aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2011-10-02 21:37:59 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-10-02 21:37:59 +0200
commit7fc85451fd47a4607f3cc47d1daa84ae122f5a46 (patch)
treef94ae472ddeea47eee50ef33ee6ecdd3e7e1e501
parent42c8fdb943b210b2f79e2510a91ca0f542c9bad0 (diff)
parentb89a0c9d7f4c4a23d709761033ad5e2f9c2881fa (diff)
downloadffmpeg-7fc85451fd47a4607f3cc47d1daa84ae122f5a46.tar.gz
Merge branch 'release/0.8' into release/0.7
* release/0.8: (185 commits) h264: fix intra 16x16 mode check when using mbaff and constrained_intra_pred. h264: check for invalid bit depth value. h264: add entries for 11 and 12 bits in ff_h264_chroma_qp[][] h264: fix the check for invalid SPS:num_ref_frames. h264: do not let invalid values in h->ref_count on ff_h264_decode_ref_pic_list_reordering() errors. Reject video with non multiple of 16 width/height in the 4xm decoder. 4xm decoder: fix data size for i2 frames. 4xm decoder: print some error messages in case of errors. Check for out of bound accesses in the 4xm decoder. Prevent block size from inreasing in the shorten decoder. Check for out of bound reads in PTX decoder. Clear FF_INPUT_BUFFER_PADDING_SIZE bytes at the end of the temporary buffers used in 4xm decoder. Fix the check for missing references in ff_er_frame_end() for H264. Prevent NULL dereference when the huffman table is invalid in the 4xm decoder. Fix use of uninitialized memory in 4X Technologies demuxer. h264: increase ref_poc size to 32 as it can be per field. h264: set unused ref_counts to 0 as a precautionary meassure. Remove Chnagelog it has nothing to do with reality fate: fix motion pixels checksum change caused by backported bugfix avienc: Add a limit on the number of skiped frames muxed in a row. ... Conflicts: Doxyfile RELEASE VERSION libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--Changelog720
-rw-r--r--LICENSE6
-rw-r--r--Makefile7
-rwxr-xr-xconfigure19
-rw-r--r--doc/filters.texi6
-rw-r--r--doc/general.texi4
-rw-r--r--ffmpeg.c4
-rw-r--r--libavcodec/4xm.c96
-rw-r--r--libavcodec/Makefile1
-rw-r--r--libavcodec/aacsbr.c2
-rw-r--r--libavcodec/adpcm.c6
-rw-r--r--libavcodec/allcodecs.c1
-rw-r--r--libavcodec/anm.c2
-rw-r--r--libavcodec/avs.c11
-rw-r--r--libavcodec/bink.c27
-rw-r--r--libavcodec/bitstream.c4
-rw-r--r--libavcodec/dca.c5
-rw-r--r--libavcodec/dsicinav.c4
-rw-r--r--libavcodec/eacmv.c18
-rw-r--r--libavcodec/error_resilience.c2
-rw-r--r--libavcodec/flacdec.c4
-rw-r--r--libavcodec/flicvideo.c44
-rw-r--r--libavcodec/h264.c64
-rw-r--r--libavcodec/h264.h13
-rw-r--r--libavcodec/h264_cabac.c4
-rw-r--r--libavcodec/h264_cavlc.c4
-rw-r--r--libavcodec/h264_parser.c2
-rw-r--r--libavcodec/h264_ps.c22
-rw-r--r--libavcodec/h264_refs.c2
-rw-r--r--libavcodec/j2k_dwt.c2
-rw-r--r--libavcodec/j2kdec.c9
-rw-r--r--libavcodec/libaacplus.c136
-rw-r--r--libavcodec/libvpxenc.c4
-rw-r--r--libavcodec/libx264.c10
-rw-r--r--libavcodec/motionpixels.c9
-rw-r--r--libavcodec/mpc8.c4
-rw-r--r--libavcodec/mpegvideo.c4
-rw-r--r--libavcodec/mpegvideo.h2
-rw-r--r--libavcodec/mpegvideo_enc.c5
-rw-r--r--libavcodec/ppc/asm.S23
-rw-r--r--libavcodec/ppc/fft_altivec_s.S7
-rw-r--r--libavcodec/ptx.c8
-rw-r--r--libavcodec/qdm2.c6
-rw-r--r--libavcodec/qdrw.c12
-rw-r--r--libavcodec/shorten.c12
-rw-r--r--libavcodec/sunrast.c30
-rw-r--r--libavcodec/svq3.c4
-rw-r--r--libavcodec/tiertexseqv.c65
-rw-r--r--libavcodec/tiff.c40
-rw-r--r--libavcodec/tiffenc.c2
-rw-r--r--libavcodec/utils.c5
-rw-r--r--libavcodec/vmdav.c96
-rw-r--r--libavcodec/vp56.c5
-rw-r--r--libavcodec/vp6.c5
-rw-r--r--libavcodec/wavpack.c14
-rw-r--r--libavcodec/wmaprodec.c24
-rw-r--r--libavcodec/wmavoice.c10
-rw-r--r--libavcodec/ws-snd1.c80
-rw-r--r--libavcodec/x86/fft_3dn2.c4
-rw-r--r--libavcodec/x86/fft_sse.c4
-rw-r--r--libavcodec/xan.c53
-rw-r--r--libavfilter/vf_scale.c2
-rw-r--r--libavfilter/vf_unsharp.c10
-rw-r--r--libavformat/4xm.c9
-rw-r--r--libavformat/anm.c23
-rw-r--r--libavformat/avidec.c2
-rw-r--r--libavformat/avienc.c7
-rw-r--r--libavformat/aviobuf.c4
-rw-r--r--libavformat/avs.c4
-rw-r--r--libavformat/gxfenc.c10
-rw-r--r--libavformat/matroskadec.c15
-rw-r--r--libavformat/mov.c36
-rw-r--r--libavformat/movenc.c5
-rw-r--r--libavformat/mpc8.c2
-rw-r--r--libavformat/psxstr.c54
-rw-r--r--libavformat/utils.c24
-rw-r--r--libavutil/mem.c22
-rw-r--r--libavutil/mem.h38
-rw-r--r--libswscale/Makefile2
-rw-r--r--libswscale/ppc/swscale_altivec.c6
-rw-r--r--libswscale/x86/swscale_template.c10
-rw-r--r--tests/fate.mak2
-rwxr-xr-xtests/lavf-regression.sh3
-rw-r--r--tests/ref/acodec/alac2
-rw-r--r--tests/ref/acodec/pcm8
-rw-r--r--tests/ref/fate/motionpixels2
-rw-r--r--tests/ref/lavf/mov2
-rw-r--r--tests/ref/lavf/mxf3
-rw-r--r--tests/ref/lavf/mxf_d103
89 files changed, 1058 insertions, 1050 deletions
diff --git a/Changelog b/Changelog
deleted file mode 100644
index 0b38b880f6..0000000000
--- a/Changelog
+++ /dev/null
@@ -1,720 +0,0 @@
-Entries are sorted chronologically from oldest to youngest within each release,
-releases are sorted from youngest to oldest.
-
-
-version 0.7.1:
-
-- added various additional FOURCC codec identifiers
-- H.264 4:4:4 fixes
-- build system and compilation fixes
-- Doxygen and general documentation corrections and improvements
-- fixed segfault in ffprobe
-- behavioral fix in av_open_input_stream()
-- Licensing clarification for LGPL'ed vf_gradfun
-- bugfixes while seeking in multithreaded decoding
-- support newer versions of OpenCV
-- ffmpeg: fix operation with --disable-avfilter
-- fixed integer underflow in matroska decoder
-
-version 0.7:
-
-- many many things we forgot because we rather write code than changelogs
-- libmpcodecs video filter support (3 times as many filters than before)
-- mpeg2 aspect ratio dection fixed
-- libxvid aspect pickiness fixed
-- Frame multithreaded decoding
-- E-AC-3 audio encoder
-- ac3enc: add channel coupling support
-- floating-point sample format support for (E-)AC-3, DCA, AAC, Vorbis decoders
-- H.264/MPEG frame-level multithreading
-- av_metadata_* functions renamed to av_dict_* and moved to libavutil
-- 4:4:4 H.264 decoding support
-- 10-bit H.264 optimizations for x86
-- lut, lutrgb, and lutyuv filters added
-- buffersink libavfilter sink added
-- bump libswscale for recently reported ABI break
-
-
-version 0.7_beta2:
-
-- VP8 frame-level multithreading
-- NEON optimizations for VP8
-- removed a lot of deprecated API cruft
-- FFT and IMDCT optimizations for AVX (Sandy Bridge) processors
-- showinfo filter added
-- DPX image encoder
-- SMPTE 302M AES3 audio decoder
-- Apple Core Audio Format muxer
-- 9bit and 10bit per sample support in the H.264 decoder
-- 9bit and 10bit FFV1 encoding / decoding
-- split filter added
-- select filter added
-- sdl output device added
-
-
-version 0.7_beta1:
-
-- WebM support in Matroska de/muxer
-- low overhead Ogg muxing
-- MMS-TCP support
-- VP8 de/encoding via libvpx
-- Demuxer for On2's IVF format
-- Pictor/PC Paint decoder
-- HE-AAC v2 decoder
-- libfaad2 wrapper removed
-- DTS-ES extension (XCh) decoding support
-- native VP8 decoder
-- RTSP tunneling over HTTP
-- RTP depacketization of SVQ3
-- -strict inofficial replaced by -strict unofficial
-- ffplay -exitonkeydown and -exitonmousedown options added
-- native GSM / GSM MS decoder
-- RTP depacketization of QDM2
-- ANSI/ASCII art playback system
-- Lego Mindstorms RSO de/muxer
-- libavcore added
-- SubRip subtitle file muxer and demuxer
-- Chinese AVS encoding via libxavs
-- ffprobe -show_packets option added
-- RTP packetization of Theora and Vorbis
-- RTP depacketization of MP4A-LATM
-- RTP packetization and depacketization of VP8
-- hflip filter
-- Apple HTTP Live Streaming demuxer
-- a64 codec
-- MMS-HTTP support
-- G.722 ADPCM audio encoder/decoder
-- R10k video decoder
-- ocv_smooth filter
-- frei0r wrapper filter
-- change crop filter syntax to width:height:x:y
-- make the crop filter accept parametric expressions
-- make ffprobe accept AVFormatContext options
-- yadif filter
-- blackframe filter
-- Demuxer for Leitch/Harris' VR native stream format (LXF)
-- RTP depacketization of the X-QT QuickTime format
-- SAP (Session Announcement Protocol, RFC 2974) muxer and demuxer
-- cropdetect filter
-- ffmpeg -crop* options removed
-- transpose filter added
-- ffmpeg -force_key_frames option added
-- demuxer for receiving raw rtp:// URLs without an SDP description
-- single stream LATM/LOAS decoder
-- setpts filter added
-- Win64 support for optimized x86 assembly functions
-- MJPEG/AVI1 to JPEG/JFIF bitstream filter
-- ASS subtitle encoder and decoder
-- IEC 61937 encapsulation for E-AC-3, TrueHD, DTS-HD (for HDMI passthrough)
-- overlay filter added
-- rename aspect filter to setdar, and pixelaspect to setsar
-- IEC 61937 demuxer
-- Mobotix .mxg demuxer
-- frei0r source added
-- hqdn3d filter added
-- RTP depacketization of QCELP
-- FLAC parser added
-- gradfun filter added
-- AMR-WB decoder
-- replace the ocv_smooth filter with a more generic ocv filter
-- Windows Televison (WTV) demuxer
-- FFmpeg metadata format muxer and demuxer
-- SubRip (srt) subtitle encoder and decoder
-- floating-point AC-3 encoder added
-- Lagarith decoder
-- ffmpeg -copytb option added
-- IVF muxer added
-- Wing Commander IV movies decoder added
-- movie source added
-- Bink version 'b' audio and video decoder
-- Bitmap Brothers JV playback system
-- Apple HTTP Live Streaming protocol handler
-- sndio support for playback and record
-- Linux framebuffer input device added
-- Chronomaster DFA decoder
-- DPX image encoder
-- MicroDVD subtitle file muxer and demuxer
-- Playstation Portable PMP format demuxer
-- fieldorder video filter added
-- AAC encoding via libvo-aacenc
-- AMR-WB encoding via libvo-amrwbenc
-- xWMA demuxer
-- Mobotix MxPEG decoder
-
-
-version 0.6:
-
-- PB-frame decoding for H.263
-- deprecated vhook subsystem removed
-- deprecated old scaler removed
-- VQF demuxer
-- Alpha channel scaler
-- PCX encoder
-- RTP packetization of H.263
-- RTP packetization of AMR
-- RTP depacketization of Vorbis
-- CorePNG decoding support
-- Cook multichannel decoding support
-- introduced avlanguage helpers in libavformat
-- 8088flex TMV demuxer and decoder
-- per-stream language-tags extraction in asfdec
-- V210 decoder and encoder
-- remaining GPL parts in AC-3 decoder converted to LGPL
-- QCP demuxer
-- SoX native format muxer and demuxer
-- AMR-NB decoding/encoding, AMR-WB decoding via OpenCORE libraries
-- DPX image decoder
-- Electronic Arts Madcow decoder
-- DivX (XSUB) subtitle encoder
-- nonfree libamr support for AMR-NB/WB decoding/encoding removed
-- experimental AAC encoder
-- RTP depacketization of ASF and RTSP from WMS servers
-- RTMP support in libavformat
-- noX handling for OPT_BOOL X options
-- Wave64 demuxer
-- IEC-61937 compatible Muxer
-- TwinVQ decoder
-- Bluray (PGS) subtitle decoder
-- LPCM support in MPEG-TS (HDMV RID as found on Blu-ray disks)
-- WMA Pro decoder
-- Core Audio Format demuxer
-- Atrac1 decoder
-- MD STUDIO audio demuxer
-- RF64 support in WAV demuxer
-- MPEG-4 Audio Lossless Coding (ALS) decoder
-- -formats option split into -formats, -codecs, -bsfs, and -protocols
-- IV8 demuxer
-- CDG demuxer and decoder
-- R210 decoder
-- Auravision Aura 1 and 2 decoders
-- Deluxe Paint Animation playback system
-- SIPR decoder
-- Adobe Filmstrip muxer and demuxer
-- RTP depacketization of H.263
-- Bink demuxer and audio/video decoders
-- enable symbol versioning by default for linkers that support it
-- IFF PBM/ILBM bitmap decoder
-- concat protocol
-- Indeo 5 decoder
-- RTP depacketization of AMR
-- WMA Voice decoder
-- ffprobe tool
-- AMR-NB decoder
-- RTSP muxer
-- HE-AAC v1 decoder
-- Kega Game Video (KGV1) decoder
-- VorbisComment writing for FLAC, Ogg FLAC and Ogg Speex files
-- RTP depacketization of Theora
-- HTTP Digest authentication
-- RTMP/RTMPT/RTMPS/RTMPE/RTMPTE protocol support via librtmp
-- Psygnosis YOP demuxer and video decoder
-- spectral extension support in the E-AC-3 decoder
-- unsharp video filter
-- RTP hinting in the mov/3gp/mp4 muxer
-- Dirac in Ogg demuxing
-- seek to keyframes in Ogg
-- 4:2:2 and 4:4:4 Theora decoding
-- 35% faster VP3/Theora decoding
-- faster AAC decoding
-- faster H.264 decoding
-- RealAudio 1.0 (14.4K) encoder
-
-
-version 0.5:
-
-- DV50 AKA DVCPRO50 encoder, decoder, muxer and demuxer
-- TechSmith Camtasia (TSCC) video decoder
-- IBM Ultimotion (ULTI) video decoder
-- Sierra Online audio file demuxer and decoder
-- Apple QuickDraw (qdrw) video decoder
-- Creative ADPCM audio decoder (16 bits as well as 8 bits schemes)
-- Electronic Arts Multimedia (WVE/UV2/etc.) file demuxer
-- Miro VideoXL (VIXL) video decoder
-- H.261 video encoder
-- QPEG video decoder
-- Nullsoft Video (NSV) file demuxer
-- Shorten audio decoder
-- LOCO video decoder
-- Apple Lossless Audio Codec (ALAC) decoder
-- Winnov WNV1 video decoder
-- Autodesk Animator Studio Codec (AASC) decoder
-- Indeo 2 video decoder
-- Fraps FPS1 video decoder
-- Snow video encoder/decoder
-- Sonic audio encoder/decoder
-- Vorbis audio decoder
-- Macromedia ADPCM decoder
-- Duck TrueMotion 2 video decoder
-- support for decoding FLX and DTA extensions in FLIC files
-- H.264 custom quantization matrices support
-- ffserver fixed, it should now be usable again
-- QDM2 audio decoder
-- Real Cooker audio decoder
-- TrueSpeech audio decoder
-- WMA2 audio decoder fixed, now all files should play correctly
-- RealAudio 14.4 and 28.8 decoders fixed
-- JPEG-LS decoder
-- build system improvements
-- tabs and trailing whitespace removed from the codebase
-- CamStudio video decoder
-- AIFF/AIFF-C audio format, encoding and decoding
-- ADTS AAC file reading and writing
-- Creative VOC file reading and writing
-- American Laser Games multimedia (*.mm) playback system
-- Zip Motion Blocks Video decoder
-- improved Theora/VP3 decoder
-- True Audio (TTA) decoder
-- AVS demuxer and video decoder
-- JPEG-LS encoder
-- Smacker demuxer and decoder
-- NuppelVideo/MythTV demuxer and RTjpeg decoder
-- KMVC decoder
-- MPEG-2 intra VLC support
-- MPEG-2 4:2:2 encoder
-- Flash Screen Video decoder
-- GXF demuxer
-- Chinese AVS decoder
-- GXF muxer
-- MXF demuxer
-- VC-1/WMV3/WMV9 video decoder
-- MacIntel support
-- AVISynth support
-- VMware video decoder
-- VP5 video decoder
-- VP6 video decoder
-- WavPack lossless audio decoder
-- Targa (.TGA) picture decoder
-- Vorbis audio encoder
-- Delphine Software .cin demuxer/audio and video decoder
-- Tiertex .seq demuxer/video decoder
-- MTV demuxer
-- TIFF picture encoder and decoder
-- GIF picture decoder
-- Intel Music Coder decoder
-- Zip Motion Blocks Video encoder
-- Musepack decoder
-- Flash Screen Video encoder
-- Theora encoding via libtheora
-- BMP encoder
-- WMA encoder
-- GSM-MS encoder and decoder
-- DCA decoder
-- DXA demuxer and decoder
-- DNxHD decoder
-- Gamecube movie (.THP) playback system
-- Blackfin optimizations
-- Interplay C93 demuxer and video decoder
-- Bethsoft VID demuxer and video decoder
-- CRYO APC demuxer
-- Atrac3 decoder
-- V.Flash PTX decoder
-- RoQ muxer, RoQ audio encoder
-- Renderware TXD demuxer and decoder
-- extern C declarations for C++ removed from headers
-- sws_flags command line option
-- codebook generator
-- RoQ video encoder
-- QTRLE encoder
-- OS/2 support removed and restored again
-- AC-3 decoder
-- NUT muxer
-- additional SPARC (VIS) optimizations
-- Matroska muxer
-- slice-based parallel H.264 decoding
-- Monkey's Audio demuxer and decoder
-- AMV audio and video decoder
-- DNxHD encoder
-- H.264 PAFF decoding
-- Nellymoser ASAO decoder
-- Beam Software SIFF demuxer and decoder
-- libvorbis Vorbis decoding removed in favor of native decoder
-- IntraX8 (J-Frame) subdecoder for WMV2 and VC-1
-- Ogg (Theora, Vorbis and FLAC) muxer
-- The "device" muxers and demuxers are now in a new libavdevice library
-- PC Paintbrush PCX decoder
-- Sun Rasterfile decoder
-- TechnoTrend PVA demuxer
-- Linux Media Labs MPEG-4 (LMLM4) demuxer
-- AVM2 (Flash 9) SWF muxer
-- QT variant of IMA ADPCM encoder
-- VFW grabber
-- iPod/iPhone compatible mp4 muxer
-- Mimic decoder
-- MSN TCP Webcam stream demuxer
-- RL2 demuxer / decoder
-- IFF demuxer
-- 8SVX audio decoder
-- non-recursive Makefiles
-- BFI demuxer
-- MAXIS EA XA (.xa) demuxer / decoder
-- BFI video decoder
-- OMA demuxer
-- MLP/TrueHD decoder
-- Electronic Arts CMV decoder
-- Motion Pixels Video decoder
-- Motion Pixels MVI demuxer
-- removed animated GIF decoder/demuxer
-- D-Cinema audio muxer
-- Electronic Arts TGV decoder
-- Apple Lossless Audio Codec (ALAC) encoder
-- AAC decoder
-- floating point PCM encoder/decoder
-- MXF muxer
-- DV100 AKA DVCPRO HD decoder and demuxer
-- E-AC-3 support added to AC-3 decoder
-- Nellymoser ASAO encoder
-- ASS and SSA demuxer and muxer
-- liba52 wrapper removed
-- SVQ3 watermark decoding support
-- Speex decoding via libspeex
-- Electronic Arts TGQ decoder
-- RV40 decoder
-- QCELP / PureVoice decoder
-- RV30 decoder
-- hybrid WavPack support
-- R3D REDCODE demuxer
-- ALSA support for playback and record
-- Electronic Arts TQI decoder
-- OpenJPEG based JPEG 2000 decoder
-- NC (NC4600) camera file demuxer
-- Gopher client support
-- MXF D-10 muxer
-- generic metadata API
-- flash ScreenVideo2 encoder
-
-
-version 0.4.9-pre1:
-
-- DV encoder, DV muxer
-- Microsoft RLE video decoder
-- Microsoft Video-1 decoder
-- Apple Animation (RLE) decoder
-- Apple Graphics (SMC) decoder
-- Apple Video (RPZA) decoder
-- Cinepak decoder
-- Sega FILM (CPK) file demuxer
-- Westwood multimedia support (VQA & AUD files)
-- Id Quake II CIN playback support
-- 8BPS video decoder
-- FLIC playback support
-- RealVideo 2.0 (RV20) decoder
-- Duck TrueMotion v1 (DUCK) video decoder
-- Sierra VMD demuxer and video decoder
-- MSZH and ZLIB decoder support
-- SVQ1 video encoder
-- AMR-WB support
-- PPC optimizations
-- rate distortion optimal cbp support
-- rate distorted optimal ac prediction for MPEG-4
-- rate distorted optimal lambda->qp support
-- AAC encoding with libfaac
-- Sunplus JPEG codec (SP5X) support
-- use Lagrange multipler instead of QP for ratecontrol
-- Theora/VP3 decoding support
-- XA and ADX ADPCM codecs
-- export MPEG-2 active display area / pan scan
-- Add support for configuring with IBM XLC
-- floating point AAN DCT
-- initial support for zygo video (not complete)
-- RGB ffv1 support
-- new audio/video parser API
-- av_log() system
-- av_read_frame() and av_seek_frame() support
-- missing last frame fixes
-- seek by mouse in ffplay
-- noise reduction of DCT coefficients
-- H.263 OBMC & 4MV support
-- H.263 alternative inter vlc support
-- H.263 loop filter
-- H.263 slice structured mode
-- interlaced DCT support for MPEG-2 encoding
-- stuffing to stay above min_bitrate
-- MB type & QP visualization
-- frame stepping for ffplay
-- interlaced motion estimation
-- alternate scantable support
-- SVCD scan offset support
-- closed GOP support
-- SSE2 FDCT
-- quantizer noise shaping
-- G.726 ADPCM audio codec
-- MS ADPCM encoding
-- multithreaded/SMP motion estimation
-- multithreaded/SMP encoding for MPEG-1/MPEG-2/MPEG-4/H.263
-- multithreaded/SMP decoding for MPEG-2
-- FLAC decoder
-- Metrowerks CodeWarrior suppport
-- H.263+ custom pcf support
-- nicer output for 'ffmpeg -formats'
-- Matroska demuxer
-- SGI image format, encoding and decoding
-- H.264 loop filter support
-- H.264 CABAC support
-- nicer looking arrows for the motion vector visualization
-- improved VCD support
-- audio timestamp drift compensation
-- MPEG-2 YUV 422/444 support
-- polyphase kaiser windowed sinc and blackman nuttall windowed sinc audio resample
-- better image scaling
-- H.261 support
-- correctly interleave packets during encoding
-- VIS optimized motion compensation
-- intra_dc_precision>0 encoding support
-- support reuse of motion vectors/MB types/field select values of the source video
-- more accurate deblock filter
-- padding support
-- many optimizations and bugfixes
-- FunCom ISS audio file demuxer and according ADPCM decoding
-
-
-version 0.4.8:
-
-- MPEG-2 video encoding (Michael)
-- Id RoQ playback subsystem (Mike Melanson and Tim Ferguson)
-- Wing Commander III Movie (.mve) file playback subsystem (Mike Melanson
- and Mario Brito)
-- Xan DPCM audio decoder (Mario Brito)
-- Interplay MVE playback subsystem (Mike Melanson)
-- Duck DK3 and DK4 ADPCM audio decoders (Mike Melanson)
-
-
-version 0.4.7:
-
-- RealAudio 1.0 (14_4) and 2.0 (28_8) native decoders. Author unknown, code from mplayerhq
- (originally from public domain player for Amiga at http://www.honeypot.net/audio)
-- current version now also compiles with older GCC (Fabrice)
-- 4X multimedia playback system including 4xm file demuxer (Mike
- Melanson), and 4X video and audio codecs (Michael)
-- Creative YUV (CYUV) decoder (Mike Melanson)
-- FFV1 codec (our very simple lossless intra only codec, compresses much better
- than HuffYUV) (Michael)
-- ASV1 (Asus), H.264, Intel indeo3 codecs have been added (various)
-- tiny PNG encoder and decoder, tiny GIF decoder, PAM decoder (PPM with
- alpha support), JPEG YUV colorspace support. (Fabrice Bellard)
-- ffplay has been replaced with a newer version which uses SDL (optionally)
- for multiplatform support (Fabrice)
-- Sorenson Version 3 codec (SVQ3) support has been added (decoding only) - donated
- by anonymous
-- AMR format has been added (Johannes Carlsson)
-- 3GP support has been added (Johannes Carlsson)
-- VP3 codec has been added (Mike Melanson)
-- more MPEG-1/2 fixes
-- better multiplatform support, MS Visual Studio fixes (various)
-- AltiVec optimizations (Magnus Damn and others)
-- SH4 processor support has been added (BERO)
-- new public interfaces (avcodec_get_pix_fmt) (Roman Shaposhnick)
-- VOB streaming support (Brian Foley)
-- better MP3 autodetection (Andriy Rysin)
-- qpel encoding (Michael)
-- 4mv+b frames encoding finally fixed (Michael)
-- chroma ME (Michael)
-- 5 comparison functions for ME (Michael)
-- B-frame encoding speedup (Michael)
-- WMV2 codec (unfinished - Michael)
-- user specified diamond size for EPZS (Michael)
-- Playstation STR playback subsystem, still experimental (Mike and Michael)
-- ASV2 codec (Michael)
-- CLJR decoder (Alex)
-
-.. And lots more new enhancements and fixes.
-
-
-version 0.4.6:
-
-- completely new integer only MPEG audio layer 1/2/3 decoder rewritten
- from scratch
-- Recoded DCT and motion vector search with gcc (no longer depends on nasm)
-- fix quantization bug in AC3 encoder
-- added PCM codecs and format. Corrected WAV/AVI/ASF PCM issues
-- added prototype ffplay program
-- added GOB header parsing on H.263/H.263+ decoder (Juanjo)
-- bug fix on MCBPC tables of H.263 (Juanjo)
-- bug fix on DC coefficients of H.263 (Juanjo)
-- added Advanced Prediction Mode on H.263/H.263+ decoder (Juanjo)
-- now we can decode H.263 streams found in QuickTime files (Juanjo)
-- now we can decode H.263 streams found in VIVO v1 files(Juanjo)
-- preliminary RTP "friendly" mode for H.263/H.263+ coding. (Juanjo)
-- added GOB header for H.263/H.263+ coding on RTP mode (Juanjo)
-- now H.263 picture size is returned on the first decoded frame (Juanjo)
-- added first regression tests
-- added MPEG-2 TS demuxer
-- new demux API for libav
-- more accurate and faster IDCT (Michael)
-- faster and entropy-controlled motion search (Michael)
-- two pass video encoding (Michael)
-- new video rate control (Michael)
-- added MSMPEG4V1, MSMPEGV2 and WMV1 support (Michael)
-- great performance improvement of video encoders and decoders (Michael)
-- new and faster bit readers and vlc parsers (Michael)
-- high quality encoding mode: tries all macroblock/VLC types (Michael)
-- added DV video decoder
-- preliminary RTP/RTSP support in ffserver and libavformat
-- H.263+ AIC decoding/encoding support (Juanjo)
-- VCD MPEG-PS mode (Juanjo)
-- PSNR stuff (Juanjo)
-- simple stats output (Juanjo)
-- 16-bit and 15-bit RGB/BGR/GBR support (Bisqwit)
-
-
-version 0.4.5:
-
-- some header fixes (Zdenek Kabelac <kabi at informatics.muni.cz>)
-- many MMX optimizations (Nick Kurshev <nickols_k at mail.ru>)
-- added configure system (actually a small shell script)
-- added MPEG audio layer 1/2/3 decoding using LGPL'ed mpglib by
- Michael Hipp (temporary solution - waiting for integer only
- decoder)
-- fixed VIDIOCSYNC interrupt
-- added Intel H.263 decoding support ('I263' AVI fourCC)
-- added Real Video 1.0 decoding (needs further testing)
-- simplified image formats again. Added PGM format (=grey
- pgm). Renamed old PGM to PGMYUV.
-- fixed msmpeg4 slice issues (tell me if you still find problems)
-- fixed OpenDivX bugs with newer versions (added VOL header decoding)
-- added support for MPlayer interface
-- added macroblock skip optimization
-- added MJPEG decoder
-- added mmx/mmxext IDCT from libmpeg2
-- added pgmyuvpipe, ppm, and ppm_pipe formats (original patch by Celer
- <celer at shell.scrypt.net>)
-- added pixel format conversion layer (e.g. for MJPEG or PPM)
-- added deinterlacing option
-- MPEG-1/2 fixes
-- MPEG-4 vol header fixes (Jonathan Marsden <snmjbm at pacbell.net>)
-- ARM optimizations (Lionel Ulmer <lionel.ulmer at free.fr>).
-- Windows porting of file converter
-- added MJPEG raw format (input/ouput)
-- added JPEG image format support (input/output)
-
-
-version 0.4.4:
-
-- fixed some std header definitions (Bjorn Lindgren
- <bjorn.e.lindgren at telia.com>).
-- added MPEG demuxer (MPEG-1 and 2 compatible).
-- added ASF demuxer
-- added prototype RM demuxer
-- added AC3 decoding (done with libac3 by Aaron Holtzman)
-- added decoding codec parameter guessing (.e.g. for MPEG, because the
- header does not include them)
-- fixed header generation in MPEG-1, AVI and ASF muxer: wmplayer can now
- play them (only tested video)
-- fixed H.263 white bug
-- fixed phase rounding in img resample filter
-- add MMX code for polyphase img resample filter
-- added CPU autodetection
-- added generic title/author/copyright/comment string handling (ASF and RM
- use them)
-- added SWF demux to extract MP3 track (not usable yet because no MP3
- decoder)
-- added fractional frame rate support
-- codecs are no longer searched by read_header() (should fix ffserver
- segfault)
-
-
-version 0.4.3:
-
-- BGR24 patch (initial patch by Jeroen Vreeken <pe1rxq at amsat.org>)
-- fixed raw yuv output
-- added motion rounding support in MPEG-4
-- fixed motion bug rounding in MSMPEG4
-- added B-frame handling in video core
-- added full MPEG-1 decoding support
-- added partial (frame only) MPEG-2 support
-- changed the FOURCC code for H.263 to "U263" to be able to see the
- +AVI/H.263 file with the UB Video H.263+ decoder. MPlayer works with
- this +codec ;) (JuanJo).
-- Halfpel motion estimation after MB type selection (JuanJo)
-- added pgm and .Y.U.V output format
-- suppressed 'img:' protocol. Simply use: /tmp/test%d.[pgm|Y] as input or
- output.
-- added pgmpipe I/O format (original patch from Martin Aumueller
- <lists at reserv.at>, but changed completely since we use a format
- instead of a protocol)
-
-
-version 0.4.2:
-
-- added H.263/MPEG-4/MSMPEG4 decoding support. MPEG-4 decoding support
- (for OpenDivX) is almost complete: 8x8 MVs and rounding are
- missing. MSMPEG4 support is complete.
-- added prototype MPEG-1 decoder. Only I- and P-frames handled yet (it
- can decode ffmpeg MPEGs :-)).
-- added libavcodec API documentation (see apiexample.c).
-- fixed image polyphase bug (the bottom of some images could be
- greenish)
-- added support for non clipped motion vectors (decoding only)
- and image sizes non-multiple of 16
-- added support for AC prediction (decoding only)
-- added file overwrite confirmation (can be disabled with -y)
-- added custom size picture to H.263 using H.263+ (Juanjo)
-
-
-version 0.4.1:
-
-- added MSMPEG4 (aka DivX) compatible encoder. Changed default codec
- of AVI and ASF to DIV3.
-- added -me option to set motion estimation method
- (default=log). suppressed redundant -hq option.
-- added options -acodec and -vcodec to force a given codec (useful for
- AVI for example)
-- fixed -an option
-- improved dct_quantize speed
-- factorized some motion estimation code
-
-
-version 0.4.0:
-
-- removing grab code from ffserver and moved it to ffmpeg. Added
- multistream support to ffmpeg.
-- added timeshifting support for live feeds (option ?date=xxx in the
- URL)
-- added high quality image resize code with polyphase filter (need
- mmx/see optimization). Enable multiple image size support in ffserver.
-- added multi live feed support in ffserver
-- suppressed master feature from ffserver (it should be done with an
- external program which opens the .ffm url and writes it to another
- ffserver)
-- added preliminary support for video stream parsing (WAV and AVI half
- done). Added proper support for audio/video file conversion in
- ffmpeg.
-- added preliminary support for video file sending from ffserver
-- redesigning I/O subsystem: now using URL based input and output
- (see avio.h)
-- added WAV format support
-- added "tty user interface" to ffmpeg to stop grabbing gracefully
-- added MMX/SSE optimizations to SAD (Sums of Absolutes Differences)
- (Juan J. Sierralta P. a.k.a. "Juanjo" <juanjo at atmlab.utfsm.cl>)
-- added MMX DCT from mpeg2_movie 1.5 (Juanjo)
-- added new motion estimation algorithms, log and phods (Juanjo)
-- changed directories: libav for format handling, libavcodec for
- codecs
-
-
-version 0.3.4:
-
-- added stereo in MPEG audio encoder
-
-
-version 0.3.3:
-
-- added 'high quality' mode which use motion vectors. It can be used in
- real time at low resolution.
-- fixed rounding problems which caused quality problems at high
- bitrates and large GOP size
-
-
-version 0.3.2: small fixes
-
-- ASF fixes
-- put_seek bug fix
-
-
-version 0.3.1: added avi/divx support
-
-- added AVI support
-- added MPEG-4 codec compatible with OpenDivX. It is based on the H.263 codec
-- added sound for flash format (not tested)
-
-
-version 0.3: initial public release
diff --git a/LICENSE b/LICENSE
index 8d4d6515b0..7272b90f8d 100644
--- a/LICENSE
+++ b/LICENSE
@@ -41,6 +41,6 @@ is incompatible with the LGPL v2.1 and the GPL v2, but not with version 3 of
those licenses. So to combine the OpenCORE libraries with FFmpeg, the license
version needs to be upgraded by passing --enable-version3 to configure.
-The nonfree external library libfaac can be hooked up in FFmpeg. You need to
-pass --enable-nonfree to configure to enable it. Employ this option with care
-as FFmpeg then becomes nonfree and unredistributable.
+The nonfree external libraries libfaac and libaacplus can be hooked up in FFmpeg.
+You need to pass --enable-nonfree to configure to enable it. Employ this option
+with care as FFmpeg then becomes nonfree and unredistributable.
diff --git a/Makefile b/Makefile
index 9b8426c464..820baea99a 100644
--- a/Makefile
+++ b/Makefile
@@ -258,9 +258,12 @@ FATE_SEEK = $(SEEK_TESTS:seek_%=fate-seek-%)
FATE = $(FATE_ACODEC) \
$(FATE_VCODEC) \
$(FATE_LAVF) \
- $(FATE_LAVFI) \
$(FATE_SEEK) \
+FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI)
+
+FATE += $(FATE-yes)
+
$(filter-out %-aref,$(FATE_ACODEC)): $(AREF)
$(filter-out %-vref,$(FATE_VCODEC)): $(VREF)
$(FATE_LAVF): $(REFS)
@@ -282,7 +285,7 @@ fate-lavfi: $(FATE_LAVFI)
fate-seek: $(FATE_SEEK)
ifdef SAMPLES
-FATE += $(FATE_TESTS)
+FATE += $(FATE_TESTS) $(FATE_TESTS-yes)
fate-rsync:
rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES)
else
diff --git a/configure b/configure
index ef3697e3c4..576daf045b 100755
--- a/configure
+++ b/configure
@@ -162,6 +162,7 @@ External library support:
--enable-bzlib enable bzlib [autodetect]
--enable-libcelt enable CELT/Opus decoding via libcelt [no]
--enable-frei0r enable frei0r video filtering
+ --enable-libaacplus enable AAC+ encoding via libaacplus [no]
--enable-libopencore-amrnb enable AMR-NB de/encoding via libopencore-amrnb [no]
--enable-libopencore-amrwb enable AMR-WB decoding via libopencore-amrwb [no]
--enable-libopencv enable video filtering via libopencv [no]
@@ -927,6 +928,8 @@ CONFIG_LIST="
h264pred
hardcoded_tables
huffman
+ libaacplus
+ libcdio
libcelt
libdc1394
libdirac
@@ -1401,6 +1404,7 @@ vdpau_deps="vdpau_vdpau_h vdpau_vdpau_x11_h"
h264_parser_select="golomb h264dsp h264pred"
# external libraries
+libaacplus_encoder_deps="libaacplus"
libcelt_decoder_deps="libcelt"
libdirac_decoder_deps="libdirac !libschroedinger"
libdirac_encoder_deps="libdirac"
@@ -1532,7 +1536,7 @@ test_deps(){
dep=${v%=*}
tests=${v#*=}
for name in ${tests}; do
- eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'"
+ append ${name}_test_deps ${dep}$suf1 ${dep}$suf2
done
done
}
@@ -1542,6 +1546,9 @@ set_ne_test_deps(){
eval ${1}_le_test_deps="!bigendian"
}
+mxf_d10_test_deps="avfilter"
+seek_lavf_mxf_d10_test_deps="mxf_d10_test"
+
test_deps _encoder _decoder \
adpcm_g726=g726 \
adpcm_ima_qt \
@@ -1604,7 +1611,7 @@ test_deps _muxer _demuxer \
mmf \
mov \
pcm_mulaw=mulaw \
- mxf \
+ mxf="mxf mxf_d10" \
nut \
ogg \
rawvideo=pixfmt \
@@ -2584,6 +2591,7 @@ die_license_disabled gpl libxavs
die_license_disabled gpl libxvid
die_license_disabled gpl x11grab
+die_license_disabled nonfree libaacplus
die_license_disabled nonfree libfaac
die_license_disabled version3 libopencore_amrnb
@@ -2916,6 +2924,7 @@ check_mathfunc truncf
enabled avisynth && require2 vfw32 "windows.h vfw.h" AVIFileInit -lavifil32
enabled libcelt && require libcelt celt/celt.h celt_decode -lcelt0
enabled frei0r && { check_header frei0r.h || die "ERROR: frei0r.h header not found"; }
+enabled libaacplus && require "libaacplus >= 2.0.0" aacplus.h aacplusEncOpen -laacplus
enabled libdc1394 && require_pkg_config libdc1394-2 dc1394/dc1394.h dc1394_new
enabled libdirac && require_pkg_config dirac \
"libdirac_decoder/dirac_parser.h libdirac_encoder/dirac_encoder.h" \
@@ -3073,6 +3082,10 @@ else
fi
check_cflags -fno-math-errno
check_cflags -fno-signed-zeros
+check_cc -mno-red-zone <<EOF && noredzone_flags="-mno-red-zone"
+int x;
+EOF
+
if enabled icc; then
# Just warnings, no remarks
@@ -3223,6 +3236,7 @@ echo "frei0r enabled ${frei0r-no}"
echo "libdc1394 support ${libdc1394-no}"
echo "libdirac enabled ${libdirac-no}"
echo "libfaac enabled ${libfaac-no}"
+echo "libaacplus enabled ${libaacplus-no}"
echo "libgsm enabled ${libgsm-no}"
echo "libmp3lame enabled ${libmp3lame-no}"
echo "libnut enabled ${libnut-no}"
@@ -3383,6 +3397,7 @@ SLIB_EXTRA_CMD=${SLIB_EXTRA_CMD}
SLIB_INSTALL_EXTRA_CMD=${SLIB_INSTALL_EXTRA_CMD}
SLIB_UNINSTALL_EXTRA_CMD=${SLIB_UNINSTALL_EXTRA_CMD}
SAMPLES:=${samples:-\$(FATE_SAMPLES)}
+NOREDZONE_FLAGS=$noredzone_flags
EOF
get_version(){
diff --git a/doc/filters.texi b/doc/filters.texi
index eb31714486..e4873fafb2 100644
--- a/doc/filters.texi
+++ b/doc/filters.texi
@@ -1683,7 +1683,7 @@ It accepts the following parameters:
Negative values for the amount will blur the input video, while positive
values will sharpen. All parameters are optional and default to the
-equivalent of the string '5:5:1.0:0:0:0.0'.
+equivalent of the string '5:5:1.0:5:5:0.0'.
@table @option
@@ -1701,11 +1701,11 @@ and 5.0, default value is 1.0.
@item chroma_msize_x
Set the chroma matrix horizontal size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.
@item chroma_msize_y
Set the chroma matrix vertical size. It can be an integer between 3
-and 13, default value is 0.
+and 13, default value is 5.
@item luma_amount
Set the chroma effect strength. It can be a float number between -2.0
diff --git a/doc/general.texi b/doc/general.texi
index b193240b01..db78efef78 100644
--- a/doc/general.texi
+++ b/doc/general.texi
@@ -542,6 +542,8 @@ following image formats are supported:
@multitable @columnfractions .4 .1 .1 .4
@item Name @tab Encoding @tab Decoding @tab Comments
@item 8SVX audio @tab @tab X
+@item AAC+ @tab E @tab X
+ @tab encoding supported through external library libaacplus
@item AAC @tab E @tab X
@tab encoding supported through external library libfaac and libvo-aacenc
@item AC-3 @tab IX @tab X
@@ -1060,7 +1062,7 @@ These library packages are only available from Cygwin Ports
(@url{http://sourceware.org/cygwinports/}) :
@example
-yasm, libSDL-devel, libdirac-devel, libfaac-devel, libgsm-devel,
+yasm, libSDL-devel, libdirac-devel, libfaac-devel, libaacplus-devel, libgsm-devel,
libmp3lame-devel, libschroedinger1.0-devel, speex-devel, libtheora-devel,
libxvidcore-devel
@end example
diff --git a/ffmpeg.c b/ffmpeg.c
index 4681bf2867..a913485a7b 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2380,9 +2380,9 @@ static int transcode(AVFormatContext **output_files,
}
}
if(codec->codec_type == AVMEDIA_TYPE_VIDEO){
- /* maximum video buffer size is 6-bytes per pixel, plus DPX header size */
+ /* maximum video buffer size is 6-bytes per pixel, plus DPX header size (1664)*/
int size= codec->width * codec->height;
- bit_buffer_size= FFMAX(bit_buffer_size, 6*size + 1664);
+ bit_buffer_size= FFMAX(bit_buffer_size, 7*size + 10000);
}
}
diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c
index d89b494b09..7344f4cd1f 100644
--- a/libavcodec/4xm.c
+++ b/libavcodec/4xm.c
@@ -133,7 +133,9 @@ typedef struct FourXContext{
GetBitContext pre_gb; ///< ac/dc prefix
GetBitContext gb;
const uint8_t *bytestream;
+ const uint8_t *bytestream_end;
const uint16_t *wordstream;
+ const uint16_t *wordstream_end;
int mv[256];
VLC pre_vlc;
int last_dc;
@@ -328,6 +330,10 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
assert(code>=0 && code<=6);
if(code == 0){
+ if (f->bytestream_end - f->bytestream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+ return;
+ }
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
@@ -345,15 +351,31 @@ static void decode_p_block(FourXContext *f, uint16_t *dst, uint16_t *src, int lo
}else if(code == 3 && f->version<2){
mcdc(dst, src, log2w, h, stride, 1, 0);
}else if(code == 4){
+ if (f->bytestream_end - f->bytestream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "bytestream overread\n");
+ return;
+ }
src += f->mv[ *f->bytestream++ ];
if(start > src || src > end){
av_log(f->avctx, AV_LOG_ERROR, "mv out of pic\n");
return;
}
+ if (f->wordstream_end - f->wordstream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 1, av_le2ne16(*f->wordstream++));
}else if(code == 5){
+ if (f->wordstream_end - f->wordstream < 1){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
mcdc(dst, src, log2w, h, stride, 0, av_le2ne16(*f->wordstream++));
}else if(code == 6){
+ if (f->wordstream_end - f->wordstream < 2){
+ av_log(f->avctx, AV_LOG_ERROR, "wordstream overread\n");
+ return;
+ }
if(log2w){
dst[0] = av_le2ne16(*f->wordstream++);
dst[1] = av_le2ne16(*f->wordstream++);
@@ -375,6 +397,8 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
if(f->version>1){
extra=20;
+ if (length < extra)
+ return -1;
bitstream_size= AV_RL32(buf+8);
wordstream_size= AV_RL32(buf+12);
bytestream_size= AV_RL32(buf+16);
@@ -385,11 +409,10 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
bytestream_size= FFMAX(length - bitstream_size - wordstream_size, 0);
}
- if(bitstream_size+ bytestream_size+ wordstream_size + extra != length
- || bitstream_size > (1<<26)
- || bytestream_size > (1<<26)
- || wordstream_size > (1<<26)
- ){
+ if (bitstream_size > length ||
+ bytestream_size > length - bitstream_size ||
+ wordstream_size > length - bytestream_size - bitstream_size ||
+ extra > length - bytestream_size - bitstream_size - wordstream_size){
av_log(f->avctx, AV_LOG_ERROR, "lengths %d %d %d %d\n", bitstream_size, bytestream_size, wordstream_size,
bitstream_size+ bytestream_size+ wordstream_size - length);
return -1;
@@ -399,10 +422,13 @@ static int decode_p_frame(FourXContext *f, const uint8_t *buf, int length){
if (!f->bitstream_buffer)
return AVERROR(ENOMEM);
f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)(buf + extra), bitstream_size/4);
+ memset((uint8_t*)f->bitstream_buffer + bitstream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&f->gb, f->bitstream_buffer, 8*bitstream_size);
f->wordstream= (const uint16_t*)(buf + extra + bitstream_size);
+ f->wordstream_end= f->wordstream + wordstream_size/2;
f->bytestream= buf + extra + bitstream_size + wordstream_size;
+ f->bytestream_end = f->bytestream + bytestream_size;
init_mv(f);
@@ -531,7 +557,7 @@ static int decode_i_mb(FourXContext *f){
return 0;
}
-static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf){
+static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const buf, int buf_size){
int frequency[512];
uint8_t flag[512];
int up[512];
@@ -539,6 +565,7 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
int bits_tab[257];
int start, end;
const uint8_t *ptr= buf;
+ const uint8_t *ptr_end = buf + buf_size;
int j;
memset(frequency, 0, sizeof(frequency));
@@ -549,6 +576,8 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
for(;;){
int i;
+ if (start <= end && ptr_end - ptr < end - start + 1 + 1)
+ return NULL;
for(i=start; i<=end; i++){
frequency[i]= *ptr++;
}
@@ -601,9 +630,10 @@ static const uint8_t *read_huffman_tables(FourXContext *f, const uint8_t * const
len_tab[j]= len;
}
- init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
- len_tab , 1, 1,
- bits_tab, 4, 4, 0);
+ if (init_vlc(&f->pre_vlc, ACDC_VLC_BITS, 257,
+ len_tab , 1, 1,
+ bits_tab, 4, 4, 0))
+ return NULL;
return ptr;
}
@@ -621,10 +651,13 @@ static int decode_i2_frame(FourXContext *f, const uint8_t *buf, int length){
const int height= f->avctx->height;
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
+ const uint8_t *buf_end = buf + length;
for(y=0; y<height; y+=16){
for(x=0; x<width; x+=16){
unsigned int color[4], bits;
+ if (buf_end - buf < 8)
+ return -1;
memset(color, 0, sizeof(color));
//warning following is purely guessed ...
color[0]= bytestream_get_le16(&buf);
@@ -658,18 +691,23 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
uint16_t *dst= (uint16_t*)f->current_picture.data[0];
const int stride= f->current_picture.linesize[0]>>1;
const unsigned int bitstream_size= AV_RL32(buf);
- const int token_count av_unused = AV_RL32(buf + bitstream_size + 8);
- unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4);
- const uint8_t *prestream= buf + bitstream_size + 12;
+ unsigned int prestream_size;
+ const uint8_t *prestream;
+
+ if (bitstream_size > (1<<26) || length < bitstream_size + 12)
+ return -1;
+ prestream_size = 4*AV_RL32(buf + bitstream_size + 4);
+ prestream = buf + bitstream_size + 12;
- if(prestream_size + bitstream_size + 12 != length
- || bitstream_size > (1<<26)
- || prestream_size > (1<<26)){
+ if (prestream_size > (1<<26) ||
+ prestream_size != length - (bitstream_size + 12)){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d %d\n", prestream_size, bitstream_size, length);
return -1;
}
- prestream= read_huffman_tables(f, prestream);
+ prestream= read_huffman_tables(f, prestream, buf + length - prestream);
+ if (!prestream)
+ return -1;
init_get_bits(&f->gb, buf + 4, 8*bitstream_size);
@@ -679,6 +717,7 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){
if (!f->bitstream_buffer)
return AVERROR(ENOMEM);
f->dsp.bswap_buf(f->bitstream_buffer, (const uint32_t*)prestream, prestream_size/4);
+ memset((uint8_t*)f->bitstream_buffer + prestream_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&f->pre_gb, f->bitstream_buffer, 8*prestream_size);
f->last_dc= 0*128*8*8;
@@ -710,6 +749,8 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *p, temp;
int i, frame_4cc, frame_size;
+ if (buf_size < 12)
+ return AVERROR_INVALIDDATA;
frame_4cc= AV_RL32(buf);
if(buf_size != AV_RL32(buf+4)+8 || buf_size < 20){
av_log(f->avctx, AV_LOG_ERROR, "size mismatch %d %d\n", buf_size, AV_RL32(buf+4));
@@ -722,6 +763,11 @@ static int decode_frame(AVCodecContext *avctx,
const int whole_size= AV_RL32(buf+16);
CFrameBuffer *cfrm;
+ if (data_size < 0 || whole_size < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "sizes invalid\n");
+ return AVERROR_INVALIDDATA;
+ }
+
for(i=0; i<CFRAME_BUFFER_COUNT; i++){
if(f->cfrm[i].id && f->cfrm[i].id < avctx->frame_number)
av_log(f->avctx, AV_LOG_ERROR, "lost c frame %d\n", f->cfrm[i].id);
@@ -738,6 +784,8 @@ static int decode_frame(AVCodecContext *avctx,
}
cfrm= &f->cfrm[i];
+ if (data_size > UINT_MAX - cfrm->size - FF_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR_INVALIDDATA;
cfrm->data= av_fast_realloc(cfrm->data, &cfrm->allocated_size, cfrm->size + data_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(!cfrm->data){ //explicit check needed as memcpy below might not catch a NULL
av_log(f->avctx, AV_LOG_ERROR, "realloc falure");
@@ -781,12 +829,16 @@ static int decode_frame(AVCodecContext *avctx,
if(frame_4cc == AV_RL32("ifr2")){
p->pict_type= AV_PICTURE_TYPE_I;
- if(decode_i2_frame(f, buf-4, frame_size) < 0)
+ if(decode_i2_frame(f, buf-4, frame_size+4) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode i2 frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("ifrm")){
p->pict_type= AV_PICTURE_TYPE_I;
- if(decode_i_frame(f, buf, frame_size) < 0)
+ if(decode_i_frame(f, buf, frame_size) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode i frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("pfrm") || frame_4cc == AV_RL32("pfr2")){
if(!f->last_picture.data[0]){
f->last_picture.reference= 1;
@@ -797,8 +849,10 @@ static int decode_frame(AVCodecContext *avctx,
}
p->pict_type= AV_PICTURE_TYPE_P;
- if(decode_p_frame(f, buf, frame_size) < 0)
+ if(decode_p_frame(f, buf, frame_size) < 0){
+ av_log(f->avctx, AV_LOG_ERROR, "decode p frame failed\n");
return -1;
+ }
}else if(frame_4cc == AV_RL32("snd_")){
av_log(avctx, AV_LOG_ERROR, "ignoring snd_ chunk length:%d\n", buf_size);
}else{
@@ -831,6 +885,10 @@ static av_cold int decode_init(AVCodecContext *avctx){
av_log(avctx, AV_LOG_ERROR, "extradata wrong or missing\n");
return 1;
}
+ if((avctx->width % 16) || (avctx->height % 16)) {
+ av_log(avctx, AV_LOG_ERROR, "unsupported width/height\n");
+ return AVERROR_INVALIDDATA;
+ }
avcodec_get_frame_defaults(&f->current_picture);
avcodec_get_frame_defaults(&f->last_picture);
diff --git a/libavcodec/Makefile b/libavcodec/Makefile
index 175e6a0d2a..e30be95e77 100644
--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -568,6 +568,7 @@ OBJS-$(CONFIG_WEBM_MUXER) += xiph.o mpeg4audio.o \
OBJS-$(CONFIG_WTV_DEMUXER) += mpeg4audio.o mpegaudiodata.o
# external codec libraries
+OBJS-$(CONFIG_LIBAACPLUS_ENCODER) += libaacplus.o
OBJS-$(CONFIG_LIBCELT_DECODER) += libcelt_dec.o
OBJS-$(CONFIG_LIBDIRAC_DECODER) += libdiracdec.o
OBJS-$(CONFIG_LIBDIRAC_ENCODER) += libdiracenc.o libdirac_libschro.o
diff --git a/libavcodec/aacsbr.c b/libavcodec/aacsbr.c
index 82092b385d..10b8daf280 100644
--- a/libavcodec/aacsbr.c
+++ b/libavcodec/aacsbr.c
@@ -33,6 +33,7 @@
#include "fft.h"
#include "aacps.h"
#include "libavutil/libm.h"
+#include "libavutil/avassert.h"
#include <stdint.h>
#include <float.h>
@@ -1457,6 +1458,7 @@ static void sbr_mapping(AACContext *ac, SpectralBandReplication *sbr,
uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow;
int k;
+ av_assert0(sbr->kx[1] <= table[0]);
for (i = 0; i < ilim; i++)
for (m = table[i]; m < table[i + 1]; m++)
sbr->e_origmapped[e][m - sbr->kx[1]] = ch_data->env_facs[e+1][i];
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index ba312558b0..de7bc7a45b 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1333,10 +1333,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
buf_size -= 128;
}
break;
- case CODEC_ID_ADPCM_IMA_EA_EACS:
+ case CODEC_ID_ADPCM_IMA_EA_EACS: {
+ unsigned header_size = 4 + (8<<st);
samples_in_chunk = bytestream_get_le32(&src) >> (1-st);
- if (samples_in_chunk > buf_size-4-(8<<st)) {
+ if (buf_size < header_size || samples_in_chunk > buf_size - header_size) {
src += buf_size - 4;
break;
}
@@ -1351,6 +1352,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
*samples++ = adpcm_ima_expand_nibble(&c->status[st], *src&0x0F, 3);
}
break;
+ }
case CODEC_ID_ADPCM_IMA_EA_SEAD:
for (; src < buf+buf_size; src++) {
*samples++ = adpcm_ima_expand_nibble(&c->status[0], src[0] >> 4, 6);
diff --git a/libavcodec/allcodecs.c b/libavcodec/allcodecs.c
index f1c664f5d1..c038524f75 100644
--- a/libavcodec/allcodecs.c
+++ b/libavcodec/allcodecs.c
@@ -370,6 +370,7 @@ void avcodec_register_all(void)
REGISTER_ENCDEC (XSUB, xsub);
/* external libraries */
+ REGISTER_ENCODER (LIBAACPLUS, libaacplus);
REGISTER_DECODER (LIBCELT, libcelt);
REGISTER_ENCDEC (LIBDIRAC, libdirac);
REGISTER_ENCODER (LIBFAAC, libfaac);
diff --git a/libavcodec/anm.c b/libavcodec/anm.c
index 02244f70e1..8e40059576 100644
--- a/libavcodec/anm.c
+++ b/libavcodec/anm.c
@@ -79,6 +79,8 @@ static inline int op(uint8_t **dst, const uint8_t *dst_end,
int striplen = FFMIN(count, remaining);
if (buf) {
striplen = FFMIN(striplen, buf_end - *buf);
+ if (*buf >= buf_end)
+ goto exhausted;
memcpy(*dst, *buf, striplen);
*buf += striplen;
} else if (pixel >= 0)
diff --git a/libavcodec/avs.c b/libavcodec/avs.c
index 354b53c241..c7dcf0e2dc 100644
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -47,6 +47,7 @@ avs_decode_frame(AVCodecContext * avctx,
void *data, int *data_size, AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
AvsContext *const avs = avctx->priv_data;
AVFrame *picture = data;
@@ -69,6 +70,8 @@ avs_decode_frame(AVCodecContext * avctx,
out = avs->picture.data[0];
stride = avs->picture.linesize[0];
+ if (buf_end - buf < 4)
+ return AVERROR_INVALIDDATA;
sub_type = buf[0];
type = buf[1];
buf += 4;
@@ -79,6 +82,8 @@ avs_decode_frame(AVCodecContext * avctx,
first = AV_RL16(buf);
last = first + AV_RL16(buf + 2);
+ if (first >= 256 || last > 256 || buf_end - buf < 4 + 4 + 3 * (last - first))
+ return AVERROR_INVALIDDATA;
buf += 4;
for (i=first; i<last; i++, buf+=3)
pal[i] = (buf[0] << 18) | (buf[1] << 10) | (buf[2] << 2);
@@ -114,9 +119,13 @@ avs_decode_frame(AVCodecContext * avctx,
return -1;
}
+ if (buf_end - buf < 256 * vect_w * vect_h)
+ return AVERROR_INVALIDDATA;
table = buf + (256 * vect_w * vect_h);
if (sub_type != AVS_I_FRAME) {
int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
+ if (buf_end - table < map_size)
+ return AVERROR_INVALIDDATA;
init_get_bits(&change_map, table, map_size * 8);
table += map_size;
}
@@ -124,6 +133,8 @@ avs_decode_frame(AVCodecContext * avctx,
for (y=0; y<198; y+=vect_h) {
for (x=0; x<318; x+=vect_w) {
if (sub_type == AVS_I_FRAME || get_bits1(&change_map)) {
+ if (buf_end - table < 1)
+ return AVERROR_INVALIDDATA;
vect = &buf[*table++ * (vect_w * vect_h)];
for (j=0; j<vect_w; j++) {
out[(y + 0) * stride + x + j] = vect[(0 * vect_w) + j];
diff --git a/libavcodec/bink.c b/libavcodec/bink.c
index 4328a43525..63f17eb577 100644
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -246,7 +246,7 @@ static void read_tree(GetBitContext *gb, Tree *tree)
tree->syms[i] = get_bits(gb, 4);
tmp1[tree->syms[i]] = 1;
}
- for (i = 0; i < 16; i++)
+ for (i = 0; i < 16 && len < 16 - 1; i++)
if (!tmp1[i])
tree->syms[++len] = i;
} else {
@@ -343,14 +343,14 @@ static int read_motion_values(AVCodecContext *avctx, GetBitContext *gb, Bundle *
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v) {
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
*b->cur_dec++ = v;
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
@@ -374,7 +374,7 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
memset(b->cur_dec, v, t);
b->cur_dec += t;
} else {
- do {
+ while (b->cur_dec < dec_end) {
v = GET_HUFF(gb, b->tree);
if (v < 12) {
last = v;
@@ -382,10 +382,12 @@ static int read_block_types(AVCodecContext *avctx, GetBitContext *gb, Bundle *b)
} else {
int run = bink_rlelens[v - 12];
+ if (dec_end - b->cur_dec < run)
+ return -1;
memset(b->cur_dec, last, run);
b->cur_dec += run;
}
- } while (b->cur_dec < dec_end);
+ }
}
return 0;
}
@@ -456,6 +458,7 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
{
int i, j, len, len2, bsize, sign, v, v2;
int16_t *dst = (int16_t*)b->cur_dec;
+ int16_t *dst_end =( int16_t*)b->data_end;
CHECK_READ_VAL(gb, b, len);
v = get_bits(gb, start_bits - has_sign);
@@ -463,10 +466,14 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
sign = -get_bits1(gb);
v = (v ^ sign) - sign;
}
+ if (dst_end - dst < 1)
+ return -1;
*dst++ = v;
len--;
for (i = 0; i < len; i += 8) {
len2 = FFMIN(len - i, 8);
+ if (dst_end - dst < len2)
+ return -1;
bsize = get_bits(gb, 4);
if (bsize) {
for (j = 0; j < len2; j++) {
@@ -534,6 +541,8 @@ static int binkb_read_bundle(BinkContext *c, GetBitContext *gb, int bundle_num)
int i, len;
CHECK_READ_VAL(gb, b, len);
+ if (b->data_end - b->cur_dec < len * (1 + (bits > 8)))
+ return -1;
if (bits <= 8) {
if (!issigned) {
for (i = 0; i < len; i++)
@@ -964,8 +973,9 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
for (i = 0; i < BINK_NB_SRC; i++)
read_bundle(gb, c, i);
- ref_start = c->last.data[plane_idx];
- ref_end = c->last.data[plane_idx]
+ ref_start = c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx];
+ ref_end = ref_start
+ (bw - 1 + c->last.linesize[plane_idx] * (bh - 1)) * 8;
for (i = 0; i < 64; i++)
@@ -994,7 +1004,8 @@ static int bink_decode_plane(BinkContext *c, GetBitContext *gb, int plane_idx,
if (by == bh)
break;
dst = c->pic.data[plane_idx] + 8*by*stride;
- prev = c->last.data[plane_idx] + 8*by*stride;
+ prev = (c->last.data[plane_idx] ? c->last.data[plane_idx]
+ : c->pic.data[plane_idx]) + 8*by*stride;
for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) {
blk = get_value(c, BINK_SRC_BLOCK_TYPES);
// 16x16 block type on odd line means part of the already decoded block, so skip it
diff --git a/libavcodec/bitstream.c b/libavcodec/bitstream.c
index f0fa9652c6..e2a3d56d05 100644
--- a/libavcodec/bitstream.c
+++ b/libavcodec/bitstream.c
@@ -109,8 +109,8 @@ static int alloc_table(VLC *vlc, int size, int use_static)
if(use_static)
abort(); //cant do anything, init_vlc() is used with too little memory
vlc->table_allocated += (1 << vlc->bits);
- vlc->table = av_realloc(vlc->table,
- sizeof(VLC_TYPE) * 2 * vlc->table_allocated);
+ vlc->table = av_realloc_f(vlc->table,
+ vlc->table_allocated, sizeof(VLC_TYPE) * 2);
if (!vlc->table)
return -1;
}
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index 5166fc5337..69df8f4597 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -898,6 +898,9 @@ static void qmf_32_subbands(DCAContext * s, int chans,
else /* Perfect reconstruction */
prCoeff = fir_32bands_perfect;
+ for (i = sb_act; i < 32; i++)
+ s->raXin[i] = 0.0;
+
/* Reconstructed channel sample index */
for (subindex = 0; subindex < 8; subindex++) {
/* Load in one sample from each subband and clear inactive subbands */
@@ -905,8 +908,6 @@ static void qmf_32_subbands(DCAContext * s, int chans,
uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
AV_WN32A(&s->raXin[i], v);
}
- for (; i < 32; i++)
- s->raXin[i] = 0.0;
s->synth.synth_filter_float(&s->imdct,
s->subband_fir_hist[chans], &s->hist_index[chans],
diff --git a/libavcodec/dsicinav.c b/libavcodec/dsicinav.c
index f12560714a..faca821c7d 100644
--- a/libavcodec/dsicinav.c
+++ b/libavcodec/dsicinav.c
@@ -217,7 +217,11 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
bitmap_frame_size = buf_size - 4;
/* handle palette */
+ if (bitmap_frame_size < palette_colors_count * (3 + (palette_type != 0)))
+ return AVERROR_INVALIDDATA;
if (palette_type == 0) {
+ if (palette_colors_count > 256)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < palette_colors_count; ++i) {
cin->palette[i] = bytestream_get_le24(&buf);
bitmap_frame_size -= 3;
diff --git a/libavcodec/eacmv.c b/libavcodec/eacmv.c
index 408d948812..4cd6a6fd1f 100644
--- a/libavcodec/eacmv.c
+++ b/libavcodec/eacmv.c
@@ -56,7 +56,7 @@ static void cmv_decode_intra(CmvContext * s, const uint8_t *buf, const uint8_t *
unsigned char *dst = s->frame.data[0];
int i;
- for (i=0; i < s->avctx->height && buf+s->avctx->width<=buf_end; i++) {
+ for (i=0; i < s->avctx->height && buf_end - buf >= s->avctx->width; i++) {
memcpy(dst, buf, s->avctx->width);
dst += s->frame.linesize[0];
buf += s->avctx->width;
@@ -88,7 +88,7 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
i = 0;
for(y=0; y<s->avctx->height/4; y++)
- for(x=0; x<s->avctx->width/4 && buf+i<buf_end; x++) {
+ for(x=0; x<s->avctx->width/4 && buf_end - buf > i; x++) {
if (buf[i]==0xFF) {
unsigned char *dst = s->frame.data[0] + (y*4)*s->frame.linesize[0] + x*4;
if (raw+16<buf_end && *raw==0xFF) { /* intra */
@@ -110,9 +110,10 @@ static void cmv_decode_inter(CmvContext * s, const uint8_t *buf, const uint8_t *
}else{ /* inter using last frame as reference */
int xoffset = (buf[i] & 0xF) - 7;
int yoffset = ((buf[i] >> 4)) - 7;
- cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
- s->last_frame.data[0], s->last_frame.linesize[0],
- x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
+ if (s->last_frame.data[0])
+ cmv_motcomp(s->frame.data[0], s->frame.linesize[0],
+ s->last_frame.data[0], s->last_frame.linesize[0],
+ x*4, y*4, xoffset, yoffset, s->avctx->width, s->avctx->height);
}
i++;
}
@@ -122,7 +123,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
{
int pal_start, pal_count, i;
- if(buf+16>=buf_end) {
+ if(buf_end - buf < 16) {
av_log(s->avctx, AV_LOG_WARNING, "truncated header\n");
return;
}
@@ -139,7 +140,7 @@ static void cmv_process_header(CmvContext *s, const uint8_t *buf, const uint8_t
pal_count = AV_RL16(&buf[14]);
buf += 16;
- for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf+2<buf_end; i++) {
+ for (i=pal_start; i<pal_start+pal_count && i<AVPALETTE_COUNT && buf_end - buf >= 3; i++) {
s->palette[i] = AV_RB24(buf);
buf += 3;
}
@@ -157,6 +158,9 @@ static int cmv_decode_frame(AVCodecContext *avctx,
CmvContext *s = avctx->priv_data;
const uint8_t *buf_end = buf + buf_size;
+ if (buf_end - buf < EA_PREAMBLE_SIZE)
+ return AVERROR_INVALIDDATA;
+
if (AV_RL32(buf)==MVIh_TAG||AV_RB32(buf)==MVIh_TAG) {
cmv_process_header(s, buf+EA_PREAMBLE_SIZE, buf_end);
return buf_size;
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index d6ac81f009..0e410f96e8 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -660,7 +660,7 @@ static int is_intra_more_likely(MpegEncContext *s){
if(s->codec_id == CODEC_ID_H264){
H264Context *h= (void*)s;
- if(h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
+ if (h->list_count <= 0 || h->ref_count[0] <= 0 || !h->ref_list[0][0].data[0])
return 1;
}
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index ece095cf09..011c75faae 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -228,9 +228,11 @@ static int get_metadata_size(const uint8_t *buf, int buf_size)
buf += 4;
do {
+ if (buf_end - buf < 4)
+ return 0;
ff_flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size);
buf += 4;
- if (buf + metadata_size > buf_end) {
+ if (buf_end - buf < metadata_size) {
/* need more data in order to read the complete header */
return 0;
}
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index 8cc72e241e..2055596503 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -132,7 +132,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
FlicDecodeContext *s = avctx->priv_data;
int stream_ptr = 0;
- int stream_ptr_after_color_chunk;
int pixel_ptr;
int palette_ptr;
unsigned char palette_idx1;
@@ -172,7 +171,11 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
pixels = s->frame.data[0];
pixel_limit = s->avctx->height * s->frame.linesize[0];
+ if (buf_size < 16 || buf_size > INT_MAX - (3 * 256 + FF_INPUT_BUFFER_PADDING_SIZE))
+ return AVERROR_INVALIDDATA;
frame_size = AV_RL32(&buf[stream_ptr]);
+ if (frame_size > buf_size)
+ frame_size = buf_size;
stream_ptr += 6; /* skip the magic number */
num_chunks = AV_RL16(&buf[stream_ptr]);
stream_ptr += 10; /* skip padding */
@@ -180,13 +183,16 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
frame_size -= 16;
/* iterate through the chunks */
- while ((frame_size > 0) && (num_chunks > 0)) {
+ while ((frame_size >= 6) && (num_chunks > 0)) {
+ int stream_ptr_after_chunk;
chunk_size = AV_RL32(&buf[stream_ptr]);
if (chunk_size > frame_size) {
av_log(avctx, AV_LOG_WARNING,
"Invalid chunk_size = %u > frame_size = %u\n", chunk_size, frame_size);
chunk_size = frame_size;
}
+ stream_ptr_after_chunk = stream_ptr + chunk_size;
+
stream_ptr += 4;
chunk_type = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
@@ -194,8 +200,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
switch (chunk_type) {
case FLI_256_COLOR:
case FLI_COLOR:
- stream_ptr_after_color_chunk = stream_ptr + chunk_size - 6;
-
/* check special case: If this file is from the Magic Carpet
* game and uses 6-bit colors even though it reports 256-color
* chunks in a 0xAF12-type file (fli_type is set to 0xAF13 during
@@ -219,6 +223,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
if (color_changes == 0)
color_changes = 256;
+ if (stream_ptr + color_changes * 3 > stream_ptr_after_chunk)
+ break;
+
for (j = 0; j < color_changes; j++) {
unsigned int entry;
@@ -235,13 +242,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
s->palette[palette_ptr++] = entry;
}
}
-
- /* color chunks sometimes have weird 16-bit alignment issues;
- * therefore, take the hardline approach and set the stream_ptr
- * to the value calculated w.r.t. the size specified by the color
- * chunk header */
- stream_ptr = stream_ptr_after_color_chunk;
-
break;
case FLI_DELTA:
@@ -249,6 +249,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
compressed_lines = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
while (compressed_lines > 0) {
+ if (stream_ptr + 2 > stream_ptr_after_chunk)
+ break;
line_packets = AV_RL16(&buf[stream_ptr]);
stream_ptr += 2;
if ((line_packets & 0xC000) == 0xC000) {
@@ -268,6 +270,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
for (i = 0; i < line_packets; i++) {
+ if (stream_ptr + 2 > stream_ptr_after_chunk)
+ break;
/* account for the skip bytes */
pixel_skip = buf[stream_ptr++];
pixel_ptr += pixel_skip;
@@ -284,6 +288,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
}
} else {
CHECK_PIXEL_PTR(byte_run * 2);
+ if (stream_ptr + byte_run * 2 > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run * 2; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -310,6 +316,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
CHECK_PIXEL_PTR(0);
pixel_countdown = s->avctx->width;
line_packets = buf[stream_ptr++];
+ if (stream_ptr + 2 * line_packets > stream_ptr_after_chunk)
+ break;
if (line_packets > 0) {
for (i = 0; i < line_packets; i++) {
/* account for the skip bytes */
@@ -319,6 +327,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) {
CHECK_PIXEL_PTR(byte_run);
+ if (stream_ptr + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++, pixel_countdown--) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -356,6 +366,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
stream_ptr++;
pixel_countdown = s->avctx->width;
while (pixel_countdown > 0) {
+ if (stream_ptr + 1 > stream_ptr_after_chunk)
+ break;
byte_run = (signed char)(buf[stream_ptr++]);
if (byte_run > 0) {
palette_idx1 = buf[stream_ptr++];
@@ -370,6 +382,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
} else { /* copy bytes if byte_run < 0 */
byte_run = -byte_run;
CHECK_PIXEL_PTR(byte_run);
+ if (stream_ptr + byte_run > stream_ptr_after_chunk)
+ break;
for (j = 0; j < byte_run; j++) {
palette_idx1 = buf[stream_ptr++];
pixels[pixel_ptr++] = palette_idx1;
@@ -387,10 +401,9 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_COPY:
/* copy the chunk (uncompressed frame) */
- if (chunk_size - 6 > s->avctx->width * s->avctx->height) {
+ if (chunk_size - 6 != s->avctx->width * s->avctx->height) {
av_log(avctx, AV_LOG_ERROR, "In chunk FLI_COPY : source data (%d bytes) " \
- "bigger than image, skipping chunk\n", chunk_size - 6);
- stream_ptr += chunk_size - 6;
+ "has incorrect size, skipping chunk\n", chunk_size - 6);
} else {
for (y_ptr = 0; y_ptr < s->frame.linesize[0] * s->avctx->height;
y_ptr += s->frame.linesize[0]) {
@@ -403,7 +416,6 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
case FLI_MINI:
/* some sort of a thumbnail? disregard this chunk... */
- stream_ptr += chunk_size - 6;
break;
default:
@@ -411,6 +423,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
break;
}
+ stream_ptr = stream_ptr_after_chunk;
+
frame_size -= chunk_size;
num_chunks--;
}
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 0ac20a60c0..47ac9f02c6 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -106,12 +106,9 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
}
return 0;
-} //FIXME cleanup like ff_h264_check_intra_pred_mode
+} //FIXME cleanup like check_intra_pred_mode
-/**
- * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
- */
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
+static int check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
MpegEncContext * const s = &h->s;
static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
@@ -131,7 +128,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
if((h->left_samples_available&0x8080) != 0x8080){
mode= left[ mode ];
- if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
+ if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8);
}
if(mode<0){
@@ -143,6 +140,23 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
return mode;
}
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode)
+{
+ return check_intra_pred_mode(h, mode, 0);
+}
+
+/**
+ * checks if the top & left blocks are available if needed & changes the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode)
+{
+ return check_intra_pred_mode(h, mode, 1);
+}
+
+
const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_length, int *consumed, int length){
int i, si, di;
uint8_t *dst;
@@ -1018,17 +1032,20 @@ static av_cold void common_init(H264Context *h){
memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t));
}
-int ff_h264_decode_extradata(H264Context *h)
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
{
AVCodecContext *avctx = h->s.avctx;
- if(avctx->extradata[0] == 1){
+ if(!buf || size <= 0)
+ return -1;
+
+ if(buf[0] == 1){
int i, cnt, nalsize;
- unsigned char *p = avctx->extradata;
+ const unsigned char *p = buf;
h->is_avc = 1;
- if(avctx->extradata_size < 7) {
+ if(size < 7) {
av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
return -1;
}
@@ -1040,6 +1057,8 @@ int ff_h264_decode_extradata(H264Context *h)
p += 6;
for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2;
+ if(nalsize > size - (p-buf))
+ return -1;
if(decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
return -1;
@@ -1050,6 +1069,8 @@ int ff_h264_decode_extradata(H264Context *h)
cnt = *(p++); // Number of pps
for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2;
+ if(nalsize > size - (p-buf))
+ return -1;
if (decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
return -1;
@@ -1057,10 +1078,10 @@ int ff_h264_decode_extradata(H264Context *h)
p += nalsize;
}
// Now store right nal length size, that will be use to parse all other nals
- h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
+ h->nal_length_size = (buf[4] & 0x03) + 1;
} else {
h->is_avc = 0;
- if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0)
+ if(decode_nal_units(h, buf, size) < 0)
return -1;
}
return 0;
@@ -1104,7 +1125,7 @@ av_cold int ff_h264_decode_init(AVCodecContext *avctx){
}
if(avctx->extradata_size > 0 && avctx->extradata &&
- ff_h264_decode_extradata(h))
+ ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size))
return -1;
if(h->sps.bitstream_restriction_flag && s->avctx->has_b_frames < h->sps.num_reorder_frames){
@@ -2872,6 +2893,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){
+ unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb);
}
@@ -2882,25 +2904,27 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
- if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
- av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0]= h->ref_count[1]= 1;
- return -1;
- }
+ }
+ if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
+ av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+ h->ref_count[0]= h->ref_count[1]= 1;
+ return -1;
}
if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2;
else
h->list_count= 1;
}else
- h->list_count= 0;
+ h->ref_count[1]= h->ref_count[0]= h->list_count= 0;
if(!default_ref_list_done){
ff_h264_fill_default_ref_list(h);
}
- if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0)
+ if(h->slice_type_nos!=AV_PICTURE_TYPE_I && ff_h264_decode_ref_pic_list_reordering(h) < 0) {
+ h->ref_count[1]= h->ref_count[0]= 0;
return -1;
+ }
if(h->slice_type_nos!=AV_PICTURE_TYPE_I){
s->last_picture_ptr= &h->ref_list[0][0];
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 76e9832975..0a380e03c1 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -101,7 +101,7 @@
*/
#define DELAYED_PIC_REF 4
-#define QP_MAX_NUM (51 + 2*6) // The maximum supported qp
+#define QP_MAX_NUM (51 + 4*6) // The maximum supported qp
/* NAL unit types */
enum {
@@ -584,7 +584,7 @@ typedef struct H264Context{
}H264Context;
-extern const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1]; ///< One chroma qp table for each supported bit depth (8, 9, 10).
+extern const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1]; ///< One chroma qp table for each possible bit depth (8-12).
/**
* Decode SEI
@@ -658,12 +658,17 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
/**
* Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
*/
-int ff_h264_check_intra_pred_mode(H264Context *h, int mode);
+int ff_h264_check_intra16x16_pred_mode(H264Context *h, int mode);
+
+/**
+ * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
+ */
+int ff_h264_check_intra_chroma_pred_mode(H264Context *h, int mode);
void ff_h264_write_back_intra_pred_mode(H264Context *h);
void ff_h264_hl_decode_mb(H264Context *h);
int ff_h264_frame_start(H264Context *h);
-int ff_h264_decode_extradata(H264Context *h);
+int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size);
av_cold int ff_h264_decode_init(AVCodecContext *avctx);
av_cold int ff_h264_decode_end(AVCodecContext *avctx);
av_cold void ff_h264_decode_init_vlc(void);
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 3975a61699..7aaecf3c2e 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -2003,14 +2003,14 @@ decode_intra_mb:
ff_h264_write_back_intra_pred_mode(h);
if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
} else {
- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode );
+ h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode( h, h->intra16x16_pred_mode );
if( h->intra16x16_pred_mode < 0 ) return -1;
}
if(decode_chroma){
h->chroma_pred_mode_table[mb_xy] =
pred_mode = decode_cabac_mb_chroma_pre_mode( h );
- pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode );
+ pred_mode= ff_h264_check_intra_chroma_pred_mode( h, pred_mode );
if( pred_mode < 0 ) return -1;
h->chroma_pred_mode= pred_mode;
} else {
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 0ddc430661..92cae7fa93 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -735,12 +735,12 @@ decode_intra_mb:
if( ff_h264_check_intra4x4_pred_mode(h) < 0)
return -1;
}else{
- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode);
+ h->intra16x16_pred_mode= ff_h264_check_intra16x16_pred_mode(h, h->intra16x16_pred_mode);
if(h->intra16x16_pred_mode < 0)
return -1;
}
if(decode_chroma){
- pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb));
+ pred_mode= ff_h264_check_intra_chroma_pred_mode(h, get_ue_golomb_31(&s->gb));
if(pred_mode < 0)
return -1;
h->chroma_pred_mode= pred_mode;
diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
index 080b6a93b5..d560d3f86a 100644
--- a/libavcodec/h264_parser.c
+++ b/libavcodec/h264_parser.c
@@ -251,7 +251,7 @@ static int h264_parse(AVCodecParserContext *s,
h->got_first = 1;
if (avctx->extradata_size) {
h->s.avctx = avctx;
- ff_h264_decode_extradata(h);
+ ff_h264_decode_extradata(h, avctx->extradata, avctx->extradata_size);
}
}
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 61fb12ce0c..423f54b324 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -70,7 +70,7 @@ static const AVRational pixel_aspect[17]={
QP(37,d), QP(37,d), QP(37,d), QP(38,d), QP(38,d), QP(38,d),\
QP(39,d), QP(39,d), QP(39,d), QP(39,d)
-const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = {
+const uint8_t ff_h264_chroma_qp[5][QP_MAX_NUM+1] = {
{
CHROMA_QP_TABLE_END(8)
},
@@ -83,6 +83,19 @@ const uint8_t ff_h264_chroma_qp[3][QP_MAX_NUM+1] = {
6, 7, 8, 9, 10, 11,
CHROMA_QP_TABLE_END(10)
},
+ {
+ 0, 1, 2, 3, 4, 5,
+ 6, 7, 8, 9, 10, 11,
+ 12,13,14,15, 16, 17,
+ CHROMA_QP_TABLE_END(11)
+ },
+ {
+ 0, 1, 2, 3, 4, 5,
+ 6, 7, 8, 9, 10, 11,
+ 12,13,14,15, 16, 17,
+ 18,19,20,21, 22, 23,
+ CHROMA_QP_TABLE_END(12)
+ },
};
static const uint8_t default_scaling4[2][16]={
@@ -333,6 +346,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
sps->residual_color_transform_flag = get_bits1(&s->gb);
sps->bit_depth_luma = get_ue_golomb(&s->gb) + 8;
sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
+ if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
+ sps->bit_depth_luma, sps->bit_depth_chroma);
+ goto fail;
+ }
sps->transform_bypass = get_bits1(&s->gb);
decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
}else{
@@ -365,7 +383,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
}
sps->ref_frame_count= get_ue_golomb_31(&s->gb);
- if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count >= 32U){
+ if(sps->ref_frame_count > MAX_PICTURE_COUNT-2 || sps->ref_frame_count > 16U){
av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
goto fail;
}
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 83a5564e4c..063ac97955 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -301,7 +301,7 @@ int ff_h264_decode_ref_pic_list_reordering(H264Context *h){
void ff_h264_fill_mbaff_ref_list(H264Context *h){
int list, i, j;
- for(list=0; list<2; list++){ //FIXME try list_count
+ for(list=0; list<h->list_count; list++){
for(i=0; i<h->ref_count[list]; i++){
Picture *frame = &h->ref_list[list][i];
Picture *field = &h->ref_list[list][16+2*i];
diff --git a/libavcodec/j2k_dwt.c b/libavcodec/j2k_dwt.c
index 9ba770ad83..ab7a1ab757 100644
--- a/libavcodec/j2k_dwt.c
+++ b/libavcodec/j2k_dwt.c
@@ -321,6 +321,8 @@ int ff_j2k_dwt_init(DWTContext *s, uint16_t border[2][2], int decomp_levels, int
int i, j, lev = decomp_levels, maxlen,
b[2][2];
+ if (decomp_levels >= FF_DWT_MAX_DECLVLS)
+ return AVERROR_INVALIDDATA;
s->ndeclevels = decomp_levels;
s->type = type;
diff --git a/libavcodec/j2kdec.c b/libavcodec/j2kdec.c
index 73af6a73df..96b4f64098 100644
--- a/libavcodec/j2kdec.c
+++ b/libavcodec/j2kdec.c
@@ -961,18 +961,20 @@ static int decode_codestream(J2kDecoderContext *s)
static int jp2_find_codestream(J2kDecoderContext *s)
{
- int32_t atom_size;
+ uint32_t atom_size;
int found_codestream = 0, search_range = 10;
// skip jpeg2k signature atom
s->buf += 12;
- while(!found_codestream && search_range) {
+ while(!found_codestream && search_range && s->buf_end - s->buf >= 8) {
atom_size = AV_RB32(s->buf);
if(AV_RB32(s->buf + 4) == JP2_CODESTREAM) {
found_codestream = 1;
s->buf += 8;
} else {
+ if (s->buf_end - s->buf < atom_size)
+ return 0;
s->buf += atom_size;
search_range--;
}
@@ -1005,7 +1007,8 @@ static int decode_frame(AVCodecContext *avctx,
return AVERROR(EINVAL);
// check if the image is in jp2 format
- if((AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) &&
+ if(s->buf_end - s->buf >= 12 &&
+ (AV_RB32(s->buf) == 12) && (AV_RB32(s->buf + 4) == JP2_SIG_TYPE) &&
(AV_RB32(s->buf + 8) == JP2_SIG_VALUE)) {
if(!jp2_find_codestream(s)) {
av_log(avctx, AV_LOG_ERROR, "couldn't find jpeg2k codestream atom\n");
diff --git a/libavcodec/libaacplus.c b/libavcodec/libaacplus.c
new file mode 100644
index 0000000000..c8c87be549
--- /dev/null
+++ b/libavcodec/libaacplus.c
@@ -0,0 +1,136 @@
+/*
+ * Interface to libaacplus for aac+ (sbr+ps) encoding
+ * Copyright (c) 2010 tipok <piratfm@gmail.com>
+ *
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * @file
+ * Interface to libaacplus for aac+ (sbr+ps) encoding.
+ */
+
+#include "avcodec.h"
+#include <aacplus.h>
+
+typedef struct aacPlusAudioContext {
+ aacplusEncHandle aacplus_handle;
+} aacPlusAudioContext;
+
+static av_cold int aacPlus_encode_init(AVCodecContext *avctx)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+ aacplusEncConfiguration *aacplus_cfg;
+ unsigned long samples_input, max_bytes_output;
+
+ /* number of channels */
+ if (avctx->channels < 1 || avctx->channels > 2) {
+ av_log(avctx, AV_LOG_ERROR, "encoding %d channel(s) is not allowed\n", avctx->channels);
+ return -1;
+ }
+
+ s->aacplus_handle = aacplusEncOpen(avctx->sample_rate,
+ avctx->channels,
+ &samples_input, &max_bytes_output);
+ if(!s->aacplus_handle) {
+ av_log(avctx, AV_LOG_ERROR, "can't open encoder\n");
+ return -1;
+ }
+
+ /* check aacplus version */
+ aacplus_cfg = aacplusEncGetCurrentConfiguration(s->aacplus_handle);
+
+ /* put the options in the configuration struct */
+ if(avctx->profile != FF_PROFILE_AAC_LOW && avctx->profile != FF_PROFILE_UNKNOWN) {
+ av_log(avctx, AV_LOG_ERROR, "invalid AAC profile: %d, only LC supported\n", avctx->profile);
+ aacplusEncClose(s->aacplus_handle);
+ return -1;
+ }
+
+ aacplus_cfg->bitRate = avctx->bit_rate;
+ aacplus_cfg->bandWidth = avctx->cutoff;
+ if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
+ aacplus_cfg->outputFormat = 0; //raw aac
+ }
+ aacplus_cfg->inputFormat = AACPLUS_INPUT_16BIT;
+ if (!aacplusEncSetConfiguration(s->aacplus_handle, aacplus_cfg)) {
+ av_log(avctx, AV_LOG_ERROR, "libaacplus doesn't support this output format!\n");
+ return -1;
+ }
+
+ avctx->frame_size = samples_input / avctx->channels;
+
+ avctx->coded_frame= avcodec_alloc_frame();
+ avctx->coded_frame->key_frame= 1;
+
+ /* Set decoder specific info */
+ avctx->extradata_size = 0;
+ if (avctx->flags & CODEC_FLAG_GLOBAL_HEADER) {
+
+ unsigned char *buffer = NULL;
+ unsigned long decoder_specific_info_size;
+
+ if (aacplusEncGetDecoderSpecificInfo(s->aacplus_handle, &buffer,
+ &decoder_specific_info_size) == 1) {
+ avctx->extradata = av_malloc(decoder_specific_info_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ avctx->extradata_size = decoder_specific_info_size;
+ memcpy(avctx->extradata, buffer, avctx->extradata_size);
+ }
+#undef free
+ free(buffer);
+#define free please_use_av_free
+ }
+ return 0;
+}
+
+static int aacPlus_encode_frame(AVCodecContext *avctx,
+ unsigned char *frame, int buf_size, void *data)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+ int bytes_written;
+
+ bytes_written = aacplusEncEncode(s->aacplus_handle,
+ data,
+ avctx->frame_size * avctx->channels,
+ frame,
+ buf_size);
+
+ return bytes_written;
+}
+
+static av_cold int aacPlus_encode_close(AVCodecContext *avctx)
+{
+ aacPlusAudioContext *s = avctx->priv_data;
+
+ av_freep(&avctx->coded_frame);
+ av_freep(&avctx->extradata);
+
+ aacplusEncClose(s->aacplus_handle);
+ return 0;
+}
+
+AVCodec ff_libaacplus_encoder = {
+ "libaacplus",
+ AVMEDIA_TYPE_AUDIO,
+ CODEC_ID_AAC,
+ sizeof(aacPlusAudioContext),
+ aacPlus_encode_init,
+ aacPlus_encode_frame,
+ aacPlus_encode_close,
+ .sample_fmts = (const enum SampleFormat[]){SAMPLE_FMT_S16,SAMPLE_FMT_NONE},
+ .long_name = NULL_IF_CONFIG_SMALL("libaacplus AAC+ (Advanced Audio Codec with SBR+PS)"),
+};
diff --git a/libavcodec/libvpxenc.c b/libavcodec/libvpxenc.c
index ac1b79fcc7..990badb87b 100644
--- a/libavcodec/libvpxenc.c
+++ b/libavcodec/libvpxenc.c
@@ -481,8 +481,8 @@ static int queue_frames(AVCodecContext *avctx, uint8_t *buf, int buf_size,
break;
case VPX_CODEC_STATS_PKT: {
struct vpx_fixed_buf *stats = &ctx->twopass_stats;
- stats->buf = av_realloc(stats->buf,
- stats->sz + pkt->data.twopass_stats.sz);
+ stats->buf = av_realloc_f(stats->buf, 1,
+ stats->sz + pkt->data.twopass_stats.sz);
if (!stats->buf) {
av_log(avctx, AV_LOG_ERROR, "Stat buffer realloc failed\n");
return AVERROR(ENOMEM);
diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index cc5b9837f8..bf542accdf 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -70,9 +70,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
/* Write the SEI as part of the first frame. */
if (x4->sei_size > 0 && nnal > 0) {
+ if (x4->sei_size > size) {
+ av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+ return -1;
+ }
memcpy(p, x4->sei, x4->sei_size);
p += x4->sei_size;
x4->sei_size = 0;
+ // why is x4->sei not freed?
}
for (i = 0; i < nnal; i++){
@@ -83,6 +88,11 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload);
continue;
}
+ if (nals[i].i_payload > (size - (p - buf))) {
+ // return only complete nals which fit in buf
+ av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+ break;
+ }
memcpy(p, nals[i].p_payload, nals[i].i_payload);
p += nals[i].i_payload;
}
diff --git a/libavcodec/motionpixels.c b/libavcodec/motionpixels.c
index b18efa6b9c..635a7d14a1 100644
--- a/libavcodec/motionpixels.c
+++ b/libavcodec/motionpixels.c
@@ -52,14 +52,16 @@ typedef struct MotionPixelsContext {
static av_cold int mp_decode_init(AVCodecContext *avctx)
{
MotionPixelsContext *mp = avctx->priv_data;
+ int w4 = (avctx->width + 3) & ~3;
+ int h4 = (avctx->height + 3) & ~3;
motionpixels_tableinit();
mp->avctx = avctx;
dsputil_init(&mp->dsp, avctx);
- mp->changes_map = av_mallocz(avctx->width * avctx->height);
+ mp->changes_map = av_mallocz(avctx->width * h4);
mp->offset_bits_len = av_log2(avctx->width * avctx->height) + 1;
mp->vpt = av_mallocz(avctx->height * sizeof(YuvPixel));
- mp->hpt = av_mallocz(avctx->height * avctx->width / 16 * sizeof(YuvPixel));
+ mp->hpt = av_mallocz(h4 * w4 / 16 * sizeof(YuvPixel));
avctx->pix_fmt = PIX_FMT_RGB555;
avcodec_get_frame_defaults(&mp->frame);
return 0;
@@ -253,6 +255,7 @@ static int mp_decode_frame(AVCodecContext *avctx,
mp->dsp.bswap_buf((uint32_t *)mp->bswapbuf, (const uint32_t *)buf, buf_size / 4);
if (buf_size & 3)
memcpy(mp->bswapbuf + (buf_size & ~3), buf + (buf_size & ~3), buf_size & 3);
+ memset(mp->bswapbuf + buf_size, 0, FF_INPUT_BUFFER_PADDING_SIZE);
init_get_bits(&gb, mp->bswapbuf, buf_size * 8);
memset(mp->changes_map, 0, avctx->width * avctx->height);
@@ -279,6 +282,8 @@ static int mp_decode_frame(AVCodecContext *avctx,
if (sz == 0)
goto end;
+ if (mp->max_codes_bits <= 0)
+ goto end;
if (init_vlc(&mp->vlc, mp->max_codes_bits, mp->codes_count, &mp->codes[0].size, sizeof(HuffCode), 1, &mp->codes[0].code, sizeof(HuffCode), 4, 0))
goto end;
mp_decode_frame_helper(mp, &gb);
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 2864b1a010..bca57451ca 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -127,6 +127,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
skip_bits(&gb, 3);//sample rate
c->maxbands = get_bits(&gb, 5) + 1;
+ if (c->maxbands >= BANDS)
+ return AVERROR_INVALIDDATA;
channels = get_bits(&gb, 4) + 1;
if (channels > 2) {
av_log_missing_feature(avctx, "Multichannel MPC SV8", 1);
@@ -260,6 +262,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2);
if(maxband > 32) maxband -= 33;
}
+ if(maxband > c->maxbands)
+ return AVERROR_INVALIDDATA;
c->last_max_band = maxband;
/* read subband indexes */
diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 458ac19980..f4743c5000 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -366,8 +366,8 @@ static int init_duplicate_context(MpegEncContext *s, MpegEncContext *base){
int i;
// edge emu needs blocksize + filter length - 1 (=17x17 for halfpel / 21x21 for h264)
- FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
- s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21;
+ FF_ALLOCZ_OR_GOTO(s->avctx, s->allocated_edge_emu_buffer, (s->width+64)*2*21*2*2, fail); //(width + edge + align)*interlaced*MBsize*tolerance
+ s->edge_emu_buffer= s->allocated_edge_emu_buffer + (s->width+64)*2*21*2;
//FIXME should be linesize instead of s->width*2 but that is not known before get_buffer()
FF_ALLOCZ_OR_GOTO(s->avctx, s->me.scratchpad, (s->width+64)*4*16*2*sizeof(uint8_t), fail)
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h
index 57cc59c6e1..3d0d8b0e0b 100644
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -123,7 +123,7 @@ typedef struct Picture{
int pic_id; /**< h264 pic_num (short -> no wrap version of pic_num,
pic_num & max_pic_num; long -> long_pic_num) */
int long_ref; ///< 1->long term reference 0->short term reference
- int ref_poc[2][2][16]; ///< h264 POCs of the frames used as reference (FIXME need per slice)
+ int ref_poc[2][2][32]; ///< h264 POCs of the frames/fields used as reference (FIXME need per slice)
int ref_count[2][2]; ///< number of entries in ref_poc (FIXME need per slice)
int mbaff; ///< h264 1 -> MBAFF frame 0-> not MBAFF
int field_picture; ///< whether or not the picture was encoded in seperate fields
diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index a6e9c7c7be..3c92aa93f4 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -411,9 +411,10 @@ av_cold int MPV_encode_init(AVCodecContext *avctx)
if ((s->codec_id == CODEC_ID_MPEG4 || s->codec_id == CODEC_ID_H263 ||
s->codec_id == CODEC_ID_H263P) &&
(avctx->sample_aspect_ratio.num > 255 || avctx->sample_aspect_ratio.den > 255)) {
- av_log(avctx, AV_LOG_ERROR, "Invalid pixel aspect ratio %i/%i, limit is 255/255\n",
+ av_log(avctx, AV_LOG_WARNING, "Invalid pixel aspect ratio %i/%i, limit is 255/255 reducing\n",
avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den);
- return -1;
+ av_reduce(&avctx->sample_aspect_ratio.num, &avctx->sample_aspect_ratio.den,
+ avctx->sample_aspect_ratio.num, avctx->sample_aspect_ratio.den, 255);
}
if((s->flags & (CODEC_FLAG_INTERLACED_DCT|CODEC_FLAG_INTERLACED_ME|CODEC_FLAG_ALT_SCAN))
diff --git a/libavcodec/ppc/asm.S b/libavcodec/ppc/asm.S
index 2706d6b1d8..bbbf8a4a66 100644
--- a/libavcodec/ppc/asm.S
+++ b/libavcodec/ppc/asm.S
@@ -44,10 +44,13 @@ X(\name):
L(\name):
.endm
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
ld \rd, \sym@got(r2)
.endm
+.macro get_got rd
+.endm
+
#else /* ARCH_PPC64 */
#define PTR .int
@@ -65,19 +68,25 @@ X(\name):
\name:
.endm
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
#if CONFIG_PIC
- bcl 20, 31, lab_pic_\@
-lab_pic_\@:
- mflr \rd
- addis \rd, \rd, (\sym - lab_pic_\@)@ha
- addi \rd, \rd, (\sym - lab_pic_\@)@l
+ lwz \rd, \sym@got(\gp)
#else
lis \rd, \sym@ha
la \rd, \sym@l(\rd)
#endif
.endm
+.macro get_got rd
+#if CONFIG_PIC
+ bcl 20, 31, .Lgot\@
+.Lgot\@:
+ mflr \rd
+ addis \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha
+ addi \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l
+#endif
+.endm
+
#endif /* ARCH_PPC64 */
#if HAVE_IBM_ASM
diff --git a/libavcodec/ppc/fft_altivec_s.S b/libavcodec/ppc/fft_altivec_s.S
index 5d3c5406c3..16ce838c97 100644
--- a/libavcodec/ppc/fft_altivec_s.S
+++ b/libavcodec/ppc/fft_altivec_s.S
@@ -353,6 +353,7 @@ extfunc ff_fft_calc\interleave\()_altivec
mflr r0
stp r0, 2*PS(r1)
stpu r1, -(160+16*PS)(r1)
+ get_got r11
addi r6, r1, 16*PS
stvm r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29
mfvrsave r0
@@ -360,14 +361,14 @@ extfunc ff_fft_calc\interleave\()_altivec
li r6, 0xfffffffc
mtvrsave r6
- movrel r6, fft_data
+ movrel r6, fft_data, r11
lvm r6, v14, v15, v16, v17, v18, v19, v20, v21
lvm r6, v22, v23, v24, v25, v26, v27, v28, v29
li r9, 16
- movrel r12, X(ff_cos_tabs)
+ movrel r12, X(ff_cos_tabs), r11
- movrel r6, fft_dispatch_tab\interleave\()_altivec
+ movrel r6, fft_dispatch_tab\interleave\()_altivec, r11
lwz r3, 0(r3)
subi r3, r3, 2
slwi r3, r3, 2+ARCH_PPC64
diff --git a/libavcodec/ptx.c b/libavcodec/ptx.c
index 3273fd2f8e..756dbcd58b 100644
--- a/libavcodec/ptx.c
+++ b/libavcodec/ptx.c
@@ -39,12 +39,15 @@ static av_cold int ptx_init(AVCodecContext *avctx) {
static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
PTXContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
unsigned int offset, w, h, y, stride, bytes_per_pixel;
uint8_t *ptr;
+ if (buf_end - buf < 14)
+ return AVERROR_INVALIDDATA;
offset = AV_RL16(buf);
w = AV_RL16(buf+8);
h = AV_RL16(buf+10);
@@ -57,6 +60,9 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
avctx->pix_fmt = PIX_FMT_RGB555;
+
+ if (buf_end - buf < offset)
+ return AVERROR_INVALIDDATA;
if (offset != 0x2c)
av_log_ask_for_sample(avctx, "offset != 0x2c\n");
@@ -80,6 +86,8 @@ static int ptx_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
stride = p->linesize[0];
for (y=0; y<h; y++) {
+ if (buf_end - buf < w * bytes_per_pixel)
+ break;
#if HAVE_BIGENDIAN
unsigned int x;
for (x=0; x<w*bytes_per_pixel; x+=bytes_per_pixel)
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 6eb836456c..1665c8daed 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1353,6 +1353,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext *
return;
local_int_14 = (offset >> local_int_8);
+ if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table))
+ return;
if (q->nb_channels > 1) {
channel = get_bits1(gb);
@@ -1797,6 +1799,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata);
extradata += 4;
+ if (s->channels > MPA_MAX_CHANNELS)
+ return AVERROR_INVALIDDATA;
avctx->sample_rate = AV_RB32(extradata);
extradata += 4;
@@ -1818,6 +1822,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
// something like max decodable tones
s->group_order = av_log2(s->group_size) + 1;
s->frame_size = s->group_size / 16; // 16 iterations per super block
+ if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2)
+ return AVERROR_INVALIDDATA;
s->sub_sampling = s->fft_order - 7;
s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c
index cd3146388e..6432728cb8 100644
--- a/libavcodec/qdrw.c
+++ b/libavcodec/qdrw.c
@@ -37,6 +37,7 @@ static int decode_frame(AVCodecContext *avctx,
AVPacket *avpkt)
{
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
int buf_size = avpkt->size;
QdrawContext * const a = avctx->priv_data;
AVFrame * const p= (AVFrame*)&a->pic;
@@ -59,6 +60,8 @@ static int decode_frame(AVCodecContext *avctx,
outdata = a->pic.data[0];
+ if (buf_end - buf < 0x68 + 4)
+ return AVERROR_INVALIDDATA;
buf += 0x68; /* jump to palette */
colors = AV_RB32(buf);
buf += 4;
@@ -67,6 +70,8 @@ static int decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors);
return -1;
}
+ if (buf_end - buf < (colors + 1) * 8)
+ return AVERROR_INVALIDDATA;
pal = (uint32_t*)p->data[1];
for (i = 0; i <= colors; i++) {
@@ -89,6 +94,8 @@ static int decode_frame(AVCodecContext *avctx,
}
p->palette_has_changed = 1;
+ if (buf_end - buf < 18)
+ return AVERROR_INVALIDDATA;
buf += 18; /* skip unneeded data */
for (i = 0; i < avctx->height; i++) {
int size, left, code, pix;
@@ -100,6 +107,9 @@ static int decode_frame(AVCodecContext *avctx,
out = outdata;
size = AV_RB16(buf); /* size of packed line */
buf += 2;
+ if (buf_end - buf < size)
+ return AVERROR_INVALIDDATA;
+
left = size;
next = buf + size;
while (left > 0) {
@@ -115,6 +125,8 @@ static int decode_frame(AVCodecContext *avctx,
} else { /* copy */
if ((out + code) > (outdata + a->pic.linesize[0]))
break;
+ if (buf_end - buf < code + 1)
+ return AVERROR_INVALIDDATA;
memcpy(out, buf, code + 1);
out += code + 1;
buf += code + 1;
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index f593d0a164..4c1abe8e4c 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -155,7 +155,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer)
if (s->bitshift != 0)
for (i = 0; i < s->blocksize; i++)
- buffer[s->nwrap + i] <<= s->bitshift;
+ buffer[i] <<= s->bitshift;
}
@@ -483,9 +483,15 @@ static int shorten_decode_frame(AVCodecContext *avctx,
case FN_BITSHIFT:
s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
break;
- case FN_BLOCKSIZE:
- s->blocksize = get_uint(s, av_log2(s->blocksize));
+ case FN_BLOCKSIZE: {
+ int blocksize = get_uint(s, av_log2(s->blocksize));
+ if (blocksize > s->blocksize) {
+ av_log(avctx, AV_LOG_ERROR, "Increasing block size is not supported\n");
+ return AVERROR_PATCHWELCOME;
+ }
+ s->blocksize = blocksize;
break;
+ }
case FN_QUIT:
*data_size = 0;
return buf_size;
diff --git a/libavcodec/sunrast.c b/libavcodec/sunrast.c
index 558b0edd8f..209d2c0ad3 100644
--- a/libavcodec/sunrast.c
+++ b/libavcodec/sunrast.c
@@ -46,6 +46,7 @@ static av_cold int sunrast_init(AVCodecContext *avctx) {
static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
int *data_size, AVPacket *avpkt) {
const uint8_t *buf = avpkt->data;
+ const uint8_t *buf_end = avpkt->data + avpkt->size;
SUNRASTContext * const s = avctx->priv_data;
AVFrame *picture = data;
AVFrame * const p = &s->picture;
@@ -53,6 +54,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
uint8_t *ptr;
const uint8_t *bufstart = buf;
+ if (avpkt->size < 32)
+ return AVERROR_INVALIDDATA;
+
if (AV_RB32(buf) != 0x59a66a95) {
av_log(avctx, AV_LOG_ERROR, "this is not sunras encoded data\n");
return -1;
@@ -64,13 +68,14 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
type = AV_RB32(buf+20);
maptype = AV_RB32(buf+24);
maplength = AV_RB32(buf+28);
+ buf += 32;
- if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
- av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
+ if (type < RT_OLD || type > RT_FORMAT_IFF) {
+ av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
return -1;
}
- if (type > RT_FORMAT_IFF) {
- av_log(avctx, AV_LOG_ERROR, "invalid (compression) type\n");
+ if (av_image_check_size(w, h, 0, avctx)) {
+ av_log(avctx, AV_LOG_ERROR, "invalid image size\n");
return -1;
}
if (maptype & ~1) {
@@ -78,7 +83,10 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
return -1;
}
- buf += 32;
+ if (type == RT_FORMAT_TIFF || type == RT_FORMAT_IFF) {
+ av_log(avctx, AV_LOG_ERROR, "unsupported (compression) type\n");
+ return -1;
+ }
switch (depth) {
case 1:
@@ -98,8 +106,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
if (p->data[0])
avctx->release_buffer(avctx, p);
- if (av_image_check_size(w, h, 0, avctx))
- return -1;
if (w != avctx->width || h != avctx->height)
avcodec_set_dimensions(avctx, w, h);
if (avctx->get_buffer(avctx, p) < 0) {
@@ -109,6 +115,9 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
p->pict_type = AV_PICTURE_TYPE_I;
+ if (buf_end - buf < maplength)
+ return AVERROR_INVALIDDATA;
+
if (depth != 8 && maplength) {
av_log(avctx, AV_LOG_WARNING, "useless colormap found or file is corrupted, trying to recover\n");
@@ -143,8 +152,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
uint8_t *end = ptr + h*stride;
x = 0;
- while (ptr != end) {
+ while (ptr != end && buf < buf_end) {
run = 1;
+ if (buf_end - buf < 1)
+ return AVERROR_INVALIDDATA;
+
if ((value = *buf++) == 0x80) {
run = *buf++ + 1;
if (run != 1)
@@ -163,6 +175,8 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
}
} else {
for (y=0; y<h; y++) {
+ if (buf_end - buf < len)
+ break;
memcpy(ptr, buf, len);
ptr += stride;
buf += alen;
diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
index e7839be8b5..92d84b0f82 100644
--- a/libavcodec/svq3.c
+++ b/libavcodec/svq3.c
@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
dir = i_mb_type_info[mb_type - 8].pred_mode;
dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;
- if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){
+ if ((h->intra16x16_pred_mode = ff_h264_check_intra16x16_pred_mode(h, dir)) == -1){
av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
return -1;
}
@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
s->current_picture.mb_type[mb_xy] = mb_type;
if (IS_INTRA(mb_type)) {
- h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8);
+ h->chroma_pred_mode = ff_h264_check_intra_chroma_pred_mode(h, DC_PRED8x8);
}
return 0;
diff --git a/libavcodec/tiertexseqv.c b/libavcodec/tiertexseqv.c
index f3a044882e..160da8c630 100644
--- a/libavcodec/tiertexseqv.c
+++ b/libavcodec/tiertexseqv.c
@@ -35,15 +35,19 @@ typedef struct SeqVideoContext {
} SeqVideoContext;
-static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsigned char *dst, int dst_size)
+static const unsigned char *seq_unpack_rle_block(const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst, int dst_size)
{
int i, len, sz;
GetBitContext gb;
int code_table[64];
- /* get the rle codes (at most 64 bytes) */
- init_get_bits(&gb, src, 64 * 8);
+ /* get the rle codes */
+ init_get_bits(&gb, src, (src_end - src) * 8);
for (i = 0, sz = 0; i < 64 && sz < dst_size; i++) {
+ if (get_bits_left(&gb) < 4)
+ return NULL;
code_table[i] = get_sbits(&gb, 4);
sz += FFABS(code_table[i]);
}
@@ -54,8 +58,12 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig
len = code_table[i];
if (len < 0) {
len = -len;
+ if (src_end - src < 1)
+ return NULL;
memset(dst, *src++, FFMIN(len, dst_size));
} else {
+ if (src_end - src < len)
+ return NULL;
memcpy(dst, src, FFMIN(len, dst_size));
src += len;
}
@@ -65,25 +73,30 @@ static const unsigned char *seq_unpack_rle_block(const unsigned char *src, unsig
return src;
}
-static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op1(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
const unsigned char *color_table;
int b, i, len, bits;
GetBitContext gb;
unsigned char block[8 * 8];
+ if (src_end - src < 1)
+ return NULL;
len = *src++;
if (len & 0x80) {
switch (len & 3) {
case 1:
- src = seq_unpack_rle_block(src, block, sizeof(block));
+ src = seq_unpack_rle_block(src, src_end, block, sizeof(block));
for (b = 0; b < 8; b++) {
memcpy(dst, &block[b * 8], 8);
dst += seq->frame.linesize[0];
}
break;
case 2:
- src = seq_unpack_rle_block(src, block, sizeof(block));
+ src = seq_unpack_rle_block(src, src_end, block, sizeof(block));
for (i = 0; i < 8; i++) {
for (b = 0; b < 8; b++)
dst[b * seq->frame.linesize[0]] = block[i * 8 + b];
@@ -92,9 +105,13 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned
break;
}
} else {
+ if (len <= 0)
+ return NULL;
+ bits = ff_log2_tab[len - 1] + 1;
+ if (src_end - src < len + 8 * bits)
+ return NULL;
color_table = src;
src += len;
- bits = ff_log2_tab[len - 1] + 1;
init_get_bits(&gb, src, bits * 8 * 8); src += bits * 8;
for (b = 0; b < 8; b++) {
for (i = 0; i < 8; i++)
@@ -106,10 +123,16 @@ static const unsigned char *seq_decode_op1(SeqVideoContext *seq, const unsigned
return src;
}
-static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op2(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
int i;
+ if (src_end - src < 8 * 8)
+ return NULL;
+
for (i = 0; i < 8; i++) {
memcpy(dst, src, 8);
src += 8;
@@ -119,11 +142,16 @@ static const unsigned char *seq_decode_op2(SeqVideoContext *seq, const unsigned
return src;
}
-static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned char *src, unsigned char *dst)
+static const unsigned char *seq_decode_op3(SeqVideoContext *seq,
+ const unsigned char *src,
+ const unsigned char *src_end,
+ unsigned char *dst)
{
int pos, offset;
do {
+ if (src_end - src < 2)
+ return NULL;
pos = *src++;
offset = ((pos >> 3) & 7) * seq->frame.linesize[0] + (pos & 7);
dst[offset] = *src++;
@@ -132,8 +160,9 @@ static const unsigned char *seq_decode_op3(SeqVideoContext *seq, const unsigned
return src;
}
-static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size)
+static int seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int data_size)
{
+ const unsigned char *data_end = data + data_size;
GetBitContext gb;
int flags, i, j, x, y, op;
unsigned char c[3];
@@ -144,6 +173,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int
if (flags & 1) {
palette = (uint32_t *)seq->frame.data[1];
+ if (data_end - data < 256 * 3)
+ return AVERROR_INVALIDDATA;
for (i = 0; i < 256; i++) {
for (j = 0; j < 3; j++, data++)
c[j] = (*data << 2) | (*data >> 4);
@@ -153,6 +184,8 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int
}
if (flags & 2) {
+ if (data_end - data < 128)
+ return AVERROR_INVALIDDATA;
init_get_bits(&gb, data, 128 * 8); data += 128;
for (y = 0; y < 128; y += 8)
for (x = 0; x < 256; x += 8) {
@@ -160,17 +193,20 @@ static void seqvideo_decode(SeqVideoContext *seq, const unsigned char *data, int
op = get_bits(&gb, 2);
switch (op) {
case 1:
- data = seq_decode_op1(seq, data, dst);
+ data = seq_decode_op1(seq, data, data_end, dst);
break;
case 2:
- data = seq_decode_op2(seq, data, dst);
+ data = seq_decode_op2(seq, data, data_end, dst);
break;
case 3:
- data = seq_decode_op3(seq, data, dst);
+ data = seq_decode_op3(seq, data, data_end, dst);
break;
}
+ if (!data)
+ return AVERROR_INVALIDDATA;
}
}
+ return 0;
}
static av_cold int seqvideo_decode_init(AVCodecContext *avctx)
@@ -202,7 +238,8 @@ static int seqvideo_decode_frame(AVCodecContext *avctx,
return -1;
}
- seqvideo_decode(seq, buf, buf_size);
+ if (seqvideo_decode(seq, buf, buf_size))
+ return AVERROR_INVALIDDATA;
*data_size = sizeof(AVFrame);
*(AVFrame *)data = seq->frame;
diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index c54eaee346..ed01b70147 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -170,6 +170,8 @@ static int tiff_unpack_strip(TiffContext *s, uint8_t* dst, int stride, const uin
}
switch(s->compr){
case TIFF_RAW:
+ if (ssrc + size - src < width)
+ return AVERROR_INVALIDDATA;
if (!s->fill_order) {
memcpy(dst, src, width);
} else {
@@ -277,6 +279,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
uint32_t *pal;
const uint8_t *rp, *gp, *bp;
+ if (end_buf - buf < 12)
+ return -1;
tag = tget_short(&buf, s->le);
type = tget_short(&buf, s->le);
count = tget_long(&buf, s->le);
@@ -336,7 +340,7 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
case TIFF_SHORT:
case TIFF_LONG:
s->bpp = 0;
- for(i = 0; i < count; i++) s->bpp += tget(&buf, type, s->le);
+ for(i = 0; i < count && buf < end_buf; i++) s->bpp += tget(&buf, type, s->le);
break;
default:
s->bpp = -1;
@@ -450,6 +454,8 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
case TIFF_PAL:
pal = (uint32_t *) s->palette;
off = type_sizes[type];
+ if (count / 3 > 256 || end_buf - buf < count / 3 * off * 3)
+ return -1;
rp = buf;
gp = buf + count / 3 * off;
bp = buf + count / 3 * off * 2;
@@ -493,12 +499,16 @@ static int decode_frame(AVCodecContext *avctx,
AVFrame *picture = data;
AVFrame * const p= (AVFrame*)&s->picture;
const uint8_t *orig_buf = buf, *end_buf = buf + buf_size;
- int id, le, off, ret;
+ unsigned off;
+ int id, le, ret;
int i, j, entries;
- int stride, soff, ssize;
+ int stride;
+ unsigned soff, ssize;
uint8_t *dst;
//parse image header
+ if (end_buf - buf < 8)
+ return AVERROR_INVALIDDATA;
id = AV_RL16(buf); buf += 2;
if(id == 0x4949) le = 1;
else if(id == 0x4D4D) le = 0;
@@ -518,9 +528,9 @@ static int decode_frame(AVCodecContext *avctx,
}
/* parse image file directory */
off = tget_long(&buf, le);
- if(orig_buf + off + 14 >= end_buf){
+ if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {
av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n");
- return -1;
+ return AVERROR_INVALIDDATA;
}
buf = orig_buf + off;
entries = tget_short(&buf, le);
@@ -544,23 +554,23 @@ static int decode_frame(AVCodecContext *avctx,
stride = p->linesize[0];
dst = p->data[0];
for(i = 0; i < s->height; i += s->rps){
- if(s->stripsizes)
+ if(s->stripsizes) {
+ if (s->stripsizes >= end_buf)
+ return AVERROR_INVALIDDATA;
ssize = tget(&s->stripsizes, s->sstype, s->le);
- else
+ } else
ssize = s->stripsize;
- if (ssize > buf_size) {
- av_log(avctx, AV_LOG_ERROR, "Buffer size is smaller than strip size\n");
- return -1;
- }
-
if(s->stripdata){
+ if (s->stripdata >= end_buf)
+ return AVERROR_INVALIDDATA;
soff = tget(&s->stripdata, s->sot, s->le);
}else
soff = s->stripoff;
- if (soff < 0) {
- av_log(avctx, AV_LOG_ERROR, "Invalid stripoff: %d\n", soff);
- return AVERROR(EINVAL);
+
+ if (soff > buf_size || ssize > buf_size - soff) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid strip size/offset\n");
+ return -1;
}
if(tiff_unpack_strip(s, dst, stride, orig_buf + soff, ssize, FFMIN(s->rps, s->height - i)) < 0)
break;
diff --git a/libavcodec/tiffenc.c b/libavcodec/tiffenc.c
index f7228f128f..97e1dd38c4 100644
--- a/libavcodec/tiffenc.c
+++ b/libavcodec/tiffenc.c
@@ -42,6 +42,7 @@ static const uint8_t type_sizes2[6] = {
};
typedef struct TiffEncoderContext {
+ AVClass *avclass;
AVCodecContext *avctx;
AVFrame picture;
@@ -216,6 +217,7 @@ static int encode_frame(AVCodecContext * avctx, unsigned char *buf,
uint8_t *yuv_line = NULL;
int shift_h, shift_v;
+ s->avctx = avctx;
s->buf_start = buf;
s->buf = &ptr;
s->buf_size = buf_size;
diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 5520ede336..7247932248 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -829,6 +829,11 @@ int attribute_align_arg avcodec_decode_audio3(AVCodecContext *avctx, int16_t *sa
avctx->pkt = avpkt;
+ if (!avpkt->data && avpkt->size) {
+ av_log(avctx, AV_LOG_ERROR, "invalid packet: NULL data, size != 0\n");
+ return AVERROR(EINVAL);
+ }
+
if((avctx->codec->capabilities & CODEC_CAP_DELAY) || avpkt->size){
//FIXME remove the check below _after_ ensuring that all audio check that the available space is enough
if(*frame_size_ptr < AVCODEC_MAX_AUDIO_FRAME_SIZE){
diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index b9acfe921c..1f9694ea29 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -72,9 +72,11 @@ typedef struct VmdVideoContext {
#define QUEUE_SIZE 0x1000
#define QUEUE_MASK 0x0FFF
-static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len)
+static void lz_unpack(const unsigned char *src, int src_len,
+ unsigned char *dest, int dest_len)
{
const unsigned char *s;
+ const unsigned char *s_end;
unsigned char *d;
unsigned char *d_end;
unsigned char queue[QUEUE_SIZE];
@@ -87,8 +89,12 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
unsigned int i, j;
s = src;
+ s_end = src + src_len;
d = dest;
d_end = d + dest_len;
+
+ if (s_end - s < 8)
+ return;
dataleft = AV_RL32(s);
s += 4;
memset(queue, 0x20, QUEUE_SIZE);
@@ -101,10 +107,10 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
speclen = 100; /* no speclen */
}
- while (dataleft > 0) {
+ while (s_end - s > 0 && dataleft > 0) {
tag = *s++;
if ((tag == 0xFF) && (dataleft > 8)) {
- if (d + 8 > d_end)
+ if (d_end - d < 8 || s_end - s < 8)
return;
for (i = 0; i < 8; i++) {
queue[qpos++] = *d++ = *s++;
@@ -116,18 +122,23 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
if (dataleft == 0)
break;
if (tag & 0x01) {
- if (d + 1 > d_end)
+ if (d_end - d < 1 || s_end - s < 1)
return;
queue[qpos++] = *d++ = *s++;
qpos &= QUEUE_MASK;
dataleft--;
} else {
+ if (s_end - s < 2)
+ return;
chainofs = *s++;
chainofs |= ((*s & 0xF0) << 4);
chainlen = (*s++ & 0x0F) + 3;
- if (chainlen == speclen)
+ if (chainlen == speclen) {
+ if (s_end - s < 1)
+ return;
chainlen = *s++ + 0xF + 3;
- if (d + chainlen > d_end)
+ }
+ if (d_end - d < chainlen)
return;
for (j = 0; j < chainlen; j++) {
*d = queue[chainofs++ & QUEUE_MASK];
@@ -142,32 +153,39 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le
}
}
-static int rle_unpack(const unsigned char *src, unsigned char *dest,
- int src_len, int dest_len)
+static int rle_unpack(const unsigned char *src, int src_len, int src_count,
+ unsigned char *dest, int dest_len)
{
const unsigned char *ps;
+ const unsigned char *ps_end;
unsigned char *pd;
int i, l;
unsigned char *dest_end = dest + dest_len;
ps = src;
+ ps_end = src + src_len;
pd = dest;
- if (src_len & 1)
+ if (src_count & 1) {
+ if (ps_end - ps < 1)
+ return 0;
*pd++ = *ps++;
+ }
- src_len >>= 1;
+ src_count >>= 1;
i = 0;
do {
+ if (ps_end - ps < 1)
+ break;
l = *ps++;
if (l & 0x80) {
l = (l & 0x7F) * 2;
- if (pd + l > dest_end)
+ if (dest_end - pd < l || ps_end - ps < l)
return ps - src;
memcpy(pd, ps, l);
ps += l;
pd += l;
} else {
- if (pd + i > dest_end)
+ if (dest_end - pd < i || ps_end - ps < 2)
return ps - src;
for (i = 0; i < l; i++) {
*pd++ = ps[0];
@@ -176,7 +194,7 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest,
ps += 2;
}
i += l;
- } while (i < src_len);
+ } while (i < src_count);
return ps - src;
}
@@ -189,8 +207,10 @@ static void vmd_decode(VmdVideoContext *s)
/* point to the start of the encoded data */
const unsigned char *p = s->buf + 16;
+ const unsigned char *p_end = s->buf + s->size;
const unsigned char *pb;
+ const unsigned char *pb_end;
unsigned char meth;
unsigned char *dp; /* pointer to current frame */
unsigned char *pp; /* pointer to previous frame */
@@ -204,6 +224,16 @@ static void vmd_decode(VmdVideoContext *s)
frame_y = AV_RL16(&s->buf[8]);
frame_width = AV_RL16(&s->buf[10]) - frame_x + 1;
frame_height = AV_RL16(&s->buf[12]) - frame_y + 1;
+ if (frame_x < 0 || frame_width < 0 ||
+ frame_x >= s->avctx->width ||
+ frame_width > s->avctx->width ||
+ frame_x + frame_width > s->avctx->width)
+ return;
+ if (frame_y < 0 || frame_height < 0 ||
+ frame_y >= s->avctx->height ||
+ frame_height > s->avctx->height ||
+ frame_y + frame_height > s->avctx->height)
+ return;
if ((frame_width == s->avctx->width && frame_height == s->avctx->height) &&
(frame_x || frame_y)) {
@@ -216,8 +246,9 @@ static void vmd_decode(VmdVideoContext *s)
/* if only a certain region will be updated, copy the entire previous
* frame before the decode */
- if (frame_x || frame_y || (frame_width != s->avctx->width) ||
- (frame_height != s->avctx->height)) {
+ if (s->prev_frame.data[0] &&
+ (frame_x || frame_y || (frame_width != s->avctx->width) ||
+ (frame_height != s->avctx->height))) {
memcpy(s->frame.data[0], s->prev_frame.data[0],
s->avctx->height * s->frame.linesize[0]);
@@ -225,6 +256,8 @@ static void vmd_decode(VmdVideoContext *s)
/* check if there is a new palette */
if (s->buf[15] & 0x02) {
+ if (p_end - p < 2 + 3 * PALETTE_COUNT)
+ return;
p += 2;
palette32 = (unsigned int *)s->palette;
for (i = 0; i < PALETTE_COUNT; i++) {
@@ -233,16 +266,17 @@ static void vmd_decode(VmdVideoContext *s)
b = *p++ * 4;
palette32[i] = (r << 16) | (g << 8) | (b);
}
- s->size -= (256 * 3 + 2);
}
- if (s->size >= 0) {
+ if (p < p_end) {
/* originally UnpackFrame in VAG's code */
pb = p;
+ pb_end = p_end;
meth = *pb++;
if (meth & 0x80) {
- lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size);
+ lz_unpack(pb, p_end - pb, s->unpack_buffer, s->unpack_buffer_size);
meth &= 0x7F;
pb = s->unpack_buffer;
+ pb_end = s->unpack_buffer + s->unpack_buffer_size;
}
dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x];
@@ -252,17 +286,19 @@ static void vmd_decode(VmdVideoContext *s)
for (i = 0; i < frame_height; i++) {
ofs = 0;
do {
+ if (pb_end - pb < 1)
+ return;
len = *pb++;
if (len & 0x80) {
len = (len & 0x7F) + 1;
- if (ofs + len > frame_width)
+ if (ofs + len > frame_width || pb_end - pb < len)
return;
memcpy(&dp[ofs], pb, len);
pb += len;
ofs += len;
} else {
/* interframe pixel copy */
- if (ofs + len + 1 > frame_width)
+ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
return;
memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1;
@@ -280,6 +316,8 @@ static void vmd_decode(VmdVideoContext *s)
case 2:
for (i = 0; i < frame_height; i++) {
+ if (pb_end -pb < frame_width)
+ return;
memcpy(dp, pb, frame_width);
pb += frame_width;
dp += s->frame.linesize[0];
@@ -291,18 +329,25 @@ static void vmd_decode(VmdVideoContext *s)
for (i = 0; i < frame_height; i++) {
ofs = 0;
do {
+ if (pb_end - pb < 1)
+ return;
len = *pb++;
if (len & 0x80) {
len = (len & 0x7F) + 1;
+ if (pb_end - pb < 1)
+ return;
if (*pb++ == 0xFF)
- len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs);
- else
+ len = rle_unpack(pb, pb_end - pb, len, &dp[ofs], frame_width - ofs);
+ else {
+ if (pb_end - pb < len)
+ return;
memcpy(&dp[ofs], pb, len);
+ }
pb += len;
ofs += len;
} else {
/* interframe pixel copy */
- if (ofs + len + 1 > frame_width)
+ if (ofs + len + 1 > frame_width || !s->prev_frame.data[0])
return;
memcpy(&dp[ofs], &pp[ofs], len + 1);
ofs += len + 1;
@@ -523,7 +568,10 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx,
silent_chunks = 0;
if (block_type == BLOCK_TYPE_INITIAL) {
- uint32_t flags = AV_RB32(buf);
+ uint32_t flags;
+ if (buf_size < 4)
+ return -1;
+ flags = AV_RB32(buf);
silent_chunks = av_popcount(flags);
buf += 4;
buf_size -= 4;
diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c
index 30f3efbc46..5b787b6135 100644
--- a/libavcodec/vp56.c
+++ b/libavcodec/vp56.c
@@ -465,6 +465,7 @@ static int vp56_size_changed(AVCodecContext *avctx)
s->mb_height = (avctx->coded_height+15) / 16;
if (s->mb_width > 1000 || s->mb_height > 1000) {
+ avcodec_set_dimensions(avctx, 0, 0);
av_log(avctx, AV_LOG_ERROR, "picture too big\n");
return -1;
}
@@ -519,8 +520,10 @@ int ff_vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
if (s->frames[i].data[0])
avctx->release_buffer(avctx, &s->frames[i]);
}
- if (is_alpha)
+ if (is_alpha) {
+ avcodec_set_dimensions(avctx, 0, 0);
return -1;
+ }
}
if (!is_alpha) {
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index d05a3618f7..3721d52192 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -137,8 +137,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
if (coeff_offset) {
buf += coeff_offset;
buf_size -= coeff_offset;
- if (buf_size < 0)
+ if (buf_size < 0) {
+ if (s->framep[VP56_FRAME_CURRENT]->key_frame)
+ avcodec_set_dimensions(s->avctx, 0, 0);
return 0;
+ }
if (s->use_huffman) {
s->parse_coeff = vp6_parse_coeff_huffman;
init_get_bits(&s->gb, buf, buf_size<<3);
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index a785b90046..28e866356d 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -1173,6 +1173,15 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
return samplecount * bpp;
}
+static void wavpack_decode_flush(AVCodecContext *avctx)
+{
+ WavpackContext *s = avctx->priv_data;
+ int i;
+
+ for (i = 0; i < s->fdec_num; i++)
+ wv_reset_saved_context(s->fdec[i]);
+}
+
static int wavpack_decode_frame(AVCodecContext *avctx,
void *data, int *data_size,
AVPacket *avpkt)
@@ -1205,11 +1214,14 @@ static int wavpack_decode_frame(AVCodecContext *avctx,
if(frame_size < 0 || frame_size > buf_size){
av_log(avctx, AV_LOG_ERROR, "Block %d has invalid size (size %d vs. %d bytes left)\n",
s->block, frame_size, buf_size);
+ wavpack_decode_flush(avctx);
return -1;
}
if((samplecount = wavpack_decode_block(avctx, s->block, data,
- data_size, buf, frame_size)) < 0)
+ data_size, buf, frame_size)) < 0) {
+ wavpack_decode_flush(avctx);
return -1;
+ }
s->block++;
buf += frame_size; buf_size -= frame_size;
}
diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index b0b98f1d98..03fb4a67e1 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -309,10 +309,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
3, s->decode_flags);
- /** init previous block len */
- for (i = 0; i < avctx->channels; i++)
- s->channel[i].prev_block_len = s->samples_per_frame;
-
/** subframe info */
log2_max_num_subframes = ((s->decode_flags & 0x38) >> 3);
s->max_num_subframes = 1 << log2_max_num_subframes;
@@ -332,6 +328,18 @@ static av_cold int decode_init(AVCodecContext *avctx)
s->num_channels = avctx->channels;
+ if (s->num_channels < 0) {
+ av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels);
+ return AVERROR_INVALIDDATA;
+ } else if (s->num_channels > WMAPRO_MAX_CHANNELS) {
+ av_log_ask_for_sample(avctx, "unsupported number of channels\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
+ /** init previous block len */
+ for (i = 0; i < s->num_channels; i++)
+ s->channel[i].prev_block_len = s->samples_per_frame;
+
/** extract lfe channel position */
s->lfe_channel = -1;
@@ -343,14 +351,6 @@ static av_cold int decode_init(AVCodecContext *avctx)
}
}
- if (s->num_channels < 0) {
- av_log(avctx, AV_LOG_ERROR, "invalid number of channels %d\n", s->num_channels);
- return AVERROR_INVALIDDATA;
- } else if (s->num_channels > WMAPRO_MAX_CHANNELS) {
- av_log_ask_for_sample(avctx, "unsupported number of channels\n");
- return AVERROR_PATCHWELCOME;
- }
-
INIT_VLC_STATIC(&sf_vlc, SCALEVLCBITS, HUFF_SCALE_SIZE,
scale_huffbits, 1, 1,
scale_huffcodes, 2, 2, 616);
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index 002c529a30..c343080b36 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -401,6 +401,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx)
s->min_pitch_val = ((ctx->sample_rate << 8) / 400 + 50) >> 8;
s->max_pitch_val = ((ctx->sample_rate << 8) * 37 / 2000 + 50) >> 8;
pitch_range = s->max_pitch_val - s->min_pitch_val;
+ if (pitch_range <= 0) {
+ av_log(ctx, AV_LOG_ERROR, "Invalid pitch range; broken extradata?\n");
+ return -1;
+ }
s->pitch_nbits = av_ceil_log2(pitch_range);
s->last_pitch_val = 40;
s->last_acb_type = ACB_TYPE_NONE;
@@ -422,6 +426,10 @@ static av_cold int wmavoice_decode_init(AVCodecContext *ctx)
s->block_conv_table[2] = (pitch_range * 44) >> 6;
s->block_conv_table[3] = s->max_pitch_val - 1;
s->block_delta_pitch_hrange = (pitch_range >> 3) & ~0xF;
+ if (s->block_delta_pitch_hrange <= 0) {
+ av_log(ctx, AV_LOG_ERROR, "Invalid delta pitch hrange; broken extradata?\n");
+ return -1;
+ }
s->block_delta_pitch_nbits = 1 + av_ceil_log2(s->block_delta_pitch_hrange);
s->block_pitch_range = s->block_conv_table[2] +
s->block_conv_table[3] + 1 +
@@ -1880,6 +1888,8 @@ static void copy_bits(PutBitContext *pb,
rmn_bits = rmn_bytes = get_bits_left(gb);
if (rmn_bits < nbits)
return;
+ if (nbits > pb->size_in_bits - put_bits_count(pb))
+ return;
rmn_bits &= 7; rmn_bytes >>= 3;
if ((rmn_bits = FFMIN(rmn_bits, nbits)) > 0)
put_bits(pb, rmn_bits, get_bits(gb, rmn_bits));
diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index d6a60d441f..f92c3531e0 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -37,13 +37,16 @@ static const int8_t ws_adpcm_4bit[] = {
-9, -8, -6, -5, -4, -3, -2, -1,
0, 1, 2, 3, 4, 5, 6, 8 };
-#define CLIP8(a) if(a>127)a=127;if(a<-128)a=-128;
-
static av_cold int ws_snd_decode_init(AVCodecContext * avctx)
{
// WSSNDContext *c = avctx->priv_data;
- avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+ if (avctx->channels != 1) {
+ av_log_ask_for_sample(avctx, "unsupported number of channels\n");
+ return AVERROR(EINVAL);
+ }
+
+ avctx->sample_fmt = AV_SAMPLE_FMT_U8;
return 0;
}
@@ -56,15 +59,19 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
// WSSNDContext *c = avctx->priv_data;
int in_size, out_size;
- int sample = 0;
+ int sample = 128;
int i;
- short *samples = data;
+ uint8_t *samples = data;
if (!buf_size)
return 0;
+ if (buf_size < 4) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
out_size = AV_RL16(&buf[0]);
- *data_size = out_size * 2;
in_size = AV_RL16(&buf[2]);
buf += 4;
@@ -76,34 +83,54 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n");
return -1;
}
+
if (in_size == out_size) {
for (i = 0; i < out_size; i++)
- *samples++ = (*buf++ - 0x80) << 8;
+ *samples++ = *buf++;
+ *data_size = out_size;
return buf_size;
}
- while (out_size > 0) {
- int code;
+ while (out_size > 0 && buf - avpkt->data < buf_size) {
+ int code, smp, size;
uint8_t count;
code = (*buf) >> 6;
count = (*buf) & 0x3F;
buf++;
+
+ /* make sure we don't write more than out_size samples */
+ switch (code) {
+ case 0: smp = 4; break;
+ case 1: smp = 2; break;
+ case 2: smp = (count & 0x20) ? 1 : count + 1; break;
+ default: smp = count + 1; break;
+ }
+ if (out_size < smp) {
+ out_size = 0;
+ break;
+ }
+
+ /* make sure we don't read past the input buffer */
+ size = ((code == 2 && (count & 0x20)) || code == 3) ? 0 : count + 1;
+ if ((buf - avpkt->data) + size > buf_size)
+ break;
+
switch(code) {
case 0: /* ADPCM 2-bit */
for (count++; count > 0; count--) {
code = *buf++;
sample += ws_adpcm_2bit[code & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 2) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 4) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_2bit[(code >> 6) & 0x3];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size -= 4;
}
break;
@@ -111,11 +138,11 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
for (count++; count > 0; count--) {
code = *buf++;
sample += ws_adpcm_4bit[code & 0xF];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
sample += ws_adpcm_4bit[code >> 4];
- CLIP8(sample);
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size -= 2;
}
break;
@@ -125,24 +152,27 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
t = count;
t <<= 3;
sample += t >> 3;
- *samples++ = sample << 8;
+ sample = av_clip_uint8(sample);
+ *samples++ = sample;
out_size--;
} else { /* copy */
for (count++; count > 0; count--) {
- *samples++ = (*buf++ - 0x80) << 8;
+ *samples++ = *buf++;
out_size--;
}
- sample = buf[-1] - 0x80;
+ sample = buf[-1];
}
break;
default: /* run */
for(count++; count > 0; count--) {
- *samples++ = sample << 8;
+ *samples++ = sample;
out_size--;
}
}
}
+ *data_size = samples - (uint8_t *)data;
+
return buf_size;
}
diff --git a/libavcodec/x86/fft_3dn2.c b/libavcodec/x86/fft_3dn2.c
index 2abb8cfbd7..7a6cac14c4 100644
--- a/libavcodec/x86/fft_3dn2.c
+++ b/libavcodec/x86/fft_3dn2.c
@@ -23,7 +23,7 @@
#include "libavcodec/dsputil.h"
#include "fft.h"
-DECLARE_ALIGNED(8, static const int, m1m1)[2] = { 1<<31, 1<<31 };
+DECLARE_ALIGNED(8, static const unsigned int, m1m1)[2] = { 1U<<31, 1U<<31 };
#ifdef EMULATE_3DNOWEXT
#define PSWAPD(s,d)\
@@ -70,7 +70,7 @@ void ff_imdct_half_3dn2(FFTContext *s, FFTSample *output, const FFTSample *input
in1 = input;
in2 = input + n2 - 1;
#ifdef EMULATE_3DNOWEXT
- __asm__ volatile("movd %0, %%mm7" ::"r"(1<<31));
+ __asm__ volatile("movd %0, %%mm7" ::"r"(1U<<31));
#endif
for(k = 0; k < n4; k++) {
// FIXME a single block is faster, but gcc 2.95 and 3.4.x on 32bit can't compile it
diff --git a/libavcodec/x86/fft_sse.c b/libavcodec/x86/fft_sse.c
index 26b933c810..43f19fff3b 100644
--- a/libavcodec/x86/fft_sse.c
+++ b/libavcodec/x86/fft_sse.c
@@ -24,8 +24,8 @@
#include "fft.h"
#include "config.h"
-DECLARE_ASM_CONST(16, int, ff_m1m1m1m1)[4] =
- { 1 << 31, 1 << 31, 1 << 31, 1 << 31 };
+DECLARE_ASM_CONST(16, unsigned int, ff_m1m1m1m1)[4] =
+ { 1U << 31, 1U << 31, 1U << 31, 1U << 31 };
void ff_fft_dispatch_sse(FFTComplex *z, int nbits);
void ff_fft_dispatch_interleave_sse(FFTComplex *z, int nbits);
diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 357593bf2d..fe9eece61a 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -114,7 +114,10 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
init_get_bits(&gb, ptr, ptr_len * 8);
while ( val != 0x16 ) {
- val = src[val - 0x17 + get_bits1(&gb) * byte];
+ unsigned idx = val - 0x17 + get_bits1(&gb) * byte;
+ if (idx >= 2 * byte)
+ return -1;
+ val = src[idx];
if ( val < 0x16 ) {
if (dest >= dest_end)
@@ -132,13 +135,16 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
*
* @param dest destination buffer of dest_len, must be padded with at least 130 bytes
*/
-static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_len)
+static void xan_unpack(unsigned char *dest, int dest_len,
+ const unsigned char *src, int src_len)
{
unsigned char opcode;
int size;
+ unsigned char *dest_org = dest;
unsigned char *dest_end = dest + dest_len;
+ const unsigned char *src_end = src + src_len;
- while (dest < dest_end) {
+ while (dest < dest_end && src < src_end) {
opcode = *src++;
if (opcode < 0xe0) {
@@ -163,9 +169,11 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
back = ((opcode & 0x10) << 12) + bytestream_get_be16(&src) + 1;
size2 = ((opcode & 0x0c) << 6) + *src++ + 5;
- if (size + size2 > dest_end - dest)
- return;
}
+ if (dest_end - dest < size + size2 ||
+ dest + size - dest_org < back ||
+ src_end - src < size)
+ return;
memcpy(dest, src, size); dest += size; src += size;
av_memcpy_backptr(dest, back, size2);
dest += size2;
@@ -173,6 +181,8 @@ static void xan_unpack(unsigned char *dest, const unsigned char *src, int dest_l
int finish = opcode >= 0xfc;
size = finish ? opcode & 3 : ((opcode & 0x1f) << 2) + 4;
+ if (dest_end - dest < size || src_end - src < size)
+ return;
memcpy(dest, src, size); dest += size; src += size;
if (finish)
return;
@@ -220,15 +230,23 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s,
int width = s->avctx->width;
unsigned char *palette_plane, *prev_palette_plane;
+ if ( y + motion_y < 0 || y + motion_y >= s->avctx->height ||
+ x + motion_x < 0 || x + motion_x >= s->avctx->width)
+ return;
+
palette_plane = s->current_frame.data[0];
prev_palette_plane = s->last_frame.data[0];
+ if (!prev_palette_plane)
+ prev_palette_plane = palette_plane;
stride = s->current_frame.linesize[0];
line_inc = stride - width;
curframe_index = y * stride + x;
curframe_x = x;
prevframe_index = (y + motion_y) * stride + x + motion_x;
prevframe_x = x + motion_x;
- while(pixel_count && (curframe_index < s->frame_size)) {
+ while(pixel_count &&
+ curframe_index < s->frame_size &&
+ prevframe_index < s->frame_size) {
int count = FFMIN3(pixel_count, width - curframe_x, width - prevframe_x);
memcpy(palette_plane + curframe_index, prev_palette_plane + prevframe_index, count);
@@ -262,6 +280,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
int x, y;
unsigned char *opcode_buffer = s->buffer1;
+ unsigned char *opcode_buffer_end = s->buffer1 + s->buffer1_size;
int opcode_buffer_size = s->buffer1_size;
const unsigned char *imagedata_buffer = s->buffer2;
@@ -270,7 +289,7 @@ static int xan_wc3_decode_frame(XanContext *s) {
const unsigned char *size_segment;
const unsigned char *vector_segment;
const unsigned char *imagedata_segment;
- int huffman_offset, size_offset, vector_offset, imagedata_offset;
+ int huffman_offset, size_offset, vector_offset, imagedata_offset, imagedata_size;
if (s->size < 8)
return AVERROR_INVALIDDATA;
@@ -295,14 +314,18 @@ static int xan_wc3_decode_frame(XanContext *s) {
huffman_segment, s->size - huffman_offset) < 0)
return AVERROR_INVALIDDATA;
- if (imagedata_segment[0] == 2)
- xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
- else
+ if (imagedata_segment[0] == 2) {
+ xan_unpack(s->buffer2, s->buffer2_size,
+ &imagedata_segment[1], s->size - imagedata_offset - 1);
+ imagedata_size = s->buffer2_size;
+ } else {
+ imagedata_size = s->size - imagedata_offset - 1;
imagedata_buffer = &imagedata_segment[1];
+ }
/* use the decoded data segments to build the frame */
x = y = 0;
- while (total_pixels) {
+ while (total_pixels && opcode_buffer < opcode_buffer_end) {
opcode = *opcode_buffer++;
size = 0;
@@ -351,6 +374,8 @@ static int xan_wc3_decode_frame(XanContext *s) {
size_segment += 3;
break;
}
+ if (size > total_pixels)
+ break;
if (opcode < 12) {
flag ^= 1;
@@ -359,8 +384,11 @@ static int xan_wc3_decode_frame(XanContext *s) {
xan_wc3_copy_pixel_run(s, x, y, size, 0, 0);
} else {
/* output a run of pixels from imagedata_buffer */
+ if (imagedata_size < size)
+ break;
xan_wc3_output_pixel_run(s, imagedata_buffer, x, y, size);
imagedata_buffer += size;
+ imagedata_size -= size;
}
} else {
/* run-based motion compensation from last frame */
@@ -527,6 +555,9 @@ static int xan_decode_frame(AVCodecContext *avctx,
}
buf_size = buf_end - buf;
}
+ if (s->palettes_count <= 0)
+ return AVERROR_INVALIDDATA;
+
if ((ret = avctx->get_buffer(avctx, &s->current_frame))) {
av_log(s->avctx, AV_LOG_ERROR, "get_buffer() failed\n");
return ret;
diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c
index ba8f9e1e82..8f2f1d5f52 100644
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -229,7 +229,7 @@ static int config_props(AVFilterLink *outlink)
scale->isws[1] = sws_getContext(inlink ->w, inlink ->h/2, inlink ->format,
outlink->w, outlink->h/2, outlink->format,
scale->flags, NULL, NULL, NULL);
- if (!scale->sws)
+ if (!scale->sws || !scale->isws[0] || !scale->isws[1])
return AVERROR(EINVAL);
if (inlink->sample_aspect_ratio.num){
diff --git a/libavfilter/vf_unsharp.c b/libavfilter/vf_unsharp.c
index 3542ca3eac..3a58a480b9 100644
--- a/libavfilter/vf_unsharp.c
+++ b/libavfilter/vf_unsharp.c
@@ -70,6 +70,7 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_
int32_t res;
int x, y, z;
+ const uint8_t *src2;
if (!fp->amount) {
if (dst_stride == src_stride)
@@ -84,9 +85,12 @@ static void unsharpen(uint8_t *dst, const uint8_t *src, int dst_stride, int src_
memset(sc[y], 0, sizeof(sc[y][0]) * (width + 2 * fp->steps_x));
for (y = -fp->steps_y; y < height + fp->steps_y; y++) {
+ if (y < height)
+ src2 = src;
+
memset(sr, 0, sizeof(sr[0]) * (2 * fp->steps_x - 1));
for (x = -fp->steps_x; x < width + fp->steps_x; x++) {
- tmp1 = x <= 0 ? src[0] : x >= width ? src[width-1] : src[x];
+ tmp1 = x <= 0 ? src2[0] : x >= width ? src2[width-1] : src2[x];
for (z = 0; z < fp->steps_x * 2; z += 2) {
tmp2 = sr[z + 0] + tmp1; sr[z + 0] = tmp1;
tmp1 = sr[z + 1] + tmp2; sr[z + 1] = tmp2;
@@ -125,8 +129,8 @@ static void set_filter_param(FilterParam *fp, int msize_x, int msize_y, double a
static av_cold int init(AVFilterContext *ctx, const char *args, void *opaque)
{
UnsharpContext *unsharp = ctx->priv;
- int lmsize_x = 5, cmsize_x = 0;
- int lmsize_y = 5, cmsize_y = 0;
+ int lmsize_x = 5, cmsize_x = 5;
+ int lmsize_y = 5, cmsize_y = 5;
double lamount = 1.0f, camount = 0.0f;
if (args)
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 0b79c761a5..e3b696d57b 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -172,13 +172,16 @@ static int fourxm_read_header(AVFormatContext *s,
goto fail;
}
if (current_track + 1 > fourxm->track_count) {
- fourxm->track_count = current_track + 1;
- fourxm->tracks = av_realloc(fourxm->tracks,
- fourxm->track_count * sizeof(AudioTrack));
+ fourxm->tracks = av_realloc_f(fourxm->tracks,
+ sizeof(AudioTrack),
+ current_track + 1);
if (!fourxm->tracks) {
ret= AVERROR(ENOMEM);
goto fail;
}
+ memset(&fourxm->tracks[fourxm->track_count], 0,
+ sizeof(AudioTrack) * (current_track + 1 - fourxm->track_count));
+ fourxm->track_count = current_track + 1;
}
fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]);
fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]);
diff --git a/libavformat/anm.c b/libavformat/anm.c
index 269e325e42..1210e67dc7 100644
--- a/libavformat/anm.c
+++ b/libavformat/anm.c
@@ -134,18 +134,17 @@ static int read_header(AVFormatContext *s,
/* color cycling and palette data */
st->codec->extradata_size = 16*8 + 4*256;
st->codec->extradata = av_mallocz(st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
- if (!st->codec->extradata) {
- ret = AVERROR(ENOMEM);
- goto close_and_return;
- }
+ if (!st->codec->extradata)
+ return AVERROR(ENOMEM);
+
ret = avio_read(pb, st->codec->extradata, st->codec->extradata_size);
if (ret < 0)
- goto close_and_return;
+ return ret;
/* read page table */
ret = avio_seek(pb, anm->page_table_offset, SEEK_SET);
if (ret < 0)
- goto close_and_return;
+ return ret;
for (i = 0; i < MAX_PAGES; i++) {
Page *p = &anm->pt[i];
@@ -156,21 +155,15 @@ static int read_header(AVFormatContext *s,
/* find page of first frame */
anm->page = find_record(anm, 0);
- if (anm->page < 0) {
- ret = anm->page;
- goto close_and_return;
- }
+ if (anm->page < 0)
+ return anm->page;
anm->record = -1;
return 0;
invalid:
av_log_ask_for_sample(s, NULL);
- ret = AVERROR_INVALIDDATA;
-
-close_and_return:
- av_close_input_stream(s);
- return ret;
+ return AVERROR_INVALIDDATA;
}
static int read_packet(AVFormatContext *s,
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 1ed03e4696..a06ed546d8 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -636,7 +636,7 @@ static int avi_read_header(AVFormatContext *s, AVFormatParameters *ap)
if(st->codec->codec_tag==0 && st->codec->height > 0 && st->codec->extradata_size < 1U<<30){
st->codec->extradata_size+= 9;
- st->codec->extradata= av_realloc(st->codec->extradata, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
+ st->codec->extradata= av_realloc_f(st->codec->extradata, 1, st->codec->extradata_size + FF_INPUT_BUFFER_PADDING_SIZE);
if(st->codec->extradata)
memcpy(st->codec->extradata + st->codec->extradata_size - 9, "BottomUp", 9);
}
diff --git a/libavformat/avienc.c b/libavformat/avienc.c
index 8a53bb53d3..1c8eedad09 100644
--- a/libavformat/avienc.c
+++ b/libavformat/avienc.c
@@ -523,6 +523,11 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt)
while(enc->block_align==0 && pkt->dts != AV_NOPTS_VALUE && pkt->dts > avist->packet_count){
AVPacket empty_packet;
+ if(pkt->dts - avist->packet_count > 60000){
+ av_log(s, AV_LOG_ERROR, "Too large number of skiped frames %Ld\n", pkt->dts - avist->packet_count);
+ return AVERROR(EINVAL);
+ }
+
av_init_packet(&empty_packet);
empty_packet.size= 0;
empty_packet.data= NULL;
@@ -558,7 +563,7 @@ static int avi_write_packet(AVFormatContext *s, AVPacket *pkt)
int cl = idx->entry / AVI_INDEX_CLUSTER_SIZE;
int id = idx->entry % AVI_INDEX_CLUSTER_SIZE;
if (idx->ents_allocated <= idx->entry) {
- idx->cluster = av_realloc(idx->cluster, (cl+1)*sizeof(void*));
+ idx->cluster = av_realloc_f(idx->cluster, sizeof(void*), cl+1);
if (!idx->cluster)
return -1;
idx->cluster[cl] = av_malloc(AVI_INDEX_CLUSTER_SIZE*sizeof(AVIIentry));
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index c6cea6adfb..0d13a9f02c 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -932,7 +932,7 @@ int ffio_rewind_with_probe_data(AVIOContext *s, unsigned char *buf, int buf_size
alloc_size = FFMAX(s->buffer_size, new_size);
if (alloc_size > buf_size)
- if (!(buf = av_realloc(buf, alloc_size)))
+ if (!(buf = av_realloc_f(buf, 1, alloc_size)))
return AVERROR(ENOMEM);
if (new_size > buf_size) {
@@ -1101,7 +1101,7 @@ static int dyn_buf_write(void *opaque, uint8_t *buf, int buf_size)
}
if (new_allocated_size > d->allocated_size) {
- d->buffer = av_realloc(d->buffer, new_allocated_size);
+ d->buffer = av_realloc_f(d->buffer, 1, new_allocated_size);
if(d->buffer == NULL)
return AVERROR(ENOMEM);
d->allocated_size = new_allocated_size;
diff --git a/libavformat/avs.c b/libavformat/avs.c
index 355ae31f35..127639e7ee 100644
--- a/libavformat/avs.c
+++ b/libavformat/avs.c
@@ -163,10 +163,14 @@ static int avs_read_packet(AVFormatContext * s, AVPacket * pkt)
sub_type = avio_r8(s->pb);
type = avio_r8(s->pb);
size = avio_rl16(s->pb);
+ if (size < 4)
+ return AVERROR_INVALIDDATA;
avs->remaining_frame_size -= size;
switch (type) {
case AVS_PALETTE:
+ if (size - 4 > sizeof(palette))
+ return AVERROR_INVALIDDATA;
ret = avio_read(s->pb, palette, size - 4);
if (ret < size - 4)
return AVERROR(EIO);
diff --git a/libavformat/gxfenc.c b/libavformat/gxfenc.c
index 3f7d7851f7..36e2c91ef6 100644
--- a/libavformat/gxfenc.c
+++ b/libavformat/gxfenc.c
@@ -340,8 +340,9 @@ static int gxf_write_map_packet(AVFormatContext *s, int rewrite)
if (!rewrite) {
if (!(gxf->map_offsets_nb % 30)) {
- gxf->map_offsets = av_realloc(gxf->map_offsets,
- (gxf->map_offsets_nb+30)*sizeof(*gxf->map_offsets));
+ gxf->map_offsets = av_realloc_f(gxf->map_offsets,
+ sizeof(*gxf->map_offsets),
+ gxf->map_offsets_nb+30);
if (!gxf->map_offsets) {
av_log(s, AV_LOG_ERROR, "could not realloc map offsets\n");
return -1;
@@ -876,8 +877,9 @@ static int gxf_write_packet(AVFormatContext *s, AVPacket *pkt)
if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
if (!(gxf->flt_entries_nb % 500)) {
- gxf->flt_entries = av_realloc(gxf->flt_entries,
- (gxf->flt_entries_nb+500)*sizeof(*gxf->flt_entries));
+ gxf->flt_entries = av_realloc_f(gxf->flt_entries,
+ sizeof(*gxf->flt_entries),
+ gxf->flt_entries_nb+500);
if (!gxf->flt_entries) {
av_log(s, AV_LOG_ERROR, "could not reallocate flt entries\n");
return -1;
diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 7e9b750959..14b1c1f120 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -964,6 +964,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
uint8_t* data = *buf;
int isize = *buf_size;
uint8_t* pkt_data = NULL;
+ uint8_t* newpktdata;
int pkt_size = isize;
int result = 0;
int olen;
@@ -993,7 +994,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
zstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ inflateEnd(&zstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
zstream.avail_out = pkt_size - zstream.total_out;
zstream.next_out = pkt_data + zstream.total_out;
if (pkt_data) {
@@ -1017,7 +1023,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
bzstream.avail_in = isize;
do {
pkt_size *= 3;
- pkt_data = av_realloc(pkt_data, pkt_size);
+ newpktdata = av_realloc(pkt_data, pkt_size);
+ if (!newpktdata) {
+ BZ2_bzDecompressEnd(&bzstream);
+ goto failed;
+ }
+ pkt_data = newpktdata;
bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
bzstream.next_out = pkt_data + bzstream.total_out_lo32;
if (pkt_data) {
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 63144d15ea..b083a4985f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -755,7 +755,8 @@ static int mov_read_enda(MOVContext *c, AVIOContext *pb, MOVAtom atom)
}
/* FIXME modify qdm2/svq3/h264 decoders to take full atom as extradata */
-static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom,
+ enum CodecID codec_id)
{
AVStream *st;
uint64_t size;
@@ -764,6 +765,10 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom)
if (c->fc->nb_streams < 1) // will happen with jp2 files
return 0;
st= c->fc->streams[c->fc->nb_streams-1];
+
+ if (st->codec->codec_id != codec_id)
+ return 0; /* unexpected codec_id - don't mess with extradata */
+
size= (uint64_t)st->codec->extradata_size + atom.size + 8 + FF_INPUT_BUFFER_PADDING_SIZE;
if(size > INT_MAX || (uint64_t)atom.size > INT_MAX)
return -1;
@@ -779,6 +784,27 @@ static int mov_read_extradata(MOVContext *c, AVIOContext *pb, MOVAtom atom)
return 0;
}
+/* wrapper functions for reading ALAC/AVS/MJPEG/MJPEG2000 extradata atoms only for those codecs */
+static int mov_read_alac(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_ALAC);
+}
+
+static int mov_read_avss(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_AVS);
+}
+
+static int mov_read_fiel(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_MJPEG);
+}
+
+static int mov_read_jp2h(MOVContext *c, AVIOContext *pb, MOVAtom atom)
+{
+ return mov_read_extradata(c, pb, atom, CODEC_ID_JPEG2000);
+}
+
static int mov_read_wave(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
AVStream *st;
@@ -2229,7 +2255,7 @@ static int mov_read_chan(MOVContext *c, AVIOContext *pb, MOVAtom atom)
}
static const MOVParseTableEntry mov_default_parse_table[] = {
-{ MKTAG('a','v','s','s'), mov_read_extradata },
+{ MKTAG('a','v','s','s'), mov_read_avss },
{ MKTAG('c','h','p','l'), mov_read_chpl },
{ MKTAG('c','o','6','4'), mov_read_stco },
{ MKTAG('c','t','t','s'), mov_read_ctts }, /* composition time to sample */
@@ -2238,12 +2264,12 @@ static const MOVParseTableEntry mov_default_parse_table[] = {
{ MKTAG('e','d','t','s'), mov_read_default },
{ MKTAG('e','l','s','t'), mov_read_elst },
{ MKTAG('e','n','d','a'), mov_read_enda },
-{ MKTAG('f','i','e','l'), mov_read_extradata },
+{ MKTAG('f','i','e','l'), mov_read_fiel },
{ MKTAG('f','t','y','p'), mov_read_ftyp },
{ MKTAG('g','l','b','l'), mov_read_glbl },
{ MKTAG('h','d','l','r'), mov_read_hdlr },
{ MKTAG('i','l','s','t'), mov_read_ilst },
-{ MKTAG('j','p','2','h'), mov_read_extradata },
+{ MKTAG('j','p','2','h'), mov_read_jp2h },
{ MKTAG('m','d','a','t'), mov_read_mdat },
{ MKTAG('m','d','h','d'), mov_read_mdhd },
{ MKTAG('m','d','i','a'), mov_read_default },
@@ -2254,7 +2280,7 @@ static const MOVParseTableEntry mov_default_parse_table[] = {
{ MKTAG('m','v','e','x'), mov_read_default },
{ MKTAG('m','v','h','d'), mov_read_mvhd },
{ MKTAG('S','M','I',' '), mov_read_smi }, /* Sorenson extension ??? */
-{ MKTAG('a','l','a','c'), mov_read_extradata }, /* alac specific atom */
+{ MKTAG('a','l','a','c'), mov_read_alac }, /* alac specific atom */
{ MKTAG('a','v','c','C'), mov_read_glbl },
{ MKTAG('p','a','s','p'), mov_read_pasp },
{ MKTAG('s','t','b','l'), mov_read_default },
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 463dd5b601..4448628eb1 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -1223,7 +1223,8 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st)
avio_wb32(pb, 0); /* reserved */
avio_wb32(pb, 0); /* reserved */
- avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */
+ avio_wb16(pb, 0); /* layer */
+ avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */
/* Volume, only for audio */
if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO)
avio_wb16(pb, 0x0100);
@@ -2058,7 +2059,7 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
}
if (!(trk->entry % MOV_INDEX_CLUSTER_SIZE)) {
- trk->cluster = av_realloc(trk->cluster, (trk->entry + MOV_INDEX_CLUSTER_SIZE) * sizeof(*trk->cluster));
+ trk->cluster = av_realloc_f(trk->cluster, sizeof(*trk->cluster), (trk->entry + MOV_INDEX_CLUSTER_SIZE));
if (!trk->cluster)
return -1;
}
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index b18726c6db..db23781613 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -264,7 +264,7 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt)
return AVERROR(EIO);
mpc8_handle_chunk(s, tag, pos, size);
}
- return 0;
+ return AVERROR_EOF;
}
static int mpc8_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp, int flags)
diff --git a/libavformat/psxstr.c b/libavformat/psxstr.c
index 744ae94459..b65bddd5c1 100644
--- a/libavformat/psxstr.c
+++ b/libavformat/psxstr.c
@@ -68,6 +68,8 @@ static const char sync_header[12] = {0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xf
static int str_probe(AVProbeData *p)
{
uint8_t *sector= p->buf;
+ uint8_t *end= sector + p->buf_size;
+ int aud=0, vid=0;
if (p->buf_size < RAW_CD_SECTOR_SIZE)
return 0;
@@ -79,20 +81,52 @@ static int str_probe(AVProbeData *p)
sector += RIFF_HEADER_SIZE;
}
- /* look for CD sync header (00, 0xFF x 10, 00) */
- if (memcmp(sector,sync_header,sizeof(sync_header)))
- return 0;
+ while (end - sector >= RAW_CD_SECTOR_SIZE) {
+ /* look for CD sync header (00, 0xFF x 10, 00) */
+ if (memcmp(sector,sync_header,sizeof(sync_header)))
+ return 0;
- if(sector[0x11] >= 32)
- return 0;
- if( (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_VIDEO
- && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_AUDIO
- && (sector[0x12] & CDXA_TYPE_MASK) != CDXA_TYPE_DATA)
- return 0;
+ if (sector[0x11] >= 32)
+ return 0;
+
+ switch (sector[0x12] & CDXA_TYPE_MASK) {
+ case CDXA_TYPE_DATA:
+ case CDXA_TYPE_VIDEO: {
+ int current_sector = AV_RL16(&sector[0x1C]);
+ int sector_count = AV_RL16(&sector[0x1E]);
+ int frame_size = AV_RL32(&sector[0x24]);
+
+ if(!( frame_size>=0
+ && current_sector < sector_count
+ && sector_count*VIDEO_DATA_CHUNK_SIZE >=frame_size)){
+ return 0;
+ }
+ /*st->codec->width = AV_RL16(&sector[0x28]);
+ st->codec->height = AV_RL16(&sector[0x2A]);*/
+
+// if (current_sector == sector_count-1) {
+ vid++;
+// }
+
+ }
+ break;
+ case CDXA_TYPE_AUDIO:
+ if(sector[0x13]&0x2A)
+ return 0;
+ aud++;
+ break;
+ default:
+ if(sector[0x12] & CDXA_TYPE_MASK)
+ return 0;
+ }
+ sector += RAW_CD_SECTOR_SIZE;
+ }
/* MPEG files (like those ripped from VCDs) can also look like this;
* only return half certainty */
- return 50;
+ if(vid+aud > 3) return 50;
+ else if(vid+aud) return 1;
+ else return 0;
}
static int str_read_header(AVFormatContext *s,
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 1019d915cc..3490270395 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2728,16 +2728,16 @@ void avformat_free_context(AVFormatContext *s)
av_free_packet(&st->cur_pkt);
}
av_dict_free(&st->metadata);
- av_free(st->index_entries);
- av_free(st->codec->extradata);
- av_free(st->codec->subtitle_header);
- av_free(st->codec);
+ av_freep(&st->index_entries);
+ av_freep(&st->codec->extradata);
+ av_freep(&st->codec->subtitle_header);
+ av_freep(&st->codec);
#if FF_API_OLD_METADATA
- av_free(st->filename);
+ av_freep(&st->filename);
#endif
- av_free(st->priv_data);
- av_free(st->info);
- av_free(st);
+ av_freep(&st->priv_data);
+ av_freep(&st->info);
+ av_freep(&st);
}
for(i=s->nb_programs-1; i>=0; i--) {
#if FF_API_OLD_METADATA
@@ -2755,7 +2755,7 @@ void avformat_free_context(AVFormatContext *s)
av_free(s->chapters[s->nb_chapters]->title);
#endif
av_dict_free(&s->chapters[s->nb_chapters]->metadata);
- av_free(s->chapters[s->nb_chapters]);
+ av_freep(&s->chapters[s->nb_chapters]);
}
av_freep(&s->chapters);
av_metadata_free(&s->metadata);
@@ -3048,7 +3048,9 @@ int avformat_write_header(AVFormatContext *s, AVDictionary **options)
ret = AVERROR(EINVAL);
goto fail;
}
- if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)){
+ if(av_cmp_q(st->sample_aspect_ratio, st->codec->sample_aspect_ratio)
+ && FFABS(av_q2d(st->sample_aspect_ratio) - av_q2d(st->codec->sample_aspect_ratio)) > 0.001
+ ){
av_log(s, AV_LOG_ERROR, "Aspect ratio mismatch between encoder and muxer layer\n");
ret = AVERROR(EINVAL);
goto fail;
@@ -3529,7 +3531,7 @@ void av_dump_format(AVFormatContext *ic,
int is_output)
{
int i;
- uint8_t *printed = av_mallocz(ic->nb_streams);
+ uint8_t *printed = ic->nb_streams ? av_mallocz(ic->nb_streams) : NULL;
if (ic->nb_streams && !printed)
return;
diff --git a/libavutil/mem.c b/libavutil/mem.c
index fa2c388ff4..9c2e1201e1 100644
--- a/libavutil/mem.c
+++ b/libavutil/mem.c
@@ -143,6 +143,21 @@ void *av_realloc(void *ptr, FF_INTERNAL_MEM_TYPE size)
#endif
}
+void *av_realloc_f(void *ptr, size_t nelem, size_t elsize)
+{
+ size_t size;
+ void *r;
+
+ if (av_size_mult(elsize, nelem, &size)) {
+ av_free(ptr);
+ return NULL;
+ }
+ r = av_realloc(ptr, size);
+ if (!r && size)
+ av_free(ptr);
+ return r;
+}
+
void av_free(void *ptr)
{
#if CONFIG_MEMALIGN_HACK
@@ -168,6 +183,13 @@ void *av_mallocz(FF_INTERNAL_MEM_TYPE size)
return ptr;
}
+void *av_calloc(size_t nmemb, size_t size)
+{
+ if (size <= 0 || nmemb >= INT_MAX / size)
+ return NULL;
+ return av_mallocz(nmemb * size);
+}
+
char *av_strdup(const char *s)
{
char *ptr= NULL;
diff --git a/libavutil/mem.h b/libavutil/mem.h
index b4059dc32c..95e776a8a5 100644
--- a/libavutil/mem.h
+++ b/libavutil/mem.h
@@ -27,6 +27,7 @@
#define AVUTIL_MEM_H
#include "attributes.h"
+#include "error.h"
#include "avutil.h"
#if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 1110 || defined(__SUNPRO_C)
@@ -95,6 +96,16 @@ void *av_malloc(FF_INTERNAL_MEM_TYPE size) av_malloc_attrib av_alloc_size(1);
void *av_realloc(void *ptr, FF_INTERNAL_MEM_TYPE size) av_alloc_size(2);
/**
+ * Allocate or reallocate a block of memory.
+ * This function does the same thing as av_realloc, except:
+ * - It takes two arguments and checks the result of the multiplication for
+ * integer overflow.
+ * - It frees the input block in case of failure, thus avoiding the memory
+ * leak with the classic "buf = realloc(buf); if (!buf) return -1;".
+ */
+void *av_realloc_f(void *ptr, size_t nelem, size_t elsize);
+
+/**
* Free a memory block which has been allocated with av_malloc(z)() or
* av_realloc().
* @param ptr Pointer to the memory block which should be freed.
@@ -115,6 +126,18 @@ void av_free(void *ptr);
void *av_mallocz(FF_INTERNAL_MEM_TYPE size) av_malloc_attrib av_alloc_size(1);
/**
+ * Allocate a block of nmemb * size bytes with alignment suitable for all
+ * memory accesses (including vectors if available on the CPU) and
+ * zero all the bytes of the block.
+ * The allocation will fail if nmemb * size is greater than or equal
+ * to INT_MAX.
+ * @param nmemb
+ * @param size
+ * @return Pointer to the allocated block, NULL if it cannot be allocated.
+ */
+void *av_calloc(size_t nmemb, size_t size) av_malloc_attrib;
+
+/**
* Duplicate the string s.
* @param s string to be duplicated
* @return Pointer to a newly allocated string containing a
@@ -140,4 +163,19 @@ void av_freep(void *ptr);
*/
void av_dynarray_add(void *tab_ptr, int *nb_ptr, void *elem);
+/**
+ * Multiply two size_t values checking for overflow.
+ * @return 0 if success, AVERROR(EINVAL) if overflow.
+ */
+static inline int av_size_mult(size_t a, size_t b, size_t *r)
+{
+ size_t t = a * b;
+ /* Hack inspired from glibc: only try the division if nelem and elsize
+ * are both greater than sqrt(SIZE_MAX). */
+ if ((a | b) >= ((size_t)1 << (sizeof(size_t) * 4)) && a && t / a != b)
+ return AVERROR(EINVAL);
+ *r = t;
+ return 0;
+}
+
#endif /* AVUTIL_MEM_H */
diff --git a/libswscale/Makefile b/libswscale/Makefile
index 8bb06baae2..11017f6580 100644
--- a/libswscale/Makefile
+++ b/libswscale/Makefile
@@ -20,6 +20,8 @@ OBJS-$(HAVE_MMX) += x86/rgb2rgb.o \
x86/yuv2rgb_mmx.o
OBJS-$(HAVE_VIS) += sparc/yuv2rgb_vis.o
+$(SUBDIR)x86/swscale_mmx.o: CFLAGS += $(NOREDZONE_FLAGS)
+
TESTPROGS = colorspace swscale
DIRS = bfin mlib ppc sparc x86
diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c
index 197000beb9..13b21b5b8d 100644
--- a/libswscale/ppc/swscale_altivec.c
+++ b/libswscale/ppc/swscale_altivec.c
@@ -251,7 +251,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v;
vector signed int val_vEven, val_s;
- if ((((int)src + srcPos)% 16) > 12) {
+ if ((((uintptr_t)src + srcPos) % 16) > 12) {
src_v1 = vec_ld(srcPos + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -290,7 +290,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v;
vector signed int val_v, val_s;
- if ((((int)src + srcPos)% 16) > 8) {
+ if ((((uintptr_t)src + srcPos) % 16) > 8) {
src_v1 = vec_ld(srcPos + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -376,7 +376,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
//vector unsigned char src_v0 = vec_ld(srcPos + j, src);
vector unsigned char src_v1, src_vF;
vector signed short src_v, filter_v1R, filter_v;
- if ((((int)src + srcPos)% 16) > 8) {
+ if ((((uintptr_t)src + srcPos) % 16) > 8) {
src_v1 = vec_ld(srcPos + j + 16, src);
}
src_vF = vec_perm(src_v0, src_v1, permS);
diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c
index e715270714..25399fadef 100644
--- a/libswscale/x86/swscale_template.c
+++ b/libswscale/x86/swscale_template.c
@@ -2240,10 +2240,6 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst,
#if defined(PIC)
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
- // HACK: gcc 4.6 no longer decrements esp,
- // use this to make it reserve space for the call
- // return address
- void *dummy;
__asm__ volatile(
#if defined(PIC)
@@ -2295,7 +2291,6 @@ static void RENAME(hyscale_fast)(SwsContext *c, int16_t *dst,
#if defined(PIC)
,"m" (ebxsave)
#endif
- ,"m" (dummy)
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
@@ -2317,10 +2312,6 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2,
#if defined(PIC)
DECLARE_ALIGNED(8, uint64_t, ebxsave);
#endif
- // HACK: gcc 4.6 no longer decrements esp,
- // use this to make it reserve space for the call
- // return address
- void *dummy;
__asm__ volatile(
#if defined(PIC)
@@ -2360,7 +2351,6 @@ static void RENAME(hcscale_fast)(SwsContext *c, int16_t *dst1, int16_t *dst2,
#if defined(PIC)
,"m" (ebxsave)
#endif
- ,"m" (dummy)
: "%"REG_a, "%"REG_c, "%"REG_d, "%"REG_S, "%"REG_D
#if !defined(PIC)
,"%"REG_b
diff --git a/tests/fate.mak b/tests/fate.mak
index 0e3331178b..cf6c44e8e4 100644
--- a/tests/fate.mak
+++ b/tests/fate.mak
@@ -128,7 +128,7 @@ FATE_TESTS += fate-id-cin-video
fate-id-cin-video: CMD = framecrc -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24
FATE_TESTS += fate-idroq-video-dpcm
fate-idroq-video-dpcm: CMD = framecrc -i $(SAMPLES)/idroq/idlogo.roq
-FATE_TESTS += fate-idroq-video-encode
+FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode
fate-idroq-video-encode: CMD = md5 -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ
FATE_TESTS += fate-iff-byterun1
fate-iff-byterun1: CMD = framecrc -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24
diff --git a/tests/lavf-regression.sh b/tests/lavf-regression.sh
index 39e752b3c6..07dedb2ef2 100755
--- a/tests/lavf-regression.sh
+++ b/tests/lavf-regression.sh
@@ -66,6 +66,9 @@ fi
if [ -n "$do_mxf" ] ; then
do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363"
+fi
+
+if [ -n "$do_mxf_d10" ]; then
do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10"
fi
diff --git a/tests/ref/acodec/alac b/tests/ref/acodec/alac
index 1f4b264b87..35a1d8e1bf 100644
--- a/tests/ref/acodec/alac
+++ b/tests/ref/acodec/alac
@@ -1,4 +1,4 @@
-c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a
+b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a
389386 ./tests/data/acodec/alac.m4a
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
diff --git a/tests/ref/acodec/pcm b/tests/ref/acodec/pcm
index 033f8bc8c6..fc9dd8f29d 100644
--- a/tests/ref/acodec/pcm
+++ b/tests/ref/acodec/pcm
@@ -6,7 +6,7 @@ f443a8eeb1647ec1eeb8370c939e52d4 *./tests/data/acodec/pcm_mulaw.wav
529256 ./tests/data/acodec/pcm_mulaw.wav
1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav
stddev: 103.38 PSNR: 56.04 MAXDIFF: 644 bytes: 1058400/ 1058400
-b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov
+760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov
530837 ./tests/data/acodec/pcm_s8.mov
652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400
@@ -14,7 +14,7 @@ stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400
529244 ./tests/data/acodec/pcm_u8.wav
652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
stddev: 147.89 PSNR: 52.93 MAXDIFF: 255 bytes: 1058400/ 1058400
-c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov
+a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov
1060037 ./tests/data/acodec/pcm_s16be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
@@ -30,7 +30,7 @@ c4f51bf32fad2f7af8ea5beedb56168b *./tests/data/acodec/pcm_s16le.mkv
1060638 ./tests/data/acodec/pcm_s16le.mkv
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
-07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov
+971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov
1589237 ./tests/data/acodec/pcm_s24be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
@@ -38,7 +38,7 @@ a85380fb79b0d4fff38e24ac1e34bb94 *./tests/data/acodec/pcm_s24le.wav
1587668 ./tests/data/acodec/pcm_s24le.wav
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
-d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov
+fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov
2118437 ./tests/data/acodec/pcm_s32be.mov
95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
stddev: 0.00 PSNR:999.99 MAXDIFF: 0 bytes: 1058400/ 1058400
diff --git a/tests/ref/fate/motionpixels b/tests/ref/fate/motionpixels
index e588ed3e18..70413880f8 100644
--- a/tests/ref/fate/motionpixels
+++ b/tests/ref/fate/motionpixels
@@ -109,4 +109,4 @@
0, 648003, 230400, 0xb343f372
0, 654003, 230400, 0xf7f1e588
0, 660003, 230400, 0x9682bdb2
-0, 666003, 230400, 0x538a3db8
+0, 666003, 230400, 0x009f4640
diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov
index 940e518b5f..2071c5a743 100644
--- a/tests/ref/lavf/mov
+++ b/tests/ref/lavf/mov
@@ -1,3 +1,3 @@
-a901cd05609080e8f5c09ca5da7290f0 *./tests/data/lavf/lavf.mov
+2e2529d01dbe42e4dd63580a351898f5 *./tests/data/lavf/lavf.mov
357681 ./tests/data/lavf/lavf.mov
./tests/data/lavf/lavf.mov CRC=0x2f6a9b26
diff --git a/tests/ref/lavf/mxf b/tests/ref/lavf/mxf
index 58e75d17cd..869e40fd77 100644
--- a/tests/ref/lavf/mxf
+++ b/tests/ref/lavf/mxf
@@ -1,6 +1,3 @@
785e38ddd2466046f30aa36399b8f8fa *./tests/data/lavf/lavf.mxf
525881 ./tests/data/lavf/lavf.mxf
./tests/data/lavf/lavf.mxf CRC=0x4ace0849
-b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10
-5330989 ./tests/data/lavf/lavf.mxf_d10
-./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e
diff --git a/tests/ref/lavf/mxf_d10 b/tests/ref/lavf/mxf_d10
new file mode 100644
index 0000000000..2582022d17
--- /dev/null
+++ b/tests/ref/lavf/mxf_d10
@@ -0,0 +1,3 @@
+b3174e2db508564c1cce0b5e3c1bc1bd *./tests/data/lavf/lavf.mxf_d10
+5330989 ./tests/data/lavf/lavf.mxf_d10
+./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e