Fixes out of array read
Fixes: asan_static-oob_30328b6_719_cov_3325483287_H264_artifacts_motion.h264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'cba4e6062a02d5bf684e13a770be88aa1fec717e':
More correct printf format specifiers
Conflicts:
libavcodec/h264_ps.c
libavcodec/h264_refs.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'e70ab7c1f5005041bba0e4efc1165410f83495b2':
h264: add MVCD to the list of High profiles in SPS
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '614b9e4db8f3d7c23fc0410fc04745a727a82f4e':
h264: use avpriv_request_sample for chroma_format_idc
Conflicts:
libavcodec/h264_ps.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '3a0576702825423abecb32627c530dbc4c0f73bc':
h264: store current_sps_id inside the current sps
Conflicts:
libavcodec/h264.c
libavcodec/h264_ps.c
The current_sps_id is not removed as it used in security related code.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '73e8fab31dc19c4371499e612856accbc00b2820':
h264: print values in case of error
Conflicts:
libavcodec/h264.c
libavcodec/h264_ps.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '9ecabd7892ff073ae60ded3fc0a1290f5914ed5c':
h264: reset num_reorder_frames if it is invalid
Note, num_reorder_frames is not used in the failure case
Merged-by: Michael Niedermayer <michaelni@gmx.at>
An invalid VUI is not considered a fatal error, so the SPS containing it
may still be used. Leaving an invalid value of num_reorder_frames there
can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
There is no point in delaying the check and it avoids bugs with a
half-initialized context.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
* commit '94603feb1b3ad01a821a1a1cef1570b13f471821':
h264_ps: when parsing a VUI fails, only abort when explode is set
Merge only for metadata, ignoring invalid data can put the context
into an invalid state and can possibly be used for remote code
execution exploits.
Also we support all non standard VUIs that have been reported so
ignoring parsing failure makes no sense for us unless theres
some issue that has not been reported
Merged-by: Michael Niedermayer <michaelni@gmx.at>
A VUI doesn't contain anything strictly necessary for decoding.
Apparently there are many samples with truncated VUIs in the wild, this
commit should allow decoding them.
* commit 'c18838f5eb7d7001a9dc653f5162868c04c1b2a1':
h264_ps: Use more meaningful error values
Conflicts:
libavcodec/h264_ps.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Most of the changes are just trivial are just trivial replacements of
fields from MpegEncContext with equivalent fields in H264Context.
Everything in h264* other than h264.c are those trivial changes.
The nontrivial parts are:
1) extracting a simplified version of the frame management code from
mpegvideo.c. We don't need last/next_picture anymore, since h264 uses
its own more complex system already and those were set only to appease
the mpegvideo parts.
2) some tables that need to be allocated/freed in appropriate places.
3) hwaccels -- mostly trivial replacements.
for dxva, the draw_horiz_band() call is moved from
ff_dxva2_common_end_frame() to per-codec end_frame() callbacks,
because it's now different for h264 and MpegEncContext-based
decoders.
4) svq3 -- it does not use h264 complex reference system, so I just
added some very simplistic frame management instead and dropped the
use of ff_h264_frame_start(). Because of this I also had to move some
initialization code to svq3.
Additional fixes for chroma format and bit depth changes by
Janne Grunau <janne-libav@jannau.net>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
* commit 'c661cb6672af5ebcb900ec8766b24761bd2ab011':
cmdutils: pass number of groups to split_commandline().
mov: handle h263 and flv1 for codec_tag 'H','2','6','3'
h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles
Conflicts:
libavcodec/h264_ps.c
libavformat/isom.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit '072be3e8969f24113d599444be4d6a0ed04a6602':
h264: set parameters from SPS whenever it changes
asyncts: cosmetics: reindent
Conflicts:
libavcodec/h264.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* commit 'd7d6efe42b0d2057e67999b96b9a391f533d2333':
h264: check sps.log2_max_frame_num for validity
mov: validate number of DataReferenceBox entries against box size
mov: compute avg_frame_rate only if duration is known
flac: change minimum and default of lpc_passes option to 1
Conflicts:
libavcodec/h264_ps.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
avformat: Drop pointless "format" from container long names
swscale: bury one more piece of inline asm under HAVE_INLINE_ASM.
wv: K&R formatting cosmetics
configure: Add missing descriptions to help output
h264_ps: declare array of colorspace strings on its own line.
fate: amix: specify f32 sample format for comparison
tiny_psnr: support 32-bit float samples
eamad/eatgq/eatqi: call special EA IDCT directly
eamad: remove use of MpegEncContext
mpegvideo: remove unnecessary inclusions of faandct.h
af_asyncts: avoid overflow in out_size with large delta values
af_asyncts: add first_pts option
Conflicts:
configure
libavcodec/eamad.c
libavcodec/h264_ps.c
libavformat/crcenc.c
libavformat/ffmdec.c
libavformat/ffmenc.c
libavformat/framecrcenc.c
libavformat/md5enc.c
libavformat/nutdec.c
libavformat/rawenc.c
libavformat/yuv4mpeg.c
tests/tiny_psnr.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
mpeg12: fixed parsing in some mpeg2 streams
Add SMPTE240M transfer characteristics flag.
mpegts: Some additional HDMV types and reg descriptors for mpegts
motionpixels: Clip YUV values after applying a gradient.
jpeg: handle progressive in second field of interlaced.
ituh263dec: Implement enough of Annex O (scalability) to fix a FPE.
h263: more strictly forbid frame size changes with frame-mt.
h264: additional protection against unsupported size/bitdepth changes.
tta: prevents overflows for 32bit integers in header.
configure: remove malloc_aligned.
vp8: update frame size changes on thread context switches.
snowdsp: explicitily state instruction size.
wmall: fix reconstructing audio with uncoded channels
WMAL cosmetics: fix indentation
gitignore: add Win32 library suffixes
Conflicts:
configure
libavcodec/h263dec.c
libavcodec/h264.c
libavcodec/ituh263dec.c
libavcodec/mjpegdec.c
libavcodec/wmalosslessdec.c
libavcodec/x86/snowdsp_mmx.c
libavformat/mpegts.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
doc/general: update supported devices table.
doc/general: add missing @tab to codecs table.
h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction.
avconv: reindent
avconv: link '-passlogfile' option to libx264 'stats' AVOption.
libx264: add 'stats' private option for setting 2pass stats filename.
libx264: fix help text for slice-max-size option.
http: Clear the auth state on redirects
http: Retry auth if it failed due to being stale
rtsp: Resend new keepalive commands if they used stale auth
rtsp: Retry authentication if failed due to being stale
httpauth: Parse the stale field in digest auth
dxva2_vc1: pass the overlap flag to the decoder
dxva2_vc1: fix decoding of BI frames
FATE: add shorthand to wavpack test
dfa: convert to bytestream2 API
anm decoder: move buffer allocation from decode_init() to decode_frame()
h264: improve parsing of broken AVC SPS
Conflicts:
ffmpeg.c
libavcodec/anm.c
libavcodec/dfa.c
libavcodec/h264.c
libavcodec/h264_direct.c
libavcodec/h264_ps.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Parsing the entire NAL as SPS fixes decoding of some AVC bitstreams
with broken escaping. Since the size of the NAL unit is known and
checked against the buffer end we can parse it entirely without buffer
overreads.
Fixes playback of
http://streams.videolan.org/streams/mp4/Mr_MrsSmith-h264_aac.mp4
Signed-off-by: Janne Grunau <janne-libav@jannau.net>
* qatar/master: (31 commits)
cdxl demux: do not create packets with uninitialized data at EOF.
Replace computations of remaining bits with calls to get_bits_left().
amrnb/amrwb: Remove get_bits usage.
cosmetics: reindent
avformat: do not require a pixel/sample format if there is no decoder
avformat: do not fill-in audio packet duration in compute_pkt_fields()
lavf: Use av_get_audio_frame_duration() in get_audio_frame_size()
dca_parser: parse the sample rate and frame durations
libspeexdec: do not set AVCodecContext.frame_size
libopencore-amr: do not set AVCodecContext.frame_size
alsdec: do not set AVCodecContext.frame_size
siff: do not set AVCodecContext.frame_size
amr demuxer: do not set AVCodecContext.frame_size.
aiffdec: do not set AVCodecContext.frame_size
mov: do not set AVCodecContext.frame_size
ape: do not set AVCodecContext.frame_size.
rdt: remove workaround for infinite loop with aac
avformat: do not require frame_size in avformat_find_stream_info() for CELT
avformat: do not require frame_size in avformat_find_stream_info() for MP1/2/3
avformat: do not require frame_size in avformat_find_stream_info() for AAC
...
Conflicts:
doc/APIchanges
libavcodec/Makefile
libavcodec/avcodec.h
libavcodec/h264.c
libavcodec/h264_ps.c
libavcodec/utils.c
libavcodec/version.h
libavcodec/x86/dsputil_mmx.c
libavformat/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (35 commits)
flvdec: Do not call parse_keyframes_index with a NULL stream
libspeexdec: include system headers before local headers
libspeexdec: return meaningful error codes
libspeexdec: cosmetics: reindent
libspeexdec: decode one frame at a time.
swscale: fix signed shift overflows in ff_yuv2rgb_c_init_tables()
Move timefilter code from lavf to lavd.
mov: add support for hdvd and pgapmetadata atoms
mov: rename function _stik, some indentation cosmetics
mov: rename function _int8 to remove ambiguity, some indentation cosmetics
mov: parse the gnre atom
mp3on4: check for allocation failures in decode_init_mp3on4()
mp3on4: create a separate flush function for MP3onMP4.
mp3on4: ensure that the frame channel count does not exceed the codec channel count.
mp3on4: set channel layout
mp3on4: fix the output channel order
mp3on4: allocate temp buffer with av_malloc() instead of on the stack.
mp3on4: copy MPADSPContext from first context to all contexts.
fmtconvert: port float_to_int16_interleave() 2-channel x86 inline asm to yasm
fmtconvert: port int32_to_float_fmul_scalar() x86 inline asm to yasm
...
Conflicts:
libavcodec/arm/h264dsp_init_arm.c
libavcodec/h264.c
libavcodec/h264.h
libavcodec/h264_cabac.c
libavcodec/h264_cavlc.c
libavcodec/h264_ps.c
libavcodec/h264dsp_template.c
libavcodec/h264idct_template.c
libavcodec/h264pred.c
libavcodec/h264pred_template.c
libavcodec/x86/h264dsp_mmx.c
libavdevice/Makefile
libavdevice/jack_audio.c
libavformat/Makefile
libavformat/flvdec.c
libavformat/flvenc.c
libavutil/pixfmt.h
libswscale/utils.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (23 commits)
fix AC3ENC_OPT_MODE_ON/OFF
h264: fix HRD parameters parsing
prores: implement multithreading.
prores: idct sse2/sse4 optimizations.
swscale: use aligned move for storage into temporary buffer.
prores: extract idct into its own dspcontext and merge with put_pixels.
h264: fix invalid shifts in init_cavlc_level_tab()
intfloat_readwrite: fix signed addition overflows
mov: do not misreport empty stts
mov: cosmetics, fix for and if spacing
id3v2: fix NULL pointer dereference
mov: read album_artist atom
mov: fix disc/track numbers and totals
doc: fix references to obsolete presets directories for avconv/ffmpeg
flashsv: return more meaningful error value
flashsv: fix typo in av_log() message
smacker: validate channels and sample format.
smacker: check buffer size before reading output size
smacker: validate number of channels
smacker: Separate audio flags from sample rates in smacker demuxer.
...
Conflicts:
cmdutils.h
doc/ffmpeg.texi
libavcodec/Makefile
libavcodec/motion_est_template.c
libavformat/id3v2.c
libavformat/mov.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The bit_rate_value_minus1 and cpb_size_value_minus1 elements
allow a wider range than get_ue_golomb() supports. This
adds a get_ue_golomb_long() function supporting up to 31
leading zeros, which is the maximum for these syntax
elements, and uses it in decode_hrd_parameters().
Signed-off-by: Mans Rullgard <mans@mansr.com>
The PPS may contain a few trailing elements whose presence is
only signalled by data remaining after the the mandatory part
has been parsed. The current code fails to take into account
the rbsp_trailing_bits() when deciding whether to parse these
optional elements. Assuming no unnecessary padding bytes are
passed to this function, the optional elements are present if
either more than 8 extra bits remain or the remaining bits do
not form a valid rbsp_trailing_bits() after the mandatory PPS
elements have been parsed.
Signed-off-by: Mans Rullgard <mans@mansr.com>
This patch set the limit to 16.
For information, thoses previous commits:
41f7e2d11d5cbb0e70a0
assumed it was either 30 or 32.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This fixes ticket #348 for the few users who have a playback application
that supports Sisvel 3D. The other 99% have to wait until FFmpeg
supports arbitrary cropping.