx, void *data, int *got_frame_ptr, header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } ret = avpriv_mpegaudio_decode_header((MPADecodeHeader *)s, header); if (ret < 0) { diff --git a/libavcodec/mpegvideo_motion.c b/libavcodec/mpegvideo_motion.c index a310bd46..0cb13385 100644 --- a/libavcodec/mpegvideo_motion.c +++ b/libavcodec/mpegvideo_motion.c @@ -48,8 +48,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; @@ -95,8 +95,8 @@ static void gmc1_motion(MpegEncContext *s, motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; diff --git a/libavcodec/msmpeg4dec.c b/libavcodec/msmpeg4dec.c index 77e8509f..26f29280 100644 --- a/libavcodec/msmpeg4dec.c +++ b/libavcodec/msmpeg4dec.c @@ -140,7 +140,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; @@ -169,12 +169,23 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, int16_t block[6][64]) s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 01941967..8344bfe8 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -356,8 +356,9 @@ static int rac_get_model2_sym(RangeCoder *c, Model2 *m) static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; diff --git a/libavcodec/mss34dsp.c b/libavcodec/mss34dsp.c index 0397add1..4965ac51 100644 --- a/libavcodec/mss34dsp.c +++ b/libavcodec/mss34dsp.c @@ -62,30 +62,30 @@ void ff_mss34_gen_quant_mat(uint16_t *qmat, int quality, int luma) } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { diff --git a/libavcodec/msvideo1.c b/libavcodec/msvideo1.c index a49b9be3..29700f54 100644 --- a/libavcodec/msvideo1.c +++ b/libavcodec/msvideo1.c @@ -301,6 +301,12 @@ static int msvideo1_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; diff --git a/libavcodec/nellymoser.c b/libavcodec/nellymoser.c index 027726e0..5ff6583c 100644 --- a/libavcodec/nellymoser.c +++ b/libavcodec/nellymoser.c @@ -84,7 +84,7 @@ const int16_t ff_nelly_delta_table[32] = { static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -108,7 +108,7 @@ static int headroom(int *la) return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1<<l; return l; } diff --git a/libavcodec/omx.c b/libavcodec/omx.c index 2fe21429..16df50e4 100644 --- a/libavcodec/omx.c +++ b/libavcodec/omx.c @@ -352,12 +352,12 @@ static av_cold int find_component(OMXContext *omx_context, void *logctx, av_log(logctx, AV_LOG_WARNING, "No component for role %s found\n", role); return AVERROR_ENCODER_NOT_FOUND; } - components = av_mallocz(sizeof(char*) * num); + components = av_mallocz_array(num, sizeof(*components)); if (!components) return AVERROR(ENOMEM); for (i = 0; i < num; i++) { components[i] = av_mallocz(OMX_MAX_STRINGNAME_SIZE); - if (!components) { + if (!components[i]) { ret = AVERROR(ENOMEM); goto end; } diff --git a/libavcodec/options.c b/libavcodec/options.c index d8e3dbfa..e124fb44 100644 --- a/libavcodec/options.c +++ b/libavcodec/options.c @@ -187,6 +187,30 @@ void avcodec_free_context(AVCodecContext **pavctx) } #if FF_API_COPY_CONTEXT +static void copy_context_reset(AVCodecContext *avctx) +{ + int i; + + av_opt_free(avctx); +#if FF_API_CODED_FRAME +FF_DISABLE_DEPRECATION_WARNINGS + av_frame_free(&avctx->coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + av_buffer_unref(&avctx->hw_frames_ctx); + for (i = 0; i < avctx->nb_coded_side_data; i++) + av_freep(&avctx->coded_side_data[i].data); + av_freep(&avctx->coded_side_data); + avctx->subtitle_header_size = 0; + avctx->nb_coded_side_data = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; @@ -199,12 +223,7 @@ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -229,11 +248,13 @@ FF_ENABLE_DEPRECATION_WARNINGS /* reallocate values that should be allocated separately */ dest->extradata = NULL; + dest->coded_side_data = NULL; dest->intra_matrix = NULL; dest->inter_matrix = NULL; dest->rc_override = NULL; dest->subtitle_header = NULL; dest->hw_frames_ctx = NULL; + dest->nb_coded_side_data = 0; #define alloc_and_copy_or_fail(obj, size, pad) \ if (src->obj && size > 0) { \ @@ -263,15 +284,7 @@ FF_ENABLE_DEPRECATION_WARNINGS return 0; fail: - av_freep(&dest->subtitle_header); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_buffer_unref(&dest->hw_frames_ctx); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } #endif diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 9c30b122..1274a144 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -851,8 +851,7 @@ static inline void silk_stabilize_lsf(int16_t nlsf[16], int order, const uint16_ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 0cfc7858..a09ee379 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -77,10 +77,10 @@ static void picmemset(PicContext *s, AVFrame *frame, int value, int run, if (*y < 0) { *y = s->height - 1; *plane += 1; + if (*plane >= s->nb_planes) + return; value <<= bits_per_plane; mask <<= bits_per_plane; - if (*plane >= s->nb_planes) - break; } } } @@ -236,7 +236,7 @@ static int decode_frame(AVCodecContext *avctx, } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index bf8f27f6..52b872a0 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -559,6 +559,11 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -572,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) @@ -602,8 +611,9 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } if (!(s->state & PNG_IDAT)) { /* init image info */ - avctx->width = s->width; - avctx->height = s->height; + ret = ff_set_dimensions(avctx, s->width, s->height); + if (ret < 0) + return ret; s->channels = ff_png_get_nb_channels(s->color_type); s->bits_per_pixel = s->bit_depth * s->channels; @@ -787,7 +797,7 @@ static int decode_trns_chunk(AVCodecContext *avctx, PNGDecContext *s, return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { - v = bytestream2_get_byte(&s->gb); + unsigned v = bytestream2_get_byte(&s->gb); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index ceec32d7..690f7ff3 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1598,7 +1598,7 @@ void ff_eval_coefs(int *coefs, const int *refl) int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; diff --git a/libavcodec/rscc.c b/libavcodec/rscc.c index d01f05c0..97822b09 100644 --- a/libavcodec/rscc.c +++ b/libavcodec/rscc.c @@ -210,6 +210,12 @@ static int rscc_decode_frame(AVCodecContext *avctx, void *data, ctx->tiles[i].y = bytestream2_get_le16(gbc); ctx->tiles[i].h = bytestream2_get_le16(gbc); + if (pixel_size + ctx->tiles[i].w * (int64_t)ctx->tiles[i].h * ctx->component_size > INT_MAX) { + av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions\n"); + ret = AVERROR_INVALIDDATA; + goto end; + } + pixel_size += ctx->tiles[i].w * ctx->tiles[i].h * ctx->component_size; ff_dlog(avctx, "tile %d orig(%d,%d) %dx%d.\n", i, diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index aca8382f..c9cedfe8 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,10 +1585,13 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte return ff_mpeg_update_thread_context(dst, src); } -static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) +static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size) { - if(avctx->slice_count) return avctx->slice_offset[n]; - else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + if (n < slice_count) { + if(avctx->slice_count) return avctx->slice_offset[n]; + else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + } else + return buf_size; } static int finish_frame(AVCodecContext *avctx, AVFrame *pict) @@ -1627,7 +1630,7 @@ static AVRational update_sar(int old_w, int old_h, AVRational sar, int new_w, in if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } @@ -1646,6 +1649,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, const uint8_t *slices_hdr = NULL; int last = 0; int faulty_b = 0; + int offset; /* no supplementary picture */ if (buf_size == 0) { @@ -1668,13 +1672,13 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, }else slice_count = avctx->slice_count; + offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size); //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) < 0 || - get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); + init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; @@ -1777,40 +1781,32 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ - int offset = get_slice_offset(avctx, slices_hdr, i); + int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); + int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size); int size; - if(i+1 == slice_count) - size = buf_size - offset; - else - size = get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size){ + if(offset < 0 || offset > offset1 || offset1 > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } + size = offset1 - offset; r->si.end = s->mb_width * s->mb_height; s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(i+1 < slice_count){ - if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || - get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size); + if (offset2 < offset1 || offset2 > buf_size) { av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); + init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ - if(i+2 < slice_count) - size = get_slice_offset(avctx, slices_hdr, i+2) - offset; - else - size = buf_size - offset; + size = offset2 - offset; }else r->si.end = si.start; } - if (size < 0 || size > buf_size - offset) { - av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); - break; - } + av_assert0 (size >= 0 && size <= buf_size - offset); last = rv34_decode_slice(r, r->si.end, buf + offset, size); if(last) break; diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c index e5ba215b..dfeebda8 100644 --- a/libavcodec/rv40.c +++ b/libavcodec/rv40.c @@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c index 19b0e936..95ba0a92 100644 --- a/libavcodec/rv40dsp.c +++ b/libavcodec/rv40dsp.c @@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src, if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; diff --git a/libavcodec/s302m.c b/libavcodec/s302m.c index ccfb5913..a68ac79f 100644 --- a/libavcodec/s302m.c +++ b/libavcodec/s302m.c @@ -120,10 +120,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); @@ -142,10 +142,10 @@ static int s302m_decode_frame(AVCodecContext *avctx, void *data, } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index e4cef618..388d8dee 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -155,8 +155,11 @@ static int allocate_buffers(ShortenContext *s) static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index 042aecbb..022e9693 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } s->qlog += get_symbol(&s->c, s->header_state, 1); @@ -395,6 +399,11 @@ static int decode_header(SnowContext *s){ s->block_max_depth= 0; return AVERROR_INVALIDDATA; } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; + return AVERROR_INVALIDDATA; + } return 0; } diff --git a/libavcodec/srtdec.c b/libavcodec/srtdec.c index 30930c8e..862ab476 100644 --- a/libavcodec/srtdec.c +++ b/libavcodec/srtdec.c @@ -38,13 +38,13 @@ static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst, /* text rectangle defined, write the text at the center of the rectangle */ const int cx = x1 + (x2 - x1)/2; const int cy = y1 + (y2 - y1)/2; - const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y); } else { /* only the top left corner, assume the text starts in that corner */ - const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y); } } diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 5aedc1e6..01998652 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -223,7 +223,7 @@ static int svq3_decode_end(AVCodecContext *avctx); static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -248,10 +248,10 @@ static void svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride @@ -263,7 +263,7 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } @@ -281,16 +281,16 @@ static void svq3_add_idct_c(uint8_t *dst, int16_t *block, } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; const int rr = (dc + 0x80000); - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); @@ -524,8 +524,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, if (mode != PREDICT_MODE) { svq3_pred_motion(s, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * s->frame_num_offset / @@ -551,7 +551,7 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, dy = get_interleaved_se_golomb(&s->gb_slice); dx = get_interleaved_se_golomb(&s->gb_slice); - if (dx == INVALID_VLC || dy == INVALID_VLC) { + if (dx != (int16_t)dx || dy != (int16_t)dy) { av_log(s->avctx, AV_LOG_ERROR, "invalid MV vlc\n"); return -1; } @@ -562,8 +562,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -571,8 +571,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -580,8 +580,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 97732813..61e66b05 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -433,19 +433,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -457,7 +457,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j ] * s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } diff --git a/libavcodec/targa_y216dec.c b/libavcodec/targa_y216dec.c index 21b3d35d..443d48a9 100644 --- a/libavcodec/targa_y216dec.c +++ b/libavcodec/targa_y216dec.c @@ -35,7 +35,8 @@ static int y216_decode_frame(AVCodecContext *avctx, void *data, { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { diff --git a/libavcodec/texturedsp.c b/libavcodec/texturedsp.c index 5012245a..90b1eb4f 100644 --- a/libavcodec/texturedsp.c +++ b/libavcodec/texturedsp.c @@ -35,7 +35,7 @@ #define RGBA(r, g, b, a) (((uint8_t)(r) << 0) | \ ((uint8_t)(g) << 8) | \ ((uint8_t)(b) << 16) | \ - ((uint8_t)(a) << 24)) + ((unsigned)(uint8_t)(a) << 24)) static av_always_inline void extract_color(uint32_t colors[4], uint16_t color0, @@ -158,7 +158,7 @@ static inline void dxt3_block_internal(uint8_t *dst, ptrdiff_t stride, for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); @@ -291,7 +291,7 @@ static inline void dxt5_block_internal(uint8_t *dst, ptrdiff_t stride, } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c index 06c5fd6b..af39f74d 100644 --- a/libavcodec/tiertexseqv.c +++ b/libavcodec/tiertexseqv.c @@ -213,10 +213,15 @@ static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 4721e944..a0f4bff5 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -408,7 +408,7 @@ static int tiff_unpack_lzma(TiffContext *s, AVFrame *p, uint8_t *dst, int stride const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) @@ -905,6 +905,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else @@ -916,6 +921,11 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; @@ -1009,6 +1019,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } @@ -1036,6 +1047,10 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); @@ -1043,7 +1058,8 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index da843c44..28dccaae 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -177,10 +177,10 @@ static int make_ydt15_entry(int p1, int p2, int16_t *ydt) int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ static int make_cdt15_entry(int p1, int p2, int16_t *cdt) int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 2031d01b..2d57aea4 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -2771,7 +2771,7 @@ void avsubtitle_free(AVSubtitle *sub) static int do_decode(AVCodecContext *avctx, AVPacket *pkt) { - int got_frame; + int got_frame = 0; int ret; av_assert0(!avctx->internal->buffer_frame->buf[0]); diff --git a/libavcodec/vdpau_hevc.c b/libavcodec/vdpau_hevc.c index 03c61dc6..ce2610f6 100644 --- a/libavcodec/vdpau_hevc.c +++ b/libavcodec/vdpau_hevc.c @@ -234,7 +234,7 @@ static int vdpau_hevc_start_frame(AVCodecContext *avctx, const HEVCFrame *frame = &h->DPB[i]; if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF | HEVC_FRAME_FLAG_SHORT_REF))) { - if (j > 16) { + if (j > 15) { av_log(avctx, AV_LOG_WARNING, "VDPAU only supports up to 16 references in the DPB. " "This frame may not be decoded correctly.\n"); diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index fa749be0..b10cb39f 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1071,6 +1071,9 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1080,6 +1083,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1102,6 +1107,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb) s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); @@ -2022,8 +2029,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { vp3_decode_end(avctx); ret = theora_decode_tables(avctx, &gb); @@ -2031,8 +2039,9 @@ static int vp3_decode_frame(AVCodecContext *avctx, ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, diff --git a/libavcodec/vp3dsp.c b/libavcodec/vp3dsp.c index 814c78e3..4b6c838b 100644 --- a/libavcodec/vp3dsp.c +++ b/libavcodec/vp3dsp.c @@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index aba177c8..b5f06a09 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -38,8 +38,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); @@ -180,7 +183,7 @@ static int vp5_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index d8fe994b..bfc3d3bc 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -261,6 +261,25 @@ static VP56mb vp56_decode_mv(VP56Context *s, int row, int col) return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; @@ -381,30 +400,18 @@ static void vp56_mc(VP56Context *s, int b, int plane, uint8_t *src, } } -static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - int ret; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - ret = s->parse_coeff(s); - if (ret < 0) - return ret; + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; @@ -454,6 +461,38 @@ static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } +} + +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + + vp56_render_mb(s, row, col, is_alpha, mb_type); + return 0; } @@ -468,6 +507,8 @@ static int vp56_size_changed(VP56Context *s) s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; @@ -533,13 +574,18 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF); - if (ret < 0) + if (ret < 0) { + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; + } if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) { av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]); if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) { av_frame_unref(p); + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; } } @@ -573,8 +619,12 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -593,6 +643,7 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; @@ -657,9 +708,18 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_col<s->mb_width; mb_col++) { - int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) - return ret; + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) { + damaged = 1; + if (!s->have_undamaged_frame || !avctx->error_concealment) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; @@ -673,6 +733,9 @@ static int ff_vp56_decode_mbs(AVCodecContext *avctx, void *data, } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 34d48228..c049399d 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -203,6 +203,9 @@ struct vp56_context { VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; @@ -221,7 +224,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff --git a/libavcodec/vp56rac.c b/libavcodec/vp56rac.c index 6061b7ee..e70302bf 100644 --- a/libavcodec/vp56rac.c +++ b/libavcodec/vp56rac.c @@ -37,11 +37,14 @@ const uint8_t ff_vp56_norm_shift[256]= { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 7f0a9b7d..4afd67b3 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -52,6 +52,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; @@ -105,7 +106,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -157,15 +162,16 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + goto fail; s->ccp = &s->cc; } } else { @@ -173,6 +179,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size) } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) @@ -450,7 +460,7 @@ static int vp6_parse_coeff(VP56Context *s) int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index c1c3eb70..63e78492 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -261,6 +261,7 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -274,13 +275,13 @@ static int setup_partitions(VP8Context *s, const uint8_t *buf, int buf_size) if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) @@ -518,7 +519,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -570,7 +573,9 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -699,7 +704,9 @@ static int vp8_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; @@ -2275,7 +2282,7 @@ static void vp8_decode_mv_mb_modes(AVCodecContext *avctx, VP8Frame *cur_frame, #define update_pos(td, mb_y, mb_x) while(0) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2291,6 +2298,10 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else @@ -2319,6 +2330,8 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { @@ -2394,18 +2407,19 @@ static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2488,13 +2502,16 @@ int vp78_decode_mb_row_sliced(AVCodecContext *avctx, void *tdata, int jobnr, VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); + return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); @@ -2531,6 +2548,8 @@ int vp78_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff --git a/libavcodec/vp8.h b/libavcodec/vp8.h index 374e1388..6218fe05 100644 --- a/libavcodec/vp8.h +++ b/libavcodec/vp8.h @@ -275,7 +275,7 @@ typedef struct VP8Context { */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; diff --git a/libavcodec/vp8dsp.c b/libavcodec/vp8dsp.c index 07bea69c..fed5c67a 100644 --- a/libavcodec/vp8dsp.c +++ b/libavcodec/vp8dsp.c @@ -53,7 +53,8 @@ static void name ## _idct_dc_add4y_c(uint8_t *dst, int16_t block[4][16], \ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -73,10 +74,10 @@ static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } @@ -95,7 +96,8 @@ static void vp7_luma_dc_wht_dc_c(int16_t block[4][4][16], int16_t dc[16]) static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +106,10 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -116,13 +118,13 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } diff --git a/libavcodec/vp9.c b/libavcodec/vp9.c index 1aab6ba0..f4974ea9 100644 --- a/libavcodec/vp9.c +++ b/libavcodec/vp9.c @@ -844,7 +844,10 @@ static int decode_frame_header(AVCodecContext *ctx, av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; @@ -4133,7 +4136,9 @@ FF_ENABLE_DEPRECATION_WARNINGS ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->s.frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 071e2be7..ccdc6752 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -267,7 +267,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { @@ -682,7 +682,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks @@ -736,13 +736,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; @@ -837,7 +837,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no, continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 31) { av_log(avctx, AV_LOG_ERROR, "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); continue; diff --git a/libavcodec/webp.c b/libavcodec/webp.c index 45abfdc3..ef7b26c4 100644 --- a/libavcodec/webp.c +++ b/libavcodec/webp.c @@ -694,7 +694,7 @@ static int decode_entropy_coded_image(WebPContext *s, enum ImageRole role, length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; @@ -1043,7 +1043,7 @@ static int apply_color_indexing_transform(WebPContext *s) uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); @@ -1099,6 +1099,21 @@ static int apply_color_indexing_transform(WebPContext *s) return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) @@ -1123,16 +1138,8 @@ static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -1327,9 +1334,8 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { @@ -1342,6 +1348,11 @@ static int vp8_lossy_decode_frame(AVCodecContext *avctx, AVFrame *p, pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); diff --git a/libavcodec/wmv2dsp.c b/libavcodec/wmv2dsp.c index 40e0bef0..7b59d10a 100644 --- a/libavcodec/wmv2dsp.c +++ b/libavcodec/wmv2dsp.c @@ -48,8 +48,8 @@ static void wmv2_idct_row(short * b) a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; @@ -78,8 +78,8 @@ static void wmv2_idct_col(short * b) a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 9ff99b2f..126c01a0 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -52,7 +52,7 @@ static inline int wnv1_get_code(WNV1Context *w, int base_value) if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, diff --git a/libavcodec/x86/vc1dsp_init.c b/libavcodec/x86/vc1dsp_init.c index c8943fa2..c53a1328 100644 --- a/libavcodec/x86/vc1dsp_init.c +++ b/libavcodec/x86/vc1dsp_init.c @@ -106,10 +106,12 @@ av_cold void ff_vc1dsp_init_x86(VC1DSPContext *dsp) { int cpu_flags = av_get_cpu_flags(); - if (HAVE_6REGS && INLINE_MMX(cpu_flags) && EXTERNAL_MMX(cpu_flags)) + if (HAVE_6REGS && INLINE_MMX(cpu_flags)) + if (EXTERNAL_MMX(cpu_flags)) ff_vc1dsp_init_mmx(dsp); - if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags) && EXTERNAL_MMXEXT(cpu_flags)) + if (HAVE_6REGS && INLINE_MMXEXT(cpu_flags)) + if (EXTERNAL_MMXEXT(cpu_flags)) ff_vc1dsp_init_mmxext(dsp); #define ASSIGN_LF(EXT) \ diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 64cd8418..8b0845fc 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -157,9 +157,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; diff --git a/libavcodec/y41pdec.c b/libavcodec/y41pdec.c index 1b177d42..85a39e4a 100644 --- a/libavcodec/y41pdec.c +++ b/libavcodec/y41pdec.c @@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data, uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } diff --git a/libavfilter/af_sofalizer.c b/libavfilter/af_sofalizer.c index 7558f57e..f4197250 100644 --- a/libavfilter/af_sofalizer.c +++ b/libavfilter/af_sofalizer.c @@ -448,7 +448,7 @@ static int get_speaker_pos(AVFilterContext *ctx, /* set speaker positions according to input channel configuration: */ for (m = 0, ch = 0; ch < n_conv && m < 64; m++) { - uint64_t mask = channels_layout & (1 << m); + uint64_t mask = channels_layout & (1ULL << m); switch (mask) { case AV_CH_FRONT_LEFT: azim[ch] = 30; break; diff --git a/libavfilter/avfiltergraph.c b/libavfilter/avfiltergraph.c index 3af698d4..e3546b50 100644 --- a/libavfilter/avfiltergraph.c +++ b/libavfilter/avfiltergraph.c @@ -871,6 +871,8 @@ static void swap_samplerates_on_filter(AVFilterContext *filter) for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; diff --git a/libavfilter/buffersrc.c b/libavfilter/buffersrc.c index 9294811d..ba872112 100644 --- a/libavfilter/buffersrc.c +++ b/libavfilter/buffersrc.c @@ -316,14 +316,16 @@ static av_cold int init_audio(AVFilterContext *ctx) return AVERROR(EINVAL); } - if (s->channel_layout_str) { + if (s->channel_layout_str || s->channel_layout) { int n; - s->channel_layout = av_get_channel_layout(s->channel_layout_str); if (!s->channel_layout) { - av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", - s->channel_layout_str); - return AVERROR(EINVAL); + s->channel_layout = av_get_channel_layout(s->channel_layout_str); + if (!s->channel_layout) { + av_log(ctx, AV_LOG_ERROR, "Invalid channel layout %s.\n", + s->channel_layout_str); + return AVERROR(EINVAL); + } } n = av_get_channel_layout_nb_channels(s->channel_layout); if (s->channels) { diff --git a/libavfilter/vf_uspp.c b/libavfilter/vf_uspp.c index 8a6d0fbb..02d98e4a 100644 --- a/libavfilter/vf_uspp.c +++ b/libavfilter/vf_uspp.c @@ -228,8 +228,8 @@ static void filter(USPPContext *p, uint8_t *dst[3], uint8_t *src[3], p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; diff --git a/libavformat/apngdec.c b/libavformat/apngdec.c index bb17896e..7a284e32 100644 --- a/libavformat/apngdec.c +++ b/libavformat/apngdec.c @@ -269,7 +269,7 @@ static int decode_fctl_chunk(AVFormatContext *s, APNGDemuxContext *ctx, AVPacket /* default is hundredths of seconds */ if (!delay_den) delay_den = 100; - if (!delay_num || delay_den / delay_num > ctx->max_fps) { + if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) { delay_num = 1; delay_den = ctx->default_fps; } diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 5cc239a1..3d843173 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -199,8 +199,11 @@ static int detect_stream_specific(AVFormatContext *avf, int idx) AVBitStreamFilterContext *bsf; int ret; - if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264 && - (st->codecpar->extradata_size < 4 || AV_RB32(st->codecpar->extradata) != 1)) { + if (cat->auto_convert && st->codecpar->codec_id == AV_CODEC_ID_H264) { + if (!st->codecpar->extradata_size || + (st->codecpar->extradata_size >= 3 && AV_RB24(st->codecpar->extradata) == 1) || + (st->codecpar->extradata_size >= 4 && AV_RB32(st->codecpar->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { diff --git a/libavformat/flacdec.c b/libavformat/flacdec.c index 66baba59..fee46fcf 100644 --- a/libavformat/flacdec.c +++ b/libavformat/flacdec.c @@ -233,7 +233,14 @@ static int flac_probe(AVProbeData *p) return raw_flac_probe(p); if (p->buf_size < 4 || memcmp(p->buf, "fLaC", 4)) return 0; - return AVPROBE_SCORE_EXTENSION; + if ( p->buf[4] & 0x7f != FLAC_METADATA_TYPE_STREAMINFO + || AV_RB24(p->buf + 5) != FLAC_STREAMINFO_SIZE + || AV_RB16(p->buf + 8) < 16 + || AV_RB16(p->buf + 8) > AV_RB16(p->buf + 10) + || !(AV_RB24(p->buf + 18) >> 4) + || AV_RB24(p->buf + 18) >> 4 > 655350) + return AVPROBE_SCORE_EXTENSION; + return AVPROBE_SCORE_MAX; } static av_unused int64_t flac_read_timestamp(AVFormatContext *s, int stream_index, diff --git a/libavformat/http.c b/libavformat/http.c index 944a6cf3..bd1be3f7 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -1011,6 +1011,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -1107,7 +1108,7 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -1123,6 +1124,14 @@ static int http_connect(URLContext *h, const char *path, const char *local_path, av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c index 35fd28f5..a7e38595 100644 --- a/libavformat/libopenmpt.c +++ b/libavformat/libopenmpt.c @@ -73,7 +73,7 @@ static int read_header_openmpt(AVFormatContext *s) AVStream *st; OpenMPTContext *openmpt = s->priv_data; int64_t size = avio_size(s->pb); - if (!size) + if (size <= 0) return AVERROR_INVALIDDATA; char *buf = av_malloc(size); int ret; diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c index d91055f8..bbfdd4ff 100644 --- a/libavformat/matroskaenc.c +++ b/libavformat/matroskaenc.c @@ -1202,7 +1202,7 @@ static int mkv_write_track(AVFormatContext *s, MatroskaMuxContext *mkv, } else if (display_width_div != 1 || display_height_div != 1) { put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH , par->width / display_width_div); put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, par->height / display_height_div); - } else + } else if (mkv->mode != MODE_WEBM) put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, MATROSKA_VIDEO_DISPLAYUNIT_UNKNOWN); if (par->codec_id == AV_CODEC_ID_RAWVIDEO) { diff --git a/libavformat/mov.c b/libavformat/mov.c index ce7e2ec2..24a76a0d 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1182,6 +1182,12 @@ static void mov_metadata_creation_time(AVDictionary **metadata, int64_t time) if (time) { if(time >= 2082844800) time -= 2082844800; /* seconds between 1904-01-01 and Epoch */ + + if ((int64_t)(time * 1000000ULL) / 1000000 != time) { + av_log(NULL, AV_LOG_DEBUG, "creation_time is not representable\n"); + return; + } + avpriv_dict_set_timestamp(metadata, "creation_time", time * 1000000); } } @@ -5309,6 +5315,7 @@ static int mov_read_close(AVFormatContext *s) av_freep(&mov->fragment_index_data); av_freep(&mov->aes_decrypt); + av_freep(&mov->chapter_tracks); return 0; } diff --git a/libavformat/mpeg.c b/libavformat/mpeg.c index 423877e9..a651cb3e 100644 --- a/libavformat/mpeg.c +++ b/libavformat/mpeg.c @@ -138,7 +138,7 @@ typedef struct MpegDemuxContext { static int mpegps_read_header(AVFormatContext *s) { MpegDemuxContext *m = s->priv_data; - char buffer[7]; + char buffer[7] = { 0 }; int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index 89bda589..a373b41b 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -126,6 +126,7 @@ static int daala_header(AVFormatContext *s, int idx) if (hdr->gpshift >= 32) { av_log(s, AV_LOG_ERROR, "Too large gpshift %d (>= 32).\n", hdr->gpshift); + hdr->gpshift = 0; return AVERROR_INVALIDDATA; } hdr->gpmask = (1U << hdr->gpshift) - 1; @@ -232,7 +233,7 @@ static int daala_packet(AVFormatContext *s, int idx) os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index f8e656dc..e7a501b5 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -108,7 +108,10 @@ ogm_header(AVFormatContext *s, int idx) if (size > 52) { av_assert0(AV_INPUT_BUFFER_PADDING_SIZE <= 52); size -= 52; - ff_alloc_extradata(st->codecpar, size); + if (bytestream2_get_bytes_left(&p) < size) + return AVERROR_INVALIDDATA; + if (ff_alloc_extradata(st->codecpar, size) < 0) + return AVERROR(ENOMEM); bytestream2_get_buffer(&p, st->codecpar->extradata, st->codecpar->extradata_size); } } diff --git a/libavformat/tests/fifo_muxer.c b/libavformat/tests/fifo_muxer.c index 9659198f..e20bd6e7 100644 --- a/libavformat/tests/fifo_muxer.c +++ b/libavformat/tests/fifo_muxer.c @@ -25,6 +25,7 @@ #include "libavutil/avassert.h" #include "libavformat/avformat.h" #include "libavformat/url.h" +#include "libavformat/network.h" #define MAX_TST_PACKETS 128 #define SLEEPTIME_50_MS 50000 @@ -150,6 +151,9 @@ static int prepare_packet(AVPacket *pkt,const FailingMuxerPacketData *pkt_data, { int ret; FailingMuxerPacketData *data = av_malloc(sizeof(*data)); + if (!data) { + return AVERROR(ENOMEM); + } memcpy(data, pkt_data, sizeof(FailingMuxerPacketData)); ret = av_packet_from_data(pkt, (uint8_t*) data, sizeof(*data)); diff --git a/libavformat/utils.c b/libavformat/utils.c index 55f23bab..6d0f888a 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4120,9 +4120,7 @@ static void free_stream(AVStream **pst) av_freep(&st->index_entries); #if FF_API_LAVF_AVCTX FF_DISABLE_DEPRECATION_WARNINGS - av_freep(&st->codec->extradata); - av_freep(&st->codec->subtitle_header); - av_freep(&st->codec); + avcodec_free_context(&st->codec); FF_ENABLE_DEPRECATION_WARNINGS #endif av_freep(&st->priv_data); diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 7176cd6f..8bbb301a 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -829,6 +829,8 @@ static int w64_read_header(AVFormatContext *s) chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) diff --git a/libavformat/webmdashenc.c b/libavformat/webmdashenc.c index d4b31467..9dc9b36d 100644 --- a/libavformat/webmdashenc.c +++ b/libavformat/webmdashenc.c @@ -428,6 +428,10 @@ static int parse_adaptation_sets(AVFormatContext *s) char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { @@ -458,7 +462,11 @@ static int parse_adaptation_sets(AVFormatContext *s) if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; diff --git a/libavutil/hwcontext_vdpau.c b/libavutil/hwcontext_vdpau.c index 49c44fed..cce53960 100644 --- a/libavutil/hwcontext_vdpau.c +++ b/libavutil/hwcontext_vdpau.c @@ -305,7 +305,7 @@ static int vdpau_transfer_data_from(AVHWFramesContext *ctx, AVFrame *dst, for (i = 0; i< FF_ARRAY_ELEMS(data) && dst->data[i]; i++) { data[i] = dst->data[i]; - if (dst->linesize[i] < 0 || (uint64_t)dst->linesize > UINT32_MAX) { + if (dst->linesize[i] < 0 || dst->linesize[i] > UINT32_MAX) { av_log(ctx, AV_LOG_ERROR, "The linesize %d cannot be represented as uint32\n", dst->linesize[i]); @@ -356,7 +356,7 @@ static int vdpau_transfer_data_to(AVHWFramesContext *ctx, AVFrame *dst, for (i = 0; i< FF_ARRAY_ELEMS(data) && src->data[i]; i++) { data[i] = src->data[i]; - if (src->linesize[i] < 0 || (uint64_t)src->linesize > UINT32_MAX) { + if (src->linesize[i] < 0 || src->linesize[i] > UINT32_MAX) { av_log(ctx, AV_LOG_ERROR, "The linesize %d cannot be represented as uint32\n", src->linesize[i]); diff --git a/libavutil/internal.h b/libavutil/internal.h index e995af97..7b859ed6 100644 --- a/libavutil/internal.h +++ b/libavutil/internal.h @@ -30,6 +30,10 @@ # define NDEBUG #endif +#if defined(DEBUG) && !defined(CHECKED) +# define CHECKED +#endif + #include <limits.h> #include <stdint.h> #include <stddef.h> @@ -258,6 +262,16 @@ void avpriv_request_sample(void *avc, # define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0) #endif +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * Clip and convert a double value into the long long amin-amax range. * This function is needed because conversion of floating point to integers when diff --git a/libavutil/softfloat.h b/libavutil/softfloat.h index fa91d1e1..daf91a55 100644 --- a/libavutil/softfloat.h +++ b/libavutil/softfloat.h @@ -114,8 +114,15 @@ static inline av_const SoftFloat av_mul_sf(SoftFloat a, SoftFloat b){ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; @@ -235,12 +242,12 @@ static av_unused void av_sincos_sf(int a, int *s, int *c) int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; diff --git a/libswresample/resample.c b/libswresample/resample.c index 8635bf1b..46e5a267 100644 --- a/libswresample/resample.c +++ b/libswresample/resample.c @@ -300,6 +300,14 @@ fail: return ret; } +static void resample_free(ResampleContext **cc){ + ResampleContext *c = *cc; + if(!c) + return; + av_freep(&c->filter_bank); + av_freep(cc); +} + static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear, double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, double kaiser_beta, double precision, int cheby, int exact_rational) @@ -322,6 +330,7 @@ static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_r if (!c || c->phase_count != phase_count || c->linear!=linear || c->factor != factor || c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format || c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) { + resample_free(&c); c = av_mallocz(sizeof(*c)); if (!c) return NULL; @@ -391,13 +400,6 @@ error: return NULL; } -static void resample_free(ResampleContext **c){ - if(!*c) - return; - av_freep(&(*c)->filter_bank); - av_freep(c); -} - static int rebuild_filter_bank_with_compensation(ResampleContext *c) { uint8_t *new_filter_bank; diff --git a/libswscale/tests/swscale.c b/libswscale/tests/swscale.c index da6a41b7..be4cd9a0 100644 --- a/libswscale/tests/swscale.c +++ b/libswscale/tests/swscale.c @@ -309,10 +309,10 @@ static int fileTest(uint8_t *ref[4], int refStride[4], int w, int h, FILE *fp, struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; diff --git a/tests/ref/fate/vp5 b/tests/ref/fate/vp5 index 2116fb9b..2469a3ec 100644 --- a/tests/ref/fate/vp5 +++ b/tests/ref/fate/vp5 @@ -249,4 +249,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0xbf73f1b7 diff --git a/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb b/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb index 3490d4ae..27e59312 100644 --- a/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb +++ b/tests/ref/vsynth/vsynth1-dnxhd-720p-hr-lb @@ -1,4 +1,4 @@ 08cbfe9b9f671cdb9dddc9307121d107 *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.dnxhd 409600 tests/data/fate/vsynth1-dnxhd-720p-hr-lb.dnxhd -22eb87f0f8a50278355006fef70073a9 *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.out.rawvideo -stddev: 7.49 PSNR: 30.63 MAXDIFF: 64 bytes: 7603200/ 608256 +77e510e3538313b1cbafb86ed248d2df *tests/data/fate/vsynth1-dnxhd-720p-hr-lb.out.rawvideo +stddev: 7.50 PSNR: 30.62 MAXDIFF: 64 bytes: 7603200/ 760320Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: Sebastian Ramacher <sramacher@debian.org>, 863196-done@bugs.debian.org
- Subject: Re: Bug#863196: unblock: ffmpeg/7:3.2.5-1
- From: Niels Thykier <niels@thykier.net>
- Date: Tue, 23 May 2017 19:23:00 +0000
- Message-id: <932b2f4e-8ae3-d901-3ce3-3eb3ea8762ac@thykier.net>
- In-reply-to: <[🔎] 20170523094604.g5snwlkzc7fa4yjv@ramacher.at>
- References: <[🔎] 20170523094604.g5snwlkzc7fa4yjv@ramacher.at>
Sebastian Ramacher: > Package: release.debian.org > Severity: normal > User: release.debian.org@packages.debian.org > Usertags: unblock > > Please unblock package ffmpeg version 7:3.2.5-1. ffmpeg 3.2.5 is the lastest > stable bugfix release of the 3.2.x branch. The release contains fixes for > multiple integer overflows, shifts with undefined behavior, null pointer > deferences, out-of-bounds writes, and many other issues: > > version 3.2.5: > [...] > > The full debdiff is attached. > > unblock ffmpeg/7:3.2.5-1 > > Cheers > Unblocked, thanks. ~Niels
--- End Message ---