diff --git a/Changelog b/Changelog index 0b32c1e4..86f547c9 100644 --- a/Changelog +++ b/Changelog @@ -1,6 +1,52 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.2: +- avcodec/dstdec: Check for overflow in build_filter() +- avformat/spdifdec: Use 64bit to compute bit rate +- avformat/rpl: Use 64bit for duration computation +- avformat/xwma: Use av_rescale() for duration computation +- avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation +- avformat/sbgdec: Check ts_int in genrate_intervals +- avformat/sbgdec: clamp end_ts +- avformat/rmdec: check tag_size +- avformat/nutdec: Check fields +- avformat/flvdec: Use 64bit for sum_flv_tag_size +- avformat/jacosubdec: Fix overflow in get_shift() +- avformat/genh: Check nb_channels for IMA ADPCM +- avformat/dxa: avoid bpc overflows +- avformat/dhav: Use 64bit seek_back +- avformat/cafdec: Check that nb_frasmes fits within 64bit +- avformat/asfdec_o: Limit packet offset +- avformat/apm: Use 64bit for bit_rate computation +- avformat/ape: Check frames size +- avformat/icodec: Check nb_pal +- avformat/aiffdec: Use 64bit for block_duration use +- avformat/aiffdec: Check block_duration +- avformat/mxfdec: only probe max run in +- avformat/mxfdec: Check run_in is within 65536 +- avcodec/mjpegdec: Check for unsupported bayer case +- avcodec/apedec: Fix integer overflow in filter_3800() +- avcodec/tta: Check 24bit scaling for overflow +- avcodec/mobiclip: Check quantizer for overflow +- avcodec/exr: Check preview psize +- avcodec/tiff: Fix loop detection +- libavformat/hls: Free keys +- avcodec/fmvc: Move frame allocation to a later stage +- avfilter/vf_showinfo: remove backspaces +- avcodec/speedhq: Check width +- avcodec/bink: disallow odd positioned scaled blocks +- avformat/cafenc: derive Opus frame size from the relevant stream parameters +- avformat/dashdec: Fix crash on invalid input/ENOMEM, fix leak +- lavc/videotoolbox: do not pass AVCodecContext to decoder output callback +- lavc/pthread_frame: always transfer stashed hwaccel state +- avcodec/arm/sbcenc: avoid callee preserved vfp registers +- avformat/riffdec: don't unconditionally overwrite WAVEFORMATEXTENSIBLE layout +- avfilter/vf_scale: overwrite the width and height expressions with the original values +- lavc/pthread_frame: avoid leaving stale hwaccel state in worker threads +- avutil/tests/.gitignore: Add channel_layout testtool + + version 5.1.1: - avformat/asfdec_o: limit recursion depth in asf_read_unknown() - avformat/mov: Check count sums in build_open_gop_key_points() diff --git a/RELEASE b/RELEASE index ac14c3df..61fcc873 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.1.1 +5.1.2 diff --git a/VERSION b/VERSION index ac14c3df..61fcc873 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -5.1.1 +5.1.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 4314fceb..6c24f81f 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.1 +PROJECT_NUMBER = 5.1.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index a7c38bce..24877c55 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -934,7 +934,7 @@ static av_always_inline int filter_3800(APEPredictor *p, p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; diff --git a/libavcodec/arm/sbcdsp_neon.S b/libavcodec/arm/sbcdsp_neon.S index d83d21d2..914abfb6 100644 --- a/libavcodec/arm/sbcdsp_neon.S +++ b/libavcodec/arm/sbcdsp_neon.S @@ -38,49 +38,49 @@ function ff_sbc_analyze_4_neon, export=1 /* TODO: merge even and odd cases (or even merge all four calls to this * function) in order to have only aligned reads from 'in' array * and reduce number of load instructions */ - vld1.16 {d4, d5}, [r0, :64]! - vld1.16 {d8, d9}, [r2, :128]! + vld1.16 {d16, d17}, [r0, :64]! + vld1.16 {d20, d21}, [r2, :128]! - vmull.s16 q0, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmull.s16 q1, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmull.s16 q0, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmull.s16 q1, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q0, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q1, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q0, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q1, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q0, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q1, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmlal.s16 q0, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q1, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q0, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q1, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q0, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q1, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q0, d4, d8 - vmlal.s16 q1, d5, d9 + vmlal.s16 q0, d16, d20 + vmlal.s16 q1, d17, d21 vpadd.s32 d0, d0, d1 vpadd.s32 d1, d2, d3 vrshrn.s32 d0, q0, SBC_PROTO_FIXED_SCALE - vld1.16 {d2, d3, d4, d5}, [r2, :128]! + vld1.16 {d16, d17, d18, d19}, [r2, :128]! vdup.i32 d1, d0[1] /* TODO: can be eliminated */ vdup.i32 d0, d0[0] /* TODO: can be eliminated */ - vmull.s16 q3, d2, d0 - vmull.s16 q4, d3, d0 - vmlal.s16 q3, d4, d1 - vmlal.s16 q4, d5, d1 + vmull.s16 q10, d16, d0 + vmull.s16 q11, d17, d0 + vmlal.s16 q10, d18, d1 + vmlal.s16 q11, d19, d1 - vpadd.s32 d0, d6, d7 /* TODO: can be eliminated */ - vpadd.s32 d1, d8, d9 /* TODO: can be eliminated */ + vpadd.s32 d0, d20, d21 /* TODO: can be eliminated */ + vpadd.s32 d1, d22, d23 /* TODO: can be eliminated */ vst1.32 {d0, d1}, [r1, :128] @@ -91,57 +91,57 @@ function ff_sbc_analyze_8_neon, export=1 /* TODO: merge even and odd cases (or even merge all four calls to this * function) in order to have only aligned reads from 'in' array * and reduce number of load instructions */ - vld1.16 {d4, d5}, [r0, :64]! - vld1.16 {d8, d9}, [r2, :128]! + vld1.16 {d16, d17}, [r0, :64]! + vld1.16 {d20, d21}, [r2, :128]! - vmull.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmull.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmull.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmull.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmull.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmull.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmull.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmull.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vld1.16 {d4, d5}, [r0, :64]! - vmlal.s16 q9, d7, d11 - vld1.16 {d8, d9}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! + vmlal.s16 q14, d18, d22 + vld1.16 {d16, d17}, [r0, :64]! + vmlal.s16 q15, d19, d23 + vld1.16 {d20, d21}, [r2, :128]! - vmlal.s16 q6, d4, d8 - vld1.16 {d6, d7}, [r0, :64]! - vmlal.s16 q7, d5, d9 - vld1.16 {d10, d11}, [r2, :128]! + vmlal.s16 q12, d16, d20 + vld1.16 {d18, d19}, [r0, :64]! + vmlal.s16 q13, d17, d21 + vld1.16 {d22, d23}, [r2, :128]! - vmlal.s16 q8, d6, d10 - vmlal.s16 q9, d7, d11 + vmlal.s16 q14, d18, d22 + vmlal.s16 q15, d19, d23 - vpadd.s32 d0, d12, d13 - vpadd.s32 d1, d14, d15 - vpadd.s32 d2, d16, d17 - vpadd.s32 d3, d18, d19 + vpadd.s32 d0, d24, d25 + vpadd.s32 d1, d26, d27 + vpadd.s32 d2, d28, d29 + vpadd.s32 d3, d30, d31 vrshr.s32 q0, q0, SBC_PROTO_FIXED_SCALE vrshr.s32 q1, q1, SBC_PROTO_FIXED_SCALE @@ -153,38 +153,38 @@ function ff_sbc_analyze_8_neon, export=1 vdup.i32 d1, d0[1] /* TODO: can be eliminated */ vdup.i32 d0, d0[0] /* TODO: can be eliminated */ - vld1.16 {d4, d5}, [r2, :128]! - vmull.s16 q6, d4, d0 - vld1.16 {d6, d7}, [r2, :128]! - vmull.s16 q7, d5, d0 - vmull.s16 q8, d6, d0 - vmull.s16 q9, d7, d0 + vld1.16 {d16, d17}, [r2, :128]! + vmull.s16 q12, d16, d0 + vld1.16 {d18, d19}, [r2, :128]! + vmull.s16 q13, d17, d0 + vmull.s16 q14, d18, d0 + vmull.s16 q15, d19, d0 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d1 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d1 - vmlal.s16 q8, d6, d1 - vmlal.s16 q9, d7, d1 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d1 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d1 + vmlal.s16 q14, d18, d1 + vmlal.s16 q15, d19, d1 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d2 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d2 - vmlal.s16 q8, d6, d2 - vmlal.s16 q9, d7, d2 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d2 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d2 + vmlal.s16 q14, d18, d2 + vmlal.s16 q15, d19, d2 - vld1.16 {d4, d5}, [r2, :128]! - vmlal.s16 q6, d4, d3 - vld1.16 {d6, d7}, [r2, :128]! - vmlal.s16 q7, d5, d3 - vmlal.s16 q8, d6, d3 - vmlal.s16 q9, d7, d3 + vld1.16 {d16, d17}, [r2, :128]! + vmlal.s16 q12, d16, d3 + vld1.16 {d18, d19}, [r2, :128]! + vmlal.s16 q13, d17, d3 + vmlal.s16 q14, d18, d3 + vmlal.s16 q15, d19, d3 - vpadd.s32 d0, d12, d13 /* TODO: can be eliminated */ - vpadd.s32 d1, d14, d15 /* TODO: can be eliminated */ - vpadd.s32 d2, d16, d17 /* TODO: can be eliminated */ - vpadd.s32 d3, d18, d19 /* TODO: can be eliminated */ + vpadd.s32 d0, d24, d25 /* TODO: can be eliminated */ + vpadd.s32 d1, d26, d27 /* TODO: can be eliminated */ + vpadd.s32 d2, d28, d29 /* TODO: can be eliminated */ + vpadd.s32 d3, d30, d31 /* TODO: can be eliminated */ vst1.32 {d0, d1, d2, d3}, [r1, :128] diff --git a/libavcodec/bink.c b/libavcodec/bink.c index ae2c65f1..3ba3068e 100644 --- a/libavcodec/bink.c +++ b/libavcodec/bink.c @@ -1088,7 +1088,7 @@ static int bink_decode_plane(BinkContext *c, AVFrame *frame, GetBitContext *gb, for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c index 93642e34..ba6651b0 100644 --- a/libavcodec/dstdec.c +++ b/libavcodec/dstdec.c @@ -216,7 +216,7 @@ static uint8_t prob_dst_x_bit(int c) return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -227,14 +227,17 @@ static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table * int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, AVFrame *frame, @@ -329,7 +332,9 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * channels); diff --git a/libavcodec/exr.c b/libavcodec/exr.c index c25bae8c..91a567cd 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1951,9 +1951,12 @@ static int decode_header(EXRContext *s, AVFrame *frame) "preview", 16)) >= 0) { uint32_t pw = bytestream2_get_le32(gb); uint32_t ph = bytestream2_get_le32(gb); - int64_t psize = 4LL * pw * ph; + uint64_t psize = pw * ph; + if (psize > INT64_MAX / 4) + return AVERROR_INVALIDDATA; + psize *= 4; - if (psize >= bytestream2_get_bytes_left(gb)) + if ((int64_t)psize >= bytestream2_get_bytes_left(gb)) return AVERROR_INVALIDDATA; bytestream2_skip(gb, psize); diff --git a/libavcodec/fmvc.c b/libavcodec/fmvc.c index 4abf6d70..912ad8fc 100644 --- a/libavcodec/fmvc.c +++ b/libavcodec/fmvc.c @@ -401,20 +401,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, GetByteContext *gb = &s->gb; PutByteContext *pb = &s->pb; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { @@ -514,6 +517,12 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 869aee42..f5ad3256 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1212,6 +1212,8 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p ptr[3*mb_x + 2] = buffer[mb_x][2] + ptr[3*mb_x + 1]; } } else if (s->bayer) { + if (s->bits <= 8) + return AVERROR_PATCHWELCOME; if (nb_components == 1) { /* Leave decoding to the TIFF/DNG decoder (see comment in ff_mjpeg_decode_sof) */ for (mb_x = 0; mb_x < width; mb_x++) diff --git a/libavcodec/mobiclip.c b/libavcodec/mobiclip.c index dcf788c6..a1e5dca1 100644 --- a/libavcodec/mobiclip.c +++ b/libavcodec/mobiclip.c @@ -330,7 +330,7 @@ static av_cold int mobiclip_init(AVCodecContext *avctx) return 0; } -static int setup_qtables(AVCodecContext *avctx, int quantizer) +static int setup_qtables(AVCodecContext *avctx, int64_t quantizer) { MobiClipContext *s = avctx->priv_data; int qx, qy; @@ -1256,7 +1256,7 @@ static int mobiclip_decode(AVCodecContext *avctx, AVFrame *rframe, frame->key_frame = 0; s->dct_tab_idx = 0; - ret = setup_qtables(avctx, s->quantizer + get_se_golomb(gb)); + ret = setup_qtables(avctx, s->quantizer + (int64_t)get_se_golomb(gb)); if (ret < 0) return ret; diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c index 8faea75a..43d6cc8f 100644 --- a/libavcodec/pthread_frame.c +++ b/libavcodec/pthread_frame.c @@ -147,6 +147,12 @@ typedef struct FrameThreadContext { * Set for the first N packets, where N is the number of threads. * While it is set, ff_thread_en/decode_frame won't return any results. */ + + /* hwaccel state is temporarily stored here in order to transfer its ownership + * to the next decoding thread without the need for extra synchronization */ + const AVHWAccel *stash_hwaccel; + void *stash_hwaccel_context; + void *stash_hwaccel_priv; } FrameThreadContext; #if FF_API_THREAD_SAFE_CALLBACKS @@ -227,9 +233,17 @@ FF_ENABLE_DEPRECATION_WARNINGS ff_thread_finish_setup(avctx); if (p->hwaccel_serializing) { + /* wipe hwaccel state to avoid stale pointers lying around; + * the state was transferred to FrameThreadContext in + * ff_thread_finish_setup(), so nothing is leaked */ + avctx->hwaccel = NULL; + avctx->hwaccel_context = NULL; + avctx->internal->hwaccel_priv_data = NULL; + p->hwaccel_serializing = 0; pthread_mutex_unlock(&p->parent->hwaccel_mutex); } + av_assert0(!avctx->hwaccel); if (p->async_serializing) { p->async_serializing = 0; @@ -293,9 +307,6 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, dst->color_range = src->color_range; dst->chroma_sample_location = src->chroma_sample_location; - dst->hwaccel = src->hwaccel; - dst->hwaccel_context = src->hwaccel_context; - dst->sample_rate = src->sample_rate; dst->sample_fmt = src->sample_fmt; #if FF_API_OLD_CHANNEL_LAYOUT @@ -308,8 +319,6 @@ FF_ENABLE_DEPRECATION_WARNINGS if (err < 0) return err; - dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; - if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { av_buffer_unref(&dst->hw_frames_ctx); @@ -451,6 +460,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, } } + /* transfer the stashed hwaccel state, if any */ + av_assert0(!p->avctx->hwaccel); + FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + av_packet_unref(p->avpkt); ret = av_packet_ref(p->avpkt, avpkt); if (ret < 0) { @@ -654,6 +669,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { async_lock(p->parent); } + /* save hwaccel state for passing to the next thread; + * this is done here so that this worker thread can wipe its own hwaccel + * state after decoding, without requiring synchronization */ + av_assert0(!p->parent->stash_hwaccel); + p->parent->stash_hwaccel = avctx->hwaccel; + p->parent->stash_hwaccel_context = avctx->hwaccel_context; + p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; + pthread_mutex_lock(&p->progress_mutex); if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); @@ -707,13 +730,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) park_frame_worker_threads(fctx, thread_count); - if (fctx->prev_thread && avctx->internal->hwaccel_priv_data != - fctx->prev_thread->avctx->internal->hwaccel_priv_data) { - if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) { - av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n"); - } - } - for (i = 0; i < thread_count; i++) { PerThreadContext *p = &fctx->threads[i]; AVCodecContext *ctx = p->avctx; @@ -760,6 +776,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) av_freep(&fctx->threads); ff_pthread_free(fctx, thread_ctx_offsets); + /* if we have stashed hwaccel state, move it to the user-facing context, + * so it will be freed in avcodec_close() */ + av_assert0(!avctx->hwaccel); + FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); + FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); + FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + av_freep(&avctx->internal->thread_ctx); } diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c index 4cfd4ce7..e158061b 100644 --- a/libavcodec/speedhq.c +++ b/libavcodec/speedhq.c @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, AVFrame *frame, uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 2d40626c..e7a2576b 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1750,7 +1750,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, AVPacket *avpkt) { TiffContext *const s = avctx->priv_data; - unsigned off, last_off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; @@ -1815,7 +1815,6 @@ again: /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed - last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1833,6 +1832,7 @@ again: avpriv_request_sample(s->avctx, "non increasing IFD offset"); return AVERROR_INVALIDDATA; } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 74be140d..0fc639b1 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -377,8 +377,15 @@ static int tta_decode_frame(AVCodecContext *avctx, AVFrame *frame, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; diff --git a/libavcodec/videotoolbox.c b/libavcodec/videotoolbox.c index ce83c259..d61d3106 100644 --- a/libavcodec/videotoolbox.c +++ b/libavcodec/videotoolbox.c @@ -690,8 +690,7 @@ static void videotoolbox_decoder_callback(void *opaque, CMTime pts, CMTime duration) { - AVCodecContext *avctx = opaque; - VTContext *vtctx = avctx->internal->hwaccel_priv_data; + VTContext *vtctx = opaque; if (vtctx->frame) { CVPixelBufferRelease(vtctx->frame); @@ -699,7 +698,8 @@ static void videotoolbox_decoder_callback(void *opaque, } if (!image_buffer) { - av_log(avctx, status ? AV_LOG_WARNING : AV_LOG_DEBUG, "vt decoder cb: output image buffer is null: %i\n", status); + av_log(vtctx->logctx, status ? AV_LOG_WARNING : AV_LOG_DEBUG, + "vt decoder cb: output image buffer is null: %i\n", status); return; } @@ -949,7 +949,7 @@ static int videotoolbox_start(AVCodecContext *avctx) videotoolbox->cv_pix_fmt_type); decoder_cb.decompressionOutputCallback = videotoolbox_decoder_callback; - decoder_cb.decompressionOutputRefCon = avctx; + decoder_cb.decompressionOutputRefCon = avctx->internal->hwaccel_priv_data; status = VTDecompressionSessionCreate(NULL, // allocator videotoolbox->cm_fmt_desc, // videoFormatDescription @@ -1179,6 +1179,8 @@ int ff_videotoolbox_common_init(AVCodecContext *avctx) AVHWFramesContext *hw_frames; int err; + vtctx->logctx = avctx; + // Old API - do nothing. if (avctx->hwaccel_context) return 0; diff --git a/libavcodec/vt_internal.h b/libavcodec/vt_internal.h index 54a11fd1..9502d7c7 100644 --- a/libavcodec/vt_internal.h +++ b/libavcodec/vt_internal.h @@ -45,6 +45,8 @@ typedef struct VTContext { // Current H264 parameters (used to trigger decoder restart on SPS changes). uint8_t sps[3]; bool reconfig_needed; + + void *logctx; } VTContext; int ff_videotoolbox_alloc_frame(AVCodecContext *avctx, AVFrame *frame); diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c index 996f7aaa..2b12cf28 100644 --- a/libavfilter/vf_scale.c +++ b/libavfilter/vf_scale.c @@ -491,19 +491,19 @@ static int config_props(AVFilterLink *outlink) if ((ret = scale_eval_dimensions(ctx)) < 0) goto fail; - ff_scale_adjust_dimensions(inlink, &scale->w, &scale->h, + outlink->w = scale->w; + outlink->h = scale->h; + + ff_scale_adjust_dimensions(inlink, &outlink->w, &outlink->h, scale->force_original_aspect_ratio, scale->force_divisible_by); - if (scale->w > INT_MAX || - scale->h > INT_MAX || - (scale->h * inlink->w) > INT_MAX || - (scale->w * inlink->h) > INT_MAX) + if (outlink->w > INT_MAX || + outlink->h > INT_MAX || + (outlink->h * inlink->w) > INT_MAX || + (outlink->w * inlink->h) > INT_MAX) av_log(ctx, AV_LOG_ERROR, "Rescaled value for width or height is too big.\n"); - outlink->w = scale->w; - outlink->h = scale->h; - /* TODO: make algorithm configurable */ scale->input_is_pal = desc->flags & AV_PIX_FMT_FLAG_PAL; @@ -718,9 +718,9 @@ static int scale_frame(AVFilterLink *link, AVFrame *in, AVFrame **frame_out) goto scale; if (scale->eval_mode == EVAL_MODE_INIT) { - snprintf(buf, sizeof(buf)-1, "%d", outlink->w); + snprintf(buf, sizeof(buf) - 1, "%d", scale->w); av_opt_set(scale, "w", buf, 0); - snprintf(buf, sizeof(buf)-1, "%d", outlink->h); + snprintf(buf, sizeof(buf) - 1, "%d", scale->h); av_opt_set(scale, "h", buf, 0); ret = scale_parse_expr(ctx, NULL, &scale->w_pexpr, "width", scale->w_expr); diff --git a/libavfilter/vf_showinfo.c b/libavfilter/vf_showinfo.c index 6efcafce..68fbe8cc 100644 --- a/libavfilter/vf_showinfo.c +++ b/libavfilter/vf_showinfo.c @@ -730,12 +730,15 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *frame) av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 0487d3f0..80733e58 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -372,6 +372,8 @@ got_sound: av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return AVERROR_INVALIDDATA; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); @@ -426,7 +428,7 @@ static int aiff_read_packet(AVFormatContext *s, pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } diff --git a/libavformat/ape.c b/libavformat/ape.c index bf1254e7..d6c8ec23 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -298,6 +298,8 @@ static int ape_read_header(AVFormatContext * s) ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { diff --git a/libavformat/apm.c b/libavformat/apm.c index baf7d2f9..a3ddc08e 100644 --- a/libavformat/apm.c +++ b/libavformat/apm.c @@ -148,7 +148,7 @@ static int apm_read_header(AVFormatContext *s) par->codec_id = AV_CODEC_ID_ADPCM_IMA_APM; par->format = AV_SAMPLE_FMT_S16; par->bit_rate = par->ch_layout.nb_channels * - par->sample_rate * + (int64_t)par->sample_rate * par->bits_per_coded_sample; if ((ret = avio_read(s->pb, buf, APM_FILE_EXTRADATA_SIZE)) < 0) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 48b7d173..e837ca62 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -1242,6 +1242,8 @@ static int asf_read_packet_header(AVFormatContext *s) unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index d5b8c38c..e0a9031c 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -387,7 +387,7 @@ static int read_header(AVFormatContext *s) found_data: if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) { - if (caf->data_size > 0) + if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet) st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet; } else if (ffstream(st)->nb_index_entries && st->duration > 0) { if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) { diff --git a/libavformat/cafenc.c b/libavformat/cafenc.c index fedb430b..b90811d4 100644 --- a/libavformat/cafenc.c +++ b/libavformat/cafenc.c @@ -53,7 +53,11 @@ static uint32_t codec_flags(enum AVCodecID codec_id) { } } -static uint32_t samples_per_packet(enum AVCodecID codec_id, int channels, int block_align) { +static uint32_t samples_per_packet(const AVCodecParameters *par) { + enum AVCodecID codec_id = par->codec_id; + int channels = par->ch_layout.nb_channels, block_align = par->block_align; + int frame_size = par->frame_size, sample_rate = par->sample_rate; + switch (codec_id) { case AV_CODEC_ID_PCM_S8: case AV_CODEC_ID_PCM_S16LE: @@ -83,6 +87,8 @@ static uint32_t samples_per_packet(enum AVCodecID codec_id, int channels, int bl return 320; case AV_CODEC_ID_MP1: return 384; + case AV_CODEC_ID_OPUS: + return frame_size * 48000 / sample_rate; case AV_CODEC_ID_MP2: case AV_CODEC_ID_MP3: return 1152; @@ -110,7 +116,7 @@ static int caf_write_header(AVFormatContext *s) AVDictionaryEntry *t = NULL; unsigned int codec_tag = ff_codec_get_tag(ff_codec_caf_tags, par->codec_id); int64_t chunk_size = 0; - int frame_size = par->frame_size; + int frame_size = par->frame_size, sample_rate = par->sample_rate; if (s->nb_streams != 1) { av_log(s, AV_LOG_ERROR, "CAF files have exactly one stream\n"); @@ -139,7 +145,10 @@ static int caf_write_header(AVFormatContext *s) } if (par->codec_id != AV_CODEC_ID_MP3 || frame_size != 576) - frame_size = samples_per_packet(par->codec_id, par->ch_layout.nb_channels, par->block_align); + frame_size = samples_per_packet(par); + + if (par->codec_id == AV_CODEC_ID_OPUS) + sample_rate = 48000; ffio_wfourcc(pb, "caff"); //< mFileType avio_wb16(pb, 1); //< mFileVersion @@ -147,7 +156,7 @@ static int caf_write_header(AVFormatContext *s) ffio_wfourcc(pb, "desc"); //< Audio Description chunk avio_wb64(pb, 32); //< mChunkSize - avio_wb64(pb, av_double2int(par->sample_rate)); //< mSampleRate + avio_wb64(pb, av_double2int(sample_rate)); //< mSampleRate avio_wl32(pb, codec_tag); //< mFormatID avio_wb32(pb, codec_flags(par->codec_id)); //< mFormatFlags avio_wb32(pb, par->block_align); //< mBytesPerPacket @@ -248,7 +257,7 @@ static int caf_write_trailer(AVFormatContext *s) avio_seek(pb, caf->data, SEEK_SET); avio_wb64(pb, file_size - caf->data - 8); if (!par->block_align) { - int packet_size = samples_per_packet(par->codec_id, par->ch_layout.nb_channels, par->block_align); + int packet_size = samples_per_packet(par); if (!packet_size) { packet_size = st->duration / (caf->packets - 1); avio_seek(pb, FRAME_SIZE_OFFSET, SEEK_SET); diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c index 63bf7e96..2ca91bea 100644 --- a/libavformat/dashdec.c +++ b/libavformat/dashdec.c @@ -956,7 +956,11 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, xmlFree(val); } if (adaptionset_supplementalproperty_node) { - if (!av_strcasecmp(xmlGetProp(adaptionset_supplementalproperty_node,"schemeIdUri"), "http://dashif.org/guidelines/last-segment-number")) { + char *scheme_id_uri = xmlGetProp(adaptionset_supplementalproperty_node, "schemeIdUri"); + if (scheme_id_uri) { + int is_last_segment_number = !av_strcasecmp(scheme_id_uri, "http://dashif.org/guidelines/last-segment-number"); + xmlFree(scheme_id_uri); + if (is_last_segment_number) { val = xmlGetProp(adaptionset_supplementalproperty_node,"value"); if (!val) { av_log(s, AV_LOG_ERROR, "Missing value attribute in adaptionset_supplementalproperty_node\n"); @@ -965,6 +969,7 @@ static int parse_manifest_representation(AVFormatContext *s, const char *url, xmlFree(val); } } + } } fragment_timeline_node = find_child_node_by_name(representation_segmenttemplate_node, "SegmentTimeline"); diff --git a/libavformat/dhav.c b/libavformat/dhav.c index 9d26efe8..4e720f2a 100644 --- a/libavformat/dhav.c +++ b/libavformat/dhav.c @@ -242,7 +242,7 @@ static int64_t get_duration(AVFormatContext *s) avio_seek(s->pb, avio_size(s->pb) - 8, SEEK_SET); while (avio_tell(s->pb) > 12 && max_interations--) { if (avio_rl32(s->pb) == MKTAG('d','h','a','v')) { - int seek_back = avio_rl32(s->pb); + int64_t seek_back = avio_rl32(s->pb); avio_seek(s->pb, -seek_back, SEEK_CUR); read_chunk(s); diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 16fbb081..474b8527 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -118,9 +118,12 @@ static int dxa_read_header(AVFormatContext *s) if(tag == MKTAG('d', 'a', 't', 'a')) break; avio_skip(pb, fsize); } - c->bpc = (fsize + c->frames - 1) / c->frames; - if(ast->codecpar->block_align) + c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames; + if(ast->codecpar->block_align) { + if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) + return AVERROR_INVALIDDATA; c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; + } c->bytes_left = fsize; c->wavpos = avio_tell(pb); avio_seek(pb, c->vidpos, SEEK_SET); diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 8dba9266..7242296f 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -65,7 +65,7 @@ typedef struct FLVContext { uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE]; int broken_sizes; - int sum_flv_tag_size; + int64_t sum_flv_tag_size; int last_keyframe_stream_index; int keyframe_count; @@ -1030,7 +1030,7 @@ retry: type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1330,7 +1330,7 @@ leave: !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); diff --git a/libavformat/genh.c b/libavformat/genh.c index a25d4d62..1f707b55 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -78,6 +78,8 @@ static int genh_read_header(AVFormatContext *s) case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break; case 1: case 11: st->codecpar->bits_per_coded_sample = 4; + if (st->codecpar->ch_layout.nb_channels > INT_MAX / 36) + return AVERROR_INVALIDDATA; st->codecpar->block_align = 36 * st->codecpar->ch_layout.nb_channels; st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break; case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break; diff --git a/libavformat/hls.c b/libavformat/hls.c index 3dc7bd39..e622425e 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -250,6 +250,7 @@ static void free_init_section_list(struct playlist *pls) { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } diff --git a/libavformat/icodec.c b/libavformat/icodec.c index 290f658d..85dab3bc 100644 --- a/libavformat/icodec.c +++ b/libavformat/icodec.c @@ -196,6 +196,9 @@ static int read_packet(AVFormatContext *s, AVPacket *pkt) AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 0ee4820f..61b1316d 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -144,7 +144,7 @@ static int get_shift(int timeres, const char *buf) ret = 0; switch (n) { case 4: - ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); break; case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 400941c3..4a314908 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -64,6 +64,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, @@ -3632,6 +3633,7 @@ static int mxf_read_header(AVFormatContext *s) KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3641,7 +3643,10 @@ static int mxf_read_header(AVFormatContext *s) } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); @@ -4047,7 +4052,7 @@ static int mxf_read_close(AVFormatContext *s) static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 8cc56615..24dedc47 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -245,6 +245,11 @@ static int decode_main_header(NUTContext *nut) for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); diff --git a/libavformat/riffdec.c b/libavformat/riffdec.c index 3946ecb7..c1e4a045 100644 --- a/libavformat/riffdec.c +++ b/libavformat/riffdec.c @@ -102,6 +102,8 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, return AVERROR_INVALIDDATA; } + av_channel_layout_uninit(&par->ch_layout); + par->codec_type = AVMEDIA_TYPE_AUDIO; if (!big_endian) { id = avio_rl16(pb); @@ -189,9 +191,12 @@ int ff_get_wav_header(AVFormatContext *s, AVIOContext *pb, if (par->codec_id == AV_CODEC_ID_ADPCM_G726 && par->sample_rate) par->bits_per_coded_sample = par->bit_rate / par->sample_rate; - av_channel_layout_uninit(&par->ch_layout); - par->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; - par->ch_layout.nb_channels = channels; + /* ignore WAVEFORMATEXTENSIBLE layout if different from channel count */ + if (channels != par->ch_layout.nb_channels) { + av_channel_layout_uninit(&par->ch_layout); + par->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; + par->ch_layout.nb_channels = channels; + } return 0; } diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 881d7002..0f1534b5 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -563,6 +563,8 @@ static int rm_read_header(AVFormatContext *s) } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { diff --git a/libavformat/rpl.c b/libavformat/rpl.c index d025589b..3ef6fda3 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -279,7 +279,7 @@ static int rpl_read_header(AVFormatContext *s) error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index 8a6d6790..5edb9664 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -1317,6 +1317,8 @@ static int generate_intervals(void *log, struct sbg_script *s, int sample_rate, /* Pseudo event before the first one */ ev0 = s->events[s->nb_events - 1]; + if (av_sat_sub64(ev0.ts_int, period) != (uint64_t)ev0.ts_int - period) + return AVERROR_INVALIDDATA; ev0.ts_int -= period; ev0.ts_trans -= period; ev0.ts_next -= period; @@ -1478,7 +1480,7 @@ static int sbg_read_packet(AVFormatContext *avf, AVPacket *packet) int ret; ts = ffstream(avf->streams[0])->cur_dts; - end_ts = ts + avf->streams[0]->codecpar->frame_size; + end_ts = av_sat_add64(ts, avf->streams[0]->codecpar->frame_size); if (avf->streams[0]->duration != AV_NOPTS_VALUE) end_ts = FFMIN(avf->streams[0]->start_time + avf->streams[0]->duration, end_ts); diff --git a/libavformat/sdsdec.c b/libavformat/sdsdec.c index f98096dc..d296500b 100644 --- a/libavformat/sdsdec.c +++ b/libavformat/sdsdec.c @@ -112,7 +112,7 @@ static int sds_read_header(AVFormatContext *ctx) st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; st->codecpar->ch_layout.nb_channels = 1; st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000; - st->duration = (avio_size(pb) - 21) / (127) * s->size / 4; + st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4); avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); diff --git a/libavformat/spdifdec.c b/libavformat/spdifdec.c index 2af75ca9..67213358 100644 --- a/libavformat/spdifdec.c +++ b/libavformat/spdifdec.c @@ -226,7 +226,7 @@ int ff_spdif_read_packet(AVFormatContext *s, AVPacket *pkt) if (!s->bit_rate && s->streams[0]->codecpar->sample_rate) /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */ - s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate; + s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate; return 0; } diff --git a/libavformat/xwma.c b/libavformat/xwma.c index c16ff1be..12689f37 100644 --- a/libavformat/xwma.c +++ b/libavformat/xwma.c @@ -278,7 +278,7 @@ static int xwma_read_header(AVFormatContext *s) * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: