ffmpeg.git
5 years agomatroskaenc: do not write negative timestamps
Anton Khirnov [Sun, 1 Jun 2014 10:40:20 +0000 (12:40 +0200)]
matroskaenc: do not write negative timestamps

Bug-Id: 597, 341

5 years agoupdate Changelog
Rafaël Carré [Tue, 27 Aug 2013 15:35:49 +0000 (17:35 +0200)]
update Changelog

5 years agoUpdate Changelog for v9.13
Reinhard Tartler [Sun, 4 May 2014 14:37:49 +0000 (10:37 -0400)]
Update Changelog for v9.13

5 years agoswscale: Fix an undefined behaviour
Luca Barbato [Thu, 1 May 2014 22:21:23 +0000 (00:21 +0200)]
swscale: Fix an undefined behaviour

Prevent a division by zero down the codepath.

Sample-Id: 00001721-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 3a177a9cca924e097265b32f9282814f6b653e08)
(cherry picked from commit 0499f7809c1fcc33ed710cdf771a18b374702135)

5 years agomatroska: add the Opus mapping
Anton Khirnov [Sun, 27 Apr 2014 11:40:11 +0000 (13:40 +0200)]
matroska: add the Opus mapping

(cherry picked from commit 141fdc763c2841b572d29a2ad78513e8d5325870)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 79041d92ee7421853ee8c57fc13891cb0c272e0e)

5 years agomp3enc: Properly write bitrate value in XING header
Michael Niedermayer [Wed, 9 Apr 2014 16:22:53 +0000 (18:22 +0200)]
mp3enc: Properly write bitrate value in XING header

Instead of using a fixed bitrate_idx, calculate a matching bitrate for
the XING header.

Using a fixed bitrate_idx causes tools such as file(1) and mediainfo(1)
to report wrong bitrate and bitrate mode when using CBR.

Bug-Id: https://bugs.debian.org/736088

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 617a1a98a6be3e59db6fbfc21afab2fb9a049c03)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0f6e309b97e3da83a0fa75fbf1c4b50cd72047eb)

5 years agooggdec: add support for Opus in Ogg demuxing
Nicolas George [Sun, 24 Jun 2012 09:38:18 +0000 (11:38 +0200)]
oggdec: add support for Opus in Ogg demuxing

Fixes: https://bugzilla.libav.org/show_bug.cgi?id=603
Fixes: http://bugs.debian.org/720563

(cherry picked from commit ecab1c77410f023b437c6ed3a3281be8f039e574)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoapedec: do not buffer decoded samples over AVPackets
Rafaël Carré [Tue, 27 Aug 2013 15:35:49 +0000 (17:35 +0200)]
apedec: do not buffer decoded samples over AVPackets

Only consume an AVPacket when all the samples have been read.

When the rate of samples output is limited (by the default value
of max_samples), consuming the first packet immediately will cause
timing problems:

- The first packet with PTS 0 will output 4608 samples and be
consumed entirely
- The second packet with PTS 64 will output the remaining samples
(typically, a lot, that's why max_samples exist) until the decoded
samples of the first packet have been exhausted, at which point the
samples of the second packet will be decoded and output when
av_decode_frame is called with the next packet).

That means there's a PTS jump since the first packet is 'decoded'
immediately, which can be seen with avplay or mplayer: the timing
jumps immediately to 6.2s (which is the size of a packet).

Sample: http://streams.videolan.org/issues/6348/Goldwave-MAClib.ape

Bug-Debian: http://bugs.debian.org/744901
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 91d4cfb8127f1de6c4ad173a30fffe584700046d)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoisom: lpcm in mov default to big endian
Mark Himsley [Fri, 1 Nov 2013 11:22:53 +0000 (11:22 +0000)]
isom: lpcm in mov default to big endian

It is my understanding that "Unless otherwise stated, all data in a
QuickTime movie is stored in big-endian byte ordering" [1] in MOV files.

I have a couple of thousand files, which technically are invalid because
their sound sample description element 4CC is 'lpcm' but its version is
0 - and "Version 0 supports only uncompressed audio in raw ('raw ') or
twos-complement ('twos') format" [2]

Because isom.c only contains a mapping for 4CC 'lpcm' to
AV_CODEC_ID_PCM_S16LE, these files have their audio decoded as LE when
it is actually BE.

This commit adds AV_CODEC_ID_PCM_S16BE as the first match for 4CC 'lpcm'.

[1]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 21
[2]
https://developer.apple.com/library/mac/documentation/quicktime/QTFF/qtff.pdf
page 178

Reviewed-by: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
(cherry picked from commit 360022bd3b894cc01ea112b275fa4c8f53881808)
(cherry picked from commit d37fac6dbbdddb76225aa691b83ffd9a0c7dae6b)

5 years agomovdec: handle 0x7fff langcode as macintosh per the specs
Baptiste Coudurier [Wed, 21 Mar 2012 21:18:16 +0000 (14:18 -0700)]
movdec: handle 0x7fff langcode as macintosh per the specs

The correct point that seperates ISO and MAC language codes is 0x400
according to the current QT spec. Old QT specs did not list where this
seperation is but apparently only defined the meaning of the first 137.

(cherry picked from commit 9e71cc81f3655cacf0f91860fba3043f13b64059)
(cherry picked from commit 7940306a47df602be4f57a62175706265bbfd0aa)

5 years agoh264: reset next_output_pic earlier in start_frame()
Anton Khirnov [Wed, 23 Apr 2014 20:26:40 +0000 (22:26 +0200)]
h264: reset next_output_pic earlier in start_frame()

In case start_frame() fails, this potentially invalid frame can still be
output to the caller.

Bug-Id: 672
Bug-Id: debian/741240
Bug-Id: ubuntu/1288206

5 years agoRevert "pthread: flush all threads on flush, not just the first one"
Anton Khirnov [Thu, 24 Apr 2014 05:40:34 +0000 (07:40 +0200)]
Revert "pthread: flush all threads on flush, not just the first one"

This reverts commit 2eb15cdeef29eb8a0a32658154decba94b4b89cb.

It does not work correctly in pre-refcounting threading code.

5 years agoconfigure: Support older version of openjpeg1
Luca Barbato [Wed, 12 Mar 2014 09:30:07 +0000 (09:30 +0000)]
configure: Support older version of openjpeg1

It should work best for debian stable and people not installing the .pc
file.
(cherry picked from commit aa807425395caa17a85ed2833133278e8bd44a76)

Conflicts:
configure

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years agoconfigure: Use the right pkgconf file for openjpeg
Luca Barbato [Mon, 10 Mar 2014 10:48:04 +0000 (11:48 +0100)]
configure: Use the right pkgconf file for openjpeg

The current release of version 1 uses libopenjpeg1.
(cherry picked from commit 4a8562394b685e83ae4a38a93eef43625755a231)

Conflicts:
configure

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years agortmpproto: Make sure to pass on the error code if read_connect failed
Martin Storsjö [Sun, 13 Apr 2014 10:44:03 +0000 (13:44 +0300)]
rtmpproto: Make sure to pass on the error code if read_connect failed

Previously, if read_connect failed, the ret variable was unmodified
and had the value 0, indicating success, which then was returned from
the rtmp_open function, even though it actually failed.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6477139721f559b26eafd415e23e13ea2b0c27e1)

5 years agolavr: allocate the resampling buffer with a positive size
Anton Khirnov [Thu, 20 Mar 2014 19:40:24 +0000 (20:40 +0100)]
lavr: allocate the resampling buffer with a positive size

This fixes cases where very few input samples (fewer than needed for one
output sample) are passed to lavr at the beginning.
CC:libav-stable@libav.org
(cherry picked from commit ac976ed91e323754e9a84509873ebdb437372797)

5 years agotiffdec: use bytestream2 to simplify overread/overwrite protection
Justin Ruggles [Sun, 29 Sep 2013 23:47:55 +0000 (19:47 -0400)]
tiffdec: use bytestream2 to simplify overread/overwrite protection

Based on a patch by Paul B Mahol <onemda@gmail.com>

CC:libav-stable@libav.org

5 years agobytestream: add bytestream2_copy_buffer() functions
Justin Ruggles [Sun, 29 Sep 2013 23:45:57 +0000 (19:45 -0400)]
bytestream: add bytestream2_copy_buffer() functions

This is basically an overread/overwrite-safe memcpy between a
GetByteContext and a PutByteContext.

CC:libav-stable@libav.org
(cherry picked from commit 5748faf291fec297ef25d81962b52b3438f54278)

5 years agobytestream: add functions for accessing size of buffer
Paul B Mahol [Wed, 21 Mar 2012 00:10:18 +0000 (00:10 +0000)]
bytestream: add functions for accessing size of buffer

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
CC:libav-stable@libav.org
(cherry picked from commit de9d2705f61ef569487ec5f8974a9c7ce34ec783)

5 years agoresample: fix avresample_get_delay() return value
Anton Khirnov [Tue, 4 Mar 2014 20:18:27 +0000 (21:18 +0100)]
resample: fix avresample_get_delay() return value

The correct "next" input sample is not the first sample of the
resampling buffer, but the center sample of the filter_length-sized
block at the beginning.

CC:libav-stable@libav.org

5 years agoavi: Improve non-interleaved detection
Michael Niedermayer [Wed, 2 Apr 2014 07:11:10 +0000 (09:11 +0200)]
avi: Improve non-interleaved detection

Additional fixes by Nigel Touati-Evans <nigel.touatievans@gmail.com>.

Check the index for streams with a time drift of 2s or a buffer drift
of 64MB.

Bug-Id: 666
CC: libav-stable@libav.org
Sample-Id: yet-another-broken-interleaved-avi.avi

Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years agoaf_channelmap: fix ONE_STR mapping mode
Anton Khirnov [Tue, 4 Mar 2014 06:19:46 +0000 (07:19 +0100)]
af_channelmap: fix ONE_STR mapping mode

get_channel() returns 0 on success

CC:libav-stable@libav.org

5 years agomovenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:15 +0000 (20:20 +0000)]
movenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 565e0c6d866ce08d4b06427456d3d1f4fd856e9c)

5 years agomatroskaenc: allow override of "writing application" tag
John Stebbins [Mon, 3 Mar 2014 20:20:14 +0000 (20:20 +0000)]
matroskaenc: allow override of "writing application" tag

Signed-off-by: Tim Walker <tdskywalker@gmail.com>
CC: libav-stable@libav.org
(cherry picked from commit 0092c1dd8dac2d9e185b58503b447a0d3fb5230d)

5 years agoavfilter: Add missing emms_c when needed
Luca Barbato [Wed, 5 Mar 2014 09:41:33 +0000 (10:41 +0100)]
avfilter: Add missing emms_c when needed

Arch specific calls should have an emms_c following to keep the cpu
state consistent.

Reported-By: wm4
CC: libav-stable@libav.org
(cherry picked from commit e995cf1bccc6e91bbaa6a8771e23fb3ab259c110)

5 years agobuild: Use pkg-config for openjpeg
Pierre Lejeune [Sat, 8 Mar 2014 12:19:17 +0000 (12:19 +0000)]
build: Use pkg-config for openjpeg

Bug-Id: 387
CC: libav-stable@libav.org
5 years agopthread: flush all threads on flush, not just the first one
Diego Biurrun [Wed, 19 Feb 2014 19:33:28 +0000 (20:33 +0100)]
pthread: flush all threads on flush, not just the first one

avcodec_flush_buffers() must release all internally held references
according to its documentation, for which all the threads need to be
flushed.

CC:libav-stable@libav.org
Bug-Id: vlc/9665

5 years agompeg12: check scantable indices in all decode_block functions
Janne Grunau [Fri, 24 Jan 2014 15:22:44 +0000 (16:22 +0100)]
mpeg12: check scantable indices in all decode_block functions

Add checks to the fast functions used with CODEC_FLAGS2_FAST and move
the check for all other functions to before the invalid memory is
accessed. Fixes https://trac.videolan.org/vlc/ticket/9713 with
CODEC_FLAGS2_FAST.

CC: libav-stable@libav.org
5 years agosgidec: fix buffer size check in expand_rle_row()
Anton Khirnov [Thu, 2 Jan 2014 08:34:20 +0000 (09:34 +0100)]
sgidec: fix buffer size check in expand_rle_row()

Right now it will spuriously fail if the linesize is exactly equal to
the data width.

CC:libav-stable@libav.org

5 years agoadx: check that the offset is not negative
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
adx: check that the offset is not negative

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 5569146d48f06564e8fa393424782cceed510916)

5 years agompegvideo: set reference/pict_type on generated reference frames
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
mpegvideo: set reference/pict_type on generated reference frames

Otherwise the generic code will unref them, which can then result in
last_picture_ptr == current_picture_ptr, which causes deadlocks at least
in rv40.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: reset data partitioning at the beginning of each decode call
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data partitioning at the beginning of each decode call

Prevents using GetBitContexts with data from previous calls.

Fixes access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: reset ref count if decoding the slice header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset ref count if decoding the slice header fails

Otherwise the ER code might try to use some already freed references.

Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: reset first_field if frame_start() fails for missing refs
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset first_field if frame_start() fails for missing refs

In this case we may not have a current frame, while first_field being
set implies we do.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: limit allowed pred modes in ff_h264_check_intra_pred_mode() to 3

Higher modes are not allowed for 16x16/chroma, which is what this
function is used for. Otherwise this function would return 0 (vertical
prediction) for invalid higher modes, which could result in invalid
reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: reject mismatching luma/chroma bit depths during sps parsing
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reject mismatching luma/chroma bit depths during sps parsing

There is no point in delaying the check and it avoids bugs with a
half-initialized context.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: check that execute_decode_slices() is not called too many times
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that execute_decode_slices() is not called too many times

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf)

5 years agoh264: do not use 422 functions for monochrome
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: do not use 422 functions for monochrome

Fixes invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: reset data_partitioning if decoding the slice header for NAL_DPA fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset data_partitioning if decoding the slice header for NAL_DPA fails

If it was set before then we can end up trying to decode a slice without
a valid slice header, which can lead to invalid memory access.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 58312b2472d3a44d7458865c459d59ef2e02bf1a)

5 years agoh264_refs: make sure not to write over the bounds of the default ref list
Anton Khirnov [Fri, 15 Nov 2013 18:06:23 +0000 (19:06 +0100)]
h264_refs: make sure not to write over the bounds of the default ref list

Fixes invalid writes.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh264: check buffer size before accessing it
Anton Khirnov [Fri, 15 Nov 2013 09:15:24 +0000 (10:15 +0100)]
h264: check buffer size before accessing it

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agocmdutils: update copyright year to 2014.
Johan Andersson [Sat, 4 Jan 2014 19:47:32 +0000 (20:47 +0100)]
cmdutils: update copyright year to 2014.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 7ce88e5ec41484c452da56853a6897803da9c2a5)

5 years agoPrepare for 9.13 Release
Reinhard Tartler [Sat, 29 Mar 2014 17:10:29 +0000 (13:10 -0400)]
Prepare for 9.13 Release

5 years agodoc: Point to the correct, actually maintained gas-preprocessor repo
Martin Storsjö [Wed, 12 Mar 2014 11:46:04 +0000 (13:46 +0200)]
doc: Point to the correct, actually maintained gas-preprocessor repo

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d15c536123a44362ace6299c391a492c90b83fc7)
Signed-off-by: Martin Storsjö <martin@martin.st>
5 years agoUpdate Changelog for 9.12
Reinhard Tartler [Fri, 14 Mar 2014 00:57:03 +0000 (20:57 -0400)]
Update Changelog for 9.12

5 years agoconfigure: Update freetype check to follow upstream
Luca Barbato [Sat, 21 Dec 2013 16:59:59 +0000 (17:59 +0100)]
configure: Update freetype check to follow upstream

The freetype tutorial suggests to use #include FT_FREETYPE_H.

Bug-Id: 616
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit e61b8fa5605b16a02a2a0ea75afbfc31d7832bba)

5 years agodrawtext: Drop pointless header
Luca Barbato [Sun, 5 Jan 2014 11:30:45 +0000 (12:30 +0100)]
drawtext: Drop pointless header

It should be forward compatible with newer freetype.

(cherry picked from commit d68dc3c9446e38b4d686cc0f55433c9e8d7c128b)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years agoconfigure: Support preprocessor macros as header names
Diego Biurrun [Mon, 23 Dec 2013 00:03:48 +0000 (01:03 +0100)]
configure: Support preprocessor macros as header names

New versions of FreeType have moved the location of their API
header(s) and hide the location behind a macro.

Since the location changes between versions and no other way
to know the location exists, this workaround becomes necessary.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 52ccc4a0ece88030e67254418317d72089a0ecc8)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years agoarm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6
Janne Grunau [Sat, 8 Mar 2014 10:52:14 +0000 (11:52 +0100)]
arm: hpeldsp: fix put_pixels8_y2_{,no_rnd_}armv6

The overread avoidance fix in cbddee1cca0ebd01e8c5aa694d31228eb4de4b41
broke the computation for the last row since it prevented the safe
reading from the height+1-th row.

5 years agoqt-faststart: Check offset_count before reading from the moov_atom buffer
Michael Niedermayer [Thu, 13 Dec 2012 14:07:20 +0000 (15:07 +0100)]
qt-faststart: Check offset_count before reading from the moov_atom buffer

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit bb95334c34d0d9abccea370ae25c4765d7764ab8)
(cherry picked from commit 7754d4838178a5c09c3c3953bb2b90d1abc639e3)

5 years agoarm: hpeldsp: prevent overreads in armv6 asm
Janne Grunau [Wed, 5 Mar 2014 11:44:57 +0000 (12:44 +0100)]
arm: hpeldsp: prevent overreads in armv6 asm

Based on a patch by Russel King <rmk+libav@arm.linux.org.uk>

Bug-Id: 646
CC: libav-stable@libav.org
5 years agoconfigure: enable PIC on s390(x)
Reinhard Tartler [Sun, 2 Mar 2014 07:11:05 +0000 (02:11 -0500)]
configure: enable PIC on s390(x)

The s390 architecture requires shared libraries to be built in PIC mode.
Otherwise applications will get wrong relocations at run-time, leading
to confusing segmentation faults.

CC: libav-stable@libav.org
(cherry picked from commit 5ddc9f5052316608799b932c604f9e7561f8ce24)
(cherry picked from commit 7509c2c4ea2180733cc60ab1a0e0fe4ce2f02a69)

5 years agoituh263: reject b-frame with pp_time = 0
Keiji Costantini [Sat, 1 Mar 2014 18:17:04 +0000 (18:17 +0000)]
ituh263: reject b-frame with pp_time = 0

Avoid a division by 0 in ff_mpeg4_set_one_direct_mv.

Sample-Id: 00000168-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
(cherry picked from commit 9514440337875e0c63b409abcd616b68c518283f)
(cherry picked from commit 5df52b0131d3d4d804ad6e221bc9a2cd8b201ef2)

5 years agolagarith: reallocate rgb_planes when needed
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
lagarith: reallocate rgb_planes when needed

Fixes invalid writes on pixel format changes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 4c3e1956ee35fdcc5ffdb28782050164b4623c0b)

5 years agotruemotion1: check the header size
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
truemotion1: check the header size

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 2240e2078d53d3cfce8ff1dda64e58fa72038602)

5 years agoshorten: pad the internal bitstream buffer
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
shorten: pad the internal bitstream buffer

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)

5 years agosamplefmt: avoid integer overflow in av_samples_get_buffer_size()
Justin Ruggles [Thu, 30 Jan 2014 19:08:38 +0000 (14:08 -0500)]
samplefmt: avoid integer overflow in av_samples_get_buffer_size()

CC:libav-stable@libav.org
(cherry picked from commit 0e830094ad0dc251613a0aa3234d9c5c397e02e6)

5 years agoh264: Fix a typo from the previous commit
Luca Barbato [Sat, 22 Feb 2014 10:19:03 +0000 (11:19 +0100)]
h264: Fix a typo from the previous commit

f777504f640260337974848c7d5d7a3f064bbb45 changed a - in +

CC: libav-stable@libav.org
(cherry picked from commit d922c5a5fbaf0b6c73bd8c81ae059bc6e406961c)
(cherry picked from commit 3ce77e04c2ca4b9e7fa6b94b51e8d7c5f188da86)

5 years agoh264: Lower bound check for slice offsets
Vittorio Giovara [Thu, 20 Feb 2014 01:38:32 +0000 (02:38 +0100)]
h264: Lower bound check for slice offsets

And use the value from the specification.

Sample-Id: 00000451-google
Found-by: Mateusz j00ru Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit f777504f640260337974848c7d5d7a3f064bbb45)
(cherry picked from commit 5bd083d0216d9ee649039c84999fb61386536ac1)

Conflicts:
libavcodec/h264.c

5 years agoAdd missing header to fix compilation after d2a0654
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
Add missing header to fix compilation after d2a0654

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoPrepare for 9.12 RELEASE
Reinhard Tartler [Sat, 1 Mar 2014 00:22:56 +0000 (19:22 -0500)]
Prepare for 9.12 RELEASE

5 years agoconfigure: Add missing dependency of Snow decoder on videodsp
Diego Biurrun [Fri, 21 Feb 2014 09:31:39 +0000 (10:31 +0100)]
configure: Add missing dependency of Snow decoder on videodsp

5 years agorpza: limit the number of blocks to the total remaining blocks in the frame
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
rpza: limit the number of blocks to the total remaining blocks in the frame

Fixes invalid writes.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 77bb0004bbe18f1498cfecdc68db5f10808b6599)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years agoUpdate Changelog for 9.11
Reinhard Tartler [Sun, 2 Feb 2014 18:08:08 +0000 (13:08 -0500)]
Update Changelog for 9.11

5 years agooggparseogm: check timing variables
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
oggparseogm: check timing variables

Fixes a potential divide by zero.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agomathematics: remove asserts from av_rescale_rnd()
Anton Khirnov [Thu, 12 Dec 2013 06:34:13 +0000 (07:34 +0100)]
mathematics: remove asserts from av_rescale_rnd()

It is a public function, it must not assert on its parameters.

(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agovc1: Always reset numref when parsing a new frame header.
Michael Niedermayer [Sun, 19 Jan 2014 15:28:25 +0000 (15:28 +0000)]
vc1: Always reset numref when parsing a new frame header.

Fixes an issue where the B-frame coding mode switches from interlaced
fields to interlaced frames, causing incorrect decisions in the motion
compensation code and resulting in visual artifacts.

CC: libav-stable@libav.org
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoh264: reset num_reorder_frames if it is invalid
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: reset num_reorder_frames if it is invalid

An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/h264_ps.c

5 years agoh264: check that an IDR NAL only contains I slices
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
h264: check that an IDR NAL only contains I slices

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 8b2e5e42bb9d6a59ede5af2e6df4aaf7750d1195)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agomov: Free an earlier allocated array if allocating a new one
Martin Storsjö [Mon, 13 Jan 2014 12:46:07 +0000 (14:46 +0200)]
mov: Free an earlier allocated array if allocating a new one

It could probably also be considered an error if the pointer isn't
null at this point, but then we might risk rejecting some
slightly broken files that we might have handled so far.

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 2620df13104ddaa136158eb6bb1195adbf9d7692)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agomov: Free intermediate arrays in the normal cleanup function
Martin Storsjö [Mon, 13 Jan 2014 12:43:23 +0000 (14:43 +0200)]
mov: Free intermediate arrays in the normal cleanup function

These arrays are normally freed at the end of mov_read_trak,
but make sure they're freed in case mov_read_trak returned
early (due to errors) or in case the atoms that allocate arrays
are encountered at some other point than within a trak (which
we don't have checks against).

Sample-Id: 00000496-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d51f09962d5b4bc999fb70c040f330dd1873212e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agosegafilm: fix leaks if reading the header fails
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
segafilm: fix leaks if reading the header fails

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 6892d145a0c80249bd61ee7dd31ec851c5076bcd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoh264_cavlc: check the size of the intra PCM data.
Anton Khirnov [Fri, 15 Nov 2013 08:42:26 +0000 (09:42 +0100)]
h264_cavlc: check the size of the intra PCM data.

Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agoh263: Check init_get_bits return value
Michael Niedermayer [Sat, 26 Oct 2013 17:02:34 +0000 (19:02 +0200)]
h263: Check init_get_bits return value

And use init_get_bits8 to check for integer overflows while at it.

CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years agocavsdec: check ff_get_buffer() return value
Anton Khirnov [Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)]
cavsdec: check ff_get_buffer() return value

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

5 years agocavs: Check for negative cbp
Luca Barbato [Sun, 13 Oct 2013 01:30:06 +0000 (03:30 +0200)]
cavs: Check for negative cbp

Sample-Id: 00000647-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
5 years agoavi: DV in AVI must be considered single stream
Luca Barbato [Tue, 6 Aug 2013 01:38:12 +0000 (03:38 +0200)]
avi: DV in AVI must be considered single stream

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
5 years agovmnc: Check the cursor dimensions
Luca Barbato [Wed, 9 Oct 2013 03:51:20 +0000 (05:51 +0200)]
vmnc: Check the cursor dimensions

And manage the reallocation failure path.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5e992a4682d2c09eed3839c6cacf70db3b65c2f4)

5 years agovmnc: Port to bytestream2
Luca Barbato [Wed, 9 Oct 2013 03:13:59 +0000 (05:13 +0200)]
vmnc: Port to bytestream2

Fix some buffer overreads.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
5 years agovmnc: K&R formatting cosmetics
Luca Barbato [Wed, 9 Oct 2013 10:58:42 +0000 (12:58 +0200)]
vmnc: K&R formatting cosmetics

Signed-off-by: Diego Biurrun <diego@biurrun.de>
5 years agoflashsv: Check diff_start diff_height values
Michael Niedermayer [Tue, 20 Aug 2013 21:18:48 +0000 (23:18 +0200)]
flashsv: Check diff_start diff_height values

Fix out of array accesses.

Found-by: ami_stuff
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Adresses: CVE-2013-7015
(cherry picked from commit 57070b1468edc6ac8cb3696c817f3c943975d4c1)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agodsputil/pngdsp: fix signed/unsigned type in end comparison
Michael Niedermayer [Fri, 30 Aug 2013 21:14:32 +0000 (23:14 +0200)]
dsputil/pngdsp: fix signed/unsigned type in end comparison

Fixes out of array accesses and integer overflows.

(cherry picked from commit d1916d13e28b87f4b1b214231149e12e1d536b4b)
Adresses: CVE-2013-7010, CVE-2013-7014

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agolavf: make av_probe_input_buffer more robust
Anton Khirnov [Mon, 13 Jan 2014 12:47:07 +0000 (13:47 +0100)]
lavf: make av_probe_input_buffer more robust

Always use the actually read size as the offset instead of making
possibly invalid assumptions.

Addresses: CVE-2012-6618

(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)

Conflicts:
libavformat/utils.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years agolavf: use a fixed width type
Anton Khirnov [Mon, 13 Jan 2014 10:56:59 +0000 (11:56 +0100)]
lavf: use a fixed width type

It's shorter and more consistent with the rest of the code.

(cherry picked from commit 8b76362836f3c373c3aadc544522edcbef16dd5f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years agolavf: simplify handling of offset in av_probe_input_buffer()
Anton Khirnov [Mon, 13 Jan 2014 10:55:18 +0000 (11:55 +0100)]
lavf: simplify handling of offset in av_probe_input_buffer()

(cherry picked from commit c1868e7ee7b07b40a0fe15f50df89fe499a01a50)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
5 years agoprores: Error out only on surely incomplete ac_coeffs
Luca Barbato [Thu, 10 Oct 2013 08:26:31 +0000 (10:26 +0200)]
prores: Error out only on surely incomplete ac_coeffs

(cherry picked from commit 2df7f7714a12a59d31058aba15fb1e348e36b0ab)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
5 years agoshorten: Fix out-of-array read
Tim Walker [Wed, 9 Oct 2013 09:47:04 +0000 (11:47 +0200)]
shorten: Fix out-of-array read

pred_order == FF_ARRAY_ELEMS(fixed_coeffs) is invalid too.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 5f5ada3dbf97e306a74250ba8dcf8619ad59b020)
Signed-off-by: Tim Walker <tdskywalker@gmail.com>
5 years agoprores: Add a codepath for decoding errors
Luca Barbato [Thu, 10 Oct 2013 06:40:39 +0000 (08:40 +0200)]
prores: Add a codepath for decoding errors

(cherry picked from commit 44690dfa683f620c77e9f0e8e9bc5682608636b1)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
5 years agonut: Fix unchecked allocations
Derek Buitenhuis [Tue, 22 Oct 2013 15:11:11 +0000 (16:11 +0100)]
nut: Fix unchecked allocations

CC: libav-stable@libav.org
(cherry picked from commit b1fcdc08ceb5df69fac34aa0d57c56905d32b8b4)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
5 years agoavi: directly resync on DV in AVI read failure
Luca Barbato [Tue, 6 Aug 2013 01:52:48 +0000 (03:52 +0200)]
avi: directly resync on DV in AVI read failure

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit ceec6e792e4b5baaa23b220f4fd33417631f5288)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agomov: Don't allocate arrays with av_malloc that will be realloced
Martin Storsjö [Fri, 4 Oct 2013 06:52:02 +0000 (09:52 +0300)]
mov: Don't allocate arrays with av_malloc that will be realloced

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b698542ad83284fbb8c22404e3cafeb2dd739d38)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoshorten: Extend fixed_coeffs to properly support pred_order 0
Luca Barbato [Wed, 4 Sep 2013 17:26:36 +0000 (19:26 +0200)]
shorten: Extend fixed_coeffs to properly support pred_order 0

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit b2148faca9e9e553c14b27844b56e367c85a777e)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoPrepare for 9.11 RELEASE
Reinhard Tartler [Sun, 5 Jan 2014 22:23:12 +0000 (17:23 -0500)]
Prepare for 9.11 RELEASE

5 years agoavi: properly fail if the dv demuxer is missing
Luca Barbato [Mon, 5 Aug 2013 23:39:07 +0000 (01:39 +0200)]
avi: properly fail if the dv demuxer is missing

CC: libav-stable@libav.org
(cherry picked from commit 1cac9accbd1f9b8596122d0735e37b97a844c514)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoprores: Reject negative run and level values
Luca Barbato [Thu, 10 Oct 2013 19:02:10 +0000 (21:02 +0200)]
prores: Reject negative run and level values

Sample-Id: 00000611-google

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c0de9a23c7080e2fac8f879b9d9a0ce2b64ea953)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoaudio_mix: fix channel order in mix_1_to_2_fltp_flt_c
Anton Khirnov [Wed, 2 Oct 2013 14:40:02 +0000 (16:40 +0200)]
audio_mix: fix channel order in mix_1_to_2_fltp_flt_c

CC:libav-stable@libav.org
(cherry picked from commit df6737a55f5dc7c0ae5272bc5fa6182836d5481c)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoindeo4: Check the inherited quant_mat
Luca Barbato [Fri, 11 Oct 2013 09:34:03 +0000 (11:34 +0200)]
indeo4: Check the inherited quant_mat

Invalidate it if not supported.

Sample-Id: 00000262-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c9ef6b09326a24010bf86d6b0d19cfa42df4d546)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/indeo4.c

5 years agoindeo4: Check the block size if reusing the band configuration
Luca Barbato [Fri, 11 Oct 2013 08:51:53 +0000 (10:51 +0200)]
indeo4: Check the block size if reusing the band configuration

Sample-Id: 00000287-google

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 0cb83c563848bf8f8365e7bd30e7e6b57ef360f0)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoffv1: Assume bitdepth 0 means 8bit
Luca Barbato [Sun, 13 Oct 2013 13:34:47 +0000 (15:34 +0200)]
ffv1: Assume bitdepth 0 means 8bit

CC: libav-stable@libav.org
Reported-by: debian/726189
(cherry picked from commit a90905db2e6ab1840890f3a88bfd3bf008b9d886)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
5 years agoalsa-audio-dec: explicitly cast the delay to a signed int64
Anton Khirnov [Sun, 1 Dec 2013 08:27:01 +0000 (09:27 +0100)]
alsa-audio-dec: explicitly cast the delay to a signed int64

Otherwise the expression will be evaluated as unsigned, which will break
when the result should be negative.
CC:libav-stable@libav.org

(cherry picked from commit 089fac77a6bf9199a5ec161e9c27850f0a680541)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>