diff -Nru ffmpeg-4.4/Changelog ffmpeg-4.4.2/Changelog --- ffmpeg-4.4/Changelog 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/Changelog 2022-04-14 21:13:48.000000000 +0100 @@ -1,7 +1,311 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. -version : +version 4.4.2: +- fate: update reference files after the recent dash manifest muxer changes +- avformat/webmdashenc: fix on-demand profile string +- Update for FFmpeg 4.4.2 +- avcodec/exr: Avoid signed overflow in displayWindow +- avcodec/diracdec: avoid signed integer overflow in global mv +- avcodec/takdsp: Fix integer overflow in decorrelate_sf() +- avcodec/apedec: fix a integer overflow in long_filter_high_3800() +- avfilter/vf_subtitles: pass storage size to libass +- avformat/aqtitledec: Skip unrepresentable durations +- avformat/cafdec: Do not store empty keys in read_info_chunk() +- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing +- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() +- avformat/mxfdec: Check count in mxf_read_strong_ref_array() +- avformat/hls: Check target_duration +- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() +- avformat/matroskadec: Check pre_ns +- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior +- avcodec/libuavs3d: Check ff_set_dimensions() for failure +- avcodec/mjpegbdec: Set buf_size +- avformat/matroskadec: Use rounded down duration in get_cue_desc() check +- avcodec/argo: Check packet size +- avcodec/g729_parser: Check channels +- avformat/avidec: Check height +- avformat/rmdec: Better duplicate tags check +- avformat/mov: Disallow empty sidx +- avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer() +- avformat/matroskadec: Check duration +- avformat/mov: Corner case encryption error cleanup in mov_read_senc() +- avcodec/jpeglsdec: Fix if( code style +- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error +- avcodec/motion_est: fix indention of ff_get_best_fcode() +- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() +- avformat/hls: Use unsigned for iv computation +- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned +- avformat/matroskadec: Check desc_bytes +- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() +- avformat/matroskadec: Fix infinite loop with bz decompression +- avformat/mov: Check size before subtraction +- avcodec/cfhd: Avoid signed integer overflow in coeff +- avcodec/apedec: Fix integer overflows in predictor_update_3930() +- avcodec/apedec: fix integer overflow in 8bit samples +- avformat/flvdec: timestamps cannot use the full int64 range +- avcodec/tiff: Remove messing with jpeg context +- avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions +- avcodec/tiff: Pass max_pixels to mjpeg context +- avcodec/vqavideo: reset accounting on error +- avcodec/alacdsp: fix integer overflow in decorrelate_stereo() +- avformat/4xm: Check for duplicate track ids +- avformat/4xm: Consider max_streams on reallocating tracks array +- avformat/mov: Check next offset in mov_read_dref() +- avformat/vivo: Favor setting fps from explicit fractions +- avformat/vivo: Do not use the general expression evaluator for parsing a floating point value +- avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() +- avcodec/apedec: Change avg to uint32_t +- avformat/mxfdec: Check component_depth in mxf_get_color_range() +- avformat/mov: Disallow duplicate smdm +- avformat/mov: Check for EOF in mov_read_glbl() +- avcodec/vp3: Check version in all cases when VP4 code is not built +- avformat/mov: Check channels for mov_parse_stsd_audio() +- avformat/avidec: Check read_odml_index() for failure +- avformat/aiffdec: Use av_rescale() for bitrate +- avformat/aiffdec: sanity check block_align +- avformat/aiffdec: Check sample_rate +- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure +- avcodec/zmbvenc: Fix memleak upon init error +- avcodec/dnxhdenc: Fix segfault when using too many slice threads +- avcodec/wma(dec|enc): Fix memleaks upon allocation error +- avfilter/avfilter: Actually error out on init error +- avcodec/opus_silk: Remove wrong size information in function declaration +- avformat/omadec: Don't output uninitialized values +- avformat/jacosubenc: Fix writing extradata +- avformat/cafenc: Fix memleak when trailer is never written +- avformat/cafenc: Don't segfault upon allocation error +- avformat/cafenc: Fix potential integer overflow +- avformat/movenc: Limit ism_lookahead to a sane value +- avutil/utils: Remove racy check from avutil_version() +- avformat/sccdec: Don't use uninitialized data, fix crash, simplify logic +- avformat/subtitles: Honour ff_subtitles_read_line() documentation +- avformat/tee: Fix leak of FIFO-options dictionary +- avformat/tee: Fix leak of strings +- avcodec/rasc: Fix potential use of uninitialized value +- avfilter/vf_w3fdif: Fix segfault on allocation error +- avfilter/af_surround: Fix memleaks upon allocation error +- avfilter/af_vibrato: Fix segfault upon allocation error +- avfilter/aeval: Fix leak of expressions upon reallocation error +- avdevice/xv: Increase array size +- avfilter/asrc_flite: Fix use-after-frees +- avfilter/asrc_flite: Don't segfault when using list_voices option +- Revert "avfilter/vf_idet: reduce noisyness if the filter has been auto inserted" +- avformat/matroskadec: Don't unnecessarily reduce aspect ratio +- avcodec/h263: Fix global-buffer-overflow with noout flag2 set +- avcodec/vaapi_encode: Fix segfault upon closing uninitialized encoder +- avcodec/movtextenc: Fix infinite loop due to variable truncation +- avcodec/libopenh264dec: Increase array sizes, fix stack-buffer overread +- avcodec/libkvazaar: Increase array size +- avformat/aadec: Don't use the same loop counter in inner and outer loop +- avformat/moflex: Don't use uninitialized timebase for data stream +- lavf/udp: do not return an uninitialized value from udp_open() +- avcodec/nvenc: zero-initialize NV_ENC_REGISTER_RESOURCE struct +- configure: Add missing libshine->mpegaudioheader dependency +- avcodec/Makefile: Add missing entry for ADPCM_IMA_AMV_ENCODER +- avcodec/Makefile: Only compile nvenc.o if needed +- avcodec/av1_vaapi: improve decode quality +- avcodec/av1_vaapi: enable segmentation features +- avcodec/av1_vaapi: setting 2 output surface for film grain +- avcodec/vaapi: increase av1 decode pool size +- avcodec/dxva2_av1: fix global motion params +- avcodec/av1_vaapi: add gm params valid check +- avcodec/av1dec: support setup shear process +- avcodec/av1: extend some definitions in spec section 3 +- cbs_av1: fix incorrect data type +- avcodec/libdav1d: let libdav1d choose optimal max frame delay +- avcodec/libdav1d: pass auto threads value to libdav1d + +version 4.4.1: +- avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE +- avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() +- avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results +- avcodec/utils: Ensure 8x8 alignment for ARGO in avcodec_align_dimensions2() +- avformat/matroskadec: Reset state also on failure in matroska_reset_status() +- avformat/wavdec: Check smv_block_size +- avformat/rmdec: Check for multiple audio_stream_info +- avcodec/apedec: Use 64bit to avoid overflow +- avcodec/apedec: Fix undefined integer overflow in long_filter_ehigh_3830() +- oavformat/avidec: Check offset in odml +- avformat/mpegts: use actually read packet size in mpegts_resync special case +- fftools/ffmpeg: Fix crash when flushing non-fully setup output stream +- avfilter/scale_npp: fix non-aligned output frame dimensions +- Revert "avformat/hlsenc: compute video_keyframe_size after write keyframe" +- Changelog: update +- swscale/alphablend: Fix slice handling +- avcodec/apedec: Fix integer overflow in filter_fast_3320() +- avformat/mov: Fix last mfra check +- avcodec/mxpegdec: Check for AVDISCARD_ALL +- avcodec/flicvideo: Check remaining bytes in FLI*COPY +- avcodec/utils: ARGO writes 4x4 blocks without regard to the image dimensions +- avcodec/cbs_h265_syntax_template: Limit sps_num_palette_predictor_initializer_minus1 to 127 +- avcodec/snowdec: Maintain avmv buffer +- avcodec/mpeg12dec: Do not put mpeg_f_code into an invalid state on error return +- avcodec/mpegvideo_enc: Limit bitrate tolerance to the representable +- avcodec/apedec: Fix integer overflow in intermediate +- avformat/mvdec: Do not set invalid sample rate +- avformat/sbgdec: Check for t0 overflow in expand_tseq() +- avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4 +- avformat/sbgdec: Check opt_duration and start for overflow +- avcodec/exr: Fix undefined integer multiplication +- avformat/mov: Check for duplicate clli +- avformat/utils: Ignore negative duration in codec_info_duration computation +- avformat/jacosubdec: Check for min in t overflow in get_shift() +- avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet() +- (origin/release/4.4) avcodec/wmadec: handle run_level_decode error +- avcodec/wma: Return specific error code +- avcodec/dxva2_av1: fix superres_denom parameter +- avcodec/libdav1d: fix compilation after recent libdav1d API changes +- Changelog: update +- avcodec/utils: don't return negative values in av_get_audio_frame_duration() +- avcodec/jpeg2000dec: Check that atom header is within bytsetream +- avcodec/apedec: Fix 2 integer overflows in filter_3800() +- avcodec/xpmdec: Move allocations down after more error checks +- avcodec/argo: Move U, fix shift +- avformat/mov: Check dts for overflow in mov_read_trun() +- avformat/avidec: Use 64bit for frame number in odml index parsing +- avcodec/mjpegbdec: Skip SOS on AVDISCARD_ALL as does mjpeg +- avcodec/mjpegdec: Check for bits left in mjpeg_decode_scan_progressive_ac() +- avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata +- avcodec/webp: Check available space in loop in decode_entropy_coded_image() +- avcodec/h264dec: use picture parameters in ff_print_debug_info2() +- avcodec/vc1dec: ff_print_debug_info() does not support WMV3 field_mode +- avcodec/frame_thread_encoder: Free AVCodecContext structure on error during init +- avcodec/faxcompr: Check for end of input in cmode == 1 in decode_group3_2d_line() +- avcodec/vc1dec: Disable error concealment for *IMAGE +- avcodec/sbrdsp_fixed: Fix negation overflow in sbr_neg_odd_64_c() +- avcodec/argo: Check for even dimensions +- avformat/wtvdec: Check for EOF before seeking back in parse_media_type() +- avformat/mpc8: Check first keyframe position for overflow +- avcodec/exr: Check ac_count +- avformat/wavdec: Use 64bit in new_pos computation +- avformat/sbgdec: Check for overflow in timestamp preparation +- avformat/dsicin: Check packet size for overflow +- avformat/dsfdec: Change order of operations in bitrate computation +- avformat/bfi: check nframes +- avformat/avidec: fix position overflow in avi_load_index() +- avformat/asfdec_f: Check sizeX against padding +- avformat/aiffdec: Check for size overflow in header parsing +- avcodec/aaccoder: Add minimal bias in search_for_ms() +- avformat/mov: Fix incorrect overflow detection in mov_read_sidx() +- avformat/mov: Avoid undefined overflow in time_offset calculation +- avfilter/af_drmeter: Check that there is data +- avfilter/vf_fftdnoiz: Use lrintf() in export_row8() +- avfilter/vf_mestimate: Check b_count +- avformat/mov: do not ignore errors in mov_metadata_hmmt() +- avformat/mxfdec: Check size for shrinking +- avcodec/dnxhddec: check and propagate function return value +- swscale/slice: Fix wrong return on error +- avcodec/aacdec_template: Avoid some invalid values to be set by decode_audio_specific_config_gb() +- swscale/slice: Check slice for allocation failure +- avformat/matroskadec: Fix handling of huge default durations +- avcodec/lpc: check for zero err in normalization in compute_lpc_coefs() +- avcodec/j2kenc: Check for av_strtok() failure +- avformat/ftp: Check for av_strtok() failure +- tools/cws2fws: Check read() for failure +- avcodec/cpia: Fix missing src_size update +- avcodec/exr: Better size checks +- avcodec/clearvideo: Check tile_size to be not too large +- avcodec/utils: Use 64bit for intermediate in AV_CODEC_ID_ADPCM_THP* duration calculation +- avformat/aaxdec: Check avio_seek() in header reading +- avcodec/hevc_sei: Use get_bits_long() for time_offset_value +- avformat/rmdec: Check old_format len for overflow +- avformat/realtextdec: Check the pts difference before using it for the duration computation +- avformat/qcp: Avoid negative nb_rates +- avformat/pp_bnk: Use 64bit in bitrate computation +- avformat/nutdec: Check tmp_size +- avformat/msf: Check that channels doesnt overflow during extradata construction +- avformat/subtitles: Check pts difference before use +- avformat/mpc8: Check for position overflow in mpc8_handle_chunk() +- avformat/mccdec: Fix overflows in num/den +- avformat/iff: Use 64bit in duration computation +- avformat/dxa: Check fps to be within the supported range more precissely +- avcodec/iff: Only write palette to plane 1 if its PAL8 +- avformat/tta: Check for EOF in index reading loop +- avfilter/vf_scale: set the RGB matrix coefficients in case of RGB +- avfilter/vf_scale: reset color matrix in case of identity & non-RGB +- ffmpeg: fix order between field order autodetection and override +- avcodec/h264_slice: clear old slice POC values on parsing failure +- avfilter/f_metadata: do not return the frame early if there is no metadata +- ffbuild: Avoid using the --preprocessor argument to windres +- avcodec/crystalhd: signal that the decoder sets all output frame properties +- avcodec/cuviddec: signal that the decoder sets all output frame properties +- avcodec/decode: reindent after the previous commit +- avcodec/decode: add an internal codec flag to signal a decoder sets all output frame properties +- avcodec/decode: fetch packets from the pkt_props FIFO on every frame returned +- Update missed irc links +- avformat/rpl: The associative law doesnt hold for signed integers in C +- avcodec/faxcompr: Check available bits in decode_uncompressed() +- avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10 +- avformat/utils: Avoid overflow in codec_info_duration computation for subtitles +- avformat/utils: check dts/duration to be representable before using them +- avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit +- avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1 +- avformat/mov: Check for duplicate mdcv +- avfilter/vf_dctdnoiz: Check threads +- avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black +- avcodec/dpx: fix off by 1 in bits_per_color check +- avformat/rpl: Check for EOF and zero framesize +- avcodec/vc2enc: Check for non negative slice bounds +- avformat/rpl: Use 64bit in bitrate computation and check it +- avcodec/mpegvideo_enc: Reset stuffing bits if they are not supported +- avcodec/svq1enc: Do not print debug RD value before it has been computed +- avcodec/aacpsy: Check bandwidth +- avcodec/aacenc: Do not divide by lambda_count if it is 0 +- avcodec/aacenc: Use FLT_EPSILON for lambda minimum +- avfilter/vf_yadif: Fix handing of tiny images +- avfilter/vf_vmafmotion: Check dimensions +- avformat/movenc: Check pal_size before use +- avcodec/lpc: Avoid floating point division by 0 +- avcodec/aacpsy: Avoid floating point division by 0 of norm_fac +- avcodec/aacenc: Avoid 0 lambda +- avcodec/exr: More strictly check dc_count +- avcodec/exr: x/ymax cannot be INT_MAX +- avformat/avio: Check av_opt_copy() for failure +- avformat/moflex: Remove unneeded format variable +- avformat/fifo: check for flushed packets and timeshift +- avcodec/clearvideo: Check for 0 tile_shift +- avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header() +- avformat/mov: Ignore duplicate CoLL +- avformat/mov: Limit nb_chapter_tracks to input size +- avformat/utils: Use 64bit earlier in r_frame_rate check +- avcodec/alsdec: Fix decoding error with mono audio files +- avformat/mvdec: Check sample rate in parse_audio_var() +- avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line() +- avcodec/utils: treat PAL8 for jpegs similar to other colorspaces +- avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent +- avformat/asfdec_o: Use ff_get_extradata() +- avformat/id3v2: Check end for overflow in id3v2_parse() +- avformat/mxfdec: Fix file position addition +- avformat/wtvdec: Improve size overflow checks in parse_chunks() +- avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line() +- avformat/mov: check for pts overflow in mov_read_sidx() +- avcodec/utils: Check ima wav duration for overflow +- avcodec/rv10: Execute whole size check earlier for rv20 +- avformat/cafdec: Check channels +- avcodec/exr: increase vlc depth +- avcodec/dpx: Check bits_per_color earlier +- avformat/mvi: Check audio_data_size to be non negative +- avcodec/nvenc: disable s12m timestamps by default +- aarch64: hevc_idct: Fix overflows in idct_dc +- avcodec/vaapi_av1: pass full buffer size for each tile +- avcodec/videotoolboxenc: #define TARGET_CPU_ARM64 to 0 if not provided by the SDK +- lavc/pngdec: fix updating reference frames for APNG_DISPOSE_OP_BACKGROUND +- ffmpeg: return no chosen output if an uninitialized stream is unavailable +- avcodec/h263, h263data: Move ff_h263_init_rl_inter to h263.c +- configure: Add missing mpegvideo dependency for IPU decoder +- avcodec/ttmlenc: Don't confuse capabilities and caps_internal +- avformat/mpegts: add missing sample_rate value to Opus extradata +- avformat/movenc: fix writing dOps atoms +- avcodec/av1_metadata: don't store the inserted TD OBU in stack +- avcodec/nellymoserenc: Fix segfault when using unsupported channels/rate +- avutil/cpu: Use HW_NCPUONLINE to detect # of online CPUs with OpenBSD +- avcodec/nvenc: fix lossless tuning logic +- avfilter/overlay_cuda: check av_buffer_ref result +- avfilter/overlay_cuda: hold explicit reference to hw_device_ctx +- avformat/matroskaenc: Fix leak when writing attachment without filename + +version 4.4: - AudioToolbox output device - MacCaption demuxer - PGX decoder diff -Nru ffmpeg-4.4/configure ffmpeg-4.4.2/configure --- ffmpeg-4.4/configure 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/configure 2022-04-14 21:13:38.000000000 +0100 @@ -536,7 +536,7 @@ If you think configure made a mistake, make sure you are using the latest version from Git. If the latest version fails, report the problem to the -ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net. +ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat. EOF if disabled logging; then cat < Wed, 18 May 2022 23:03:21 +0100 + ffmpeg (7:4.4-6ubuntu5) impish; urgency=medium * Add upstream-proposed patch to fix gcc-11 armhf failure diff -Nru ffmpeg-4.4/doc/Doxyfile ffmpeg-4.4.2/doc/Doxyfile --- ffmpeg-4.4/doc/Doxyfile 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/doc/Doxyfile 2022-04-14 21:13:48.000000000 +0100 @@ -38,7 +38,7 @@ # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.4 +PROJECT_NUMBER = 4.4.2 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff -Nru ffmpeg-4.4/doc/writing_filters.txt ffmpeg-4.4.2/doc/writing_filters.txt --- ffmpeg-4.4/doc/writing_filters.txt 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/doc/writing_filters.txt 2021-10-24 21:47:11.000000000 +0100 @@ -418,4 +418,4 @@ When all of this is done, you can submit your patch to the ffmpeg-devel mailing-list for review. If you need any help, feel free to come on our IRC -channel, #ffmpeg-devel on irc.freenode.net. +channel, #ffmpeg-devel on irc.libera.chat. diff -Nru ffmpeg-4.4/ffbuild/common.mak ffmpeg-4.4.2/ffbuild/common.mak --- ffmpeg-4.4/ffbuild/common.mak 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/ffbuild/common.mak 2022-04-14 21:13:38.000000000 +0100 @@ -90,7 +90,7 @@ -$(if $(ASMSTRIPFLAGS), $(STRIP) $(ASMSTRIPFLAGS) $@) %.o: %.rc - $(WINDRES) $(IFLAGS) --preprocessor "$(DEPWINDRES) -E -xc-header -DRC_INVOKED $(CC_DEPFLAGS)" -o $@ $< + $(WINDRES) $(IFLAGS) $(foreach ARG,$(CC_DEPFLAGS),--preprocessor-arg "$(ARG)") -o $@ $< %.i: %.c $(CC) $(CCFLAGS) $(CC_E) $< diff -Nru ffmpeg-4.4/fftools/ffmpeg.c ffmpeg-4.4.2/fftools/ffmpeg.c --- ffmpeg-4.4/fftools/ffmpeg.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/fftools/ffmpeg.c 2022-04-14 21:13:38.000000000 +0100 @@ -1974,6 +1974,9 @@ AVPacket *pkt = ost->pkt; int pkt_size; + if (!pkt) + break; + switch (enc->codec_type) { case AVMEDIA_TYPE_AUDIO: desc = "audio"; @@ -3463,12 +3466,7 @@ enc_ctx->bits_per_raw_sample = frame_bits_per_raw_sample; } - if (ost->top_field_first == 0) { - enc_ctx->field_order = AV_FIELD_BB; - } else if (ost->top_field_first == 1) { - enc_ctx->field_order = AV_FIELD_TT; - } - + // Field order: autodetection if (frame) { if (enc_ctx->flags & (AV_CODEC_FLAG_INTERLACED_DCT | AV_CODEC_FLAG_INTERLACED_ME) && ost->top_field_first >= 0) @@ -3483,6 +3481,13 @@ enc_ctx->field_order = AV_FIELD_PROGRESSIVE; } + // Field order: override + if (ost->top_field_first == 0) { + enc_ctx->field_order = AV_FIELD_BB; + } else if (ost->top_field_first == 1) { + enc_ctx->field_order = AV_FIELD_TT; + } + if (ost->forced_keyframes) { if (!strncmp(ost->forced_keyframes, "expr:", 5)) { ret = av_expr_parse(&ost->forced_keyframes_pexpr, ost->forced_keyframes+5, @@ -3950,7 +3955,7 @@ ost->st->index, ost->st->id, ost->initialized, ost->inputs_done, ost->finished); if (!ost->initialized && !ost->inputs_done) - return ost; + return ost->unavailable ? NULL : ost; if (!ost->finished && opts < opts_min) { opts_min = opts; diff -Nru ffmpeg-4.4/libavcodec/aaccoder.c ffmpeg-4.4.2/libavcodec/aaccoder.c --- ffmpeg-4.4/libavcodec/aaccoder.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/aaccoder.c 2022-04-14 21:13:38.000000000 +0100 @@ -843,25 +843,25 @@ sce0->ics.swb_sizes[g], sce0->sf_idx[w*16+g], sce0->band_type[w*16+g], - lambda / band0->threshold, INFINITY, &b1, NULL, 0); + lambda / (band0->threshold + FLT_MIN), INFINITY, &b1, NULL, 0); dist1 += quantize_band_cost(s, &sce1->coeffs[start + (w+w2)*128], R34, sce1->ics.swb_sizes[g], sce1->sf_idx[w*16+g], sce1->band_type[w*16+g], - lambda / band1->threshold, INFINITY, &b2, NULL, 0); + lambda / (band1->threshold + FLT_MIN), INFINITY, &b2, NULL, 0); dist2 += quantize_band_cost(s, M, M34, sce0->ics.swb_sizes[g], mididx, midcb, - lambda / minthr, INFINITY, &b3, NULL, 0); + lambda / (minthr + FLT_MIN), INFINITY, &b3, NULL, 0); dist2 += quantize_band_cost(s, S, S34, sce1->ics.swb_sizes[g], sididx, sidcb, - mslambda / (minthr * bmax), INFINITY, &b4, NULL, 0); + mslambda / (minthr * bmax + FLT_MIN), INFINITY, &b4, NULL, 0); B0 += b1+b2; B1 += b3+b4; dist1 -= b1+b2; diff -Nru ffmpeg-4.4/libavcodec/aacdec_template.c ffmpeg-4.4.2/libavcodec/aacdec_template.c --- ffmpeg-4.4/libavcodec/aacdec_template.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/aacdec_template.c 2022-04-14 21:13:38.000000000 +0100 @@ -1076,14 +1076,18 @@ { int i, ret; GetBitContext gbc = *gb; + MPEG4AudioConfig m4ac_bak = *m4ac; - if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0) + if ((i = ff_mpeg4audio_get_config_gb(m4ac, &gbc, sync_extension, avctx)) < 0) { + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; + } if (m4ac->sampling_index > 12) { av_log(avctx, AV_LOG_ERROR, "invalid sampling rate index %d\n", m4ac->sampling_index); + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; } if (m4ac->object_type == AOT_ER_AAC_LD && @@ -1091,6 +1095,7 @@ av_log(avctx, AV_LOG_ERROR, "invalid low delay sampling rate index %d\n", m4ac->sampling_index); + *m4ac = m4ac_bak; return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-4.4/libavcodec/aacenc.c ffmpeg-4.4.2/libavcodec/aacenc.c --- ffmpeg-4.4/libavcodec/aacenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/aacenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -28,6 +28,7 @@ * TODOs: * add sane pulse detection ***********************************/ +#include #include "libavutil/libm.h" #include "libavutil/float_dsp.h" @@ -852,7 +853,7 @@ /* Not so fast though */ ratio = sqrtf(ratio); } - s->lambda = FFMIN(s->lambda * ratio, 65536.f); + s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f); /* Keep iterating if we must reduce and lambda is in the sky */ if (ratio > 0.9f && ratio < 1.1f) { @@ -897,7 +898,7 @@ { AACEncContext *s = avctx->priv_data; - av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / s->lambda_count); + av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum / s->lambda_count : NAN); ff_mdct_end(&s->mdct1024); ff_mdct_end(&s->mdct128); diff -Nru ffmpeg-4.4/libavcodec/aacpsy.c ffmpeg-4.4.2/libavcodec/aacpsy.c --- ffmpeg-4.4/libavcodec/aacpsy.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/aacpsy.c 2022-04-14 21:13:38.000000000 +0100 @@ -308,6 +308,9 @@ const int bandwidth = ctx->cutoff ? ctx->cutoff : AAC_CUTOFF(ctx->avctx); const float num_bark = calc_bark((float)bandwidth); + if (bandwidth <= 0) + return AVERROR(EINVAL); + ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext)); if (!ctx->model_priv_data) return AVERROR(ENOMEM); @@ -794,7 +797,7 @@ if (pe < 1.15f * desired_pe) { /* 6.6.1.3.6 "Final threshold modification by linearization" */ - norm_fac = 1.0f / norm_fac; + norm_fac = norm_fac ? 1.0f / norm_fac : 0; for (w = 0; w < wi->num_windows*16; w += 16) { for (g = 0; g < num_bands; g++) { AacPsyBand *band = &pch->band[w+g]; diff -Nru ffmpeg-4.4/libavcodec/aarch64/hevcdsp_idct_neon.S ffmpeg-4.4.2/libavcodec/aarch64/hevcdsp_idct_neon.S --- ffmpeg-4.4/libavcodec/aarch64/hevcdsp_idct_neon.S 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/aarch64/hevcdsp_idct_neon.S 2021-10-24 21:47:11.000000000 +0100 @@ -573,14 +573,13 @@ // void ff_hevc_idct_NxN_dc_DEPTH_neon(int16_t *coeffs) .macro idct_dc size, bitdepth function ff_hevc_idct_\size\()x\size\()_dc_\bitdepth\()_neon, export=1 - movi v1.8h, #((1 << (14 - \bitdepth))+1) ld1r {v4.8h}, [x0] - add v4.8h, v4.8h, v1.8h - sshr v0.8h, v4.8h, #(15 - \bitdepth) - sshr v1.8h, v4.8h, #(15 - \bitdepth) + srshr v4.8h, v4.8h, #1 + srshr v0.8h, v4.8h, #(14 - \bitdepth) + srshr v1.8h, v4.8h, #(14 - \bitdepth) .if \size > 4 - sshr v2.8h, v4.8h, #(15 - \bitdepth) - sshr v3.8h, v4.8h, #(15 - \bitdepth) + srshr v2.8h, v4.8h, #(14 - \bitdepth) + srshr v3.8h, v4.8h, #(14 - \bitdepth) .if \size > 16 /* dc 32x32 */ mov x2, #4 1: diff -Nru ffmpeg-4.4/libavcodec/alacdsp.c ffmpeg-4.4.2/libavcodec/alacdsp.c --- ffmpeg-4.4/libavcodec/alacdsp.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/alacdsp.c 2022-04-14 21:13:48.000000000 +0100 @@ -34,7 +34,7 @@ a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; diff -Nru ffmpeg-4.4/libavcodec/alsdec.c ffmpeg-4.4.2/libavcodec/alsdec.c --- ffmpeg-4.4/libavcodec/alsdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/alsdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1632,7 +1632,7 @@ AVCodecContext *avctx = ctx->avctx; GetBitContext *gb = &ctx->gb; unsigned int div_blocks[32]; ///< block sizes. - unsigned int c; + int c; unsigned int js_blocks[2]; uint32_t bs_info = 0; int ret; @@ -1810,14 +1810,17 @@ else ctx->cur_frame_length = sconf->frame_length; - ctx->highest_decoded_channel = 0; + ctx->highest_decoded_channel = -1; // decode the frame data if ((invalid_frame = read_frame_data(ctx, ra_frame)) < 0) av_log(ctx->avctx, AV_LOG_WARNING, "Reading frame data failed. Skipping RA unit.\n"); - if (ctx->highest_decoded_channel == 0) + if (ctx->highest_decoded_channel == -1) { + av_log(ctx->avctx, AV_LOG_WARNING, + "No channel data decoded.\n"); return AVERROR_INVALIDDATA; + } ctx->frame_id++; diff -Nru ffmpeg-4.4/libavcodec/apedec.c ffmpeg-4.4.2/libavcodec/apedec.c --- ffmpeg-4.4/libavcodec/apedec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/apedec.c 2022-04-14 21:13:48.000000000 +0100 @@ -102,7 +102,7 @@ int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { @@ -879,7 +879,7 @@ } predictionA = p->buf[delayA] * 2U - p->buf[delayA - 1]; - p->lastA[filter] = decoded + ((int32_t)(predictionA * p->coeffsA[filter][0]) >> 9); + p->lastA[filter] = decoded + (unsigned)((int32_t)(predictionA * p->coeffsA[filter][0]) >> 9); if ((decoded ^ predictionA) > 0) p->coeffsA[filter][0]++; @@ -909,8 +909,8 @@ return predictionA; } d2 = p->buf[delayA]; - d1 = (p->buf[delayA] - p->buf[delayA - 1]) * 2U; - d0 = p->buf[delayA] + ((p->buf[delayA - 2] - p->buf[delayA - 1]) * 8U); + d1 = (p->buf[delayA] - (unsigned)p->buf[delayA - 1]) * 2; + d0 = p->buf[delayA] + ((p->buf[delayA - 2] - (unsigned)p->buf[delayA - 1]) * 8); d3 = p->buf[delayB] * 2U - p->buf[delayB - 1]; d4 = p->buf[delayB]; @@ -955,7 +955,7 @@ dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; @@ -979,7 +979,7 @@ for (j = 7; j > 0; j--) delay[j] = delay[j - 1]; delay[0] = buffer[i]; - buffer[i] -= dotprod >> 9; + buffer[i] -= (unsigned)(dotprod >> 9); } } @@ -1088,13 +1088,13 @@ const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + @@ -1105,10 +1105,10 @@ p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } @@ -1337,7 +1337,7 @@ absres = FFABSU(res); if (absres) *f->adaptcoeffs = APESIGN(res) * - (8 << ((absres > f->avg * 3) + (absres > f->avg * 4 / 3))); + (8 << ((absres > f->avg * 3LL) + (absres > (f->avg + f->avg / 3)))); /* equivalent to the following code if (absres <= f->avg * 4 / 3) *f->adaptcoeffs = APESIGN(res) * 8; @@ -1587,7 +1587,7 @@ for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: diff -Nru ffmpeg-4.4/libavcodec/argo.c ffmpeg-4.4.2/libavcodec/argo.c --- ffmpeg-4.4/libavcodec/argo.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/argo.c 2022-04-14 21:13:48.000000000 +0100 @@ -59,7 +59,7 @@ return AVERROR_INVALIDDATA; for (int i = 0; i < count; i++) - pal[start + i] = (0xFF << 24U) | bytestream2_get_be24u(gb); + pal[start + i] = (0xFFU << 24) | bytestream2_get_be24u(gb); return 0; } @@ -608,6 +608,9 @@ uint32_t chunk; int ret; + if (avpkt->size < 4) + return AVERROR_INVALIDDATA; + bytestream2_init(gb, avpkt->data, avpkt->size); if ((ret = ff_reget_buffer(avctx, frame, 0)) < 0) @@ -685,6 +688,11 @@ return AVERROR_PATCHWELCOME; } + if (avctx->width % 2 || avctx->height % 2) { + avpriv_request_sample(s, "Odd dimensions\n"); + return AVERROR_PATCHWELCOME; + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); diff -Nru ffmpeg-4.4/libavcodec/av1dec.c ffmpeg-4.4.2/libavcodec/av1dec.c --- ffmpeg-4.4/libavcodec/av1dec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/av1dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -28,6 +28,34 @@ #include "internal.h" #include "profiles.h" +/**< same with Div_Lut defined in spec 7.11.3.7 */ +static const uint16_t div_lut[AV1_DIV_LUT_NUM] = { + 16384, 16320, 16257, 16194, 16132, 16070, 16009, 15948, 15888, 15828, 15768, + 15709, 15650, 15592, 15534, 15477, 15420, 15364, 15308, 15252, 15197, 15142, + 15087, 15033, 14980, 14926, 14873, 14821, 14769, 14717, 14665, 14614, 14564, + 14513, 14463, 14413, 14364, 14315, 14266, 14218, 14170, 14122, 14075, 14028, + 13981, 13935, 13888, 13843, 13797, 13752, 13707, 13662, 13618, 13574, 13530, + 13487, 13443, 13400, 13358, 13315, 13273, 13231, 13190, 13148, 13107, 13066, + 13026, 12985, 12945, 12906, 12866, 12827, 12788, 12749, 12710, 12672, 12633, + 12596, 12558, 12520, 12483, 12446, 12409, 12373, 12336, 12300, 12264, 12228, + 12193, 12157, 12122, 12087, 12053, 12018, 11984, 11950, 11916, 11882, 11848, + 11815, 11782, 11749, 11716, 11683, 11651, 11619, 11586, 11555, 11523, 11491, + 11460, 11429, 11398, 11367, 11336, 11305, 11275, 11245, 11215, 11185, 11155, + 11125, 11096, 11067, 11038, 11009, 10980, 10951, 10923, 10894, 10866, 10838, + 10810, 10782, 10755, 10727, 10700, 10673, 10645, 10618, 10592, 10565, 10538, + 10512, 10486, 10460, 10434, 10408, 10382, 10356, 10331, 10305, 10280, 10255, + 10230, 10205, 10180, 10156, 10131, 10107, 10082, 10058, 10034, 10010, 9986, + 9963, 9939, 9916, 9892, 9869, 9846, 9823, 9800, 9777, 9754, 9732, + 9709, 9687, 9664, 9642, 9620, 9598, 9576, 9554, 9533, 9511, 9489, + 9468, 9447, 9425, 9404, 9383, 9362, 9341, 9321, 9300, 9279, 9259, + 9239, 9218, 9198, 9178, 9158, 9138, 9118, 9098, 9079, 9059, 9039, + 9020, 9001, 8981, 8962, 8943, 8924, 8905, 8886, 8867, 8849, 8830, + 8812, 8793, 8775, 8756, 8738, 8720, 8702, 8684, 8666, 8648, 8630, + 8613, 8595, 8577, 8560, 8542, 8525, 8508, 8490, 8473, 8456, 8439, + 8422, 8405, 8389, 8372, 8355, 8339, 8322, 8306, 8289, 8273, 8257, + 8240, 8224, 8208, 8192 +}; + static uint32_t inverse_recenter(int r, uint32_t v) { if (v > 2 * r) @@ -97,6 +125,70 @@ -mx, mx + 1, r) << prec_diff) + round; } +static uint64_t round_two(uint64_t x, uint16_t n) +{ + if (n == 0) + return x; + return ((x + ((uint64_t)1 << (n - 1))) >> n); +} + +static int64_t round_two_signed(int64_t x, uint16_t n) +{ + return ((x<0) ? -((int64_t)round_two(-x, n)) : (int64_t)round_two(x, n)); +} + +/** + * Resolve divisor process. + * see spec 7.11.3.7 + */ +static int16_t resolve_divisor(uint32_t d, uint16_t *shift) +{ + int32_t e, f; + + *shift = av_log2(d); + e = d - (1 << (*shift)); + if (*shift > AV1_DIV_LUT_BITS) + f = round_two(e, *shift - AV1_DIV_LUT_BITS); + else + f = e << (AV1_DIV_LUT_BITS - (*shift)); + + *shift += AV1_DIV_LUT_PREC_BITS; + + return div_lut[f]; +} + +/** + * check if global motion params is valid. + * see spec 7.11.3.6 + */ +static uint8_t get_shear_params_valid(AV1DecContext *s, int idx) +{ + int16_t alpha, beta, gamma, delta, divf, divs; + int64_t v, w; + int32_t *param = &s->cur_frame.gm_params[idx][0]; + if (param[2] < 0) + return 0; + + alpha = av_clip_int16(param[2] - (1 << AV1_WARPEDMODEL_PREC_BITS)); + beta = av_clip_int16(param[3]); + divf = resolve_divisor(abs(param[2]), &divs); + v = (int64_t)param[4] * (1 << AV1_WARPEDMODEL_PREC_BITS); + w = (int64_t)param[3] * param[4]; + gamma = av_clip_int16((int)round_two_signed((v * divf), divs)); + delta = av_clip_int16(param[5] - (int)round_two_signed((w * divf), divs) - (1 << AV1_WARPEDMODEL_PREC_BITS)); + + alpha = round_two_signed(alpha, AV1_WARP_PARAM_REDUCE_BITS) << AV1_WARP_PARAM_REDUCE_BITS; + beta = round_two_signed(beta, AV1_WARP_PARAM_REDUCE_BITS) << AV1_WARP_PARAM_REDUCE_BITS; + gamma = round_two_signed(gamma, AV1_WARP_PARAM_REDUCE_BITS) << AV1_WARP_PARAM_REDUCE_BITS; + delta = round_two_signed(delta, AV1_WARP_PARAM_REDUCE_BITS) << AV1_WARP_PARAM_REDUCE_BITS; + + if ((4 * abs(alpha) + 7 * abs(beta)) >= (1 << AV1_WARPEDMODEL_PREC_BITS) || + (4 * abs(gamma) + 4 * abs(delta)) >= (1 << AV1_WARPEDMODEL_PREC_BITS)) + return 0; + + return 1; +} + /** * update gm type/params, since cbs already implemented part of this funcation, * so we don't need to full implement spec. @@ -144,6 +236,9 @@ read_global_param(s, type, ref, 0); read_global_param(s, type, ref, 1); } + if (type <= AV1_WARP_MODEL_AFFINE) { + s->cur_frame.gm_invalid[ref] = !get_shear_params_valid(s, ref); + } } } @@ -509,6 +604,9 @@ dst->spatial_id = src->spatial_id; dst->temporal_id = src->temporal_id; + memcpy(dst->gm_invalid, + src->gm_invalid, + AV1_NUM_REF_FRAMES * sizeof(uint8_t)); memcpy(dst->gm_type, src->gm_type, AV1_NUM_REF_FRAMES * sizeof(uint8_t)); diff -Nru ffmpeg-4.4/libavcodec/av1dec.h ffmpeg-4.4.2/libavcodec/av1dec.h --- ffmpeg-4.4/libavcodec/av1dec.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/av1dec.h 2022-01-14 18:45:25.000000000 +0000 @@ -42,6 +42,7 @@ int temporal_id; int spatial_id; + uint8_t gm_invalid[AV1_NUM_REF_FRAMES]; uint8_t gm_type[AV1_NUM_REF_FRAMES]; int32_t gm_params[AV1_NUM_REF_FRAMES][6]; diff -Nru ffmpeg-4.4/libavcodec/av1.h ffmpeg-4.4.2/libavcodec/av1.h --- ffmpeg-4.4/libavcodec/av1.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/av1.h 2022-01-14 18:45:25.000000000 +0000 @@ -114,6 +114,13 @@ AV1_WARP_MODEL_TRANSLATION = 1, AV1_WARP_MODEL_ROTZOOM = 2, AV1_WARP_MODEL_AFFINE = 3, + AV1_WARP_PARAM_REDUCE_BITS = 6, + + AV1_DIV_LUT_BITS = 8, + AV1_DIV_LUT_PREC_BITS = 14, + AV1_DIV_LUT_NUM = 257, + + AV1_MAX_LOOP_FILTER = 63, }; diff -Nru ffmpeg-4.4/libavcodec/av1_metadata_bsf.c ffmpeg-4.4.2/libavcodec/av1_metadata_bsf.c --- ffmpeg-4.4/libavcodec/av1_metadata_bsf.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/av1_metadata_bsf.c 2022-04-14 21:13:38.000000000 +0100 @@ -28,6 +28,7 @@ CBSBSFContext common; int td; + AV1RawOBU td_obu; int color_primaries; int transfer_characteristics; @@ -107,12 +108,11 @@ CodedBitstreamFragment *frag) { AV1MetadataContext *ctx = bsf->priv_data; - AV1RawOBU td, *obu; int err, i; for (i = 0; i < frag->nb_units; i++) { if (frag->units[i].type == AV1_OBU_SEQUENCE_HEADER) { - obu = frag->units[i].content; + AV1RawOBU *obu = frag->units[i].content; err = av1_metadata_update_sequence_header(bsf, &obu->obu.sequence_header); if (err < 0) return err; @@ -124,12 +124,8 @@ if (ctx->td == BSF_ELEMENT_REMOVE) ff_cbs_delete_unit(frag, 0); } else if (pkt && ctx->td == BSF_ELEMENT_INSERT) { - td = (AV1RawOBU) { - .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER, - }; - err = ff_cbs_insert_unit_content(frag, 0, AV1_OBU_TEMPORAL_DELIMITER, - &td, NULL); + &ctx->td_obu, NULL); if (err < 0) { av_log(bsf, AV_LOG_ERROR, "Failed to insert Temporal Delimiter.\n"); return err; @@ -155,6 +151,12 @@ static int av1_metadata_init(AVBSFContext *bsf) { + AV1MetadataContext *ctx = bsf->priv_data; + + ctx->td_obu = (AV1RawOBU) { + .header.obu_type = AV1_OBU_TEMPORAL_DELIMITER, + }; + return ff_cbs_bsf_generic_init(bsf, &av1_metadata_type); } diff -Nru ffmpeg-4.4/libavcodec/cbs_av1_syntax_template.c ffmpeg-4.4.2/libavcodec/cbs_av1_syntax_template.c --- ffmpeg-4.4/libavcodec/cbs_av1_syntax_template.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/cbs_av1_syntax_template.c 2022-01-14 18:45:25.000000000 +0000 @@ -355,7 +355,7 @@ AV1_REF_FRAME_ALTREF2, AV1_REF_FRAME_ALTREF }; int8_t ref_frame_idx[AV1_REFS_PER_FRAME], used_frame[AV1_NUM_REF_FRAMES]; - int8_t shifted_order_hints[AV1_NUM_REF_FRAMES]; + int16_t shifted_order_hints[AV1_NUM_REF_FRAMES]; int cur_frame_hint, latest_order_hint, earliest_order_hint, ref; int i, j; diff -Nru ffmpeg-4.4/libavcodec/cbs_h265_syntax_template.c ffmpeg-4.4.2/libavcodec/cbs_h265_syntax_template.c --- ffmpeg-4.4/libavcodec/cbs_h265_syntax_template.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/cbs_h265_syntax_template.c 2022-04-14 21:13:38.000000000 +0100 @@ -728,7 +728,7 @@ flag(sps_palette_predictor_initializer_present_flag); if (current->sps_palette_predictor_initializer_present_flag) { - ue(sps_num_palette_predictor_initializer_minus1, 0, 128); + ue(sps_num_palette_predictor_initializer_minus1, 0, 127); for (comp = 0; comp < (current->chroma_format_idc ? 3 : 1); comp++) { int bit_depth = comp == 0 ? current->bit_depth_luma_minus8 + 8 : current->bit_depth_chroma_minus8 + 8; diff -Nru ffmpeg-4.4/libavcodec/cfhd.c ffmpeg-4.4.2/libavcodec/cfhd.c --- ffmpeg-4.4/libavcodec/cfhd.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/cfhd.c 2022-04-14 21:13:48.000000000 +0100 @@ -838,7 +838,7 @@ const uint16_t q = s->quantisation; for (i = 0; i < run; i++) { - *coeff_data |= coeff * 256; + *coeff_data |= coeff * 256U; *coeff_data++ *= q; } } else { @@ -869,7 +869,7 @@ const uint16_t q = s->quantisation; for (i = 0; i < run; i++) { - *coeff_data |= coeff * 256; + *coeff_data |= coeff * 256U; *coeff_data++ *= q; } } else { diff -Nru ffmpeg-4.4/libavcodec/clearvideo.c ffmpeg-4.4.2/libavcodec/clearvideo.c --- ffmpeg-4.4/libavcodec/clearvideo.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/clearvideo.c 2022-04-14 21:13:38.000000000 +0100 @@ -722,8 +722,8 @@ } c->tile_shift = av_log2(c->tile_size); - if (1U << c->tile_shift != c->tile_size) { - av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", c->tile_size); + if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1 || c->tile_shift > 30) { + av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1 and < 2^31\n", c->tile_size); return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-4.4/libavcodec/cpia.c ffmpeg-4.4.2/libavcodec/cpia.c --- ffmpeg-4.4/libavcodec/cpia.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/cpia.c 2022-04-14 21:13:38.000000000 +0100 @@ -111,6 +111,7 @@ // Read line length, two byte little endian linelength = AV_RL16(src); src += 2; + src_size -= 2; if (src_size < linelength) { frame->decode_error_flags = FF_DECODE_ERROR_INVALID_BITSTREAM; diff -Nru ffmpeg-4.4/libavcodec/crystalhd.c ffmpeg-4.4.2/libavcodec/crystalhd.c --- ffmpeg-4.4/libavcodec/crystalhd.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/crystalhd.c 2022-04-14 21:13:38.000000000 +0100 @@ -785,6 +785,7 @@ .flush = flush, \ .bsfs = bsf_name, \ .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING | AV_CODEC_CAP_HARDWARE, \ + .caps_internal = FF_CODEC_CAP_SETS_FRAME_PROPS, \ .pix_fmts = (const enum AVPixelFormat[]){AV_PIX_FMT_YUYV422, AV_PIX_FMT_NONE}, \ .wrapper_name = "crystalhd", \ }; diff -Nru ffmpeg-4.4/libavcodec/cuviddec.c ffmpeg-4.4.2/libavcodec/cuviddec.c --- ffmpeg-4.4/libavcodec/cuviddec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/cuviddec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1150,6 +1150,7 @@ .flush = cuvid_flush, \ .bsfs = bsf_name, \ .capabilities = AV_CODEC_CAP_DELAY | AV_CODEC_CAP_AVOID_PROBING | AV_CODEC_CAP_HARDWARE, \ + .caps_internal = FF_CODEC_CAP_SETS_FRAME_PROPS, \ .pix_fmts = (const enum AVPixelFormat[]){ AV_PIX_FMT_CUDA, \ AV_PIX_FMT_NV12, \ AV_PIX_FMT_P010, \ diff -Nru ffmpeg-4.4/libavcodec/decode.c ffmpeg-4.4.2/libavcodec/decode.c --- ffmpeg-4.4/libavcodec/decode.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/decode.c 2022-04-14 21:13:38.000000000 +0100 @@ -233,9 +233,11 @@ if (ret < 0) return ret; - ret = extract_packet_props(avctx->internal, pkt); - if (ret < 0) - goto finish; + if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) { + ret = extract_packet_props(avctx->internal, pkt); + if (ret < 0) + goto finish; + } ret = apply_param_change(avctx, pkt); if (ret < 0) @@ -502,11 +504,13 @@ pkt->data += consumed; pkt->size -= consumed; - avci->last_pkt_props->size -= consumed; // See extract_packet_props() comment. pkt->pts = AV_NOPTS_VALUE; pkt->dts = AV_NOPTS_VALUE; - avci->last_pkt_props->pts = AV_NOPTS_VALUE; - avci->last_pkt_props->dts = AV_NOPTS_VALUE; + if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) { + avci->last_pkt_props->size -= consumed; // See extract_packet_props() comment. + avci->last_pkt_props->pts = AV_NOPTS_VALUE; + avci->last_pkt_props->dts = AV_NOPTS_VALUE; + } } if (got_frame) @@ -548,6 +552,11 @@ if (ret == AVERROR_EOF) avci->draining_done = 1; + if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS) && + IS_EMPTY(avci->last_pkt_props) && av_fifo_size(avci->pkt_props) >= sizeof(*avci->last_pkt_props)) + av_fifo_generic_read(avci->pkt_props, + avci->last_pkt_props, sizeof(*avci->last_pkt_props), NULL); + if (!ret) { frame->best_effort_timestamp = guess_correct_pts(avctx, frame->pts, @@ -1738,39 +1747,37 @@ { AV_PKT_DATA_S12M_TIMECODE, AV_FRAME_DATA_S12M_TIMECODE }, }; - if (IS_EMPTY(pkt) && av_fifo_size(avctx->internal->pkt_props) >= sizeof(*pkt)) - av_fifo_generic_read(avctx->internal->pkt_props, - pkt, sizeof(*pkt), NULL); - - frame->pts = pkt->pts; + if (!(avctx->codec->caps_internal & FF_CODEC_CAP_SETS_FRAME_PROPS)) { + frame->pts = pkt->pts; #if FF_API_PKT_PTS FF_DISABLE_DEPRECATION_WARNINGS - frame->pkt_pts = pkt->pts; + frame->pkt_pts = pkt->pts; FF_ENABLE_DEPRECATION_WARNINGS #endif - frame->pkt_pos = pkt->pos; - frame->pkt_duration = pkt->duration; - frame->pkt_size = pkt->size; - - for (int i = 0; i < FF_ARRAY_ELEMS(sd); i++) { - buffer_size_t size; - uint8_t *packet_sd = av_packet_get_side_data(pkt, sd[i].packet, &size); - if (packet_sd) { - AVFrameSideData *frame_sd = av_frame_new_side_data(frame, - sd[i].frame, - size); - if (!frame_sd) - return AVERROR(ENOMEM); + frame->pkt_pos = pkt->pos; + frame->pkt_duration = pkt->duration; + frame->pkt_size = pkt->size; + + for (int i = 0; i < FF_ARRAY_ELEMS(sd); i++) { + buffer_size_t size; + uint8_t *packet_sd = av_packet_get_side_data(pkt, sd[i].packet, &size); + if (packet_sd) { + AVFrameSideData *frame_sd = av_frame_new_side_data(frame, + sd[i].frame, + size); + if (!frame_sd) + return AVERROR(ENOMEM); - memcpy(frame_sd->data, packet_sd, size); + memcpy(frame_sd->data, packet_sd, size); + } } - } - add_metadata_from_side_data(pkt, frame); + add_metadata_from_side_data(pkt, frame); - if (pkt->flags & AV_PKT_FLAG_DISCARD) { - frame->flags |= AV_FRAME_FLAG_DISCARD; - } else { - frame->flags = (frame->flags & ~AV_FRAME_FLAG_DISCARD); + if (pkt->flags & AV_PKT_FLAG_DISCARD) { + frame->flags |= AV_FRAME_FLAG_DISCARD; + } else { + frame->flags = (frame->flags & ~AV_FRAME_FLAG_DISCARD); + } } frame->reordered_opaque = avctx->reordered_opaque; diff -Nru ffmpeg-4.4/libavcodec/diracdec.c ffmpeg-4.4.2/libavcodec/diracdec.c --- ffmpeg-4.4/libavcodec/diracdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/diracdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -1432,8 +1432,8 @@ int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); diff -Nru ffmpeg-4.4/libavcodec/dnxhddec.c ffmpeg-4.4.2/libavcodec/dnxhddec.c --- ffmpeg-4.4/libavcodec/dnxhddec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/dnxhddec.c 2022-04-14 21:13:38.000000000 +0100 @@ -112,6 +112,7 @@ static int dnxhd_init_vlc(DNXHDContext *ctx, uint32_t cid, int bitdepth) { + int ret; if (cid != ctx->cid) { const CIDEntry *cid_table = ff_dnxhd_get_cid_table(cid); @@ -132,19 +133,26 @@ ff_free_vlc(&ctx->dc_vlc); ff_free_vlc(&ctx->run_vlc); - init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, + if ((ret = init_vlc(&ctx->ac_vlc, DNXHD_VLC_BITS, 257, ctx->cid_table->ac_bits, 1, 1, - ctx->cid_table->ac_codes, 2, 2, 0); - init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, + ctx->cid_table->ac_codes, 2, 2, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->dc_vlc, DNXHD_DC_VLC_BITS, bitdepth > 8 ? 14 : 12, ctx->cid_table->dc_bits, 1, 1, - ctx->cid_table->dc_codes, 1, 1, 0); - init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, + ctx->cid_table->dc_codes, 1, 1, 0)) < 0) + goto out; + if ((ret = init_vlc(&ctx->run_vlc, DNXHD_VLC_BITS, 62, ctx->cid_table->run_bits, 1, 1, - ctx->cid_table->run_codes, 2, 2, 0); + ctx->cid_table->run_codes, 2, 2, 0)) < 0) + goto out; ctx->cid = cid; } - return 0; + ret = 0; +out: + if (ret < 0) + av_log(ctx->avctx, AV_LOG_ERROR, "init_vlc failed\n"); + return ret; } static int dnxhd_get_profile(int cid) diff -Nru ffmpeg-4.4/libavcodec/dnxhdenc.c ffmpeg-4.4.2/libavcodec/dnxhdenc.c --- ffmpeg-4.4/libavcodec/dnxhdenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/dnxhdenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -1353,7 +1353,7 @@ av_freep(&ctx->qmatrix_c16); av_freep(&ctx->qmatrix_l16); - if (avctx->active_thread_type == FF_THREAD_SLICE) { + if (ctx->thread[1]) { for (i = 1; i < avctx->thread_count; i++) av_freep(&ctx->thread[i]); } diff -Nru ffmpeg-4.4/libavcodec/dpx.c ffmpeg-4.4.2/libavcodec/dpx.c --- ffmpeg-4.4/libavcodec/dpx.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/dpx.c 2022-04-14 21:13:38.000000000 +0100 @@ -242,6 +242,9 @@ return AVERROR_PATCHWELCOME; } + if (bits_per_color > 31) + return AVERROR_INVALIDDATA; + buf += 820; avctx->sample_aspect_ratio.num = read32(&buf, endian); avctx->sample_aspect_ratio.den = read32(&buf, endian); @@ -316,7 +319,7 @@ minCV = av_int2float(i); maxCV = av_int2float(j); if (bits_per_color >= 1 && - minCV == 0.0f && maxCV == ((1<color_range = AVCOL_RANGE_JPEG; } else if (bits_per_color >= 8 && minCV == (1 <<(bits_per_color - 4)) && diff -Nru ffmpeg-4.4/libavcodec/dxva2_av1.c ffmpeg-4.4.2/libavcodec/dxva2_av1.c --- ffmpeg-4.4/libavcodec/dxva2_av1.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/dxva2_av1.c 2022-01-14 18:45:25.000000000 +0000 @@ -73,7 +73,7 @@ pp->max_height = seq->max_frame_height_minus_1 + 1; pp->CurrPicTextureIndex = ff_dxva2_get_surface_index(avctx, ctx, h->cur_frame.tf.f); - pp->superres_denom = frame_header->use_superres ? frame_header->coded_denom : AV1_SUPERRES_NUM; + pp->superres_denom = frame_header->use_superres ? frame_header->coded_denom + AV1_SUPERRES_DENOM_MIN : AV1_SUPERRES_NUM; pp->bitdepth = get_bit_depth_from_seq(seq); pp->seq_profile = seq->seq_profile; @@ -139,7 +139,7 @@ pp->frame_refs[i].Index = ref_frame->buf[0] ? ref_idx : 0xFF; /* Global Motion */ - pp->frame_refs[i].wminvalid = (h->cur_frame.gm_type[AV1_REF_FRAME_LAST + i] == AV1_WARP_MODEL_IDENTITY); + pp->frame_refs[i].wminvalid = h->cur_frame.gm_invalid[AV1_REF_FRAME_LAST + i]; pp->frame_refs[i].wmtype = h->cur_frame.gm_type[AV1_REF_FRAME_LAST + i]; for (j = 0; j < 6; ++j) { pp->frame_refs[i].wmmat[j] = h->cur_frame.gm_params[AV1_REF_FRAME_LAST + i][j]; diff -Nru ffmpeg-4.4/libavcodec/exr.c ffmpeg-4.4.2/libavcodec/exr.c --- ffmpeg-4.4/libavcodec/exr.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/exr.c 2022-04-14 21:13:48.000000000 +0100 @@ -418,7 +418,7 @@ init_get_bits(&gbit, gb->buffer, nbits); while (get_bits_left(&gbit) > 0 && oe < no) { - uint16_t x = get_vlc2(&gbit, vlc->table, 12, 2); + uint16_t x = get_vlc2(&gbit, vlc->table, 12, 3); if (x == run_sym) { int run = get_bits(&gbit, 8); @@ -1014,7 +1014,9 @@ dc_count = AV_RL64(src + 72); ac_compression = AV_RL64(src + 80); - if (compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize) + if ( compressed_size < (uint64_t)(lo_size | ac_size | dc_size | rle_csize) || compressed_size < 88LL + lo_size + ac_size + dc_size + rle_csize + || ac_count > (uint64_t)INT_MAX/2 + ) return AVERROR_INVALIDDATA; bytestream2_init(&gb, src + 88, compressed_size - 88); @@ -1031,12 +1033,14 @@ } if (ac_size > 0) { - unsigned long dest_len = ac_count * 2LL; + unsigned long dest_len; GetByteContext agb = gb; if (ac_count > 3LL * td->xsize * s->scan_lines_per_block) return AVERROR_INVALIDDATA; + dest_len = ac_count * 2LL; + av_fast_padded_malloc(&td->ac_data, &td->ac_size, dest_len); if (!td->ac_data) return AVERROR(ENOMEM); @@ -1059,13 +1063,15 @@ bytestream2_skip(&gb, ac_size); } - if (dc_size > 0) { - unsigned long dest_len = dc_count * 2LL; + { + unsigned long dest_len; GetByteContext agb = gb; - if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64) + if (dc_count != dc_w * dc_h * 3) return AVERROR_INVALIDDATA; + dest_len = dc_count * 2LL; + av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 64) * 2); if (!td->dc_data) return AVERROR(ENOMEM); @@ -1795,6 +1801,7 @@ ymax = bytestream2_get_le32(gb); if (xmin > xmax || ymin > ymax || + ymax == INT_MAX || xmax == INT_MAX || (unsigned)xmax - xmin >= INT_MAX || (unsigned)ymax - ymin >= INT_MAX) { ret = AVERROR_INVALIDDATA; @@ -1822,8 +1829,8 @@ dx = bytestream2_get_le32(gb); dy = bytestream2_get_le32(gb); - s->w = dx - sx + 1; - s->h = dy - sy + 1; + s->w = (unsigned)dx - sx + 1; + s->h = (unsigned)dy - sy + 1; continue; } else if ((var_size = check_header_variable(s, "lineOrder", diff -Nru ffmpeg-4.4/libavcodec/faxcompr.c ffmpeg-4.4.2/libavcodec/faxcompr.c --- ffmpeg-4.4/libavcodec/faxcompr.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/faxcompr.c 2021-10-24 21:47:11.000000000 +0100 @@ -144,6 +144,8 @@ return AVERROR_INVALIDDATA; } cwi = 10 - av_log2(cwi); + if (get_bits_left(gb) < cwi + 1) + return AVERROR_INVALIDDATA; skip_bits(gb, cwi + 1); if (cwi > 5) { newmode = get_bits1(gb); @@ -209,6 +211,8 @@ unsigned int run = 0; unsigned int t; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); run += t; if (t < 64) { @@ -227,7 +231,7 @@ run = 0; mode = !mode; } else if ((int)t == -1) { - if (show_bits(gb, 12) == 15) { + if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) { int ret; skip_bits(gb, 12); ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, &mode); @@ -254,7 +258,10 @@ unsigned int offs = 0, run = 0; while (offs < width) { - int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); + int cmode; + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; + cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1); if (cmode == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n"); return AVERROR_INVALIDDATA; @@ -276,6 +283,8 @@ for (k = 0; k < 2; k++) { run = 0; for (;;) { + if (get_bits_left(gb) <= 0) + return AVERROR_INVALIDDATA; t = get_vlc2(gb, ccitt_vlc[mode].table, 9, 2); if (t == -1) { av_log(avctx, AV_LOG_ERROR, "Incorrect code\n"); @@ -299,7 +308,10 @@ mode = !mode; } } else if (cmode == 9 || cmode == 10) { - int xxx = get_bits(gb, 3); + int xxx; + if (get_bits_left(gb) < 3) + return AVERROR_INVALIDDATA; + xxx = get_bits(gb, 3); if (cmode == 9 && xxx == 7) { int ret; int pix_left = width - offs; diff -Nru ffmpeg-4.4/libavcodec/flac_parser.c ffmpeg-4.4.2/libavcodec/flac_parser.c --- ffmpeg-4.4/libavcodec/flac_parser.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/flac_parser.c 2022-04-14 21:13:38.000000000 +0100 @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -170,7 +171,7 @@ uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { diff -Nru ffmpeg-4.4/libavcodec/flicvideo.c ffmpeg-4.4.2/libavcodec/flicvideo.c --- ffmpeg-4.4/libavcodec/flicvideo.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/flicvideo.c 2022-04-14 21:13:38.000000000 +0100 @@ -735,6 +735,8 @@ bytestream2_skip(&g2, chunk_size - 6); } else { + if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height ) + return AVERROR_INVALIDDATA; for (y_ptr = 0; y_ptr < s->frame->linesize[0] * s->avctx->height; y_ptr += s->frame->linesize[0]) { diff -Nru ffmpeg-4.4/libavcodec/frame_thread_encoder.c ffmpeg-4.4.2/libavcodec/frame_thread_encoder.c --- ffmpeg-4.4/libavcodec/frame_thread_encoder.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/frame_thread_encoder.c 2022-04-14 21:13:38.000000000 +0100 @@ -124,7 +124,7 @@ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options){ int i=0; ThreadContext *c; - + AVCodecContext *thread_avctx = NULL; if( !(avctx->thread_type & FF_THREAD_FRAME) || !(avctx->codec->capabilities & AV_CODEC_CAP_FRAME_THREADS)) @@ -205,16 +205,17 @@ AVDictionary *tmp = NULL; int ret; void *tmpv; - AVCodecContext *thread_avctx = avcodec_alloc_context3(avctx->codec); + thread_avctx = avcodec_alloc_context3(avctx->codec); if(!thread_avctx) goto fail; tmpv = thread_avctx->priv_data; *thread_avctx = *avctx; + thread_avctx->priv_data = tmpv; + thread_avctx->internal = NULL; + thread_avctx->hw_frames_ctx = NULL; ret = av_opt_copy(thread_avctx, avctx); if (ret < 0) goto fail; - thread_avctx->priv_data = tmpv; - thread_avctx->internal = NULL; if (avctx->codec->priv_class) { int ret = av_opt_copy(thread_avctx->priv_data, avctx->priv_data); if (ret < 0) @@ -243,6 +244,8 @@ return 0; fail: + avcodec_close(thread_avctx); + av_freep(&thread_avctx); avctx->thread_count = i; av_log(avctx, AV_LOG_ERROR, "ff_frame_thread_encoder_init failed\n"); ff_frame_thread_encoder_free(avctx); diff -Nru ffmpeg-4.4/libavcodec/frame_thread_encoder.h ffmpeg-4.4.2/libavcodec/frame_thread_encoder.h --- ffmpeg-4.4/libavcodec/frame_thread_encoder.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/frame_thread_encoder.h 2022-04-14 21:13:38.000000000 +0100 @@ -23,6 +23,10 @@ #include "avcodec.h" +/** + * Initialize frame thread encoder. + * @note hardware encoders are not supported + */ int ff_frame_thread_encoder_init(AVCodecContext *avctx, AVDictionary *options); void ff_frame_thread_encoder_free(AVCodecContext *avctx); int ff_thread_video_encode_frame(AVCodecContext *avctx, AVPacket *pkt, diff -Nru ffmpeg-4.4/libavcodec/g729_parser.c ffmpeg-4.4.2/libavcodec/g729_parser.c --- ffmpeg-4.4/libavcodec/g729_parser.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/g729_parser.c 2022-04-14 21:13:48.000000000 +0100 @@ -49,6 +49,9 @@ s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN) s->block_size++; + // channels > 2 is invalid, we pass the packet on unchanged + if (avctx->channels > 2) + s->block_size = 0; s->block_size *= avctx->channels; s->duration = avctx->frame_size; } diff -Nru ffmpeg-4.4/libavcodec/h263.c ffmpeg-4.4.2/libavcodec/h263.c --- ffmpeg-4.4/libavcodec/h263.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h263.c 2022-04-14 21:13:38.000000000 +0100 @@ -29,6 +29,7 @@ #include +#include "libavutil/thread.h" #include "avcodec.h" #include "mpegvideo.h" #include "h263.h" @@ -38,6 +39,17 @@ #include "flv.h" #include "mpeg4video.h" +static av_cold void h263_init_rl_inter(void) +{ + static uint8_t h263_rl_inter_table[2][2 * MAX_RUN + MAX_LEVEL + 3]; + ff_rl_init(&ff_h263_rl_inter, h263_rl_inter_table); +} + +av_cold void ff_h263_init_rl_inter(void) +{ + static AVOnce init_static_once = AV_ONCE_INIT; + ff_thread_once(&init_static_once, h263_init_rl_inter); +} void ff_h263_update_motion_val(MpegEncContext * s){ const int mb_xy = s->mb_y * s->mb_stride + s->mb_x; diff -Nru ffmpeg-4.4/libavcodec/h263data.c ffmpeg-4.4.2/libavcodec/h263data.c --- ffmpeg-4.4/libavcodec/h263data.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h263data.c 2022-04-14 21:13:38.000000000 +0100 @@ -25,8 +25,6 @@ #include -#include "libavutil/thread.h" - #include "h263data.h" #include "mpegvideo.h" @@ -290,15 +288,3 @@ { 0, 1 }, { 0, 1 }, }; - -static av_cold void h263_init_rl_inter(void) -{ - static uint8_t h263_rl_inter_table[2][2 * MAX_RUN + MAX_LEVEL + 3]; - ff_rl_init(&ff_h263_rl_inter, h263_rl_inter_table); -} - -av_cold void ff_h263_init_rl_inter(void) -{ - static AVOnce init_static_once = AV_ONCE_INIT; - ff_thread_once(&init_static_once, h263_init_rl_inter); -} diff -Nru ffmpeg-4.4/libavcodec/h263data.h ffmpeg-4.4.2/libavcodec/h263data.h --- ffmpeg-4.4/libavcodec/h263data.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h263data.h 2021-10-24 21:47:11.000000000 +0100 @@ -61,7 +61,6 @@ extern RLTable ff_h263_rl_inter; extern RLTable ff_rl_intra_aic; -void ff_h263_init_rl_inter(void); extern const uint16_t ff_h263_format[8][2]; diff -Nru ffmpeg-4.4/libavcodec/h263.h ffmpeg-4.4.2/libavcodec/h263.h --- ffmpeg-4.4/libavcodec/h263.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h263.h 2022-04-14 21:13:38.000000000 +0100 @@ -66,6 +66,7 @@ int *px, int *py); void ff_h263_encode_init(MpegEncContext *s); void ff_h263_decode_init_vlc(void); +void ff_h263_init_rl_inter(void); int ff_h263_decode_picture_header(MpegEncContext *s); int ff_h263_decode_gob_header(MpegEncContext *s); void ff_h263_update_motion_val(MpegEncContext * s); @@ -99,15 +100,16 @@ static inline int h263_get_motion_length(int val, int f_code){ - int l, bit_size, code; + int bit_size, code, sign; if (val == 0) { return ff_mvtab[0][1]; } else { bit_size = f_code - 1; /* modulo encoding */ - l= INT_BIT - 6 - bit_size; - val = (val<>l; + val = sign_extend(val, 6 + bit_size); + sign = val >> 31; + val = (val ^ sign) - sign; /* val = FFABS(val) */ val--; code = (val >> bit_size) + 1; diff -Nru ffmpeg-4.4/libavcodec/h264dec.c ffmpeg-4.4.2/libavcodec/h264dec.c --- ffmpeg-4.4/libavcodec/h264dec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h264dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -914,7 +914,7 @@ out->qscale_table, out->motion_val, NULL, - h->mb_width, h->mb_height, h->mb_stride, 1); + out->mb_width, out->mb_height, out->mb_stride, 1); } } diff -Nru ffmpeg-4.4/libavcodec/h264_slice.c ffmpeg-4.4.2/libavcodec/h264_slice.c --- ffmpeg-4.4/libavcodec/h264_slice.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/h264_slice.c 2022-04-14 21:13:38.000000000 +0100 @@ -1831,6 +1831,8 @@ if (nal->type == H264_NAL_IDR_SLICE) get_ue_golomb_long(&sl->gb); /* idr_pic_id */ + sl->poc_lsb = 0; + sl->delta_poc_bottom = 0; if (sps->poc_type == 0) { sl->poc_lsb = get_bits(&sl->gb, sps->log2_max_poc_lsb); @@ -1838,6 +1840,7 @@ sl->delta_poc_bottom = get_se_golomb(&sl->gb); } + sl->delta_poc[0] = sl->delta_poc[1] = 0; if (sps->poc_type == 1 && !sps->delta_pic_order_always_zero_flag) { sl->delta_poc[0] = get_se_golomb(&sl->gb); diff -Nru ffmpeg-4.4/libavcodec/hevc_sei.c ffmpeg-4.4.2/libavcodec/hevc_sei.c --- ffmpeg-4.4/libavcodec/hevc_sei.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/hevc_sei.c 2022-04-14 21:13:38.000000000 +0100 @@ -386,7 +386,7 @@ s->time_offset_length[i] = get_bits(gb, 5); if (s->time_offset_length[i] > 0) { - s->time_offset_value[i] = get_bits(gb, s->time_offset_length[i]); + s->time_offset_value[i] = get_bits_long(gb, s->time_offset_length[i]); } } } diff -Nru ffmpeg-4.4/libavcodec/iff.c ffmpeg-4.4.2/libavcodec/iff.c --- ffmpeg-4.4/libavcodec/iff.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/iff.c 2022-04-14 21:13:38.000000000 +0100 @@ -1848,7 +1848,8 @@ buf += s->planesize; } } - memcpy(frame->data[1], s->pal, 256 * 4); + if (avctx->pix_fmt == AV_PIX_FMT_PAL8) + memcpy(frame->data[1], s->pal, 256 * 4); } else if (s->ham) { int i, count = 1 << s->ham; diff -Nru ffmpeg-4.4/libavcodec/internal.h ffmpeg-4.4.2/libavcodec/internal.h --- ffmpeg-4.4/libavcodec/internal.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/internal.h 2022-04-14 21:13:38.000000000 +0100 @@ -78,6 +78,11 @@ * Codec handles avctx->thread_count == 0 (auto) internally. */ #define FF_CODEC_CAP_AUTO_THREADS (1 << 7) +/** + * Codec handles output frame properties internally instead of letting the + * internal logic derive them from AVCodecInternal.last_pkt_props. + */ +#define FF_CODEC_CAP_SETS_FRAME_PROPS (1 << 8) /** * AVCodec.codec_tags termination value diff -Nru ffmpeg-4.4/libavcodec/j2kenc.c ffmpeg-4.4.2/libavcodec/j2kenc.c --- ffmpeg-4.4/libavcodec/j2kenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/j2kenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -1679,7 +1679,7 @@ } token = av_strtok(s->lr_str, ",", &saveptr); - if (rate = strtol(token, NULL, 10)) { + if (token && (rate = strtol(token, NULL, 10))) { s->layer_rates[0] = rate <= 1 ? 0:rate; nlayers++; } else { diff -Nru ffmpeg-4.4/libavcodec/jpeg2000dec.c ffmpeg-4.4.2/libavcodec/jpeg2000dec.c --- ffmpeg-4.4/libavcodec/jpeg2000dec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/jpeg2000dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -2361,6 +2361,8 @@ atom_size >= 16) { uint32_t atom2_size, atom2, atom2_end; do { + if (bytestream2_get_bytes_left(&s->g) < 8) + break; atom2_size = bytestream2_get_be32u(&s->g); atom2 = bytestream2_get_be32u(&s->g); atom2_end = bytestream2_tell(&s->g) + atom2_size - 8; diff -Nru ffmpeg-4.4/libavcodec/jpeglsdec.c ffmpeg-4.4.2/libavcodec/jpeglsdec.c --- ffmpeg-4.4/libavcodec/jpeglsdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/jpeglsdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -67,7 +67,7 @@ s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -122,7 +122,7 @@ s->avctx->pix_fmt = AV_PIX_FMT_PAL8; for (i=s->palette_index; i<=maxtab; i++) { uint8_t k = i << shift; - pal[k] = 0; + pal[k] = wt < 4 ? 0xFF000000 : 0; for (j=0; jgb, 8) << (8*(wt-j-1)); } @@ -186,7 +186,7 @@ if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN @@ -195,6 +195,8 @@ #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; @@ -209,7 +211,7 @@ ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; diff -Nru ffmpeg-4.4/libavcodec/libdav1d.c ffmpeg-4.4.2/libavcodec/libdav1d.c --- ffmpeg-4.4/libavcodec/libdav1d.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/libdav1d.c 2022-04-14 21:13:48.000000000 +0100 @@ -33,6 +33,9 @@ #include "decode.h" #include "internal.h" +#define FF_DAV1D_VERSION_AT_LEAST(x,y) \ + (DAV1D_API_VERSION_MAJOR > (x) || DAV1D_API_VERSION_MAJOR == (x) && DAV1D_API_VERSION_MINOR >= (y)) + typedef struct Libdav1dContext { AVClass *class; Dav1dContext *c; @@ -124,7 +127,11 @@ { Libdav1dContext *dav1d = c->priv_data; Dav1dSettings s; +#if FF_DAV1D_VERSION_AT_LEAST(6,0) + int threads = c->thread_count; +#else int threads = (c->thread_count ? c->thread_count : av_cpu_count()) * 3 / 2; +#endif int res; av_log(c, AV_LOG_INFO, "libdav1d %s\n", dav1d_version()); @@ -145,6 +152,15 @@ if (dav1d->operating_point >= 0) s.operating_point = dav1d->operating_point; +#if FF_DAV1D_VERSION_AT_LEAST(6,0) + if (dav1d->frame_threads || dav1d->tile_threads) + s.n_threads = FFMAX(dav1d->frame_threads, dav1d->tile_threads); + else + s.n_threads = FFMIN(threads, DAV1D_MAX_THREADS); + s.max_frame_delay = (c->flags & AV_CODEC_FLAG_LOW_DELAY) ? 1 : 0; + av_log(c, AV_LOG_DEBUG, "Using %d threads, %d max_frame_delay\n", + s.n_threads, s.max_frame_delay); +#else s.n_tile_threads = dav1d->tile_threads ? dav1d->tile_threads : FFMIN(floor(sqrt(threads)), DAV1D_MAX_TILE_THREADS); @@ -153,6 +169,7 @@ : FFMIN(ceil(threads / s.n_tile_threads), DAV1D_MAX_FRAME_THREADS); av_log(c, AV_LOG_DEBUG, "Using %d frame threads, %d tile threads\n", s.n_frame_threads, s.n_tile_threads); +#endif res = dav1d_open(&dav1d->c, &s); if (res < 0) @@ -231,8 +248,10 @@ if (res < 0) { if (res == AVERROR(EINVAL)) res = AVERROR_INVALIDDATA; - if (res != AVERROR(EAGAIN)) + if (res != AVERROR(EAGAIN)) { + dav1d_data_unref(data); return res; + } } res = dav1d_get_picture(dav1d->c, p); @@ -456,6 +475,13 @@ return 0; } +#ifndef DAV1D_MAX_FRAME_THREADS +#define DAV1D_MAX_FRAME_THREADS DAV1D_MAX_THREADS +#endif +#ifndef DAV1D_MAX_TILE_THREADS +#define DAV1D_MAX_TILE_THREADS DAV1D_MAX_THREADS +#endif + #define OFFSET(x) offsetof(Libdav1dContext, x) #define VD AV_OPT_FLAG_VIDEO_PARAM | AV_OPT_FLAG_DECODING_PARAM static const AVOption libdav1d_options[] = { diff -Nru ffmpeg-4.4/libavcodec/libkvazaar.c ffmpeg-4.4.2/libavcodec/libkvazaar.c --- ffmpeg-4.4/libavcodec/libkvazaar.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/libkvazaar.c 2022-04-14 21:13:38.000000000 +0100 @@ -210,13 +210,19 @@ // Copy pixels from frame to input_pic. { + uint8_t *dst[4] = { + input_pic->data[0], + input_pic->data[1], + input_pic->data[2], + NULL, + }; int dst_linesizes[4] = { frame->width, frame->width / 2, frame->width / 2, 0 }; - av_image_copy(input_pic->data, dst_linesizes, + av_image_copy(dst, dst_linesizes, (const uint8_t **)frame->data, frame->linesize, frame->format, frame->width, frame->height); } diff -Nru ffmpeg-4.4/libavcodec/libopenh264dec.c ffmpeg-4.4.2/libavcodec/libopenh264dec.c --- ffmpeg-4.4/libavcodec/libopenh264dec.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/libopenh264dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -91,8 +91,8 @@ { SVCContext *s = avctx->priv_data; SBufferInfo info = { 0 }; - uint8_t* ptrs[3]; - int ret, linesize[3]; + uint8_t *ptrs[4] = { NULL }; + int ret, linesize[4]; AVFrame *avframe = data; DECODING_STATE state; #if OPENH264_VER_AT_LEAST(1, 7) @@ -140,6 +140,7 @@ linesize[0] = info.UsrData.sSystemBuffer.iStride[0]; linesize[1] = linesize[2] = info.UsrData.sSystemBuffer.iStride[1]; + linesize[3] = 0; av_image_copy(avframe->data, avframe->linesize, (const uint8_t **) ptrs, linesize, avctx->pix_fmt, avctx->width, avctx->height); avframe->pts = info.uiOutYuvTimeStamp; diff -Nru ffmpeg-4.4/libavcodec/libuavs3d.c ffmpeg-4.4.2/libavcodec/libuavs3d.c --- ffmpeg-4.4/libavcodec/libuavs3d.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/libuavs3d.c 2022-04-14 21:13:48.000000000 +0100 @@ -208,7 +208,9 @@ } avctx->has_b_frames = !seqh->low_delay; avctx->pix_fmt = seqh->bit_depth_internal == 8 ? AV_PIX_FMT_YUV420P : AV_PIX_FMT_YUV420P10LE; - ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size); + ret = ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size); + if (ret < 0) + return ret; h->got_seqhdr = 1; if (seqh->colour_description) { diff -Nru ffmpeg-4.4/libavcodec/lpc.c ffmpeg-4.4.2/libavcodec/lpc.c --- ffmpeg-4.4/libavcodec/lpc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/lpc.c 2021-10-24 21:47:11.000000000 +0100 @@ -189,7 +189,7 @@ compute_ref_coefs(autoc, order, ref, error); for (i = 0; i < order; i++) avg_err = (avg_err + error[i])/2.0f; - return signal/avg_err; + return avg_err ? signal/avg_err : NAN; } /** diff -Nru ffmpeg-4.4/libavcodec/lpc.h ffmpeg-4.4.2/libavcodec/lpc.h --- ffmpeg-4.4/libavcodec/lpc.h 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/lpc.h 2021-10-24 21:47:11.000000000 +0100 @@ -143,7 +143,7 @@ gen0[i] = gen1[i] = autoc[i + 1]; err = autoc[0]; - ref[0] = -gen1[0] / err; + ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[0]; if (error) error[0] = err; @@ -152,7 +152,7 @@ gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j]; gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j]; } - ref[i] = -gen1[0] / err; + ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1); err += gen1[0] * ref[i]; if (error) error[i] = err; @@ -186,7 +186,8 @@ for(j=0; jgot_picture = 0; s->adobe_transform = -1; + s->buf_size = buf_size; read_header: /* reset on every SOI */ @@ -119,9 +120,13 @@ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs)); s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16)); s->start_code = SOS; - ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); - if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) - return ret; + if (avctx->skip_frame == AVDISCARD_ALL) { + skip_bits(&s->gb, get_bits_left(&s->gb)); + } else { + ret = ff_mjpeg_decode_sos(s, NULL, 0, NULL); + if (ret < 0 && (avctx->err_recognition & AV_EF_EXPLODE)) + return ret; + } } if (s->interlaced) { diff -Nru ffmpeg-4.4/libavcodec/mjpegdec.c ffmpeg-4.4.2/libavcodec/mjpegdec.c --- ffmpeg-4.4/libavcodec/mjpegdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/mjpegdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1573,6 +1573,9 @@ else ret = decode_block_progressive(s, *block, last_nnz, s->ac_index[0], quant_matrix, ss, se, Al, &EOBRUN); + + if (ret >= 0 && get_bits_left(&s->gb) < 0) + ret = AVERROR_INVALIDDATA; if (ret < 0) { av_log(s->avctx, AV_LOG_ERROR, "error y=%d x=%d\n", mb_y, mb_x); diff -Nru ffmpeg-4.4/libavcodec/motion_est.c ffmpeg-4.4.2/libavcodec/motion_est.c --- ffmpeg-4.4/libavcodec/motion_est.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/motion_est.c 2022-04-14 21:13:48.000000000 +0100 @@ -1614,7 +1614,7 @@ for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1622,16 +1622,15 @@ fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) score[j]-= 170; } } - xy++; } } diff -Nru ffmpeg-4.4/libavcodec/movtextenc.c ffmpeg-4.4.2/libavcodec/movtextenc.c --- ffmpeg-4.4/libavcodec/movtextenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/movtextenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -85,7 +85,7 @@ uint8_t box_flags; StyleBox d; uint16_t text_pos; - uint16_t byte_count; + unsigned byte_count; char **fonts; int font_count; double font_scale_factor; @@ -585,9 +585,9 @@ mov_text_ass_style_set(s, style); } -static uint16_t utf8_strlen(const char *text, int len) +static unsigned utf8_strlen(const char *text, int len) { - uint16_t i = 0, ret = 0; + unsigned i = 0, ret = 0; while (i < len) { char c = text[i]; if ((c & 0x80) == 0) @@ -607,7 +607,7 @@ static void mov_text_text_cb(void *priv, const char *text, int len) { - uint16_t utf8_len = utf8_strlen(text, len); + unsigned utf8_len = utf8_strlen(text, len); MovTextContext *s = priv; av_bprint_append_data(&s->buffer, text, len); // If it's not utf-8, just use the byte length diff -Nru ffmpeg-4.4/libavcodec/mpeg12dec.c ffmpeg-4.4.2/libavcodec/mpeg12dec.c --- ffmpeg-4.4/libavcodec/mpeg12dec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/mpeg12dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1538,6 +1538,10 @@ s->mpeg_f_code[0][1] = get_bits(&s->gb, 4); s->mpeg_f_code[1][0] = get_bits(&s->gb, 4); s->mpeg_f_code[1][1] = get_bits(&s->gb, 4); + s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; + s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; + s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; + s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; if (!s->pict_type && s1->mpeg_enc_ctx_allocated) { av_log(s->avctx, AV_LOG_ERROR, "Missing picture start code, guessing missing values\n"); @@ -1551,10 +1555,6 @@ s->current_picture.f->pict_type = s->pict_type; s->current_picture.f->key_frame = s->pict_type == AV_PICTURE_TYPE_I; } - s->mpeg_f_code[0][0] += !s->mpeg_f_code[0][0]; - s->mpeg_f_code[0][1] += !s->mpeg_f_code[0][1]; - s->mpeg_f_code[1][0] += !s->mpeg_f_code[1][0]; - s->mpeg_f_code[1][1] += !s->mpeg_f_code[1][1]; s->intra_dc_precision = get_bits(&s->gb, 2); s->picture_structure = get_bits(&s->gb, 2); diff -Nru ffmpeg-4.4/libavcodec/mpegvideo_enc.c ffmpeg-4.4.2/libavcodec/mpegvideo_enc.c --- ffmpeg-4.4/libavcodec/mpegvideo_enc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/mpegvideo_enc.c 2022-04-14 21:13:38.000000000 +0100 @@ -509,9 +509,13 @@ if (!s->fixed_qscale && avctx->bit_rate * av_q2d(avctx->time_base) > avctx->bit_rate_tolerance) { + double nbt = avctx->bit_rate * av_q2d(avctx->time_base) * 5; av_log(avctx, AV_LOG_WARNING, "bitrate tolerance %d too small for bitrate %"PRId64", overriding\n", avctx->bit_rate_tolerance, avctx->bit_rate); - avctx->bit_rate_tolerance = 5 * avctx->bit_rate * av_q2d(avctx->time_base); + if (nbt <= INT_MAX) { + avctx->bit_rate_tolerance = nbt; + } else + avctx->bit_rate_tolerance = INT_MAX; } if (avctx->rc_max_rate && @@ -2016,6 +2020,7 @@ break; default: av_log(avctx, AV_LOG_ERROR, "vbv buffer overflow\n"); + s->stuffing_bits = 0; } flush_put_bits(&s->pb); s->frame_bits = put_bits_count(&s->pb); diff -Nru ffmpeg-4.4/libavcodec/mxpegdec.c ffmpeg-4.4.2/libavcodec/mxpegdec.c --- ffmpeg-4.4/libavcodec/mxpegdec.c 2021-04-08 22:28:27.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/mxpegdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -193,6 +193,9 @@ int start_code; int ret; + if (avctx->skip_frame == AVDISCARD_ALL) + return AVERROR_PATCHWELCOME; + buf_ptr = buf; buf_end = buf + buf_size; jpg->got_picture = 0; diff -Nru ffmpeg-4.4/libavcodec/nellymoserenc.c ffmpeg-4.4.2/libavcodec/nellymoserenc.c --- ffmpeg-4.4/libavcodec/nellymoserenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/nellymoserenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -138,10 +138,8 @@ ff_mdct_end(&s->mdct_ctx); - if (s->avctx->trellis) { - av_freep(&s->opt); - av_freep(&s->path); - } + av_freep(&s->opt); + av_freep(&s->path); ff_af_queue_close(&s->afq); av_freep(&s->fdsp); diff -Nru ffmpeg-4.4/libavcodec/nvenc.c ffmpeg-4.4.2/libavcodec/nvenc.c --- ffmpeg-4.4/libavcodec/nvenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/nvenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -144,6 +144,70 @@ return ret; } +typedef struct GUIDTuple { + const GUID guid; + int flags; +} GUIDTuple; + +#define PRESET_ALIAS(alias, name, ...) \ + [PRESET_ ## alias] = { NV_ENC_PRESET_ ## name ## _GUID, __VA_ARGS__ } + +#define PRESET(name, ...) PRESET_ALIAS(name, name, __VA_ARGS__) + +static void nvenc_map_preset(NvencContext *ctx) +{ + GUIDTuple presets[] = { +#ifdef NVENC_HAVE_NEW_PRESETS + PRESET(P1), + PRESET(P2), + PRESET(P3), + PRESET(P4), + PRESET(P5), + PRESET(P6), + PRESET(P7), + PRESET_ALIAS(SLOW, P7, NVENC_TWO_PASSES), + PRESET_ALIAS(MEDIUM, P4, NVENC_ONE_PASS), + PRESET_ALIAS(FAST, P1, NVENC_ONE_PASS), + // Compat aliases + PRESET_ALIAS(DEFAULT, P4, NVENC_DEPRECATED_PRESET), + PRESET_ALIAS(HP, P1, NVENC_DEPRECATED_PRESET), + PRESET_ALIAS(HQ, P7, NVENC_DEPRECATED_PRESET), + PRESET_ALIAS(BD, P5, NVENC_DEPRECATED_PRESET), + PRESET_ALIAS(LOW_LATENCY_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), + PRESET_ALIAS(LOW_LATENCY_HP, P1, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), + PRESET_ALIAS(LOW_LATENCY_HQ, P7, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), + PRESET_ALIAS(LOSSLESS_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS), + PRESET_ALIAS(LOSSLESS_HP, P1, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS), +#else + PRESET(DEFAULT), + PRESET(HP), + PRESET(HQ), + PRESET(BD), + PRESET_ALIAS(SLOW, HQ, NVENC_TWO_PASSES), + PRESET_ALIAS(MEDIUM, HQ, NVENC_ONE_PASS), + PRESET_ALIAS(FAST, HP, NVENC_ONE_PASS), + PRESET(LOW_LATENCY_DEFAULT, NVENC_LOWLATENCY), + PRESET(LOW_LATENCY_HP, NVENC_LOWLATENCY), + PRESET(LOW_LATENCY_HQ, NVENC_LOWLATENCY), + PRESET(LOSSLESS_DEFAULT, NVENC_LOSSLESS), + PRESET(LOSSLESS_HP, NVENC_LOSSLESS), +#endif + }; + + GUIDTuple *t = &presets[ctx->preset]; + + ctx->init_encode_params.presetGUID = t->guid; + ctx->flags = t->flags; + +#ifdef NVENC_HAVE_NEW_PRESETS + if (ctx->tuning_info == NV_ENC_TUNING_INFO_LOSSLESS) + ctx->flags |= NVENC_LOSSLESS; +#endif +} + +#undef PRESET +#undef PRESET_ALIAS + static void nvenc_print_driver_requirement(AVCodecContext *avctx, int level) { #if NVENCAPI_CHECK_VERSION(11, 1) @@ -358,7 +422,7 @@ } ret = nvenc_check_cap(avctx, NV_ENC_CAPS_SUPPORT_LOSSLESS_ENCODE); - if (ctx->preset >= PRESET_LOSSLESS_DEFAULT && ret <= 0) { + if (ctx->flags & NVENC_LOSSLESS && ret <= 0) { av_log(avctx, AV_LOG_WARNING, "Lossless encoding not supported\n"); return AVERROR(ENOSYS); } @@ -548,6 +612,11 @@ return AVERROR_BUG; } + nvenc_map_preset(ctx); + + if (ctx->flags & NVENC_DEPRECATED_PRESET) + av_log(avctx, AV_LOG_WARNING, "The selected preset is deprecated. Use p1 to p7 + -tune or fast/medium/slow.\n"); + if (avctx->pix_fmt == AV_PIX_FMT_CUDA || avctx->pix_fmt == AV_PIX_FMT_D3D11 || avctx->hw_frames_ctx || avctx->hw_device_ctx) { AVHWFramesContext *frames_ctx; AVHWDeviceContext *hwdev_ctx; @@ -638,65 +707,6 @@ return 0; } -typedef struct GUIDTuple { - const GUID guid; - int flags; -} GUIDTuple; - -#define PRESET_ALIAS(alias, name, ...) \ - [PRESET_ ## alias] = { NV_ENC_PRESET_ ## name ## _GUID, __VA_ARGS__ } - -#define PRESET(name, ...) PRESET_ALIAS(name, name, __VA_ARGS__) - -static void nvenc_map_preset(NvencContext *ctx) -{ - GUIDTuple presets[] = { -#ifdef NVENC_HAVE_NEW_PRESETS - PRESET(P1), - PRESET(P2), - PRESET(P3), - PRESET(P4), - PRESET(P5), - PRESET(P6), - PRESET(P7), - PRESET_ALIAS(SLOW, P7, NVENC_TWO_PASSES), - PRESET_ALIAS(MEDIUM, P4, NVENC_ONE_PASS), - PRESET_ALIAS(FAST, P1, NVENC_ONE_PASS), - // Compat aliases - PRESET_ALIAS(DEFAULT, P4, NVENC_DEPRECATED_PRESET), - PRESET_ALIAS(HP, P1, NVENC_DEPRECATED_PRESET), - PRESET_ALIAS(HQ, P7, NVENC_DEPRECATED_PRESET), - PRESET_ALIAS(BD, P5, NVENC_DEPRECATED_PRESET), - PRESET_ALIAS(LOW_LATENCY_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), - PRESET_ALIAS(LOW_LATENCY_HP, P1, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), - PRESET_ALIAS(LOW_LATENCY_HQ, P7, NVENC_DEPRECATED_PRESET | NVENC_LOWLATENCY), - PRESET_ALIAS(LOSSLESS_DEFAULT, P4, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS), - PRESET_ALIAS(LOSSLESS_HP, P1, NVENC_DEPRECATED_PRESET | NVENC_LOSSLESS), -#else - PRESET(DEFAULT), - PRESET(HP), - PRESET(HQ), - PRESET(BD), - PRESET_ALIAS(SLOW, HQ, NVENC_TWO_PASSES), - PRESET_ALIAS(MEDIUM, HQ, NVENC_ONE_PASS), - PRESET_ALIAS(FAST, HP, NVENC_ONE_PASS), - PRESET(LOW_LATENCY_DEFAULT, NVENC_LOWLATENCY), - PRESET(LOW_LATENCY_HP, NVENC_LOWLATENCY), - PRESET(LOW_LATENCY_HQ, NVENC_LOWLATENCY), - PRESET(LOSSLESS_DEFAULT, NVENC_LOSSLESS), - PRESET(LOSSLESS_HP, NVENC_LOSSLESS), -#endif - }; - - GUIDTuple *t = &presets[ctx->preset]; - - ctx->init_encode_params.presetGUID = t->guid; - ctx->flags = t->flags; -} - -#undef PRESET -#undef PRESET_ALIAS - static av_cold void set_constqp(AVCodecContext *avctx) { NvencContext *ctx = avctx->priv_data; @@ -1254,18 +1264,15 @@ ctx->init_encode_params.encodeConfig = &ctx->encode_config; - nvenc_map_preset(ctx); - - if (ctx->flags & NVENC_DEPRECATED_PRESET) - av_log(avctx, AV_LOG_WARNING, "The selected preset is deprecated. Use p1 to p7 + -tune or fast/medium/slow.\n"); - preset_config.version = NV_ENC_PRESET_CONFIG_VER; preset_config.presetCfg.version = NV_ENC_CONFIG_VER; #ifdef NVENC_HAVE_NEW_PRESETS ctx->init_encode_params.tuningInfo = ctx->tuning_info; - if (ctx->flags & NVENC_LOWLATENCY) + if (ctx->flags & NVENC_LOSSLESS) + ctx->init_encode_params.tuningInfo = NV_ENC_TUNING_INFO_LOSSLESS; + else if (ctx->flags & NVENC_LOWLATENCY) ctx->init_encode_params.tuningInfo = NV_ENC_TUNING_INFO_LOW_LATENCY; nv_status = p_nvenc->nvEncGetEncodePresetConfigEx(ctx->nvencoder, @@ -1307,9 +1314,6 @@ * */ if (ctx->rc_lookahead == 0 && ctx->encode_config.rcParams.enableLookahead) ctx->rc_lookahead = ctx->encode_config.rcParams.lookaheadDepth; - - if (ctx->init_encode_params.tuningInfo == NV_ENC_TUNING_INFO_LOSSLESS) - ctx->flags |= NVENC_LOSSLESS; #endif if (ctx->weighted_pred == 1) @@ -1756,7 +1760,7 @@ NV_ENCODE_API_FUNCTION_LIST *p_nvenc = &dl_fn->nvenc_funcs; AVHWFramesContext *frames_ctx = (AVHWFramesContext*)frame->hw_frames_ctx->data; - NV_ENC_REGISTER_RESOURCE reg; + NV_ENC_REGISTER_RESOURCE reg = { 0 }; int i, idx, ret; for (i = 0; i < ctx->nb_registered_frames; i++) { diff -Nru ffmpeg-4.4/libavcodec/nvenc.h ffmpeg-4.4.2/libavcodec/nvenc.h --- ffmpeg-4.4/libavcodec/nvenc.h 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/nvenc.h 2022-04-14 21:13:38.000000000 +0100 @@ -103,7 +103,7 @@ PRESET_LOW_LATENCY_DEFAULT , PRESET_LOW_LATENCY_HQ , PRESET_LOW_LATENCY_HP, - PRESET_LOSSLESS_DEFAULT, // lossless presets must be the last ones + PRESET_LOSSLESS_DEFAULT, PRESET_LOSSLESS_HP, #ifdef NVENC_HAVE_NEW_PRESETS PRESET_P1, diff -Nru ffmpeg-4.4/libavcodec/nvenc_hevc.c ffmpeg-4.4.2/libavcodec/nvenc_hevc.c --- ffmpeg-4.4/libavcodec/nvenc_hevc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/nvenc_hevc.c 2022-04-14 21:13:38.000000000 +0100 @@ -148,7 +148,7 @@ { "middle", "", 0, AV_OPT_TYPE_CONST, { .i64 = 2 }, 0, 0, VE, "b_ref_mode" }, #endif { "a53cc", "Use A53 Closed Captions (if available)", OFFSET(a53_cc), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, VE }, - { "s12m_tc", "Use timecode (if available)", OFFSET(s12m_tc), AV_OPT_TYPE_BOOL, { .i64 = 1 }, 0, 1, VE }, + { "s12m_tc", "Use timecode (if available)", OFFSET(s12m_tc), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VE }, { "dpb_size", "Specifies the DPB size used for encoding (0 means automatic)", OFFSET(dpb_size), AV_OPT_TYPE_INT, { .i64 = 0 }, 0, INT_MAX, VE }, #ifdef NVENC_HAVE_MULTIPASS diff -Nru ffmpeg-4.4/libavcodec/opus_silk.c ffmpeg-4.4.2/libavcodec/opus_silk.c --- ffmpeg-4.4/libavcodec/opus_silk.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavcodec/opus_silk.c 2022-01-14 18:45:25.000000000 +0000 @@ -198,7 +198,8 @@ } } -static void silk_lsp2poly(const int32_t lsp[16], int32_t pol[16], int half_order) +static void silk_lsp2poly(const int32_t lsp[/* 2 * half_order - 1 */], + int32_t pol[/* half_order + 1 */], int half_order) { int i, j; diff -Nru ffmpeg-4.4/libavcodec/pixlet.c ffmpeg-4.4.2/libavcodec/pixlet.c --- ffmpeg-4.4/libavcodec/pixlet.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/pixlet.c 2022-04-14 21:13:48.000000000 +0100 @@ -405,7 +405,7 @@ (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -416,7 +416,7 @@ (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } diff -Nru ffmpeg-4.4/libavcodec/pngdec.c ffmpeg-4.4.2/libavcodec/pngdec.c --- ffmpeg-4.4/libavcodec/pngdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/pngdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1644,7 +1644,7 @@ if (!(avctx->active_thread_type & FF_THREAD_FRAME)) { if (s->dispose_op == APNG_DISPOSE_OP_PREVIOUS) { ff_thread_release_buffer(avctx, &s->picture); - } else if (s->dispose_op == APNG_DISPOSE_OP_NONE) { + } else { ff_thread_release_buffer(avctx, &s->last_picture); FFSWAP(ThreadFrame, s->picture, s->last_picture); } @@ -1693,8 +1693,8 @@ pdst->hdr_state |= psrc->hdr_state; } - src_frame = psrc->dispose_op == APNG_DISPOSE_OP_NONE ? - &psrc->picture : &psrc->last_picture; + src_frame = psrc->dispose_op == APNG_DISPOSE_OP_PREVIOUS ? + &psrc->last_picture : &psrc->picture; ff_thread_release_buffer(dst, &pdst->last_picture); if (src_frame && src_frame->f->data[0]) { diff -Nru ffmpeg-4.4/libavcodec/rasc.c ffmpeg-4.4.2/libavcodec/rasc.c --- ffmpeg-4.4/libavcodec/rasc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/rasc.c 2022-04-14 21:13:38.000000000 +0100 @@ -722,6 +722,7 @@ break; default: bytestream2_skip(gb, size); + ret = 0; } if (ret < 0) diff -Nru ffmpeg-4.4/libavcodec/rv10.c ffmpeg-4.4.2/libavcodec/rv10.c --- ffmpeg-4.4/libavcodec/rv10.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/rv10.c 2022-04-14 21:13:38.000000000 +0100 @@ -154,7 +154,7 @@ return mb_count; } -static int rv20_decode_picture_header(RVDecContext *rv) +static int rv20_decode_picture_header(RVDecContext *rv, int whole_size) { MpegEncContext *s = &rv->m; int seq, mb_pos, i, ret; @@ -232,6 +232,10 @@ "attempting to change resolution to %dx%d\n", new_w, new_h); if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; + + if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8) + return AVERROR_INVALIDDATA; + ff_mpv_common_end(s); // attempt to keep aspect during typical resolution switches @@ -447,7 +451,7 @@ if (s->codec_id == AV_CODEC_ID_RV10) mb_count = rv10_decode_picture_header(s); else - mb_count = rv20_decode_picture_header(rv); + mb_count = rv20_decode_picture_header(rv, whole_size); if (mb_count < 0) { if (mb_count != ERROR_SKIP_FRAME) av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n"); diff -Nru ffmpeg-4.4/libavcodec/sbrdsp_fixed.c ffmpeg-4.4.2/libavcodec/sbrdsp_fixed.c --- ffmpeg-4.4/libavcodec/sbrdsp_fixed.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/sbrdsp_fixed.c 2021-10-24 21:47:11.000000000 +0100 @@ -87,7 +87,7 @@ { int i; for (i = 1; i < 64; i += 2) - x[i] = -x[i]; + x[i] = -(unsigned)x[i]; } static void sbr_qmf_pre_shuffle_c(int *z) diff -Nru ffmpeg-4.4/libavcodec/snowdec.c ffmpeg-4.4.2/libavcodec/snowdec.c --- ffmpeg-4.4/libavcodec/snowdec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/snowdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -493,9 +493,17 @@ s->spatial_decomposition_count ); - av_assert0(!s->avmv); if (s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_MVS) { - s->avmv = av_malloc_array(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2)); + size_t size; + res = av_size_mult(s->b_width * s->b_height, sizeof(AVMotionVector) << (s->block_max_depth*2), &size); + if (res) + return res; + av_fast_malloc(&s->avmv, &s->avmv_size, size); + if (!s->avmv) + return AVERROR(ENOMEM); + } else { + s->avmv_size = 0; + av_freep(&s->avmv); } s->avmv_index = 0; @@ -624,8 +632,6 @@ memcpy(sd->data, s->avmv, s->avmv_index * sizeof(AVMotionVector)); } - av_freep(&s->avmv); - if (res < 0) return res; @@ -645,6 +651,9 @@ ff_snow_common_end(s); + s->avmv_size = 0; + av_freep(&s->avmv); + return 0; } diff -Nru ffmpeg-4.4/libavcodec/snow.h ffmpeg-4.4.2/libavcodec/snow.h --- ffmpeg-4.4/libavcodec/snow.h 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/snow.h 2022-04-14 21:13:38.000000000 +0100 @@ -186,6 +186,7 @@ uint8_t *emu_edge_buffer; AVMotionVector *avmv; + unsigned avmv_size; int avmv_index; uint64_t encoding_error[AV_NUM_DATA_POINTERS]; diff -Nru ffmpeg-4.4/libavcodec/sonic.c ffmpeg-4.4.2/libavcodec/sonic.c --- ffmpeg-4.4/libavcodec/sonic.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/sonic.c 2022-04-14 21:13:48.000000000 +0100 @@ -1004,7 +1004,7 @@ // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; diff -Nru ffmpeg-4.4/libavcodec/svq1enc.c ffmpeg-4.4.2/libavcodec/svq1enc.c --- ffmpeg-4.4/libavcodec/svq1enc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/svq1enc.c 2022-04-14 21:13:38.000000000 +0100 @@ -487,9 +487,10 @@ SVQ1EncContext *const s = avctx->priv_data; int i; - av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", - s->rd_total / (double)(avctx->width * avctx->height * - avctx->frame_number)); + if (avctx->frame_number) + av_log(avctx, AV_LOG_DEBUG, "RD: %f\n", + s->rd_total / (double)(avctx->width * avctx->height * + avctx->frame_number)); s->m.mb_type = NULL; ff_mpv_common_end(&s->m); diff -Nru ffmpeg-4.4/libavcodec/takdsp.c ffmpeg-4.4.2/libavcodec/takdsp.c --- ffmpeg-4.4/libavcodec/takdsp.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavcodec/takdsp.c 2022-04-14 21:13:48.000000000 +0100 @@ -65,7 +65,7 @@ for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } diff -Nru ffmpeg-4.4/libavcodec/tiff.c ffmpeg-4.4.2/libavcodec/tiff.c --- ffmpeg-4.4/libavcodec/tiff.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/tiff.c 2022-04-14 21:13:48.000000000 +0100 @@ -735,19 +735,6 @@ return 0; } -static int dng_decode_strip(AVCodecContext *avctx, AVFrame *frame) -{ - TiffContext *s = avctx->priv_data; - - s->jpgframe->width = s->width; - s->jpgframe->height = s->height; - - s->avctx_mjpeg->width = s->width; - s->avctx_mjpeg->height = s->height; - - return dng_decode_jpeg(avctx, frame, s->stripsize, 0, 0, s->width, s->height); -} - static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int stride, const uint8_t *src, int size, int strip_start, int lines) { @@ -869,7 +856,7 @@ av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n"); return AVERROR_PATCHWELCOME; } - if ((ret = dng_decode_strip(s->avctx, p)) < 0) + if ((ret = dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, s->height)) < 0) return ret; return 0; } @@ -987,12 +974,6 @@ int pos_x = 0, pos_y = 0; int ret; - s->jpgframe->width = s->tile_width; - s->jpgframe->height = s->tile_length; - - s->avctx_mjpeg->width = s->tile_width; - s->avctx_mjpeg->height = s->tile_length; - has_width_leftover = (s->width % s->tile_width != 0); has_height_leftover = (s->height % s->tile_length != 0); @@ -2169,6 +2150,7 @@ s->avctx_mjpeg->flags2 = avctx->flags2; s->avctx_mjpeg->dct_algo = avctx->dct_algo; s->avctx_mjpeg->idct_algo = avctx->idct_algo; + s->avctx_mjpeg->max_pixels = avctx->max_pixels; ret = avcodec_open2(s->avctx_mjpeg, codec, NULL); if (ret < 0) { return ret; diff -Nru ffmpeg-4.4/libavcodec/ttadata.c ffmpeg-4.4.2/libavcodec/ttadata.c --- ffmpeg-4.4/libavcodec/ttadata.c 2020-04-27 22:48:15.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/ttadata.c 2021-10-24 21:47:11.000000000 +0100 @@ -30,7 +30,8 @@ 0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000, 0x20000000, 0x40000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, 0x80000000, - 0x80000000, 0x80000000, 0x80000000, 0x80000000 + 0x80000000, 0x80000000, 0x80000000, 0x80000000, + 0xFFFFFFFF }; const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4; diff -Nru ffmpeg-4.4/libavcodec/ttadsp.c ffmpeg-4.4.2/libavcodec/ttadsp.c --- ffmpeg-4.4/libavcodec/ttadsp.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/ttadsp.c 2021-10-24 21:47:11.000000000 +0100 @@ -47,9 +47,9 @@ *error = *in; *in += (round >> shift); - dl[4] = -dl[5]; dl[5] = -dl[6]; - dl[6] = *in - dl[7]; dl[7] = *in; - dl[5] += dl[6]; dl[4] += dl[5]; + dl[4] = -(unsigned)dl[5]; dl[5] = -(unsigned)dl[6]; + dl[6] = *in -(unsigned)dl[7]; dl[7] = *in; + dl[5] += (unsigned)dl[6]; dl[4] += (unsigned)dl[5]; } av_cold void ff_ttadsp_init(TTADSPContext *c) diff -Nru ffmpeg-4.4/libavcodec/ttmlenc.c ffmpeg-4.4.2/libavcodec/ttmlenc.c --- ffmpeg-4.4/libavcodec/ttmlenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/ttmlenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -206,5 +206,5 @@ .init = ttml_encode_init, .encode_sub = ttml_encode_frame, .close = ttml_encode_close, - .capabilities = FF_CODEC_CAP_INIT_CLEANUP, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; diff -Nru ffmpeg-4.4/libavcodec/utils.c ffmpeg-4.4.2/libavcodec/utils.c --- ffmpeg-4.4/libavcodec/utils.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/utils.c 2022-04-14 21:13:38.000000000 +0100 @@ -268,10 +268,21 @@ h_align = 4; } if (s->codec_id == AV_CODEC_ID_JV || + s->codec_id == AV_CODEC_ID_ARGO || s->codec_id == AV_CODEC_ID_INTERPLAY_VIDEO) { w_align = 8; h_align = 8; } + if (s->codec_id == AV_CODEC_ID_MJPEG || + s->codec_id == AV_CODEC_ID_MJPEGB || + s->codec_id == AV_CODEC_ID_LJPEG || + s->codec_id == AV_CODEC_ID_SMVJPEG || + s->codec_id == AV_CODEC_ID_AMV || + s->codec_id == AV_CODEC_ID_SP5X || + s->codec_id == AV_CODEC_ID_JPEGLS) { + w_align = 8; + h_align = 2*8; + } break; case AV_PIX_FMT_BGR24: if ((s->codec_id == AV_CODEC_ID_MSZH) || @@ -286,6 +297,12 @@ h_align = 4; } break; + case AV_PIX_FMT_BGR0: + if (s->codec_id == AV_CODEC_ID_ARGO) { + w_align = 8; + h_align = 8; + } + break; default: break; } @@ -739,7 +756,7 @@ case AV_CODEC_ID_ADPCM_THP: case AV_CODEC_ID_ADPCM_THP_LE: if (extradata) - return frame_bytes * 14 / (8 * ch); + return frame_bytes * 14LL / (8 * ch); break; case AV_CODEC_ID_ADPCM_XA: return (frame_bytes / 128) * 224 / ch; @@ -773,21 +790,33 @@ if (ba > 0) { /* calc from frame_bytes, channels, and block_align */ int blocks = frame_bytes / ba; + int64_t tmp = 0; switch (id) { case AV_CODEC_ID_ADPCM_IMA_WAV: if (bps < 2 || bps > 5) return 0; - return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8); + tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8); + break; case AV_CODEC_ID_ADPCM_IMA_DK3: - return blocks * (((ba - 16) * 2 / 3 * 4) / ch); + tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch); + break; case AV_CODEC_ID_ADPCM_IMA_DK4: - return blocks * (1 + (ba - 4 * ch) * 2 / ch); + tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch); + break; case AV_CODEC_ID_ADPCM_IMA_RAD: - return blocks * ((ba - 4 * ch) * 2 / ch); + tmp = blocks * ((ba - 4LL * ch) * 2 / ch); + break; case AV_CODEC_ID_ADPCM_MS: - return blocks * (2 + (ba - 7 * ch) * 2LL / ch); + tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch); + break; case AV_CODEC_ID_ADPCM_MTAF: - return blocks * (ba - 16) * 2 / ch; + tmp = blocks * (ba - 16LL) * 2 / ch; + break; + } + if (tmp) { + if (tmp != (int)tmp) + return 0; + return tmp; } } @@ -825,20 +854,22 @@ int av_get_audio_frame_duration(AVCodecContext *avctx, int frame_bytes) { - return get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, + int duration = get_audio_frame_duration(avctx->codec_id, avctx->sample_rate, avctx->channels, avctx->block_align, avctx->codec_tag, avctx->bits_per_coded_sample, avctx->bit_rate, avctx->extradata, avctx->frame_size, frame_bytes); + return FFMAX(0, duration); } int av_get_audio_frame_duration2(AVCodecParameters *par, int frame_bytes) { - return get_audio_frame_duration(par->codec_id, par->sample_rate, + int duration = get_audio_frame_duration(par->codec_id, par->sample_rate, par->channels, par->block_align, par->codec_tag, par->bits_per_coded_sample, par->bit_rate, par->extradata, par->frame_size, frame_bytes); + return FFMAX(0, duration); } #if !HAVE_THREADS diff -Nru ffmpeg-4.4/libavcodec/vaapi_av1.c ffmpeg-4.4.2/libavcodec/vaapi_av1.c --- ffmpeg-4.4/libavcodec/vaapi_av1.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vaapi_av1.c 2022-01-14 18:45:25.000000000 +0000 @@ -21,8 +21,28 @@ #include "libavutil/pixdesc.h" #include "hwconfig.h" #include "vaapi_decode.h" +#include "internal.h" #include "av1dec.h" +typedef struct VAAPIAV1FrameRef { + ThreadFrame frame; + int valid; +} VAAPIAV1FrameRef; + +typedef struct VAAPIAV1DecContext { + VAAPIDecodeContext base; + + /** + * For film grain case, VAAPI generate 2 output for each frame, + * current_frame will not apply film grain, and will be used for + * references for next frames. Maintain the reference list without + * applying film grain here. And current_display_picture will be + * used to apply film grain and push to downstream. + */ + VAAPIAV1FrameRef ref_tab[AV1_NUM_REF_FRAMES]; + ThreadFrame tmp_frame; +} VAAPIAV1DecContext; + static VASurfaceID vaapi_av1_surface_id(AV1Frame *vf) { if (vf) @@ -49,6 +69,48 @@ return bit_depth == 8 ? 0 : bit_depth == 10 ? 1 : 2; } +static int vaapi_av1_decode_init(AVCodecContext *avctx) +{ + VAAPIAV1DecContext *ctx = avctx->internal->hwaccel_priv_data; + + ctx->tmp_frame.f = av_frame_alloc(); + if (!ctx->tmp_frame.f) { + av_log(avctx, AV_LOG_ERROR, + "Failed to allocate frame.\n"); + return AVERROR(ENOMEM); + } + + for (int i = 0; i < FF_ARRAY_ELEMS(ctx->ref_tab); i++) { + ctx->ref_tab[i].frame.f = av_frame_alloc(); + if (!ctx->ref_tab[i].frame.f) { + av_log(avctx, AV_LOG_ERROR, + "Failed to allocate reference table frame %d.\n", i); + return AVERROR(ENOMEM); + } + ctx->ref_tab[i].valid = 0; + } + + return ff_vaapi_decode_init(avctx); +} + +static int vaapi_av1_decode_uninit(AVCodecContext *avctx) +{ + VAAPIAV1DecContext *ctx = avctx->internal->hwaccel_priv_data; + + if (ctx->tmp_frame.f->buf[0]) + ff_thread_release_buffer(avctx, &ctx->tmp_frame); + av_frame_free(&ctx->tmp_frame.f); + + for (int i = 0; i < FF_ARRAY_ELEMS(ctx->ref_tab); i++) { + if (ctx->ref_tab[i].frame.f->buf[0]) + ff_thread_release_buffer(avctx, &ctx->ref_tab[i].frame); + av_frame_free(&ctx->ref_tab[i].frame.f); + } + + return ff_vaapi_decode_uninit(avctx); +} + + static int vaapi_av1_start_frame(AVCodecContext *avctx, av_unused const uint8_t *buffer, av_unused uint32_t size) @@ -58,40 +120,62 @@ const AV1RawFrameHeader *frame_header = s->raw_frame_header; const AV1RawFilmGrainParams *film_grain = &s->cur_frame.film_grain; VAAPIDecodePicture *pic = s->cur_frame.hwaccel_picture_private; + VAAPIAV1DecContext *ctx = avctx->internal->hwaccel_priv_data; VADecPictureParameterBufferAV1 pic_param; int8_t bit_depth_idx; int err = 0; int apply_grain = !(avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && film_grain->apply_grain; uint8_t remap_lr_type[4] = {AV1_RESTORE_NONE, AV1_RESTORE_SWITCHABLE, AV1_RESTORE_WIENER, AV1_RESTORE_SGRPROJ}; - - pic->output_surface = vaapi_av1_surface_id(&s->cur_frame); + uint8_t segmentation_feature_signed[AV1_SEG_LVL_MAX] = {1, 1, 1, 1, 1, 0, 0, 0}; + uint8_t segmentation_feature_max[AV1_SEG_LVL_MAX] = {255, AV1_MAX_LOOP_FILTER, + AV1_MAX_LOOP_FILTER, AV1_MAX_LOOP_FILTER, AV1_MAX_LOOP_FILTER, 7 , 0 , 0 }; bit_depth_idx = vaapi_av1_get_bit_depth_idx(avctx); if (bit_depth_idx < 0) goto fail; + if (apply_grain) { + if (ctx->tmp_frame.f->buf[0]) + ff_thread_release_buffer(avctx, &ctx->tmp_frame); + err = ff_thread_get_buffer(avctx, &ctx->tmp_frame, AV_GET_BUFFER_FLAG_REF); + if (err < 0) + goto fail; + pic->output_surface = ff_vaapi_get_surface_id(ctx->tmp_frame.f); + } else { + pic->output_surface = vaapi_av1_surface_id(&s->cur_frame); + } + memset(&pic_param, 0, sizeof(VADecPictureParameterBufferAV1)); pic_param = (VADecPictureParameterBufferAV1) { - .profile = seq->seq_profile, - .order_hint_bits_minus_1 = seq->order_hint_bits_minus_1, - .bit_depth_idx = bit_depth_idx, - .current_frame = pic->output_surface, - .current_display_picture = pic->output_surface, - .frame_width_minus1 = frame_header->frame_width_minus_1, - .frame_height_minus1 = frame_header->frame_height_minus_1, - .primary_ref_frame = frame_header->primary_ref_frame, - .order_hint = frame_header->order_hint, - .tile_cols = frame_header->tile_cols, - .tile_rows = frame_header->tile_rows, - .context_update_tile_id = frame_header->context_update_tile_id, - .interp_filter = frame_header->interpolation_filter, - .filter_level[0] = frame_header->loop_filter_level[0], - .filter_level[1] = frame_header->loop_filter_level[1], - .filter_level_u = frame_header->loop_filter_level[2], - .filter_level_v = frame_header->loop_filter_level[3], - .base_qindex = frame_header->base_q_idx, - .cdef_damping_minus_3 = frame_header->cdef_damping_minus_3, - .cdef_bits = frame_header->cdef_bits, + .profile = seq->seq_profile, + .order_hint_bits_minus_1 = seq->order_hint_bits_minus_1, + .bit_depth_idx = bit_depth_idx, + .matrix_coefficients = seq->color_config.matrix_coefficients, + .current_frame = pic->output_surface, + .current_display_picture = vaapi_av1_surface_id(&s->cur_frame), + .frame_width_minus1 = frame_header->frame_width_minus_1, + .frame_height_minus1 = frame_header->frame_height_minus_1, + .primary_ref_frame = frame_header->primary_ref_frame, + .order_hint = frame_header->order_hint, + .tile_cols = frame_header->tile_cols, + .tile_rows = frame_header->tile_rows, + .context_update_tile_id = frame_header->context_update_tile_id, + .superres_scale_denominator = frame_header->use_superres ? + frame_header->coded_denom + AV1_SUPERRES_DENOM_MIN : + AV1_SUPERRES_NUM, + .interp_filter = frame_header->interpolation_filter, + .filter_level[0] = frame_header->loop_filter_level[0], + .filter_level[1] = frame_header->loop_filter_level[1], + .filter_level_u = frame_header->loop_filter_level[2], + .filter_level_v = frame_header->loop_filter_level[3], + .base_qindex = frame_header->base_q_idx, + .y_dc_delta_q = frame_header->delta_q_y_dc, + .u_dc_delta_q = frame_header->delta_q_u_dc, + .u_ac_delta_q = frame_header->delta_q_u_ac, + .v_dc_delta_q = frame_header->delta_q_v_dc, + .v_ac_delta_q = frame_header->delta_q_v_ac, + .cdef_damping_minus_3 = frame_header->cdef_damping_minus_3, + .cdef_bits = frame_header->cdef_bits, .seq_info_fields.fields = { .still_picture = seq->still_picture, .use_128x128_superblock = seq->use_128x128_superblock, @@ -162,12 +246,15 @@ .mode_ref_delta_update = frame_header->loop_filter_delta_update, }, .mode_control_fields.bits = { - .delta_q_present_flag = frame_header->delta_q_present, - .log2_delta_q_res = frame_header->delta_q_res, - .tx_mode = frame_header->tx_mode, - .reference_select = frame_header->reference_select, - .reduced_tx_set_used = frame_header->reduced_tx_set, - .skip_mode_present = frame_header->skip_mode_present, + .delta_q_present_flag = frame_header->delta_q_present, + .log2_delta_q_res = frame_header->delta_q_res, + .delta_lf_present_flag = frame_header->delta_lf_present, + .log2_delta_lf_res = frame_header->delta_lf_res, + .delta_lf_multi = frame_header->delta_lf_multi, + .tx_mode = frame_header->tx_mode, + .reference_select = frame_header->reference_select, + .reduced_tx_set_used = frame_header->reduced_tx_set, + .skip_mode_present = frame_header->skip_mode_present, }, .loop_restoration_fields.bits = { .yframe_restoration_type = remap_lr_type[frame_header->lr_type[0]], @@ -178,6 +265,9 @@ }, .qmatrix_fields.bits = { .using_qmatrix = frame_header->using_qmatrix, + .qm_y = frame_header->qm_y, + .qm_u = frame_header->qm_u, + .qm_v = frame_header->qm_v, } }; @@ -185,7 +275,9 @@ if (pic_param.pic_info_fields.bits.frame_type == AV1_FRAME_KEY) pic_param.ref_frame_map[i] = VA_INVALID_ID; else - pic_param.ref_frame_map[i] = vaapi_av1_surface_id(&s->ref[i]); + pic_param.ref_frame_map[i] = ctx->ref_tab[i].valid ? + ff_vaapi_get_surface_id(ctx->ref_tab[i].frame.f) : + vaapi_av1_surface_id(&s->ref[i]); } for (int i = 0; i < AV1_REFS_PER_FRAME; i++) { pic_param.ref_frame_idx[i] = frame_header->ref_frame_idx[i]; @@ -213,10 +305,22 @@ frame_header->height_in_sbs_minus_1[i]; } for (int i = AV1_REF_FRAME_LAST; i <= AV1_REF_FRAME_ALTREF; i++) { - pic_param.wm[i - 1].wmtype = s->cur_frame.gm_type[i]; + pic_param.wm[i - 1].invalid = s->cur_frame.gm_invalid[i]; + pic_param.wm[i - 1].wmtype = s->cur_frame.gm_type[i]; for (int j = 0; j < 6; j++) pic_param.wm[i - 1].wmmat[j] = s->cur_frame.gm_params[i][j]; } + for (int i = 0; i < AV1_MAX_SEGMENTS; i++) { + for (int j = 0; j < AV1_SEG_LVL_MAX; j++) { + pic_param.seg_info.feature_mask[i] |= (frame_header->feature_enabled[i][j] << j); + if (segmentation_feature_signed[j]) + pic_param.seg_info.feature_data[i][j] = av_clip(frame_header->feature_value[i][j], + -segmentation_feature_max[j], segmentation_feature_max[j]); + else + pic_param.seg_info.feature_data[i][j] = av_clip(frame_header->feature_value[i][j], + 0, segmentation_feature_max[j]); + } + } if (apply_grain) { for (int i = 0; i < film_grain->num_y_points; i++) { pic_param.film_grain_info.point_y_value[i] = @@ -263,8 +367,34 @@ static int vaapi_av1_end_frame(AVCodecContext *avctx) { const AV1DecContext *s = avctx->priv_data; + const AV1RawFrameHeader *header = s->raw_frame_header; + const AV1RawFilmGrainParams *film_grain = &s->cur_frame.film_grain; VAAPIDecodePicture *pic = s->cur_frame.hwaccel_picture_private; - return ff_vaapi_decode_issue(avctx, pic); + VAAPIAV1DecContext *ctx = avctx->internal->hwaccel_priv_data; + + int apply_grain = !(avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && film_grain->apply_grain; + int ret; + ret = ff_vaapi_decode_issue(avctx, pic); + if (ret < 0) + return ret; + + for (int i = 0; i < AV1_NUM_REF_FRAMES; i++) { + if (header->refresh_frame_flags & (1 << i)) { + if (ctx->ref_tab[i].frame.f->buf[0]) + ff_thread_release_buffer(avctx, &ctx->ref_tab[i].frame); + + if (apply_grain) { + ret = ff_thread_ref_frame(&ctx->ref_tab[i].frame, &ctx->tmp_frame); + if (ret < 0) + return ret; + ctx->ref_tab[i].valid = 1; + } else { + ctx->ref_tab[i].valid = 0; + } + } + } + + return 0; } static int vaapi_av1_decode_slice(AVCodecContext *avctx, @@ -292,7 +422,7 @@ err = ff_vaapi_decode_make_slice_buffer(avctx, pic, &slice_param, sizeof(VASliceParameterBufferAV1), buffer, - s->tile_group_info[i].tile_size); + size); if (err) { ff_vaapi_decode_cancel(avctx, pic); return err; @@ -311,9 +441,9 @@ .end_frame = vaapi_av1_end_frame, .decode_slice = vaapi_av1_decode_slice, .frame_priv_data_size = sizeof(VAAPIDecodePicture), - .init = ff_vaapi_decode_init, - .uninit = ff_vaapi_decode_uninit, + .init = vaapi_av1_decode_init, + .uninit = vaapi_av1_decode_uninit, .frame_params = ff_vaapi_common_frame_params, - .priv_data_size = sizeof(VAAPIDecodeContext), + .priv_data_size = sizeof(VAAPIAV1DecContext), .caps_internal = HWACCEL_CAP_ASYNC_SAFE, }; diff -Nru ffmpeg-4.4/libavcodec/vaapi_decode.c ffmpeg-4.4.2/libavcodec/vaapi_decode.c --- ffmpeg-4.4/libavcodec/vaapi_decode.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vaapi_decode.c 2022-04-14 21:13:38.000000000 +0100 @@ -577,10 +577,10 @@ switch (avctx->codec_id) { case AV_CODEC_ID_H264: case AV_CODEC_ID_HEVC: + case AV_CODEC_ID_AV1: frames->initial_pool_size += 16; break; case AV_CODEC_ID_VP9: - case AV_CODEC_ID_AV1: frames->initial_pool_size += 8; break; case AV_CODEC_ID_VP8: diff -Nru ffmpeg-4.4/libavcodec/vaapi_encode.c ffmpeg-4.4.2/libavcodec/vaapi_encode.c --- ffmpeg-4.4/libavcodec/vaapi_encode.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vaapi_encode.c 2022-04-14 21:13:38.000000000 +0100 @@ -2366,6 +2366,11 @@ VAStatus vas; int err; + ctx->va_config = VA_INVALID_ID; + ctx->va_context = VA_INVALID_ID; + + /* If you add something that can fail above this av_frame_alloc(), + * modify ff_vaapi_encode_close() accordingly. */ ctx->frame = av_frame_alloc(); if (!ctx->frame) { return AVERROR(ENOMEM); @@ -2377,9 +2382,6 @@ return AVERROR(EINVAL); } - ctx->va_config = VA_INVALID_ID; - ctx->va_context = VA_INVALID_ID; - ctx->input_frames_ref = av_buffer_ref(avctx->hw_frames_ctx); if (!ctx->input_frames_ref) { err = AVERROR(ENOMEM); @@ -2531,6 +2533,11 @@ VAAPIEncodeContext *ctx = avctx->priv_data; VAAPIEncodePicture *pic, *next; + /* We check ctx->frame to know whether ff_vaapi_encode_init() + * has been called and va_config/va_context initialized. */ + if (!ctx->frame) + return 0; + for (pic = ctx->pic_start; pic; pic = next) { next = pic->next; vaapi_encode_free(avctx, pic); diff -Nru ffmpeg-4.4/libavcodec/vc1.c ffmpeg-4.4.2/libavcodec/vc1.c --- ffmpeg-4.4/libavcodec/vc1.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vc1.c 2022-04-14 21:13:38.000000000 +0100 @@ -672,6 +672,8 @@ if (v->s.pict_type == AV_PICTURE_TYPE_P) v->rnd ^= 1; + if (get_bits_left(gb) < 5) + return AVERROR_INVALIDDATA; /* Quantizer stuff */ pqindex = get_bits(gb, 5); if (!pqindex) @@ -764,6 +766,9 @@ av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: " "Imode: %i, Invert: %i\n", status>>1, status&1); + if (get_bits_left(gb) < 4) + return AVERROR_INVALIDDATA; + /* Hopefully this is correct for P-frames */ v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables v->cbptab = get_bits(gb, 2); diff -Nru ffmpeg-4.4/libavcodec/vc1dec.c ffmpeg-4.4.2/libavcodec/vc1dec.c --- ffmpeg-4.4/libavcodec/vc1dec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vc1dec.c 2022-04-14 21:13:38.000000000 +0100 @@ -1124,7 +1124,9 @@ ret = AVERROR_INVALIDDATA; goto err; } - if (!v->field_mode) + if ( !v->field_mode + && avctx->codec_id != AV_CODEC_ID_WMV3IMAGE + && avctx->codec_id != AV_CODEC_ID_VC1IMAGE) ff_er_frame_end(&s->er); } @@ -1152,12 +1154,14 @@ if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) { if ((ret = av_frame_ref(pict, s->current_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->current_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->current_picture_ptr, pict); *got_frame = 1; } else if (s->last_picture_ptr) { if ((ret = av_frame_ref(pict, s->last_picture_ptr->f)) < 0) goto err; - ff_print_debug_info(s, s->last_picture_ptr, pict); + if (!v->field_mode) + ff_print_debug_info(s, s->last_picture_ptr, pict); *got_frame = 1; } } diff -Nru ffmpeg-4.4/libavcodec/vc2enc.c ffmpeg-4.4.2/libavcodec/vc2enc.c --- ffmpeg-4.4/libavcodec/vc2enc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vc2enc.c 2022-04-14 21:13:38.000000000 +0100 @@ -982,6 +982,8 @@ } s->slice_min_bytes = s->slice_max_bytes - s->slice_max_bytes*(s->tolerance/100.0f); + if (s->slice_min_bytes < 0) + return AVERROR(EINVAL); ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced); if (ret) diff -Nru ffmpeg-4.4/libavcodec/videotoolboxenc.c ffmpeg-4.4.2/libavcodec/videotoolboxenc.c --- ffmpeg-4.4/libavcodec/videotoolboxenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/videotoolboxenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -49,6 +49,10 @@ enum { kCVPixelFormatType_420YpCbCr10BiPlanarVideoRange = 'x420' }; #endif +#ifndef TARGET_CPU_ARM64 +# define TARGET_CPU_ARM64 0 +#endif + typedef OSStatus (*getParameterSetAtIndex)(CMFormatDescriptionRef videoDesc, size_t parameterSetIndex, const uint8_t **parameterSetPointerOut, diff -Nru ffmpeg-4.4/libavcodec/vp3.c ffmpeg-4.4.2/libavcodec/vp3.c --- ffmpeg-4.4/libavcodec/vp3.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vp3.c 2022-04-14 21:13:48.000000000 +0100 @@ -2691,7 +2691,14 @@ skip_bits(&gb, 4); /* width code */ skip_bits(&gb, 4); /* height code */ if (s->version) { - s->version = get_bits(&gb, 5); + int version = get_bits(&gb, 5); +#if !CONFIG_VP4_DECODER + if (version >= 2) { + av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); + return AVERROR_DECODER_NOT_FOUND; + } +#endif + s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); diff -Nru ffmpeg-4.4/libavcodec/vqavideo.c ffmpeg-4.4.2/libavcodec/vqavideo.c --- ffmpeg-4.4/libavcodec/vqavideo.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/vqavideo.c 2022-04-14 21:13:48.000000000 +0100 @@ -588,13 +588,14 @@ if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } diff -Nru ffmpeg-4.4/libavcodec/webp.c ffmpeg-4.4.2/libavcodec/webp.c --- ffmpeg-4.4/libavcodec/webp.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/webp.c 2022-04-14 21:13:38.000000000 +0100 @@ -627,6 +627,9 @@ while (y < img->frame->height) { int v; + if (get_bits_left(&s->gb) < 0) + return AVERROR_INVALIDDATA; + hg = get_huffman_group(s, img, x, y); v = huff_reader_get_symbol(&hg[HUFF_IDX_GREEN], &s->gb); if (v < NUM_LITERAL_CODES) { diff -Nru ffmpeg-4.4/libavcodec/wma.c ffmpeg-4.4.2/libavcodec/wma.c --- ffmpeg-4.4/libavcodec/wma.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/wma.c 2022-04-14 21:13:38.000000000 +0100 @@ -457,7 +457,7 @@ if (get_bits1(gb)) { av_log(avctx, AV_LOG_ERROR, "broken escape sequence\n"); - return -1; + return AVERROR_INVALIDDATA; } else offset += get_bits(gb, frame_len_bits) + 4; } else @@ -475,7 +475,7 @@ offset, num_coefs ); - return -1; + return AVERROR_INVALIDDATA; } return 0; diff -Nru ffmpeg-4.4/libavcodec/wmadec.c ffmpeg-4.4.2/libavcodec/wmadec.c --- ffmpeg-4.4/libavcodec/wmadec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/wmadec.c 2022-04-14 21:13:38.000000000 +0100 @@ -590,15 +590,18 @@ if (s->channel_coded[ch]) { int tindex; WMACoef *ptr = &s->coefs1[ch][0]; + int ret; /* special VLC tables are used for ms stereo because * there is potentially less energy there */ tindex = (ch == 1 && s->ms_stereo); memset(ptr, 0, s->block_len * sizeof(WMACoef)); - ff_wma_run_level_decode(s->avctx, &s->gb, &s->coef_vlc[tindex], - s->level_table[tindex], s->run_table[tindex], - 0, ptr, 0, nb_coefs[ch], - s->block_len, s->frame_len_bits, coef_nb_bits); + ret = ff_wma_run_level_decode(s->avctx, &s->gb, &s->coef_vlc[tindex], + s->level_table[tindex], s->run_table[tindex], + 0, ptr, 0, nb_coefs[ch], + s->block_len, s->frame_len_bits, coef_nb_bits); + if (ret < 0) + return ret; } if (s->version == 1 && s->avctx->channels >= 2) align_get_bits(&s->gb); @@ -977,6 +980,7 @@ .capabilities = AV_CODEC_CAP_DR1, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif #if CONFIG_WMAV2_DECODER @@ -993,5 +997,6 @@ .capabilities = AV_CODEC_CAP_DR1, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif diff -Nru ffmpeg-4.4/libavcodec/wmaenc.c ffmpeg-4.4.2/libavcodec/wmaenc.c --- ffmpeg-4.4/libavcodec/wmaenc.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/wmaenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -436,6 +436,7 @@ .close = ff_wma_end, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif #if CONFIG_WMAV2_ENCODER @@ -450,5 +451,6 @@ .close = ff_wma_end, .sample_fmts = (const enum AVSampleFormat[]) { AV_SAMPLE_FMT_FLTP, AV_SAMPLE_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; #endif diff -Nru ffmpeg-4.4/libavcodec/wmaprodec.c ffmpeg-4.4.2/libavcodec/wmaprodec.c --- ffmpeg-4.4/libavcodec/wmaprodec.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/wmaprodec.c 2022-04-14 21:13:38.000000000 +0100 @@ -985,13 +985,16 @@ /** decode run level coded coefficients */ if (cur_coeff < s->subframe_len) { + int ret; + memset(&ci->coeffs[cur_coeff], 0, sizeof(*ci->coeffs) * (s->subframe_len - cur_coeff)); - if (ff_wma_run_level_decode(s->avctx, &s->gb, vlc, - level, run, 1, ci->coeffs, - cur_coeff, s->subframe_len, - s->subframe_len, s->esc_len, 0)) - return AVERROR_INVALIDDATA; + ret = ff_wma_run_level_decode(s->avctx, &s->gb, vlc, + level, run, 1, ci->coeffs, + cur_coeff, s->subframe_len, + s->subframe_len, s->esc_len, 0); + if (ret < 0) + return ret; } return 0; diff -Nru ffmpeg-4.4/libavcodec/xpmdec.c ffmpeg-4.4.2/libavcodec/xpmdec.c --- ffmpeg-4.4/libavcodec/xpmdec.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/xpmdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -341,9 +341,6 @@ if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; - if ((ret = ff_get_buffer(avctx, p, 0)) < 0) - return ret; - if (cpp <= 0 || cpp >= 5) { av_log(avctx, AV_LOG_ERROR, "unsupported/invalid number of chars per pixel: %d\n", cpp); return AVERROR_INVALIDDATA; @@ -360,14 +357,17 @@ size *= 4; - av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); - if (!x->pixels) - return AVERROR(ENOMEM); - ptr += mod_strcspn(ptr, ",") + 1; if (end - ptr < 1) return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, p, 0)) < 0) + return ret; + + av_fast_padded_malloc(&x->pixels, &x->pixels_size, size); + if (!x->pixels) + return AVERROR(ENOMEM); + for (i = 0; i < ncolors; i++) { const uint8_t *index; int len; diff -Nru ffmpeg-4.4/libavcodec/zmbvenc.c ffmpeg-4.4.2/libavcodec/zmbvenc.c --- ffmpeg-4.4/libavcodec/zmbvenc.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavcodec/zmbvenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -73,6 +73,7 @@ int keyint, curfrm; int bypp; enum ZmbvFormat fmt; + int zlib_init_ok; z_stream zstream; int score_tab[ZMBV_BLOCK * ZMBV_BLOCK * 4 + 1]; @@ -310,8 +311,9 @@ av_freep(&c->comp_buf); av_freep(&c->work_buf); - deflateEnd(&c->zstream); av_freep(&c->prev_buf); + if (c->zlib_init_ok) + deflateEnd(&c->zstream); return 0; } @@ -381,8 +383,6 @@ return AVERROR(EINVAL); } - // Needed if zlib unused or init aborted before deflateInit - memset(&c->zstream, 0, sizeof(z_stream)); c->comp_size = avctx->width * c->bypp * avctx->height + 1024 + ((avctx->width + ZMBV_BLOCK - 1) / ZMBV_BLOCK) * ((avctx->height + ZMBV_BLOCK - 1) / ZMBV_BLOCK) * 2 + 4; if (!(c->work_buf = av_malloc(c->comp_size))) { @@ -424,6 +424,7 @@ av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret); return -1; } + c->zlib_init_ok = 1; return 0; } @@ -445,4 +446,5 @@ #endif //ZMBV_ENABLE_24BPP AV_PIX_FMT_BGR0, AV_PIX_FMT_NONE }, + .caps_internal = FF_CODEC_CAP_INIT_CLEANUP, }; diff -Nru ffmpeg-4.4/libavdevice/xv.c ffmpeg-4.4.2/libavdevice/xv.c --- ffmpeg-4.4/libavdevice/xv.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavdevice/xv.c 2022-04-14 21:13:38.000000000 +0100 @@ -296,7 +296,7 @@ { XVContext *xv = s->priv_data; XvImage *img = xv->yuv_image; - uint8_t *data[3] = { + uint8_t *data[4] = { img->data + img->offsets[0], img->data + img->offsets[1], img->data + img->offsets[2] diff -Nru ffmpeg-4.4/libavfilter/aeval.c ffmpeg-4.4.2/libavfilter/aeval.c --- ffmpeg-4.4/libavfilter/aeval.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/aeval.c 2022-04-14 21:13:38.000000000 +0100 @@ -124,11 +124,10 @@ } #define ADD_EXPRESSION(expr_) do { \ - if (!av_dynarray2_add((void **)&eval->expr, &eval->nb_channels, \ - sizeof(*eval->expr), NULL)) { \ - ret = AVERROR(ENOMEM); \ + ret = av_dynarray_add_nofree(&eval->expr, \ + &eval->nb_channels, NULL); \ + if (ret < 0) \ goto end; \ - } \ eval->expr[eval->nb_channels-1] = NULL; \ ret = av_expr_parse(&eval->expr[eval->nb_channels - 1], expr_, \ var_names, func1_names, func1, \ diff -Nru ffmpeg-4.4/libavfilter/af_drmeter.c ffmpeg-4.4.2/libavfilter/af_drmeter.c --- ffmpeg-4.4/libavfilter/af_drmeter.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/af_drmeter.c 2022-04-14 21:13:38.000000000 +0100 @@ -167,6 +167,11 @@ float chdr, secondpeak, rmssum = 0; int i, j, first = 0; + if (!p->nb_samples) { + av_log(ctx, AV_LOG_INFO, "No data, dynamic range not meassurable\n"); + return; + } + finish_block(p); for (i = 0; i <= 10000; i++) { diff -Nru ffmpeg-4.4/libavfilter/af_surround.c ffmpeg-4.4.2/libavfilter/af_surround.c --- ffmpeg-4.4/libavfilter/af_surround.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/af_surround.c 2022-04-14 21:13:38.000000000 +0100 @@ -203,13 +203,13 @@ s->rdft = av_calloc(inlink->channels, sizeof(*s->rdft)); if (!s->rdft) return AVERROR(ENOMEM); + s->nb_in_channels = inlink->channels; for (ch = 0; ch < inlink->channels; ch++) { s->rdft[ch] = av_rdft_init(ff_log2(s->buf_size), DFT_R2C); if (!s->rdft[ch]) return AVERROR(ENOMEM); } - s->nb_in_channels = inlink->channels; s->input_levels = av_malloc_array(s->nb_in_channels, sizeof(*s->input_levels)); if (!s->input_levels) return AVERROR(ENOMEM); @@ -266,13 +266,13 @@ s->irdft = av_calloc(outlink->channels, sizeof(*s->irdft)); if (!s->irdft) return AVERROR(ENOMEM); + s->nb_out_channels = outlink->channels; for (ch = 0; ch < outlink->channels; ch++) { s->irdft[ch] = av_rdft_init(ff_log2(s->buf_size), IDFT_C2R); if (!s->irdft[ch]) return AVERROR(ENOMEM); } - s->nb_out_channels = outlink->channels; s->output_levels = av_malloc_array(s->nb_out_channels, sizeof(*s->output_levels)); if (!s->output_levels) return AVERROR(ENOMEM); diff -Nru ffmpeg-4.4/libavfilter/af_vibrato.c ffmpeg-4.4.2/libavfilter/af_vibrato.c --- ffmpeg-4.4/libavfilter/af_vibrato.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/af_vibrato.c 2022-04-14 21:13:38.000000000 +0100 @@ -157,11 +157,11 @@ int c; AVFilterContext *ctx = inlink->dst; VibratoContext *s = ctx->priv; - s->channels = inlink->channels; s->buf = av_calloc(inlink->channels, sizeof(*s->buf)); if (!s->buf) return AVERROR(ENOMEM); + s->channels = inlink->channels; s->buf_size = lrint(inlink->sample_rate * 0.005 + 0.5); for (c = 0; c < s->channels; c++) { s->buf[c] = av_malloc_array(s->buf_size, sizeof(*s->buf[c])); diff -Nru ffmpeg-4.4/libavfilter/asrc_flite.c ffmpeg-4.4.2/libavfilter/asrc_flite.c --- ffmpeg-4.4/libavfilter/asrc_flite.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/asrc_flite.c 2022-04-14 21:13:38.000000000 +0100 @@ -196,10 +196,12 @@ { FliteContext *flite = ctx->priv; - if (!--flite->voice_entry->usage_count) - flite->voice_entry->unregister_fn(flite->voice); - flite->voice = NULL; - flite->voice_entry = NULL; + if (flite->voice_entry) { + if (!--flite->voice_entry->usage_count) { + flite->voice_entry->unregister_fn(flite->voice); + flite->voice_entry->voice = NULL; + } + } delete_wave(flite->wave); flite->wave = NULL; } diff -Nru ffmpeg-4.4/libavfilter/avfilter.c ffmpeg-4.4.2/libavfilter/avfilter.c --- ffmpeg-4.4/libavfilter/avfilter.c 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/avfilter.c 2022-04-14 21:13:38.000000000 +0100 @@ -925,6 +925,8 @@ ret = ctx->filter->init(ctx); else if (ctx->filter->init_dict) ret = ctx->filter->init_dict(ctx, options); + if (ret < 0) + return ret; if (ctx->enable_str) { ret = set_enable_expr(ctx, ctx->enable_str); @@ -932,7 +934,7 @@ return ret; } - return ret; + return 0; } int avfilter_init_str(AVFilterContext *filter, const char *args) diff -Nru ffmpeg-4.4/libavfilter/f_metadata.c ffmpeg-4.4.2/libavfilter/f_metadata.c --- ffmpeg-4.4/libavfilter/f_metadata.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/f_metadata.c 2022-04-14 21:13:38.000000000 +0100 @@ -304,9 +304,6 @@ AVDictionary **metadata = &frame->metadata; AVDictionaryEntry *e; - if (!*metadata && s->mode != METADATA_ADD) - return ff_filter_frame(outlink, frame); - e = av_dict_get(*metadata, !s->key ? "" : s->key, NULL, !s->key ? AV_DICT_IGNORE_SUFFIX: 0); diff -Nru ffmpeg-4.4/libavfilter/vf_ciescope.c ffmpeg-4.4.2/libavfilter/vf_ciescope.c --- ffmpeg-4.4/libavfilter/vf_ciescope.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_ciescope.c 2022-04-14 21:13:38.000000000 +0100 @@ -849,7 +849,8 @@ *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc; sum = *x + *y + *z; - + if (sum == 0) + sum = 1; *x = *x / sum; *y = *y / sum; } diff -Nru ffmpeg-4.4/libavfilter/vf_dctdnoiz.c ffmpeg-4.4.2/libavfilter/vf_dctdnoiz.c --- ffmpeg-4.4/libavfilter/vf_dctdnoiz.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_dctdnoiz.c 2022-04-14 21:13:38.000000000 +0100 @@ -564,6 +564,9 @@ inlink->h - s->pr_height); max_slice_h = s->pr_height / ((s->bsize - 1) * 2); + if (max_slice_h == 0) + return AVERROR(EINVAL); + s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), max_slice_h); av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n", MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), s->nb_threads); diff -Nru ffmpeg-4.4/libavfilter/vf_fftdnoiz.c ffmpeg-4.4.2/libavfilter/vf_fftdnoiz.c --- ffmpeg-4.4/libavfilter/vf_fftdnoiz.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_fftdnoiz.c 2022-04-14 21:13:38.000000000 +0100 @@ -161,7 +161,7 @@ int j; for (j = 0; j < rw; j++) - dst[j] = av_clip_uint8(src[j].re * scale + 0.5f); + dst[j] = av_clip_uint8(lrintf(src[j].re * scale)); } static void import_row16(FFTComplex *dst, uint8_t *srcp, int rw) diff -Nru ffmpeg-4.4/libavfilter/vf_idet.c ffmpeg-4.4.2/libavfilter/vf_idet.c --- ffmpeg-4.4/libavfilter/vf_idet.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_idet.c 2022-04-14 21:13:38.000000000 +0100 @@ -336,20 +336,19 @@ static av_cold void uninit(AVFilterContext *ctx) { IDETContext *idet = ctx->priv; - int level = strncmp(ctx->name, "auto-inserted", 13) ? AV_LOG_INFO : AV_LOG_DEBUG; - av_log(ctx, level, "Repeated Fields: Neither:%6"PRId64" Top:%6"PRId64" Bottom:%6"PRId64"\n", + av_log(ctx, AV_LOG_INFO, "Repeated Fields: Neither:%6"PRId64" Top:%6"PRId64" Bottom:%6"PRId64"\n", idet->total_repeats[REPEAT_NONE], idet->total_repeats[REPEAT_TOP], idet->total_repeats[REPEAT_BOTTOM] ); - av_log(ctx, level, "Single frame detection: TFF:%6"PRId64" BFF:%6"PRId64" Progressive:%6"PRId64" Undetermined:%6"PRId64"\n", + av_log(ctx, AV_LOG_INFO, "Single frame detection: TFF:%6"PRId64" BFF:%6"PRId64" Progressive:%6"PRId64" Undetermined:%6"PRId64"\n", idet->total_prestat[TFF], idet->total_prestat[BFF], idet->total_prestat[PROGRESSIVE], idet->total_prestat[UNDETERMINED] ); - av_log(ctx, level, "Multi frame detection: TFF:%6"PRId64" BFF:%6"PRId64" Progressive:%6"PRId64" Undetermined:%6"PRId64"\n", + av_log(ctx, AV_LOG_INFO, "Multi frame detection: TFF:%6"PRId64" BFF:%6"PRId64" Progressive:%6"PRId64" Undetermined:%6"PRId64"\n", idet->total_poststat[TFF], idet->total_poststat[BFF], idet->total_poststat[PROGRESSIVE], diff -Nru ffmpeg-4.4/libavfilter/vf_mestimate.c ffmpeg-4.4.2/libavfilter/vf_mestimate.c --- ffmpeg-4.4/libavfilter/vf_mestimate.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_mestimate.c 2022-04-14 21:13:38.000000000 +0100 @@ -100,6 +100,9 @@ s->b_height = inlink->h >> s->log2_mb_size; s->b_count = s->b_width * s->b_height; + if (s->b_count == 0) + return AVERROR(EINVAL); + for (i = 0; i < 3; i++) { s->mv_table[i] = av_mallocz_array(s->b_count, sizeof(*s->mv_table[0])); if (!s->mv_table[i]) diff -Nru ffmpeg-4.4/libavfilter/vf_overlay_cuda.c ffmpeg-4.4.2/libavfilter/vf_overlay_cuda.c --- ffmpeg-4.4/libavfilter/vf_overlay_cuda.c 2021-04-08 22:28:27.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_overlay_cuda.c 2022-04-14 21:13:38.000000000 +0100 @@ -63,6 +63,7 @@ enum AVPixelFormat in_format_overlay; enum AVPixelFormat in_format_main; + AVBufferRef *hw_device_ctx; AVCUDADeviceContext *hwctx; CUcontext cu_ctx; @@ -256,6 +257,9 @@ CHECK_CU(cu->cuModuleUnload(ctx->cu_module)); CHECK_CU(cu->cuCtxPopCurrent(&dummy)); } + + av_buffer_unref(&ctx->hw_device_ctx); + ctx->hwctx = NULL; } /** @@ -341,13 +345,19 @@ // initialize - ctx->hwctx = frames_ctx->device_ctx->hwctx; + ctx->hw_device_ctx = av_buffer_ref(frames_ctx->device_ref); + if (!ctx->hw_device_ctx) + return AVERROR(ENOMEM); + ctx->hwctx = ((AVHWDeviceContext*)ctx->hw_device_ctx->data)->hwctx; + cuda_ctx = ctx->hwctx->cuda_ctx; ctx->fs.time_base = inlink->time_base; ctx->cu_stream = ctx->hwctx->stream; outlink->hw_frames_ctx = av_buffer_ref(inlink->hw_frames_ctx); + if (!outlink->hw_frames_ctx) + return AVERROR(ENOMEM); // load functions diff -Nru ffmpeg-4.4/libavfilter/vf_scale.c ffmpeg-4.4.2/libavfilter/vf_scale.c --- ffmpeg-4.4/libavfilter/vf_scale.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_scale.c 2022-04-14 21:13:38.000000000 +0100 @@ -739,6 +739,18 @@ out->width = outlink->w; out->height = outlink->h; + // Sanity checks: + // 1. If the output is RGB, set the matrix coefficients to RGB. + // 2. If the output is not RGB and we've got the RGB/XYZ (identity) + // matrix configured, unset the matrix. + // In theory these should be in swscale itself as the AVFrame + // based API gets in, so that not every swscale API user has + // to go through duplicating such sanity checks. + if (av_pix_fmt_desc_get(out->format)->flags & AV_PIX_FMT_FLAG_RGB) + out->colorspace = AVCOL_SPC_RGB; + else if (out->colorspace == AVCOL_SPC_RGB) + out->colorspace = AVCOL_SPC_UNSPECIFIED; + if (scale->output_is_pal) avpriv_set_systematic_pal2((uint32_t*)out->data[1], outlink->format == AV_PIX_FMT_PAL8 ? AV_PIX_FMT_BGR8 : outlink->format); diff -Nru ffmpeg-4.4/libavfilter/vf_scale_npp.c ffmpeg-4.4.2/libavfilter/vf_scale_npp.c --- ffmpeg-4.4/libavfilter/vf_scale_npp.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_scale_npp.c 2022-04-14 21:13:38.000000000 +0100 @@ -481,13 +481,16 @@ src = s->stages[i].frame; last_stage = i; } - if (last_stage < 0) return AVERROR_BUG; + ret = av_hwframe_get_buffer(src->hw_frames_ctx, s->tmp_frame, 0); if (ret < 0) return ret; + s->tmp_frame->width = src->width; + s->tmp_frame->height = src->height; + av_frame_move_ref(out, src); av_frame_move_ref(src, s->tmp_frame); diff -Nru ffmpeg-4.4/libavfilter/vf_subtitles.c ffmpeg-4.4.2/libavfilter/vf_subtitles.c --- ffmpeg-4.4/libavfilter/vf_subtitles.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_subtitles.c 2022-04-14 21:13:48.000000000 +0100 @@ -145,9 +145,16 @@ ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); diff -Nru ffmpeg-4.4/libavfilter/vf_vmafmotion.c ffmpeg-4.4.2/libavfilter/vf_vmafmotion.c --- ffmpeg-4.4/libavfilter/vf_vmafmotion.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_vmafmotion.c 2022-04-14 21:13:38.000000000 +0100 @@ -238,6 +238,9 @@ int i; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt); + if (w < 3 || h < 3) + return AVERROR(EINVAL); + s->width = w; s->height = h; s->stride = FFALIGN(w * sizeof(uint16_t), 32); diff -Nru ffmpeg-4.4/libavfilter/vf_w3fdif.c ffmpeg-4.4.2/libavfilter/vf_w3fdif.c --- ffmpeg-4.4/libavfilter/vf_w3fdif.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_w3fdif.c 2022-04-14 21:13:38.000000000 +0100 @@ -283,7 +283,7 @@ AVFilterContext *ctx = inlink->dst; W3FDIFContext *s = ctx->priv; const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(inlink->format); - int ret, i, depth; + int ret, i, depth, nb_threads; if ((ret = av_image_fill_linesizes(s->linesize, inlink->format, inlink->w)) < 0) return ret; @@ -297,10 +297,11 @@ } s->nb_planes = av_pix_fmt_count_planes(inlink->format); - s->nb_threads = ff_filter_get_nb_threads(ctx); - s->work_line = av_calloc(s->nb_threads, sizeof(*s->work_line)); + nb_threads = ff_filter_get_nb_threads(ctx); + s->work_line = av_calloc(nb_threads, sizeof(*s->work_line)); if (!s->work_line) return AVERROR(ENOMEM); + s->nb_threads = nb_threads; for (i = 0; i < s->nb_threads; i++) { s->work_line[i] = av_calloc(FFALIGN(s->linesize[0], 32), sizeof(*s->work_line[0])); diff -Nru ffmpeg-4.4/libavfilter/vf_yadif.c ffmpeg-4.4.2/libavfilter/vf_yadif.c --- ffmpeg-4.4/libavfilter/vf_yadif.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavfilter/vf_yadif.c 2022-04-14 21:13:38.000000000 +0100 @@ -123,20 +123,22 @@ uint8_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN - 1; + int offset = FFMAX(w - edge, 3); /* Only edge pixels need to be processed here. A constant value of false * for is_not_edge should let the compiler ignore the whole branch. */ - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint8_t*)dst1 + w - edge; - prev = (uint8_t*)prev1 + w - edge; - cur = (uint8_t*)cur1 + w - edge; - next = (uint8_t*)next1 + w - edge; + dst = (uint8_t*)dst1 + offset; + prev = (uint8_t*)prev1 + offset; + cur = (uint8_t*)cur1 + offset; + next = (uint8_t*)next1 + offset; prev2 = (uint8_t*)(parity ? prev : cur); next2 = (uint8_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } @@ -170,21 +172,23 @@ uint16_t *next2 = parity ? cur : next; const int edge = MAX_ALIGN / 2 - 1; + int offset = FFMAX(w - edge, 3); mrefs /= 2; prefs /= 2; - FILTER(0, 3, 0) + FILTER(0, FFMIN(3, w), 0) - dst = (uint16_t*)dst1 + w - edge; - prev = (uint16_t*)prev1 + w - edge; - cur = (uint16_t*)cur1 + w - edge; - next = (uint16_t*)next1 + w - edge; + dst = (uint16_t*)dst1 + offset; + prev = (uint16_t*)prev1 + offset; + cur = (uint16_t*)cur1 + offset; + next = (uint16_t*)next1 + offset; prev2 = (uint16_t*)(parity ? prev : cur); next2 = (uint16_t*)(parity ? cur : next); - FILTER(w - edge, w - 3, 1) - FILTER(w - 3, w, 0) + FILTER(offset, w - 3, 1) + offset = FFMAX(offset, w - 3); + FILTER(offset, w, 0) } static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int nb_jobs) diff -Nru ffmpeg-4.4/libavformat/4xm.c ffmpeg-4.4.2/libavformat/4xm.c --- ffmpeg-4.4/libavformat/4xm.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/4xm.c 2022-04-14 21:13:48.000000000 +0100 @@ -137,7 +137,8 @@ return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } @@ -148,6 +149,9 @@ memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); diff -Nru ffmpeg-4.4/libavformat/aadec.c ffmpeg-4.4.2/libavformat/aadec.c --- ffmpeg-4.4/libavformat/aadec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/aadec.c 2022-04-14 21:13:38.000000000 +0100 @@ -130,8 +130,8 @@ AV_WB32(&header_key[idx * 4], header_key_part[idx]); // convert each part to BE! } av_log(s, AV_LOG_DEBUG, "Processed HeaderKey is "); - for (i = 0; i < 16; i++) - av_log(s, AV_LOG_DEBUG, "%02x", header_key[i]); + for (int j = 0; j < 16; j++) + av_log(s, AV_LOG_DEBUG, "%02x", header_key[j]); av_log(s, AV_LOG_DEBUG, "\n"); } else { av_dict_set(&s->metadata, key, val, 0); diff -Nru ffmpeg-4.4/libavformat/aaxdec.c ffmpeg-4.4.2/libavformat/aaxdec.c --- ffmpeg-4.4/libavformat/aaxdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/aaxdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -117,6 +117,7 @@ int64_t column_offset = 0; int ret, extradata_size; char *codec; + int64_t ret64; avio_skip(pb, 4); a->table_size = avio_rb32(pb) + 8LL; @@ -218,7 +219,10 @@ } } - avio_seek(pb, a->strings_offset, SEEK_SET); + ret = ret64 = avio_seek(pb, a->strings_offset, SEEK_SET); + if (ret64 < 0) + goto fail; + ret = avio_read(pb, a->string_table, a->strings_size); if (ret != a->strings_size) { if (ret < 0) @@ -249,7 +253,10 @@ goto fail; } - avio_seek(pb, data_offset, SEEK_SET); + ret = ret64 = avio_seek(pb, data_offset, SEEK_SET); + if (ret64 < 0) + goto fail; + if (type == COLUMN_TYPE_VLDATA) { int64_t start, size; @@ -281,8 +288,8 @@ codec = a->string_table + a->name_offset; if (!strcmp(codec, "AAX")) { par->codec_id = AV_CODEC_ID_ADPCM_ADX; - avio_seek(pb, a->segments[0].start, SEEK_SET); - if (avio_rb16(pb) != 0x8000) { + ret64 = avio_seek(pb, a->segments[0].start, SEEK_SET); + if (ret64 < 0 || avio_rb16(pb) != 0x8000) { ret = AVERROR_INVALIDDATA; goto fail; } diff -Nru ffmpeg-4.4/libavformat/adtsenc.c ffmpeg-4.4.2/libavformat/adtsenc.c --- ffmpeg-4.4/libavformat/adtsenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/adtsenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -51,9 +51,11 @@ GetBitContext gb; PutBitContext pb; MPEG4AudioConfig m4ac; - int off; + int off, ret; - init_get_bits(&gb, buf, size * 8); + ret = init_get_bits8(&gb, buf, size); + if (ret < 0) + return ret; off = avpriv_mpeg4audio_get_config2(&m4ac, buf, size, 1, s); if (off < 0) return off; diff -Nru ffmpeg-4.4/libavformat/aiffdec.c ffmpeg-4.4.2/libavformat/aiffdec.c --- ffmpeg-4.4/libavformat/aiffdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/aiffdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -100,6 +100,9 @@ int sample_rate; unsigned int num_frames; + if (size == INT_MAX) + return AVERROR_INVALIDDATA; + if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -117,6 +120,9 @@ sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; @@ -179,8 +185,10 @@ par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ @@ -362,7 +370,7 @@ if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } diff -Nru ffmpeg-4.4/libavformat/aqtitledec.c ffmpeg-4.4.2/libavformat/aqtitledec.c --- ffmpeg-4.4/libavformat/aqtitledec.c 2020-07-09 10:17:49.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/aqtitledec.c 2022-04-14 21:13:48.000000000 +0100 @@ -74,7 +74,8 @@ new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { diff -Nru ffmpeg-4.4/libavformat/argo_asf.c ffmpeg-4.4.2/libavformat/argo_asf.c --- ffmpeg-4.4/libavformat/argo_asf.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/argo_asf.c 2022-04-14 21:13:48.000000000 +0100 @@ -422,7 +422,7 @@ ArgoASFMuxContext *ctx = s->priv_data; int64_t ret; - if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET) < 0)) + if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET)) < 0) return ret; avio_wl32(s->pb, (uint32_t)ctx->nb_blocks); diff -Nru ffmpeg-4.4/libavformat/asfdec_f.c ffmpeg-4.4.2/libavformat/asfdec_f.c --- ffmpeg-4.4/libavformat/asfdec_f.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/asfdec_f.c 2022-04-14 21:13:38.000000000 +0100 @@ -522,7 +522,7 @@ tag1 = avio_rl32(pb); avio_skip(pb, 20); if (sizeX > 40) { - if (size < sizeX - 40) + if (size < sizeX - 40 || sizeX - 40 > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return AVERROR_INVALIDDATA; st->codecpar->extradata_size = ffio_limit(pb, sizeX - 40); st->codecpar->extradata = av_mallocz(st->codecpar->extradata_size + diff -Nru ffmpeg-4.4/libavformat/asfdec_o.c ffmpeg-4.4.2/libavformat/asfdec_o.c --- ffmpeg-4.4/libavformat/asfdec_o.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/asfdec_o.c 2022-04-14 21:13:38.000000000 +0100 @@ -685,7 +685,7 @@ return 0; } -static int parse_video_info(AVIOContext *pb, AVStream *st) +static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream *st) { uint16_t size_asf; // ASF-specific Format Data size uint32_t size_bmp; // BMP_HEADER-specific Format Data size @@ -700,19 +700,10 @@ st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); - if (size_bmp > BMP_HEADER_SIZE && - size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { - int ret; - st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; - if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + - AV_INPUT_BUFFER_PADDING_SIZE))) { - st->codecpar->extradata_size = 0; - return AVERROR(ENOMEM); - } - memset(st->codecpar->extradata + st->codecpar->extradata_size , 0, - AV_INPUT_BUFFER_PADDING_SIZE); - if ((ret = avio_read(pb, st->codecpar->extradata, - st->codecpar->extradata_size)) < 0) + if (size_bmp > BMP_HEADER_SIZE) { + int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - BMP_HEADER_SIZE); + + if (ret < 0) return ret; } return 0; @@ -795,7 +786,7 @@ break; case AVMEDIA_TYPE_VIDEO: asf_st->type = AVMEDIA_TYPE_VIDEO; - if ((ret = parse_video_info(pb, st)) < 0) + if ((ret = parse_video_info(s, pb, st)) < 0) return ret; break; default: diff -Nru ffmpeg-4.4/libavformat/avidec.c ffmpeg-4.4.2/libavformat/avidec.c --- ffmpeg-4.4/libavformat/avidec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/avidec.c 2022-04-14 21:13:48.000000000 +0100 @@ -165,7 +165,7 @@ return 0; } -static int read_odml_index(AVFormatContext *s, int frame_num) +static int read_odml_index(AVFormatContext *s, int64_t frame_num) { AVIContext *avi = s->priv_data; AVIOContext *pb = s->pb; @@ -185,7 +185,7 @@ av_log(s, AV_LOG_TRACE, "longs_per_entry:%d index_type:%d entries_in_use:%d " - "chunk_id:%X base:%16"PRIX64" frame_num:%d\n", + "chunk_id:%X base:%16"PRIX64" frame_num:%"PRId64"\n", longs_per_entry, index_type, entries_in_use, @@ -241,11 +241,13 @@ } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); - if (avio_feof(pb)) + if (avio_feof(pb) || offset > INT64_MAX - 8) return AVERROR_INVALIDDATA; pos = avio_tell(pb); @@ -258,7 +260,7 @@ if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -266,7 +268,8 @@ av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; @@ -856,6 +859,8 @@ memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); @@ -1783,7 +1788,10 @@ size = avio_rl32(pb); if (avio_feof(pb)) break; - next = avio_tell(pb) + size + (size & 1); + next = avio_tell(pb); + if (next < 0 || next > INT64_MAX - size - (size & 1)) + break; + next += size + (size & 1LL); if (tag == MKTAG('i', 'd', 'x', '1') && avi_read_idx1(s, size) >= 0) { diff -Nru ffmpeg-4.4/libavformat/avio.c ffmpeg-4.4.2/libavformat/avio.c --- ffmpeg-4.4/libavformat/avio.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/avio.c 2022-04-14 21:13:38.000000000 +0100 @@ -316,8 +316,11 @@ int ret = ffurl_alloc(puc, filename, flags, int_cb); if (ret < 0) return ret; - if (parent) - av_opt_copy(*puc, parent); + if (parent) { + ret = av_opt_copy(*puc, parent); + if (ret < 0) + goto fail; + } if (options && (ret = av_opt_set_dict(*puc, options)) < 0) goto fail; diff -Nru ffmpeg-4.4/libavformat/bfi.c ffmpeg-4.4.2/libavformat/bfi.c --- ffmpeg-4.4/libavformat/bfi.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/bfi.c 2022-04-14 21:13:38.000000000 +0100 @@ -73,6 +73,8 @@ return AVERROR_INVALIDDATA; bfi->nframes = avio_rl32(pb); + if (bfi->nframes < 0) + return AVERROR_INVALIDDATA; avio_rl32(pb); avio_rl32(pb); avio_rl32(pb); diff -Nru ffmpeg-4.4/libavformat/cafdec.c ffmpeg-4.4.2/libavformat/cafdec.c --- ffmpeg-4.4/libavformat/cafdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/cafdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -79,7 +79,7 @@ st->codecpar->channels = avio_rb32(pb); st->codecpar->bits_per_coded_sample = avio_rb32(pb); - if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0) + if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || st->codecpar->channels < 0) return AVERROR_INVALIDDATA; /* calculate bit rate for constant size packets */ @@ -241,6 +241,8 @@ char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } diff -Nru ffmpeg-4.4/libavformat/cafenc.c ffmpeg-4.4.2/libavformat/cafenc.c --- ffmpeg-4.4/libavformat/cafenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/cafenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -28,7 +28,6 @@ typedef struct { int64_t data; - uint8_t *pkt_sizes; int size_buffer_size; int size_entries_used; int packets; @@ -209,30 +208,29 @@ static int caf_write_packet(AVFormatContext *s, AVPacket *pkt) { CAFContext *caf = s->priv_data; + AVStream *const st = s->streams[0]; - avio_write(s->pb, pkt->data, pkt->size); - if (!s->streams[0]->codecpar->block_align) { - void *pkt_sizes = caf->pkt_sizes; - int i, alloc_size = caf->size_entries_used + 5; - if (alloc_size < 0) { - caf->pkt_sizes = NULL; - } else { - caf->pkt_sizes = av_fast_realloc(caf->pkt_sizes, - &caf->size_buffer_size, - alloc_size); - } - if (!caf->pkt_sizes) { - av_free(pkt_sizes); + if (!st->codecpar->block_align) { + uint8_t *pkt_sizes; + int i, alloc_size = caf->size_entries_used + 5U; + if (alloc_size < 0) + return AVERROR(ERANGE); + + pkt_sizes = av_fast_realloc(st->priv_data, + &caf->size_buffer_size, + alloc_size); + if (!pkt_sizes) return AVERROR(ENOMEM); - } + st->priv_data = pkt_sizes; for (i = 4; i > 0; i--) { unsigned top = pkt->size >> i * 7; if (top) - caf->pkt_sizes[caf->size_entries_used++] = 128 | top; + pkt_sizes[caf->size_entries_used++] = 128 | top; } - caf->pkt_sizes[caf->size_entries_used++] = pkt->size & 127; + pkt_sizes[caf->size_entries_used++] = pkt->size & 127; caf->packets++; } + avio_write(s->pb, pkt->data, pkt->size); return 0; } @@ -240,7 +238,8 @@ { CAFContext *caf = s->priv_data; AVIOContext *pb = s->pb; - AVCodecParameters *par = s->streams[0]->codecpar; + AVStream *st = s->streams[0]; + AVCodecParameters *par = st->codecpar; if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int64_t file_size = avio_tell(pb); @@ -250,16 +249,14 @@ avio_seek(pb, file_size, SEEK_SET); if (!par->block_align) { ffio_wfourcc(pb, "pakt"); - avio_wb64(pb, caf->size_entries_used + 24); + avio_wb64(pb, caf->size_entries_used + 24U); avio_wb64(pb, caf->packets); ///< mNumberPackets avio_wb64(pb, caf->packets * samples_per_packet(par->codec_id, par->channels, par->block_align)); ///< mNumberValidFrames avio_wb32(pb, 0); ///< mPrimingFrames avio_wb32(pb, 0); ///< mRemainderFrames - avio_write(pb, caf->pkt_sizes, caf->size_entries_used); - caf->size_buffer_size = 0; + avio_write(pb, st->priv_data, caf->size_entries_used); } } - av_freep(&caf->pkt_sizes); return 0; } diff -Nru ffmpeg-4.4/libavformat/dsfdec.c ffmpeg-4.4.2/libavformat/dsfdec.c --- ffmpeg-4.4/libavformat/dsfdec.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/dsfdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -129,7 +129,7 @@ return AVERROR_INVALIDDATA; } st->codecpar->block_align *= st->codecpar->channels; - st->codecpar->bit_rate = st->codecpar->channels * st->codecpar->sample_rate * 8LL; + st->codecpar->bit_rate = st->codecpar->channels * 8LL * st->codecpar->sample_rate; avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); avio_skip(pb, 4); diff -Nru ffmpeg-4.4/libavformat/dsicin.c ffmpeg-4.4.2/libavformat/dsicin.c --- ffmpeg-4.4/libavformat/dsicin.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/dsicin.c 2022-04-14 21:13:38.000000000 +0100 @@ -166,7 +166,8 @@ CinDemuxContext *cin = s->priv_data; AVIOContext *pb = s->pb; CinFrameHeader *hdr = &cin->frame_header; - int rc, palette_type, pkt_size; + int rc, palette_type; + int64_t pkt_size; int ret; if (cin->audio_buffer_size == 0) { @@ -182,7 +183,9 @@ } /* palette and video packet */ - pkt_size = (palette_type + 3) * hdr->pal_colors_count + hdr->video_frame_size; + pkt_size = (palette_type + 3LL) * hdr->pal_colors_count + hdr->video_frame_size; + if (pkt_size + 4 > INT_MAX) + return AVERROR_INVALIDDATA; pkt_size = ffio_limit(pb, pkt_size); diff -Nru ffmpeg-4.4/libavformat/dxa.c ffmpeg-4.4.2/libavformat/dxa.c --- ffmpeg-4.4/libavformat/dxa.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/dxa.c 2022-04-14 21:13:38.000000000 +0100 @@ -79,7 +79,7 @@ if(fps > 0){ den = 1000; num = fps; - }else if (fps < 0){ + }else if (fps < 0 && fps > INT_MIN){ den = 100000; num = -fps; }else{ diff -Nru ffmpeg-4.4/libavformat/fifo.c ffmpeg-4.4.2/libavformat/fifo.c --- ffmpeg-4.4/libavformat/fifo.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/fifo.c 2022-04-14 21:13:38.000000000 +0100 @@ -593,7 +593,7 @@ goto fail; } - if (fifo->timeshift && pkt->dts != AV_NOPTS_VALUE) + if (fifo->timeshift && pkt && pkt->dts != AV_NOPTS_VALUE) atomic_fetch_add_explicit(&fifo->queue_duration, next_duration(avf, pkt, &fifo->last_sent_dts), memory_order_relaxed); return ret; diff -Nru ffmpeg-4.4/libavformat/flvdec.c ffmpeg-4.4.2/libavformat/flvdec.c --- ffmpeg-4.4/libavformat/flvdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/flvdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -459,6 +459,8 @@ d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { diff -Nru ffmpeg-4.4/libavformat/ftp.c ffmpeg-4.4.2/libavformat/ftp.c --- ffmpeg-4.4/libavformat/ftp.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/ftp.c 2022-04-14 21:13:38.000000000 +0100 @@ -972,6 +972,8 @@ continue; } fact = av_strtok(fact, "=", &value); + if (!fact) + continue; if (!av_strcasecmp(fact, "type")) { if (!av_strcasecmp(value, "cdir") || !av_strcasecmp(value, "pdir")) return 1; diff -Nru ffmpeg-4.4/libavformat/hls.c ffmpeg-4.4.2/libavformat/hls.c --- ffmpeg-4.4/libavformat/hls.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/hls.c 2022-04-14 21:13:48.000000000 +0100 @@ -810,10 +810,16 @@ &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { uint64_t seq_no; ret = ensure_playlist(c, &pls, url); @@ -903,7 +909,7 @@ if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { - int64_t seq = pls->start_seq_no + pls->n_segments; + uint64_t seq = pls->start_seq_no + (uint64_t)pls->n_segments; memset(seg->iv, 0, sizeof(seg->iv)); AV_WB64(seg->iv + 8, seq); } diff -Nru ffmpeg-4.4/libavformat/hlsenc.c ffmpeg-4.4.2/libavformat/hlsenc.c --- ffmpeg-4.4/libavformat/hlsenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/hlsenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -2672,14 +2672,13 @@ vs->packets_written++; if (oc->pb) { - int64_t keyframe_pre_pos = avio_tell(oc->pb); ret = ff_write_chained(oc, stream_index, pkt, s, 0); - if ((st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) && - (pkt->flags & AV_PKT_FLAG_KEY) && !keyframe_pre_pos) { - av_write_frame(oc, NULL); /* Flush any buffered data */ - vs->video_keyframe_size = avio_tell(oc->pb) - keyframe_pre_pos; + vs->video_keyframe_size += pkt->size; + if ((st->codecpar->codec_type == AVMEDIA_TYPE_VIDEO) && (pkt->flags & AV_PKT_FLAG_KEY)) { + vs->video_keyframe_size = avio_tell(oc->pb); + } else { + vs->video_keyframe_pos = avio_tell(vs->out); } - vs->video_keyframe_pos = vs->start_pos; if (hls->ignore_io_errors) ret = 0; } diff -Nru ffmpeg-4.4/libavformat/id3v2.c ffmpeg-4.4.2/libavformat/id3v2.c --- ffmpeg-4.4/libavformat/id3v2.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/id3v2.c 2022-04-14 21:13:38.000000000 +0100 @@ -816,7 +816,7 @@ int isv34, unsync; unsigned tlen; char tag[5]; - int64_t next, end = avio_tell(pb) + len; + int64_t next, end = avio_tell(pb); int taghdrlen; const char *reason = NULL; AVIOContext pb_local; @@ -828,6 +828,10 @@ av_unused int uncompressed_buffer_size = 0; const char *comm_frame; + if (end > INT64_MAX - len - 10) + return; + end += len; + av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, flags, len); switch (version) { diff -Nru ffmpeg-4.4/libavformat/iff.c ffmpeg-4.4.2/libavformat/iff.c --- ffmpeg-4.4/libavformat/iff.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/iff.c 2022-04-14 21:13:38.000000000 +0100 @@ -385,7 +385,7 @@ avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); diff -Nru ffmpeg-4.4/libavformat/jacosubdec.c ffmpeg-4.4.2/libavformat/jacosubdec.c --- ffmpeg-4.4/libavformat/jacosubdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/jacosubdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -141,6 +141,9 @@ int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); #undef SSEP + if (a == INT_MIN) + return 0; + if (*buf == '-' || a < 0) { sign = -1; a = FFABS(a); diff -Nru ffmpeg-4.4/libavformat/jacosubenc.c ffmpeg-4.4.2/libavformat/jacosubenc.c --- ffmpeg-4.4/libavformat/jacosubenc.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/jacosubenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -24,7 +24,7 @@ const AVCodecParameters *par = s->streams[0]->codecpar; if (par->extradata_size) { - avio_write(s->pb, par->extradata, par->extradata_size - 1); + avio_write(s->pb, par->extradata, par->extradata_size); } return 0; } diff -Nru ffmpeg-4.4/libavformat/matroskadec.c ffmpeg-4.4.2/libavformat/matroskadec.c --- ffmpeg-4.4/libavformat/matroskadec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/matroskadec.c 2022-04-14 21:13:48.000000000 +0100 @@ -802,20 +802,22 @@ static int matroska_reset_status(MatroskaDemuxContext *matroska, uint32_t id, int64_t position) { + int64_t err = 0; if (position >= 0) { - int64_t err = avio_seek(matroska->ctx->pb, position, SEEK_SET); - if (err < 0) - return err; - } + err = avio_seek(matroska->ctx->pb, position, SEEK_SET); + if (err > 0) + err = 0; + } else + position = avio_tell(matroska->ctx->pb); matroska->current_id = id; matroska->num_levels = 1; matroska->unknown_count = 0; - matroska->resync_pos = avio_tell(matroska->ctx->pb); + matroska->resync_pos = position; if (id) matroska->resync_pos -= (av_log2(id) + 7) / 8; - return 0; + return err; } static int matroska_resync(MatroskaDemuxContext *matroska, int64_t last_pos) @@ -1688,7 +1690,7 @@ case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1721,7 +1723,7 @@ case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; @@ -1871,6 +1873,7 @@ uint32_t saved_id = matroska->current_id; int64_t before_pos = avio_tell(matroska->ctx->pb); int ret = 0; + int ret2; /* seek */ if (avio_seek(matroska->ctx->pb, pos, SEEK_SET) == pos) { @@ -1895,7 +1898,9 @@ } /* Seek back - notice that in all instances where this is used * it is safe to set the level to 1. */ - matroska_reset_status(matroska, saved_id, before_pos); + ret2 = matroska_reset_status(matroska, saved_id, before_pos); + if (ret >= 0) + ret = ret2; return ret; } @@ -2801,14 +2806,15 @@ &st->sample_aspect_ratio.den, st->codecpar->height * track->video.display_width * display_width_mul, st->codecpar->width * track->video.display_height * display_height_mul, - 255); + INT_MAX); } if (st->codecpar->codec_id != AV_CODEC_ID_HEVC) st->need_parsing = AVSTREAM_PARSE_HEADERS; if (track->default_duration) { + int div = track->default_duration <= INT64_MAX ? 1 : 2; av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den, - 1000000000, track->default_duration, 30000); + 1000000000 / div, track->default_duration / div, 30000); #if FF_API_R_FRAME_RATE if ( st->avg_frame_rate.num < st->avg_frame_rate.den * 1000LL && st->avg_frame_rate.num > st->avg_frame_rate.den * 5LL) @@ -2969,6 +2975,8 @@ if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; @@ -3929,7 +3937,9 @@ int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { @@ -4118,6 +4128,8 @@ // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); @@ -4129,12 +4141,16 @@ do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = diff -Nru ffmpeg-4.4/libavformat/matroskaenc.c ffmpeg-4.4.2/libavformat/matroskaenc.c --- ffmpeg-4.4/libavformat/matroskaenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/matroskaenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -1768,6 +1768,7 @@ put_ebml_string(dyn_cp, MATROSKA_ID_FILEDESC, t->value); if (!(t = av_dict_get(st->metadata, "filename", NULL, 0))) { av_log(s, AV_LOG_ERROR, "Attachment stream %d has no filename tag.\n", i); + ffio_free_dyn_buf(&dyn_cp); return AVERROR(EINVAL); } put_ebml_string(dyn_cp, MATROSKA_ID_FILENAME, t->value); diff -Nru ffmpeg-4.4/libavformat/mccdec.c ffmpeg-4.4.2/libavformat/mccdec.c --- ffmpeg-4.4/libavformat/mccdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mccdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -127,8 +127,7 @@ num = strtol(rate_str, &df, 10); den = 1; if (df && !av_strncasecmp(df, "DF", 2)) { - num *= 1000; - den = 1001; + av_reduce(&num, &den, num * 1000LL, 1001, INT_MAX); } } diff -Nru ffmpeg-4.4/libavformat/moflex.c ffmpeg-4.4.2/libavformat/moflex.c --- ffmpeg-4.4/libavformat/moflex.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/moflex.c 2022-04-14 21:13:38.000000000 +0100 @@ -172,8 +172,7 @@ unsigned type, ssize, codec_id = 0; unsigned codec_type, width = 0, height = 0, sample_rate = 0, channels = 0; int stream_index = -1; - int format; - AVRational fps; + AVRational tb = av_make_q(0, 1); read_var_byte(s, &type); read_var_byte(s, &ssize); @@ -196,6 +195,7 @@ return AVERROR_PATCHWELCOME; } sample_rate = avio_rb24(pb) + 1; + tb = av_make_q(1, sample_rate); channels = avio_r8(pb) + 1; break; case 1: @@ -209,11 +209,10 @@ av_log(s, AV_LOG_ERROR, "Unsupported video codec: %d\n", codec_id); return AVERROR_PATCHWELCOME; } - fps.num = avio_rb16(pb); - fps.den = avio_rb16(pb); + tb.den = avio_rb16(pb); + tb.num = avio_rb16(pb); width = avio_rb16(pb); height = avio_rb16(pb); - format = AV_PIX_FMT_YUV420P; avio_skip(pb, type == 3 ? 3 : 2); break; case 4: @@ -235,15 +234,12 @@ st->codecpar->height = height; st->codecpar->sample_rate= sample_rate; st->codecpar->channels = channels; - st->codecpar->format = format; st->priv_data = av_packet_alloc(); if (!st->priv_data) return AVERROR(ENOMEM); - if (sample_rate) - avpriv_set_pts_info(st, 63, 1, sample_rate); - else - avpriv_set_pts_info(st, 63, fps.den, fps.num); + if (tb.num) + avpriv_set_pts_info(st, 63, tb.num, tb.den); } } diff -Nru ffmpeg-4.4/libavformat/mov.c ffmpeg-4.4.2/libavformat/mov.c --- ffmpeg-4.4/libavformat/mov.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mov.c 2022-04-14 21:13:48.000000000 +0100 @@ -294,6 +294,8 @@ int moment_time = avio_rb32(pb); avpriv_new_chapter(c->fc, i, av_make_q(1, 1000), moment_time, AV_NOPTS_VALUE, NULL); } + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; return 0; } @@ -605,11 +607,13 @@ for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags @@ -1940,6 +1944,8 @@ // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); @@ -2549,6 +2555,10 @@ av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); @@ -3835,7 +3845,11 @@ if ((empty_duration || start_time) && mov->time_scale > 0) { if (empty_duration) empty_duration = av_rescale(empty_duration, sc->time_scale, mov->time_scale); - sc->time_offset = start_time - empty_duration; + + if (av_sat_sub64(start_time, empty_duration) != start_time - (uint64_t)empty_duration) + av_log(mov->fc, AV_LOG_WARNING, "start_time - empty_duration is not representable\n"); + + sc->time_offset = start_time - (uint64_t)empty_duration; sc->min_corrected_pts = start_time; if (!mov->advanced_editlist) current_dts = -sc->time_offset; @@ -4700,6 +4714,8 @@ for (i = 0; i < num && !pb->eof_reached; i++) c->chapter_tracks[i] = avio_rb32(pb); + c->nb_chapter_tracks = i; + return 0; } @@ -4984,6 +5000,8 @@ "size %u, distance %d, keyframe %d\n", st->index, index_entry_pos, offset, dts, sample_size, distance, keyframe); distance++; + if (av_sat_add64(dts, sample_duration) != dts + (uint64_t)sample_duration) + return AVERROR_INVALIDDATA; dts += sample_duration; offset += sample_size; sc->data_size += sample_size; @@ -5106,6 +5124,8 @@ avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; @@ -5124,7 +5144,9 @@ if (frag_stream_info) frag_stream_info->sidx_pts = timestamp; - if (av_sat_add64(offset, size) != offset + size) + if (av_sat_add64(offset, size) != offset + (uint64_t)size || + av_sat_add64(pts, duration) != pts + (uint64_t)duration + ) return AVERROR_INVALIDDATA; offset += size; pts += duration; @@ -5136,7 +5158,7 @@ // See if the remaining bytes are just an mfra which we can ignore. is_complete = offset == stream_size; - if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL)) { + if (!is_complete && (pb->seekable & AVIO_SEEKABLE_NORMAL) && stream_size > 0 ) { int64_t ret; int64_t original_pos = avio_tell(pb); if (!c->have_read_mfra_size) { @@ -5147,7 +5169,7 @@ if ((ret = avio_seek(pb, original_pos, SEEK_SET)) < 0) return ret; } - if (offset + c->mfra_size == stream_size) + if (offset == stream_size - c->mfra_size) is_complete = 1; } @@ -5429,6 +5451,9 @@ av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); @@ -5464,7 +5489,7 @@ sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data; - if (atom.size < 24) { + if (atom.size < 24 || sc->mastering) { av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume box\n"); return AVERROR_INVALIDDATA; } @@ -5512,6 +5537,11 @@ } avio_skip(pb, 3); /* flags */ + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); @@ -5536,6 +5566,11 @@ return AVERROR_INVALIDDATA; } + if (sc->coll){ + av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate CLLI/COLL\n"); + return 0; + } + sc->coll = av_content_light_metadata_alloc(&sc->coll_size); if (!sc->coll) return AVERROR(ENOMEM); @@ -6107,6 +6142,8 @@ } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } @@ -7045,6 +7082,8 @@ if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; diff -Nru ffmpeg-4.4/libavformat/movenc.c ffmpeg-4.4.2/libavformat/movenc.c --- ffmpeg-4.4/libavformat/movenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/movenc.c 2022-04-14 21:13:38.000000000 +0100 @@ -91,7 +91,7 @@ { "frag_duration", "Maximum fragment duration", offsetof(MOVMuxContext, max_fragment_duration), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM}, { "min_frag_duration", "Minimum fragment duration", offsetof(MOVMuxContext, min_fragment_duration), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM}, { "frag_size", "Maximum fragment size", offsetof(MOVMuxContext, max_fragment_size), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM}, - { "ism_lookahead", "Number of lookahead entries for ISM files", offsetof(MOVMuxContext, ism_lookahead), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM}, + { "ism_lookahead", "Number of lookahead entries for ISM files", offsetof(MOVMuxContext, ism_lookahead), AV_OPT_TYPE_INT, {.i64 = 0}, 0, 255, AV_OPT_FLAG_ENCODING_PARAM}, { "video_track_timescale", "set timescale of all video tracks", offsetof(MOVMuxContext, video_track_timescale), AV_OPT_TYPE_INT, {.i64 = 0}, 0, INT_MAX, AV_OPT_FLAG_ENCODING_PARAM}, { "brand", "Override major brand", offsetof(MOVMuxContext, major_brand), AV_OPT_TYPE_STRING, {.str = NULL}, .flags = AV_OPT_FLAG_ENCODING_PARAM }, { "use_editlist", "use edit list", offsetof(MOVMuxContext, use_editlist), AV_OPT_TYPE_BOOL, {.i64 = -1}, -1, 1, AV_OPT_FLAG_ENCODING_PARAM}, @@ -797,6 +797,7 @@ static int mov_write_dops_tag(AVFormatContext *s, AVIOContext *pb, MOVTrack *track) { int64_t pos = avio_tell(pb); + int channels, channel_map; avio_wb32(pb, 0); ffio_wfourcc(pb, "dOps"); avio_w8(pb, 0); /* Version */ @@ -807,12 +808,22 @@ /* extradata contains an Ogg OpusHead, other than byte-ordering and OpusHead's preceeding magic/version, OpusSpecificBox is currently identical. */ - avio_w8(pb, AV_RB8(track->par->extradata + 9)); /* OuputChannelCount */ + channels = AV_RB8(track->par->extradata + 9); + channel_map = AV_RB8(track->par->extradata + 18); + + avio_w8(pb, channels); /* OuputChannelCount */ avio_wb16(pb, AV_RL16(track->par->extradata + 10)); /* PreSkip */ avio_wb32(pb, AV_RL32(track->par->extradata + 12)); /* InputSampleRate */ avio_wb16(pb, AV_RL16(track->par->extradata + 16)); /* OutputGain */ + avio_w8(pb, channel_map); /* ChannelMappingFamily */ /* Write the rest of the header out without byte-swapping. */ - avio_write(pb, track->par->extradata + 18, track->par->extradata_size - 18); + if (channel_map) { + if (track->par->extradata_size < 21 + channels) { + av_log(s, AV_LOG_ERROR, "invalid extradata size\n"); + return AVERROR_INVALIDDATA; + } + avio_write(pb, track->par->extradata + 19, 2 + channels); /* ChannelMappingTable */ + } return update_size(pb, pos); } @@ -2166,11 +2177,13 @@ avio_wb16(pb, 0x18); /* Reserved */ if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) { - int pal_size = 1 << track->par->bits_per_coded_sample; - int i; + int pal_size, i; avio_wb16(pb, 0); /* Color table ID */ avio_wb32(pb, 0); /* Color table seed */ avio_wb16(pb, 0x8000); /* Color table flags */ + if (track->par->bits_per_coded_sample < 0 || track->par->bits_per_coded_sample > 8) + return AVERROR(EINVAL); + pal_size = 1 << track->par->bits_per_coded_sample; avio_wb16(pb, pal_size - 1); /* Color table size (zero-relative) */ for (i = 0; i < pal_size; i++) { uint32_t rgb = track->palette[i]; diff -Nru ffmpeg-4.4/libavformat/mpc8.c ffmpeg-4.4.2/libavformat/mpc8.c --- ffmpeg-4.4/libavformat/mpc8.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mpc8.c 2022-04-14 21:13:38.000000000 +0100 @@ -177,7 +177,13 @@ } seekd = get_bits(&gb, 4); for(i = 0; i < 2; i++){ - pos = gb_get_v(&gb) + c->header_pos; + pos = gb_get_v(&gb); + if (av_sat_add64(pos, c->header_pos) != pos + (uint64_t)c->header_pos) { + av_free(buf); + return; + } + + pos += c->header_pos; ppos[1 - i] = pos; av_add_index_entry(s->streams[0], pos, i, 0, 0, AVINDEX_KEYFRAME); } @@ -205,8 +211,11 @@ switch(tag){ case TAG_SEEKTBLOFF: - pos = avio_tell(pb) + size; + pos = avio_tell(pb); off = ffio_read_varlen(pb); + if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos) + return; + pos += size; mpc8_parse_seektable(s, chunk_pos + off); avio_seek(pb, pos, SEEK_SET); break; diff -Nru ffmpeg-4.4/libavformat/mpegts.c ffmpeg-4.4.2/libavformat/mpegts.c --- ffmpeg-4.4/libavformat/mpegts.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mpegts.c 2022-04-14 21:13:38.000000000 +0100 @@ -2026,6 +2026,7 @@ return AVERROR_INVALIDDATA; if (channel_config_code <= 0x8) { st->codecpar->extradata[9] = channels = channel_config_code ? channel_config_code : 2; + AV_WL32(&st->codecpar->extradata[12], 48000); st->codecpar->extradata[18] = channel_config_code ? (channels > 2) : /* Dual Mono */ 255; st->codecpar->extradata[19] = opus_stream_cnt[channel_config_code]; st->codecpar->extradata[20] = opus_coupled_stream_cnt[channel_config_code]; @@ -2861,8 +2862,8 @@ int64_t back = FFMIN(seekback, pos); //Special case for files like 01c56b0dc1.ts - if (current_packet[0] == 0x80 && current_packet[12] == 0x47) { - avio_seek(pb, 12 - back, SEEK_CUR); + if (current_packet[0] == 0x80 && current_packet[12] == 0x47 && pos >= TS_PACKET_SIZE) { + avio_seek(pb, 12 - TS_PACKET_SIZE, SEEK_CUR); return 0; } diff -Nru ffmpeg-4.4/libavformat/msf.c ffmpeg-4.4.2/libavformat/msf.c --- ffmpeg-4.4/libavformat/msf.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/msf.c 2022-04-14 21:13:38.000000000 +0100 @@ -70,6 +70,8 @@ case 4: case 5: case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 192) * st->codecpar->channels; + if (st->codecpar->channels > UINT16_MAX / 2048) + return AVERROR_INVALIDDATA; ret = ff_alloc_extradata(st->codecpar, 14); if (ret < 0) return ret; diff -Nru ffmpeg-4.4/libavformat/mvdec.c ffmpeg-4.4.2/libavformat/mvdec.c --- ffmpeg-4.4/libavformat/mvdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mvdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -156,7 +156,10 @@ } else if (!strcmp(name, "NUM_CHANNELS")) { return set_channels(avctx, st, var_read_int(pb, size)); } else if (!strcmp(name, "SAMPLE_RATE")) { - st->codecpar->sample_rate = var_read_int(pb, size); + int sample_rate = var_read_int(pb, size); + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + st->codecpar->sample_rate = sample_rate; avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate); } else if (!strcmp(name, "SAMPLE_WIDTH")) { uint64_t bpc = var_read_int(pb, size) * (uint64_t)8; diff -Nru ffmpeg-4.4/libavformat/mvi.c ffmpeg-4.4.2/libavformat/mvi.c --- ffmpeg-4.4/libavformat/mvi.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mvi.c 2022-04-14 21:13:38.000000000 +0100 @@ -32,7 +32,6 @@ typedef struct MviDemuxContext { unsigned int (*get_int)(AVIOContext *); - uint32_t audio_data_size; uint64_t audio_size_counter; uint64_t audio_frame_size; int audio_size_left; @@ -46,6 +45,7 @@ AVStream *ast, *vst; unsigned int version, frames_count, msecs_per_frame, player_version; int ret; + int audio_data_size; ast = avformat_new_stream(s, NULL); if (!ast) @@ -67,13 +67,13 @@ vst->codecpar->height = avio_rl16(pb); avio_r8(pb); ast->codecpar->sample_rate = avio_rl16(pb); - mvi->audio_data_size = avio_rl32(pb); + audio_data_size = avio_rl32(pb); avio_r8(pb); player_version = avio_rl32(pb); avio_rl16(pb); avio_r8(pb); - if (frames_count == 0 || mvi->audio_data_size == 0) + if (frames_count == 0 || audio_data_size <= 0) return AVERROR_INVALIDDATA; if (version != 7 || player_version > 213) { @@ -96,16 +96,16 @@ mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 << 16)) ? avio_rl16 : avio_rl24; - mvi->audio_frame_size = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count; + mvi->audio_frame_size = ((uint64_t)audio_data_size << MVI_FRAC_BITS) / frames_count; if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) { av_log(s, AV_LOG_ERROR, - "Invalid audio_data_size (%"PRIu32") or frames_count (%u)\n", - mvi->audio_data_size, frames_count); + "Invalid audio_data_size (%d) or frames_count (%u)\n", + audio_data_size, frames_count); return AVERROR_INVALIDDATA; } mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size; - mvi->audio_size_left = mvi->audio_data_size; + mvi->audio_size_left = audio_data_size; return 0; } diff -Nru ffmpeg-4.4/libavformat/mxfdec.c ffmpeg-4.4.2/libavformat/mxfdec.c --- ffmpeg-4.4/libavformat/mxfdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/mxfdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -565,6 +565,10 @@ data_ptr = pkt->data; end_ptr = pkt->data + length; buf_ptr = pkt->data + 4; /* skip SMPTE 331M header */ + + if (st->codecpar->channels > 8) + return AVERROR_INVALIDDATA; + for (; end_ptr - buf_ptr >= st->codecpar->channels * 4; ) { for (i = 0; i < st->codecpar->channels; i++) { uint32_t sample = bytestream_get_le32(&buf_ptr); @@ -624,7 +628,7 @@ return AVERROR_INVALIDDATA; // enc. code size = klv_decode_ber_length(pb); - if (size < 32 || size - 32 < orig_size) + if (size < 32 || size - 32 < orig_size || (int)orig_size != orig_size) return AVERROR_INVALIDDATA; avio_read(pb, ivec, 16); avio_read(pb, tmpbuf, 16); @@ -871,15 +875,27 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { - *count = avio_rb32(pb); + int64_t ret; + unsigned c = avio_rb32(pb); + + //avio_read() used int + if (c > INT_MAX / sizeof(UID)) + return AVERROR_PATCHWELCOME; + *count = c; + av_free(*refs); - *refs = av_calloc(*count, sizeof(UID)); + *refs = av_malloc_array(*count, sizeof(UID)); if (!*refs) { *count = 0; return AVERROR(ENOMEM); } avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */ - avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + if (ret != *count * sizeof(UID)) { + *count = ret < 0 ? 0 : ret / sizeof(UID); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } + return 0; } @@ -1088,6 +1104,9 @@ { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); @@ -2249,12 +2268,12 @@ /* CDCI range metadata */ if (!descriptor->component_depth) return AVCOL_RANGE_UNSPECIFIED; - if (descriptor->black_ref_level == 0 && + if (descriptor->black_ref_level == 0 && descriptor->component_depth < 31 && descriptor->white_ref_level == ((1<component_depth) - 1) && (descriptor->color_range == (1<component_depth) || descriptor->color_range == ((1<component_depth) - 1))) return AVCOL_RANGE_JPEG; - if (descriptor->component_depth >= 8 && + if (descriptor->component_depth >= 8 && descriptor->component_depth < 31 && descriptor->black_ref_level == (1 <<(descriptor->component_depth - 4)) && descriptor->white_ref_level == (235<<(descriptor->component_depth - 8)) && descriptor->color_range == ((14<<(descriptor->component_depth - 4)) + 1)) @@ -2903,7 +2922,7 @@ meta = NULL; ctx = mxf; } - while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) { + while (avio_tell(pb) + 4ULL < klv_end && !avio_feof(pb)) { int ret; int tag = avio_rb16(pb); int size = avio_rb16(pb); /* KLV specified by 0x53 */ diff -Nru ffmpeg-4.4/libavformat/nutdec.c ffmpeg-4.4.2/libavformat/nutdec.c --- ffmpeg-4.4/libavformat/nutdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/nutdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -286,6 +286,11 @@ ret = AVERROR_INVALIDDATA; goto fail; } + if (tmp_size < 0 || tmp_size > INT_MAX - count) { + av_log(s, AV_LOG_ERROR, "illegal size\n"); + ret = AVERROR_INVALIDDATA; + goto fail; + } for (j = 0; j < count; j++, i++) { if (i == 'N') { diff -Nru ffmpeg-4.4/libavformat/omadec.c ffmpeg-4.4.2/libavformat/omadec.c --- ffmpeg-4.4/libavformat/omadec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/omadec.c 2022-04-14 21:13:38.000000000 +0100 @@ -494,7 +494,7 @@ AV_WL16(&edata[6], jsflag); // coding mode AV_WL16(&edata[8], jsflag); // coding mode AV_WL16(&edata[10], 1); // always 1 - // AV_WL16(&edata[12], 0); // always 0 + AV_WL16(&edata[12], 0); // always 0 avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); break; diff -Nru ffmpeg-4.4/libavformat/pp_bnk.c ffmpeg-4.4.2/libavformat/pp_bnk.c --- ffmpeg-4.4/libavformat/pp_bnk.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/pp_bnk.c 2022-04-14 21:13:38.000000000 +0100 @@ -223,7 +223,7 @@ par->bits_per_coded_sample = 4; par->bits_per_raw_sample = 16; par->block_align = 1; - par->bit_rate = par->sample_rate * par->bits_per_coded_sample * par->channels; + par->bit_rate = par->sample_rate * (int64_t)par->bits_per_coded_sample * par->channels; avpriv_set_pts_info(st, 64, 1, par->sample_rate); st->start_time = 0; diff -Nru ffmpeg-4.4/libavformat/qcp.c ffmpeg-4.4.2/libavformat/qcp.c --- ffmpeg-4.4/libavformat/qcp.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/qcp.c 2022-04-14 21:13:38.000000000 +0100 @@ -93,7 +93,8 @@ QCPContext *c = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); uint8_t buf[16]; - int i, nb_rates; + int i; + unsigned nb_rates; if (!st) return AVERROR(ENOMEM); diff -Nru ffmpeg-4.4/libavformat/realtextdec.c ffmpeg-4.4.2/libavformat/realtextdec.c --- ffmpeg-4.4/libavformat/realtextdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/realtextdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -111,10 +111,11 @@ if (!merge) { const char *begin = ff_smil_get_attr_ptr(buf.str, "begin"); const char *end = ff_smil_get_attr_ptr(buf.str, "end"); + int64_t endi = end ? read_ts(end) : 0; sub->pos = pos; sub->pts = begin ? read_ts(begin) : 0; - sub->duration = end ? (read_ts(end) - sub->pts) : duration; + sub->duration = (end && endi > sub->pts && endi - (uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration; } } av_bprint_clear(&buf); diff -Nru ffmpeg-4.4/libavformat/rmdec.c ffmpeg-4.4.2/libavformat/rmdec.c --- ffmpeg-4.4/libavformat/rmdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/rmdec.c 2022-04-14 21:13:48.000000000 +0100 @@ -269,9 +269,9 @@ case DEINT_ID_INT4: if (ast->coded_framesize > ast->audio_framesize || sub_packet_h <= 1 || - ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) + ast->coded_framesize * (uint64_t)sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize) return AVERROR_INVALIDDATA; - if (ast->coded_framesize * sub_packet_h != 2*ast->audio_framesize) { + if (ast->coded_framesize * (uint64_t)sub_packet_h != 2*ast->audio_framesize) { avpriv_request_sample(s, "mismatching interleaver parameters"); return AVERROR_INVALIDDATA; } @@ -327,6 +327,11 @@ if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); @@ -1012,8 +1017,8 @@ { RMDemuxContext *rm = s->priv_data; AVStream *st = NULL; // init to silence compiler warning - int i, len, res, seq = 1; - int64_t timestamp, pos; + int i, res, seq = 1; + int64_t timestamp, pos, len; int flags; for (;;) { @@ -1032,7 +1037,9 @@ ast = st->priv_data; timestamp = AV_NOPTS_VALUE; len = !ast->audio_framesize ? RAW_PACKET_SIZE : - ast->coded_framesize * ast->sub_packet_h / 2; + ast->coded_framesize * (int64_t)ast->sub_packet_h / 2; + if (len > INT_MAX) + return AVERROR_INVALIDDATA; flags = (seq++ == 1) ? 2 : 0; pos = avio_tell(s->pb); } else { diff -Nru ffmpeg-4.4/libavformat/rpl.c ffmpeg-4.4.2/libavformat/rpl.c --- ffmpeg-4.4/libavformat/rpl.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/rpl.c 2022-04-14 21:13:38.000000000 +0100 @@ -103,7 +103,7 @@ // Truncate any numerator too large to fit into an int64_t if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10) break; - num = 10 * num + *line - '0'; + num = 10 * num + (*line - '0'); den *= 10; } if (!num) @@ -207,8 +207,10 @@ ast->codecpar->bits_per_coded_sample = 4; ast->codecpar->bit_rate = ast->codecpar->sample_rate * - ast->codecpar->bits_per_coded_sample * - ast->codecpar->channels; + (int64_t)ast->codecpar->channels; + if (ast->codecpar->bit_rate > INT64_MAX / ast->codecpar->bits_per_coded_sample) + return AVERROR_INVALIDDATA; + ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample; ast->codecpar->codec_id = AV_CODEC_ID_NONE; switch (audio_format) { @@ -334,7 +336,7 @@ avio_skip(pb, 4); /* flags */ frame_size = avio_rl32(pb); - if (avio_seek(pb, -8, SEEK_CUR) < 0) + if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size) return AVERROR(EIO); ret = av_get_packet(pb, pkt, frame_size); diff -Nru ffmpeg-4.4/libavformat/sbgdec.c ffmpeg-4.4.2/libavformat/sbgdec.c --- ffmpeg-4.4/libavformat/sbgdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/sbgdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -935,6 +935,9 @@ } if (s->start_ts == AV_NOPTS_VALUE) s->start_ts = (s->opt_start_at_first && s->tseq) ? s->tseq[0].ts.t : now; + if (s->start_ts > INT64_MAX - s->opt_duration) + return AVERROR_INVALIDDATA; + s->end_ts = s->opt_duration ? s->start_ts + s->opt_duration : AV_NOPTS_VALUE; /* may be overridden later by -E option */ cur_ts = now; @@ -961,6 +964,9 @@ tseq->name_len, tseq->name); return AVERROR(EINVAL); } + if (t0 + (uint64_t)tseq->ts.t != av_sat_add64(t0, tseq->ts.t)) + return AVERROR(EINVAL); + t0 += tseq->ts.t; for (i = 0; i < s->nb_def; i++) { if (s->def[i].name_len == tseq->name_len && @@ -1291,6 +1297,10 @@ ev1 = &s->events[i]; ev2 = &s->events[(i + 1) % s->nb_events]; ev1->ts_int = ev1->ts; + + if (!ev1->fade.slide && ev1 >= ev2 && ev2->ts > INT64_MAX - period) + return AVERROR_INVALIDDATA; + ev1->ts_trans = ev1->fade.slide ? ev1->ts : ev2->ts + (ev1 < ev2 ? 0 : period); } diff -Nru ffmpeg-4.4/libavformat/sccdec.c ffmpeg-4.4.2/libavformat/sccdec.c --- ffmpeg-4.4/libavformat/sccdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/sccdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -63,8 +63,7 @@ { SCCContext *scc = s->priv_data; AVStream *st = avformat_new_stream(s, NULL); - char line2[4096], line[4096]; - int64_t pos, ts, next_ts = AV_NOPTS_VALUE; + AVPacket *sub = NULL; ptrdiff_t len; uint8_t out[4096]; FFTextReader tr; @@ -77,47 +76,26 @@ st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE; st->codecpar->codec_id = AV_CODEC_ID_EIA_608; - while (!ff_text_eof(&tr) || next_ts == AV_NOPTS_VALUE || line2[0]) { + while (1) { char *saveptr = NULL, *lline; int hh, mm, ss, fs, i; - AVPacket *sub; + char line[4096]; + int64_t pos, ts; - if (next_ts == AV_NOPTS_VALUE) { - while (!ff_text_eof(&tr)) { - len = ff_subtitles_read_line(&tr, line, sizeof(line)); - if (len <= 13) - continue; + len = ff_subtitles_read_line(&tr, line, sizeof(line)); + if (len <= 13) { + if (ff_text_eof(&tr)) + break; + continue; + } if (!strncmp(line, "Scenarist_SCC V1.0", 18)) continue; - if (av_sscanf(line, "%d:%d:%d%*[:;]%d", &hh, &mm, &ss, &fs) == 4) - break; - } - - ts = (hh * 3600LL + mm * 60LL + ss) * 1000LL + fs * 33LL; - - while (!ff_text_eof(&tr)) { - len = ff_subtitles_read_line(&tr, line2, sizeof(line2)); - if (len <= 13) - continue; - - if (av_sscanf(line2, "%d:%d:%d%*[:;]%d", &hh, &mm, &ss, &fs) == 4) - break; - } - } else { - memmove(line, line2, sizeof(line)); - line2[0] = 0; - - while (!ff_text_eof(&tr)) { - len = ff_subtitles_read_line(&tr, line2, sizeof(line2)); - if (len <= 13) - continue; - - if (av_sscanf(line2, "%d:%d:%d%*[:;]%d", &hh, &mm, &ss, &fs) == 4) - break; - } - } + if (av_sscanf(line, "%d:%d:%d%*[:;]%d", &hh, &mm, &ss, &fs) != 4) + continue; - next_ts = (hh * 3600LL + mm * 60LL + ss) * 1000LL + fs * 33LL; + ts = (hh * 3600LL + mm * 60LL + ss) * 1000LL + fs * 33LL; + if (sub) + sub->duration = ts - sub->pts; pos = ff_text_pos(&tr); lline = (char *)&line; @@ -168,8 +146,6 @@ sub->pos = pos; sub->pts = ts; - sub->duration = next_ts - ts; - ts = next_ts; } ff_subtitles_queue_finalize(s, &scc->q); diff -Nru ffmpeg-4.4/libavformat/subtitles.c ffmpeg-4.4.2/libavformat/subtitles.c --- ffmpeg-4.4/libavformat/subtitles.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/subtitles.c 2022-04-14 21:13:38.000000000 +0100 @@ -206,7 +206,7 @@ q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos : cmp_pkt_sub_pos_ts); for (i = 0; i < q->nb_subs; i++) - if (q->subs[i]->duration < 0 && i < q->nb_subs - 1) + if (q->subs[i]->duration < 0 && i < q->nb_subs - 1 && q->subs[i + 1]->pts - (uint64_t)q->subs[i]->pts <= INT64_MAX) q->subs[i]->duration = q->subs[i + 1]->pts - q->subs[i]->pts; if (!q->keep_duplicates) @@ -418,6 +418,7 @@ size_t cur = 0; if (!size) return 0; + buf[0] = '\0'; while (cur + 1 < size) { unsigned char c = ff_text_r8(tr); if (!c) diff -Nru ffmpeg-4.4/libavformat/tee.c ffmpeg-4.4.2/libavformat/tee.c --- ffmpeg-4.4/libavformat/tee.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/tee.c 2022-04-14 21:13:38.000000000 +0100 @@ -124,6 +124,7 @@ unsigned i; int ret = 0; + av_dict_free(&tee_slave->fifo_options); avf = tee_slave->avf; if (!avf) return 0; @@ -229,6 +230,7 @@ av_dict_free(&options); options = tee_slave->fifo_options; + tee_slave->fifo_options = NULL; } ret = avformat_alloc_output_context2(&avf2, NULL, tee_slave->use_fifo ? "fifo" :format, filename); @@ -403,6 +405,8 @@ av_free(format); av_free(select); av_free(on_fail); + av_free(use_fifo); + av_free(fifo_options_str); av_dict_free(&options); av_dict_free(&bsf_options); av_freep(&tmp_select); diff -Nru ffmpeg-4.4/libavformat/tta.c ffmpeg-4.4.2/libavformat/tta.c --- ffmpeg-4.4/libavformat/tta.c 2021-02-20 20:27:47.000000000 +0000 +++ ffmpeg-4.4.2/libavformat/tta.c 2022-04-14 21:13:38.000000000 +0100 @@ -119,6 +119,8 @@ for (i = 0; i < c->totalframes; i++) { uint32_t size = avio_rl32(s->pb); int r; + if (avio_feof(s->pb)) + return AVERROR_INVALIDDATA; if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, size, 0, AVINDEX_KEYFRAME)) < 0) return r; diff -Nru ffmpeg-4.4/libavformat/udp.c ffmpeg-4.4.2/libavformat/udp.c --- ffmpeg-4.4/libavformat/udp.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/udp.c 2022-04-14 21:13:38.000000000 +0100 @@ -740,8 +740,10 @@ /* XXX: fix av_url_split */ if (hostname[0] == '\0' || hostname[0] == '?') { /* only accepts null hostname if input */ - if (!(flags & AVIO_FLAG_READ)) + if (!(flags & AVIO_FLAG_READ)) { + ret = AVERROR(EINVAL); goto fail; + } } else { if ((ret = ff_udp_set_remote_url(h, uri)) < 0) goto fail; @@ -754,8 +756,10 @@ udp_fd = udp_socket_create(h, &my_addr, &len, localaddr); else udp_fd = udp_socket_create(h, &my_addr, &len, s->localaddr); - if (udp_fd < 0) + if (udp_fd < 0) { + ret = AVERROR(EIO); goto fail; + } s->local_addr_storage=my_addr; //store for future multicast join diff -Nru ffmpeg-4.4/libavformat/utils.c ffmpeg-4.4.2/libavformat/utils.c --- ffmpeg-4.4/libavformat/utils.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/utils.c 2022-04-14 21:13:48.000000000 +0100 @@ -1208,7 +1208,9 @@ (pktl->pkt.dts == AV_NOPTS_VALUE || pktl->pkt.dts == st->first_dts || pktl->pkt.dts == RELATIVE_TS_BASE) && - !pktl->pkt.duration) { + !pktl->pkt.duration && + av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration + ) { pktl->pkt.dts = cur_dts; if (!st->internal->avctx->has_b_frames) pktl->pkt.pts = cur_dts; @@ -3912,8 +3914,10 @@ av_packet_unref(pkt1); break; } - if (pkt->duration) { - if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE && pkt->pts != AV_NOPTS_VALUE && st->start_time != AV_NOPTS_VALUE && pkt->pts >= st->start_time) { + if (pkt->duration > 0) { + if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE && pkt->pts != AV_NOPTS_VALUE && st->start_time != AV_NOPTS_VALUE && pkt->pts >= st->start_time + && (uint64_t)pkt->pts - st->start_time < INT64_MAX + ) { st->internal->info->codec_info_duration = FFMIN(pkt->pts - st->start_time, st->internal->info->codec_info_duration + pkt->duration); } else st->internal->info->codec_info_duration += pkt->duration; @@ -4059,7 +4063,7 @@ if (!st->r_frame_rate.num) { if ( avctx->time_base.den * (int64_t) st->time_base.num - <= avctx->time_base.num * avctx->ticks_per_frame * (uint64_t) st->time_base.den) { + <= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame * st->time_base.den) { av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den, avctx->time_base.den, (int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX); } else { @@ -4993,7 +4997,7 @@ key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; diff -Nru ffmpeg-4.4/libavformat/vivo.c ffmpeg-4.4.2/libavformat/vivo.c --- ffmpeg-4.4/libavformat/vivo.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/vivo.c 2022-04-14 21:13:48.000000000 +0100 @@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -120,7 +121,7 @@ static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; - AVRational fps = { 1, 25}; + AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; @@ -206,17 +207,21 @@ return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { - AVRational tmp; + double d; + if (av_sscanf(value, "%f", &d) != 1) + return AVERROR_INVALIDDATA; value_used = 1; - if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s)) - fps = av_inv_q(tmp); + if (!fps.num && !fps.den) + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) av_dict_set(&s->metadata, key, value, 0); } } + if (!fps.num || !fps.den) + fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); diff -Nru ffmpeg-4.4/libavformat/wavdec.c ffmpeg-4.4.2/libavformat/wavdec.c --- ffmpeg-4.4/libavformat/wavdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/wavdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -498,6 +498,8 @@ wav->smv_data_ofs = avio_tell(pb) + (size - 5) * 3; avio_rl24(pb); wav->smv_block_size = avio_rl24(pb); + if (!wav->smv_block_size) + return AVERROR_INVALIDDATA; avpriv_set_pts_info(vst, 32, 1, avio_rl24(pb)); vst->duration = avio_rl24(pb); avio_rl24(pb); @@ -718,7 +720,7 @@ if (wav->smv_last_stream) { uint64_t old_pos = avio_tell(s->pb); uint64_t new_pos = wav->smv_data_ofs + - wav->smv_block * wav->smv_block_size; + wav->smv_block * (int64_t)wav->smv_block_size; if (avio_seek(s->pb, new_pos, SEEK_SET) < 0) { ret = AVERROR_EOF; goto smv_out; diff -Nru ffmpeg-4.4/libavformat/webmdashenc.c ffmpeg-4.4.2/libavformat/webmdashenc.c --- ffmpeg-4.4/libavformat/webmdashenc.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/webmdashenc.c 2022-04-14 21:13:48.000000000 +0100 @@ -93,7 +93,7 @@ } avio_printf(pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); diff -Nru ffmpeg-4.4/libavformat/wtvdec.c ffmpeg-4.4.2/libavformat/wtvdec.c --- ffmpeg-4.4/libavformat/wtvdec.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavformat/wtvdec.c 2022-04-14 21:13:38.000000000 +0100 @@ -660,6 +660,8 @@ avio_skip(pb, size - 32); ff_get_guid(pb, &actual_subtype); ff_get_guid(pb, &actual_formattype); + if (avio_feof(pb)) + return NULL; avio_seek(pb, -size, SEEK_CUR); st = parse_media_type(s, st, sid, mediatype, actual_subtype, actual_formattype, size - 32); @@ -817,7 +819,7 @@ avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 92) + if (size < 0 || size > INT_MAX - 92 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, 0, sid, mediatype, subtype, formattype, size); consumed += 92 + size; @@ -833,7 +835,7 @@ avio_skip(pb, 12); ff_get_guid(pb, &formattype); size = avio_rl32(pb); - if (size < 0 || size > INT_MAX - 76) + if (size < 0 || size > INT_MAX - 76 - consumed) return AVERROR_INVALIDDATA; parse_media_type(s, s->streams[stream_index], sid, mediatype, subtype, formattype, size); consumed += 76 + size; diff -Nru ffmpeg-4.4/libavutil/cpu.c ffmpeg-4.4.2/libavutil/cpu.c --- ffmpeg-4.4/libavutil/cpu.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libavutil/cpu.c 2022-04-14 21:13:38.000000000 +0100 @@ -291,6 +291,12 @@ DWORD_PTR proc_aff, sys_aff; if (GetProcessAffinityMask(GetCurrentProcess(), &proc_aff, &sys_aff)) nb_cpus = av_popcount64(proc_aff); +#elif HAVE_SYSCTL && defined(HW_NCPUONLINE) + int mib[2] = { CTL_HW, HW_NCPUONLINE }; + size_t len = sizeof(nb_cpus); + + if (sysctl(mib, 2, &nb_cpus, &len, NULL, 0) == -1) + nb_cpus = 0; #elif HAVE_SYSCTL && defined(HW_NCPU) int mib[2] = { CTL_HW, HW_NCPU }; size_t len = sizeof(nb_cpus); diff -Nru ffmpeg-4.4/libavutil/mathematics.h ffmpeg-4.4.2/libavutil/mathematics.h --- ffmpeg-4.4/libavutil/mathematics.h 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libavutil/mathematics.h 2021-10-24 21:47:11.000000000 +0100 @@ -134,6 +134,7 @@ * * The operation is mathematically equivalent to `a * b / c`, but writing that * directly can overflow, and does not support different rounding methods. + * If the result is not representable then INT64_MIN is returned. * * @see av_rescale(), av_rescale_q(), av_rescale_q_rnd() */ diff -Nru ffmpeg-4.4/libavutil/utils.c ffmpeg-4.4.2/libavutil/utils.c --- ffmpeg-4.4/libavutil/utils.c 2020-07-11 11:39:30.000000000 +0100 +++ ffmpeg-4.4.2/libavutil/utils.c 2022-01-14 18:45:25.000000000 +0000 @@ -37,10 +37,6 @@ unsigned avutil_version(void) { - static int checks_done; - if (checks_done) - return LIBAVUTIL_VERSION_INT; - av_assert0(AV_SAMPLE_FMT_DBLP == 9); av_assert0(AVMEDIA_TYPE_ATTACHMENT == 4); av_assert0(AV_PICTURE_TYPE_BI == 7); @@ -58,7 +54,6 @@ av_log(NULL, AV_LOG_ERROR, "Libavutil has been linked to a broken llrint()\n"); } - checks_done = 1; return LIBAVUTIL_VERSION_INT; } diff -Nru ffmpeg-4.4/libswscale/alphablend.c ffmpeg-4.4.2/libswscale/alphablend.c --- ffmpeg-4.4/libswscale/alphablend.c 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/libswscale/alphablend.c 2021-10-24 21:47:11.000000000 +0100 @@ -26,7 +26,7 @@ { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->srcFormat); int nb_components = desc->nb_components; - int plane, x, y; + int plane, x, ysrc; int plane_count = isGray(c->srcFormat) ? 1 : 3; int sixteen_bits = desc->comp[0].depth >= 9; unsigned off = 1<<(desc->comp[0].depth - 1); @@ -50,14 +50,15 @@ int w = plane ? c->chrSrcW : c->srcW; int x_subsample = plane ? desc->log2_chroma_w: 0; int y_subsample = plane ? desc->log2_chroma_h: 0; - for (y = srcSliceY >> y_subsample; y < AV_CEIL_RSHIFT(srcSliceH, y_subsample); y++) { + for (ysrc = 0; ysrc < AV_CEIL_RSHIFT(srcSliceH, y_subsample); ysrc++) { + int y = ysrc + (srcSliceY >> y_subsample); if (x_subsample || y_subsample) { int alpha; unsigned u; if (sixteen_bits) { ptrdiff_t alpha_step = srcStride[plane_count] >> 1; - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * y << y_subsample)); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample)); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -82,8 +83,8 @@ } } else { ptrdiff_t alpha_step = srcStride[plane_count]; - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + (srcStride[plane_count] * y << y_subsample); + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + (srcStride[plane_count] * ysrc << y_subsample); uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { if (y_subsample) { @@ -97,8 +98,8 @@ } } else { if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * y); - const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * y); + const uint16_t *s = (const uint16_t *)(src[plane ] + srcStride[plane ] * ysrc); + const uint16_t *a = (const uint16_t *)(src[plane_count] + srcStride[plane_count] * ysrc); uint16_t *d = ( uint16_t *)(dst[plane ] + dstStride[plane ] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -113,8 +114,8 @@ } } } else { - const uint8_t *s = src[plane ] + srcStride[plane] * y; - const uint8_t *a = src[plane_count] + srcStride[plane_count] * y; + const uint8_t *s = src[plane ] + srcStride[plane] * ysrc; + const uint8_t *a = src[plane_count] + srcStride[plane_count] * ysrc; uint8_t *d = dst[plane ] + dstStride[plane] * y; for (x = 0; x < w; x++) { unsigned u = s[x]*a[x] + target_table[((x^y)>>5)&1][plane]*(255-a[x]) + 128; @@ -127,10 +128,11 @@ } else { int alpha_pos = desc->comp[plane_count].offset; int w = c->srcW; - for (y = srcSliceY; y < srcSliceH; y++) { + for (ysrc = 0; ysrc < srcSliceH; ysrc++) { + int y = ysrc + srcSliceY; if (sixteen_bits) { - const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * y + 2*!alpha_pos); - const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * y + alpha_pos); + const uint16_t *s = (const uint16_t *)(src[0] + srcStride[0] * ysrc + 2*!alpha_pos); + const uint16_t *a = (const uint16_t *)(src[0] + srcStride[0] * ysrc + alpha_pos); uint16_t *d = ( uint16_t *)(dst[0] + dstStride[0] * y); if ((!isBE(c->srcFormat)) == !HAVE_BIGENDIAN) { for (x = 0; x < w; x++) { @@ -151,8 +153,8 @@ } } } else { - const uint8_t *s = src[0] + srcStride[0] * y + !alpha_pos; - const uint8_t *a = src[0] + srcStride[0] * y + alpha_pos; + const uint8_t *s = src[0] + srcStride[0] * ysrc + !alpha_pos; + const uint8_t *a = src[0] + srcStride[0] * ysrc + alpha_pos; uint8_t *d = dst[0] + dstStride[0] * y; for (x = 0; x < w; x++) { for (plane = 0; plane < plane_count; plane++) { diff -Nru ffmpeg-4.4/libswscale/slice.c ffmpeg-4.4.2/libswscale/slice.c --- ffmpeg-4.4/libswscale/slice.c 2021-04-08 22:28:40.000000000 +0100 +++ ffmpeg-4.4.2/libswscale/slice.c 2022-04-14 21:13:38.000000000 +0100 @@ -288,7 +288,10 @@ if (!c->desc) return AVERROR(ENOMEM); c->slice = av_mallocz_array(sizeof(SwsSlice), c->numSlice); - + if (!c->slice) { + res = AVERROR(ENOMEM); + goto cleanup; + } res = alloc_slice(&c->slice[0], c->srcFormat, c->srcH, c->chrSrcH, c->chrSrcHSubSample, c->chrSrcVSubSample, 0); if (res < 0) goto cleanup; diff -Nru ffmpeg-4.4/RELEASE ffmpeg-4.4.2/RELEASE --- ffmpeg-4.4/RELEASE 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/RELEASE 2022-04-14 21:13:48.000000000 +0100 @@ -1 +1 @@ -4.4 +4.4.2 diff -Nru ffmpeg-4.4/RELEASE_NOTES ffmpeg-4.4.2/RELEASE_NOTES --- ffmpeg-4.4/RELEASE_NOTES 2021-04-08 22:28:39.000000000 +0100 +++ ffmpeg-4.4.2/RELEASE_NOTES 2022-04-14 21:13:38.000000000 +0100 @@ -11,5 +11,5 @@ We hope you will like this release as much as we enjoyed working on it, and as usual, if you have any questions about it, or any FFmpeg related topic, - feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask + feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask on the mailing-lists. diff -Nru ffmpeg-4.4/tests/ref/fate/ts-opus-demux ffmpeg-4.4.2/tests/ref/fate/ts-opus-demux --- ffmpeg-4.4/tests/ref/fate/ts-opus-demux 2020-07-09 10:17:46.000000000 +0100 +++ ffmpeg-4.4.2/tests/ref/fate/ts-opus-demux 2022-04-14 21:13:38.000000000 +0100 @@ -1,4 +1,4 @@ -#extradata 0: 30, 0x53be0347 +#extradata 0: 30, 0x69290482 #tb 0: 1/90000 #media_type 0: audio #codec_id 0: opus diff -Nru ffmpeg-4.4/tests/ref/fate/webm-dash-manifest ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest --- ffmpeg-4.4/tests/ref/fate/webm-dash-manifest 2020-04-27 22:48:16.000000000 +0100 +++ ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest 2022-04-14 21:13:48.000000000 +0100 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-representations ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-representations --- ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-representations 2020-04-27 22:48:16.000000000 +0100 +++ ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-representations 2022-04-14 21:13:48.000000000 +0100 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams --- ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams 2020-04-27 22:48:16.000000000 +0100 +++ ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams 2022-04-14 21:13:48.000000000 +0100 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-unaligned-video-streams ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-unaligned-video-streams --- ffmpeg-4.4/tests/ref/fate/webm-dash-manifest-unaligned-video-streams 2020-04-27 22:48:16.000000000 +0100 +++ ffmpeg-4.4.2/tests/ref/fate/webm-dash-manifest-unaligned-video-streams 2022-04-14 21:13:48.000000000 +0100 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.4/tools/cws2fws.c ffmpeg-4.4.2/tools/cws2fws.c --- ffmpeg-4.4/tools/cws2fws.c 2020-04-27 22:48:16.000000000 +0100 +++ ffmpeg-4.4.2/tools/cws2fws.c 2021-10-24 21:47:11.000000000 +0100 @@ -89,6 +89,12 @@ for (i = 0; i < comp_len - 8;) { int ret, len = read(fd_in, &buf_in, 1024); + if (len == -1) { + printf("read failure\n"); + inflateEnd(&zstream); + goto out; + } + dbgprintf("read %d bytes\n", len); last_out = zstream.total_out; diff -Nru ffmpeg-4.4/VERSION ffmpeg-4.4.2/VERSION --- ffmpeg-4.4/VERSION 2021-04-08 22:28:42.000000000 +0100 +++ ffmpeg-4.4.2/VERSION 2022-04-14 21:13:48.000000000 +0100 @@ -1 +1 @@ -4.4 +4.4.2