ffmpeg.git
2 years agoavutil/random_seed: Improve get_generic_seed() with higher precission clock()
Michael Niedermayer [Thu, 22 Dec 2016 02:59:03 +0000 (03:59 +0100)]
avutil/random_seed: Improve get_generic_seed() with higher precission clock()

Tested-by: Thomas Turner <thomastdt@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mp3dec: fix msan warning when verifying mpa header
Chris Cunningham [Tue, 22 Nov 2016 21:54:50 +0000 (13:54 -0800)]
avformat/mp3dec: fix msan warning when verifying mpa header

MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47cd31bfcae9acd84c04705a149dfc14)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Print verbose error message if stream count exceeds max_streams
Michael Niedermayer [Sat, 10 Dec 2016 19:15:13 +0000 (20:15 +0100)]
avformat/utils: Print verbose error message if stream count exceeds max_streams

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/options_table: Set the default maximum number of streams to 1000
Michael Niedermayer [Sat, 10 Dec 2016 19:15:12 +0000 (20:15 +0100)]
avformat/options_table: Set the default maximum number of streams to 1000

Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agolavf/chromaprint: Update for version 1.4
Georgi D. Sotirov [Tue, 6 Dec 2016 20:07:59 +0000 (21:07 +0100)]
lavf/chromaprint: Update for version 1.4

Fixes ticket #5997.
(cherry picked from commit 581f93f37ef2e7a00662828ed0348d1edb9041fe)

Fixes Debian bug 841501.

2 years agoavutil: Add av_image_check_size2()
Michael Niedermayer [Sat, 10 Dec 2016 20:05:14 +0000 (21:05 +0100)]
avutil: Add av_image_check_size2()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat: Add max_streams option
Michael Niedermayer [Fri, 18 Nov 2016 16:00:30 +0000 (17:00 +0100)]
avformat: Add max_streams option

This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
Michael Niedermayer [Thu, 8 Dec 2016 22:51:45 +0000 (23:51 +0100)]
avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated

We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()

Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggdec: Skip streams in duration correction that did not had their duration...
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avformat/oggdec: Skip streams in duration correction that did not had their duration set.

Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Fix size of first slice
Michael Niedermayer [Thu, 8 Dec 2016 23:19:19 +0000 (00:19 +0100)]
avcodec/ffv1enc: Fix size of first slice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoffplay: fix sws_scale possible out of bounds array access
Marton Balint [Sat, 10 Dec 2016 11:46:54 +0000 (12:46 +0100)]
ffplay: fix sws_scale possible out of bounds array access

As I used simple RGBA formats for subtitles and for the video texture if
avfilter is disabled I kind of assumed that sws_scale won't access data
pointers and strides above index 0, but apparently that is not the case.

Fixes Coverity CID 1396737, 1396738, 1396739, 1396740.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Marton Balint <cus@passwd.hu>
2 years agoavfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
Srinath K R [Sat, 3 Dec 2016 11:38:40 +0000 (17:08 +0530)]
avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2 years agoUpdate for 3.2.2 n3.2.2
Michael Niedermayer [Mon, 5 Dec 2016 23:09:40 +0000 (00:09 +0100)]
Update for 3.2.2

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoffserver: Check chunk size
Michael Niedermayer [Mon, 5 Dec 2016 16:27:45 +0000 (17:27 +0100)]
ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoAvoid using the term "file" and prefer "url" in some docs and comments
Michael Niedermayer [Mon, 5 Dec 2016 11:54:21 +0000 (12:54 +0100)]
Avoid using the term "file" and prefer "url" in some docs and comments

This should make it less ambigous that these are URLs

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Check for packet size mismatches
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches

Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agozmqsend: Initialize ret to 0
Timothy Gu [Mon, 5 Dec 2016 18:04:57 +0000 (10:04 -0800)]
zmqsend: Initialize ret to 0

Fixes CID1396857.

(cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix undefined shift in decode_subframe()
Michael Niedermayer [Sat, 3 Dec 2016 23:11:17 +0000 (00:11 +0100)]
avcodec/flacdec: Fix undefined shift in decode_subframe()

Fixes undefined behavior
Fixes: 639961-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/get_bits: Fix get_sbits_long(0)
Michael Niedermayer [Sat, 3 Dec 2016 22:44:56 +0000 (23:44 +0100)]
avcodec/get_bits: Fix get_sbits_long(0)

Fixes undefined behavior
Fixes: 640889-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/ffmdec: Check media type for chunks
Michael Niedermayer [Sat, 3 Dec 2016 12:39:56 +0000 (13:39 +0100)]
avformat/ffmdec: Check media type for chunks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Michael Niedermayer [Sat, 3 Dec 2016 16:05:43 +0000 (17:05 +0100)]
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()

Fixes undefined behavior
Fixes: 640912-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Michael Niedermayer [Sat, 3 Dec 2016 15:43:10 +0000 (16:43 +0100)]
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c

Fixes: left shift of negative value
Fixes: 668346-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggparsespeex: Check frames_per_packet and packet_size
Michael Niedermayer [Sat, 3 Dec 2016 02:40:55 +0000 (03:40 +0100)]
avformat/oggparsespeex: Check frames_per_packet and packet_size

The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Check start/end before computing duration in update_stream_timings()
Michael Niedermayer [Sat, 3 Dec 2016 02:02:41 +0000 (03:02 +0100)]
avformat/utils: Check start/end before computing duration in update_stream_timings()

Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flac_parser: Update nb_headers_buffered
Michael Niedermayer [Thu, 24 Nov 2016 14:29:52 +0000 (15:29 +0100)]
avcodec/flac_parser: Update nb_headers_buffered

Fixes infinite loop
Fixes: fuzz.flac

Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889cde6221677473b663df6f985add33d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/idroqdec: Check chunk_size for being too large
Michael Niedermayer [Tue, 29 Nov 2016 01:58:34 +0000 (02:58 +0100)]
avformat/idroqdec: Check chunk_size for being too large

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/me_cmp: Fix median_sad size
Michael Niedermayer [Sun, 27 Nov 2016 13:34:57 +0000 (14:34 +0100)]
avcodec/me_cmp: Fix median_sad size

Fixes out of array read
Fixes: COV1396255

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d9883ded3450e456df5b7214fe464b4b92e917ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Fix type mismatch
Michael Niedermayer [Sun, 27 Nov 2016 02:39:20 +0000 (03:39 +0100)]
avformat/utils: Fix type mismatch

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a06e84b56e936ff3ca090f53d81f9cbc3514e0e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoconfigure: check for strtoull on msvc
James Almer [Mon, 5 Dec 2016 16:07:10 +0000 (13:07 -0300)]
configure: check for strtoull on msvc

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd)

2 years agohttp: move chunk handling from http_read_stream() to http_buf_read().
Ronald S. Bultje [Mon, 5 Dec 2016 15:18:10 +0000 (10:18 -0500)]
http: move chunk handling from http_read_stream() to http_buf_read().

(cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9)

2 years agohttp: make length/offset-related variables unsigned.
Ronald S. Bultje [Mon, 5 Dec 2016 13:02:33 +0000 (08:02 -0500)]
http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)

2 years agoavcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC n3.2.1
James Almer [Fri, 25 Nov 2016 00:10:47 +0000 (21:10 -0300)]
avcodec/aac_adtstoasc_bsf: validate and forward extradata if the stream is already ASC

Fixes ticket #5973

Reviewed-by: Hendrik Leppkes <h.leppkes@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 6e1902bab4349a79c45807af18ebf5b50f7b436b)

2 years agoUpdate Changelog
Andreas Cadhalpun [Fri, 25 Nov 2016 21:23:39 +0000 (22:23 +0100)]
Update Changelog

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomss2: only use error correction for matching block counts
Andreas Cadhalpun [Thu, 24 Nov 2016 22:57:46 +0000 (23:57 +0100)]
mss2: only use error correction for matching block counts

This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: decrease MIN_EXP to cover full float range
Andreas Cadhalpun [Thu, 24 Nov 2016 23:26:51 +0000 (00:26 +0100)]
softfloat: decrease MIN_EXP to cover full float range

floats are not necessarily normalized, so a normalized softfloat needs
MIN_EXP lowered by 23 to cover that range.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibopusdec: default to stereo for invalid number of channels
Andreas Cadhalpun [Mon, 14 Nov 2016 20:41:45 +0000 (21:41 +0100)]
libopusdec: default to stereo for invalid number of channels

This fixes an out-of-bounds read if avc->channels is 0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoflvdec: require need_context_update when changing codec id
Andreas Cadhalpun [Fri, 4 Nov 2016 20:37:13 +0000 (21:37 +0100)]
flvdec: require need_context_update when changing codec id

Otherwise the codec context and codecpar might disagree on the codec id,
triggering asserts in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 98b3a7979f2ff64cacfba4d8925faa28fc657c51)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agopgssubdec: only set w/h/linesize when allocating data
Andreas Cadhalpun [Wed, 9 Nov 2016 22:23:16 +0000 (23:23 +0100)]
pgssubdec: only set w/h/linesize when allocating data

Rects with positive w/h/linesize but no data are invalid.

Reviewed-by: Petri Hintukainen <phintuka@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosbgdec: prevent NULL pointer access
Andreas Cadhalpun [Thu, 10 Nov 2016 21:21:20 +0000 (22:21 +0100)]
sbgdec: prevent NULL pointer access

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agormdec: validate block alignment
Andreas Cadhalpun [Thu, 17 Nov 2016 21:46:40 +0000 (22:46 +0100)]
rmdec: validate block alignment

This fixes division by zero crashes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit de4ded06366e5767d0af277a61d9a56b8c8f9c19)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmacker: limit recursion depth of smacker_decode_bigtree
Andreas Cadhalpun [Sat, 19 Nov 2016 13:21:11 +0000 (14:21 +0100)]
smacker: limit recursion depth of smacker_decode_bigtree

This fixes segmentation faults due to stack-overflow caused by too deep
recursion.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference in mxf_read_packet_old
Andreas Cadhalpun [Thu, 17 Nov 2016 21:53:51 +0000 (22:53 +0100)]
mxfdec: fix NULL pointer dereference in mxf_read_packet_old

Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoffmdec: validate codec parameters
Andreas Cadhalpun [Wed, 16 Nov 2016 23:04:57 +0000 (00:04 +0100)]
ffmdec: validate codec parameters

A negative extradata size for example gets passed to memcpy in
avcodec_parameters_from_context causing a segmentation fault.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1c7da19a4b45f5623cb3955b29b9a581026e3c61)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoUpdate for 3.2.1
Michael Niedermayer [Fri, 25 Nov 2016 20:12:44 +0000 (21:12 +0100)]
Update for 3.2.1

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mpeg: Adjust vid probe threshold to correct mis-detection
Michael Niedermayer [Tue, 15 Nov 2016 19:06:42 +0000 (20:06 +0100)]
avformat/mpeg: Adjust vid probe threshold to correct mis-detection

Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ass_split: Change order of operations in ass_split_section()
Michael Niedermayer [Thu, 17 Nov 2016 16:45:03 +0000 (17:45 +0100)]
avcodec/ass_split: Change order of operations in ass_split_section()

This matches the other branch
Fixes out of array read
Fixes: 4d142ca76d39fe685effcf5017098723/asan_heap-oob_31ae824_8611_348fdb64f9009b63c8a8eae9a0e497c5.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae514b1254318ae5e76be2c17055f14b4084ccf0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rawdec: check for side data before checking its size
James Almer [Fri, 4 Nov 2016 01:34:58 +0000 (22:34 -0300)]
avcodec/rawdec: check for side data before checking its size

Fixes valgrind warnings about usage of uninitialized values.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51e329918dc1826de7451541cb15bef3b9bfe138)

2 years agoavcodec/avpacket: fix leak on realloc in av_packet_add_side_data()
James Almer [Sat, 19 Nov 2016 15:38:44 +0000 (12:38 -0300)]
avcodec/avpacket: fix leak on realloc in av_packet_add_side_data()

If realloc fails, the pointer is overwritten and the previously allocated
buffer is leaked, which goes against the expected behavior of keeping the
packet unchanged in case of error.

Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 574929d8b6de32ae712fcca7ab09f01a3e4616be)

2 years agoavformat/apngenc: use the stream parameters extradata if available
James Almer [Fri, 18 Nov 2016 15:21:54 +0000 (12:21 -0300)]
avformat/apngenc: use the stream parameters extradata if available

Fixes remuxing apng streams coming from the apng demuxer, which sends extradata
during init.

Signed-off-by: James Almer <jamrial@gmail.com>
2 years agoRevert "apngdec: use side data to pass extradata to the decoder"
James Almer [Fri, 18 Nov 2016 15:08:54 +0000 (12:08 -0300)]
Revert "apngdec: use side data to pass extradata to the decoder"

This reverts commit e0c6b32046f4bab7d34be77dd2f03b2a80c86d39.

Said commit changed the behavior of the demuxer and decoder in a non
backwards compatible way.
Demuxers should make extradata available at init if possible, and send
new extradata as side data within a packet if needed.

A better fix for the remuxing crash will follow.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16c429166ddf1736972b6ccce84bd3509ec16a34)

2 years agoffprobe: fix crash in case -of is specified with an empty string
Stefano Sabatini [Thu, 17 Nov 2016 11:11:13 +0000 (12:11 +0100)]
ffprobe: fix crash in case -of is specified with an empty string

Fix trac issue #5957.

(cherry picked from commit 427a47abcddab15e10ce26d971f712d90c53884b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibavcodec/exr : fix channel size calculation for uint32 channel
Martin Vignali [Wed, 16 Nov 2016 22:15:27 +0000 (23:15 +0100)]
libavcodec/exr : fix channel size calculation for uint32 channel

uint32 need 4 bytes not 1.
Fix decoding when there is half/float and uint32 channel.

This fixes crashes due to pointer corruption caused by invalid writes.

The problem was introduced in commit
03152e74dfdc7f438cb4a10402c4de744e807e22.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 52da3f6f70b1e95589a152aaf224811756fb9665)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoexr: fix out-of-bounds read
Andreas Cadhalpun [Wed, 16 Nov 2016 19:46:56 +0000 (20:46 +0100)]
exr: fix out-of-bounds read

channel_index can be -1.

This problem was introduced in commit
2dd7b46132e2801ef34fe1b5c27e0113cdcfa2f9.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ffdc5d09e498bee8176c9e35df101c01c546a738)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: fix leaking of framewithpts
Andreas Cadhalpun [Sun, 13 Nov 2016 22:10:06 +0000 (23:10 +0100)]
libschroedingerdec: fix leaking of framewithpts

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: don't produce empty frames
Andreas Cadhalpun [Sun, 13 Nov 2016 21:59:47 +0000 (22:59 +0100)]
libschroedingerdec: don't produce empty frames

They are not valid and can cause problems/crashes for API users.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodds: limit 4 bpp handling to AV_PIX_FMT_PAL8
Andreas Cadhalpun [Tue, 15 Nov 2016 21:11:05 +0000 (22:11 +0100)]
dds: limit 4 bpp handling to AV_PIX_FMT_PAL8

This fixes NULL pointer dereferencing for formats, where frame->data[1]
is not allocated.

The problem was introduced in commit
257fbc3af4cba08ac471dab68924182160bde6fd.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 90ebf3c428352eb1d4116bf97b470ceca295d7d6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomlz: limit next_code to data buffer size
Andreas Cadhalpun [Mon, 14 Nov 2016 23:11:30 +0000 (00:11 +0100)]
mlz: limit next_code to data buffer size

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1abcd972c4c0e16f1e83be2fd32a251f51b2946d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: handle -INT_MAX correctly
Andreas Cadhalpun [Sun, 13 Nov 2016 19:52:02 +0000 (20:52 +0100)]
softfloat: handle -INT_MAX correctly

This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agofilmstripdec: correctly check image dimensions
Andreas Cadhalpun [Sun, 13 Nov 2016 17:22:12 +0000 (18:22 +0100)]
filmstripdec: correctly check image dimensions

This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agopnmdec: make sure v is capped by maxval
Andreas Cadhalpun [Wed, 9 Nov 2016 00:09:35 +0000 (01:09 +0100)]
pnmdec: make sure v is capped by maxval

Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmvjpegdec: make sure cur_frame is not negative
Andreas Cadhalpun [Thu, 10 Nov 2016 21:09:03 +0000 (22:09 +0100)]
smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: correctly check avio_read return value
Andreas Cadhalpun [Tue, 8 Nov 2016 22:29:28 +0000 (23:29 +0100)]
icodec: correctly check avio_read return value

It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: fix leaking pkt on error
Andreas Cadhalpun [Tue, 8 Nov 2016 22:53:52 +0000 (23:53 +0100)]
icodec: fix leaking pkt on error

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodvbsubdec: fix division by zero in compute_default_clut
Andreas Cadhalpun [Tue, 8 Nov 2016 21:32:42 +0000 (22:32 +0100)]
dvbsubdec: fix division by zero in compute_default_clut

This problem was introduced in commit
4b90dcb8493552c17a811c8b1e6538dae4061f9d.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoproresdec_lgpl: explicitly check coff[3] against slice_data_size
Andreas Cadhalpun [Wed, 9 Nov 2016 22:49:46 +0000 (23:49 +0100)]
proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a87f4412a83c23b0d60364be5e7ce58.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoescape124: reject codebook size 0
Andreas Cadhalpun [Tue, 8 Nov 2016 23:38:50 +0000 (00:38 +0100)]
escape124: reject codebook size 0

It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegts: prevent division by zero
Andreas Cadhalpun [Mon, 7 Nov 2016 22:37:59 +0000 (23:37 +0100)]
mpegts: prevent division by zero

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomatroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
Andreas Cadhalpun [Mon, 7 Nov 2016 23:42:23 +0000 (00:42 +0100)]
matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header

The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd97d2f1f456ff38b192edf84f9744738)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegaudio_parser: don't return AVERROR_PATCHWELCOME
Andreas Cadhalpun [Mon, 7 Nov 2016 00:16:14 +0000 (01:16 +0100)]
mpegaudio_parser: don't return AVERROR_PATCHWELCOME

The API does not allow returning AVERROR codes.

It triggers an assert in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5249706e9d2ec5ed1b07d8ffdbb8fb9104261f6d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference
Andreas Cadhalpun [Fri, 4 Nov 2016 23:17:53 +0000 (00:17 +0100)]
mxfdec: fix NULL pointer dereference

Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb6106118c17308b3fdc3190f5e5bf84b01d5c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolzf: update pointer p after realloc
Andreas Cadhalpun [Fri, 4 Nov 2016 21:58:49 +0000 (22:58 +0100)]
lzf: update pointer p after realloc

This fixes heap-use-after-free detected by AddressSanitizer.

Reviewed-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodiracdec: check return code of get_buffer_with_edge
Andreas Cadhalpun [Fri, 4 Nov 2016 18:00:17 +0000 (19:00 +0100)]
diracdec: check return code of get_buffer_with_edge

If it fails, buffers aren't allocated, causing NULL pointer dereferencing.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db79dedb1ae5dd38432eee3f09155e26f3f2d95a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodiracdec: clear slice_params_num_buf on allocation failure
Andreas Cadhalpun [Fri, 4 Nov 2016 18:00:01 +0000 (19:00 +0100)]
diracdec: clear slice_params_num_buf on allocation failure

Otherwise it can be non-zero next time decode_lowdelay is called, causing
slice_params_buf not to be allocated, leading to a NULL pointer dereference.

The problem was introduced in commit
dcad4677d637cd2f701917e38361fa96b8c9a418.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 24d20496d2e6e1df6456c5231d892269dd1fcf38)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodiracdec: use correct buffer for slice_params_buf realloc
Andreas Cadhalpun [Fri, 4 Nov 2016 17:59:31 +0000 (18:59 +0100)]
diracdec: use correct buffer for slice_params_buf realloc

This fixes a double-free detected by AddressSanitizer.

The problem was introduced in commit
dcad4677d637cd2f701917e38361fa96b8c9a418.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8a4ea9644833d43fdfe8579c0cb569f8a0930206)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoppc: pixblockdsp: do unaligned block accesses correctly again
Andreas Cadhalpun [Wed, 2 Nov 2016 20:28:49 +0000 (21:28 +0100)]
ppc: pixblockdsp: do unaligned block accesses correctly again

This was broken by the following Libav commit:
4c387c7 ppc: dsputil: do unaligned block accesses correctly

The following tests fail due to this:
fate-checkasm
fate-vsynth1-dnxhd-2k-hr-hq fate-vsynth1-dnxhd-edge1-hr
fate-vsynth1-dnxhd-edge2-hr fate-vsynth1-dnxhd-edge3-hr
fate-vsynth1-dnxhd-hr-sq-mov fate-vsynth1-dnxhd-hr-hq-mov
fate-vsynth2-dnxhd-2k-hr-hq fate-vsynth2-dnxhd-edge1-hr
fate-vsynth2-dnxhd-edge2-hr fate-vsynth2-dnxhd-edge3-hr
fate-vsynth2-dnxhd-hr-sq-mov fate-vsynth2-dnxhd-hr-hq-mov
fate-vsynth3-dnxhd-2k-hr-hq fate-vsynth3-dnxhd-edge1-hr
fate-vsynth3-dnxhd-edge2-hr fate-vsynth3-dnxhd-edge3-hr
fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov

Fixes trac ticket #5508.

Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3932ccc472ad4f4d370dcfc1c2f574b0f3acb88c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoavformat: close parser if codec changed
Andreas Cadhalpun [Mon, 17 Oct 2016 18:26:51 +0000 (20:26 +0200)]
avformat: close parser if codec changed

The parser depends on the codec and thus must not be used with a different one.
If it is, the 'avctx->codec_id == s->parser->codec_ids[0] ...' assert in
av_parser_parse2 gets triggered.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f84ae3f04aa074afeaeafe6b478d603ce46df55e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agofate: add streamcopy test for apng
Andreas Cadhalpun [Tue, 1 Nov 2016 16:36:47 +0000 (17:36 +0100)]
fate: add streamcopy test for apng

Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 719c15aa9ad6983200b78e5dbc17443f649c8af9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoapngdec: use side data to pass extradata to the decoder
Andreas Cadhalpun [Tue, 1 Nov 2016 16:06:51 +0000 (17:06 +0100)]
apngdec: use side data to pass extradata to the decoder

Fixes remuxing apng streams coming from the apng demuxer.
This is a regression since 940b8908b94404a65f9f55e33efb4ccc6c81383c.

Found-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit e0c6b32046f4bab7d34be77dd2f03b2a80c86d39)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomov: immediately return from mov_fix_index without old index entries
Andreas Cadhalpun [Tue, 1 Nov 2016 00:05:01 +0000 (01:05 +0100)]
mov: immediately return from mov_fix_index without old index entries

If there are no index entries, e_old = st->index_entries is only one
byte large, since it was created by av_realloc called with size 0.

Thus accessing e_old[0].timestamp causes a heap buffer overflow.

Reviewed-by: Sasi Inguva <isasi@google.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9d83b209d8861f1daf55f6719b1e0c226ed7269a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
Andreas Cadhalpun [Sun, 30 Oct 2016 20:18:20 +0000 (21:18 +0100)]
interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE

This fixes out-of-bounds reads by the bitstream reader.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: validate number of channels
Andreas Cadhalpun [Sun, 30 Oct 2016 20:41:11 +0000 (21:41 +0100)]
interplayacm: validate number of channels

The number of channels is used as divisor in decode_frame, so it must
not be zero to avoid SIGFPE crashes.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5540d6c1343e6d1e06d6601b7d35884761711e3e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: check for too large b
Andreas Cadhalpun [Sun, 30 Oct 2016 19:47:22 +0000 (20:47 +0100)]
interplayacm: check for too large b

This fixes out-of-bounds reads.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 14e4e26559697cfdea584767be4e68474a0a9c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodoc: fix spelling errors
Andreas Cadhalpun [Sat, 29 Oct 2016 14:55:14 +0000 (16:55 +0200)]
doc: fix spelling errors

Reviewed-by: Lou Logan <lou@lrcd.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e660fe88d2dd8fdcb0136b4cee3152f61ebc6c5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoconfigure: make sure LTO does not optimize out the test functions
Andreas Cadhalpun [Tue, 25 Oct 2016 17:09:46 +0000 (19:09 +0200)]
configure: make sure LTO does not optimize out the test functions

Fixes trac ticket #5909

Bud-Id: https://bugs.gentoo.org/show_bug.cgi?id=598054
Acked-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 890eb3d7c477b9fd2c6b1fa0785aca1d02a12e29)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agofate: add apng encoding/muxing test
Andreas Cadhalpun [Thu, 27 Oct 2016 23:38:51 +0000 (01:38 +0200)]
fate: add apng encoding/muxing test

Also test the fallback to png creation for a single frame.

Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 97792e85c338d129342f5812e2a52048373e57d6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoapng: use side data to pass extradata to muxer
Andreas Cadhalpun [Thu, 27 Oct 2016 20:34:48 +0000 (22:34 +0200)]
apng: use side data to pass extradata to muxer

This fixes creating apng files, which is broken since commit
5ef19590802f000299e418143fc2301e3f43affe.

Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 940b8908b94404a65f9f55e33efb4ccc6c81383c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoavcodec/mpeg4videodec: Workaround interlaced mpeg4 edge MC bug
Michael Niedermayer [Sat, 12 Nov 2016 11:31:35 +0000 (12:31 +0100)]
avcodec/mpeg4videodec: Workaround interlaced mpeg4 edge MC bug

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c9106257ffca8faef367a410c16bd8220942f6e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpegvideo: Fix edge emu buffer overlap with interlaced mpeg4
Michael Niedermayer [Sat, 12 Nov 2016 11:31:34 +0000 (12:31 +0100)]
avcodec/mpegvideo: Fix edge emu buffer overlap with interlaced mpeg4

Fixes Ticket5936
Regression since c5fc8ae12622a507d7b9ee30ddcd3734e6de6b1d

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85407c7e63722a2d723257e8cf5f281a8c9f34a4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rv40: Test remaining space in loop of get_dimension()
Michael Niedermayer [Tue, 15 Nov 2016 21:50:35 +0000 (22:50 +0100)]
avcodec/rv40: Test remaining space in loop of get_dimension()

Fixes infinite loop
Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ituh263dec: Avoid spending a long time in slice sync
Michael Niedermayer [Tue, 15 Nov 2016 17:05:33 +0000 (18:05 +0100)]
avcodec/ituh263dec: Avoid spending a long time in slice sync

Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Add error message for tsmb_size check
Michael Niedermayer [Tue, 15 Nov 2016 13:54:47 +0000 (14:54 +0100)]
avcodec/movtextdec: Add error message for tsmb_size check

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix tsmb_size check==0 check
Michael Niedermayer [Tue, 15 Nov 2016 13:52:21 +0000 (14:52 +0100)]
avcodec/movtextdec: Fix tsmb_size check==0 check

Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix potential integer overflow
Michael Niedermayer [Tue, 15 Nov 2016 13:46:16 +0000 (14:46 +0100)]
avcodec/movtextdec: Fix potential integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoffmpeg: Fix bsf corrupting merged side data
Michael Niedermayer [Thu, 3 Nov 2016 13:55:56 +0000 (14:55 +0100)]
ffmpeg: Fix bsf corrupting merged side data

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 11f24e71ff2b598d973fd24bcf950eebaea9b3e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/sunrast: Fix input buffer pointer check
Michael Niedermayer [Tue, 1 Nov 2016 18:24:49 +0000 (19:24 +0100)]
avcodec/sunrast: Fix input buffer pointer check

Fixes: out of array read
Fixes: poc.dat

Found-by: Bingchang, Liu @VARAS of IIE
Tested-by: bc L <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tscc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/tscc:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rscc: Fix constant
Michael Niedermayer [Mon, 31 Oct 2016 22:01:09 +0000 (23:01 +0100)]
avcodec/rscc: Fix constant

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e167610794db8f2202f9dbe013c54f6b34d7f7a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rawdec: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/rawdec: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rscc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/rscc: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f64b6cd22411f574cbc75cab3b6db7dba023ed6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>