From b102d5d97daedb717c023ec7bfa43047d97de284 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c (cherry picked from commit e1608014c50eeb9f4744a53de0794eb6bb1269a2) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index beb89a07e1..90293f17f4 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2599,6 +2599,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ else s->height= 16*s->mb_height - (4>>CHROMA444)*FFMIN(h->sps.crop_bottom, (8<avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { -- cgit v1.2.3 From 0054d70f23edd1f61a10a1c2c687b3a04831feb9 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:06:00 +0100 Subject: mov: set AVCodecContext.width/height for h264 This is required for correct cropping of files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 8aa93e900449c88c3169ff5636fed03f41779cac) Signed-off-by: Reinhard Tartler (cherry picked from commit 2fb4be9a99a2c2a9435339830e3d940171cc0d9b) Signed-off-by: Reinhard Tartler --- libavformat/mov.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c720440472..b1458775aa 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1818,9 +1818,6 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) #if CONFIG_H263_DECODER case CODEC_ID_H263: #endif -#if CONFIG_H264_DECODER - case CODEC_ID_H264: -#endif #if CONFIG_MPEG4_DECODER case CODEC_ID_MPEG4: #endif -- cgit v1.2.3 From c497d71a026a6c946529d661e72b7542203b26b6 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Fri, 31 Aug 2012 14:17:33 +0200 Subject: Clarify that -passlogfile has a different syntax when used with -vcodec libx264. --- doc/ffmpeg.texi | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/ffmpeg.texi b/doc/ffmpeg.texi index daf5d36de8..95b405ccb3 100644 --- a/doc/ffmpeg.texi +++ b/doc/ffmpeg.texi @@ -299,6 +299,10 @@ prefix is ``ffmpeg2pass''. The complete file name will be @file{PREFIX-N.log}, where N is a number specific to the output stream. +Note that this option is overwritten by a local option of the same name +when using @code{-vcodec libx264}. That option maps to the x264 option stats +which has a different syntax. + @item -newvideo Add a new video stream to the current output stream. -- cgit v1.2.3 From 9a5e81235e6293cd5ac94e629cb2d8712dfcecfc Mon Sep 17 00:00:00 2001 From: "Ronald S. Bultje" Date: Sun, 24 Jun 2012 11:17:13 +0100 Subject: dxva2: include dxva.h if found MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apparently, some build environments require dxva.h even for dxva2, while others lack this header entirely. Including it conditionally allows building in both cases. Signed-off-by: Martin Storsjö (cherry picked from commit fa84506177f0246b30d4ea6a99ee5d419f3e4550) Signed-off-by: Michael Niedermayer --- configure | 2 ++ libavcodec/dxva2_internal.h | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/configure b/configure index 822c500eab..4fde69c0cc 100755 --- a/configure +++ b/configure @@ -1057,6 +1057,7 @@ HAVE_LIST=" dlfcn_h dlopen dos_paths + dxva_h ebp_available ebx_available exp2 @@ -2859,6 +2860,7 @@ check_func_headers windows.h MapViewOfFile check_func_headers windows.h VirtualAlloc check_header dlfcn.h +check_header dxva.h check_header dxva2api.h check_header libcrystalhd/libcrystalhd_if.h check_header malloc.h diff --git a/libavcodec/dxva2_internal.h b/libavcodec/dxva2_internal.h index 23d4d87522..fcf45bc664 100644 --- a/libavcodec/dxva2_internal.h +++ b/libavcodec/dxva2_internal.h @@ -25,7 +25,14 @@ #define _WIN32_WINNT 0x0600 #define COBJMACROS + +#include "config.h" + #include "dxva2.h" +#if HAVE_DXVA_H +#include +#endif + #include "avcodec.h" #include "mpegvideo.h" -- cgit v1.2.3 From 8582e6e9a3ce72fd7475c2ae8ed4c5198dc02a79 Mon Sep 17 00:00:00 2001 From: Carl Eugen Hoyos Date: Wed, 12 Sep 2012 13:08:27 +0200 Subject: Fix muxing mjpeg in swf. (cherry picked from commit 7680d99b4302e476076cc1b8f2567f47c2aaef4d) --- libavformat/swfenc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c index 09c2d61f28..7d7daacee1 100644 --- a/libavformat/swfenc.c +++ b/libavformat/swfenc.c @@ -498,8 +498,10 @@ static int swf_write_trailer(AVFormatContext *s) avio_wl32(pb, file_size); avio_seek(pb, swf->duration_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + if (swf->vframes_pos) { avio_seek(pb, swf->vframes_pos, SEEK_SET); avio_wl16(pb, swf->video_frame_number); + } avio_seek(pb, file_size, SEEK_SET); } return 0; -- cgit v1.2.3 From a60eb6ef12df472554e93916aaeae729b0c8db03 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 6 Oct 2012 09:21:29 +0200 Subject: ffmpeg: fix -force_key_frames Based on commit 19ad567311b29a42e308317b5329218c590afac8 in master. --- ffmpeg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 76d1cf363c..30ff5382ba 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -298,6 +298,7 @@ typedef struct AVOutputStream { #endif int sws_flags; + char *forced_key_frames; } AVOutputStream; static AVOutputStream **output_streams_for_file[MAX_FILES] = { NULL }; @@ -2254,6 +2255,9 @@ static int transcode(AVFormatContext **output_files, } codec->time_base = (AVRational){ost->frame_rate.den, ost->frame_rate.num}; + if (ost->forced_key_frames) + parse_forced_key_frames(ost->forced_key_frames, ost, codec); + #if CONFIG_AVFILTER if (configure_video_filters(ist, ost)) { fprintf(stderr, "Error opening filters!\n"); @@ -2729,6 +2733,7 @@ static int transcode(AVFormatContext **output_files, av_freep(&ost->st->codec->subtitle_header); av_free(ost->pict_tmp.data[0]); av_free(ost->forced_kf_pts); + av_free(ost->forced_key_frames); if (ost->video_resample) sws_freeContext(ost->img_resample_ctx); if (ost->resample) @@ -3550,8 +3555,10 @@ static void new_video_stream(AVFormatContext *oc, int file_idx) } } - if (forced_key_frames) - parse_forced_key_frames(forced_key_frames, ost, video_enc); + if (forced_key_frames) { + ost->forced_key_frames = forced_key_frames; + forced_key_frames = NULL; + } } if (video_language) { av_dict_set(&st->metadata, "language", video_language, 0); @@ -3561,7 +3568,6 @@ static void new_video_stream(AVFormatContext *oc, int file_idx) /* reset some key parameters */ video_disable = 0; av_freep(&video_codec_name); - av_freep(&forced_key_frames); video_stream_copy = 0; frame_pix_fmt = PIX_FMT_NONE; } -- cgit v1.2.3 From 0173a7966b331105158a88f96b9afcc431d2fef8 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov (cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b) Conflicts: libavcodec/vc1dec.c Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index c87558bc50..1474e9fedd 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3831,6 +3831,7 @@ AVCodec ff_vc1_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420, .profiles = NULL_IF_CONFIG_SMALL(profiles) @@ -3848,6 +3849,7 @@ AVCodec ff_wmv3_decoder = { vc1_decode_frame, CODEC_CAP_DR1 | CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420, .profiles = NULL_IF_CONFIG_SMALL(profiles) -- cgit v1.2.3 From f31170d4e7f9671e019315391160d454b18d7296 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 6 Aug 2012 13:59:04 +0200 Subject: nuv: check RTjpeg header for validity CC: libav-stable@libav.org (cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad) Signed-off-by: Anton Khirnov (cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 9 +++++---- libavcodec/rtjpeg.h | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 0c5e42fe78..00767c5873 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -184,17 +184,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf_size < 12) { + if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE || + buf[5] != RTJPEG_FILE_VERSION) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; if (!codec_reinit(avctx, w, h, q)) return -1; - buf = &buf[12]; - buf_size -= 12; + buf = &buf[RTJPEG_HEADER_SIZE]; + buf_size -= RTJPEG_HEADER_SIZE; } if (keyframe && c->pic.data[0]) diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h index d537c93ff4..4b46689f9c 100644 --- a/libavcodec/rtjpeg.h +++ b/libavcodec/rtjpeg.h @@ -25,6 +25,9 @@ #include #include "dsputil.h" +#define RTJPEG_FILE_VERSION 0 +#define RTJPEG_HEADER_SIZE 12 + typedef struct { int w, h; DSPContext *dsp; -- cgit v1.2.3 From 8812b5f164109553f009ce385e17a1af16b6ea53 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 2 Jul 2012 10:46:39 +0200 Subject: imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt CC: libav-stable@libav.org (cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916) Signed-off-by: Anton Khirnov (cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95) Signed-off-by: Anton Khirnov --- libavcodec/imgconvert.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 351ed7ada7..8da11a5c98 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -615,7 +615,8 @@ static enum PixelFormat avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask, /* find exact color match with smallest size */ dst_pix_fmt = PIX_FMT_NONE; min_dist = 0x7fffffff; - for(i = 0;i < PIX_FMT_NB; i++) { + /* test only the first 64 pixel formats to avoid undefined behaviour */ + for (i = 0; i < 64; i++) { if (pix_fmt_mask & (1ULL << i)) { loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask; if (loss == 0) { -- cgit v1.2.3 From 899d95efe12f1e250b361837c1c8c06df9ac9b86 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: mpegvideo: Don't use ff_mspel_motion() for vc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using ff_mspel_motion assumes that s (a MpegEncContext poiinter) really is a Wmv2Context. This fixes crashes in error resilience on vc1/wmv3 videos. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1) Signed-off-by: Anton Khirnov (cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557) Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_common.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index d0093ce8d2..dfedc6bade 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -725,7 +725,8 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){ + } else if (!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && + s->mspel && s->codec_id == CODEC_ID_WMV2) { ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); -- cgit v1.2.3 From 77d43bf42d76a1a3ccd8ea25937664c7f9d4bcac Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 15 Jun 2012 19:58:11 +0200 Subject: lavf: don't segfault when a NULL filename is passed to avformat_open_input() This can easily happen when the caller is using a custom AVIOContext. Behave as if the filename was an empty string in this case. CC: libav-stable@libav.org (cherry picked from commit a5db8e4a1a5449cc7a61e963c9fa698a4f22131b) Signed-off-by: Anton Khirnov (cherry picked from commit 7124fa5d3640e5b8089dd13b22a09038b2ec5216) Signed-off-by: Anton Khirnov --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 57fc836c64..5f3da495fd 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -622,7 +622,7 @@ int avformat_open_input(AVFormatContext **ps, const char *filename, AVInputForma } s->duration = s->start_time = AV_NOPTS_VALUE; - av_strlcpy(s->filename, filename, sizeof(s->filename)); + av_strlcpy(s->filename, filename ? filename : "", sizeof(s->filename)); /* allocate private data */ if (s->iformat->priv_data_size > 0) { -- cgit v1.2.3 From b6ba39f931a82561389553ab2ac0ddb61b73a1e3 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 01:39:13 +0100 Subject: alsdec: check opt_order. Fixes out of array write in quant_cof. Also make sure no invalid opt_order stays in the context. Fixes CVE-2012-2775 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f) Signed-off-by: Anton Khirnov (cherry picked from commit a1b127515bb79c715933d0d4201e4ef3152b3dcb) Signed-off-by: Anton Khirnov --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index f2944c6038..cdf2a7c0f1 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -662,6 +662,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int opt_order_length = av_ceil_log2(av_clip((bd->block_length >> 3) - 1, 2, sconf->max_order + 1)); *bd->opt_order = get_bits(gb, opt_order_length); + if (*bd->opt_order > sconf->max_order) { + *bd->opt_order = sconf->max_order; + av_log(avctx, AV_LOG_ERROR, "Predictor order too large!\n"); + return AVERROR_INVALIDDATA; + } } else { *bd->opt_order = sconf->max_order; } -- cgit v1.2.3 From b6c5848a1f8fc2755ea70d325acaddae9fac45ab Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler (cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371) Signed-off-by: Anton Khirnov --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index ae916cf16c..1b58b50e9f 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -44,6 +44,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + ret = av_mallocz(sizeof(AVFilterFormats)); /* merge list of formats */ -- cgit v1.2.3 From 61ece41372989cca40634a4f32ff6131d19f99a2 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Feb 2012 19:23:18 -0500 Subject: vorbisenc: check all allocations for failure (cherry picked from commit be8d812c9635f31f69c30dff9ebf565a07a7dab7) Signed-off-by: Anton Khirnov (cherry picked from commit e46cf805b10070327026f8e2880fe29e5e9ac1af) Signed-off-by: Anton Khirnov --- libavcodec/vorbisenc.c | 127 +++++++++++++++++++++++++++++++++++-------------- 1 file changed, 92 insertions(+), 35 deletions(-) diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index 67d094b37d..ad69c61695 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -155,7 +155,7 @@ static int cb_lookup_vals(int lookup, int dimentions, int entries) return 0; } -static void ready_codebook(vorbis_enc_codebook *cb) +static int ready_codebook(vorbis_enc_codebook *cb) { int i; @@ -167,6 +167,8 @@ static void ready_codebook(vorbis_enc_codebook *cb) int vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->dimentions = av_malloc(sizeof(float) * cb->nentries * cb->ndimentions); cb->pow2 = av_mallocz(sizeof(float) * cb->nentries); + if (!cb->dimentions || !cb->pow2) + return AVERROR(ENOMEM); for (i = 0; i < cb->nentries; i++) { float last = 0; int j; @@ -187,13 +189,16 @@ static void ready_codebook(vorbis_enc_codebook *cb) cb->pow2[i] /= 2.; } } + return 0; } -static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) +static int ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) { int i; assert(rc->type == 2); rc->maxes = av_mallocz(sizeof(float[2]) * rc->classifications); + if (!rc->maxes) + return AVERROR(ENOMEM); for (i = 0; i < rc->classifications; i++) { int j; vorbis_enc_codebook * cb; @@ -223,15 +228,16 @@ static void ready_residue(vorbis_enc_residue *rc, vorbis_enc_context *venc) rc->maxes[i][0] += 0.8; rc->maxes[i][1] += 0.8; } + return 0; } -static void create_vorbis_context(vorbis_enc_context *venc, - AVCodecContext *avccontext) +static int create_vorbis_context(vorbis_enc_context *venc, + AVCodecContext *avccontext) { vorbis_enc_floor *fc; vorbis_enc_residue *rc; vorbis_enc_mapping *mc; - int i, book; + int i, book, ret; venc->channels = avccontext->channels; venc->sample_rate = avccontext->sample_rate; @@ -239,6 +245,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->ncodebooks = FF_ARRAY_ELEMS(cvectors); venc->codebooks = av_malloc(sizeof(vorbis_enc_codebook) * venc->ncodebooks); + if (!venc->codebooks) + return AVERROR(ENOMEM); // codebook 0..14 - floor1 book, values 0..255 // codebook 15 residue masterbook @@ -255,27 +263,36 @@ static void create_vorbis_context(vorbis_enc_context *venc, cb->lens = av_malloc(sizeof(uint8_t) * cb->nentries); cb->codewords = av_malloc(sizeof(uint32_t) * cb->nentries); + if (!cb->lens || !cb->codewords) + return AVERROR(ENOMEM); memcpy(cb->lens, cvectors[book].clens, cvectors[book].len); memset(cb->lens + cvectors[book].len, 0, cb->nentries - cvectors[book].len); if (cb->lookup) { vals = cb_lookup_vals(cb->lookup, cb->ndimentions, cb->nentries); cb->quantlist = av_malloc(sizeof(int) * vals); + if (!cb->quantlist) + return AVERROR(ENOMEM); for (i = 0; i < vals; i++) cb->quantlist[i] = cvectors[book].quant[i]; } else { cb->quantlist = NULL; } - ready_codebook(cb); + if ((ret = ready_codebook(cb)) < 0) + return ret; } venc->nfloors = 1; venc->floors = av_malloc(sizeof(vorbis_enc_floor) * venc->nfloors); + if (!venc->floors) + return AVERROR(ENOMEM); // just 1 floor fc = &venc->floors[0]; fc->partitions = NUM_FLOOR_PARTITIONS; fc->partition_to_class = av_malloc(sizeof(int) * fc->partitions); + if (!fc->partition_to_class) + return AVERROR(ENOMEM); fc->nclasses = 0; for (i = 0; i < fc->partitions; i++) { static const int a[] = {0, 1, 2, 2, 3, 3, 4, 4}; @@ -284,6 +301,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, } fc->nclasses++; fc->classes = av_malloc(sizeof(vorbis_enc_floor_class) * fc->nclasses); + if (!fc->classes) + return AVERROR(ENOMEM); for (i = 0; i < fc->nclasses; i++) { vorbis_enc_floor_class * c = &fc->classes[i]; int j, books; @@ -292,6 +311,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, c->masterbook = floor_classes[i].masterbook; books = (1 << c->subclass); c->books = av_malloc(sizeof(int) * books); + if (!c->books) + return AVERROR(ENOMEM); for (j = 0; j < books; j++) c->books[j] = floor_classes[i].nbooks[j]; } @@ -303,6 +324,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, fc->values += fc->classes[fc->partition_to_class[i]].dim; fc->list = av_malloc(sizeof(vorbis_floor1_entry) * fc->values); + if (!fc->list) + return AVERROR(ENOMEM); fc->list[0].x = 0; fc->list[1].x = 1 << fc->rangebits; for (i = 2; i < fc->values; i++) { @@ -317,6 +340,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); + if (!venc->residues) + return AVERROR(ENOMEM); // single residue rc = &venc->residues[0]; @@ -327,6 +352,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, rc->classifications = 10; rc->classbook = 15; rc->books = av_malloc(sizeof(*rc->books) * rc->classifications); + if (!rc->books) + return AVERROR(ENOMEM); { static const int8_t a[10][8] = { { -1, -1, -1, -1, -1, -1, -1, -1, }, @@ -342,19 +369,26 @@ static void create_vorbis_context(vorbis_enc_context *venc, }; memcpy(rc->books, a, sizeof a); } - ready_residue(rc, venc); + if ((ret = ready_residue(rc, venc)) < 0) + return ret; venc->nmappings = 1; venc->mappings = av_malloc(sizeof(vorbis_enc_mapping) * venc->nmappings); + if (!venc->mappings) + return AVERROR(ENOMEM); // single mapping mc = &venc->mappings[0]; mc->submaps = 1; mc->mux = av_malloc(sizeof(int) * venc->channels); + if (!mc->mux) + return AVERROR(ENOMEM); for (i = 0; i < venc->channels; i++) mc->mux[i] = 0; mc->floor = av_malloc(sizeof(int) * mc->submaps); mc->residue = av_malloc(sizeof(int) * mc->submaps); + if (!mc->floor || !mc->residue) + return AVERROR(ENOMEM); for (i = 0; i < mc->submaps; i++) { mc->floor[i] = 0; mc->residue[i] = 0; @@ -362,6 +396,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, mc->coupling_steps = venc->channels == 2 ? 1 : 0; mc->magnitude = av_malloc(sizeof(int) * mc->coupling_steps); mc->angle = av_malloc(sizeof(int) * mc->coupling_steps); + if (!mc->magnitude || !mc->angle) + return AVERROR(ENOMEM); if (mc->coupling_steps) { mc->magnitude[0] = 0; mc->angle[0] = 1; @@ -369,6 +405,8 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->nmodes = 1; venc->modes = av_malloc(sizeof(vorbis_enc_mode) * venc->nmodes); + if (!venc->modes) + return AVERROR(ENOMEM); // single mode venc->modes[0].blockflag = 0; @@ -379,12 +417,18 @@ static void create_vorbis_context(vorbis_enc_context *venc, venc->samples = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1])); venc->floor = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); venc->coeffs = av_malloc(sizeof(float) * venc->channels * (1 << venc->log2_blocksize[1]) / 2); + if (!venc->saved || !venc->samples || !venc->floor || !venc->coeffs) + return AVERROR(ENOMEM); venc->win[0] = ff_vorbis_vwin[venc->log2_blocksize[0] - 6]; venc->win[1] = ff_vorbis_vwin[venc->log2_blocksize[1] - 6]; - ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0); - ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0); + if ((ret = ff_mdct_init(&venc->mdct[0], venc->log2_blocksize[0], 0, 1.0)) < 0) + return ret; + if ((ret = ff_mdct_init(&venc->mdct[1], venc->log2_blocksize[1], 0, 1.0)) < 0) + return ret; + + return 0; } static void put_float(PutBitContext *pb, float f) @@ -647,6 +691,8 @@ static int put_main_header(vorbis_enc_context *venc, uint8_t **out) len = hlens[0] + hlens[1] + hlens[2]; p = *out = av_mallocz(64 + len + len/255); + if (!p) + return AVERROR(ENOMEM); *p++ = 2; p += av_xiphlacing(p, hlens[0]); @@ -952,32 +998,6 @@ static int apply_window_and_mdct(vorbis_enc_context *venc, const signed short *a return 1; } -static av_cold int vorbis_encode_init(AVCodecContext *avccontext) -{ - vorbis_enc_context *venc = avccontext->priv_data; - - if (avccontext->channels != 2) { - av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); - return -1; - } - - create_vorbis_context(venc, avccontext); - - if (avccontext->flags & CODEC_FLAG_QSCALE) - venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; - else - venc->quality = 0.03; - venc->quality *= venc->quality; - - avccontext->extradata_size = put_main_header(venc, (uint8_t**)&avccontext->extradata); - - avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); - - avccontext->coded_frame = avcodec_alloc_frame(); - avccontext->coded_frame->key_frame = 1; - - return 0; -} static int vorbis_encode_frame(AVCodecContext *avccontext, unsigned char *packets, @@ -1102,6 +1122,43 @@ static av_cold int vorbis_encode_close(AVCodecContext *avccontext) return 0 ; } +static av_cold int vorbis_encode_init(AVCodecContext *avccontext) +{ + vorbis_enc_context *venc = avccontext->priv_data; + int ret; + + if (avccontext->channels != 2) { + av_log(avccontext, AV_LOG_ERROR, "Current Libav Vorbis encoder only supports 2 channels.\n"); + return -1; + } + + if ((ret = create_vorbis_context(venc, avccontext)) < 0) + goto error; + + if (avccontext->flags & CODEC_FLAG_QSCALE) + venc->quality = avccontext->global_quality / (float)FF_QP2LAMBDA / 10.; + else + venc->quality = 0.03; + venc->quality *= venc->quality; + + if ((ret = put_main_header(venc, (uint8_t**)&avccontext->extradata)) < 0) + goto error; + avccontext->extradata_size = ret; + + avccontext->frame_size = 1 << (venc->log2_blocksize[0] - 1); + + avccontext->coded_frame = avcodec_alloc_frame(); + if (!avccontext->coded_frame) { + ret = AVERROR(ENOMEM); + goto error; + } + + return 0; +error: + vorbis_encode_close(avccontext); + return ret; +} + AVCodec ff_vorbis_encoder = { "vorbis", AVMEDIA_TYPE_AUDIO, -- cgit v1.2.3 From d6e250abfc36b239ef0c1fc9d45d588b853bfcb9 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Mon, 4 Jun 2012 18:27:03 -0700 Subject: vorbis: Validate that the floor 1 X values contain no duplicates. Duplicate values in this vector are explicitly banned by the Vorbis I spec and cause divide-by-zero crashes later on. (cherry picked from commit ecf79c4d3e8baaf2f303278ef81db6f8407656bc) Signed-off-by: Reinhard Tartler (cherry picked from commit 9aaaeba45c41cf2b3fa4100abbdee7437428f93c) Signed-off-by: Anton Khirnov --- libavcodec/vorbis.c | 9 ++++++++- libavcodec/vorbis.h | 3 ++- libavcodec/vorbisdec.c | 6 +++++- libavcodec/vorbisenc.c | 3 ++- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c index 20be707313..e0eda46f71 100644 --- a/libavcodec/vorbis.c +++ b/libavcodec/vorbis.c @@ -117,7 +117,8 @@ int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num) return 0; } -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values) { int i; list[0].sort = 0; @@ -141,6 +142,11 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) for (i = 0; i < values - 1; i++) { int j; for (j = i + 1; j < values; j++) { + if (list[i].x == list[j].x) { + av_log(avccontext, AV_LOG_ERROR, + "Duplicate value found in floor 1 X coordinates\n"); + return AVERROR_INVALIDDATA; + } if (list[list[i].sort].x > list[list[j].sort].x) { int tmp = list[i].sort; list[i].sort = list[j].sort; @@ -148,6 +154,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values) } } } + return 0; } static inline void render_line_unrolled(intptr_t x, int y, int x1, diff --git a/libavcodec/vorbis.h b/libavcodec/vorbis.h index 8501e0a178..b4346fbbe7 100644 --- a/libavcodec/vorbis.h +++ b/libavcodec/vorbis.h @@ -36,7 +36,8 @@ typedef struct { uint16_t high; } vorbis_floor1_entry; -void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values); +int ff_vorbis_ready_floor1_list(AVCodecContext *avccontext, + vorbis_floor1_entry *list, int values); unsigned int ff_vorbis_nth_root(unsigned int x, unsigned int n); // x^(1/n) int ff_vorbis_len2vlc(uint8_t *bits, uint32_t *codes, unsigned num); void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values, diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index d6850b7f48..3805d27627 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -559,7 +559,11 @@ static int vorbis_parse_setup_hdr_floors(vorbis_context *vc) } // Precalculate order of x coordinates - needed for decode - ff_vorbis_ready_floor1_list(floor_setup->data.t1.list, floor_setup->data.t1.x_list_dim); + if (ff_vorbis_ready_floor1_list(vc->avccontext, + floor_setup->data.t1.list, + floor_setup->data.t1.x_list_dim)) { + return AVERROR_INVALIDDATA; + } } else if (floor_setup->floor_type == 0) { unsigned max_codebook_dim = 0; diff --git a/libavcodec/vorbisenc.c b/libavcodec/vorbisenc.c index ad69c61695..7311c05d36 100644 --- a/libavcodec/vorbisenc.c +++ b/libavcodec/vorbisenc.c @@ -336,7 +336,8 @@ static int create_vorbis_context(vorbis_enc_context *venc, }; fc->list[i].x = a[i - 2]; } - ff_vorbis_ready_floor1_list(fc->list, fc->values); + if (ff_vorbis_ready_floor1_list(avccontext, fc->list, fc->values)) + return AVERROR(EINVAL); venc->nresidues = 1; venc->residues = av_malloc(sizeof(vorbis_enc_residue) * venc->nresidues); -- cgit v1.2.3 From 7b91e52eb9fd6012a0804febc7821b9484e6faa6 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Sun, 11 Nov 2012 22:41:46 +0100 Subject: x86: Require an assembler able to cope with AVX instructions All modern assemblers have this capability. Older NASM versions that lack the capability produce code that crashes at runtime, so it's better to error out during the build process instead. (cherry picked from commit e287201c77dc7a7a9759d56d8f48ae719b7e69a9) Signed-off-by: Diego Biurrun --- configure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configure b/configure index f4c327439a..6a2ff4fa01 100755 --- a/configure +++ b/configure @@ -2739,9 +2739,8 @@ EOF elf*) enabled debug && append YASMFLAGS $yasm_debug ;; esac - check_yasm "pextrd [eax], xmm0, 1" && enable yasm || + check_yasm "vextractf128 xmm0, ymm0, 0" && enable yasm || die "yasm not found, use --disable-yasm for a crippled build" - check_yasm "vextractf128 xmm0, ymm0, 0" || disable avx fi case "$cpu" in -- cgit v1.2.3 From 80b8dc30dc96190b6f9c3ab1d9263490232b328b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Sun, 30 Dec 2012 06:53:48 +0100 Subject: lavc/ass_split: check for NULL pointer in ff_ass_split_override_codes(). This is consistent with the other ff_ass_split_* functions. It also fixes a crash when trying to split a dialog with text=NULL (which seems to happen when the text of the dialog is empty); basically, this commit fixes crashes when trying to encode an empty text subtitle dialog (see subrip and mov_text encoders). Fixes Ticket2048. (cherry picked from commit c83002a4f8042ccfa0688a9a18e8fa0369c1fda8) --- libavcodec/ass_split.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ass_split.c b/libavcodec/ass_split.c index 2a3b76445e..33c1c2714f 100644 --- a/libavcodec/ass_split.c +++ b/libavcodec/ass_split.c @@ -366,7 +366,7 @@ int ff_ass_split_override_codes(const ASSCodesCallbacks *callbacks, void *priv, char new_line[2]; int text_len = 0; - while (*buf) { + while (buf && *buf) { if (text && callbacks->text && (sscanf(buf, "\\%1[nN]", new_line) == 1 || !strncmp(buf, "{\\", 2))) { -- cgit v1.2.3 From a2ae183a382f063c5403922b5151d865ce7252a2 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Wed, 30 May 2012 04:04:54 +0100 Subject: h264: allow cropping to AVCodecContext.width/height Override the frame size from the SPS with AVCodecContext values if the latter specify a size smaller by less than one macroblock. This is required for correct cropping of MOV files from Canon cameras. Signed-off-by: Mans Rullgard (cherry picked from commit 30f515091c323da59c0f1b533703dedca2f4b95d) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 90293f17f4..ac7eb20f35 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2605,6 +2605,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->height = s->avctx->height; } + if (FFALIGN(s->avctx->width, 16) == s->width && + FFALIGN(s->avctx->height, 16) == s->height) { + s->width = s->avctx->width; + s->height = s->avctx->height; + } + if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { -- cgit v1.2.3 From e39fc137aeace9420690c264067c37ff516b4743 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov --- libavcodec/vc1dec.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c index 1474e9fedd..34bf04fae0 100644 --- a/libavcodec/vc1dec.c +++ b/libavcodec/vc1dec.c @@ -3834,7 +3834,8 @@ AVCodec ff_vc1_decoder = { .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_hwaccel_pixfmt_list_420, - .profiles = NULL_IF_CONFIG_SMALL(profiles) + .profiles = NULL_IF_CONFIG_SMALL(profiles), + .flush = ff_mpeg_flush, }; #if CONFIG_WMV3_DECODER @@ -3852,7 +3853,8 @@ AVCodec ff_wmv3_decoder = { .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_hwaccel_pixfmt_list_420, - .profiles = NULL_IF_CONFIG_SMALL(profiles) + .profiles = NULL_IF_CONFIG_SMALL(profiles), + .flush = ff_mpeg_flush, }; #endif -- cgit v1.2.3 From d3e2f35f7addb6cb3a59aa823b716c8fa0b32b51 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 16 Sep 2012 08:33:09 +0200 Subject: bmpdec: only initialize palette for pal8. Gray8 is not considered to be paletted, so this would cause an invalid write. Fixes bug 367. CC: libav-stable@libav.org (cherry picked from commit 8b78c2969a5b7dca939d93bf525aa2bcd737b5d9) Signed-off-by: Anton Khirnov --- libavcodec/bmp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/bmp.c b/libavcodec/bmp.c index b7fee130bc..51947adad8 100644 --- a/libavcodec/bmp.c +++ b/libavcodec/bmp.c @@ -219,9 +219,6 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(comp == BMP_RLE4 || comp == BMP_RLE8) memset(p->data[0], 0, avctx->height * p->linesize[0]); - if(depth == 4 || depth == 8) - memset(p->data[1], 0, 1024); - if(height > 0){ ptr = p->data[0] + (avctx->height - 1) * p->linesize[0]; linesize = -p->linesize[0]; @@ -232,6 +229,9 @@ static int bmp_decode_frame(AVCodecContext *avctx, if(avctx->pix_fmt == PIX_FMT_PAL8){ int colors = 1 << depth; + + memset(p->data[1], 0, 1024); + if(ihsize >= 36){ int t; buf = buf0 + 46; -- cgit v1.2.3 From 0892a6340f86ff6ae4346fbb86d339ec1c58877b Mon Sep 17 00:00:00 2001 From: Max Lazarov Date: Fri, 30 Mar 2012 23:56:56 -0700 Subject: eval: fix swapping of lt() and lte() CC: libav-stable@libav.org (cherry picked from commit caac3ab6efde4fc9769e8a7472269356f262970a) Signed-off-by: Anton Khirnov --- libavutil/eval.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/eval.c b/libavutil/eval.c index 8bcba3632d..7dd1d03a26 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -273,8 +273,8 @@ static int parse_primary(AVExpr **e, Parser *p) else if (strmatch(next, "eq" )) d->type = e_eq; else if (strmatch(next, "gte" )) d->type = e_gte; else if (strmatch(next, "gt" )) d->type = e_gt; - else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } - else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lte" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gte; } + else if (strmatch(next, "lt" )) { AVExpr *tmp = d->param[1]; d->param[1] = d->param[0]; d->param[0] = tmp; d->type = e_gt; } else if (strmatch(next, "ld" )) d->type = e_ld; else if (strmatch(next, "isnan" )) d->type = e_isnan; else if (strmatch(next, "st" )) d->type = e_st; -- cgit v1.2.3 From a81c1ea2eb6621995bdab5e7b7ebdab020fbff5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Thu, 9 Feb 2012 11:28:46 +0200 Subject: h263: Add ff_ prefix to nonstatic symbols MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit ddce8953a5056800ec795df2dfd84fc17a11b5fc) Signed-off-by: Anton Khirnov --- libavcodec/h263.c | 8 ++--- libavcodec/h263.h | 42 ++++++++++++------------- libavcodec/h263data.h | 24 +++++++------- libavcodec/h263dec.c | 4 +-- libavcodec/intelh263dec.c | 4 +-- libavcodec/ituh263dec.c | 78 +++++++++++++++++++++++----------------------- libavcodec/ituh263enc.c | 44 +++++++++++++------------- libavcodec/mpeg4videodec.c | 50 ++++++++++++++--------------- libavcodec/mpeg4videoenc.c | 6 ++-- libavcodec/mpegvideo_enc.c | 10 +++--- libavcodec/msmpeg4.c | 16 +++++----- libavcodec/msmpeg4data.c | 12 +++---- libavcodec/rv10.c | 2 +- libavcodec/rv34data.h | 2 +- libavcodec/snow.c | 2 +- libavcodec/svq1dec.c | 6 ++-- libavcodec/svq1enc.c | 4 +-- libavcodec/wmv2enc.c | 2 +- 18 files changed, 158 insertions(+), 158 deletions(-) diff --git a/libavcodec/h263.c b/libavcodec/h263.c index 5c25df2272..ad045af7a5 100644 --- a/libavcodec/h263.c +++ b/libavcodec/h263.c @@ -98,7 +98,7 @@ void ff_h263_update_motion_val(MpegEncContext * s){ } } -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr) { int x, y, wrap, a, c, pred_dc; int16_t *dc_val; @@ -226,7 +226,7 @@ void ff_h263_loop_filter(MpegEncContext * s){ } } -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) { int x, y, wrap, a, c, pred_dc, scale, i; int16_t *dc_val, *ac_val, *ac_val1; @@ -313,8 +313,8 @@ void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n) ac_val1[8 + i] = block[s->dsp.idct_permutation[i ]]; } -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py) +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py) { int wrap; int16_t *A, *B, *C, (*mot_val)[2]; diff --git a/libavcodec/h263.h b/libavcodec/h263.h index 1dc300709e..77f7c3bc52 100644 --- a/libavcodec/h263.h +++ b/libavcodec/h263.h @@ -38,16 +38,16 @@ extern const AVRational ff_h263_pixel_aspect[16]; extern const uint8_t ff_h263_cbpy_tab[16][2]; -extern const uint8_t cbpc_b_tab[4][2]; +extern const uint8_t ff_cbpc_b_tab[4][2]; -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; extern const uint8_t ff_h263_intra_MCBPC_code[9]; extern const uint8_t ff_h263_intra_MCBPC_bits[9]; extern const uint8_t ff_h263_inter_MCBPC_code[28]; extern const uint8_t ff_h263_inter_MCBPC_bits[28]; -extern const uint8_t h263_mbtype_b_tab[15][2]; +extern const uint8_t ff_h263_mbtype_b_tab[15][2]; extern VLC ff_h263_intra_MCBPC_vlc; extern VLC ff_h263_inter_MCBPC_vlc; @@ -55,41 +55,41 @@ extern VLC ff_h263_cbpy_vlc; extern RLTable ff_h263_rl_inter; -extern RLTable rl_intra_aic; +extern RLTable ff_rl_intra_aic; -extern const uint16_t h263_format[8][2]; -extern const uint8_t modified_quant_tab[2][32]; +extern const uint16_t ff_h263_format[8][2]; +extern const uint8_t ff_modified_quant_tab[2][32]; extern uint16_t ff_mba_max[6]; extern uint8_t ff_mba_length[7]; extern uint8_t ff_h263_static_rl_table_store[2][2][2*MAX_RUN + MAX_LEVEL + 3]; -int h263_decode_motion(MpegEncContext * s, int pred, int f_code); +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code); av_const int ff_h263_aspect_to_info(AVRational aspect); int ff_h263_decode_init(AVCodecContext *avctx); int ff_h263_decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt); int ff_h263_decode_end(AVCodecContext *avctx); -void h263_encode_mb(MpegEncContext *s, - DCTELEM block[6][64], - int motion_x, int motion_y); -void h263_encode_picture_header(MpegEncContext *s, int picture_number); -void h263_encode_gob_header(MpegEncContext * s, int mb_line); -int16_t *h263_pred_motion(MpegEncContext * s, int block, int dir, - int *px, int *py); -void h263_encode_init(MpegEncContext *s); -void h263_decode_init_vlc(MpegEncContext *s); -int h263_decode_picture_header(MpegEncContext *s); +void ff_h263_encode_mb(MpegEncContext *s, + DCTELEM block[6][64], + int motion_x, int motion_y); +void ff_h263_encode_picture_header(MpegEncContext *s, int picture_number); +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line); +int16_t *ff_h263_pred_motion(MpegEncContext * s, int block, int dir, + int *px, int *py); +void ff_h263_encode_init(MpegEncContext *s); +void ff_h263_decode_init_vlc(MpegEncContext *s); +int ff_h263_decode_picture_header(MpegEncContext *s); int ff_h263_decode_gob_header(MpegEncContext *s); void ff_h263_update_motion_val(MpegEncContext * s); void ff_h263_loop_filter(MpegEncContext * s); int ff_h263_decode_mba(MpegEncContext *s); void ff_h263_encode_mba(MpegEncContext *s); void ff_init_qscale_tab(MpegEncContext *s); -int h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); -void h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); +int ff_h263_pred_dc(MpegEncContext * s, int n, int16_t **dc_val_ptr); +void ff_h263_pred_acdc(MpegEncContext * s, DCTELEM *block, int n); /** @@ -119,7 +119,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code int l, bit_size, code; if (val == 0) { - return mvtab[0][1]; + return ff_mvtab[0][1]; } else { bit_size = f_code - 1; /* modulo encoding */ @@ -128,7 +128,7 @@ static inline int h263_get_motion_length(MpegEncContext * s, int val, int f_code val--; code = (val >> bit_size) + 1; - return mvtab[code][1] + 1 + bit_size; + return ff_mvtab[code][1] + 1 + bit_size; } } diff --git a/libavcodec/h263data.h b/libavcodec/h263data.h index 966da56110..e3b83ad2e4 100644 --- a/libavcodec/h263data.h +++ b/libavcodec/h263data.h @@ -57,7 +57,7 @@ const uint8_t ff_h263_inter_MCBPC_bits[28] = { 11, 13, 13, 13,/* inter4Q*/ }; -const uint8_t h263_mbtype_b_tab[15][2] = { +const uint8_t ff_h263_mbtype_b_tab[15][2] = { {1, 1}, {3, 3}, {1, 5}, @@ -75,7 +75,7 @@ const uint8_t h263_mbtype_b_tab[15][2] = { {1, 8}, }; -const uint8_t cbpc_b_tab[4][2] = { +const uint8_t ff_cbpc_b_tab[4][2] = { {0, 1}, {2, 2}, {7, 3}, @@ -88,7 +88,7 @@ const uint8_t ff_h263_cbpy_tab[16][2] = {2,5}, {3,6}, {5,4}, {10,4}, {4,4}, {8,4}, {6,4}, {3,2} }; -const uint8_t mvtab[33][2] = +const uint8_t ff_mvtab[33][2] = { {1,1}, {1,2}, {1,3}, {1,4}, {3,6}, {5,7}, {4,7}, {3,7}, {11,9}, {10,9}, {9,9}, {17,10}, {16,10}, {15,10}, {14,10}, {13,10}, @@ -98,7 +98,7 @@ const uint8_t mvtab[33][2] = }; /* third non intra table */ -const uint16_t inter_vlc[103][2] = { +const uint16_t ff_inter_vlc[103][2] = { { 0x2, 2 },{ 0xf, 4 },{ 0x15, 6 },{ 0x17, 7 }, { 0x1f, 8 },{ 0x25, 9 },{ 0x24, 9 },{ 0x21, 10 }, { 0x20, 10 },{ 0x7, 11 },{ 0x6, 11 },{ 0x20, 11 }, @@ -127,7 +127,7 @@ const uint16_t inter_vlc[103][2] = { { 0x5e, 12 },{ 0x5f, 12 },{ 0x3, 7 }, }; -const int8_t inter_level[102] = { +const int8_t ff_inter_level[102] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 1, 2, 3, 4, 5, 6, 1, 2, 3, 4, 1, 2, @@ -143,7 +143,7 @@ const int8_t inter_level[102] = { 1, 1, 1, 1, 1, 1, }; -const int8_t inter_run[102] = { +const int8_t ff_inter_run[102] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, @@ -162,9 +162,9 @@ const int8_t inter_run[102] = { RLTable ff_h263_rl_inter = { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }; static const uint16_t intra_vlc_aic[103][2] = { @@ -228,7 +228,7 @@ static const int8_t intra_level_aic[102] = { 1, 1, 1, 1, 1, 1, }; -RLTable rl_intra_aic = { +RLTable ff_rl_intra_aic = { 102, 58, intra_vlc_aic, @@ -236,7 +236,7 @@ RLTable rl_intra_aic = { intra_level_aic, }; -const uint16_t h263_format[8][2] = { +const uint16_t ff_h263_format[8][2] = { { 0, 0 }, { 128, 96 }, { 176, 144 }, @@ -250,7 +250,7 @@ const uint8_t ff_aic_dc_scale_table[32]={ 0, 2, 4, 6, 8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62 }; -const uint8_t modified_quant_tab[2][32]={ +const uint8_t ff_modified_quant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 { 0, 3, 1, 2, 3, 4, 5, 6, 7, 8, 9, 9,10,11,12,13,14,15,16,17,18,18,19,20,21,22,23,24,25,26,27,28 diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 15fc724e54..38fd85abe2 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -111,7 +111,7 @@ av_cold int ff_h263_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); return 0; } @@ -417,7 +417,7 @@ retry: } else if (CONFIG_FLV_DECODER && s->h263_flv) { ret = ff_flv_decode_picture_header(s); } else { - ret = h263_decode_picture_header(s); + ret = ff_h263_decode_picture_header(s); } if(ret==FRAME_SKIPPED) return get_consumed_bytes(s, buf_size); diff --git a/libavcodec/intelh263dec.c b/libavcodec/intelh263dec.c index 83049bcc6f..0a2431ecd6 100644 --- a/libavcodec/intelh263dec.c +++ b/libavcodec/intelh263dec.c @@ -65,8 +65,8 @@ int ff_intel_h263_decode_picture_header(MpegEncContext *s) s->pb_frame = get_bits1(&s->gb); if (format < 6) { - s->width = h263_format[format][0]; - s->height = h263_format[format][1]; + s->width = ff_h263_format[format][0]; + s->height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio.num = 12; s->avctx->sample_aspect_ratio.den = 11; } else { diff --git a/libavcodec/ituh263dec.c b/libavcodec/ituh263dec.c index 0bb92da833..1359c0026f 100644 --- a/libavcodec/ituh263dec.c +++ b/libavcodec/ituh263dec.c @@ -100,7 +100,7 @@ static VLC cbpc_b_vlc; /* init vlcs */ /* XXX: find a better solution to handle static init */ -void h263_decode_init_vlc(MpegEncContext *s) +void ff_h263_decode_init_vlc(MpegEncContext *s) { static int done = 0; @@ -117,18 +117,18 @@ void h263_decode_init_vlc(MpegEncContext *s) &ff_h263_cbpy_tab[0][1], 2, 1, &ff_h263_cbpy_tab[0][0], 2, 1, 64); INIT_VLC_STATIC(&mv_vlc, MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); INIT_VLC_RL(ff_h263_rl_inter, 554); - INIT_VLC_RL(rl_intra_aic, 554); + INIT_VLC_RL(ff_rl_intra_aic, 554); INIT_VLC_STATIC(&h263_mbtype_b_vlc, H263_MBTYPE_B_VLC_BITS, 15, - &h263_mbtype_b_tab[0][1], 2, 1, - &h263_mbtype_b_tab[0][0], 2, 1, 80); + &ff_h263_mbtype_b_tab[0][1], 2, 1, + &ff_h263_mbtype_b_tab[0][0], 2, 1, 80); INIT_VLC_STATIC(&cbpc_b_vlc, CBPC_B_VLC_BITS, 4, - &cbpc_b_tab[0][1], 2, 1, - &cbpc_b_tab[0][0], 2, 1, 8); + &ff_cbpc_b_tab[0][1], 2, 1, + &ff_cbpc_b_tab[0][0], 2, 1, 8); } } @@ -268,7 +268,7 @@ int ff_h263_resync(MpegEncContext *s){ return -1; } -int h263_decode_motion(MpegEncContext * s, int pred, int f_code) +int ff_h263_decode_motion(MpegEncContext * s, int pred, int f_code) { int code, val, sign, shift, l; code = get_vlc2(&s->gb, mv_vlc.table, MV_VLC_BITS, 2); @@ -379,16 +379,16 @@ static void preview_obmc(MpegEncContext *s){ if ((cbpc & 16) == 0) { s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ - mot_val= h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mot_val= ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); mot_val[0 ]= mot_val[2 ]= mot_val[0+stride]= mot_val[2+stride]= mx; @@ -397,16 +397,16 @@ static void preview_obmc(MpegEncContext *s){ } else { s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (s->umvplus && (mx - pred_x) == 1 && (my - pred_y) == 1) skip_bits1(&s->gb); /* Bit stuffing to prevent PSC */ mot_val[0] = mx; @@ -430,7 +430,7 @@ static void h263_decode_dquant(MpegEncContext *s){ if(s->modified_quant){ if(get_bits1(&s->gb)) - s->qscale= modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; + s->qscale= ff_modified_quant_tab[get_bits1(&s->gb)][ s->qscale ]; else s->qscale= get_bits(&s->gb, 5); }else @@ -448,7 +448,7 @@ static int h263_decode_block(MpegEncContext * s, DCTELEM * block, scan_table = s->intra_scantable.permutated; if (s->h263_aic && s->mb_intra) { - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; if (s->ac_pred) { if (s->h263_aic_dir) @@ -537,7 +537,7 @@ retry: if (i >= 64){ if(s->alt_inter_vlc && rl == &ff_h263_rl_inter && !s->mb_intra){ //Looks like a hack but no, it's the way it is supposed to work ... - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; i = 0; s->gb= gb; s->dsp.clear_block(block); @@ -554,7 +554,7 @@ retry: } not_coded: if (s->mb_intra && s->h263_aic) { - h263_pred_acdc(s, block, n); + ff_h263_pred_acdc(s, block, n); i = 63; } s->block_last_index[n] = i; @@ -653,11 +653,11 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; @@ -665,7 +665,7 @@ int ff_h263_decode_mb(MpegEncContext *s, if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; @@ -678,18 +678,18 @@ int ff_h263_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); if (s->umvplus) mx = h263p_decode_umotion(s, pred_x); else - mx = h263_decode_motion(s, pred_x, 1); + mx = ff_h263_decode_motion(s, pred_x, 1); if (mx >= 0xffff) return -1; if (s->umvplus) my = h263p_decode_umotion(s, pred_y); else - my = h263_decode_motion(s, pred_y, 1); + my = ff_h263_decode_motion(s, pred_y, 1); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -761,11 +761,11 @@ int ff_h263_decode_mb(MpegEncContext *s, //FIXME UMV if(USES_LIST(mb_type, 0)){ - int16_t *mot_val= h263_pred_motion(s, 0, 0, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 0, &mx, &my); s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[0][0][0] = mx; s->mv[0][0][1] = my; @@ -774,11 +774,11 @@ int ff_h263_decode_mb(MpegEncContext *s, } if(USES_LIST(mb_type, 1)){ - int16_t *mot_val= h263_pred_motion(s, 0, 1, &mx, &my); + int16_t *mot_val= ff_h263_pred_motion(s, 0, 1, &mx, &my); s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, mx, 1); - my = h263_decode_motion(s, my, 1); + mx = ff_h263_decode_motion(s, mx, 1); + my = ff_h263_decode_motion(s, my, 1); s->mv[1][0][0] = mx; s->mv[1][0][1] = my; @@ -829,8 +829,8 @@ intra: } while(pb_mv_count--){ - h263_decode_motion(s, 0, 1); - h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); + ff_h263_decode_motion(s, 0, 1); } /* decode each block */ @@ -864,7 +864,7 @@ end: } /* most is hardcoded. should extend to handle all h263 streams */ -int h263_decode_picture_header(MpegEncContext *s) +int ff_h263_decode_picture_header(MpegEncContext *s) { int format, width, height, i; uint32_t startcode; @@ -916,8 +916,8 @@ int h263_decode_picture_header(MpegEncContext *s) if (format != 7 && format != 6) { s->h263_plus = 0; /* H.263v1 */ - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; if (!width) return -1; @@ -1024,8 +1024,8 @@ int h263_decode_picture_header(MpegEncContext *s) s->avctx->sample_aspect_ratio= ff_h263_pixel_aspect[s->aspect_ratio_info]; } } else { - width = h263_format[format][0]; - height = h263_format[format][1]; + width = ff_h263_format[format][0]; + height = ff_h263_format[format][1]; s->avctx->sample_aspect_ratio= (AVRational){12,11}; } if ((width == 0) || (height == 0)) diff --git a/libavcodec/ituh263enc.c b/libavcodec/ituh263enc.c index cadf389866..1c7c1a1e83 100644 --- a/libavcodec/ituh263enc.c +++ b/libavcodec/ituh263enc.c @@ -102,7 +102,7 @@ av_const int ff_h263_aspect_to_info(AVRational aspect){ return FF_ASPECT_EXTENDED; } -void h263_encode_picture_header(MpegEncContext * s, int picture_number) +void ff_h263_encode_picture_header(MpegEncContext * s, int picture_number) { int format, coded_frame_rate, coded_frame_rate_base, i, temp_ref; int best_clock_code=1; @@ -141,7 +141,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) put_bits(&s->pb, 1, 0); /* camera off */ put_bits(&s->pb, 1, 0); /* freeze picture release off */ - format = ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height); + format = ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height); if (!s->h263_plus) { /* H.263v1 */ put_bits(&s->pb, 3, format); @@ -247,7 +247,7 @@ void h263_encode_picture_header(MpegEncContext * s, int picture_number) /** * Encode a group of blocks header. */ -void h263_encode_gob_header(MpegEncContext * s, int mb_line) +void ff_h263_encode_gob_header(MpegEncContext * s, int mb_line) { put_bits(&s->pb, 17, 1); /* GBSC */ @@ -333,7 +333,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } else { i = 0; if (s->h263_aic && s->mb_intra) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; if(s->alt_inter_vlc && !s->mb_intra){ int aic_vlc_bits=0; @@ -353,14 +353,14 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) if(level<0) level= -level; code = get_rl_index(rl, last, run, level); - aic_code = get_rl_index(&rl_intra_aic, last, run, level); + aic_code = get_rl_index(&ff_rl_intra_aic, last, run, level); inter_vlc_bits += rl->table_vlc[code][1]+1; - aic_vlc_bits += rl_intra_aic.table_vlc[aic_code][1]+1; + aic_vlc_bits += ff_rl_intra_aic.table_vlc[aic_code][1]+1; if (code == rl->n) { inter_vlc_bits += 1+6+8-1; } - if (aic_code == rl_intra_aic.n) { + if (aic_code == ff_rl_intra_aic.n) { aic_vlc_bits += 1+6+8-1; wrong_pos += run + 1; }else @@ -370,7 +370,7 @@ static void h263_encode_block(MpegEncContext * s, DCTELEM * block, int n) } i = 0; if(aic_vlc_bits < inter_vlc_bits && wrong_pos > 63) - rl = &rl_intra_aic; + rl = &ff_rl_intra_aic; } } @@ -454,9 +454,9 @@ static void h263p_encode_umotion(MpegEncContext * s, int val) } } -void h263_encode_mb(MpegEncContext * s, - DCTELEM block[6][64], - int motion_x, int motion_y) +void ff_h263_encode_mb(MpegEncContext * s, + DCTELEM block[6][64], + int motion_x, int motion_y) { int cbpc, cbpy, i, cbp, pred_x, pred_y; int16_t pred_dc; @@ -500,7 +500,7 @@ void h263_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if (!s->umvplus) { ff_h263_encode_motion_vector(s, motion_x - pred_x, @@ -527,7 +527,7 @@ void h263_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); motion_x= s->current_picture.motion_val[0][ s->block_index[i] ][0]; motion_y= s->current_picture.motion_val[0][ s->block_index[i] ][1]; @@ -561,7 +561,7 @@ void h263_encode_mb(MpegEncContext * s, if(i<4) scale= s->y_dc_scale; else scale= s->c_dc_scale; - pred_dc = h263_pred_dc(s, i, &dc_ptr[i]); + pred_dc = ff_h263_pred_dc(s, i, &dc_ptr[i]); level -= pred_dc; /* Quant */ if (level >= 0) @@ -662,7 +662,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = f_code - 1; range = 1 << bit_size; @@ -677,7 +677,7 @@ void ff_h263_encode_motion(MpegEncContext * s, int val, int f_code) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } @@ -693,7 +693,7 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) for(mv=-MAX_MV; mv<=MAX_MV; mv++){ int len; - if(mv==0) len= mvtab[0][1]; + if(mv==0) len= ff_mvtab[0][1]; else{ int val, bit_size, code; @@ -705,9 +705,9 @@ static void init_mv_penalty_and_fcode(MpegEncContext *s) val--; code = (val >> bit_size) + 1; if(code<33){ - len= mvtab[code][1] + 1 + bit_size; + len= ff_mvtab[code][1] + 1 + bit_size; }else{ - len= mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; + len= ff_mvtab[32][1] + av_log2(code>>5) + 2 + bit_size; } } @@ -769,7 +769,7 @@ static void init_uni_h263_rl_tab(RLTable *rl, uint32_t *bits_tab, uint8_t *len_t } } -void h263_encode_init(MpegEncContext *s) +void ff_h263_encode_init(MpegEncContext *s) { static int done = 0; @@ -777,9 +777,9 @@ void h263_encode_init(MpegEncContext *s) done = 1; init_rl(&ff_h263_rl_inter, ff_h263_static_rl_table_store[0]); - init_rl(&rl_intra_aic, ff_h263_static_rl_table_store[1]); + init_rl(&ff_rl_intra_aic, ff_h263_static_rl_table_store[1]); - init_uni_h263_rl_tab(&rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); + init_uni_h263_rl_tab(&ff_rl_intra_aic, NULL, uni_h263_intra_aic_rl_len); init_uni_h263_rl_tab(&ff_h263_rl_inter , NULL, uni_h263_inter_rl_len); init_mv_penalty_and_fcode(s); diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 22d7ace789..96f077a55c 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -651,13 +651,13 @@ try_again: if ((cbpc & 16) == 0) { /* 16x16 motion prediction */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); if(!s->mcsel){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; @@ -675,12 +675,12 @@ try_again: int i; s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; for(i=0;i<4;i++) { - int16_t *mot_val= h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + int16_t *mot_val= ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; mot_val[0] = mx; @@ -1245,14 +1245,14 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->field_select[0][0]= get_bits1(&s->gb); s->field_select[0][1]= get_bits1(&s->gb); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); for(i=0; i<2; i++){ - mx = h263_decode_motion(s, pred_x, s->f_code); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y/2, s->f_code); + my = ff_h263_decode_motion(s, pred_y/2, s->f_code); if (my >= 0xffff) return -1; @@ -1263,13 +1263,13 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_16x16 | MB_TYPE_L0; /* 16x16 motion prediction */ s->mv_type = MV_TYPE_16X16; - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; @@ -1280,12 +1280,12 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->current_picture.mb_type[xy]= MB_TYPE_8x8 | MB_TYPE_L0; s->mv_type = MV_TYPE_8X8; for(i=0;i<4;i++) { - mot_val = h263_pred_motion(s, i, 0, &pred_x, &pred_y); - mx = h263_decode_motion(s, pred_x, s->f_code); + mot_val = ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); + mx = ff_h263_decode_motion(s, pred_x, s->f_code); if (mx >= 0xffff) return -1; - my = h263_decode_motion(s, pred_y, s->f_code); + my = ff_h263_decode_motion(s, pred_y, s->f_code); if (my >= 0xffff) return -1; s->mv[0][i][0] = mx; @@ -1381,8 +1381,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 0)){ s->mv_dir = MV_DIR_FORWARD; - mx = h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); - my = h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][0][0], s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][0][1], s->f_code); s->last_mv[0][1][0]= s->last_mv[0][0][0]= s->mv[0][0][0] = mx; s->last_mv[0][1][1]= s->last_mv[0][0][1]= s->mv[0][0][1] = my; } @@ -1390,8 +1390,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(USES_LIST(mb_type, 1)){ s->mv_dir |= MV_DIR_BACKWARD; - mx = h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); - my = h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][0][0], s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][0][1], s->b_code); s->last_mv[1][1][0]= s->last_mv[1][0][0]= s->mv[1][0][0] = mx; s->last_mv[1][1][1]= s->last_mv[1][0][1]= s->mv[1][0][1] = my; } @@ -1402,8 +1402,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir = MV_DIR_FORWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); - my = h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); + mx = ff_h263_decode_motion(s, s->last_mv[0][i][0] , s->f_code); + my = ff_h263_decode_motion(s, s->last_mv[0][i][1]/2, s->f_code); s->last_mv[0][i][0]= s->mv[0][i][0] = mx; s->last_mv[0][i][1]= (s->mv[0][i][1] = my)*2; } @@ -1413,8 +1413,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, s->mv_dir |= MV_DIR_BACKWARD; for(i=0; i<2; i++){ - mx = h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); - my = h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); + mx = ff_h263_decode_motion(s, s->last_mv[1][i][0] , s->b_code); + my = ff_h263_decode_motion(s, s->last_mv[1][i][1]/2, s->b_code); s->last_mv[1][i][0]= s->mv[1][i][0] = mx; s->last_mv[1][i][1]= (s->mv[1][i][1] = my)*2; } @@ -1426,8 +1426,8 @@ static int mpeg4_decode_mb(MpegEncContext *s, if(IS_SKIP(mb_type)) mx=my=0; else{ - mx = h263_decode_motion(s, 0, 1); - my = h263_decode_motion(s, 0, 1); + mx = ff_h263_decode_motion(s, 0, 1); + my = ff_h263_decode_motion(s, 0, 1); } s->mv_dir = MV_DIR_FORWARD | MV_DIR_BACKWARD | MV_DIRECT; diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 8a9bd198df..9d33ff9f3b 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -715,7 +715,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x16 mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, motion_x - pred_x, motion_y - pred_y, s->f_code); @@ -739,7 +739,7 @@ void mpeg4_encode_mb(MpegEncContext * s, } /* motion vectors: 16x8 interlaced mode */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); pred_y /=2; put_bits(&s->pb, 1, s->field_select[0][0]); @@ -767,7 +767,7 @@ void mpeg4_encode_mb(MpegEncContext * s, for(i=0; i<4; i++){ /* motion vectors: 8x8 mode*/ - h263_pred_motion(s, i, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, i, 0, &pred_x, &pred_y); ff_h263_encode_motion_vector(s, s->current_picture.motion_val[0][ s->block_index[i] ][0] - pred_x, s->current_picture.motion_val[0][ s->block_index[i] ][1] - pred_y, s->f_code); diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index ab717ebf4e..61d00ede29 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -581,7 +581,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) break; case CODEC_ID_H263: if (!CONFIG_H263_ENCODER) return -1; - if (ff_match_2uint16(h263_format, FF_ARRAY_ELEMS(h263_format), s->width, s->height) == 8) { + if (ff_match_2uint16(ff_h263_format, FF_ARRAY_ELEMS(ff_h263_format), s->width, s->height) == 8) { av_log(avctx, AV_LOG_INFO, "The specified picture size of %dx%d is not valid for the H.263 codec.\nValid sizes are 128x96, 176x144, 352x288, 704x576, and 1408x1152. Try H.263+.\n", s->width, s->height); return -1; } @@ -707,7 +707,7 @@ av_cold int MPV_encode_init(AVCodecContext *avctx) if (CONFIG_H261_ENCODER && s->out_format == FMT_H261) ff_h261_encode_init(s); if (CONFIG_H263_ENCODER && s->out_format == FMT_H263) - h263_encode_init(s); + ff_h263_encode_init(s); if (CONFIG_MSMPEG4_ENCODER && s->msmpeg4_version) ff_msmpeg4_encode_init(s); if ((CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) @@ -1767,7 +1767,7 @@ static av_always_inline void encode_mb_internal(MpegEncContext *s, int motion_x, case CODEC_ID_RV10: case CODEC_ID_RV20: if (CONFIG_H263_ENCODER) - h263_encode_mb(s, s->block, motion_x, motion_y); + ff_h263_encode_mb(s, s->block, motion_x, motion_y); break; case CODEC_ID_MJPEG: if (CONFIG_MJPEG_ENCODER) @@ -2199,7 +2199,7 @@ static int encode_thread(AVCodecContext *c, void *arg){ case CODEC_ID_H263: case CODEC_ID_H263P: if (CONFIG_H263_ENCODER) - h263_encode_gob_header(s, mb_y); + ff_h263_encode_gob_header(s, mb_y); break; } @@ -2949,7 +2949,7 @@ static int encode_picture(MpegEncContext *s, int picture_number) else if (CONFIG_FLV_ENCODER && s->codec_id == CODEC_ID_FLV1) ff_flv_encode_picture_header(s, picture_number); else if (CONFIG_H263_ENCODER) - h263_encode_picture_header(s, picture_number); + ff_h263_encode_picture_header(s, picture_number); break; case FMT_MPEG1: if (CONFIG_MPEG1VIDEO_ENCODER || CONFIG_MPEG2VIDEO_ENCODER) diff --git a/libavcodec/msmpeg4.c b/libavcodec/msmpeg4.c index c740cfa0bd..f055f64a1c 100644 --- a/libavcodec/msmpeg4.c +++ b/libavcodec/msmpeg4.c @@ -511,7 +511,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) if (val == 0) { /* zero vector */ code = 0; - put_bits(&s->pb, mvtab[code][1], mvtab[code][0]); + put_bits(&s->pb, ff_mvtab[code][1], ff_mvtab[code][0]); } else { bit_size = s->f_code - 1; range = 1 << bit_size; @@ -530,7 +530,7 @@ static void msmpeg4v2_encode_motion(MpegEncContext * s, int val) code = (val >> bit_size) + 1; bits = val & (range - 1); - put_bits(&s->pb, mvtab[code][1] + 1, (mvtab[code][0] << 1) | sign); + put_bits(&s->pb, ff_mvtab[code][1] + 1, (ff_mvtab[code][0] << 1) | sign); if (bit_size > 0) { put_bits(&s->pb, bit_size, bits); } @@ -579,7 +579,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); msmpeg4v2_encode_motion(s, motion_x - pred_x); msmpeg4v2_encode_motion(s, motion_y - pred_y); }else{ @@ -590,7 +590,7 @@ void msmpeg4_encode_mb(MpegEncContext * s, s->misc_bits += get_bits_diff(s); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } @@ -1138,7 +1138,7 @@ static int msmpeg4v12_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) cbp|= cbpy<<2; if(s->msmpeg4_version==1 || (cbp&3) != 3) cbp^= 0x3C; - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); mx= msmpeg4v2_decode_motion(s, mx, 1); my= msmpeg4v2_decode_motion(s, my, 1); @@ -1224,7 +1224,7 @@ static int msmpeg4v34_decode_mb(MpegEncContext *s, DCTELEM block[6][64]) s->rl_table_index = decode012(&s->gb); s->rl_chroma_table_index = s->rl_table_index; } - h263_pred_motion(s, 0, 0, &mx, &my); + ff_h263_pred_motion(s, 0, 0, &mx, &my); if (ff_msmpeg4_decode_motion(s, &mx, &my) < 0) return -1; s->mv_dir = MV_DIR_FORWARD; @@ -1320,8 +1320,8 @@ av_cold int ff_msmpeg4_decode_init(AVCodecContext *avctx) &v2_mb_type[0][1], 2, 1, &v2_mb_type[0][0], 2, 1, 128); INIT_VLC_STATIC(&v2_mv_vlc, V2_MV_VLC_BITS, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 538); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 538); INIT_VLC_STATIC(&ff_mb_non_intra_vlc[0], MB_NON_INTRA_VLC_BITS, 128, &wmv2_inter_table[0][0][1], 8, 4, diff --git a/libavcodec/msmpeg4data.c b/libavcodec/msmpeg4data.c index eeb812297d..811086364c 100644 --- a/libavcodec/msmpeg4data.c +++ b/libavcodec/msmpeg4data.c @@ -592,9 +592,9 @@ static const int8_t table4_run[168] = { 29, 30, 31, 32, 33, 34, 35, 36, }; -extern const uint16_t inter_vlc[103][2]; -extern const int8_t inter_level[102]; -extern const int8_t inter_run[102]; +extern const uint16_t ff_inter_vlc[103][2]; +extern const int8_t ff_inter_level[102]; +extern const int8_t ff_inter_run[102]; extern const uint16_t ff_mpeg4_intra_vlc[103][2]; extern const int8_t ff_mpeg4_intra_level[102]; @@ -647,9 +647,9 @@ RLTable rl_table[NB_RL_TABLES] = { { 102, 58, - inter_vlc, - inter_run, - inter_level, + ff_inter_vlc, + ff_inter_run, + ff_inter_level, }, }; diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 3ac0378d7d..8d5b62f925 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -482,7 +482,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) if (MPV_common_init(s) < 0) return -1; - h263_decode_init_vlc(s); + ff_h263_decode_init_vlc(s); /* init rv vlc */ if (!done) { diff --git a/libavcodec/rv34data.h b/libavcodec/rv34data.h index f8f941d061..d7e177d189 100644 --- a/libavcodec/rv34data.h +++ b/libavcodec/rv34data.h @@ -123,7 +123,7 @@ static const uint8_t rv34_quant_to_vlc_set[2][31] = { /** * table for obtaining the quantizer difference - * @todo Use with modified_quant_tab from h263data.h. + * @todo Use with ff_modified_quant_tab from h263data.h. */ static const uint8_t rv34_dquant_tab[2][32]={ // 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 diff --git a/libavcodec/snow.c b/libavcodec/snow.c index 28f04f119b..ac27637f08 100644 --- a/libavcodec/snow.c +++ b/libavcodec/snow.c @@ -2301,7 +2301,7 @@ static av_cold int encode_init(AVCodecContext *avctx) s->m.me.map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->m.obmc_scratchpad= av_mallocz(MB_SIZE*MB_SIZE*12*sizeof(uint32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty s->max_ref_frames = FFMAX(FFMIN(avctx->refs, MAX_REF_FRAMES), 1); diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 325cc1289b..b5159df4b8 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c @@ -43,7 +43,7 @@ #undef NDEBUG #include -extern const uint8_t mvtab[33][2]; +extern const uint8_t ff_mvtab[33][2]; static VLC svq1_block_type; static VLC svq1_motion_component; @@ -768,8 +768,8 @@ static av_cold int svq1_decode_init(AVCodecContext *avctx) &ff_svq1_block_type_vlc[0][0], 2, 1, 6); INIT_VLC_STATIC(&svq1_motion_component, 7, 33, - &mvtab[0][1], 2, 1, - &mvtab[0][0], 2, 1, 176); + &ff_mvtab[0][1], 2, 1, + &ff_mvtab[0][0], 2, 1, 176); for (i = 0; i < 6; i++) { static const uint8_t sizes[2][6] = {{14, 10, 14, 18, 16, 18}, {10, 10, 14, 14, 14, 16}}; diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c index fbeca803f0..d8980c6927 100644 --- a/libavcodec/svq1enc.c +++ b/libavcodec/svq1enc.c @@ -406,7 +406,7 @@ static int svq1_encode_plane(SVQ1Context *s, int plane, unsigned char *src_plane int mx, my, pred_x, pred_y, dxy; int16_t *motion_ptr; - motion_ptr= h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); + motion_ptr= ff_h263_pred_motion(&s->m, 0, 0, &pred_x, &pred_y); if(s->m.mb_type[x + y*s->m.mb_stride]&CANDIDATE_MB_TYPE_INTER){ for(i=0; i<6; i++) init_put_bits(&s->reorder_pb[i], reorder_buffer[1][i], 7*32); @@ -496,7 +496,7 @@ static av_cold int svq1_encode_init(AVCodecContext *avctx) s->m.me.score_map = av_mallocz(ME_MAP_SIZE*sizeof(uint32_t)); s->mb_type = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int16_t)); s->dummy = av_mallocz((s->y_block_width+1)*s->y_block_height*sizeof(int32_t)); - h263_encode_init(&s->m); //mv_penalty + ff_h263_encode_init(&s->m); //mv_penalty return 0; } diff --git a/libavcodec/wmv2enc.c b/libavcodec/wmv2enc.c index 9b7890c0f0..6a3ac3e983 100644 --- a/libavcodec/wmv2enc.c +++ b/libavcodec/wmv2enc.c @@ -171,7 +171,7 @@ void ff_wmv2_encode_mb(MpegEncContext * s, wmv2_inter_table[w->cbp_table_index][cbp + 64][0]); /* motion vector */ - h263_pred_motion(s, 0, 0, &pred_x, &pred_y); + ff_h263_pred_motion(s, 0, 0, &pred_x, &pred_y); ff_msmpeg4_encode_motion(s, motion_x - pred_x, motion_y - pred_y); } else { -- cgit v1.2.3 From 99008ba3667a28af5efe0934aa20aa37df8dbd86 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 13 Feb 2012 21:14:19 +0100 Subject: rv34: use AVERROR return values in ff_rv34_decode_frame() Also adds an error message. (cherry picked from commit 29330721b0e8514f9f8b4d54be75a662a2b79e44) Signed-off-by: Anton Khirnov --- libavcodec/rv34.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index cc1cae2616..a20a9892b8 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,15 +1444,20 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if(get_slice_offset(avctx, slices_hdr, 0) < 0 || get_slice_offset(avctx, slices_hdr, 0) > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); - return -1; + return AVERROR_INVALIDDATA; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); - return -1; + return AVERROR_INVALIDDATA; } - if((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && si.type == AV_PICTURE_TYPE_B) - return -1; + if ((!s->last_picture_ptr || !s->last_picture_ptr->data[0]) && + si.type == AV_PICTURE_TYPE_B) { + av_log(avctx, AV_LOG_ERROR, "Invalid decoder state: B-frame without " + "reference data.\n"); + return AVERROR_INVALIDDATA; + } + if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I) || avctx->skip_frame >= AVDISCARD_ALL) -- cgit v1.2.3 From 10c244cc89e80e1e924d442ccf40935bd7162178 Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 1b58b50e9f..79baed03dc 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -44,6 +44,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + if (a == b) return a; -- cgit v1.2.3 From 7a0ff7566b66da0b75dfaaca4347c7b41970f0ef Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 20 Apr 2012 17:42:18 +0200 Subject: avsdec: Set dimensions instead of relying on the demuxer. The decode function assumes that the video will have those dimensions. Fixes CVE-2012-2801 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 85f477935cd6b34e6ec2716b20e15ce748277a89) Signed-off-by: Reinhard Tartler --- libavcodec/avs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/avs.c b/libavcodec/avs.c index 3ad3d879b5..628a6e3d68 100644 --- a/libavcodec/avs.c +++ b/libavcodec/avs.c @@ -158,6 +158,7 @@ avs_decode_frame(AVCodecContext * avctx, static av_cold int avs_decode_init(AVCodecContext * avctx) { avctx->pix_fmt = PIX_FMT_PAL8; + avcodec_set_dimensions(avctx, 318, 198); return 0; } -- cgit v1.2.3 From 42c3a3719b055836291eec5765857872fb75a1f8 Mon Sep 17 00:00:00 2001 From: Aneesh Dogra Date: Tue, 20 Dec 2011 03:54:50 +0530 Subject: bytestream: add a new set of bytestream functions with overread checking Signed-off-by: Justin Ruggles --- libavcodec/bytestream.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/libavcodec/bytestream.h b/libavcodec/bytestream.h index 98f00879be..ba3e4e8802 100644 --- a/libavcodec/bytestream.h +++ b/libavcodec/bytestream.h @@ -26,6 +26,10 @@ #include "libavutil/common.h" #include "libavutil/intreadwrite.h" +typedef struct { + const uint8_t *buffer, *buffer_end; +} GetByteContext; + #define DEF_T(type, name, bytes, read, write) \ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ (*b) += bytes;\ @@ -34,6 +38,18 @@ static av_always_inline type bytestream_get_ ## name(const uint8_t **b){\ static av_always_inline void bytestream_put_ ##name(uint8_t **b, const type value){\ write(*b, value);\ (*b) += bytes;\ +}\ +static av_always_inline type bytestream2_get_ ## name(GetByteContext *g)\ +{\ + if (g->buffer_end - g->buffer < bytes)\ + return 0;\ + return bytestream_get_ ## name(&g->buffer);\ +}\ +static av_always_inline type bytestream2_peek_ ## name(GetByteContext *g)\ +{\ + if (g->buffer_end - g->buffer < bytes)\ + return 0;\ + return read(g->buffer);\ } #define DEF(name, bytes, read, write) \ @@ -55,6 +71,34 @@ DEF (byte, 1, AV_RB8 , AV_WB8 ) #undef DEF64 #undef DEF_T +static av_always_inline void bytestream2_init(GetByteContext *g, + const uint8_t *buf, int buf_size) +{ + g->buffer = buf; + g->buffer_end = buf + buf_size; +} + +static av_always_inline unsigned int bytestream2_get_bytes_left(GetByteContext *g) +{ + return g->buffer_end - g->buffer; +} + +static av_always_inline void bytestream2_skip(GetByteContext *g, + unsigned int size) +{ + g->buffer += FFMIN(g->buffer_end - g->buffer, size); +} + +static av_always_inline unsigned int bytestream2_get_buffer(GetByteContext *g, + uint8_t *dst, + unsigned int size) +{ + int size2 = FFMIN(g->buffer_end - g->buffer, size); + memcpy(dst, g->buffer, size2); + g->buffer += size2; + return size2; +} + static av_always_inline unsigned int bytestream_get_buffer(const uint8_t **b, uint8_t *dst, unsigned int size) { memcpy(dst, *b, size); -- cgit v1.2.3 From 4c849c69910c6c59ba57022ef28aaf70192a0e12 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 14:47:56 +0200 Subject: dfa: check that the caller set width/height properly. Fixes CVE-2012-2786. (cherry picked from commit ee715f49a06bf3898246d01b056284a9bb1bcbb9) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 919375baf0..1cb97dc017 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -23,6 +23,8 @@ #include "avcodec.h" #include "libavutil/intreadwrite.h" #include "bytestream.h" + +#include "libavutil/imgutils.h" #include "libavutil/lzo.h" // for av_memcpy_backptr typedef struct DfaContext { @@ -35,9 +37,13 @@ typedef struct DfaContext { static av_cold int dfa_decode_init(AVCodecContext *avctx) { DfaContext *s = avctx->priv_data; + int ret; avctx->pix_fmt = PIX_FMT_PAL8; + if ((ret = av_image_check_size(avctx->width, avctx->height, 0, avctx)) < 0) + return ret; + s->frame_buf = av_mallocz(avctx->width * avctx->height + AV_LZO_OUTPUT_PADDING); if (!s->frame_buf) return AVERROR(ENOMEM); -- cgit v1.2.3 From 2d63f9b4effc062138537190d4b9201d5e51cb8d Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 3 May 2012 20:10:36 +0200 Subject: dfa: add some checks to ensure that decoder won't write past frame end (cherry picked from commit 8099187e897ddc90cb3902332c76fb2542dac308) Signed-off-by: Reinhard Tartler --- libavcodec/dfa.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 1cb97dc017..eeb96cf7b1 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -176,6 +176,8 @@ static int decode_dds1(uint8_t *frame, int width, int height, } else if (bitbuf & (mask << 1)) { frame += bytestream_get_le16(&src) * 2; } else { + if (frame_end - frame < width + 2) + return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++; frame += 2; @@ -237,6 +239,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height, const uint8_t *frame_end = frame + width * height; uint8_t *line_ptr; int count, i, v, lines, segments; + int y = 0; lines = bytestream_get_le16(&src); if (lines > height || src >= src_end) @@ -245,10 +248,12 @@ static int decode_wdlt(uint8_t *frame, int width, int height, while (lines--) { segments = bytestream_get_le16(&src); while ((segments & 0xC000) == 0xC000) { + unsigned skip_lines = -(int16_t)segments; unsigned delta = -((int16_t)segments * width); - if (frame_end - frame <= delta) + if (frame_end - frame <= delta || y + lines + skip_lines > height) return -1; frame += delta; + y += skip_lines; segments = bytestream_get_le16(&src); } if (segments & 0x8000) { @@ -257,6 +262,7 @@ static int decode_wdlt(uint8_t *frame, int width, int height, } line_ptr = frame; frame += width; + y++; while (segments--) { if (src_end - src < 2) return -1; -- cgit v1.2.3 From c0df6a24ce9e1557208c33a907346e2d709b1816 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 12:39:49 +0200 Subject: indeo: check custom Huffman tables for errors (cherry picked from commit fe7a37c36febd71576cbefc385d995a8d6e444e7) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index bd3d4e6fd4..dac8d696d4 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -123,6 +123,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, if (huff_tab->tab_sel == 7) { /* custom huffman table (explicitly encoded) */ new_huff.num_rows = get_bits(gb, 4); + if (!new_huff.num_rows) { + av_log(avctx, AV_LOG_ERROR, "Empty custom Huffman table!\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < new_huff.num_rows; i++) new_huff.xbits[i] = get_bits(gb, 4); @@ -136,9 +140,10 @@ int ff_ivi_dec_huff_desc(GetBitContext *gb, int desc_coded, int which_tab, result = ff_ivi_create_huff_from_desc(&huff_tab->cust_desc, &huff_tab->cust_tab, 0); if (result) { + huff_tab->cust_desc.num_rows = 0; // reset faulty description av_log(avctx, AV_LOG_ERROR, "Error while initializing custom vlc table!\n"); - return -1; + return result; } } huff_tab->tab = &huff_tab->cust_tab; -- cgit v1.2.3 From 601fa565823b00424b51b66c414331fe33f18d1d Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 13:39:15 +0200 Subject: indeo: clear allocated band buffers (cherry picked from commit 23ba1503f2b11057c65052b4a07961236d8d69c7) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index dac8d696d4..2cd65e5552 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,14 +212,14 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; - band->bufs[0] = av_malloc(buf_size); - band->bufs[1] = av_malloc(buf_size); + band->bufs[0] = av_mallocz(buf_size); + band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) return AVERROR(ENOMEM); /* allocate the 3rd band buffer for scalability mode */ if (cfg->luma_bands > 1) { - band->bufs[2] = av_malloc(buf_size); + band->bufs[2] = av_mallocz(buf_size); if (!band->bufs[2]) return AVERROR(ENOMEM); } -- cgit v1.2.3 From 3c0f84402b2b12a9982e59d584768a3a5ef454f5 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Sat, 19 May 2012 16:07:42 +0200 Subject: indeo: check for invalid motion vectors (cherry picked from commit cf61aaaca16810b9b3a28395ed48fda8db0e87d9) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 16 ++++++++++++++++ libavcodec/ivi_common.h | 1 + 2 files changed, 17 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 2cd65e5552..22af3a7314 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -212,6 +212,7 @@ int av_cold ff_ivi_init_planes(IVIPlaneDesc *planes, const IVIPicConfig *cfg) band->width = b_width; band->height = b_height; band->pitch = width_aligned; + band->aheight = height_aligned; band->bufs[0] = av_mallocz(buf_size); band->bufs[1] = av_mallocz(buf_size); if (!band->bufs[0] || !band->bufs[1]) @@ -382,6 +383,21 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) mv_x >>= 1; mv_y >>= 1; /* convert halfpel vectors into fullpel ones */ } + if (mb->type) { + int dmv_x, dmv_y, cx, cy; + + dmv_x = mb->mv_x >> band->is_halfpel; + dmv_y = mb->mv_y >> band->is_halfpel; + cx = mb->mv_x & band->is_halfpel; + cy = mb->mv_y & band->is_halfpel; + + if ( mb->xpos + dmv_x < 0 + || mb->xpos + dmv_x + band->mb_size + cx > band->pitch + || mb->ypos + dmv_y < 0 + || mb->ypos + dmv_y + band->mb_size + cy > band->aheight) { + return AVERROR_INVALIDDATA; + } + } } for (blk = 0; blk < num_blocks; blk++) { diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index fd3d82515a..cd9847d08a 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -132,6 +132,7 @@ typedef struct { int band_num; ///< band number int width; int height; + int aheight; ///< aligned band height const uint8_t *data_ptr; ///< ptr to the first byte of the band data int data_size; ///< size of the band data int16_t *buf; ///< pointer to the output buffer for this band -- cgit v1.2.3 From 8148833193c6773b3db9b1759e62c2295d487ec7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 23 Jan 2012 21:33:34 +0100 Subject: indeo5: prevent null pointer dereference on broken files Found by John Villamil (cherry picked from commit 366ac22ea5a8bab63c7f46cdad2ddb2ff22cdbed) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index ba1bc18eff..c3f73ea1f5 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -453,6 +453,10 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, ref_mb = tile->ref_mbs; offs = tile->ypos * band->pitch + tile->xpos; + if (!ref_mb && + ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) + return AVERROR_INVALIDDATA; + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; -- cgit v1.2.3 From aa097b4d5fd41679cda6780fd8d70a3de33c6820 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 15 Apr 2012 14:11:50 +0200 Subject: indeo5: check tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Fixes CVE-2012-2794 CC:libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6) Signed-off-by: Reinhard Tartler --- libavcodec/indeo5.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index c3f73ea1f5..e12cd61419 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -457,6 +457,12 @@ static int decode_mb_info(IVI5DecContext *ctx, IVIBandDesc *band, ((band->qdelta_present && band->inherit_qdelta) || band->inherit_mv)) return AVERROR_INVALIDDATA; + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches parameters %d\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + /* scale factor for motion vectors */ mv_scale = (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3); mv_x = mv_y = 0; -- cgit v1.2.3 From 44da556815fc02ed0c763e8e8bda3ea7824b7954 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 18:28:31 +0200 Subject: lagarith: check count before writing zeros. Fixes CVE-2012-2793 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81) Signed-off-by: Reinhard Tartler --- libavcodec/lagarith.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 3d53536d13..5e00a75b5a 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -322,6 +322,11 @@ static int lag_decode_zero_run_line(LagarithContext *l, uint8_t *dst, output_zeros: if (l->zeros_rem) { count = FFMIN(l->zeros_rem, width - i); + if (end - dst < count) { + av_log(l->avctx, AV_LOG_ERROR, "Too many zeros remaining.\n"); + return AVERROR_INVALIDDATA; + } + memset(dst, 0, count); l->zeros_rem -= count; dst += count; -- cgit v1.2.3 From 4a636a5e43685637129efbf2ac65f4bdad011e37 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 14 Apr 2012 11:07:11 +0200 Subject: wmaprodec: check num_vec_coeffs for validity Fixes CVE-2012-2789 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 99f392a584dd10b553facc8e819f2c7e982e176d) Signed-off-by: Reinhard Tartler --- libavcodec/wmaprodec.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 8fa1573354..0ae73070d2 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -1158,7 +1158,12 @@ static int decode_subframe(WMAProDecodeCtx *s) int num_bits = av_log2((s->subframe_len + 3)/4) + 1; for (i = 0; i < s->channels_for_cur_subframe; i++) { int c = s->channel_indexes_for_cur_subframe[i]; - s->channel[c].num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2; + if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) { + av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs); + return AVERROR_INVALIDDATA; + } + s->channel[c].num_vec_coeffs = num_vec_coeffs; } } else { for (i = 0; i < s->channels_for_cur_subframe; i++) { -- cgit v1.2.3 From 05f5a2eb62db2ffb802b2c317cb48c769ab02b3b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:42:29 +0200 Subject: avidec: use actually read size instead of requested size Fixes CVE-2012-2788 (cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60) Signed-off-by: Reinhard Tartler --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 85fc794362..a35290b19f 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -984,7 +984,7 @@ resync: } ast->frame_offset += get_duration(ast, pkt->size); } - ast->remaining -= size; + ast->remaining -= err; if(!ast->remaining){ avi->stream_index= -1; ast->packet_size= 0; -- cgit v1.2.3 From 6996a2f796898753b85d9465653f995148ebc753 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 02:40:24 +0100 Subject: cavsdec: check for changing w/h. Our decoder does not support changing w/h. Fixes CVE-2012-2777 and CVE-2012-2784. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit c20a69630619d14ae92c5541d52c579d7c8f3e94) Signed-off-by: Reinhard Tartler --- libavcodec/cavsdec.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 35c37d0768..93e2539f31 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -608,12 +608,21 @@ static int decode_pic(AVSContext *h) { static int decode_seq_header(AVSContext *h) { MpegEncContext *s = &h->s; int frame_rate_code; + int width, height; h->profile = get_bits(&s->gb,8); h->level = get_bits(&s->gb,8); skip_bits1(&s->gb); //progressive sequence - s->width = get_bits(&s->gb,14); - s->height = get_bits(&s->gb,14); + + width = get_bits(&s->gb, 14); + height = get_bits(&s->gb, 14); + if ((s->width || s->height) && (s->width != width || s->height != height)) { + av_log_missing_feature(s, "Width/height changing in CAVS is", 0); + return AVERROR_PATCHWELCOME; + } + s->width = width; + s->height = height; + skip_bits(&s->gb,2); //chroma format skip_bits(&s->gb,3); //sample_precision h->aspect_ratio = get_bits(&s->gb,4); -- cgit v1.2.3 From e3e369f6962cb73ead3ca5d49a5cc313eb85e5fc Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 29 Feb 2012 06:10:17 +0100 Subject: alsdec: Check that quantized parcor coeffs are within range. ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients ... In all cases the resulting quantized values ak are restricted to the range [-64,63]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cfe8fd37cb..4f4176ecee 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -704,6 +704,10 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int rice_param = parcor_rice_table[sconf->coef_table][k][1]; int offset = parcor_rice_table[sconf->coef_table][k][0]; quant_cof[k] = decode_rice(gb, rice_param) + offset; + if (quant_cof[k] < -64 || quant_cof[k] > 63) { + av_log(avctx, AV_LOG_ERROR, "quant_cof %d is out of range\n", quant_cof[k]); + return AVERROR_INVALIDDATA; + } } // read coefficients 20 to 126 -- cgit v1.2.3 From 1b48a426a96f361ee659f2054a48da312f69fc8a Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 11 Mar 2012 16:56:23 +0100 Subject: alsdec: Fix out of ltp_gain_values read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 4f4176ecee..25a9c5433e 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -740,7 +740,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) bd->ltp_gain[0] = decode_rice(gb, 1) << 3; bd->ltp_gain[1] = decode_rice(gb, 2) << 3; - r = get_unary(gb, 0, 4); + r = get_unary(gb, 0, 3); c = get_bits(gb, 2); bd->ltp_gain[2] = ltp_gain_values[r][c]; -- cgit v1.2.3 From 7e070cf2025fe7d0d7f296b7c7592e2c9b8cd1e5 Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Sun, 1 Jul 2012 13:36:30 +0100 Subject: alsdec: remove dead assignments Signed-off-by: Mans Rullgard (cherry picked from commit 4ca6d206d1b5beea42c4290d2ee801aaf5cd31f0) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index 25a9c5433e..a7d7fd732f 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -769,7 +769,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i = start; + unsigned int i; // read most significant bits unsigned int high; @@ -780,7 +780,7 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++) { k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; -- cgit v1.2.3 From 9474c93028444f0524e8a09a115fbdc3a3756cd0 Mon Sep 17 00:00:00 2001 From: Thilo Borgmann Date: Sun, 15 Apr 2012 18:07:12 +0200 Subject: alsdec: fix number of decoded samples in first sub-block in BGMC mode. Fixes CVE-2012-2790 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 66197988b1ee914825afbc3084e6da63f862068a) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index a7d7fd732f..6678daadac 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -769,7 +769,6 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) int delta[8]; unsigned int k [8]; unsigned int b = av_clip((av_ceil_log2(bd->block_length) - 3) >> 1, 0, 5); - unsigned int i; // read most significant bits unsigned int high; @@ -781,28 +780,29 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) current_res = bd->raw_samples + start; for (sb = 0; sb < sub_blocks; sb++) { + unsigned int sb_len = sb_length - (sb ? 0 : start); + k [sb] = s[sb] > b ? s[sb] - b : 0; delta[sb] = 5 - s[sb] + k[sb]; - ff_bgmc_decode(gb, sb_length, current_res, + ff_bgmc_decode(gb, sb_len, current_res, delta[sb], sx[sb], &high, &low, &value, ctx->bgmc_lut, ctx->bgmc_lut_status); - current_res += sb_length; + current_res += sb_len; } ff_bgmc_decode_end(gb); // read least significant bits and tails - i = start; current_res = bd->raw_samples + start; - for (sb = 0; sb < sub_blocks; sb++, i = 0) { + for (sb = 0; sb < sub_blocks; sb++, start = 0) { unsigned int cur_tail_code = tail_code[sx[sb]][delta[sb]]; unsigned int cur_k = k[sb]; unsigned int cur_s = s[sb]; - for (; i < sb_length; i++) { + for (; start < sb_length; start++) { int32_t res = *current_res; if (res == cur_tail_code) { -- cgit v1.2.3 From dd14723602f278966bdc1b5a39c34fcc8b9afa0e Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Thu, 2 Aug 2012 15:37:28 -0400 Subject: wmapro: prevent division by zero when sample rate is unspecified This fixes Bugzilla #327: Signed-off-by: Kostya Shishkov (cherry picked from commit 3680b2435101a5de56821718a71c828320d535a0) Signed-off-by: Anton Khirnov --- libavcodec/wmaprodec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c index 0ae73070d2..91972c9f5c 100644 --- a/libavcodec/wmaprodec.c +++ b/libavcodec/wmaprodec.c @@ -326,6 +326,11 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } + if (s->avctx->sample_rate <= 0) { + av_log(avctx, AV_LOG_ERROR, "invalid sample rate\n"); + return AVERROR_INVALIDDATA; + } + s->num_channels = avctx->channels; if (s->num_channels < 0) { -- cgit v1.2.3 From 562d6fd5b577aeab7218ce5d1cb8547aa1f4b66c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 28 Sep 2012 15:26:48 +0200 Subject: avidec: return 0, not packet size from read_packet(). (cherry picked from commit eeade678f0a2bac127aeed2fb68d8717a6463420) Signed-off-by: Anton Khirnov --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index a35290b19f..2083f28708 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -990,7 +990,7 @@ resync: ast->packet_size= 0; } - return size; + return 0; } memset(d, -1, sizeof(int)*8); -- cgit v1.2.3 From 8168a7cec951b34947c55bb14a1ba2f987ab13a3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sun, 8 Jul 2012 17:01:17 +0200 Subject: vf_pad: don't give up its own reference to the output buffer. Conflicts: libavfilter/vf_pad.c Fixes Bug 245 Signed-off-by: Anton Khirnov --- libavfilter/vf_pad.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_pad.c b/libavfilter/vf_pad.c index d4d2b205d3..ef7cc88625 100644 --- a/libavfilter/vf_pad.c +++ b/libavfilter/vf_pad.c @@ -299,6 +299,7 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) { PadContext *pad = inlink->dst->priv; AVFilterBufferRef *outpicref = avfilter_ref_buffer(inpicref, ~0); + AVFilterBufferRef *for_next_filter; int plane; for (plane = 0; plane < 4 && outpicref->data[plane]; plane++) { @@ -335,12 +336,14 @@ static void start_frame(AVFilterLink *inlink, AVFilterBufferRef *inpicref) outpicref->video->w = pad->w; outpicref->video->h = pad->h; - avfilter_start_frame(inlink->dst->outputs[0], outpicref); + for_next_filter = avfilter_ref_buffer(outpicref, ~0); + avfilter_start_frame(inlink->dst->outputs[0], for_next_filter); } static void end_frame(AVFilterLink *link) { avfilter_end_frame(link->dst->outputs[0]); + avfilter_unref_buffer(link->dst->outputs[0]->out_buf); avfilter_unref_buffer(link->cur_buf); } -- cgit v1.2.3 From fb3189ce8b8a5ddc44b460f9fb1b5b4e8ddea2f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Franz=20Brau=C3=9Fe?= Date: Fri, 30 Mar 2012 14:40:14 -0400 Subject: smacker audio: sign-extend the initial 16-bit predicted value Fixes Bug #265 Signed-off-by: Justin Ruggles (cherry picked from commit 12cbbbb4abda2de0ea123282ccf7ebee61517f7d) Signed-off-by: Anton Khirnov --- libavcodec/smacker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index eb4427c100..ff2cdebf1e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -644,7 +644,7 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) - pred[i] = av_bswap16(get_bits(&gb, 16)); + pred[i] = sign_extend(av_bswap16(get_bits(&gb, 16)), 16); for(i = 0; i <= stereo; i++) *samples++ = pred[i]; for(; i < unp_size / 2; i++) { -- cgit v1.2.3 From 5754176b5bfb4a298c376b4bdcce218848d15936 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 5 Oct 2012 15:53:32 +0200 Subject: yuv4mpeg: return proper error codes. Fixes Bug 373. CC:libav-stable@libav.org (cherry picked from commit d3a72becc6371563185a509b94f5daf32ddbb485) Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index 9a6a0c8315..dd785c674f 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -347,7 +347,7 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) { int i; char header[MAX_FRAME_HEADER+1]; - int packet_size, width, height; + int packet_size, width, height, ret; AVStream *st = s->streams[0]; struct frame_attributes *s1 = s->priv_data; @@ -358,18 +358,28 @@ static int yuv4_read_packet(AVFormatContext *s, AVPacket *pkt) break; } } - if (i == MAX_FRAME_HEADER) return -1; - if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) return -1; + if (s->pb->error) + return s->pb->error; + else if (s->pb->eof_reached) + return AVERROR_EOF; + else if (i == MAX_FRAME_HEADER) + return AVERROR_INVALIDDATA; + + if (strncmp(header, Y4M_FRAME_MAGIC, strlen(Y4M_FRAME_MAGIC))) + return AVERROR_INVALIDDATA; width = st->codec->width; height = st->codec->height; packet_size = avpicture_get_size(st->codec->pix_fmt, width, height); if (packet_size < 0) - return -1; + return packet_size; - if (av_get_packet(s->pb, pkt, packet_size) != packet_size) - return AVERROR(EIO); + ret = av_get_packet(s->pb, pkt, packet_size); + if (ret < 0) + return ret; + else if (ret != packet_size) + return s->pb->eof_reached ? AVERROR_EOF : AVERROR(EIO); if (s->streams[0]->codec->coded_frame) { s->streams[0]->codec->coded_frame->interlaced_frame = s1->interlaced_frame; -- cgit v1.2.3 From 11ecd8574a2edd482c687123f374f22c3390c6dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jind=C5=99ich=20Makovi=C4=8Dka?= Date: Sat, 29 Sep 2012 11:16:45 +0200 Subject: h264: avoid stuck buffer pointer in decode_nal_units MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When decode_nal_units() previously encountered a NAL_END_SEQUENCE, and there are some junk bytes left in the input buffer, but no start codes, buf_index gets stuck 3 bytes before the end of the buffer. This can trigger an infinite loop in the caller code, eg. in try_decode_trame(), as avcodec_decode_video() then keeps returning zeroes, with 3 bytes of the input packet still available. With this change, the remaining bytes are skipped so the whole packet gets consumed. CC:libav-stable@libav.org Signed-off-by: Jindřich Makovička Signed-off-by: Anton Khirnov (cherry picked from commit 1a8c6917f68f7378465e18f7615762bfd22704c2) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index ac7eb20f35..adb01d4a5e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3700,7 +3700,11 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ break; } - if(buf_index+3 >= buf_size) break; + + if (buf_index + 3 >= buf_size) { + buf_index = buf_size; + break; + } buf_index+=3; if(buf_index >= next_avc) continue; -- cgit v1.2.3 From ec6719f6551db6e93d8af9bffdaf0163b5d59b5b Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 28 Sep 2012 14:38:13 +0200 Subject: mpegaudiodec: fix short_start calculation The value should be always 3, as it follows from the specification. Fix a stack buffer overflow in exponents_from_scale_factors as reported by asan. Thanks to Dale Curtis for the sample vector. (cherry picked from commit 97cfa55eea39cef30abe14682c56c1e4e7f6f10d) Signed-off-by: Reinhard Tartler --- libavcodec/mpegaudiodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c index 033d76e049..fd94fb1dcc 100644 --- a/libavcodec/mpegaudiodec.c +++ b/libavcodec/mpegaudiodec.c @@ -210,7 +210,7 @@ static void ff_compute_band_indexes(MPADecodeContext *s, GranuleDef *g){ else g->long_end = 4; /* 8000 Hz */ - g->short_start = 2 + (s->sample_rate_index != 8); + g->short_start = 3; } else { g->long_end = 0; g->short_start = 0; -- cgit v1.2.3 From 549b8083d6e049061a063df68b49e0bae4340601 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Wed, 19 Sep 2012 11:12:58 -0700 Subject: tiffenc: Check av_malloc() results. (cherry picked from commit b92dfb56d4582633571db18c3d904f8602eaa2a6) Conflicts: libavcodec/tiffenc.c Signed-off-by: Reinhard Tartler --- libavcodec/tiffenc.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c index 5cff13bca0..4d3e6debc9 100644 --- a/libavcodec/tiffenc.c +++ b/libavcodec/tiffenc.c @@ -305,6 +305,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, strip_sizes = av_mallocz(sizeof(*strip_sizes) * strips); strip_offsets = av_mallocz(sizeof(*strip_offsets) * strips); + if (!strip_sizes || !strip_offsets) { + ret = AVERROR(ENOMEM); + goto fail; + } bytes_per_row = (((s->width - 1)/s->subsampling[0] + 1) * s->bpp * s->subsampling[0] * s->subsampling[1] + 7) >> 3; @@ -312,6 +316,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, yuv_line = av_malloc(bytes_per_row); if (yuv_line == NULL){ av_log(s->avctx, AV_LOG_ERROR, "Not enough memory\n"); + ret = AVERROR(ENOMEM); goto fail; } } @@ -324,6 +329,10 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, zlen = bytes_per_row * s->rps; zbuf = av_malloc(zlen); + if (!zbuf) { + ret = AVERROR(ENOMEM); + goto fail; + } strip_offsets[0] = ptr - buf; zn = 0; for (j = 0; j < s->rps; j++) { @@ -348,8 +357,13 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf, } else #endif { - if(s->compr == TIFF_LZW) + if (s->compr == TIFF_LZW) { s->lzws = av_malloc(ff_lzw_encode_state_size); + if (!s->lzws) { + ret = AVERROR(ENOMEM); + goto fail; + } + } for (i = 0; i < s->height; i++) { if (strip_sizes[i / s->rps] == 0) { if(s->compr == TIFF_LZW){ -- cgit v1.2.3 From aa45b90804ab21175b8c116bd8e5eb4b4e85fbcb Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 7 Apr 2012 17:25:47 +0200 Subject: alsdec: Check k used for rice decoder. Values that fail this check will cause failure of decode_rice() Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 23aae62c2cb4504a09ceb8cd0cabc1c8b260f521) Signed-off-by: Reinhard Tartler --- libavcodec/alsdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cdf2a7c0f1..cfe8fd37cb 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -650,6 +650,11 @@ static int read_var_block_data(ALSDecContext *ctx, ALSBlockData *bd) for (k = 1; k < sub_blocks; k++) s[k] = s[k - 1] + decode_rice(gb, 0); } + for (k = 1; k < sub_blocks; k++) + if (s[k] > 32) { + av_log(avctx, AV_LOG_ERROR, "k invalid for rice code.\n"); + return AVERROR_INVALIDDATA; + } if (get_bits1(gb)) *bd->shift_lsbs = get_bits(gb, 4) + 1; -- cgit v1.2.3 From 642d758a2d829e62e32f08ae3369b41299a5bcc1 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Wed, 2 Jan 2013 22:14:36 +0100 Subject: Update RELEASE file for 0.7.7 --- RELEASE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RELEASE b/RELEASE index c006218557..879be8a98f 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.7.6 +0.7.7 -- cgit v1.2.3 From fe9cbf582b094dff507df287bfa61b54755fa6c9 Mon Sep 17 00:00:00 2001 From: Piotr Bandurski Date: Sun, 6 Jan 2013 01:56:23 +0100 Subject: tiffdec: Use the correct height field. Fixes Ticket913 Signed-off-by: Michael Niedermayer (cherry picked from commit 4784a135b2b0fe4d1b4c6256bd37265fc45aed3d) Conflicts: libavcodec/tiff.c (cherry picked from commit fe0e64ca6431c2f606bc702c1a4e230f22531a4f) --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index e43cecb22c..2ca6d5ca62 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -396,7 +396,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t * break; case TIFF_ROWSPERSTRIP: if (type == TIFF_LONG && value == UINT_MAX) - value = s->avctx->height; + value = s->height; if(value < 1){ av_log(s->avctx, AV_LOG_ERROR, "Incorrect value of rows per strip\n"); return -1; -- cgit v1.2.3 From 9f8071245491b7060fac823b8060e06e14ca403b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 19:38:20 +0100 Subject: ivi_common: check that scan pattern is set before using it. Fixes CVE-2012-2791. CC: libav-stable@libav.org (cherry picked from commit deabb52ab4c1fdb3dd319f3980b1489a182011f1) Signed-off-by: Reinhard Tartler --- libavcodec/ivi_common.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index 22af3a7314..f55371cf73 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -410,6 +410,11 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) } if (cbp & 1) { /* block coded ? */ + if (!band->scan) { + av_log(NULL, AV_LOG_ERROR, "Scan pattern is not set.\n"); + return AVERROR_INVALIDDATA; + } + scan_pos = -1; memset(trvec, 0, num_coeffs*sizeof(trvec[0])); /* zero transform vector */ memset(col_flags, 0, sizeof(col_flags)); /* zero column flags */ -- cgit v1.2.3 From 700fb8c8dd0622fcadb1a35eb2363e1e4c94e663 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 08:22:06 +0100 Subject: vp56: make parse_header return standard error codes Returning 0 for failure is misleading. CC: libav-stable@libav.org (cherry picked from commit bb675d3ac6d722d5e117ae9042a996b55ca05b1d) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 12 ++++++------ libavcodec/vp56.c | 8 ++++---- libavcodec/vp56.h | 2 ++ libavcodec/vp6.c | 12 ++++++------ 4 files changed, 18 insertions(+), 16 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 2b975801d0..bb6c224309 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c @@ -47,18 +47,18 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, { vp56_rac_gets(c, 8); if(vp56_rac_gets(c, 5) > 5) - return 0; + return AVERROR_INVALIDDATA; vp56_rac_gets(c, 2); if (vp56_rac_get(c)) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + return AVERROR_PATCHWELCOME; } rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } vp56_rac_gets(c, 8); /* number of displayed macroblock rows */ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */ @@ -67,11 +67,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, 16*cols != s->avctx->coded_width || 16*rows != s->avctx->coded_height) { avcodec_set_dimensions(s->avctx, 16*cols, 16*rows); - return 2; + return VP56_SIZE_CHANGE; } } else if (!s->macroblocks) - return 0; - return 1; + return AVERROR_INVALIDDATA; + return 0; } static void vp5_parse_vector_adjustment(VP56Context *s, VP56mv *vect) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index dd9dd77527..96f40a1bd0 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -511,10 +511,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (!res) - return -1; + if (res < 0) + return res; - if (res == 2) { + if (res == VP56_SIZE_CHANGE) { int i; for (i = 0; i < 4; i++) { if (s->frames[i].data[0]) @@ -533,7 +533,7 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, return -1; } - if (res == 2) + if (res == VP56_SIZE_CHANGE) if (vp56_size_changed(avctx)) { avctx->release_buffer(avctx, p); return -1; diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 0c34438c8f..ad6977351a 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -38,6 +38,8 @@ typedef struct { int16_t y; } DECLARE_ALIGNED(4, , VP56mv); +#define VP56_SIZE_CHANGE 1 + typedef void (*VP56ParseVectorAdjustment)(VP56Context *s, VP56mv *vect); typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index b0d8642465..7347f9fac2 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -50,7 +50,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, int vrt_shift = 0; int sub_version; int rows, cols; - int res = 1; + int res = 0; int separated_coeff = buf[0] & 1; s->framep[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -59,7 +59,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (s->framep[VP56_FRAME_CURRENT]->key_frame) { sub_version = buf[1] >> 3; if (sub_version > 8) - return 0; + return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); @@ -77,7 +77,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, /* buf[5] is number of displayed macroblock cols */ if (!rows || !cols) { av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4); - return 0; + return AVERROR_INVALIDDATA; } if (!s->macroblocks || /* first frame */ @@ -88,7 +88,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->avctx->width -= s->avctx->extradata[0] >> 4; s->avctx->height -= s->avctx->extradata[0] & 0x0F; } - res = 2; + res = VP56_SIZE_CHANGE; } ff_vp56_init_range_decoder(c, buf+6, buf_size-6); @@ -100,7 +100,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, s->sub_version = sub_version; } else { if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height) - return 0; + return AVERROR_INVALIDDATA; if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+1) - 2; @@ -144,7 +144,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (buf_size < 0) { if (s->framep[VP56_FRAME_CURRENT]->key_frame) avcodec_set_dimensions(s->avctx, 0, 0); - return 0; + return AVERROR_INVALIDDATA; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; -- cgit v1.2.3 From 7fd7950174f9f2935fbf5bf1435fd0dc37be5c61 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 14 Dec 2012 09:55:04 +0100 Subject: vp56: release frames on error Fixes CVE-2012-2783 CC: libav-stable@libav.org (cherry picked from commit f33b5ba63eee96c9d1c7f0e568169cb0c3694238) Signed-off-by: Reinhard Tartler --- libavcodec/vp56.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 96f40a1bd0..b06ea7a5b2 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -511,8 +511,14 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->modelp = &s->models[is_alpha]; res = s->parse_header(s, buf, remaining_buf_size, &golden_frame); - if (res < 0) + if (res < 0) { + int i; + for (i = 0; i < 4; i++) { + if (s->frames[i].data[0]) + avctx->release_buffer(avctx, &s->frames[i]); + } return res; + } if (res == VP56_SIZE_CHANGE) { int i; -- cgit v1.2.3 From bfbff1c7483cd423ef7e0618cd67adf7d988376a Mon Sep 17 00:00:00 2001 From: Sami Pietila Date: Fri, 12 Oct 2012 07:12:49 -0700 Subject: vp8: reset loopfilter delta values at keyframes. Signed-off-by: Ronald S. Bultje (cherry picked from commit 0bf511d579c7b21f1244eec688abf571ca1235bd) Signed-off-by: Reinhard Tartler --- libavcodec/vp8.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 7e82bbbe82..e00389a4ba 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -269,6 +269,7 @@ static int decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_size) memcpy(s->prob->pred8x8c , vp8_pred8x8c_prob_inter , sizeof(s->prob->pred8x8c)); memcpy(s->prob->mvc , vp8_mv_default_prob , sizeof(s->prob->mvc)); memset(&s->segmentation, 0, sizeof(s->segmentation)); + memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } if (!s->macroblocks_base || /* first frame */ -- cgit v1.2.3 From f3f22f183fa298f73b1c6a27a19436a22d7ff23a Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 26 Oct 2012 22:55:04 +0200 Subject: yuv4mpeg: reject unsupported codecs The muxer already rejects unsupported pixel formats, reject also unsupported codecs to prevent dangerous misuses. (cherry picked from commit 424b1e764263b1493de4c34365ef367ddae856db) Conflicts: libavformat/yuv4mpeg.c Signed-off-by: Reinhard Tartler --- libavformat/yuv4mpeg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavformat/yuv4mpeg.c b/libavformat/yuv4mpeg.c index dd785c674f..e4b1e12266 100644 --- a/libavformat/yuv4mpeg.c +++ b/libavformat/yuv4mpeg.c @@ -154,6 +154,11 @@ static int yuv4_write_header(AVFormatContext *s) if (s->nb_streams != 1) return AVERROR(EIO); + if (s->streams[0]->codec->codec_id != CODEC_ID_RAWVIDEO) { + av_log(s, AV_LOG_ERROR, "ERROR: Only rawvideo supported.\n"); + return AVERROR_INVALIDDATA; + } + if (s->streams[0]->codec->pix_fmt == PIX_FMT_YUV411P) { av_log(s, AV_LOG_ERROR, "Warning: generating rarely used 4:1:1 YUV stream, some mjpegtools might not work.\n"); } -- cgit v1.2.3 From 3d0c9c9af687fd2dd4fbaefdb4d7d85c59f7d19f Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 7 Nov 2012 14:48:28 -0500 Subject: flacenc: ensure the order is within the min/max range in LPC order search This fixes use of uninitialized values when the FLAC encoder uses the 2-level, 4-level, and 8-level search methods. Fixes failure of the fate-flac-24-comp-8 test when run using valgrind. (cherry picked from commit 3a2731cbd31d0c5681ddbc7c78edd5c53c4d0032) Conflicts: libavcodec/flacenc.c Signed-off-by: Reinhard Tartler --- libavcodec/flacenc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/flacenc.c b/libavcodec/flacenc.c index be775cabd3..1c10d2b585 100644 --- a/libavcodec/flacenc.c +++ b/libavcodec/flacenc.c @@ -915,14 +915,16 @@ static int encode_residual_ch(FlacEncodeContext *s, int ch) omethod == ORDER_METHOD_8LEVEL) { int levels = 1 << omethod; uint32_t bits[1 << ORDER_METHOD_8LEVEL]; - int order; + int order = -1; int opt_index = levels-1; opt_order = max_order-1; bits[opt_index] = UINT32_MAX; for (i = levels-1; i >= 0; i--) { + int last_order = order; order = min_order + (((max_order-min_order+1) * (i+1)) / levels)-1; - if (order < 0) - order = 0; + order = av_clip(order, min_order - 1, max_order - 1); + if (order == last_order) + continue; encode_residual_lpc(res, smp, n, order+1, coefs[order], shift[order]); bits[i] = find_subframe_rice_params(s, sub, order+1); if (bits[i] < bits[opt_index]) { -- cgit v1.2.3 From ce8910d861c14a7fcc1c550380e1011a3a3b3e8c Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 19:22:22 +0100 Subject: h264: Fix parameters to ff_er_add_slice() call s->mb_x is reset to zero a couple of lines above. It does not make sense to call ff_er_add_slice() with 0 as endx when the end of the macroblock row was reached. Fixes unnecessary and counterproductive error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394. (cherry picked from commit e6160bda98641b7d4f86de15761ad2a962f21a36) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index adb01d4a5e..0940335edf 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3539,7 +3539,9 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg){ return 0; }else{ - ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, s->mb_x, s->mb_y, (AC_END|DC_END|MV_END)&part_mask); + ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y, + s->mb_x - 1, s->mb_y, + (AC_END|DC_END|MV_END)&part_mask); return -1; } -- cgit v1.2.3 From 4ede95e69cf964cd46b1e9fcd48da80d8d92c433 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Thu, 13 Dec 2012 16:20:19 +0100 Subject: vp6: properly fail on unsupported feature Interlacing is not supported at all and mismanaged down the normal codepaths causing possible buffer management issues. Fixes: CVE-2012-2783 (cherry picked from commit be75fed9755c1285ba084574aff2d7ee0f81110d) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 7347f9fac2..309e856de3 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -62,8 +62,8 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, return AVERROR_INVALIDDATA; s->filter_header = buf[1] & 0x06; if (buf[1] & 1) { - av_log(s->avctx, AV_LOG_ERROR, "interlacing not supported\n"); - return 0; + av_log_missing_feature(s->avctx, "Interlacing", 0); + return AVERROR_PATCHWELCOME; } if (separated_coeff || !s->filter_header) { coeff_offset = AV_RB16(buf+2) - 2; -- cgit v1.2.3 From 10ff052c601368f129466e6de19e9862aaaec7d1 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 23 Nov 2012 14:05:36 +0100 Subject: lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5f3da495fd..be679258a0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -813,7 +813,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st, *pnum = st->codec->time_base.num; *pden = st->codec->time_base.den; if (pc && pc->repeat_pict) { - *pnum = (*pnum) * (1 + pc->repeat_pict); + if (*pnum > INT_MAX / (1 + pc->repeat_pict)) + *pden /= 1 + pc->repeat_pict; + else + *pnum *= 1 + pc->repeat_pict; } //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet //Thus if we have no parser in such case leave duration undefined. -- cgit v1.2.3 From b143844ea0f6246e0d5a938d743e2e8a98453bec Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Tue, 11 Dec 2012 17:26:10 -0800 Subject: aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN. Found-by: pawlkt CC: libav-stable@libav.org Fixes: CVE-2012-5144 (cherry picked from commit 6d5b0092678b2a95dfe209a207550bd2fe9ef646) Signed-off-by: Reinhard Tartler --- libavcodec/aacdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index cf7b43d53f..d479c947a9 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -1692,7 +1692,7 @@ static void apply_tns(float coef[1024], TemporalNoiseShaping *tns, int w, filt, m, i; int bottom, top, order, start, end, size, inc; float lpc[TNS_MAX_ORDER]; - float tmp[TNS_MAX_ORDER]; + float tmp[TNS_MAX_ORDER + 1]; for (w = 0; w < ics->num_windows; w++) { bottom = ics->num_swb; -- cgit v1.2.3 From 5fa739e685bcbd29dd83139c245935099112beed Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 16 Nov 2012 14:31:09 +0100 Subject: h264: enable low delay only if no delayed frames were seen Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumely broken SPS. CC: libav-stable@libav.org (cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 0940335edf..98c68d873f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3847,9 +3847,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ init_get_bits(&s->gb, ptr, bit_length); ff_h264_decode_seq_parameter_set(h); - if (s->flags& CODEC_FLAG_LOW_DELAY || - (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) - s->low_delay=1; + if (s->flags & CODEC_FLAG_LOW_DELAY || + (h->sps.bitstream_restriction_flag && + !h->sps.num_reorder_frames)) { + if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) + av_log(avctx, AV_LOG_WARNING, "Delayed frames seen " + "reenabling low delay requires a codec " + "flush.\n"); + else + s->low_delay = 1; + } if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; -- cgit v1.2.3 From 08d9fd611eac18be52e0bd3430ba6acb740cd79f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Dec 2012 22:53:30 +0100 Subject: ppc: always use pic for shared libraries CC: libav-stable@libav.org (cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6a2ff4fa01..05a7161ef8 100755 --- a/configure +++ b/configure @@ -2342,7 +2342,7 @@ check_host_cflags -std=c99 check_host_cflags -Wall case "$arch" in - alpha|ia64|mips|parisc|sparc) + alpha|ia64|mips|parisc|ppc|sparc) spic=$shared ;; x86) -- cgit v1.2.3 From 4457e6137d83d3b65d919608cd0f12bc62d57c67 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sun, 25 Nov 2012 12:56:04 +0100 Subject: h264: check sps.log2_max_frame_num for validity Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302. CC: libav-stable@libav.org (cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 9eeff59762..367138a8c0 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -37,6 +37,9 @@ //#undef NDEBUG #include +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) +#define MIN_LOG2_MAX_FRAME_NUM 4 + static const AVRational pixel_aspect[17]={ {0, 1}, {1, 1}, @@ -298,7 +301,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ MpegEncContext * const s = &h->s; int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; - int i; + int i, log2_max_frame_num_minus4; SPS *sps; profile_idc= get_bits(&s->gb, 8); @@ -345,7 +348,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->bit_depth_chroma = 8; } - sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; + log2_max_frame_num_minus4 = get_ue_golomb(&s->gb); + if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 || + log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) { + av_log(h->s.avctx, AV_LOG_ERROR, + "log2_max_frame_num_minus4 out of range (0-12): %d\n", + log2_max_frame_num_minus4); + return AVERROR_INVALIDDATA; + } + sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4; + sps->poc_type= get_ue_golomb_31(&s->gb); if(sps->poc_type == 0){ //FIXME #define -- cgit v1.2.3 From 884a9b0d298acfba29c01690e27419ab646fa51a Mon Sep 17 00:00:00 2001 From: Victor Lopez Date: Wed, 19 Dec 2012 09:12:24 +0100 Subject: h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles Fixes bug 396. CC: libav-stable@libav.org (cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 367138a8c0..26db079af3 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -330,7 +330,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8)); sps->scaling_matrix_present = 0; - if(sps->profile_idc >= 100){ //high profile + if (sps->profile_idc == 100 || sps->profile_idc == 110 || + sps->profile_idc == 122 || sps->profile_idc == 244 || + sps->profile_idc == 44 || sps->profile_idc == 83 || + sps->profile_idc == 86 || sps->profile_idc == 118 || + sps->profile_idc == 128 || sps->profile_idc == 144) { sps->chroma_format_idc= get_ue_golomb_31(&s->gb); if(sps->chroma_format_idc > 3) { av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); -- cgit v1.2.3 From a39c6bf1b878f6667697225299707ef08a9482c8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 22 Dec 2012 01:21:09 -0500 Subject: alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler --- libavcodec/alac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 4ea3f7ee84..37e957eed5 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -664,10 +664,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) alac->numchannels = alac->avctx->channels; /* initialize from the extradata */ - if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) { - av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n", - ALAC_EXTRADATA_SIZE); - return -1; + if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n"); + return AVERROR_INVALIDDATA; } if (alac_set_info(alac)) { av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n"); -- cgit v1.2.3 From 808187965570012cca99a7c0fdf1d93652947285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 7 Jan 2013 18:39:04 +0200 Subject: rtsp: Recheck the reordering queue if getting a new packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler --- libavformat/rtsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 80cd587144..25aba7de67 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1641,6 +1641,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) rt->cur_transport_priv = NULL; } +redo: if (rt->transport == RTSP_TRANSPORT_RTP) { int i; int64_t first_queue_time = 0; @@ -1656,12 +1657,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) first_queue_st = rt->rtsp_streams[i]; } } - if (first_queue_time) + if (first_queue_time) { wait_end = first_queue_time + s->max_delay; + } else { + wait_end = 0; + first_queue_st = NULL; + } } /* read next RTP packet */ - redo: if (!rt->recvbuf) { rt->recvbuf = av_malloc(RECVBUF_SIZE); if (!rt->recvbuf) -- cgit v1.2.3 From 55065315caf138223b1f2f4e168fc64f601d1352 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 7 Mar 2012 14:26:58 -0800 Subject: Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis Signed-off-by: Ronald S. Bultje (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 18201677b8..8c94f4e618 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { @@ -184,7 +183,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); @@ -293,7 +292,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -306,6 +305,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; -- cgit v1.2.3 From 910c1f2352830f1c0e7505cc96c77eac556df083 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Dec 2012 17:58:24 +0100 Subject: oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8c94f4e618..a28232a04e 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -160,8 +160,13 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) AVStream *st; struct ogg_stream *os; - ogg->streams = av_realloc (ogg->streams, - ogg->nstreams * sizeof (*ogg->streams)); + os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams)); + + if (!os) + return AVERROR(ENOMEM); + + ogg->streams = os; + memset (ogg->streams + idx, 0, sizeof (*ogg->streams)); os = ogg->streams + idx; os->serial = serial; @@ -293,6 +298,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) if (os->bufsize - os->bufpos < size){ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); + if (!nb) + return AVERROR(ENOMEM); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; -- cgit v1.2.3 From 3bc9cfe66e1a34c6d9dc45fde2a44aa38e6363ce Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 19:36:27 +0100 Subject: oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index a28232a04e..cab6da7b13 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -492,14 +492,29 @@ static int ogg_get_length(AVFormatContext *s) return 0; } -static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap) +static int ogg_read_close(AVFormatContext *s) { struct ogg *ogg = s->priv_data; int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + +static int ogg_read_header(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i, ret; ogg->curidx = -1; //linear headers seek from start - if (ogg_get_headers (s) < 0){ - return -1; + ret = ogg_get_headers(s); + if (ret < 0) { + ogg_read_close(s); + return ret; } for (i = 0; i < ogg->nstreams; i++) @@ -583,19 +598,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++){ - av_free (ogg->streams[i].buf); - av_free (ogg->streams[i].private); - } - av_free (ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { -- cgit v1.2.3 From ad025377462cd01c11f1fe67d087804999af9d49 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 28 Nov 2012 22:17:14 +0100 Subject: h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 98c68d873f..1f85eea24d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3832,6 +3832,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->inter_gb_ptr= &hx->inter_gb; if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning + && s->current_picture_ptr && s->context_initialized && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B) -- cgit v1.2.3 From dd0c5e0fa909bac905ea8baa49b704892792a1c9 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 12 Jan 2013 17:22:50 +0100 Subject: h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1f85eea24d..739b9d2e51 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2890,8 +2890,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(num_ref_idx_active_override_flag){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; - if(h->slice_type_nos==AV_PICTURE_TYPE_B) + if (h->ref_count[0] < 1) + return AVERROR_INVALIDDATA; + if (h->slice_type_nos == AV_PICTURE_TYPE_B) { h->ref_count[1]= get_ue_golomb(&s->gb) + 1; + if (h->ref_count[1] < 1) + return AVERROR_INVALIDDATA; + } } if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { -- cgit v1.2.3 From 56cc629a645e479c233750a60a35264b4aa9a651 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 19 Jan 2013 13:34:41 +0100 Subject: Revert "h264: allow cropping to AVCodecContext.width/height" This reverts commit a2ae183a382f063c5403922b5151d865ce7252a2. This removes a duplicate hunk Found-by: Joakim Plate --- libavcodec/h264.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8c7ebcab55..97b46fdcd7 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2623,12 +2623,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ s->height = s->avctx->height; } - if (FFALIGN(s->avctx->width, 16) == s->width && - FFALIGN(s->avctx->height, 16) == s->height) { - s->width = s->avctx->width; - s->height = s->avctx->height; - } - if (s->context_initialized && ( s->width != s->avctx->width || s->height != s->avctx->height || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { -- cgit v1.2.3 From e163d884ef6ccc52f02a176105098d15c451d6af Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 17:49:29 -0500 Subject: rtmp: fix multiple broken overflow checks Sanity checks like `data + size >= data_end || data + size < data' are broken, because `data + size < data' assumes pointer overflow, which is undefined behavior in C. Many compilers such as gcc/clang optimize such checks away. Use `size < 0 || size >= data_end - data' instead. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 902cfe2f74d777a7dc20ac68f2393b9f84b790c1) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 4b6d549f74..5e75e3bd27 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -278,11 +278,11 @@ int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return -1; data += t; } @@ -311,7 +311,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, int size = bytestream_get_be16(&data); if (!size) break; - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return -1; data += size; if (size == namelen && !memcmp(data-size, name, namelen)) { @@ -332,7 +332,7 @@ int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, return 0; } len = ff_amf_tag_size(data, data_end); - if (len < 0 || data + len >= data_end || data + len < data) + if (len < 0 || len >= data_end - data) return -1; data += len; } @@ -403,13 +403,13 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d data++; break; } - if (data + size >= data_end || data + size < data) + if (size < 0 || size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); ff_amf_tag_contents(ctx, data, data_end); t = ff_amf_tag_size(data, data_end); - if (t < 0 || data + t >= data_end) + if (t < 0 || t >= data_end - data) return; data += t; } -- cgit v1.2.3 From b59ee5dcf119f900a3e9f45098f9e992a5f26fd0 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Tue, 22 Jan 2013 21:40:05 -0500 Subject: rtmp: fix buffer overflows in ff_amf_tag_contents() A negative `size' will bypass FFMIN(). In the subsequent memcpy() call, `size' will be considered as a large positive value, leading to a buffer overflow. Change the type of `size' to unsigned int to avoid buffer overflow, and simplify overflow checks accordingly. Signed-off-by: Xi Wang Signed-off-by: Michael Niedermayer (cherry picked from commit 4e692374f7962ea358c329de38c380103f8991b6) Signed-off-by: Michael Niedermayer --- libavformat/rtmppkt.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/libavformat/rtmppkt.c b/libavformat/rtmppkt.c index 5e75e3bd27..c65cfc1439 100644 --- a/libavformat/rtmppkt.c +++ b/libavformat/rtmppkt.c @@ -362,7 +362,7 @@ static const char* rtmp_packet_type(int type) static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *data_end) { - int size; + unsigned int size; char buf[1024]; if (data >= data_end) @@ -381,7 +381,7 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d } else { size = bytestream_get_be32(&data); } - size = FFMIN(size, 1023); + size = FFMIN(size, sizeof(buf) - 1); memcpy(buf, data, size); buf[size] = 0; av_log(ctx, AV_LOG_DEBUG, " string '%s'\n", buf); @@ -394,16 +394,15 @@ static void ff_amf_tag_contents(void *ctx, const uint8_t *data, const uint8_t *d case AMF_DATA_TYPE_OBJECT: av_log(ctx, AV_LOG_DEBUG, " {\n"); for (;;) { - int size = bytestream_get_be16(&data); int t; - memcpy(buf, data, size); - buf[size] = 0; + size = bytestream_get_be16(&data); + av_strlcpy(buf, data, FFMIN(sizeof(buf), size + 1)); if (!size) { av_log(ctx, AV_LOG_DEBUG, " }\n"); data++; break; } - if (size < 0 || size >= data_end - data) + if (size >= data_end - data) return; data += size; av_log(ctx, AV_LOG_DEBUG, " %s: ", buf); -- cgit v1.2.3 From 801eff785aa1c791d75afaa59233e9b5e9e0f4c7 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 23 Mar 2012 22:30:38 +0100 Subject: rv34: error out on size changes with frame threading (cherry picked from commit cb7190cd2c691fd93e4d3664f3fce6c19ee001dd) Fixes: CVE-2012-2772 (according to Ubuntu) --- libavcodec/rv34.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a20a9892b8..95ad5dd06e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1280,6 +1280,14 @@ static int rv34_decode_slice(RV34DecContext *r, int end, const uint8_t* buf, int if ((s->mb_x == 0 && s->mb_y == 0) || s->current_picture_ptr==NULL) { if(s->width != r->si.width || s->height != r->si.height){ + + if (HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) { + av_log_missing_feature(s->avctx, "Width/height changing with " + "frame threading is", 0); + return AVERROR_PATCHWELCOME; + } + av_log(s->avctx, AV_LOG_DEBUG, "Changing dimensions to %dx%d\n", r->si.width,r->si.height); MPV_common_end(s); s->width = r->si.width; -- cgit v1.2.3 From 03ddc260668beaf62f6f7fe64a08b5a71be5bb27 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Mar 2012 17:43:55 +0100 Subject: indeo5dec: Make sure we have had a valid gop header. This prevents decoding happening on a half initialized context. Fixes CVE-2012-2779 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Anton Khirnov (cherry picked from commit 891918431db628db17885ed947ee387b29826a64) Conflicts: libavcodec/ivi_common.c libavcodec/ivi_common.h --- libavcodec/indeo5.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index e12cd61419..bb491fe15a 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -76,6 +76,8 @@ typedef struct { int is_scalable; uint32_t lock_word; IVIPicConfig pic_conf; + + int gop_invalid; } IVI5DecContext; @@ -335,8 +337,12 @@ static int decode_pic_hdr(IVI5DecContext *ctx, AVCodecContext *avctx) ctx->frame_num = get_bits(&ctx->gb, 8); if (ctx->frame_type == FRAMETYPE_INTRA) { - if (decode_gop_header(ctx, avctx)) - return -1; + ctx->gop_invalid = 1; + if (decode_gop_header(ctx, avctx)) { + av_log(avctx, AV_LOG_ERROR, "Invalid GOP header, skipping frames.\n"); + return AVERROR_INVALIDDATA; + } + ctx->gop_invalid = 0; } if (ctx->frame_type != FRAMETYPE_NULL) { @@ -759,6 +765,8 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, "Error while decoding picture header: %d\n", result); return -1; } + if (ctx->gop_invalid) + return AVERROR_INVALIDDATA; if (ctx->gop_flags & IVI5_IS_PROTECTED) { av_log(avctx, AV_LOG_ERROR, "Password-protected clip!\n"); -- cgit v1.2.3 From 604d72aa0d050a95aefdc15fc57743415af8283b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 13:25:28 +0200 Subject: dfa: improve boundary checks in decode_dds1() Fixes CVE-2012-2798 CC:libav-stable@libav.org (cherry picked from commit d05f72c75445969cd7bdb1d860635c9880c67fb6) Conflicts: libavcodec/dfa.c --- libavcodec/dfa.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index eeb96cf7b1..9c80b3c4e8 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -159,8 +159,7 @@ static int decode_dds1(uint8_t *frame, int width, int height, bitbuf = bytestream_get_le16(&src); mask = 1; } - if (src_end - src < 2 || frame_end - frame < 2) - return -1; + if (bitbuf & mask) { v = bytestream_get_le16(&src); offset = (v & 0x1FFF) << 2; @@ -174,9 +173,12 @@ static int decode_dds1(uint8_t *frame, int width, int height, frame += 2; } } else if (bitbuf & (mask << 1)) { - frame += bytestream_get_le16(&src) * 2; + v = bytestream_get_le16(&src)*2; + if (frame - frame_end < v) + return AVERROR_INVALIDDATA; + frame += v; } else { - if (frame_end - frame < width + 2) + if (frame_end - frame < width + 3) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = *src++; -- cgit v1.2.3 From 440e98574bde9ca606dfea60c7dda8de555067f7 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 29 Sep 2012 11:07:58 +0200 Subject: indeo4/5: check empty tile size in decode_mb_info(). This prevents writing into a too small array if some parameters changed without the tile being reallocated. Based on a patch by Michael Niedermayer Fixes CVE-2012-2800 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind (cherry picked from commit ae3da0ae5550053583a6f281ea7fd940497ea0d1) Conflicts: libavcodec/ivi_common.c --- libavcodec/indeo5.c | 4 +++- libavcodec/ivi_common.c | 11 ++++++++++- libavcodec/ivi_common.h | 2 +- 3 files changed, 14 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index bb491fe15a..45460a40fd 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -619,8 +619,10 @@ static int decode_band(IVI5DecContext *ctx, int plane_num, tile->is_empty = get_bits1(&ctx->gb); if (tile->is_empty) { - ff_ivi_process_empty_tile(avctx, band, tile, + result = ff_ivi_process_empty_tile(avctx, band, tile, (ctx->planes[0].bands[0].mb_size >> 3) - (band->mb_size >> 3)); + if (result < 0) + break; } else { tile->data_size = ff_ivi_dec_tile_data_size(&ctx->gb); diff --git a/libavcodec/ivi_common.c b/libavcodec/ivi_common.c index f55371cf73..38cb3a8b33 100644 --- a/libavcodec/ivi_common.c +++ b/libavcodec/ivi_common.c @@ -495,7 +495,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile) return 0; } -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, +int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale) { int x, y, need_mc, mbn, blk, num_blocks, mv_x, mv_y, mc_type; @@ -506,6 +506,13 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, void (*mc_no_delta_func)(int16_t *buf, const int16_t *ref_buf, uint32_t pitch, int mc_type); + if (tile->num_MBs != IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)) { + av_log(avctx, AV_LOG_ERROR, "Allocated tile size %d mismatches " + "parameters %d in ivi_process_empty_tile()\n", + tile->num_MBs, IVI_MBs_PER_TILE(tile->width, tile->height, band->mb_size)); + return AVERROR_INVALIDDATA; + } + offs = tile->ypos * band->pitch + tile->xpos; mb = tile->mbs; ref_mb = tile->ref_mbs; @@ -586,6 +593,8 @@ void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, dst += band->pitch; } } + + return 0; } diff --git a/libavcodec/ivi_common.h b/libavcodec/ivi_common.h index cd9847d08a..3a328c469a 100644 --- a/libavcodec/ivi_common.h +++ b/libavcodec/ivi_common.h @@ -325,7 +325,7 @@ int ff_ivi_decode_blocks(GetBitContext *gb, IVIBandDesc *band, IVITile *tile); * @param[in] tile pointer to the tile descriptor * @param[in] mv_scale scaling factor for motion vectors */ -void ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, +int ff_ivi_process_empty_tile(AVCodecContext *avctx, IVIBandDesc *band, IVITile *tile, int32_t mv_scale); /** -- cgit v1.2.3 From 301761792a693a1f3303a2af34a0fb066a03c10c Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Thu, 13 Dec 2012 17:53:31 +0100 Subject: mpeg12: do not decode extradata more than once. Fixes CVE-2012-2803. (cherry picked from commit 582368626188c070d4300913c6da5efa4c24cfb2) Conflicts: libavcodec/mpeg12.c libavcodec/mpeg12.h --- libavcodec/mpeg12.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg12.c b/libavcodec/mpeg12.c index 03c95c191d..047c38f18a 100644 --- a/libavcodec/mpeg12.c +++ b/libavcodec/mpeg12.c @@ -1147,6 +1147,7 @@ typedef struct Mpeg1Context { int save_width, save_height, save_progressive_seq; AVRational frame_rate_ext; ///< MPEG-2 specific framerate modificator int sync; ///< Did we reach a sync point like a GOP/SEQ/KEYFrame? + int extradata_decoded; } Mpeg1Context; static av_cold int mpeg_decode_init(AVCodecContext *avctx) @@ -2279,8 +2280,10 @@ static int mpeg_decode_frame(AVCodecContext *avctx, s->slice_count= 0; - if(avctx->extradata && !avctx->frame_number) + if (avctx->extradata && !s->extradata_decoded) { decode_chunks(avctx, picture, data_size, avctx->extradata, avctx->extradata_size); + s->extradata_decoded = 1; + } return decode_chunks(avctx, picture, data_size, buf, buf_size); } -- cgit v1.2.3 From db5b454c3d20f0e2e7fff8f0091e776ae9757725 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 24 Jan 2013 14:01:42 +0100 Subject: Update changelog for 0.7.7 release --- Changelog | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Changelog b/Changelog index f434aa13b5..a7410d9dc3 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,38 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 0.7.7: + +Security Updates: + +- aacdec: Fix an off-by-one overwrite when switching to LTP profile from MAIN (CVE-2012-5144) +- alsdec: check opt_order (CVE-2012-2775) +- alsdec: fix number of decoded samples in first sub-block in BGMC mode (CVE-2012-2790) +- avidec: use actually read size instead of requested size (CVE-2012-2788) +- avsdec: Set dimensions instead of relying on the demuxer (CVE-2012-2801) +- cavsdec: check for changing w/h (CVE-2012-2777 and CVE-2012-2784) +- dfa: check that the caller set width/height properly (CVE-2012-2786) +- dfa: improve boundary checks in decode_dds1() (CVE-2012-2798) +- indeo4/5: check empty tile size in decode_mb_info() (CVE-2012-2800) +- indeo5: Make sure we have had a valid gop header (CVE-2012-2779) +- indeo5: check tile size in decode_mb_info() (CVE-2012-2794) +- ivi_common: check that scan pattern is set before using it (CVE-2012-2791) +- lagarith: check count before writing zeros (CVE-2012-2793) +- mpeg12: do not decode extradata more than once (CVE-2012-2803) +- rv34: error out on size changes with frame threading (CVE-2012-2772) +- vp56: release frames on error (CVE-2012-2783) +- wmaprodec: check num_vec_coeffs for validity (CVE-2012-2789) + + +Further bugfixes in the following codecs: + h264, vc1, nuv, imgconvert, vorbisenc, flacenc + +Other noteworthy changes: +- fix segfault in avformat_open_input() +- rtsp: Recheck the reordering queue if getting a new packet +- fix uninitialized reads and memory leaks on malformed ogg files + + version 0.7.6: Security Updates: -- cgit v1.2.3 From e4831bb9a678dea50b535638aa81eaf4aea0184c Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 18:29:41 +0100 Subject: huffyuvdec: Check init_vlc() return codes. Prevents out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit f67a0d115254461649470452058fa3c28c0df294) Signed-off-by: Michael Niedermayer (cherry picked from commit 95ab8d33e1a680f30a5a9605175112008ab81afc) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 277def59fce10d91e3113e5c0f63e22bc4abfa88) Conflicts: libavcodec/huffyuv.c (cherry picked from commit adf022f458d75e2c8041262e1906a249366ad518) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index b69be258f9..db9a346996 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -28,6 +28,7 @@ * huffyuv codec for libavcodec. */ +#include "libavutil/avassert.h" #include "avcodec.h" #include "get_bits.h" #include "put_bits.h" @@ -289,6 +290,7 @@ static void generate_joint_tables(HYuvContext *s){ int len1 = s->len[p][u]; if(len1 > limit) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; bits[i] = (s->bits[0][y] << len1) + s->bits[p][u]; symbols[i] = (y<<8) + u; @@ -322,6 +324,7 @@ static void generate_joint_tables(HYuvContext *s){ int len2 = s->len[2][r&255]; if(len2 > limit1) continue; + av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; bits[i] = (code << len2) + s->bits[2][r&255]; if(s->decorrelate){ @@ -345,6 +348,7 @@ static void generate_joint_tables(HYuvContext *s){ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ GetBitContext gb; int i; + int ret; init_get_bits(&gb, src, length*8); @@ -355,7 +359,8 @@ static int read_huffman_tables(HYuvContext *s, const uint8_t *src, int length){ return -1; } free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); @@ -367,6 +372,7 @@ static int read_old_huffman_tables(HYuvContext *s){ #if 1 GetBitContext gb; int i; + int ret; init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8); if(read_len_table(s->len[0], &gb)<0) @@ -387,7 +393,8 @@ static int read_old_huffman_tables(HYuvContext *s){ for(i=0; i<3; i++){ free_vlc(&s->vlc[i]); - init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0); + if ((ret = init_vlc(&s->vlc[i], VLC_BITS, 256, s->len[i], 1, 1, s->bits[i], 4, 4, 0)) < 0) + return ret; } generate_joint_tables(s); -- cgit v1.2.3 From 4f91c45644931064901986bca70a8903c7956564 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 29 Jan 2013 19:22:33 +0100 Subject: huffyuvdec: Skip len==0 cases Fixes vlc decoding for hypothetical files that would contain such cases. Signed-off-by: Michael Niedermayer (cherry picked from commit 0dfc01c2bbf4b71bb56201bc4a393321e15d1b31) Signed-off-by: Michael Niedermayer (cherry picked from commit 5ff41ffeb4cb9ea6df49757dc859619dc3d3ab4f) Conflicts: libavcodec/huffyuv.c (cherry picked from commit 9bc70fe1ae50fd2faa0b9429d47cfbda01a92ebc) Signed-off-by: Michael Niedermayer --- libavcodec/huffyuv.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c index db9a346996..20589652ff 100644 --- a/libavcodec/huffyuv.c +++ b/libavcodec/huffyuv.c @@ -284,11 +284,11 @@ static void generate_joint_tables(HYuvContext *s){ for(i=y=0; y<256; y++){ int len0 = s->len[0][y]; int limit = VLC_BITS - len0; - if(limit <= 0) + if(limit <= 0 || !len0) continue; for(u=0; u<256; u++){ int len1 = s->len[p][u]; - if(len1 > limit) + if (len1 > limit || !len1) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1; @@ -312,17 +312,17 @@ static void generate_joint_tables(HYuvContext *s){ for(i=0, g=-16; g<16; g++){ int len0 = s->len[p0][g&255]; int limit0 = VLC_BITS - len0; - if(limit0 < 2) + if (limit0 < 2 || !len0) continue; for(b=-16; b<16; b++){ int len1 = s->len[p1][b&255]; int limit1 = limit0 - len1; - if(limit1 < 1) + if (limit1 < 1 || !len1) continue; code = (s->bits[p0][g&255] << len1) + s->bits[p1][b&255]; for(r=-16; r<16; r++){ int len2 = s->len[2][r&255]; - if(len2 > limit1) + if (len2 > limit1 || !len2) continue; av_assert0(i < (1 << VLC_BITS)); len[i] = len0 + len1 + len2; -- cgit v1.2.3 From 760929117df0d6349a2cb56af084d8a13ee7f33a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 12 Dec 2012 12:28:45 +0100 Subject: alsdec: check block length Fix writing over the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16) Signed-off-by: Michael Niedermayer --- libavcodec/alsdec.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index cb679d9955..8cb5a6089c 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -551,12 +551,15 @@ static void get_block_sizes(ALSDecContext *ctx, unsigned int *div_blocks, /** Read the block data for a constant block */ -static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) +static int read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) { ALSSpecificConfig *sconf = &ctx->sconf; AVCodecContext *avctx = ctx->avctx; GetBitContext *gb = &ctx->gb; + if (bd->block_length <= 0) + return -1; + *bd->raw_samples = 0; *bd->const_block = get_bits1(gb); // 1 = constant value, 0 = zero block (silence) bd->js_blocks = get_bits1(gb); @@ -571,6 +574,8 @@ static void read_const_block_data(ALSDecContext *ctx, ALSBlockData *bd) // ensure constant block decoding by reusing this field *bd->const_block = 1; + + return 0; } @@ -970,7 +975,8 @@ static int read_block(ALSDecContext *ctx, ALSBlockData *bd) if (read_var_block_data(ctx, bd)) return -1; } else { - read_const_block_data(ctx, bd); + if (read_const_block_data(ctx, bd) < 0) + return -1; } return 0; -- cgit v1.2.3 From caeca53a09fd5d23e7da2725fb2fba27b9429d72 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 30 Nov 2012 23:59:40 +0100 Subject: qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed) Signed-off-by: Michael Niedermayer --- libavcodec/qdm2.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index e237157f48..e311afdeee 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1238,6 +1238,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { -- cgit v1.2.3 From 391e0fc6c90ced6656b74f50f3a487b6dc76ea63 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 29 Nov 2012 15:18:17 +0100 Subject: roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 3ae610451170cd5a28b33950006ff0bd23036845) Signed-off-by: Michael Niedermayer --- libavcodec/roqvideodec.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index f0977f6491..4e34231aa4 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -157,6 +157,12 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) RoqContext *s = avctx->priv_data; s->avctx = avctx; + + if (avctx->width%16 || avctx->height%16) { + av_log_ask_for_sample(avctx, "dimensions not being a multiple of 16 are unsupported\n"); + return AVERROR_PATCHWELCOME; + } + s->width = avctx->width; s->height = avctx->height; avcodec_get_frame_defaults(&s->frames[0]); -- cgit v1.2.3 From af343f5cddc5b40cea53ea7c38e582dc9caae15b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 17 Nov 2012 16:26:55 +0100 Subject: eamad: fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d) Signed-off-by: Michael Niedermayer --- libavcodec/eamad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/eamad.c b/libavcodec/eamad.c index 602bbfcf93..a431bbcdd5 100644 --- a/libavcodec/eamad.c +++ b/libavcodec/eamad.c @@ -249,7 +249,7 @@ static int decode_frame(AVCodecContext *avctx, int chunk_type; int inter; - if (buf_size < 17) { + if (buf_size < 26) { av_log(avctx, AV_LOG_ERROR, "Input buffer too small\n"); *data_size = 0; return -1; -- cgit v1.2.3 From 2cac35086c9e103fa98960c546d5017e7363803a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 25 Jan 2013 06:11:59 +0100 Subject: vqavideo: check chunk sizes before reading chunks Fixes out of array writes Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit ab6c9332bfa1e20127a16392a0b85a4aa4840889) Signed-off-by: Michael Niedermayer --- libavcodec/vqavideo.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index d1eab5bfa1..6e1ce6c0d2 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -527,6 +527,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbp0_chunk + 4]); cbp0_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbp0_chunk], chunk_size); @@ -550,6 +555,11 @@ static void vqa_decode_chunk(VqaContext *s) chunk_size = AV_RB32(&s->buf[cbpz_chunk + 4]); cbpz_chunk += CHUNK_PREAMBLE_SIZE; + if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) { + av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (0x%X bytes)\n", chunk_size); + return AVERROR_INVALIDDATA; + } + /* accumulate partial codebook */ memcpy(&s->next_codebook_buffer[s->next_codebook_buffer_index], &s->buf[cbpz_chunk], chunk_size); -- cgit v1.2.3 From e6ac11e41734cbb24ec5e6c73264d030e5f07a64 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 27 Jan 2013 20:37:27 +0100 Subject: aacdec: check channel count Prevent out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6) Signed-off-by: Michael Niedermayer --- libavcodec/aacdec.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c index a0f5344bee..78176d0053 100644 --- a/libavcodec/aacdec.c +++ b/libavcodec/aacdec.c @@ -568,6 +568,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx) output_scale_factor = 1.0; } + if (avctx->channels > MAX_CHANNELS) { + av_log(avctx, AV_LOG_ERROR, "Too many channels\n"); + return AVERROR_INVALIDDATA; + } + AAC_INIT_VLC_STATIC( 0, 304); AAC_INIT_VLC_STATIC( 1, 270); AAC_INIT_VLC_STATIC( 2, 550); -- cgit v1.2.3 From 41eda870483fd1f2dc6f7f17cd68e360626180c9 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 Feb 2013 19:53:40 +0100 Subject: pngdec/filter: dont access out of array elements at the end Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer (cherry picked from commit 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1) Signed-off-by: Michael Niedermayer --- libavcodec/pngdec.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 3c6284fc10..ae932991d3 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -148,7 +148,7 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int if(bpp >= 2) g = dst[1];\ if(bpp >= 3) b = dst[2];\ if(bpp >= 4) a = dst[3];\ - for(; i < size; i+=bpp) {\ + for(; i <= size - bpp; i+=bpp) {\ dst[i+0] = r = op(r, src[i+0], last[i+0]);\ if(bpp == 1) continue;\ dst[i+1] = g = op(g, src[i+1], last[i+1]);\ @@ -164,13 +164,9 @@ static void add_paeth_prediction_c(uint8_t *dst, uint8_t *src, uint8_t *top, int else if(bpp == 2) UNROLL1(2, op)\ else if(bpp == 3) UNROLL1(3, op)\ else if(bpp == 4) UNROLL1(4, op)\ - else {\ - for (; i < size; i += bpp) {\ - int j;\ - for (j = 0; j < bpp; j++)\ - dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\ - }\ - } + for (; i < size; i++) {\ + dst[i] = op(dst[i-bpp], src[i], last[i]);\ + }\ /* NOTE: 'dst' can be equal to 'last' */ static void png_filter_row(PNGDecContext *s, uint8_t *dst, int filter_type, -- cgit v1.2.3 From 377fabc9e687a3c73fdb235f773f6e9151378ca5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 17 Feb 2013 23:41:01 +0100 Subject: Update for 0.8.13 Signed-off-by: Michael Niedermayer --- Doxyfile | 2 +- RELEASE | 2 +- VERSION | 2 +- cmdutils.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Doxyfile b/Doxyfile index 887b874e78..e28a87ee64 100644 --- a/Doxyfile +++ b/Doxyfile @@ -31,7 +31,7 @@ PROJECT_NAME = FFmpeg # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 0.8.12 +PROJECT_NUMBER = 0.8.13 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) # base path where the generated documentation will be put. diff --git a/RELEASE b/RELEASE index 7eff8ab952..c2f73c6ecf 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -0.8.12 +0.8.13 diff --git a/VERSION b/VERSION index 7eff8ab952..c2f73c6ecf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.8.12 +0.8.13 diff --git a/cmdutils.c b/cmdutils.c index 62fe6e96ab..b919bae92e 100644 --- a/cmdutils.c +++ b/cmdutils.c @@ -57,7 +57,7 @@ AVFormatContext *avformat_opts; struct SwsContext *sws_opts; AVDictionary *format_opts, *video_opts, *audio_opts, *sub_opts; -static const int this_year = 2011; +static const int this_year = 2013; void init_opts(void) { -- cgit v1.2.3