ffmpeg.git
3 years agoavformat: Add integer fps from 31 to 60 to get_std_framerate()
Michael Niedermayer [Sat, 9 Jan 2016 09:49:23 +0000 (10:49 +0100)]
avformat: Add integer fps from 31 to 60 to get_std_framerate()

Fixes Ticket 5106

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2039b3e7511ef183dae206575114e15b6d99c134)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range
Michael Niedermayer [Wed, 6 Jan 2016 23:22:56 +0000 (00:22 +0100)]
avcodec/mpegvideo_enc: Clip bits_per_raw_sample within valid range

Fixes out of array read
Fixes: test_case-mdc.264 (b47be15a120979f5a1a945c938cbef33)

Found-by: Tyson Smith <twsmith@mozilla.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 13f266b50cc7554028d22480b7e4383968e64a63)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavfilter/vf_scale: set proper out frame color range
Thomas Mundt [Wed, 30 Dec 2015 23:01:21 +0000 (00:01 +0100)]
avfilter/vf_scale: set proper out frame color range

Prevents that following scalers in the filter chain will do unintentional color range conversions.
Fixes Ticket #5096

Signed-off-by: Thomas Mundt <loudmax@yahoo.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73ce8162f3499cf0e86d1d80dea53324bd62bcb3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/motion_est: Fix mv_penalty table size
Michael Niedermayer [Tue, 5 Jan 2016 13:41:04 +0000 (14:41 +0100)]
avcodec/motion_est: Fix mv_penalty table size

Fixes out of array read

Found-by: Tyson Smith <twsmith@mozilla.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b4da8a38a5ed211df9504c85ce401c30af86b97)

Conflicts:

libavcodec/motion_est.h

3 years agoavcodec/h264_slice: Fix integer overflow in implicit weight computation
Michael Niedermayer [Tue, 5 Jan 2016 00:06:18 +0000 (01:06 +0100)]
avcodec/h264_slice: Fix integer overflow in implicit weight computation

Fixes mozilla bug 1230423

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7cc01c25727a96eaaa0c177234b626e47c8ea491)

Conflicts:

libavcodec/h264_slice.c

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoswscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions
Michael Niedermayer [Mon, 4 Jan 2016 22:22:25 +0000 (23:22 +0100)]
swscale/utils: Use normal bilinear scaler if fast cannot be used due to tiny dimensions

Fixes Ticket4960

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1edf129cbc897447a289ca8b045853df5df1bab3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/put_bits: Always check buffer end before writing
Michael Niedermayer [Fri, 1 Jan 2016 01:41:06 +0000 (02:41 +0100)]
avcodec/put_bits: Always check buffer end before writing

This causes a overall slowdown of 0.1 % (tested with mpeg4 single thread encoding of matrixbench at QP=3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cccb0ffccc3723acc7aab3a859b24743596dd9c0)

Conflicts:

libavcodec/put_bits.h

3 years agomjpegdec: extend check for incompatible values of s->rgb and s->ls
Andreas Cadhalpun [Thu, 31 Dec 2015 15:55:43 +0000 (16:55 +0100)]
mjpegdec: extend check for incompatible values of s->rgb and s->ls

This can happen if s->ls changes from 0 to 1, but picture allocation is
skipped due to s->interlaced.

In that case ff_jpegls_decode_picture could be called even though the
s->picture_ptr frame has the wrong pixel format and thus a wrong
linesize, which results in a too small zero buffer being allocated.

This fixes an out-of-bounds read in ls_decode_line.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 7ea2db6eafa0a8a9497aab20be2cfc8742a59072)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoswscale/utils: Fix intermediate format for cascaded alpha downscaling
Michael Niedermayer [Thu, 24 Dec 2015 20:46:15 +0000 (21:46 +0100)]
swscale/utils: Fix intermediate format for cascaded alpha downscaling

Fixes Ticket4926

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b83d8be6bff7d645469a623aee0b380541da15cf)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/h264_refs: Fix long_idx check
Michael Niedermayer [Sat, 19 Dec 2015 20:59:42 +0000 (21:59 +0100)]
avcodec/h264_refs: Fix long_idx check

Fixes out of array read
Fixes mozilla bug 1233606

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b92b4775a0d07cacfdd2b4be6511f3cb362c977b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavfilter/vf_mpdecimate: Add missing emms_c()
Michael Niedermayer [Mon, 14 Dec 2015 17:56:13 +0000 (18:56 +0100)]
avfilter/vf_mpdecimate: Add missing emms_c()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 997de2e8107cc4256e50611463d609b18fe9619f)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/mxfenc: Do not crash if there is no packet in the first stream
Michael Niedermayer [Sun, 13 Dec 2015 15:13:22 +0000 (16:13 +0100)]
avformat/mxfenc: Do not crash if there is no packet in the first stream

Fixes: Ticket4914

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b51e7554e74cbf007a1cab83c7bed3ad9fa2793a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid...
Rainer Hochecker [Sun, 15 Nov 2015 12:58:50 +0000 (13:58 +0100)]
avformat/utils: estimate_timings_from_pts - increase retry counter, fixes invalid duration for ts files with hevc codec

Fixes a mpegts file with hevc that fails estimating duration. Increasing number of
retries fixes the issue.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d8c2f1a28073d451c7db31291c333cb15ca3d0b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/matroskaenc: Check codecdelay before use
Michael Niedermayer [Wed, 9 Dec 2015 15:16:46 +0000 (16:16 +0100)]
avformat/matroskaenc: Check codecdelay before use

Fixes CID1238790

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e6971db12b8ae49712b77378fa8141de4904082b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/mathematics: Fix division by 0
Michael Niedermayer [Wed, 9 Dec 2015 16:39:38 +0000 (17:39 +0100)]
avutil/mathematics: Fix division by 0

Fixes: CID1341571

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc8b1e694cc395fdf5e2917377ef11263c937d85)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agox86/float_dsp: zero extend offset from ff_scalarproduct_float_sse
James Almer [Fri, 8 Jan 2016 15:08:56 +0000 (12:08 -0300)]
x86/float_dsp: zero extend offset from ff_scalarproduct_float_sse

Reviewed-by: Christophe Gisquet <christophe.gisquet@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit dc79824deb6ac0ce236589c618744b33629201cd)

3 years agoavcodec/mpeg4videodec: also for empty partitioned slices
Michael Niedermayer [Sat, 19 Dec 2015 22:21:33 +0000 (23:21 +0100)]
avcodec/mpeg4videodec: also for empty partitioned slices

Fixes assertion failure
Fixes: id_acf3e47f864e1ee4c7b86c0653e0ff31e5bde56e.m4v

Found-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 70f13abb4f9a376ddc0d2c566739bc3c6a0c47e7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agonuv: sanitize negative fps rate
Andreas Cadhalpun [Wed, 16 Dec 2015 19:52:39 +0000 (20:52 +0100)]
nuv: sanitize negative fps rate

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f6830cf5ba03fdcfcd81a0358eb32d4081a2fcce)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agorawdec: only exempt BIT0 with need_copy from buffer sanity check
Andreas Cadhalpun [Sat, 19 Dec 2015 22:45:06 +0000 (23:45 +0100)]
rawdec: only exempt BIT0 with need_copy from buffer sanity check

Otherwise the too small buffer is directly used in the frame, causing
segmentation faults, when trying to use the frame.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 699e68371ec7e381e5cc48e3d96e29c669261af7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agomlvdec: check that index_entries exist
Andreas Cadhalpun [Sat, 19 Dec 2015 22:44:53 +0000 (23:44 +0100)]
mlvdec: check that index_entries exist

This fixes NULL pointer dereferencing.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9fcfe4a3cdf9a5af0c37758b178965b7b99582d4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agonutdec: reject negative value_len in read_sm_data
Andreas Cadhalpun [Sat, 19 Dec 2015 11:02:56 +0000 (12:02 +0100)]
nutdec: reject negative value_len in read_sm_data

If it is negative, it can cause the byte position to move backwards in
avio_skip, which in turn makes sm_size negative and thus size larger
than the size of the packet buffer, causing invalid writes in avio_read.

Also fix potential overflow of avio_tell(bc) + value_len.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ce10f572c12b0d172c72d31d8c979afce602bf0c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoxwddec: prevent overflow of lsize * avctx->height
Andreas Cadhalpun [Fri, 18 Dec 2015 18:28:51 +0000 (19:28 +0100)]
xwddec: prevent overflow of lsize * avctx->height

This is used to check if the input buffer is large enough, so if this
overflows it can cause a false negative leading to a segmentation fault
in bytestream2_get_bufferu.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9d38f06d05efbb9d6196c27668eb943e934943ae)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agonutdec: only copy the header if it exists
Andreas Cadhalpun [Fri, 18 Dec 2015 14:18:47 +0000 (15:18 +0100)]
nutdec: only copy the header if it exists

Fixes ubsan runtime error: null pointer passed as argument 2, which is
declared to never be null

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9f82506c79874edd7b09707ab63d9e72078de8f9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoexr: fix out of bounds read in get_code
Andreas Cadhalpun [Sun, 13 Dec 2015 22:17:09 +0000 (23:17 +0100)]
exr: fix out of bounds read in get_code

This macro unconditionally used out[-1], which causes an out of bounds
read, if out is the very beginning of the buffer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 90b99a81071d10e6b5efe86a4602d54d4f45bbcb)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoon2avc: limit number of bits to 30 in get_egolomb
Andreas Cadhalpun [Wed, 16 Dec 2015 15:48:19 +0000 (16:48 +0100)]
on2avc: limit number of bits to 30 in get_egolomb

More don't fit into the integer output.

Also use get_bits_long, since get_bits only supports reading up to 25
bits, while get_bits_long supports the full integer range.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 4d5c3b02e9d2c9a630ca433fabca43285879e0b8)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agosonic: make sure num_taps * channels is not larger than frame_size
Andreas Cadhalpun [Tue, 15 Dec 2015 22:43:03 +0000 (23:43 +0100)]
sonic: make sure num_taps * channels is not larger than frame_size

If that is the case, the loop setting predictor_state in
sonic_decode_frame causes out of bounds reads of int_samples, which has
only frame_size number of elements.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 9637c2531f7eb040ad1c3cb46cb40a63dfc77b80)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoopus_silk: fix typo causing overflow in silk_stabilize_lsf
Andreas Cadhalpun [Tue, 15 Dec 2015 21:00:31 +0000 (22:00 +0100)]
opus_silk: fix typo causing overflow in silk_stabilize_lsf

Due to this typo max_center can be too large, causing nlsf to be set to
too large values, which in turn can cause nlsf[i - 1] + min_delta[i] to
overflow to a negative value, which is not allowed for nlsf and can
cause an out of bounds read in silk_lsf2lpc.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit f61d44b74aaae1d306d8a0d38b7b3d4292c89ced)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoffm: reject invalid codec_id and codec_type
Andreas Cadhalpun [Mon, 14 Dec 2015 21:11:55 +0000 (22:11 +0100)]
ffm: reject invalid codec_id and codec_type

A negative codec_id cannot be handled by the found_decoder API of
AVStream->info: if the codec_id is not recognized, found_decoder is set
to -codec_id, which has to be '<0' according to the API documentation.

This can cause NULL pointer dereferencing in try_decode_frame.

Also make sure the codec_type matches the expected one for codec_id.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ecf63b7cc24b9fd3e6d604313325dd1ada4db662)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoaaccoder: prevent crash of anmr coder
Andreas Cadhalpun [Fri, 4 Dec 2015 17:13:07 +0000 (18:13 +0100)]
aaccoder: prevent crash of anmr coder

If minq is negative, the range of sf_idx can be larger than
SCALE_MAX_DIFF allows, causing assertion failures later in
encode_scale_factors.

Reviewed-by: Claudio Freire <klaussfreire@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 7a4652dd5da0502ff21c183b5ca7d76b1cfd6c51)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoffmdec: reject zero-sized chunks
Andreas Cadhalpun [Wed, 2 Dec 2015 21:47:12 +0000 (22:47 +0100)]
ffmdec: reject zero-sized chunks

If size is zero, avio_get_str fails, leaving the buffer uninitialized.
This causes invalid reads in av_set_options_string.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a611375db532c3d5363d97b10fadd0211811a4fd)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
3 years agoswscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment...
Michael Niedermayer [Tue, 15 Dec 2015 01:50:20 +0000 (02:50 +0100)]
swscale/x86/rgb2rgb_template: Fallback to mmx in interleaveBytes() if the alignment is insufficient for SSE*

This also as a sideeffect fixes the non aligned case

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a066ff89bcbae6033c2ffda9271cad84f6c1b807)

3 years agoswscale/x86/rgb2rgb_template: Do not crash on misaligend stride
Michael Niedermayer [Tue, 15 Dec 2015 01:06:04 +0000 (02:06 +0100)]
swscale/x86/rgb2rgb_template: Do not crash on misaligend stride

Fixes Ticket5013

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 80bfce35ccd11458e97f68f417fc094c5347070c)

3 years agomjpegdec: consider chroma subsampling in size check n2.5.9
Andreas Cadhalpun [Wed, 2 Dec 2015 20:52:23 +0000 (21:52 +0100)]
mjpegdec: consider chroma subsampling in size check

If the chroma components are subsampled, smaller buffers are allocated
for them. In that case the maximal block_offset for the chroma
components is not as large as for the luma component.

This fixes out of bounds writes causing segmentation faults or memory
corruption.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5adb5d9d894aa495e7bf9557b4c78350cbfc9d32)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoUpdate Changelog
Michael Niedermayer [Sun, 6 Dec 2015 01:31:14 +0000 (02:31 +0100)]
Update Changelog

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/hevc: Check max ctb addresses for WPP
Michael Niedermayer [Sat, 28 Nov 2015 12:42:05 +0000 (13:42 +0100)]
avcodec/hevc: Check max ctb addresses for WPP

Fixes out of array read
Fixes: 2f95ddd996db8a6281d2e18c184595a7/asan_heap-oob_192fe91_3330_58e4441181e30a66c19f743dcb392347.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dad354f38ddc9bfc834bc21358a1d0ad41532ca0)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Conflicts:

libavcodec/hevc.c

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/vp3: ensure header is parsed successfully before tables
Michael Niedermayer [Wed, 2 Dec 2015 21:59:56 +0000 (22:59 +0100)]
avcodec/vp3: ensure header is parsed successfully before tables

Fixes assertion failure
Fixes: 266ee543812e934f7b4a72923a2701d4/signal_sigabrt_7ffff6ae7cc9_7322_85218d61759d461bdf7387180e8000c9.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 26379d4fddc17cac853ef297ff327b58c44edbad)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dec: Check bpno in decode_cblk()
Michael Niedermayer [Fri, 4 Dec 2015 15:23:24 +0000 (16:23 +0100)]
avcodec/jpeg2000dec: Check bpno in decode_cblk()

Fixes: undefined shift
Fixes: c409ef86f892335a0a164b5871174d5a/asan_heap-oob_1dff564_2159_162b7234616deab02b544410455eb07b.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a85b02dcf70f62a6a433a607143f1f78fa5648bb)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int
Michael Niedermayer [Fri, 4 Dec 2015 20:38:12 +0000 (21:38 +0100)]
avcodec/pgssubdec: Fix left shift of 255 by 24 places cannot be represented in type int

Fixes: b293a6479bb4b5286cff24d356bfd955/asan_generic_225c3c9_7819_cc526b657450c6cdef1371b526499626.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f2419888ba49245761f4ab343679c38e7880cfe)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoswscale/utils: Fix for runtime error: left shift of negative value -1
Michael Niedermayer [Fri, 4 Dec 2015 20:44:05 +0000 (21:44 +0100)]
swscale/utils: Fix for runtime error: left shift of negative value -1

Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 325b59368dae3c3f2f5cc39873002b4cf133ccbc)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/hevc: Fix integer overflow of entry_point_offset
Michael Niedermayer [Sat, 5 Dec 2015 21:08:59 +0000 (22:08 +0100)]
avcodec/hevc: Fix integer overflow of entry_point_offset

Fixes out of array read
Fixes: d41d8cd98f00b204e9800998ecf8427e/signal_sigsegv_321165b_7641_077dfcd8cbc80b1c0b470c8554cd6ffb.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 214085852491448631dcecb008b5d172c11b8892)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dirac_parser: Check that there is a previous PU before accessing it
Michael Niedermayer [Sat, 5 Dec 2015 16:15:38 +0000 (17:15 +0100)]
avcodec/dirac_parser: Check that there is a previous PU before accessing it

Fixes out of array read
Fixes: 99d142c47e6ba3510a74b872a1a2ae72/asan_heap-oob_11b36f4_3811_0f5c69e7609a88a580135678de1df844.dxa

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a08681f1e614152184615e2bcd71c3d63835f810)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset
Michael Niedermayer [Sat, 5 Dec 2015 16:14:36 +0000 (17:14 +0100)]
avcodec/dirac_parser: Add basic validity checks for next_pu_offset and prev_pu_offset

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c7d6ec947c053699950af90f695413a5640b3872)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dirac_parser: Fix potential overflows in pointer checks
Michael Niedermayer [Sat, 5 Dec 2015 16:11:54 +0000 (17:11 +0100)]
avcodec/dirac_parser: Fix potential overflows in pointer checks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 79798f7c57b098c78e0bbc6becd64b9888b013d1)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/wmaprodec: Check bits per sample to be within the range not causing integer...
Michael Niedermayer [Sat, 5 Dec 2015 12:48:06 +0000 (13:48 +0100)]
avcodec/wmaprodec: Check bits per sample to be within the range not causing integer overflows

Fixes: 549d5aab1480d10f2a775ed90b0342f1/signal_sigabrt_7ffff6ae7cc9_5643_96bbb0cfe3e28be1dadfce1075016345.wma

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 66e05f6ff5e5c105bdd7bf3a49234ddac1b592c5)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/wmaprodec: Fix overflow of cutoff
Michael Niedermayer [Sat, 5 Dec 2015 12:11:23 +0000 (13:11 +0100)]
avcodec/wmaprodec: Fix overflow of cutoff

Fixes: 129ca3e28d73af7b1e24a9d4118e7a2d/signal_sigabrt_7ffff6ae7cc9_836_762b310fc3ef6087bd7771e5d8e90b9b.asf

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c56f8303e676556ea09bfac73d881c6c9057259)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/smacker: fix integer overflow with pts_inc
Michael Niedermayer [Sat, 5 Dec 2015 12:06:16 +0000 (13:06 +0100)]
avformat/smacker: fix integer overflow with pts_inc

Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ed47e97297fd5ef473d0cc93f0455adbadaac83)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/vp3: Fix "runtime error: left shift of negative value"
Michael Niedermayer [Fri, 4 Dec 2015 11:47:20 +0000 (12:47 +0100)]
avcodec/vp3: Fix "runtime error: left shift of negative value"

Fixes: 5c6129154b356b80bcab86f9e3ee5d29/signal_sigabrt_7ffff6ae7cc9_7322_d26ac6d7cb6567db1b8be0159b387d0b.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 18268f761bffb37552f59f87542fef3d5c80618c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agompegencts: Fix overflow in cbr mode period calculations
Timo Teräs [Sat, 28 Nov 2015 06:27:39 +0000 (08:27 +0200)]
mpegencts: Fix overflow in cbr mode period calculations

ts->mux_rate is int (signed 32-bit) type. The period calculations
will start to overflow when mux_rate > 5mbps. This fixes overflows
by converting first to 64-bit type.

Fixes #5044.

Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64f7db554ee83846f207e82a08946a6a5a6acfe2)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/timecode: Fix fps check
Michael Niedermayer [Thu, 3 Dec 2015 02:14:11 +0000 (03:14 +0100)]
avutil/timecode: Fix fps check

The fps variable is explicitly set to -1 in case of some errors, the check must
thus be signed or the code setting it needs to use 0 as error code
the type of the field could be changed as well but its in an installed header

Fixes: integer overflow
Fixes: 9982cc157b1ea90429435640a989122f/asan_generic_3ad004a_3799_22cf198d9cd09928e2d9ad250474fa58.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b46dcd5209a77254345ae098b83a872634c5591b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for...
Michael Niedermayer [Tue, 1 Dec 2015 12:32:31 +0000 (13:32 +0100)]
avutil/mathematics: return INT64_MIN (=AV_NOPTS_VALUE) from av_rescale_rnd() for overflows

Fixes integer overflow
Fixes: mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f03c2ceec174877e03bb302f5971fbe9ffbe4856)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/apedec: Check length in long_filter_high_3800()
Michael Niedermayer [Wed, 2 Dec 2015 20:16:27 +0000 (21:16 +0100)]
avcodec/apedec: Check length in long_filter_high_3800()

Fixes out of array read
Fixes: 0a7ff0c1d93da9cef28a315ec91b692a/asan_heap-oob_4a52e5_3604_9c56dbb20e308f4faeef7b35f688521a.ape

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd7524fdd13dc8d0cf22e2cfd8300a245542b13a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/vp3: always set pix_fmt in theora_decode_header()
Michael Niedermayer [Mon, 30 Nov 2015 02:32:36 +0000 (03:32 +0100)]
avcodec/vp3: always set pix_fmt in theora_decode_header()

Fixes assertion failure
Fixes: d0bb0662da342ec65f8f2a081222e6b9/signal_sigabrt_7ffff6ae7cc9_5471_82964f0a9ac2f4d3d59390c15473f6f7.ogg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a814f1d364ba912adf61adef158168c5f7604e93)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/mpeg4videodec: Check available data before reading custom matrix
Michael Niedermayer [Sun, 29 Nov 2015 22:44:40 +0000 (23:44 +0100)]
avcodec/mpeg4videodec: Check available data before reading custom matrix

Fixes: out of array read
Fixes: 76c515fc3779d1b838667c61ea13ce92/asan_heap-oob_1fc0d07_8913_794a4629a264ebdb25b58d3a94ed1785.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 891dc8f87536ac2ec695c70d081345224524ad99)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd
Michael Niedermayer [Tue, 1 Dec 2015 11:44:23 +0000 (12:44 +0100)]
avutil/mathematics: Do not treat INT64_MIN as positive in av_rescale_rnd

The code expects actual positive numbers and gives completely wrong
results if INT64_MIN is treated as positive
Instead clip it into the valid range that is add 1 and treat it as
negative

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25e37f5ea92d4201976a59ae306ce848d257a7e6)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/integer: Fix av_mod_i() with negative dividend
Michael Niedermayer [Tue, 1 Dec 2015 11:41:43 +0000 (12:41 +0100)]
avutil/integer: Fix av_mod_i() with negative dividend

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a9cb18855d29c96a5d9d2f5ad30448cae3a2ddf)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/dump: Fix integer overflow in av_dump_format()
Michael Niedermayer [Tue, 1 Dec 2015 11:40:32 +0000 (12:40 +0100)]
avformat/dump: Fix integer overflow in av_dump_format()

Fixes part of mozilla bug 1229167

Found-by: Tyson Smith
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e7f4520226d2d9ad6a58ad6c32d1455a8b244b2)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/utils: Clear dimensions in ff_get_buffer() on failure
Michael Niedermayer [Sat, 28 Nov 2015 19:08:46 +0000 (20:08 +0100)]
avcodec/utils: Clear dimensions in ff_get_buffer() on failure

Fixes out of array access
Fixes: 482d8f2fd17c9f532b586458a33f267c/asan_heap-oob_4a52b6_7417_1d08d477736d66cdadd833d146bb8bae.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abee0a1c60612e8638640a8a3738fffb65e16dbf)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()
Michael Niedermayer [Sat, 28 Nov 2015 16:26:05 +0000 (17:26 +0100)]
avcodec/utils: Use 64bit for aspect ratio calculation in avcodec_string()

Fixes integer overflow
Fixes: 3a45b2ae02f2cf12b7bd99543cdcdae5/asan_heap-oob_1dff502_8022_899f75e1e81046ebd7b6c2394a1419f4.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f03bebc79f76df3a3e5bb9e1bc32baabfb7797c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/vp3: Clear context on reinitialization failure
Michael Niedermayer [Fri, 27 Nov 2015 23:23:54 +0000 (00:23 +0100)]
avcodec/vp3: Clear context on reinitialization failure

Fixes null pointer dereference
Fixes: 1536b9b096a8f95b742bae9d3d761cc6/signal_sigsegv_294aaed_2039_8d1797aeb823ea43858d0fa45c9eb899.ogv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6105b7219a90438deae71b0dc5a034c71ee30fc0)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/hevc: allocate entries unconditionally
Michael Niedermayer [Fri, 27 Nov 2015 22:33:03 +0000 (23:33 +0100)]
avcodec/hevc: allocate entries unconditionally

Fixes out of array access
Fixes: 08664a2a7921ef48172f26495c7455be/asan_heap-oob_23036c6_3301_523388ef84285a0270caf67a43247b59.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d85aa76115214183e7e3b7d65e950da61474959a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Conflicts:

libavcodec/hevc.c

3 years agoavcodec/hevc_cabac: Fix multiple integer overflows
Michael Niedermayer [Fri, 27 Nov 2015 21:45:46 +0000 (22:45 +0100)]
avcodec/hevc_cabac: Fix multiple integer overflows

Fixes: 04ec80eefa77aecd7a49a442cc02baea/asan_heap-oob_19544fa_3303_1905796cd9d8e15f86d664332caabc00.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d5028f61e44b7607b6a547f218f7d85217490a5b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()
Michael Niedermayer [Fri, 27 Nov 2015 20:02:13 +0000 (21:02 +0100)]
avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_encode*()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit feb3f39614b88c113211a98dda1bc2fe5c3c6957)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()
Michael Niedermayer [Fri, 27 Nov 2015 19:52:39 +0000 (20:52 +0100)]
avcodec/jpeg2000dwt: Check ndeclevels before calling dwt_decode*()

Fixes out of array access
Fixes: 01859c9a9ac6cd60a008274123275574/asan_heap-oob_1dff571_8250_50d3d1611e294c3519fd1fa82198b69b.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 75422280fbcdfbe9dc56bde5525b4d8b280f1bc5)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/hevc: Check entry_point_offsets
Michael Niedermayer [Fri, 27 Nov 2015 17:30:05 +0000 (18:30 +0100)]
avcodec/hevc: Check entry_point_offsets

Fixes out of array read
Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/cabac: Check initial cabac decoder state
Michael Niedermayer [Fri, 27 Nov 2015 12:37:50 +0000 (13:37 +0100)]
avcodec/cabac: Check initial cabac decoder state

Fixes integer overflows
Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8000d484b83aafa752d84fbdbfb352ffe0dc64f8)

Conflicts:

libavcodec/cabac.h

Conflicts:

libavcodec/h264_cabac.c
libavcodec/h264_slice.c

3 years agoavcodec/cabac_functions: Fix "left shift of negative value -31767"
Michael Niedermayer [Fri, 27 Nov 2015 11:11:29 +0000 (12:11 +0100)]
avcodec/cabac_functions: Fix "left shift of negative value -31767"

Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2340_591e9810c7b09efe501ad84638c9e9f8.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Found-by: xiedingbao (Ticket4727)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1f6b05f5228979dab0e149deca7a30d22e98af5)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/ffv1dec: Clear quant_table_count if its invalid
Michael Niedermayer [Sat, 14 Nov 2015 12:21:58 +0000 (13:21 +0100)]
avcodec/ffv1dec: Clear quant_table_count if its invalid

Fixes deallocation of corrupted pointer
Fixes: 343dfbe142a38b521ed069dc4ea7c03b/signal_sigsegv_421427_4074_ffb11959610278cd40dbc153464aa254.avi
No releases affected

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e04126072e984f8db5db9da9303c89ae01f7d6bb)

Fixes ticket #5052.

3 years agoavcodec/ffv1dec: Print an error if the quant table count is invalid
Michael Niedermayer [Thu, 5 Nov 2015 00:25:50 +0000 (01:25 +0100)]
avcodec/ffv1dec: Print an error if the quant table count is invalid

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a8b254e436dce2f5c8c6459108dab4b02cc6b79b)

3 years agodoc/filters/drawtext: fix centering example
Andrey Utkin [Tue, 1 Dec 2015 19:15:53 +0000 (21:15 +0200)]
doc/filters/drawtext: fix centering example

Signed-off-by: Andrey Utkin <andrey.od.utkin@gmail.com>
Signed-off-by: Lou Logan <lou@lrcd.com>
(cherry picked from commit 648b26acc5e25ab40c43fddc54b50e9f0b13ebd8)
Signed-off-by: Timothy Gu <timothygu99@gmail.com>
3 years agoUpdate for 2.5.9
Michael Niedermayer [Thu, 26 Nov 2015 16:55:08 +0000 (17:55 +0100)]
Update for 2.5.9

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/h264_slice: Limit max_contexts when slice_context_count is initialized
Michael Niedermayer [Tue, 24 Nov 2015 21:12:37 +0000 (22:12 +0100)]
avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

Fixes out of array access
Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4ea4d2f438c9a7eba37980c9a87be4b34943e4d5)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup
Michael Niedermayer [Wed, 30 Sep 2015 11:10:48 +0000 (13:10 +0200)]
avcodec/vp8: Do not use num_coeff_partitions in thread/buffer setup

The variable is not a constant and can lead to race conditions

Fixes: repro.webm (not reproducable with FFmpeg alone)

Found-by: Dale Curtis <dalecurtis@google.com>
Tested-by: Dale Curtis <dalecurtis@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dabea74d0e82ea80cd344f630497cafcb3ef872c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agortmpcrypt: Do the xtea decryption in little endian mode
Martin Storsjö [Wed, 11 Nov 2015 19:42:02 +0000 (21:42 +0200)]
rtmpcrypt: Do the xtea decryption in little endian mode

The XTEA algorithm operates on 32 bit numbers, not on byte sequences.
The XTEA implementation in libavutil is written assuming big endian
numbers, while the rtmpe signature encryption assumes little endian.

This fixes rtmpe communication with rtmpe servers that use signature
type 8 (XTEA), e.g. crunchyroll.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e7728319b92dbb4fb949155e33de7ff5358ddff3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/matroskadec: Check subtitle stream before dereferencing
Michael Niedermayer [Tue, 17 Nov 2015 17:19:01 +0000 (18:19 +0100)]
avformat/matroskadec: Check subtitle stream before dereferencing

Unrecognized streams are not allocated
Fixes: flicker-1.color1.vp91447030769.08.webm

Found-by: Chris Cunningham <chcunningham@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5034b324cad4c29d47ef285a30b0705e6eb0384)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/utils: Do not init parser if probing is unfinished
Michael Niedermayer [Sun, 15 Nov 2015 22:41:14 +0000 (23:41 +0100)]
avformat/utils: Do not init parser if probing is unfinished

Fixes assertion failure
Fixes: 136f8b8d47af7892306625e597dee655/signal_sigabrt_7ffff6ae7cc9_8941_ab11bea57c84796418f481f873dc31ba.dvr_ms

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1ef336e912a7a3a13a9933825a56c421f891e44b)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions
Michael Niedermayer [Sun, 15 Nov 2015 20:17:05 +0000 (21:17 +0100)]
avcodec/jpeg2000dec: Fix potential integer overflow with tile dimensions

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65d3359fb366ea265a8468d76a111cb7352f0b55)

Conflicts:

libavcodec/jpeg2000dec.c

3 years agoavcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range
Michael Niedermayer [Sun, 15 Nov 2015 20:12:50 +0000 (21:12 +0100)]
avcodec/jpeg2000dec: Check SIZ dimensions to be within the supported range

Fixes potential integer overflows
Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is choosen to be simple to backport, better solution
for master is planed

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ef819c40bcc2175edba7ce9e20c3036c01b36b9)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000: Check comp coords to be within the supported size
Michael Niedermayer [Sun, 15 Nov 2015 19:49:17 +0000 (20:49 +0100)]
avcodec/jpeg2000: Check comp coords to be within the supported size

Fixes assertion failure
Fixes: 03e0abe721b1174856d41a1eb5d6a896/signal_sigabrt_7ffff6ae7cc9_3813_e71bf3541abed3ccba031cd5ba0269a4.avi

This fix is choosen to be simple to backport, better solution
for master is planed

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1a8cbcb35ef2759a66b4f0875785e4b3f277057)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()
Michael Niedermayer [Sun, 15 Nov 2015 19:03:39 +0000 (20:03 +0100)]
avcodec/jpeg2000: Use av_image_check_size() in ff_jpeg2000_init_component()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 016fd413f9168816924f21c0c1ffb578f7226221)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/wmaprodec: Check for overread in decode_packet()
Michael Niedermayer [Sun, 15 Nov 2015 17:18:40 +0000 (18:18 +0100)]
avcodec/wmaprodec: Check for overread in decode_packet()

Fixes assertion failure
Fixes: 0256e92df2df7e933b43a2c70e4c8040/signal_sigabrt_7ffff6ae7cc9_1358_999ac18684788221490757582ce9af84.wma

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ad698e24e6b9dde57c4e01c145bcddfe9d6e4a3)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/smacker: Check that the data size is a multiple of a sample vector
Michael Niedermayer [Sun, 15 Nov 2015 13:52:08 +0000 (14:52 +0100)]
avcodec/smacker: Check that the data size is a multiple of a sample vector

Fixes out of array access
Fixes: ce19e41f0ef1e52a23edc488faecdb58/asan_heap-oob_2504e97_4202_ffa0df1baed14022b9bfd4f8ac23d0cb.smk

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a9af07a49295e014b059c1ab624c40345af5892)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/takdec: Skip last p2 sample (which is unused)
Michael Niedermayer [Sun, 15 Nov 2015 00:22:31 +0000 (01:22 +0100)]
avcodec/takdec: Skip last p2 sample (which is unused)

Fixes out of array read
Fixes: cb3f38b08b4541523974667c7d1eee9e/asan_heap-oob_2659e18_9838_021fd5cd635bf76cede6398cd9ecbcdd.tak

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08b520636e96ba6888b669b9b3f4c414631ea1d2)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dxtory: Fix input size check in dxtory_decode_v1_410()
Michael Niedermayer [Sat, 14 Nov 2015 23:25:11 +0000 (00:25 +0100)]
avcodec/dxtory: Fix input size check in dxtory_decode_v1_410()

Fixes potential out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 76b6f4b7d91901929177cc61d9810dcca0bb40c1)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dxtory: Fix input size check in dxtory_decode_v1_420()
Michael Niedermayer [Sat, 14 Nov 2015 23:25:11 +0000 (00:25 +0100)]
avcodec/dxtory: Fix input size check in dxtory_decode_v1_420()

Fixes out of array read
Fixes: c50c4aa6cefda71b19a31ea12302980c/asan_heap-oob_12be5fd_7011_33ebd015a74976215934add72b9c8352.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9caa9414ccf2dcf8aee2695377dee830a5024c82)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/error_resilience: avoid accessing previous or next frames tables beyond height
Michael Niedermayer [Sat, 14 Nov 2015 20:11:52 +0000 (21:11 +0100)]
avcodec/error_resilience: avoid accessing previous or next frames tables beyond height

The height of tables can be rounded up for MBAFF but this does not imply that is also true
for the previous frames

Fixes out of array reads
Fixes: c106b36fa36db8ff8f3ed0c82be7bea2/asan_heap-oob_32699f0_6321_467b9a1d7e03d7cfd310b7e65dc53bcc.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a105f52855d08e4ab1ed7306da8e32fc90d6d647)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dpx: Move need_align to act per line
Michael Niedermayer [Sat, 14 Nov 2015 13:29:02 +0000 (14:29 +0100)]
avcodec/dpx: Move need_align to act per line

Fixes out of array read
Fixes: 61cf123c081ee2bb774d307c75bdb99e/asan_heap-oob_1224f76_5546_bee833ffae73f752b489b9eeaac52db7.dpx

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8aaae8e0f1519bc99bd717ea3067c9cfdb68def)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/flashsv: Check size before updating it
Michael Niedermayer [Sat, 14 Nov 2015 12:34:02 +0000 (13:34 +0100)]
avcodec/flashsv: Check size before updating it

Fixes out of array read
Fixes: 3c857d4d90365731524716e6d051e43a/signal_sigsegv_7f4f59bcc29e_1386_20abd2c8e655cb9c75b24368e65fe3b1.flv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 17705f5d4f57c15f9b9bb9cfcbbb4621fed2fc70)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/ivi: Check image dimensions
Michael Niedermayer [Sat, 14 Nov 2015 01:36:22 +0000 (02:36 +0100)]
avcodec/ivi: Check image dimensions

Fixes integer overflow
Fixes: 1e32c6c591d940337c20b197ec1c4d3d/asan_heap-oob_4a52e5_8946_0bb0d9e863def56005e49f1d89bdc94d.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df91aa034b82b77a3c4e01791f4a2b2ff6c82066)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/utils: Better check for channels in av_get_audio_frame_duration()
Michael Niedermayer [Sat, 14 Nov 2015 00:35:08 +0000 (01:35 +0100)]
avcodec/utils: Better check for channels in av_get_audio_frame_duration()

Fixes integer overflow
Fixes: 0c2625f236ced104d402b4a03c0d65c7/asan_generic_274e1ce_5990_9314e7a67c26aecf011b178ade9f217c.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e16ad2868a1819de6680fc355a8eb20164adaea)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dec: Check for duplicate SIZ marker
Michael Niedermayer [Fri, 13 Nov 2015 23:51:56 +0000 (00:51 +0100)]
avcodec/jpeg2000dec: Check for duplicate SIZ marker

Fixes: 0231a17345734228011c6f35a64e4594/asan_heap-oob_1d92a72_3218_1213809a9e3affec77e4c191fdfdc0a9.mov

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 44a7f17d0b20e6f8d836b2957e3e357b639f19a2)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/jpeg2000dec: Clip all tile coordinates
Michael Niedermayer [Sat, 7 Nov 2015 01:16:11 +0000 (02:16 +0100)]
avcodec/jpeg2000dec: Clip all tile coordinates

Fixes out of array access
Fixes: b877a6b788a25c70e8b1d014f8628549/asan_heap-oob_1da2c3f_2324_5a1b329b0b3c4bb6b1d775660ac56717.r3d

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 43492ff3ab68a343c1264801baa1d5a02de10167)

Conflicts:

libavcodec/jpeg2000dec.c

3 years agoavcodec/microdvddec: Check for string end in 'P' case
Michael Niedermayer [Fri, 6 Nov 2015 21:24:23 +0000 (22:24 +0100)]
avcodec/microdvddec: Check for string end in 'P' case

Fixes out of array read
Fixes: a9502b60f4cecc19475382aee255f73c/asan_heap-oob_1e87fba_2548_a8ad47f6dde36644fe9cdc444d4632d0.sub

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c719cd6cf79ec21d974b81ba874580f4b8e9eb90)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/dirac_parser: Fix undefined memcpy() use
Michael Niedermayer [Fri, 6 Nov 2015 20:58:42 +0000 (21:58 +0100)]
avcodec/dirac_parser: Fix undefined memcpy() use

Fixes: 9d375e415486edd1a0c826f2307d89a4/asan_generic_4a5159_1577_faa333e83dacdd9e4dd322380aeed537.iss

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit daefd8ab2f2aeb90cd53cb75445faffdc7a3cc79)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/xmv: Discard remainder of packet on error
Michael Niedermayer [Fri, 6 Nov 2015 01:13:36 +0000 (02:13 +0100)]
avformat/xmv: Discard remainder of packet on error

Fixes infinite loop
Fixes: 9c48ae2680c5f23bca3d20ff0f325fd8/asan_generic_4c254d_1374_993f1e5967dd6f844b8d72f978ce2a6c.pss

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 79c4a338e4b2bf0bc6f81c9f455994f673a92f78)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavformat/xmv: factor return check out of if/else
Michael Niedermayer [Fri, 6 Nov 2015 01:11:01 +0000 (02:11 +0100)]
avformat/xmv: factor return check out of if/else

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b6fac11da470274d4b93d46ef66527aa1824179)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agolibavutil/channel_layout: Check strtol*() for failure
Michael Niedermayer [Thu, 5 Nov 2015 18:24:33 +0000 (19:24 +0100)]
libavutil/channel_layout: Check strtol*() for failure

Fixes assertion failure
Fixes: 4f5814bb15d2dda6fc18ef9791b13816/signal_sigabrt_7ffff6ae7cc9_65_7209d160d168b76f311be6cd64a548eb.wv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9bfd6a8c35a2102e730aca12f6e09d1627f76b3)

Conflicts:

libavutil/channel_layout.c

3 years agoavcodec/ffv1dec: Check for 0 quant tables
Michael Niedermayer [Wed, 4 Nov 2015 23:36:59 +0000 (00:36 +0100)]
avcodec/ffv1dec: Check for 0 quant tables

Fixes assertion failure
Fixes: 07ec1fc3c1cbf2d3edcd7d9b52ca156c/asan_heap-oob_13624c5_491_ecd4720a03e697ba750b235690656c8f.avi

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5745cf799a4389bc5d14f2b4daf32fe4631c50bc)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavcodec/mjpegdec: Reinitialize IDCT on BPP changes
Michael Niedermayer [Wed, 4 Nov 2015 20:27:04 +0000 (21:27 +0100)]
avcodec/mjpegdec: Reinitialize IDCT on BPP changes

Fixes misaligned access
Fixes: dc9262a469f6f315f74c087a7b3a7f35/signal_sigsegv_2e95bcd_9_9c0f9f4a9ba82aa9b3ab2b91ce4d5277.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cc35f6f4768ffe57cc4fcfa56ecb89aee409e3d5)

Conflicts:

libavcodec/mjpegdec.c

3 years agoavcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
Michael Niedermayer [Wed, 4 Nov 2015 17:08:52 +0000 (18:08 +0100)]
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
3 years agoavutil/file_open: avoid file handle inheritance on Windows
Tobias Rapp [Thu, 29 Oct 2015 08:11:37 +0000 (09:11 +0100)]
avutil/file_open: avoid file handle inheritance on Windows

Avoids inheritance of file handles on Windows systems similar to the
O_CLOEXEC/FD_CLOEXEC flag on Linux.

Fixes file lock issues in Windows applications when a child process
is started with handle inheritance enabled (standard input/output
redirection) while a FFmpeg transcoding is running in the parent
process.

Links relevant to the subject:

https://msdn.microsoft.com/en-us/library/w7sa2b22.aspx

Describes the _wsopen() function and the O_NOINHERIT flag. File handles
opened by _wsopen() are inheritable by default.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425%28v=vs.85%29.aspx

Describes handle inheritance when creating new processes. Handle
inheritance must be enabled (bInheritHandles = TRUE) e.g. when you want
to pass handles for stdin/stdout via lpStartupInfo.

Signed-off-by: Tobias Rapp <t.rapp@noa-audio.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 474665346616e446ecd1407002fdf5f88201bf72)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>