The value should be always 3, as it follows from the specification.
Fix a stack buffer overflow in exponents_from_scale_factors as reported
by asan. Thanks to Dale Curtis for the sample vector.
I was sadly unable to find a non fuzzed mp3 that uses the
feature that contained the bug (and i searched hard ...), thus
while this fixes the security issue. It may or may not fix
mixed blocks in 8khz mp3s, i cant say due to lack of samples to test.
Security issue exists since: b37d945dd4
Reported-by: Dale Curtis <dalecurtis@google.com>
(Probably) Found-by: inferno@chromium.org
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (23 commits)
build: cosmetics: Reorder some lists in a more logical fashion
x86: pngdsp: Fix assembly for OS/2
fate: add test for RTjpeg in nuv with frameheader
rtmp: send check_bw as notification
g723_1: clip argument for 15-bit version of normalize_bits()
g723_1: use all LPC vectors in formant postfilter
id3v2: Support v2.2 PIC
avplay: fix build with lavfi disabled.
avconv: split configuring filter configuration to a separate file.
avconv: split option parsing into a separate file.
mpc8: do not leave padding after last frame in buffer for the next decode call
mpegaudioenc: list supported channel layouts.
mpegaudiodec: don't print an error on > 1 frame in a packet.
api-example: update to new audio encoding API.
configure: add --enable/disable-random option
doc: cygwin: Update list of FATE package requirements
build: Remove all installed headers and header directories on uninstall
build: change checkheaders to use regular build rules
rtmp: Add a new option 'rtmp_subscribe'
rtmp: Add support for subscribing live streams
...
Conflicts:
Makefile
common.mak
configure
doc/examples/decoding_encoding.c
ffmpeg.c
libavcodec/g723_1.c
libavcodec/mpegaudiodec.c
libavcodec/x86/pngdsp.asm
libavformat/version.h
library.mak
tests/fate/video.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
The assert can be false with some invalid inputs, the check is
too expensive to always do though for just a warning message.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
MP3 fixed and floating point decoders are optimized
for MIPS architecture.
Signed-off-by: Nedeljko Babic <nbabic@mips.com>
Reviewed-by: Vitor Sessak <vitor1001@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
indeo: Make ivi_calc_band_checksum() static, it is only used in one file.
indeo: Drop unused debug function ivi_check_band().
avcodec/utils: cast a function argument to shut up a compiler warning
truemotion1: remove disabled code
fix typo in comment
fate: fix dependencies for non-SAMPLES avconv tests
indeo: check for invalid motion vectors
indeo: check that band output buffer exists
indeo: clear allocated band buffers
indeo: track tile macroblock size
indeo: check custom Huffman tables for errors
factor out common decoding code for Indeo 4 and Indeo 5
mp3: fix start band index for block type 2 in 8kHz audio
lavf: change some (de)muxer names to lowercase
lavf: make output format matching case insensitive
Conflicts:
libavcodec/indeo4.c
libavcodec/indeo5.c
libavcodec/ivi_common.c
libavcodec/utils.c
tests/fate/video.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In hybrid frames long window part ends at 36 samples for most of the cases
but at 72 for 8kHz case. For some reason decoder assumed it's 48 or even 36
samples, which caused wrong bitstream decoding for such blocks.
l3_25207.mpg from conformance suite demonstrates it the best.
* qatar/master:
ppc: drop unused function dct_quantize_altivec()
mpegaudiodec: Do not discard mp_decode_frame() return value.
matroska: do not set invalid default duration if frame rate is zero
mkv: use av_reduce instead of av_d2q for framerate estimation
mkv: report average framerate as minimal as well
avcodec_string: Favor AVCodecContext.codec over the default codec.
cook: Make constants passed to AV_BE2NE32C() unsigned to avoid signed overflow.
Conflicts:
libavcodec/cook.c
libavcodec/ppc/mpegvideo_altivec.c
libavcodec/utils.c
libavformat/matroskadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
mp3dec: perform I/S and M/S only when frame mode is joint stereo.
id3v2: add another mimetype for JPEG image
lzw: prevent buffer overreads.
WMAL: Remove inaccurate and unnecessary doxy
h264: fix cabac-on-stack after safe cabac reader.
truemotion2: convert packet header reading to bytestream2.
Conflicts:
libavcodec/lzw.c
libavcodec/truemotion2.c
libavformat/id3v2.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Looks like some LAME versions produce dual stereo mode MP3s with
flags for intensity and middle stereo set. In this mode those flags
should be ignored like the reference decoder and derived ones do.
* qatar/master:
asf: only set index_read if the index contained entries.
cabac: add overread protection to BRANCHLESS_GET_CABAC().
cabac: increment jump locations by one in callers of BRANCHLESS_GET_CABAC().
cabac: remove unused argument from BRANCHLESS_GET_CABAC_UPDATE().
cabac: use struct+offset instead of memory operand in BRANCHLESS_GET_CABAC().
h264: add overread protection to get_cabac_bypass_sign_x86().
h264: reindent get_cabac_bypass_sign_x86().
h264: use struct offsets in get_cabac_bypass_sign_x86().
h264: fix overreads in cabac reader.
wmall: fix seeking.
lagarith: fix buffer overreads.
dvdec: drop unnecessary dv_tablegen.h #include
build: fix doc generation errors in parallel builds
Replace memset(0) by zero initializations.
faandct: Remove FAAN_POSTSCALE define and related code.
dvenc: print allowed profiles if the video doesn't conform to any of them.
avcodec_encode_{audio,video}: only reallocate output packet when it has non-zero size.
FATE: add a test for vp8 with changing frame size.
fate: add kgv1 fate test.
oggdec: calculate correct timestamps in Ogg/FLAC
Conflicts:
libavcodec/4xm.c
libavcodec/cook.c
libavcodec/dvdata.c
libavcodec/dvdsubdec.c
libavcodec/lagarith.c
libavcodec/lagarithrac.c
libavcodec/utils.c
tests/fate/video.mak
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (27 commits)
cmdutils: use new avcodec_is_decoder/encoder() functions.
lavc: make codec_is_decoder/encoder() public.
lavc: deprecate AVCodecContext.sub_id.
libcdio: add a forgotten AVClass to the private context.
swscale: remove "cpu flags" from -sws_flags description.
proresenc: give user a possibility to alter some encoding parameters
vorbisenc: add output buffer overwrite protection
libopencore-amrnbenc: fix end-of-stream handling
ra144enc: fix end-of-stream handling
nellymoserenc: zero any leftover packet bytes
nellymoserenc: use proper MDCT overlap delay
qpeg: Use bytestream2 functions to prevent buffer overreads.
swscale: make %rep unconditional.
vp8: convert simple loopfilter x86 assembly to use named arguments.
vp8: convert idct x86 assembly to use named arguments.
vp8: convert mc x86 assembly to use named arguments.
vp8: convert loopfilter x86 assembly to use cpuflags().
vp8: convert idct/mc x86 assembly to use cpuflags().
swscale: remove now unnecessary hack.
x86inc: don't "bake" stack_offset in named arguments.
...
Conflicts:
cmdutils.c
doc/APIchanges
libavcodec/mpeg12.c
libavcodec/options.c
libavcodec/qpeg.c
libavcodec/utils.c
libavcodec/version.h
libavdevice/libcdio.c
tests/lavf-regression.sh
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In most places where it's used, it's as a pointless write-only field.
Only rv10 decoder actually reads from it, but it stores some internal
version info in it. There is no reason for it to be in a public field.
It appears there are corner cases with damaged input that can lead
to small overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Code ported from qatar/master, please see there for per line authorship.
Main authors AFAIK are Ronald and Justin. I have no authorship on this.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master: (58 commits)
amrnbdec: check frame size before decoding.
cscd: use negative error values to indicate decode_init() failures.
h264: prevent overreads in intra PCM decoding.
FATE: do not decode audio in the nuv test.
dxa: set audio stream time base using the sample rate
psx-str: do not allow seeking by bytes
asfdec: Do not set AVCodecContext.frame_size
vqf: set packet parameters after av_new_packet()
mpegaudiodec: use DSPUtil.butterflies_float().
FATE: add mp3 test for sample that exhibited false overreads
fate: add cdxl test for bit line plane arrangement
vmnc: return error on decode_init() failure.
libvorbis: add/update error messages
libvorbis: use AVFifoBuffer for output packet buffer
libvorbis: remove unneeded e_o_s check
libvorbis: check return values for functions that can return errors
libvorbis: use float input instead of s16
libvorbis: do not flush libvorbis analysis if dsp state was not initialized
libvorbis: use VBR by default, with default quality of 3
libvorbis: fix use of minrate/maxrate AVOptions
...
Conflicts:
Changelog
doc/APIchanges
libavcodec/avcodec.h
libavcodec/dpxenc.c
libavcodec/libvorbis.c
libavcodec/vmnc.c
libavformat/asfdec.c
libavformat/id3v2enc.c
libavformat/internal.h
libavformat/mp3enc.c
libavformat/utils.c
libavformat/version.h
libswscale/utils.c
tests/fate/video.mak
tests/ref/fate/nuv
tests/ref/fate/prores-alpha
tests/ref/lavf/ffm
tests/ref/vsynth1/prores
tests/ref/vsynth2/prores
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
docs: use -bsf:[vas] instead of -[vas]bsf.
mpegaudiodec: Prevent premature clipping of mp3 input buffer.
lavf: move the packet keyframe setting code.
oggenc: free comment header for all codecs
lcl: error out if uncompressed input buffer is smaller than framesize.
mjpeg: abort decoding if packet is too large.
golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.
get_bits: add HAVE_BITS_REMAINING macro.
lavf/output-example: use new audio encoding API correctly.
lavf/output-example: more proper usage of the new API.
tiff: Prevent overreads in the type_sizes array.
tiff: Make the TIFF_LONG and TIFF_SHORT types unsigned.
apetag: do not leak memory if avio_read() fails
apetag: propagate errors.
SBR DSP x86: implement SSE sbr_hf_g_filt
SBR DSP x86: implement SSE sbr_sum_square_sse
SBR DSP: use intptr_t for the ixh parameter.
Conflicts:
doc/bitstream_filters.texi
doc/examples/muxing.c
doc/ffmpeg.texi
libavcodec/golomb.h
libavcodec/x86/Makefile
libavformat/oggenc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Instead of clipping extrasize based on EXTRABYTES, clip based on the
amount of buffer actually left. Without this fix, there are warbles
and other distortions in the test case below.
http://kevincennis.com/mix/assets/sounds/1901_voxfx.mp3
* qatar/master:
mov: Use defines for sample flags in fragments
mov: Use defines for trun flags
mov: Use defines for tfhd flags
proresenc: force bitrate not to exceed given limit
vc1parse: call vc1_init_common().
wma: don't return 0 on invalid packets.
asf: prevent packet_size_left from going negative if hdrlen > pktlen.
mjpegb: don't return 0 at the end of frame decoding.
rtpdec: Identify incorrectly signalled H263
vp8dsp: split long line.
aiff: don't skip block_align==0 check on COMM-after-SSND files.
dpcm: ignore extra unpaired bytes in stereo streams.
mp3on4: require a minimum framesize.
mpc7: assign an error level + context to av_log() msg.
huffyuv: error out on bit overrun.
dct-test: Add the missing ff_ prefix to the altivec functions
dct-test: Remove a stray declaration of a nonexistent function
movenc: Write the unknown duration as 64 bit fields in ismv
movenc: Write track durations with all bits set if duration is unknown
Conflicts:
libavcodec/dct-test.c
libavcodec/wmadec.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
If bufsize < headersize, init_get_bits() will be called with a negative
number, causing it to fail and any subsequent call to get_bits() will
crash because it reads from a NULL pointer.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
* qatar/master: (29 commits)
fate: add golomb-test
golomb-test: K&R formatting cosmetics
h264: Split h264-test off into a separate file - golomb-test.c.
h264-test: cleanup: drop timer invocations, commented out code and other cruft
h264-test: Remove unused DSP and AVCodec contexts and related init calls.
adpcm: Add missing stdint.h #include to fix standalone header compilation.
lavf: add functions for accessing the fourcc<->CodecID mapping tables.
lavc: set AVCodecContext.codec in avcodec_get_context_defaults3().
lavc: make avcodec_close() work properly on unopened codecs.
lavc: add avcodec_is_open().
lavf: rename AVInputFormat.value to raw_codec_id.
lavf: remove the pointless value field from flv and iv8
lavc/lavf: remove unnecessary symbols from the symbol version script.
lavc: reorder AVCodec fields.
lavf: reorder AVInput/OutputFormat fields.
mp3dec: Fix a heap-buffer-overflow
adpcmenc: remove some unneeded casts
adpcmenc: use int16_t and uint8_t instead of short and unsigned char.
adpcmenc: fix adpcm_ms extradata allocation
adpcmenc: return proper AVERROR codes instead of -1
...
Conflicts:
doc/APIchanges
libavcodec/Makefile
libavcodec/adpcmenc.c
libavcodec/avcodec.h
libavcodec/h264.c
libavcodec/libavcodec.v
libavcodec/mpc7.c
libavcodec/mpegaudiodec.c
libavcodec/options.c
libavformat/Makefile
libavformat/avformat.h
libavformat/flvdec.c
libavformat/libavformat.v
Merged-by: Michael Niedermayer <michaelni@gmx.at>
In some cases, what is left to read from ptr is smaller than EXTRABYTES.
Based on a patch by Thierry Foucu <tfoucu@gmail.com>.
Signed-off-by: Alex Converse <alex.converse@gmail.com>
* qatar/master:
rtpdec: Use our own SSRC in the SDES field when sending RRs
Finalize changelog for 0.8 Release
Prepare for 0.8 Release
threads: change the default for threads back to 1
threads: update slice_count and slice_offset from user context
aviocat: Remove useless includes
doc/APIChanges: fill in missing dates and hashes
Revert "avserver: fix build after the next bump."
mpegaudiodec: switch error detection check to AV_EF_BUFFER
lavf: rename fer option and document resulting (f_)err_detect options
lavc: rename err_filter option to err_detect and document it
mpegvideo: fix invalid memory access for small video dimensions
movenc: Reorder entries in the MOVIentry struct, for tigheter packing
rtsp: Remove extern declarations for variables that don't exist
aviocat: Flush the output before closing
Conflicts:
Changelog
RELEASE
libavcodec/mpegaudiodec.c
libavcodec/pthread.c
libavformat/options.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
fate: Add tests for more AAC features.
aacps: Add missing newline in error message.
fate: Add tests for vc1/wmapro in ism.
aacdec: Add a fate test for 5.1 channel SBR.
aacdec: Turn off PS for multichannel files that use PCE based configs.
cabac: remove put_cabac_u/ueg from cabac-test.
swscale: RGB4444 and BGR444 input
FATE: add test for xWMA demuxer.
FATE: add test for SMJPEG demuxer and associated IMA ADPCM audio decoder.
mpegaudiodec: optimized iMDCT transform
mpegaudiodec: change imdct window arrangment for better pointer alignment
mpegaudiodec: move imdct and windowing function to mpegaudiodsp
mpegaudiodec: interleave iMDCT buffer to simplify future SIMD implementations
swscale: convert yuy2/uyvy/nv12/nv21ToY/UV from inline asm to yasm.
FATE: test to exercise WTV demuxer.
mjpegdec: K&R formatting cosmetics
swscale: K&R formatting cosmetics for code examples
swscale: K&R reformatting cosmetics for header files
FATE test: cvid-grayscale; ensures that the grayscale Cinepak variant is exercised.
Conflicts:
libavcodec/cabac.c
libavcodec/mjpegdec.c
libavcodec/mpegaudiodec.c
libavcodec/mpegaudiodsp.c
libavcodec/mpegaudiodsp.h
libavcodec/mpegaudiodsp_template.c
libavcodec/x86/Makefile
libavcodec/x86/imdct36_sse.asm
libavcodec/x86/mpegaudiodec_mmx.c
libswscale/swscale-test.c
libswscale/swscale.c
libswscale/swscale_internal.h
libswscale/x86/swscale_template.c
tests/fate/demux.mak
tests/fate/microsoft.mak
tests/fate/video.mak
tests/fate/wma.mak
tests/ref/lavfi/pixfmts_scale
Merged-by: Michael Niedermayer <michaelni@gmx.at>