diff -Nru ffmpeg-2.8.11/Changelog ffmpeg-2.8.14/Changelog --- ffmpeg-2.8.11/Changelog 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/Changelog 2018-02-19 00:50:31.000000000 +0000 @@ -1,6 +1,456 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 2.8.14: +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/huffyuvdec: Check input buffer size +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- changelog: update with previous commit +- x264: Support version 153 +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return code of get_vlc2() +- avcodec/mpeg4videodec: Check mb_num also against 0 +- avfilter/vf_transpose: Fix used plane count. +- avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() +- avcodec/mjpegdec: Fix integer overflow in DC dequantization +- avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down +- avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() +- avcodec/snowdec: Fix integer overflow before htaps check +- avcodec/ulti: Check number of blocks at init +- avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() +- avformat/lrcdec: Fix memory leak in lrc_read_header() +- avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() +- configure: bump year +- avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one +- avcodec/h264addpx_template: Fixes integer overflows +- avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 +- avcodec/diracdec: Fix integer overflow with quant +- avcodec/opus_parser: Check payload_len in parse_opus_ts_header() +- avcodec/jpeg2000dsp: Fix integer overflows in ict_int() +- avcodec/h264_slice: Do not attempt to render into frames already output +- avcodec/exr: Check buf_size more completely +- avcodec/flacdec: Fix overflow in multiplication in decode_subframe_fixed() +- avcodec/hevcdsp_template: Fix Invalid shifts in put_hevc_qpel_bi_w_h() and put_hevc_qpel_bi_w_w() +- avcodec/flacdec: avoid undefined shift +- avcodec/hevcdsp_template.c: Fix undefined shift in FUNC(dequant) +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0() and COMPOSE_DD137iL0() +- avcodec/hevc_cabac: Fix integer overflow in ff_hevc_cu_qp_delta_abs() +- avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_qpel_bi_w_hv() +- libavfilter/af_dcshift.c: Fixed repeated spelling error +- avfilter/formats: fix wrong function name in error message +- avcodec/amrwbdec: Fix division by 0 in voice_factor() +- avcodec/dirac_dwt: Fix integer overflows in COMPOSE_DAUB97* +- avcodec/vorbis: Fix another 1 << 31 > int32_t::max() with 1u. +- Don't manipulate duration when it's AV_NOPTS_VALUE. +- avcodec/vorbis: 1 << 31 > int32_t::max(), so use 1u << 31 instead. +- avformat/utils: Prevent undefined shift with wrap_bits > 64. +- avcodec/j2kenc: Fix out of array access in encode_cblk() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_epel_bi_w_h() +- avcodec/mlpdsp: Fix signed integer overflow, 2nd try +- avcodec/kgv1dec: Check that there is enough input for maximum RLE compression +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi* +- avcodec/mpeg4videodec: Check also for negative versions in the validity check +- Close ogg stream upon error when using AV_EF_EXPLODE. +- Fix undefined shift on assumed 8-bit input. +- avformat/mov: Propagate errors in mov_switch_root. +- avcodec/hevcdsp_template: Fix invalid shift in put_hevc_epel_bi_w_v() +- avcodec/mlpdsp: Fix undefined shift ff_mlp_pack_output() +- avcodec/zmbv: Check that the buffer is large enough for mvec +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD137iL0() +- avcodec/wmv2dec: Check end of bitstream in parse_mb_skip() and ff_wmv2_decode_mb() +- avcodec/snowdec: Check for remaining bitstream in decode_blocks() +- avcodec/snowdec: Check intra block dc differences. +- avformat/mov: Check size of STSC allocation +- avcodec/h264dec: Fix potential array overread +- avcodec/x86/mpegvideodsp: Fix signedness bug in need_emu +- avcodec/aacdec_fixed: Fix undefined shift +- avcodec/mdct_*: Fix integer overflow in addition in RESCALE() +- avcodec/snowdec: Fix integer overflow in header parsing +- avcodec/cngdec: Fix integer clipping +- avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c() +- avutil/softfloat: Add FLOAT_MIN +- avcodec/aacsbr_fixed: Fix division by zero in sbr_gain_calc() +- avcodec/h264idct_template: Fix integer overflows in ff_h264_idct8_add() +- avcodec/xan: Check for bitstream end in xan_huffman_decode() +- avformat: Free the internal codec context at the end +- avcodec/xan: Improve overlapping check +- avcodec/aacdec_fixed: Fix integer overflow in apply_dependent_coupling_fixed() +- avcodec/aacdec_fixed: Fix integer overflow in predict() +- avcodec/jpeglsdec: Check for end of bitstream in ls_decode_line() +- avcodec/jpeglsdec: Check ilv for being a supported value +- avcodec/snowdec: Check mv_scale +- avcodec/pafvideo: Check for bitstream end in decode_0() +- avcodec/ffv1dec: Fix out of array read in slice counting +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0() +- avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb() +- avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta +- avcodec/truemotion2: Fix integer overflows in tm2_high_chroma() +- avcodec/aacdec_template: Clear tns present flag on error +- avcodec/proresdec2: SKIP_BITS() does not work with len=32 +- avcodec/hevcdsp_template: Fix undefined shift +- avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized +- avcodec/takdec: Fix integer overflow in decode_lpc() +- avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift +- avcodec/takdec: Fix integer overflows in decode_subframe() +- avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*() +- avcodec/ffv1dec: Fix integer overflow in read_quant_table() +- avcodec/svq3: Fix overflow in svq3_add_idct_c() +- avcodec/pngdec: Clean up on av_frame_ref() failure +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avformat/libssh: check the user provided a password before trying to use it + +version 2.8.13: +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. +- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/diracdec: Check perspective_exp and zrs_exp. +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() +- avcodec/diracdec: Fix integer overflow in divide3() +- avcodec/takdec: Fix integer overflow in decode_subframe() +- avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2 +- avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2 +- avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2 +- avformat/oggparsecelt: Do not re-allocate os->private +- avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20() +- avcodec/aacdec_fixed: fix: left shift of negative value -1 +- doc/filters: typo in frei0r +- avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later +- avcodec/mjpegdec: Clip DC also on the negative side. +- avcodec/aacps (fixed point): Fix multiple signed integer overflows +- avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise() +- avcodec/wavpack: Fix invalid shift +- avcodec/hevc_ps: Fix integer overflow with beta/tc offsets +- avcodec/vb: Check vertical GMC component before multiply +- avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int() +- avcodec/apedec: Fix integer overflow +- avcodec/wavpack: Fix integer overflow in wv_unpack_stereo() +- avcodec/mpeg4videodec: Fix GMC with videos of dimension 1 +- avcodec/wavpack: Fix integer overflow +- avcodec/takdec: Fix integer overflow +- avcodec/tiff: Update pointer only when the result is used +- avcodec/hevc_filter: Fix invalid shift +- avcodec/mpeg4videodec: Fix overflow in virtual_ref computation +- avcodec/wavpack: Fix undefined integer negation +- avcodec/aacdec_fixed: Check s for being too small +- avcodec/h264: Fix mix of lossless and lossy MBs decoding +- avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264 +- avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4 +- avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output +- avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows +- avcodec/hevcpred_template: Fix left shift of negative value +- avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps() +- avcodec/jpeg2000dec: Check nonzerobits more completely +- avcodec/shorten: Sanity check maxnlpc +- avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2() +- avcodec/hevcdec: Check nb_sps +- avcodec/hevc_refs: Check nb_refs in add_candidate_ref() +- avcodec/mpeg4videodec: Check sprite delta upshift against overflowing. +- avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case +- avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble() +- avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible +- avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123 +- avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int' +- avcodec/snowdec: Fix runtime error: left shift of negative value -1 +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616 +- avcodec/tiff: Fix leak of geotags[].val +- avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int' +- avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int' +- avcodec/indeo4: Check remaining data in Pic hdr extension parsing code +- avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int' +- avcodec/pafvideo: Fix assertion failure +- avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int' + +version 2.8.12: +- avcodec/mjpegdec: Check that reference frame matches the current frame +- avcodec/tiff: Avoid loosing allocated geotag values +- avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int' +- avformat/hls: Check local file extensions +- avcodec/qdrw: Fix null pointer dereference +- avutil/softfloat: Fix sign error in and improve documentation of av_int2sf() +- avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]' +- avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer() +- avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int' +- avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int') +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int' +- avcodec/cinepak: Check input packet size before frame reallocation +- avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int' +- avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int' +- avcodec/pnm: Use ff_set_dimensions() +- avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int' +- avformat/avidec: Limit formats in gab2 to srt and ass/ssa +- avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float' +- avcodec/wavpack: Check float_shift +- avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int' +- avcodec/ansi: Fix frame memleak +- avcodec/jpeg2000dec: Use ff_set_dimensions() +- avcodec/truemotion2: Fix passing null pointer to memset() +- avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int' +- avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int' +- avcodec/aac_defines: Add missing () to AAC_HALF_SUM() macro +- avcodec/webp: Fixes null pointer dereference +- avcodec/aacdec_fixed: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int' +- avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int' +- avcodec/jpeg2000dec: Check tile offsets more completely +- avcodec/aacdec_fixed: Fix multiple runtime error: shift exponent 127 is too large for 32-bit type 'int' +- avcodec/wnv1: More strict buffer size check +- avcodec/libfdk-aacdec: Correct buffer_size parameter +- avcodec/sbrdsp_template: Fix: runtime error: signed integer overflow: 849815297 + 1315389781 cannot be represented in type 'int' +- avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2 +- doc/filters: Clarify scale2ref example +- avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error +- avcodec/ra144dec: Fix runtime error: left shift of negative value -17 +- avformat/mux: Fix copy an paste typo +- avutil/internal: Do not enable CHECKED with DEBUG +- avcodec/aacdec_fixed: Fix runtime error: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' +- avcodec/smc: Check remaining input +- avcodec/jpeg2000dec: Fix copy and paste error +- avcodec/jpeg2000dec: Check tile offsets +- avcodec/sanm: Fix uninitialized reference frames +- avcodec/jpeglsdec: Check get_bits_left() before decoding a picture +- avcodec/ivi_dsp: Fix multiple runtime error: left shift of negative value -71 +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -32767 * 130560 cannot be represented in type 'int' +- avcodec/aacdec_fixed: Fix runtime error: shift exponent 34 is too large for 32-bit type 'int' +- avcodec/mpeg4videodec: Check for multiple VOL headers +- avcodec/vmnc: Check location before use +- avcodec/takdec: Fix runtime error: signed integer overflow: 8192 * 524308 cannot be represented in type 'int' +- avcodec/aac_defines: Fix: runtime error: left shift of negative value -2 +- avcodec/takdec: Fix runtime error: left shift of negative value -63 +- avcodec/mlpdsp: Fix runtime error: signed integer overflow: -24419392 * 128 cannot be represented in type 'int' +- avcodec/sbrdsp_fixed: fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 170 is too large for 32-bit type 'int' +- avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message +- avformat/concatdec: fix the h264 annexb extradata check +- avformat/utils: free AVStream.codec properly in free_stream() +- avcodec/options: do a more thorough clean up in avcodec_copy_context() +- avcodec/options: factorize avcodec_copy_context() cleanup code +- avcodec/mlpdec: Do not leave a invalid num_primitive_matrices in the context +- avcodec/aacsbr_fixed: Fix multiple runtime error: shift exponent 150 is too large for 32-bit type 'int' +- avcodec/mimic: Use ff_set_dimensions() to set the dimensions +- avcodec/fic: Fix multiple runtime error: signed integer overflow: 5793 * 419752 cannot be represented in type 'int' +- avcodec/mlpdec: Fix: runtime error: left shift of negative value -8 +- avcodec/dfa: Fix: runtime error: signed integer overflow: -14202 * 196877 cannot be represented in type 'int' +- avcodec/aacdec: Fix runtime error: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' +- avcodec/aacdec_template: Fix fixed point scale in decode_cce() +- avcodec/flicvideo: Check frame_size before decrementing +- avcodec/mlpdec: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix runtime error: left shift of negative value -42 +- avcodec/hq_hqa: Fix: runtime error: signed integer overflow: -255 * 10180917 cannot be represented in type 'int' +- avcodec/truemotion1: Fix multiple runtime error: signed integer overflow: 1246906962 * 2 cannot be represented in type 'int' +- avcodec/svq3: Fix runtime error: left shift of negative value -6 +- avcodec/tiff: reset sampling[] if its invalid +- avcodec/aacps: Fix undefined behavior +- avcodec/opus_silk: Fix integer overflow and out of array read +- avcodec/flacdec: Return error code instead of 0 for failures +- avcodec/snowdec: Check width +- avcodec/webp: Update canvas size in vp8_lossy_decode_frame() as in vp8_lossless_decode_frame() +- avcodec/webp: Factor update_canvas_size() out +- avcodec/cllc: Check prefix +- avcodec/dds: Fix runtime error: left shift of 210 by 24 places cannot be represented in type 'int' +- avcodec/mpeg4videodec: Clear sprite wraping on unsupported cases in VOP decode +- avcodec/ac3dec: Fix: runtime error: index -1 out of bounds for type 'INTFLOAT [2]' +- avcodec/hqxdsp: Fix runtime error: signed integer overflow: -196264 * 11585 cannot be represented in type 'int' +- libswscale/tests/swscale: Fix uninitialized variables +- avcodec/ffv1dec: Fix runtime error: signed integer overflow: 1550964438 + 1550964438 cannot be represented in type 'int' +- avcodec/webp: Fix signedness in prefix_code check +- avcodec/svq3: Fix runtime error: signed integer overflow: 169 * 12717677 cannot be represented in type 'int' +- avcodec/mlpdec: Check that there is enough data for headers +- avcodec/ac3dec: Keep track of band structure +- avcodec/webp: Add missing input padding +- avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1 +- avcodec/aacsbr_template: Do not change bs_num_env before its checked +- avcodec/mlp: Fix multiple runtime error: left shift of negative value -1 +- avcodec/vp8dsp: vp7_luma_dc_wht_c: Fix multiple runtime error: signed integer overflow: -1366381240 + -1262413604 cannot be represented in type 'int' +- avcodec/avcodec: Limit the number of side data elements per packet +- avcodec/texturedsp: Fix runtime error: left shift of 255 by 24 places cannot be represented in type 'int' +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -17047030 cannot be represented in type 'int' +- avcodec/diracdec: Fix Assertion frame->buf[0] failed at libavcodec/decode.c:610 +- avcodec/msmpeg4dec: Check for cbpy VLC errors +- avcodec/cllc: Check num_bits +- avcodec/cllc: Factor VLC_BITS/DEPTH out, do not use repeated literal numbers +- avcodec/dvbsubdec: Check entry_id +- avcodec/aacdec_fixed: Fix multiple shift exponent 33 is too large for 32-bit type 'int' +- avcodec/mpeg12dec: Fixes runtime error: division by zero +- avcodec/webp: Always set pix_fmt +- avfilter/vf_uspp: Fix currently unused input frame dimensions +- avcodec/truemotion1: Fix multiple runtime error: left shift of negative value -1 +- avcodec/eatqi: Fix runtime error: signed integer overflow: 4466147 * 1075 cannot be represented in type 'int' +- avcodec/dss_sp: Fix runtime error: signed integer overflow: 2147481189 + 4096 cannot be represented in type 'int' +- avformat/wavdec: Check chunk_size +- avcodec/cavs: Check updated MV +- avcodec/y41pdec: Fix width in input buffer size check +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: -237341 * 24552 cannot be represented in type 'int' +- avcodec/texturedsp: Fix runtime error: left shift of 218 by 24 places cannot be represented in type 'int' +- avcodec/lagarith: Check scale_factor +- avcodec/lagarith: Fix runtime error: left shift of negative value -1 +- avcodec/takdec: Fix multiple runtime error: left shift of negative value -1 +- avcodec/indeo2: Check for invalid VLCs +- avcodec/htmlsubtitles: Check for string truncation and return error +- avcodec/bmvvideo: Fix runtime error: left shift of 137 by 24 places cannot be represented in type 'int' +- avcodec/dss_sp: Fix multiple runtime error: signed integer overflow: -15699 * -164039 cannot be represented in type 'int' +- avcodec/dvbsubdec: check region dimensions +- avcodec/vp8dsp: Fixes: runtime error: signed integer overflow: 1330143360 - -1023040530 cannot be represented in type 'int' +- avcodec/hqxdsp: Fix multiple runtime error: signed integer overflow: 248220 * 21407 cannot be represented in type 'int' in idct_col() +- avcodec/cavsdec: Check sym_factor +- avcodec/cdxl: Check format for BGR24 +- avcodec/ffv1dec: Fix copying planes of paletted formats +- avcodec/wmv2dsp: Fix runtime error: signed integer overflow: 181 * -12156865 cannot be represented in type 'int' +- avcodec/xwddec: Check bpp more completely +- avcodec/s302m: Fix left shift of 8 by 28 places cannot be represented in type 'int' +- avcodec/eamad: Fix runtime error: signed integer overflow: 49674 * 49858 cannot be represented in type 'int' +- avcodec/g726: Fix runtime error: left shift of negative value -2 +- avcodec/ra144: Fix runtime error: left shift of negative value -798 +- avcodec/mss34dsp: Fix multiple signed integer overflow +- avcodec/targa_y216dec: Fix width type +- avcodec/ivi_dsp: Fix multiple left shift of negative value -2 +- avcodec/svq3: Fix multiple runtime error: signed integer overflow: 44161 * 61694 cannot be represented in type 'int' +- avcodec/msmpeg4dec: Correct table depth +- avcodec/dds: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int' +- avcodec/cdxl: Check format parameter +- avutil/softfloat: Fix overflow in av_div_sf() +- avcodec/hq_hqa: Fix runtime error: left shift of negative value -207 +- avcodec/mss3: Change types in rac_get_model_sym() to match the types they are initialized from +- avcodec/shorten: Check k in get_uint() +- avcodec/webp: Fix null pointer dereference +- avcodec/dfa: Fix signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' +- avcodec/mimic: Fix runtime error: left shift of negative value -1 +- avcodec/fic: Fix multiple left shift of negative value -15 +- avcodec/mlpdec: Fix runtime error: left shift of negative value -22 +- avcodec/snowdec: Check qbias +- avutil/softfloat: Fix multiple runtime error: left shift of negative value -8 +- avcodec/aacsbr_template: Do not leave bs_num_env invalid +- avcodec/mdec: Fix signed integer overflow: 28835400 * 83 cannot be represented in type 'int' +- avcodec/dfa: Fix off by 1 error +- avcodec/nellymoser: Fix multiple left shift of negative value -8591 +- avcodec/cdxl: Fix signed integer overflow: 14243456 * 164 cannot be represented in type 'int' +- avcodec/g722: Fix multiple runtime error: left shift of negative value -1 +- avcodec/dss_sp: Fix multiple left shift of negative value -466 +- avcodec/wnv1: Fix runtime error: left shift of negative value -1 +- avcodec/tiertexseqv: set the fixed dimenasions, do not depend on the demuxer doing so +- avcodec/mjpegdec: Fix runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int' +- avcodec/cavsdec: Fix undefined behavior from integer overflow +- avcodec/dvdsubdec: Fix runtime error: left shift of 242 by 24 places cannot be represented in type 'int' +- libavcodec/mpeg4videodec: Convert sprite_offset to 64bit +- avcodec/pngdec: Use ff_set_dimensions() +- avcodec/msvideo1: Check buffer size before re-getting the frame +- avcodec/h264_cavlc: Fix undefined behavior on qscale overflow +- avcodec/svq3: Increase offsets to prevent integer overflows +- avcodec/indeo2: Check remaining bits in ir2_decode_plane() +- avcodec/vp3: Check remaining bits in unpack_dct_coeffs() +- avcodec/mdec: Fix runtime error: left shift of negative value -127 +- libavcodec/exr : fix float to uint16 conversion for negative float value +- avformat/webmdashenc: Validate the 'streams' adaptation sets parameter +- avformat/webmdashenc: Require the 'adaptation_sets' option to be set +- avcodec/dvdsubdec: Fixes 2 runtime error: left shift of 170 by 24 places cannot be represented in type 'int' +- avfilter/avfiltergraph: Add assert to write down in machine readable form what is assumed about sample rates in swap_samplerates_on_filter() +- avcodec/tiff: Perform multiply in tiff_unpack_lzma() as 64bit +- avcodec/vdpau_hevc: Fix potential out-of-bounds write +- avcodec/tiff: Check geotag count for being non zero +- avcodec/vp56: Check avctx->error_concealment before enabling EC +- avcodec/tiff: Check stripsize strippos for overflow +- avcodec/mpegaudiodec_template: Make l3_unscale() work with e=0 +- avcodec/tiff: Check for multiple geo key directories +- avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int' +- avcodec/rv34: Fix runtime error: signed integer overflow: 36880 * 66288 cannot be represented in type 'int' +- avcodec/amrwbdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: -135088512 * 16 cannot be represented in type 'int' +- avcodec/h264_mvpred: Fix runtime error: left shift of negative value -1 +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -127 +- avcodec/wavpack: Fix runtime error: left shift of negative value -5 +- avcodec/wavpack: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 134527392 * 16 cannot be represented in type 'int' +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -13 +- avcodec/h264_mvpred: Fix multiple runtime error: left shift of negative value +- avcodec/adxdec: Fix runtime error: left shift of negative value -1 +- avcodec/mpeg4videodec: Improve the overflow checks in mpeg4_decode_sprite_trajectory() +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -511 +- avcodec/h264_direct: Fix runtime error: left shift of negative value -14 +- avcodec/pictordec: Check plane value before doing value/mask computations +- avcodec/mpeg4videodec: Fix runtime error: left shift of negative value -2650 +- avcodec/eac3dec: Fix runtime error: left shift of negative value -3 +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -2 +- avcodec/mpeg4videodec: Check the other 3 sprite points for intermediate overflows +- avcodec/mpeg4videodec: Check sprite_offset in addition to shifts +- avcodec/mpeg4video: Fix runtime error: left shift of negative value +- avcodec/ituh263dec: Fix runtime error: left shift of negative value -22 +- avcodec/rv40: Fix runtime error: left shift of negative value +- avcodec/h264_cabac: runtime error: signed integer overflow: 2147483647 + 14 cannot be represented in type 'int' +- avcodec/mpeg4videodec: Fix runtime error: shift exponent -2 is negative +- avcodec/mjpegdec: Fix runtime error: left shift of negative value -507 +- avcodec/eac3dec: Fix runtime error: left shift of negative value +- avcodec/vp6: clear dimensions on failed resolution change in vp6_parse_header() +- avcodec/vp56: Reset have_undamaged_frame on resolution changes +- avcodec/vp8: Fix hang with slice threads +- avcodec/vp8: Check for the bitstream end per MB in decode_mb_row_no_filter() +- avcodec/vp568: Check that there is enough data for ff_vp56_init_range_decoder() +- avcodec/vp8: remove redundant check +- avcodec/vp56: Require a correctly decoded frame before using vp56_conceal_mb() +- avcodec/vp3: Do not return random positive values but the buf size +- avcodec/vp8: Check for bitsteam end in decode_mb_row_no_filter() +- avcodec/vp56: Factorize vp56_render_mb() out +- avcodec/vp3dsp: Fix multiple signed integer overflow: 46341 * 47523 cannot be represented in type 'int' +- Add CHECK/SUINT code +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value -1 +- avcodec/vp56: Clear dimensions in case of failure in the middle of a resolution change +- avcodec/vp56: Implement very basic error concealment +- avcodec/amrwbdec: Fix 2 runtime errors: left shift of negative value -1 +- avcodec/pngdec: Fix runtime error: left shift of 152 by 24 places cannot be represented in type 'int' +- avcodec/vp56: Fix sign typo +- avcodec/mpegaudiodec_template: Correct return code on id3 tag discarding +- avcodec/rv34: Simplify and factor get_slice_offset() code +- avcodec/pictordec: Do not read more than nb_planes +- avcodec/srtdec: Fix signed integer overflow: 1811992524 * 384 cannot be represented in type 'int' +- avcodec/pngdec: Check bit depth for validity +- avcodec/mpeg12dec: Fix runtime error: left shift of negative value +- avcodec/wavpacl: Fix runtime error: left shift of negative value -1 +- avformat/http: Check for truncated buffers in http_connect() +- (github/release/2.8) avformat/apng: fix setting frame delay when max_fps is set to no limit +- swresample/resample: free existing ResampleContext on reinit +- swresample/resample: move resample_free() higher in the file +- lavf/mpeg: Initialize a stack variable used by memcmp(). +- lavc/avpacket: Initialize a variable in error path. + version 2.8.11 - avcodec/h264_slice: Clear ref_counts on redundant slices - lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid diff -Nru ffmpeg-2.8.11/RELEASE ffmpeg-2.8.14/RELEASE --- ffmpeg-2.8.11/RELEASE 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/RELEASE 2018-02-19 00:50:31.000000000 +0000 @@ -1 +1 @@ -2.8.11 +2.8.14 diff -Nru ffmpeg-2.8.11/VERSION ffmpeg-2.8.14/VERSION --- ffmpeg-2.8.11/VERSION 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/VERSION 2018-02-19 00:50:32.000000000 +0000 @@ -1 +1 @@ -2.8.11 +2.8.14 diff -Nru ffmpeg-2.8.11/configure ffmpeg-2.8.14/configure --- ffmpeg-2.8.11/configure 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/configure 2018-02-19 00:50:31.000000000 +0000 @@ -6144,7 +6144,7 @@ #define FFMPEG_CONFIG_H #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)" #define FFMPEG_LICENSE "$(c_escape $license)" -#define CONFIG_THIS_YEAR 2017 +#define CONFIG_THIS_YEAR 2018 #define FFMPEG_DATADIR "$(eval c_escape $datadir)" #define AVCONV_DATADIR "$(eval c_escape $datadir)" #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})" diff -Nru ffmpeg-2.8.11/debian/changelog ffmpeg-2.8.14/debian/changelog --- ffmpeg-2.8.11/debian/changelog 2017-02-14 05:57:20.000000000 +0000 +++ ffmpeg-2.8.14/debian/changelog 2018-04-10 14:49:07.000000000 +0100 @@ -1,3 +1,14 @@ +ffmpeg (7:2.8.14-0ubuntu0.16.04.1) xenial-security; urgency=medium + + * New upstream bugfix release. (LP: #1697785) + - Fixes CVE-2017-9991, CVE-2017-9992, CVE-2017-9993, CVE-2017-9994, + CVE-2017-9996, CVE-2017-11399, CVE-2017-11665, CVE-2017-14055, + CVE-2017-14056, CVE-2017-14057, CVE-2017-14058, CVE-2017-14059, + CVE-2017-14169, CVE-2017-14170, CVE-2017-14171, CVE-2017-14222, + CVE-2017-14223, CVE-2017-14225, CVE-2017-15672, CVE-2017-17081. + + -- James Cowgill Tue, 10 Apr 2018 14:49:07 +0100 + ffmpeg (7:2.8.11-0ubuntu0.16.04.1) xenial-security; urgency=medium * Import new upstream bugfix release 2.8.11. (LP: #1664403) diff -Nru ffmpeg-2.8.11/debian/gbp.conf ffmpeg-2.8.14/debian/gbp.conf --- ffmpeg-2.8.11/debian/gbp.conf 2016-10-17 08:52:52.000000000 +0100 +++ ffmpeg-2.8.14/debian/gbp.conf 2018-04-10 14:49:07.000000000 +0100 @@ -1,5 +1,5 @@ [DEFAULT] pristine-tar = True -debian-branch = xenial -upstream-branch = upstream-xenial +debian-branch = ubuntu/xenial +upstream-branch = upstream/2.8.x debian-tag = ubuntu/%(version)s diff -Nru ffmpeg-2.8.11/doc/Doxyfile ffmpeg-2.8.14/doc/Doxyfile --- ffmpeg-2.8.11/doc/Doxyfile 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/doc/Doxyfile 2018-02-19 00:50:31.000000000 +0000 @@ -31,7 +31,7 @@ # This could be handy for archiving the generated documentation or # if some version control system is used. -PROJECT_NUMBER = 2.8.11 +PROJECT_NUMBER = 2.8.14 # With the PROJECT_LOGO tag one can specify a logo or icon that is included # in the documentation. The maximum height of the logo should not exceed 55 diff -Nru ffmpeg-2.8.11/doc/demuxers.texi ffmpeg-2.8.14/doc/demuxers.texi --- ffmpeg-2.8.11/doc/demuxers.texi 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/doc/demuxers.texi 2018-02-19 00:50:23.000000000 +0000 @@ -283,6 +283,24 @@ which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff -Nru ffmpeg-2.8.11/doc/filters.texi ffmpeg-2.8.14/doc/filters.texi --- ffmpeg-2.8.11/doc/filters.texi 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/doc/filters.texi 2018-02-19 00:50:24.000000000 +0000 @@ -6094,7 +6094,7 @@ @item filter_name The name of the frei0r effect to load. If the environment variable @env{FREI0R_PATH} is defined, the frei0r effect is searched for in each of the -directories specified by the colon-separated list in @env{FREIOR_PATH}. +directories specified by the colon-separated list in @env{FREI0R_PATH}. Otherwise, the standard frei0r paths are searched, in this order: @file{HOME/.frei0r-1/lib/}, @file{/usr/local/lib/frei0r-1/}, @file{/usr/lib/frei0r-1/}. @@ -9206,7 +9206,7 @@ @itemize @item -Scale a subtitle stream to match the main video in size before overlaying +Scale a subtitle stream (b) to match the main video (a) in size before overlaying @example 'scale2ref[b][a];[a][b]overlay' @end example diff -Nru ffmpeg-2.8.11/ffprobe.c ffmpeg-2.8.14/ffprobe.c --- ffmpeg-2.8.11/ffprobe.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/ffprobe.c 2018-02-19 00:50:24.000000000 +0000 @@ -1732,6 +1732,57 @@ return ret; } + +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + static void show_packet(WriterContext *w, AVFormatContext *fmt_ctx, AVPacket *pkt, int packet_idx) { char val_str[128]; @@ -2174,28 +2225,12 @@ if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", dec_ctx->level); - if (dec_ctx->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(dec_ctx->color_range)); - else - print_str_opt("color_range", "N/A"); - s = av_get_colorspace_name(dec_ctx->colorspace); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (dec_ctx->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(dec_ctx->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(dec_ctx->color_trc)); - - if (dec_ctx->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(dec_ctx->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(dec_ctx->color_primaries)); - if (dec_ctx->chroma_sample_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(dec_ctx->chroma_sample_location)); + print_color_range(w, dec_ctx->color_range, "N/A"); + print_color_space(w, dec_ctx->colorspace); + print_color_trc(w, dec_ctx->color_trc); + print_primaries(w, dec_ctx->color_primaries); + print_chroma_location(w, dec_ctx->chroma_sample_location); if (dec_ctx->timecode_frame_start >= 0) { char tcbuf[AV_TIMECODE_STR_SIZE]; diff -Nru ffmpeg-2.8.11/libavcodec/aac_defines.h ffmpeg-2.8.14/libavcodec/aac_defines.h --- ffmpeg-2.8.11/libavcodec/aac_defines.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aac_defines.h 2018-02-19 00:50:24.000000000 +0000 @@ -45,7 +45,7 @@ #define Q30(x) (int)((x)*1073741824.0 + 0.5) #define Q31(x) (int)((x)*2147483648.0 + 0.5) #define RANGE15(x) x -#define GET_GAIN(x, y) (-(y) << (x)) + 1024 +#define GET_GAIN(x, y) (-(y) * (1 << (x))) + 1024 #define AAC_MUL16(x, y) (int)(((int64_t)(x) * (y) + 0x8000) >> 16) #define AAC_MUL26(x, y) (int)(((int64_t)(x) * (y) + 0x2000000) >> 26) #define AAC_MUL30(x, y) (int)(((int64_t)(x) * (y) + 0x20000000) >> 30) @@ -72,7 +72,7 @@ #define AAC_MSUB31_V3(x, y, z) (int)((((int64_t)(x) * (z)) - \ ((int64_t)(y) * (z)) + \ 0x40000000) >> 31) -#define AAC_HALF_SUM(x, y) (x) >> 1 + (y) >> 1 +#define AAC_HALF_SUM(x, y) (((x) >> 1) + ((y) >> 1)) #define AAC_SRA_R(x, y) (int)(((x) + (1 << ((y) - 1))) >> (y)) #else diff -Nru ffmpeg-2.8.11/libavcodec/aacdec.c ffmpeg-2.8.14/libavcodec/aacdec.c --- ffmpeg-2.8.11/libavcodec/aacdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aacdec.c 2018-02-19 00:50:24.000000000 +0000 @@ -423,6 +423,8 @@ if (ctx->frame_length_type == 0) { int mux_slot_length = 0; do { + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; tmp = get_bits(gb, 8); mux_slot_length += tmp; } while (tmp == 255); @@ -452,7 +454,7 @@ } if (latmctx->audio_mux_version_A == 0) { int mux_slot_length_bytes = read_payload_length_info(latmctx, gb); - if (mux_slot_length_bytes * 8 > get_bits_left(gb)) { + if (mux_slot_length_bytes < 0 || mux_slot_length_bytes * 8LL > get_bits_left(gb)) { av_log(latmctx->aac_ctx.avctx, AV_LOG_ERROR, "incomplete frame\n"); return AVERROR_INVALIDDATA; } else if (mux_slot_length_bytes * 8 + 256 < get_bits_left(gb)) { diff -Nru ffmpeg-2.8.11/libavcodec/aacdec_fixed.c ffmpeg-2.8.14/libavcodec/aacdec_fixed.c --- ffmpeg-2.8.11/libavcodec/aacdec_fixed.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aacdec_fixed.c 2018-02-19 00:50:31.000000000 +0000 @@ -124,7 +124,7 @@ static inline int *DEC_UPAIR(int *dst, unsigned idx, unsigned sign) { dst[0] = (idx & 15) * (1 - (sign & 0xFFFFFFFE)); - dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) << 1)); + dst[1] = (idx >> 4 & 15) * (1 - ((sign & 1) * 2)); return dst + 2; } @@ -133,16 +133,16 @@ { unsigned nz = idx >> 12; - dst[0] = (idx & 3) * (1 + (((int)sign >> 31) << 1)); + dst[0] = (idx & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[1] = (idx >> 2 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[2] = (idx >> 4 & 3) * (1 + (((int)sign >> 31) * 2)); sign <<= nz & 1; nz >>= 1; - dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) << 1)); + dst[3] = (idx >> 6 & 3) * (1 + (((int)sign >> 31) * 2)); return dst + 4; } @@ -170,20 +170,25 @@ s = offset - (s >> 2); - if (s > 0) { + if (s > 31) { + for (i=0; i 0) { round = 1 << (s-1); for (i=0; i> 32); dst[i] = ((int)(out+round) >> s) * ssign; } - } - else { + } else if (s > -32) { s = s + 32; round = 1 << (s-1); for (i=0; i> s); - dst[i] = out * ssign; + dst[i] = out * (unsigned)ssign; } + } else { + av_log(NULL, AV_LOG_ERROR, "Overflow in subband_scale()\n"); } } @@ -202,8 +207,12 @@ c /= band_energy; s = 21 + nlz - (s >> 2); - if (s > 0) { - round = 1 << (s-1); + if (s > 31) { + for (i=0; i= 0) { + round = s ? 1 << (s-1) : 0; for (i=0; i> 32); coefs[i] = ((int)(out+round) >> s) * ssign; @@ -295,8 +304,12 @@ if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (unsigned)((pv.mant + (1 << (shift - 1))) >> shift); + } else + *coef += (unsigned)pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); @@ -361,7 +374,9 @@ shift = (gain-1024) >> 3; } - if (shift < 0) { + if (shift < -31) { + // Nothing to do + } else if (shift < 0) { shift = -shift; round = 1 << (shift - 1); @@ -378,7 +393,7 @@ for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x1000000000) >> 37); - dest[group * 128 + k] += tmp << shift; + dest[group * 128 + k] += tmp * (1U << shift); } } } @@ -418,7 +433,7 @@ else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x1000000000) >> 37); - dest[i] += tmp << shift; + dest[i] += tmp * (1 << shift); } } } diff -Nru ffmpeg-2.8.11/libavcodec/aacdec_template.c ffmpeg-2.8.14/libavcodec/aacdec_template.c --- ffmpeg-2.8.11/libavcodec/aacdec_template.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aacdec_template.c 2018-02-19 00:50:31.000000000 +0000 @@ -1243,6 +1243,8 @@ const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1293,8 +1295,10 @@ ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1318,7 +1322,8 @@ if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1337,7 +1342,7 @@ return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** @@ -1924,16 +1929,17 @@ global_gain = get_bits(gb, 8); if (!common_window && !scale_flag) { - if (decode_ics_info(ac, ics, gb) < 0) - return AVERROR_INVALIDDATA; + ret = decode_ics_info(ac, ics, gb); + if (ret < 0) + goto fail; } if ((ret = decode_band_types(ac, sce->band_type, sce->band_type_run_end, gb, ics)) < 0) - return ret; + goto fail; if ((ret = decode_scalefactors(ac, sce->sf, gb, global_gain, ics, sce->band_type, sce->band_type_run_end)) < 0) - return ret; + goto fail; pulse_present = 0; if (!scale_flag) { @@ -1941,37 +1947,48 @@ if (ics->window_sequence[0] == EIGHT_SHORT_SEQUENCE) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse tool not allowed in eight short sequence.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (decode_pulses(&pulse, gb, ics->swb_offset, ics->num_swb)) { av_log(ac->avctx, AV_LOG_ERROR, "Pulse data corrupt or invalid.\n"); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } } tns->present = get_bits1(gb); - if (tns->present && !er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && !er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } if (!eld_syntax && get_bits1(gb)) { avpriv_request_sample(ac->avctx, "SSR"); - return AVERROR_PATCHWELCOME; + ret = AVERROR_PATCHWELCOME; + goto fail; } // I see no textual basis in the spec for this occurring after SSR gain // control, but this is what both reference and real implmentations do - if (tns->present && er_syntax) - if (decode_tns(ac, tns, gb, ics) < 0) - return AVERROR_INVALIDDATA; + if (tns->present && er_syntax) { + ret = decode_tns(ac, tns, gb, ics); + if (ret < 0) + goto fail; + } } - if (decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, - &pulse, ics, sce->band_type) < 0) - return AVERROR_INVALIDDATA; + ret = decode_spectrum_and_dequant(ac, out, gb, sce->sf, pulse_present, + &pulse, ics, sce->band_type); + if (ret < 0) + goto fail; if (ac->oc[1].m4ac.object_type == AOT_AAC_MAIN && !common_window) apply_prediction(ac, sce); return 0; +fail: + tns->present = 0; + return ret; } /** @@ -2143,7 +2160,11 @@ coup->coupling_point += get_bits1(gb) || (coup->coupling_point >> 1); sign = get_bits(gb, 1); - scale = AAC_RENAME(cce_scale)[get_bits(gb, 2)]; +#if USE_FIXED + scale = get_bits(gb, 2); +#else + scale = cce_scale[get_bits(gb, 2)]; +#endif if ((ret = decode_ics(ac, sce, gb, 0, 0))) return ret; @@ -2157,6 +2178,10 @@ cge = coup->coupling_point == AFTER_IMDCT ? 1 : get_bits1(gb); gain = cge ? get_vlc2(gb, vlc_scalefactors.table, 7, 3) - 60: 0; gain_cache = GET_GAIN(scale, gain); +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } if (coup->coupling_point == AFTER_IMDCT) { coup->gain[c][0] = gain_cache; @@ -2174,6 +2199,10 @@ t >>= 1; } gain_cache = GET_GAIN(scale, t) * s; +#if USE_FIXED + if ((abs(gain_cache)-1024) >> 3 > 30) + return AVERROR(ERANGE); +#endif } } coup->gain[c][idx] = gain_cache; diff -Nru ffmpeg-2.8.11/libavcodec/aacps.c ffmpeg-2.8.14/libavcodec/aacps.c --- ffmpeg-2.8.11/libavcodec/aacps.c 2016-06-27 00:54:28.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/aacps.c 2018-02-19 00:50:24.000000000 +0000 @@ -499,13 +499,13 @@ static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC]) { #if USE_FIXED - par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \ + par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \ + par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \ 0x40000000) >> 31); - par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \ + par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \ 0x40000000) >> 31); - par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \ + par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \ 0x40000000) >> 31); #else par[ 0] = (2*par[ 0] + par[ 1]) * 0.33333333f; @@ -692,26 +692,17 @@ for (i = 0; i < NR_PAR_BANDS[is34]; i++) { for (n = n0; n < nL; n++) { int decayed_peak; - int denom; - decayed_peak = (int)(((int64_t)peak_decay_factor * \ peak_decay_nrg[i] + 0x40000000) >> 31); peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]); - power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2; - peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \ - peak_decay_diff_smooth[i] + 2) >> 2; - denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1); - if (denom > power_smooth[i]) { - int p = power_smooth[i]; - while (denom < 0x40000000) { - denom <<= 1; - p <<= 1; - } - transient_gain[i][n] = p / (denom >> 16); - } - else { - transient_gain[i][n] = 1 << 16; - } + power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2; + peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \ + peak_decay_diff_smooth[i]) >> 2; + + if (peak_decay_diff_smooth[i]) { + transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16); + } else + transient_gain[i][n] = 1 << 16; } } #else @@ -942,7 +933,7 @@ int stop = ps->border_position[e+1]; INTFLOAT width = Q30(1.f) / ((stop - start) ? (stop - start) : 1); #if USE_FIXED - width <<= 1; + width = FFMIN(2U*width, INT_MAX); #endif b = k_to_i[k]; h[0][0] = H11[0][e][b]; @@ -975,7 +966,7 @@ h_step[1][3] = AAC_MSUB31_V3(H22[1][e+1][b], h[1][3], width); } ps->dsp.stereo_interpolate[!PS_BASELINE && ps->enable_ipdopd]( - l[k] + start + 1, r[k] + start + 1, + l[k] + 1 + start, r[k] + 1 + start, h, h_step, stop - start); } } diff -Nru ffmpeg-2.8.11/libavcodec/aacsbr_fixed.c ffmpeg-2.8.14/libavcodec/aacsbr_fixed.c --- ffmpeg-2.8.11/libavcodec/aacsbr_fixed.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aacsbr_fixed.c 2018-02-19 00:50:31.000000000 +0000 @@ -291,6 +291,8 @@ shift = a00.exp; if (shift >= 3) alpha0[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][0] = 0; else { a00.mant <<= 1; shift = 2-shift; @@ -305,6 +307,8 @@ shift = a01.exp; if (shift >= 3) alpha0[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha0[k][1] = 0; else { a01.mant <<= 1; shift = 2-shift; @@ -318,6 +322,8 @@ shift = a10.exp; if (shift >= 3) alpha1[k][0] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][0] = 0; else { a10.mant <<= 1; shift = 2-shift; @@ -332,6 +338,8 @@ shift = a11.exp; if (shift >= 3) alpha1[k][1] = 0x7fffffff; + else if (shift <= -30) + alpha1[k][1] = 0; else { a11.mant <<= 1; shift = 2-shift; @@ -432,6 +440,7 @@ av_add_sf(FLOAT_1, sbr->e_curr[e][m]), av_add_sf(FLOAT_1, sbr->q_mapped[e][m])))); } + sbr->gain[e][m] = av_add_sf(sbr->gain[e][m], FLOAT_MIN); } for (m = sbr->f_tablelim[k] - sbr->kx[1]; m < sbr->f_tablelim[k + 1] - sbr->kx[1]; m++) { sum[0] = av_add_sf(sum[0], sbr->e_origmapped[e][m]); @@ -566,24 +575,38 @@ int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = &Y1[i][kx][idx]; - int shift, round; + int shift; + unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - out[2*m ] += (in[m ].mant * A + round) >> shift; - - shift = 22 - in[m+1].exp; - round = 1 << (shift-1); - out[2*m+2] += (in[m+1].mant * B + round) >> shift; + int shift2; + shift = 22 - in[m ].exp; + shift2= 22 - in[m+1].exp; + if (shift < 1 || shift2 < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d,%d\n", shift, shift2); + return; + } + if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; + } + + if (shift2 < 32) { + round = 1 << (shift2-1); + out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; + } } if(m_max&1) { - shift = 22 - in[m ].exp; - round = 1 << (shift-1); - - out[2*m ] += (in[m ].mant * A + round) >> shift; + shift = 22 - in[m ].exp; + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_assemble, shift=%d\n", shift); + return; + } else if (shift < 32) { + round = 1 << (shift-1); + out[2*m ] += (int)(in[m ].mant * A + round) >> shift; + } } } indexnoise = (indexnoise + m_max) & 0x1ff; diff -Nru ffmpeg-2.8.11/libavcodec/aacsbr_template.c ffmpeg-2.8.14/libavcodec/aacsbr_template.c --- ffmpeg-2.8.11/libavcodec/aacsbr_template.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/aacsbr_template.c 2018-02-19 00:50:24.000000000 +0000 @@ -621,24 +621,26 @@ int abs_bord_trail = 16; int num_rel_lead, num_rel_trail; unsigned bs_num_env_old = ch_data->bs_num_env; + int bs_frame_class, bs_num_env; ch_data->bs_freq_res[0] = ch_data->bs_freq_res[ch_data->bs_num_env]; ch_data->bs_amp_res = sbr->bs_amp_res_header; ch_data->t_env_num_env_old = ch_data->t_env[bs_num_env_old]; - switch (ch_data->bs_frame_class = get_bits(gb, 2)) { + switch (bs_frame_class = get_bits(gb, 2)) { case FIXFIX: - ch_data->bs_num_env = 1 << get_bits(gb, 2); - num_rel_lead = ch_data->bs_num_env - 1; - if (ch_data->bs_num_env == 1) - ch_data->bs_amp_res = 0; - - if (ch_data->bs_num_env > 4) { + bs_num_env = 1 << get_bits(gb, 2); + if (bs_num_env > 4) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in FIXFIX type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; + num_rel_lead = ch_data->bs_num_env - 1; + if (ch_data->bs_num_env == 1) + ch_data->bs_amp_res = 0; + ch_data->t_env[0] = 0; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -686,14 +688,15 @@ abs_bord_trail += get_bits(gb, 2); num_rel_lead = get_bits(gb, 2); num_rel_trail = get_bits(gb, 2); - ch_data->bs_num_env = num_rel_lead + num_rel_trail + 1; + bs_num_env = num_rel_lead + num_rel_trail + 1; - if (ch_data->bs_num_env > 5) { + if (bs_num_env > 5) { av_log(ac->avctx, AV_LOG_ERROR, "Invalid bitstream, too many SBR envelopes in VARVAR type SBR frame: %d\n", - ch_data->bs_num_env); + bs_num_env); return -1; } + ch_data->bs_num_env = bs_num_env; ch_data->t_env[ch_data->bs_num_env] = abs_bord_trail; @@ -708,6 +711,7 @@ get_bits1_vector(gb, ch_data->bs_freq_res + 1, ch_data->bs_num_env); break; } + ch_data->bs_frame_class = bs_frame_class; av_assert0(bs_pointer >= 0); if (bs_pointer > ch_data->bs_num_env + 1) { diff -Nru ffmpeg-2.8.11/libavcodec/ac3dec.c ffmpeg-2.8.14/libavcodec/ac3dec.c --- ffmpeg-2.8.11/libavcodec/ac3dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ac3dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -750,30 +750,31 @@ * @param[in] default_band_struct default band structure table * @param[out] num_bands number of bands (optionally NULL) * @param[out] band_sizes array containing the number of bins in each band (optionally NULL) + * @param[in,out] band_struct current band structure */ static void decode_band_structure(GetBitContext *gbc, int blk, int eac3, int ecpl, int start_subband, int end_subband, const uint8_t *default_band_struct, - int *num_bands, uint8_t *band_sizes) + int *num_bands, uint8_t *band_sizes, + uint8_t *band_struct, int band_struct_size) { int subbnd, bnd, n_subbands, n_bands=0; uint8_t bnd_sz[22]; - uint8_t coded_band_struct[22]; - const uint8_t *band_struct; n_subbands = end_subband - start_subband; + if (!blk) + memcpy(band_struct, default_band_struct, band_struct_size); + + av_assert0(band_struct_size >= start_subband + n_subbands); + + band_struct += start_subband + 1; + /* decode band structure from bitstream or use default */ if (!eac3 || get_bits1(gbc)) { for (subbnd = 0; subbnd < n_subbands - 1; subbnd++) { - coded_band_struct[subbnd] = get_bits1(gbc); + band_struct[subbnd] = get_bits1(gbc); } - band_struct = coded_band_struct; - } else if (!blk) { - band_struct = &default_band_struct[start_subband+1]; - } else { - /* no change in band structure */ - return; } /* calculate number of bands and band sizes based on band structure. @@ -900,7 +901,8 @@ start_subband, end_subband, ff_eac3_default_spx_band_struct, &s->num_spx_bands, - s->spx_band_sizes); + s->spx_band_sizes, + s->spx_band_struct, sizeof(s->spx_band_struct)); } } if (!s->eac3 || !s->spx_in_use) { @@ -1034,7 +1036,8 @@ decode_band_structure(gbc, blk, s->eac3, 0, cpl_start_subband, cpl_end_subband, ff_eac3_default_cpl_band_struct, - &s->num_cpl_bands, s->cpl_band_sizes); + &s->num_cpl_bands, s->cpl_band_sizes, + s->cpl_band_struct, sizeof(s->cpl_band_struct)); } else { /* coupling not in use */ for (ch = 1; ch <= fbw_channels; ch++) { @@ -1335,7 +1338,7 @@ for (ch = 1; ch <= s->channels; ch++) { int audio_channel = 0; INTFLOAT gain; - if (s->channel_mode == AC3_CHMODE_DUALMONO) + if (s->channel_mode == AC3_CHMODE_DUALMONO && ch <= 2) audio_channel = 2-ch; if (s->heavy_compression && s->compression_exists[audio_channel]) gain = s->heavy_dynamic_range[audio_channel]; diff -Nru ffmpeg-2.8.11/libavcodec/ac3dec.h ffmpeg-2.8.14/libavcodec/ac3dec.h --- ffmpeg-2.8.11/libavcodec/ac3dec.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ac3dec.h 2018-02-19 00:50:24.000000000 +0000 @@ -126,6 +126,7 @@ int phase_flags_in_use; ///< phase flags in use (phsflginu) int phase_flags[AC3_MAX_CPL_BANDS]; ///< phase flags (phsflg) int num_cpl_bands; ///< number of coupling bands (ncplbnd) + uint8_t cpl_band_struct[AC3_MAX_CPL_BANDS]; uint8_t cpl_band_sizes[AC3_MAX_CPL_BANDS]; ///< number of coeffs in each coupling band int firstchincpl; ///< first channel in coupling int first_cpl_coords[AC3_MAX_CHANNELS]; ///< first coupling coordinates states (firstcplcos) @@ -142,6 +143,7 @@ int spx_dst_start_freq; ///< spx starting frequency bin for copying (copystartmant) ///< the copy region ends at the start of the spx region. int num_spx_bands; ///< number of spx bands (nspxbnds) + uint8_t spx_band_struct[SPX_MAX_BANDS]; uint8_t spx_band_sizes[SPX_MAX_BANDS]; ///< number of bins in each spx band uint8_t first_spx_coords[AC3_MAX_CHANNELS]; ///< first spx coordinates states (firstspxcos) INTFLOAT spx_noise_blend[AC3_MAX_CHANNELS][SPX_MAX_BANDS]; ///< spx noise blending factor (nblendfact) diff -Nru ffmpeg-2.8.11/libavcodec/ac3dec_fixed.c ffmpeg-2.8.14/libavcodec/ac3dec_fixed.c --- ffmpeg-2.8.11/libavcodec/ac3dec_fixed.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ac3dec_fixed.c 2018-02-19 00:50:31.000000000 +0000 @@ -64,12 +64,12 @@ int dynrng, int len) { - int i, shift, round; - int16_t mul; + int i, shift; + unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; - shift = 4 - ((dynrng << 23) >> 28); + shift = 4 - (sign_extend(dynrng, 9) >> 5); if (shift > 0 ) { round = 1 << (shift-1); for (i=0; is2; for (i = 0; i < BLOCK_SAMPLES; i++) { d = get_sbits(&gb, 4); - s0 = ((d << COEFF_BITS) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; + s0 = ((d * (1 << COEFF_BITS)) * scale + c->coeff[0] * s1 + c->coeff[1] * s2) >> COEFF_BITS; s2 = s1; s1 = av_clip_int16(s0); *out++ = s1; diff -Nru ffmpeg-2.8.11/libavcodec/amrwbdec.c ffmpeg-2.8.14/libavcodec/amrwbdec.c --- ffmpeg-2.8.11/libavcodec/amrwbdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/amrwbdec.c 2018-02-19 00:50:31.000000000 +0000 @@ -265,7 +265,7 @@ *lag_frac = pitch_index - (*lag_int << 2) + 136; } else if (pitch_index < 440) { *lag_int = (pitch_index + 257 - 376) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 256 - 376) * 2; /* the actual resolution is 1/2 but expressed as 1/4 */ } else { *lag_int = pitch_index - 280; @@ -295,7 +295,7 @@ if (subframe == 0 || (subframe == 2 && mode != MODE_6k60)) { if (pitch_index < 116) { *lag_int = (pitch_index + 69) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1) + 68) << 1; + *lag_frac = (pitch_index - (*lag_int << 1) + 68) * 2; } else { *lag_int = pitch_index - 24; *lag_frac = 0; @@ -305,7 +305,7 @@ AMRWB_P_DELAY_MIN, AMRWB_P_DELAY_MAX - 15); } else { *lag_int = (pitch_index + 1) >> 1; - *lag_frac = (pitch_index - (*lag_int << 1)) << 1; + *lag_frac = (pitch_index - (*lag_int << 1)) * 2; *lag_int += *base_lag_int; } } @@ -614,7 +614,7 @@ AMRWB_SFR_SIZE) * f_gain * f_gain; - return (p_ener - f_ener) / (p_ener + f_ener); + return (p_ener - f_ener) / (p_ener + f_ener + 0.01); } /** diff -Nru ffmpeg-2.8.11/libavcodec/ansi.c ffmpeg-2.8.14/libavcodec/ansi.c --- ffmpeg-2.8.11/libavcodec/ansi.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ansi.c 2018-02-19 00:50:24.000000000 +0000 @@ -80,10 +80,6 @@ AnsiContext *s = avctx->priv_data; avctx->pix_fmt = AV_PIX_FMT_PAL8; - s->frame = av_frame_alloc(); - if (!s->frame) - return AVERROR(ENOMEM); - /* defaults */ s->font = avpriv_vga16_font; s->font_height = 16; @@ -98,6 +94,11 @@ av_log(avctx, AV_LOG_ERROR, "Invalid dimensions %d %d\n", avctx->width, avctx->height); return AVERROR(EINVAL); } + + s->frame = av_frame_alloc(); + if (!s->frame) + return AVERROR(ENOMEM); + return 0; } diff -Nru ffmpeg-2.8.11/libavcodec/apedec.c ffmpeg-2.8.14/libavcodec/apedec.c --- ffmpeg-2.8.11/libavcodec/apedec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/apedec.c 2018-02-19 00:50:24.000000000 +0000 @@ -1404,6 +1404,7 @@ int32_t *sample24; int i, ch, ret; int blockstodecode; + uint64_t decoded_buffer_size; /* this should never be negative, but bad things will happen if it is, so check it just to make sure. */ @@ -1459,7 +1460,7 @@ skip_bits_long(&s->gb, offset); } - if (!nblocks || nblocks > INT_MAX) { + if (!nblocks || nblocks > INT_MAX / 2 / sizeof(*s->decoded_buffer) - 8) { av_log(avctx, AV_LOG_ERROR, "Invalid sample count: %"PRIu32".\n", nblocks); return AVERROR_INVALIDDATA; @@ -1485,8 +1486,9 @@ blockstodecode = s->samples; /* reallocate decoded sample buffer if needed */ - av_fast_malloc(&s->decoded_buffer, &s->decoded_size, - 2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)); + decoded_buffer_size = 2LL * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer); + av_assert0(decoded_buffer_size <= INT_MAX); + av_fast_malloc(&s->decoded_buffer, &s->decoded_size, decoded_buffer_size); if (!s->decoded_buffer) return AVERROR(ENOMEM); memset(s->decoded_buffer, 0, s->decoded_size); diff -Nru ffmpeg-2.8.11/libavcodec/arm/sbrdsp_neon.S ffmpeg-2.8.14/libavcodec/arm/sbrdsp_neon.S --- ffmpeg-2.8.11/libavcodec/arm/sbrdsp_neon.S 2016-03-29 03:25:11.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/arm/sbrdsp_neon.S 2018-02-19 00:50:31.000000000 +0000 @@ -336,11 +336,11 @@ vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! - vld1.32 {d3[]}, [r2,:32]! + vld1.32 {d18[]}, [r2,:32]! vceq.f32 d4, d2, #0 veor d2, d2, d3 vmov d1, d0 - vmla.f32 d0, d6, d3 + vmla.f32 d0, d6, d18 vadd.f32 s2, s2, s4 vbif d0, d1, d4 vst1.32 {d0}, [r0,:64]! diff -Nru ffmpeg-2.8.11/libavcodec/avcodec.h ffmpeg-2.8.14/libavcodec/avcodec.h --- ffmpeg-2.8.11/libavcodec/avcodec.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/avcodec.h 2018-02-19 00:50:24.000000000 +0000 @@ -1365,6 +1365,16 @@ * side data includes updated metadata which appeared in the stream. */ AV_PKT_DATA_METADATA_UPDATE, + + /** + * The number of side data elements (in fact a bit more than it). + * This is not part of the public API/ABI in the sense that it may + * change when new side data types are added. + * This must stay the last enum value. + * If its value becomes huge, some code using it + * needs to be updated as it assumes it to be smaller than other limits. + */ + AV_PKT_DATA_NB }; #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED diff -Nru ffmpeg-2.8.11/libavcodec/avpacket.c ffmpeg-2.8.14/libavcodec/avpacket.c --- ffmpeg-2.8.11/libavcodec/avpacket.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/avpacket.c 2018-02-19 00:50:24.000000000 +0000 @@ -305,11 +305,12 @@ { int elems = pkt->side_data_elems; - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) + if ((unsigned)elems + 1 > AV_PKT_DATA_NB) return NULL; if ((unsigned)size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) return NULL; + pkt->side_data = av_realloc(pkt->side_data, (elems + 1) * sizeof(*pkt->side_data)); if (!pkt->side_data) @@ -337,6 +338,8 @@ return pkt->side_data[i].data; } } + if (size) + *size = 0; return NULL; } @@ -423,6 +426,9 @@ p-= size+5; } + if (i > AV_PKT_DATA_NB) + return AVERROR(ERANGE); + pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); if (!pkt->side_data) return AVERROR(ENOMEM); diff -Nru ffmpeg-2.8.11/libavcodec/bmvvideo.c ffmpeg-2.8.14/libavcodec/bmvvideo.c --- ffmpeg-2.8.11/libavcodec/bmvvideo.c 2016-06-27 00:54:28.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/bmvvideo.c 2018-02-19 00:50:24.000000000 +0000 @@ -107,7 +107,7 @@ if (src < source || src >= source_end) return AVERROR_INVALIDDATA; shift += 2; - val |= *src << shift; + val |= (unsigned)*src << shift; if (*src & 0xC) break; } diff -Nru ffmpeg-2.8.11/libavcodec/cavs.c ffmpeg-2.8.14/libavcodec/cavs.c --- ffmpeg-2.8.11/libavcodec/cavs.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/cavs.c 2018-02-19 00:50:24.000000000 +0000 @@ -538,8 +538,7 @@ static inline void scale_mv(AVSContext *h, int *d_x, int *d_y, cavs_vector *src, int distp) { - int den = h->scale_den[FFMAX(src->ref, 0)]; - + int64_t den = h->scale_den[FFMAX(src->ref, 0)]; *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } @@ -614,8 +613,15 @@ mv_pred_median(h, mvP, mvA, mvB, mvC); if (mode < MV_PRED_PSKIP) { - mvP->x += get_se_golomb(&h->gb); - mvP->y += get_se_golomb(&h->gb); + int mx = get_se_golomb(&h->gb) + (unsigned)mvP->x; + int my = get_se_golomb(&h->gb) + (unsigned)mvP->y; + + if (mx != (int16_t)mx || my != (int16_t)my) { + av_log(h->avctx, AV_LOG_ERROR, "MV %d %d out of supported range\n", mx, my); + } else { + mvP->x = mx; + mvP->y = my; + } } set_mvs(mvP, size); } diff -Nru ffmpeg-2.8.11/libavcodec/cavsdec.c ffmpeg-2.8.14/libavcodec/cavsdec.c --- ffmpeg-2.8.11/libavcodec/cavsdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/cavsdec.c 2018-02-19 00:50:24.000000000 +0000 @@ -466,7 +466,7 @@ cavs_vector *col_mv) { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; - int den = h->direct_den[col_mv->ref]; + unsigned den = h->direct_den[col_mv->ref]; int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; @@ -616,7 +616,7 @@ /* get quantizer */ if (h->cbp && !h->qp_fixed) - h->qp = (h->qp + get_se_golomb(&h->gb)) & 63; + h->qp = (h->qp + (unsigned)get_se_golomb(&h->gb)) & 63; for (block = 0; block < 4; block++) if (h->cbp & (1 << block)) decode_residual_block(h, &h->gb, inter_dec, 0, h->qp, @@ -1032,6 +1032,10 @@ h->scale_den[1] = h->dist[1] ? 512/h->dist[1] : 0; if (h->cur.f->pict_type == AV_PICTURE_TYPE_B) { h->sym_factor = h->dist[0] * h->scale_den[1]; + if (FFABS(h->sym_factor) > 32768) { + av_log(h->avctx, AV_LOG_ERROR, "sym_factor %d too large\n", h->sym_factor); + return AVERROR_INVALIDDATA; + } } else { h->direct_den[0] = h->dist[0] ? 16384 / h->dist[0] : 0; h->direct_den[1] = h->dist[1] ? 16384 / h->dist[1] : 0; diff -Nru ffmpeg-2.8.11/libavcodec/cdxl.c ffmpeg-2.8.14/libavcodec/cdxl.c --- ffmpeg-2.8.11/libavcodec/cdxl.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/cdxl.c 2018-02-19 00:50:24.000000000 +0000 @@ -252,11 +252,11 @@ aligned_width = FFALIGN(c->avctx->width, 16); c->padded_bits = aligned_width - c->avctx->width; - if (c->video_size < aligned_width * avctx->height * c->bpp / 8) + if (c->video_size < aligned_width * avctx->height * (int64_t)c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; diff -Nru ffmpeg-2.8.11/libavcodec/cinepak.c ffmpeg-2.8.14/libavcodec/cinepak.c --- ffmpeg-2.8.11/libavcodec/cinepak.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/cinepak.c 2018-02-19 00:50:24.000000000 +0000 @@ -322,9 +322,6 @@ int y0 = 0; int encoded_buf_size; - if (s->size < 10) - return AVERROR_INVALIDDATA; - frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -439,6 +436,9 @@ s->data = buf; s->size = buf_size; + if (s->size < 10) + return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; diff -Nru ffmpeg-2.8.11/libavcodec/cllc.c ffmpeg-2.8.14/libavcodec/cllc.c --- ffmpeg-2.8.11/libavcodec/cllc.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/cllc.c 2018-02-19 00:50:24.000000000 +0000 @@ -29,6 +29,10 @@ #include "avcodec.h" #include "internal.h" +#define VLC_BITS 7 +#define VLC_DEPTH 2 + + typedef struct CLLCContext { AVCodecContext *avctx; BswapDSPContext bdsp; @@ -51,6 +55,13 @@ num_lens = get_bits(gb, 5); + if (num_lens > VLC_BITS * VLC_DEPTH) { + vlc->table = NULL; + + av_log(ctx->avctx, AV_LOG_ERROR, "To long VLCs %d\n", num_lens); + return AVERROR_INVALIDDATA; + } + for (i = 0; i < num_lens; i++) { num_codes = get_bits(gb, 9); num_codes_sum += num_codes; @@ -70,11 +81,15 @@ count++; } + if (prefix > (65535 - 256)/2) { + vlc->table = NULL; + return AVERROR_INVALIDDATA; + } prefix <<= 1; } - return ff_init_vlc_sparse(vlc, 7, count, bits, 1, 1, + return ff_init_vlc_sparse(vlc, VLC_BITS, count, bits, 1, 1, codes, 2, 2, symbols, 1, 1, 0); } @@ -101,7 +116,7 @@ for (i = 0; i < ctx->avctx->width; i++) { /* Always get the alpha component */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[0].table, 7, 2); + GET_VLC(code, bits, gb, vlc[0].table, VLC_BITS, VLC_DEPTH); pred[0] += code; dst[0] = pred[0]; @@ -110,21 +125,21 @@ if (dst[0]) { /* Red */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[1].table, 7, 2); + GET_VLC(code, bits, gb, vlc[1].table, VLC_BITS, VLC_DEPTH); pred[1] += code; dst[1] = pred[1]; /* Green */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[2].table, 7, 2); + GET_VLC(code, bits, gb, vlc[2].table, VLC_BITS, VLC_DEPTH); pred[2] += code; dst[2] = pred[2]; /* Blue */ UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc[3].table, 7, 2); + GET_VLC(code, bits, gb, vlc[3].table, VLC_BITS, VLC_DEPTH); pred[3] += code; dst[3] = pred[3]; @@ -166,7 +181,7 @@ /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; dst[0] = pred; @@ -195,7 +210,7 @@ /* Simultaneously read and restore the line */ for (i = 0; i < ctx->avctx->width >> is_chroma; i++) { UPDATE_CACHE(bits, gb); - GET_VLC(code, bits, gb, vlc->table, 7, 2); + GET_VLC(code, bits, gb, vlc->table, VLC_BITS, VLC_DEPTH); pred += code; outbuf[i] = pred; diff -Nru ffmpeg-2.8.11/libavcodec/cngdec.c ffmpeg-2.8.14/libavcodec/cngdec.c --- ffmpeg-2.8.11/libavcodec/cngdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/cngdec.c 2018-02-19 00:50:31.000000000 +0000 @@ -146,7 +146,7 @@ return ret; buf_out = (int16_t *)frame->data[0]; for (i = 0; i < avctx->frame_size; i++) - buf_out[i] = p->filter_out[i + p->order]; + buf_out[i] = av_clip_int16(p->filter_out[i + p->order]); memcpy(p->filter_out, p->filter_out + avctx->frame_size, p->order * sizeof(*p->filter_out)); diff -Nru ffmpeg-2.8.11/libavcodec/dds.c ffmpeg-2.8.14/libavcodec/dds.c --- ffmpeg-2.8.11/libavcodec/dds.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/dds.c 2018-02-19 00:50:24.000000000 +0000 @@ -38,7 +38,7 @@ #define DDPF_FOURCC (1 << 2) #define DDPF_PALETTE (1 << 5) -#define DDPF_NORMALMAP (1 << 31) +#define DDPF_NORMALMAP (1U << 31) enum DDSPostProc { DDS_NONE = 0, @@ -675,7 +675,7 @@ (frame->data[1][2+i*4]<<0)+ (frame->data[1][1+i*4]<<8)+ (frame->data[1][0+i*4]<<16)+ - (frame->data[1][3+i*4]<<24) + ((unsigned)frame->data[1][3+i*4]<<24) ); frame->palette_has_changed = 1; diff -Nru ffmpeg-2.8.11/libavcodec/dfa.c ffmpeg-2.8.14/libavcodec/dfa.c --- ffmpeg-2.8.11/libavcodec/dfa.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/dfa.c 2018-02-19 00:50:24.000000000 +0000 @@ -67,7 +67,8 @@ const uint8_t *frame_start = frame; const uint8_t *frame_end = frame + width * height; int mask = 0x10000, bitbuf = 0; - int v, count, segments; + int v, count; + unsigned segments; unsigned offset; segments = bytestream2_get_le32(gb); @@ -175,7 +176,7 @@ return AVERROR_INVALIDDATA; frame += v; } else { - if (frame_end - frame < width + 3) + if (frame_end - frame < width + 4) return AVERROR_INVALIDDATA; frame[0] = frame[1] = frame[width] = frame[width + 1] = bytestream2_get_byte(gb); @@ -249,7 +250,7 @@ segments = bytestream2_get_le16u(gb); while ((segments & 0xC000) == 0xC000) { unsigned skip_lines = -(int16_t)segments; - unsigned delta = -((int16_t)segments * width); + int64_t delta = -((int16_t)segments * (int64_t)width); if (frame_end - frame <= delta || y + lines + skip_lines > height) return AVERROR_INVALIDDATA; frame += delta; diff -Nru ffmpeg-2.8.11/libavcodec/dirac_dwt.h ffmpeg-2.8.14/libavcodec/dirac_dwt.h --- ffmpeg-2.8.11/libavcodec/dirac_dwt.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/dirac_dwt.h 2018-02-19 00:50:31.000000000 +0000 @@ -84,40 +84,40 @@ // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ - (b1 - ((b0 + b2 + 2) >> 2)) + (b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ - (b1 + ((b0 + b2 + 1) >> 1)) + (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ - (b2 + ((-b0 + 9*b1 + 9*b3 - b4 + 8) >> 4)) + (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ - (b2 - ((-b0 + 9*b1 + 9*b3 - b4 + 16) >> 5)) + (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ - (b0 - ((b1 + 1) >> 1)) + ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ - (b0 + b1) + ((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 - ((-8*(b0+b8) + 21*(b1+b7) - 46*(b2+b6) + 161*(b3+b5) + 128) >> 8)) + ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_FIDELITYiH0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ - (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) + ((unsigned)b4 + ((int)(-2*(b0+(unsigned)b8) + 10*(b1+(unsigned)b7) - 25*(b2+(unsigned)b6) + 81*(b3+(unsigned)b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + ((unsigned)(b1) - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + ((unsigned)(b1) + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ diff -Nru ffmpeg-2.8.11/libavcodec/diracdec.c ffmpeg-2.8.14/libavcodec/diracdec.c --- ffmpeg-2.8.11/libavcodec/diracdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/diracdec.c 2018-02-19 00:50:31.000000000 +0000 @@ -285,7 +285,7 @@ /* magic number division by 3 from schroedinger */ static inline int divide3(int x) { - return ((x+1)*21845 + 10922) >> 16; + return (int)((x+1U)*21845 + 10922) >> 16; } static DiracFrame *remove_frame(DiracFrame *framelist[], int picnum) @@ -532,16 +532,16 @@ } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { - int quant = b->quant; + int quant; if (is_arith) - quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); + quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else - quant += dirac_get_se_golomb(gb); - if (quant < 0) { + quant = dirac_get_se_golomb(gb); + if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } - b->quant = quant; + b->quant += quant; } b->quant = FFMIN(b->quant, MAX_QUANT); @@ -960,6 +960,10 @@ s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } @@ -1205,7 +1209,7 @@ if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } @@ -1833,9 +1837,9 @@ if (out) { out->reference ^= DELAYED_PIC_REF; - *got_frame = 1; if((ret = av_frame_ref(picture, out->avframe)) < 0) return ret; + *got_frame = 1; } return 0; diff -Nru ffmpeg-2.8.11/libavcodec/dss_sp.c ffmpeg-2.8.14/libavcodec/dss_sp.c --- ffmpeg-2.8.11/libavcodec/dss_sp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/dss_sp.c 2018-02-19 00:50:24.000000000 +0000 @@ -33,7 +33,7 @@ #define DSS_SP_FRAME_SIZE 42 #define DSS_SP_SAMPLE_COUNT (66 * SUBFRAMES) -#define DSS_SP_FORMULA(a, b, c) (((((a) << 15) + (b) * (c)) + 0x4000) >> 15) +#define DSS_SP_FORMULA(a, b, c) ((int)((((a) * (1 << 15)) + (b) * (unsigned)(c)) + 0x4000) >> 15) typedef struct DssSpSubframe { int16_t gain; @@ -499,7 +499,7 @@ vec[i] = vec[i] >> -bits; else for (i = 0; i < size; i++) - vec[i] = vec[i] << bits; + vec[i] = vec[i] * (1 << bits); } static void dss_sp_update_buf(int32_t *hist, int32_t *vector) @@ -524,12 +524,12 @@ tmp = dst[a] * filter_buf[0]; for (i = 14; i > 0; i--) - tmp -= error_buf[i] * filter_buf[i]; + tmp -= error_buf[i] * (unsigned)filter_buf[i]; for (i = 14; i > 0; i--) error_buf[i] = error_buf[i - 1]; - tmp = (tmp + 4096) >> 13; + tmp = (int)(tmp + 4096U) >> 13; error_buf[1] = tmp; diff -Nru ffmpeg-2.8.11/libavcodec/dvbsubdec.c ffmpeg-2.8.14/libavcodec/dvbsubdec.c --- ffmpeg-2.8.11/libavcodec/dvbsubdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/dvbsubdec.c 2018-02-19 00:50:24.000000000 +0000 @@ -24,6 +24,7 @@ #include "bytestream.h" #include "internal.h" #include "libavutil/colorspace.h" +#include "libavutil/imgutils.h" #include "libavutil/opt.h" #define DVBSUB_PAGE_SEGMENT 0x10 @@ -1205,9 +1206,9 @@ return AVERROR_INVALIDDATA; } - if (depth & 0x80) + if (depth & 0x80 && entry_id < 4) clut->clut4[entry_id] = RGBA(r,g,b,255 - alpha); - else if (depth & 0x40) + else if (depth & 0x40 && entry_id < 16) clut->clut16[entry_id] = RGBA(r,g,b,255 - alpha); else if (depth & 0x20) clut->clut256[entry_id] = RGBA(r,g,b,255 - alpha); @@ -1230,6 +1231,7 @@ DVBSubObject *object; DVBSubObjectDisplay *display; int fill; + int ret; if (buf_size < 10) return AVERROR_INVALIDDATA; @@ -1258,6 +1260,12 @@ region->height = AV_RB16(buf); buf += 2; + ret = av_image_check_size(region->width, region->height, 0, avctx); + if (ret < 0) { + region->width= region->height= 0; + return ret; + } + if (region->width * region->height != region->buf_size) { av_free(region->pbuf); diff -Nru ffmpeg-2.8.11/libavcodec/dvdsubdec.c ffmpeg-2.8.14/libavcodec/dvdsubdec.c --- ffmpeg-2.8.11/libavcodec/dvdsubdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/dvdsubdec.c 2018-02-19 00:50:24.000000000 +0000 @@ -60,7 +60,7 @@ cb = *ycbcr++; YUV_TO_RGB1_CCIR(cb, cr); YUV_TO_RGB2_CCIR(r, g, b, y); - *rgba++ = (*alpha++ << 24) | (r << 16) | (g << 8) | b; + *rgba++ = ((unsigned)*alpha++ << 24) | (r << 16) | (g << 8) | b; } } @@ -189,12 +189,12 @@ r = (((subtitle_color >> 16) & 0xff) * level) >> 8; g = (((subtitle_color >> 8) & 0xff) * level) >> 8; b = (((subtitle_color >> 0) & 0xff) * level) >> 8; - rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17) << 24); + rgba_palette[i] = b | (g << 8) | (r << 16) | ((alpha[i] * 17U) << 24); color_used[colormap[i]] = (i + 1); j++; } else { rgba_palette[i] = (rgba_palette[color_used[colormap[i]] - 1] & 0x00ffffff) | - ((alpha[i] * 17) << 24); + ((alpha[i] * 17U) << 24); } } } diff -Nru ffmpeg-2.8.11/libavcodec/eac3dec.c ffmpeg-2.8.14/libavcodec/eac3dec.c --- ffmpeg-2.8.11/libavcodec/eac3dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/eac3dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -252,7 +252,7 @@ /* Vector Quantization */ int v = get_bits(gbc, bits); for (blk = 0; blk < 6; blk++) { - s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8; + s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8); } } else { /* Gain Adaptive Quantization */ @@ -271,16 +271,16 @@ int b; int mbits = bits - (2 - log_gain); mant = get_sbits(gbc, mbits); - mant <<= (23 - (mbits - 1)); + mant = ((unsigned)mant) << (23 - (mbits - 1)); /* remap mantissa value to correct for asymmetric quantization */ if (mant >= 0) b = 1 << (23 - log_gain); else - b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8; + b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8); mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b; } else { /* small mantissa, no GAQ, or Gk=1 */ - mant <<= 24 - bits; + mant *= (1 << 24 - bits); if (!log_gain) { /* remap mantissa value for no GAQ or Gk=1 */ mant += (ff_eac3_gaq_remap_1[hebap-8] * (int64_t)mant) >> 15; diff -Nru ffmpeg-2.8.11/libavcodec/eamad.c ffmpeg-2.8.14/libavcodec/eamad.c --- ffmpeg-2.8.11/libavcodec/eamad.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/eamad.c 2018-02-19 00:50:24.000000000 +0000 @@ -284,7 +284,7 @@ if (avctx->width != width || avctx->height != height) { av_frame_unref(s->last_frame); - if((width * height)/2048*7 > bytestream2_get_bytes_left(&gb)) + if((width * (int64_t)height)/2048*7 > bytestream2_get_bytes_left(&gb)) return AVERROR_INVALIDDATA; if ((ret = ff_set_dimensions(avctx, width, height)) < 0) return ret; diff -Nru ffmpeg-2.8.11/libavcodec/eatqi.c ffmpeg-2.8.14/libavcodec/eatqi.c --- ffmpeg-2.8.11/libavcodec/eatqi.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/eatqi.c 2018-02-19 00:50:24.000000000 +0000 @@ -93,7 +93,7 @@ static void tqi_calculate_qtable(MpegEncContext *s, int quant) { - const int qscale = (215 - 2*quant)*5; + const int64_t qscale = (215 - 2*quant)*5; int i; s->intra_matrix[0] = (ff_inv_aanscales[0]*ff_mpeg1_default_intra_matrix[0])>>11; for(i=1; i<64; i++) diff -Nru ffmpeg-2.8.11/libavcodec/exr.c ffmpeg-2.8.14/libavcodec/exr.c --- ffmpeg-2.8.11/libavcodec/exr.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/exr.c 2018-02-19 00:50:31.000000000 +0000 @@ -184,9 +184,9 @@ * * @return normalized 16-bit unsigned int */ -static inline uint16_t exr_flt2uint(uint32_t v) +static inline uint16_t exr_flt2uint(int32_t v) { - unsigned int exp = v >> 23; + int32_t exp = v >> 23; // "HACK": negative values result in exp< 0, so clipping them to 0 // is also handled by this condition, avoids explicit check for sign bit. if (exp <= 127 + 7 - 24) // we would shift out all bits anyway @@ -537,7 +537,7 @@ while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; - if (pl.len) { + if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { @@ -846,7 +846,7 @@ line_offset = AV_RL64(s->gb.buffer + jobnr * 8); // Check if the buffer has the required bytes needed from the offset - if (line_offset > buf_size - 8) + if (buf_size < 8 || line_offset > buf_size - 8) return AVERROR_INVALIDDATA; src = buf + line_offset + 8; @@ -855,7 +855,7 @@ return AVERROR_INVALIDDATA; data_size = AV_RL32(src - 4); - if (data_size <= 0 || data_size > buf_size) + if (data_size <= 0 || data_size > buf_size - line_offset - 8) return AVERROR_INVALIDDATA; s->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); diff -Nru ffmpeg-2.8.11/libavcodec/ffv1dec.c ffmpeg-2.8.14/libavcodec/ffv1dec.c --- ffmpeg-2.8.11/libavcodec/ffv1dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ffv1dec.c 2018-02-19 00:50:31.000000000 +0000 @@ -45,7 +45,8 @@ if (get_rac(c, state + 0)) return 0; else { - int i, e, a; + int i, e; + unsigned a; e = 0; while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10 e++; @@ -478,7 +479,7 @@ memset(state, 128, sizeof(state)); for (v = 0; i < 128; v++) { - unsigned len = get_symbol(c, state, 0) + 1; + unsigned len = get_symbol(c, state, 0) + 1U; if (len > 128 - i || !len) return AVERROR_INVALIDDATA; @@ -791,7 +792,7 @@ } else { const uint8_t *p = c->bytestream_end; for (f->slice_count = 0; - f->slice_count < MAX_SLICES && 3 < p - c->bytestream_start; + f->slice_count < MAX_SLICES && 3 + 5*!!f->ec < p - c->bytestream_start; f->slice_count++) { int trailer = 3 + 5*!!f->ec; int size = AV_RB24(p-trailer); @@ -987,16 +988,23 @@ FFV1Context *fs = f->slice_context[i]; int j; if (fs->slice_damaged && f->last_picture.f->data[0]) { + const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(avctx->pix_fmt); const uint8_t *src[4]; uint8_t *dst[4]; ff_thread_await_progress(&f->last_picture, INT_MAX, 0); - for (j = 0; j < 4; j++) { + for (j = 0; j < desc->nb_components; j++) { int sh = (j == 1 || j == 2) ? f->chroma_h_shift : 0; int sv = (j == 1 || j == 2) ? f->chroma_v_shift : 0; dst[j] = p->data[j] + p->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); src[j] = f->last_picture.f->data[j] + f->last_picture.f->linesize[j] * (fs->slice_y >> sv) + (fs->slice_x >> sh); + + } + if (desc->flags & AV_PIX_FMT_FLAG_PAL || + desc->flags & AV_PIX_FMT_FLAG_PSEUDOPAL) { + dst[1] = p->data[1]; + src[1] = f->last_picture.f->data[1]; } av_image_copy(dst, p->linesize, src, f->last_picture.f->linesize, diff -Nru ffmpeg-2.8.11/libavcodec/fic.c ffmpeg-2.8.14/libavcodec/fic.c --- ffmpeg-2.8.11/libavcodec/fic.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/fic.c 2018-02-19 00:50:24.000000000 +0000 @@ -84,26 +84,26 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const int t4 = 5793 * (t2 + t0 + 0x800 >> 12); - const int t5 = 5793 * (t3 + t1 + 0x800 >> 12); - const int t6 = t2 - t0; - const int t7 = t3 - t1; - const int t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; - const int t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; - const int tA = (blk[0 * step] - blk[4 * step] << 15) + rnd; - const int tB = (blk[0 * step] + blk[4 * step] << 15) + rnd; - blk[0 * step] = ( t4 + t9 + tB) >> shift; - blk[1 * step] = ( t6 + t7 + t8 + tA) >> shift; - blk[2 * step] = ( t6 - t7 - t8 + tA) >> shift; - blk[3 * step] = ( t5 - t9 + tB) >> shift; - blk[4 * step] = ( -t5 - t9 + tB) >> shift; - blk[5 * step] = (-(t6 - t7) - t8 + tA) >> shift; - blk[6 * step] = (-(t6 + t7) + t8 + tA) >> shift; - blk[7 * step] = ( -t4 + t9 + tB) >> shift; + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); + const unsigned t6 = t2 - t0; + const unsigned t7 = t3 - t1; + const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; + const unsigned t9 = 17734 * blk[6 * step] + 42814 * blk[2 * step]; + const unsigned tA = (blk[0 * step] - blk[4 * step]) * 32768 + rnd; + const unsigned tB = (blk[0 * step] + blk[4 * step]) * 32768 + rnd; + blk[0 * step] = (int)( t4 + t9 + tB) >> shift; + blk[1 * step] = (int)( t6 + t7 + t8 + tA) >> shift; + blk[2 * step] = (int)( t6 - t7 - t8 + tA) >> shift; + blk[3 * step] = (int)( t5 - t9 + tB) >> shift; + blk[4 * step] = (int)( -t5 - t9 + tB) >> shift; + blk[5 * step] = (int)(-(t6 - t7) - t8 + tA) >> shift; + blk[6 * step] = (int)(-(t6 + t7) + t8 + tA) >> shift; + blk[7 * step] = (int)( -t4 + t9 + tB) >> shift; } static void fic_idct_put(uint8_t *dst, int stride, int16_t *block) diff -Nru ffmpeg-2.8.11/libavcodec/flacdec.c ffmpeg-2.8.14/libavcodec/flacdec.c --- ffmpeg-2.8.11/libavcodec/flacdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/flacdec.c 2018-02-19 00:50:31.000000000 +0000 @@ -201,12 +201,12 @@ buf += 4; do { if (buf_end - buf < 4) - return 0; + return AVERROR_INVALIDDATA; flac_parse_block_header(buf, &metadata_last, NULL, &metadata_size); buf += 4; if (buf_end - buf < metadata_size) { /* need more data in order to read the complete header */ - return 0; + return AVERROR_INVALIDDATA; } buf += metadata_size; } while (!metadata_last); @@ -287,7 +287,7 @@ if (pred_order > 2) c = b - decoded[pred_order-2] + decoded[pred_order-3]; if (pred_order > 3) - d = c - decoded[pred_order-2] + 2*decoded[pred_order-3] - decoded[pred_order-4]; + d = c - decoded[pred_order-2] + 2U*decoded[pred_order-3] - decoded[pred_order-4]; switch (pred_order) { case 0: @@ -445,7 +445,7 @@ return AVERROR_INVALIDDATA; } - if (wasted) { + if (wasted && wasted < 32) { int i; for (i = 0; i < s->blocksize; i++) decoded[i] = (unsigned)decoded[i] << wasted; diff -Nru ffmpeg-2.8.11/libavcodec/flicvideo.c ffmpeg-2.8.14/libavcodec/flicvideo.c --- ffmpeg-2.8.11/libavcodec/flicvideo.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/flicvideo.c 2018-02-19 00:50:24.000000000 +0000 @@ -202,6 +202,9 @@ num_chunks = bytestream2_get_le16(&g2); bytestream2_skip(&g2, 8); /* skip padding */ + if (frame_size < 16) + return AVERROR_INVALIDDATA; + frame_size -= 16; /* iterate through the chunks */ @@ -272,10 +275,14 @@ while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if ((line_packets & 0xC000) == 0xC000) { // line skip opcode line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else if ((line_packets & 0xC000) == 0x4000) { av_log(avctx, AV_LOG_ERROR, "Undefined opcode (%x) in DELTA_FLI\n", line_packets); @@ -324,6 +331,8 @@ case FLI_LC: /* line compressed */ starting_line = bytestream2_get_le16(&g2); + if (starting_line >= s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr = 0; y_ptr += starting_line * s->frame->linesize[0]; @@ -520,6 +529,8 @@ if (frame_size > buf_size) frame_size = buf_size; + if (frame_size < 16) + return AVERROR_INVALIDDATA; frame_size -= 16; /* iterate through the chunks */ @@ -556,9 +567,13 @@ while (compressed_lines > 0) { if (bytestream2_tell(&g2) + 2 > stream_ptr_after_chunk) break; + if (y_ptr > pixel_limit) + return AVERROR_INVALIDDATA; line_packets = bytestream2_get_le16(&g2); if (line_packets < 0) { line_packets = -line_packets; + if (line_packets > s->avctx->height) + return AVERROR_INVALIDDATA; y_ptr += line_packets * s->frame->linesize[0]; } else { compressed_lines--; diff -Nru ffmpeg-2.8.11/libavcodec/g722.c ffmpeg-2.8.14/libavcodec/g722.c --- ffmpeg-2.8.11/libavcodec/g722.c 2016-03-29 03:25:15.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/g722.c 2017-12-31 22:35:46.000000000 +0000 @@ -88,14 +88,14 @@ ACCUM(3, band->diff_mem[2], 1); ACCUM(2, band->diff_mem[1], 1); ACCUM(1, band->diff_mem[0], 1); - ACCUM(0, cur_diff << 1, 1); + ACCUM(0, cur_diff * 2, 1); } else { ACCUM(5, band->diff_mem[4], 0); ACCUM(4, band->diff_mem[3], 0); ACCUM(3, band->diff_mem[2], 0); ACCUM(2, band->diff_mem[1], 0); ACCUM(1, band->diff_mem[0], 0); - ACCUM(0, cur_diff << 1, 0); + ACCUM(0, cur_diff * 2, 0); } #undef ACCUM band->s_zero = s_zero; @@ -119,14 +119,14 @@ band->part_reconst_mem[0] = cur_part_reconst; band->pole_mem[1] = av_clip((sg[0] * av_clip(band->pole_mem[0], -8191, 8191) >> 5) + - (sg[1] << 7) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); + (sg[1] * 128) + (band->pole_mem[1] * 127 >> 7), -12288, 12288); limit = 15360 - band->pole_mem[1]; band->pole_mem[0] = av_clip(-192 * sg[0] + (band->pole_mem[0] * 255 >> 8), -limit, limit); s_zero(cur_diff, band); - cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) << 1); + cur_qtzd_reconst = av_clip_int16((band->s_predictor + cur_diff) * 2); band->s_predictor = av_clip_int16(band->s_zero + (band->pole_mem[0] * cur_qtzd_reconst >> 15) + (band->pole_mem[1] * band->prev_qtzd_reconst >> 15)); diff -Nru ffmpeg-2.8.11/libavcodec/g726.c ffmpeg-2.8.14/libavcodec/g726.c --- ffmpeg-2.8.11/libavcodec/g726.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/g726.c 2018-02-19 00:50:24.000000000 +0000 @@ -269,7 +269,7 @@ c->se += mult(i2f(c->a[i] >> 2, &f), &c->sr[i]); c->se >>= 1; - return av_clip(re_signal << 2, -0xffff, 0xffff); + return av_clip(re_signal * 4, -0xffff, 0xffff); } static av_cold int g726_reset(G726Context *c) diff -Nru ffmpeg-2.8.11/libavcodec/get_bits.h ffmpeg-2.8.14/libavcodec/get_bits.h --- ffmpeg-2.8.11/libavcodec/get_bits.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/get_bits.h 2018-02-19 00:50:31.000000000 +0000 @@ -555,6 +555,7 @@ * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) diff -Nru ffmpeg-2.8.11/libavcodec/h264.h ffmpeg-2.8.14/libavcodec/h264.h --- ffmpeg-2.8.11/libavcodec/h264.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264.h 2018-02-19 00:50:31.000000000 +0000 @@ -600,6 +600,7 @@ uint8_t (*mvd_table[2])[2]; uint8_t *direct_table; + uint8_t scan_padding[16]; uint8_t zigzag_scan[16]; uint8_t zigzag_scan8x8[64]; uint8_t zigzag_scan8x8_cavlc[64]; diff -Nru ffmpeg-2.8.11/libavcodec/h264_cabac.c ffmpeg-2.8.14/libavcodec/h264_cabac.c --- ffmpeg-2.8.11/libavcodec/h264_cabac.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_cabac.c 2018-02-19 00:50:31.000000000 +0000 @@ -1732,7 +1732,7 @@ \ if( coeff_abs >= 15 ) { \ int j = 0; \ - while (get_cabac_bypass(CC) && j < 30) { \ + while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ @@ -1740,7 +1740,7 @@ while( j-- ) { \ coeff_abs += coeff_abs + get_cabac_bypass( CC ); \ } \ - coeff_abs+= 14; \ + coeff_abs+= 14U; \ } \ \ if( is_dc ) { \ @@ -2339,21 +2339,40 @@ if (CHROMA444(h) && IS_8x8DCT(mb_type)){ int i; uint8_t *nnz_cache = sl->non_zero_count_cache; - for (i = 0; i < 2; i++){ - if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { - nnz_cache[3+8* 1 + 2*8*i]= - nnz_cache[3+8* 2 + 2*8*i]= - nnz_cache[3+8* 6 + 2*8*i]= - nnz_cache[3+8* 7 + 2*8*i]= - nnz_cache[3+8*11 + 2*8*i]= - nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + if (h->x264_build < 151U) { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= IS_INTRA(mb_type) ? 64 : 0; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA(mb_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); + } + } else { + for (i = 0; i < 2; i++){ + if (sl->left_type[LEFT(i)] && !IS_8x8DCT(sl->left_type[LEFT(i)])) { + nnz_cache[3+8* 1 + 2*8*i]= + nnz_cache[3+8* 2 + 2*8*i]= + nnz_cache[3+8* 6 + 2*8*i]= + nnz_cache[3+8* 7 + 2*8*i]= + nnz_cache[3+8*11 + 2*8*i]= + nnz_cache[3+8*12 + 2*8*i]= !IS_INTRA_PCM(sl->left_type[LEFT(i)]) ? 0 : 64; + } + } + if (sl->top_type && !IS_8x8DCT(sl->top_type)){ + uint32_t top_empty = !IS_INTRA_PCM(sl->top_type) ? 0 : 0x40404040; + AV_WN32A(&nnz_cache[4+8* 0], top_empty); + AV_WN32A(&nnz_cache[4+8* 5], top_empty); + AV_WN32A(&nnz_cache[4+8*10], top_empty); } - } - if (sl->top_type && !IS_8x8DCT(sl->top_type)){ - uint32_t top_empty = CABAC(h) && !IS_INTRA(mb_type) ? 0 : 0x40404040; - AV_WN32A(&nnz_cache[4+8* 0], top_empty); - AV_WN32A(&nnz_cache[4+8* 5], top_empty); - AV_WN32A(&nnz_cache[4+8*10], top_empty); } } h->cur_pic.mb_type[mb_xy] = mb_type; @@ -2362,14 +2381,6 @@ const uint8_t *scan, *scan8x8; const uint32_t *qmul; - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - // decode_cabac_mb_dqp if(get_cabac_noinline( &sl->cabac, &sl->cabac_state[60 + (sl->last_qscale_diff != 0)])){ int val = 1; @@ -2400,6 +2411,14 @@ }else sl->last_qscale_diff=0; + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8 : h->field_scan8x8_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8 : h->zigzag_scan8x8_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 0); if (CHROMA444(h)) { decode_cabac_luma_residual(h, sl, scan, scan8x8, pixel_shift, mb_type, cbp, 1); diff -Nru ffmpeg-2.8.11/libavcodec/h264_cavlc.c ffmpeg-2.8.14/libavcodec/h264_cavlc.c --- ffmpeg-2.8.11/libavcodec/h264_cavlc.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_cavlc.c 2018-02-19 00:50:31.000000000 +0000 @@ -1104,23 +1104,16 @@ const uint8_t *scan, *scan8x8; const int max_qp = 51 + 6*(h->sps.bit_depth_luma-8); - if(IS_INTERLACED(mb_type)){ - scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; - scan = sl->qscale ? h->field_scan : h->field_scan_q0; - }else{ - scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; - scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; - } - dquant= get_se_golomb(&sl->gb); - sl->qscale += dquant; + sl->qscale += (unsigned)dquant; if (((unsigned)sl->qscale) > max_qp){ if (sl->qscale < 0) sl->qscale += max_qp + 1; else sl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); + sl->qscale = max_qp; return -1; } } @@ -1128,6 +1121,14 @@ sl->chroma_qp[0] = get_chroma_qp(h, 0, sl->qscale); sl->chroma_qp[1] = get_chroma_qp(h, 1, sl->qscale); + if(IS_INTERLACED(mb_type)){ + scan8x8 = sl->qscale ? h->field_scan8x8_cavlc : h->field_scan8x8_cavlc_q0; + scan = sl->qscale ? h->field_scan : h->field_scan_q0; + }else{ + scan8x8 = sl->qscale ? h->zigzag_scan8x8_cavlc : h->zigzag_scan8x8_cavlc_q0; + scan = sl->qscale ? h->zigzag_scan : h->zigzag_scan_q0; + } + if ((ret = decode_luma_residual(h, sl, gb, scan, scan8x8, pixel_shift, mb_type, cbp, 0)) < 0 ) { return -1; } diff -Nru ffmpeg-2.8.11/libavcodec/h264_direct.c ffmpeg-2.8.14/libavcodec/h264_direct.c --- ffmpeg-2.8.11/libavcodec/h264_direct.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_direct.c 2018-02-19 00:50:24.000000000 +0000 @@ -609,7 +609,7 @@ { const int16_t *mv_col = l1mv[x8 * 3 + y8 * b4_stride]; - int my_col = (mv_col[1] << y_shift) / 2; + int my_col = (mv_col[1] * (1 << y_shift)) / 2; int mx = (scale * mv_col[0] + 128) >> 8; int my = (scale * my_col + 128) >> 8; fill_rectangle(&sl->mv_cache[0][scan8[i8 * 4]], 2, 2, 8, diff -Nru ffmpeg-2.8.11/libavcodec/h264_mb.c ffmpeg-2.8.14/libavcodec/h264_mb.c --- ffmpeg-2.8.11/libavcodec/h264_mb.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_mb.c 2018-02-19 00:50:24.000000000 +0000 @@ -638,7 +638,7 @@ uint8_t *const ptr = dest_y + block_offset[i]; const int dir = sl->intra4x4_pred_mode_cache[scan8[i]]; if (transform_bypass && h->sps.profile_idc == 244 && dir <= 1) { - if (h->x264_build != -1) { + if (h->x264_build < 151U) { h->hpc.pred8x8l_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), linesize); } else h->hpc.pred8x8l_filter_add[dir](ptr, sl->mb + (i * 16 + p * 256 << pixel_shift), diff -Nru ffmpeg-2.8.11/libavcodec/h264_mvpred.h ffmpeg-2.8.14/libavcodec/h264_mvpred.h --- ffmpeg-2.8.11/libavcodec/h264_mvpred.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_mvpred.h 2018-02-19 00:50:24.000000000 +0000 @@ -68,7 +68,7 @@ } if (MB_FIELD(sl) && !IS_INTERLACED(sl->left_type[0])) { // left shift will turn LIST_NOT_USED into PART_NOT_AVAILABLE, but that's OK. - SET_DIAG_MV(/ 2, << 1, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); + SET_DIAG_MV(/ 2, *2, sl->left_mb_xy[i >= 36], ((i >> 2)) & 3); } } #undef SET_DIAG_MV @@ -248,7 +248,7 @@ if (IS_INTERLACED(type)) { \ refn >>= 1; \ AV_COPY32(mvbuf[idx], mvn); \ - mvbuf[idx][1] <<= 1; \ + mvbuf[idx][1] *= 2; \ mvn = mvbuf[idx]; \ } \ } \ diff -Nru ffmpeg-2.8.11/libavcodec/h264_slice.c ffmpeg-2.8.14/libavcodec/h264_slice.c --- ffmpeg-2.8.11/libavcodec/h264_slice.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264_slice.c 2018-02-19 00:50:31.000000000 +0000 @@ -1634,6 +1634,12 @@ h->missing_fields ++; h->cur_pic_ptr = NULL; h->first_field = FIELD_PICTURE(h); + } else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { + /* This frame was already output, we cannot draw into it + * anymore. + */ + h->first_field = 1; + h->cur_pic_ptr = NULL; } else { h->missing_fields = 0; if (h->cur_pic_ptr->frame_num != h->frame_num) { @@ -1835,17 +1841,19 @@ sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } diff -Nru ffmpeg-2.8.11/libavcodec/h264addpx_template.c ffmpeg-2.8.14/libavcodec/h264addpx_template.c --- ffmpeg-2.8.11/libavcodec/h264addpx_template.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264addpx_template.c 2018-02-19 00:50:31.000000000 +0000 @@ -35,10 +35,10 @@ stride /= sizeof(pixel); for (i = 0; i < 4; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; dst += stride; src += 4; @@ -55,14 +55,14 @@ stride /= sizeof(pixel); for (i = 0; i < 8; i++) { - dst[0] += src[0]; - dst[1] += src[1]; - dst[2] += src[2]; - dst[3] += src[3]; - dst[4] += src[4]; - dst[5] += src[5]; - dst[6] += src[6]; - dst[7] += src[7]; + dst[0] += (unsigned)src[0]; + dst[1] += (unsigned)src[1]; + dst[2] += (unsigned)src[2]; + dst[3] += (unsigned)src[3]; + dst[4] += (unsigned)src[4]; + dst[5] += (unsigned)src[5]; + dst[6] += (unsigned)src[6]; + dst[7] += (unsigned)src[7]; dst += stride; src += 8; diff -Nru ffmpeg-2.8.11/libavcodec/h264idct_template.c ffmpeg-2.8.14/libavcodec/h264idct_template.c --- ffmpeg-2.8.11/libavcodec/h264idct_template.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/h264idct_template.c 2018-02-19 00:50:31.000000000 +0000 @@ -91,10 +91,10 @@ const int a5 = -block[i+1*8] + block[i+7*8] + block[i+5*8] + (block[i+5*8]>>1); const int a7 = block[i+3*8] + block[i+5*8] + block[i+1*8] + (block[i+1*8]>>1); - const int b1 = (a7>>2) + a1; - const int b3 = a3 + (a5>>2); - const int b5 = (a3>>2) - a5; - const int b7 = a7 - (a1>>2); + const int b1 = (a7>>2) + (unsigned)a1; + const int b3 = (unsigned)a3 + (a5>>2); + const int b5 = (a3>>2) - (unsigned)a5; + const int b7 = (unsigned)a7 - (a1>>2); block[i+0*8] = b0 + b7; block[i+7*8] = b0 - b7; diff -Nru ffmpeg-2.8.11/libavcodec/hevc.c ffmpeg-2.8.14/libavcodec/hevc.c --- ffmpeg-2.8.11/libavcodec/hevc.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc.c 2018-02-19 00:50:24.000000000 +0000 @@ -244,6 +244,8 @@ nb_sps = get_ue_golomb_long(gb); nb_sh = get_ue_golomb_long(gb); + if (nb_sps > sps->num_long_term_ref_pics_sps) + return AVERROR_INVALIDDATA; if (nb_sh + (uint64_t)nb_sps > FF_ARRAY_ELEMS(rps->poc)) return AVERROR_INVALIDDATA; @@ -267,12 +269,16 @@ delta_poc_msb_present = get_bits1(gb); if (delta_poc_msb_present) { - int delta = get_ue_golomb_long(gb); + int64_t delta = get_ue_golomb_long(gb); + int64_t poc; if (i && i != nb_sps) delta += prev_delta_msb; - rps->poc[i] += s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + poc = rps->poc[i] + s->poc - delta * max_poc_lsb - s->sh.pic_order_cnt_lsb; + if (poc != (int32_t)poc) + return AVERROR_INVALIDDATA; + rps->poc[i] = poc; prev_delta_msb = delta; } } diff -Nru ffmpeg-2.8.11/libavcodec/hevc.h ffmpeg-2.8.14/libavcodec/hevc.h --- ffmpeg-2.8.11/libavcodec/hevc.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc.h 2018-02-19 00:50:31.000000000 +0000 @@ -407,6 +407,7 @@ HEVCWindow pic_conf_win; int bit_depth; + int bit_depth_chroma; int pixel_shift; enum AVPixelFormat pix_fmt; diff -Nru ffmpeg-2.8.11/libavcodec/hevc_cabac.c ffmpeg-2.8.14/libavcodec/hevc_cabac.c --- ffmpeg-2.8.11/libavcodec/hevc_cabac.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc_cabac.c 2018-02-19 00:50:31.000000000 +0000 @@ -633,8 +633,10 @@ suffix_val += 1 << k; k++; } - if (k == CABAC_MAX_BIN) + if (k == CABAC_MAX_BIN) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", k); + return AVERROR_INVALIDDATA; + } while (k--) suffix_val += get_cabac_bypass(&s->HEVClc->cc) << k; @@ -975,16 +977,19 @@ while (prefix < CABAC_MAX_BIN && get_cabac_bypass(&s->HEVClc->cc)) prefix++; - if (prefix == CABAC_MAX_BIN) { - av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); - return 0; - } + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + + if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { + av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); + return 0; + } + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(&s->HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) diff -Nru ffmpeg-2.8.11/libavcodec/hevc_filter.c ffmpeg-2.8.14/libavcodec/hevc_filter.c --- ffmpeg-2.8.11/libavcodec/hevc_filter.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc_filter.c 2018-02-19 00:50:24.000000000 +0000 @@ -471,7 +471,7 @@ #define TC_CALC(qp, bs) \ tctable[av_clip((qp) + DEFAULT_INTRA_TC_OFFSET * ((bs) - 1) + \ - (tc_offset >> 1 << 1), \ + (tc_offset & -2), \ 0, MAX_QP + DEFAULT_INTRA_TC_OFFSET)] static void deblocking_filter_CTB(HEVCContext *s, int x0, int y0) diff -Nru ffmpeg-2.8.11/libavcodec/hevc_ps.c ffmpeg-2.8.14/libavcodec/hevc_ps.c --- ffmpeg-2.8.11/libavcodec/hevc_ps.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc_ps.c 2018-02-19 00:50:31.000000000 +0000 @@ -169,6 +169,12 @@ } } + if (k >= FF_ARRAY_ELEMS(rps->used)) { + av_log(avctx, AV_LOG_ERROR, + "Invalid num_delta_pocs: %d\n", k); + return AVERROR_INVALIDDATA; + } + rps->num_delta_pocs = k; rps->num_negative_pics = k0; // sort in increasing order (smallest first) @@ -218,6 +224,12 @@ prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -225,6 +237,12 @@ prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); @@ -720,7 +738,7 @@ ff_hevc_diag_scan8x8_x[i]; scaling_list_delta_coef = get_se_golomb(gb); - next_coef = (next_coef + scaling_list_delta_coef + 256) % 256; + next_coef = (next_coef + 256U + scaling_list_delta_coef) % 256; sl->sl[size_id][matrix_id][pos] = next_coef; } } @@ -884,6 +902,7 @@ sps->bit_depth, bit_depth_chroma); return AVERROR_INVALIDDATA; } + sps->bit_depth_chroma = bit_depth_chroma; ret = map_pixel_format(avctx, sps); if (ret < 0) @@ -977,10 +996,10 @@ sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } @@ -1247,6 +1266,11 @@ pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); + if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth - 10, 0) + || pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) + ) + return AVERROR_INVALIDDATA; + return(0); } @@ -1388,6 +1412,7 @@ HEVCSPS *sps = NULL; int i, ret = 0; unsigned int pps_id = 0; + unsigned log2_parallel_merge_level_minus2; AVBufferRef *pps_buf; HEVCPPS *pps = av_mallocz(sizeof(*pps)); @@ -1547,20 +1572,22 @@ pps->deblocking_filter_override_enabled_flag = get_bits1(gb); pps->disable_dbf = get_bits1(gb); if (!pps->disable_dbf) { - pps->beta_offset = get_se_golomb(gb) * 2; - pps->tc_offset = get_se_golomb(gb) * 2; - if (pps->beta_offset/2 < -6 || pps->beta_offset/2 > 6) { + int beta_offset_div2 = get_se_golomb(gb); + int tc_offset_div2 = get_se_golomb(gb) ; + if (beta_offset_div2 < -6 || beta_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_beta_offset_div2 out of range: %d\n", - pps->beta_offset/2); + beta_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } - if (pps->tc_offset/2 < -6 || pps->tc_offset/2 > 6) { + if (tc_offset_div2 < -6 || tc_offset_div2 > 6) { av_log(avctx, AV_LOG_ERROR, "pps_tc_offset_div2 out of range: %d\n", - pps->tc_offset/2); + tc_offset_div2); ret = AVERROR_INVALIDDATA; goto err; } + pps->beta_offset = 2 * beta_offset_div2; + pps->tc_offset = 2 * tc_offset_div2; } } @@ -1572,13 +1599,14 @@ goto err; } pps->lists_modification_present_flag = get_bits1(gb); - pps->log2_parallel_merge_level = get_ue_golomb_long(gb) + 2; - if (pps->log2_parallel_merge_level > sps->log2_ctb_size) { + log2_parallel_merge_level_minus2 = get_ue_golomb_long(gb); + if (log2_parallel_merge_level_minus2 > sps->log2_ctb_size) { av_log(avctx, AV_LOG_ERROR, "log2_parallel_merge_level_minus2 out of range: %d\n", - pps->log2_parallel_merge_level - 2); + log2_parallel_merge_level_minus2); ret = AVERROR_INVALIDDATA; goto err; } + pps->log2_parallel_merge_level = log2_parallel_merge_level_minus2 + 2; pps->slice_header_extension_present_flag = get_bits1(gb); diff -Nru ffmpeg-2.8.11/libavcodec/hevc_refs.c ffmpeg-2.8.14/libavcodec/hevc_refs.c --- ffmpeg-2.8.11/libavcodec/hevc_refs.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc_refs.c 2018-02-19 00:50:24.000000000 +0000 @@ -438,7 +438,7 @@ { HEVCFrame *ref = find_ref_idx(s, poc); - if (ref == s->ref) + if (ref == s->ref || list->nb_refs >= MAX_REFS) return AVERROR_INVALIDDATA; if (!ref) { diff -Nru ffmpeg-2.8.11/libavcodec/hevc_sei.c ffmpeg-2.8.14/libavcodec/hevc_sei.c --- ffmpeg-2.8.11/libavcodec/hevc_sei.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hevc_sei.c 2018-02-19 00:50:31.000000000 +0000 @@ -121,7 +121,7 @@ return 0; } -static int decode_pic_timing(HEVCContext *s) +static int decode_pic_timing(HEVCContext *s, int size) { GetBitContext *gb = &s->HEVClc->gb; HEVCSPS *sps; @@ -142,8 +142,12 @@ } get_bits(gb, 2); // source_scan_type get_bits(gb, 1); // duplicate_flag + skip_bits1(gb); + size--; } - return 1; + skip_bits_long(gb, 8 * size); + + return 0; } static int active_parameter_sets(HEVCContext *s) @@ -189,9 +193,8 @@ return decode_nal_sei_display_orientation(s); case SEI_TYPE_PICTURE_TIMING: { - int ret = decode_pic_timing(s); + int ret = decode_pic_timing(s, size); av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type); - skip_bits(gb, 8 * size); return ret; } case SEI_TYPE_ACTIVE_PARAMETER_SETS: @@ -229,11 +232,15 @@ av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } diff -Nru ffmpeg-2.8.11/libavcodec/hevcdsp_template.c ffmpeg-2.8.14/libavcodec/hevcdsp_template.c --- ffmpeg-2.8.11/libavcodec/hevcdsp_template.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/hevcdsp_template.c 2018-02-19 00:50:31.000000000 +0000 @@ -125,7 +125,7 @@ } else { for (y = 0; y < size; y++) { for (x = 0; x < size; x++) { - *coeffs = *coeffs << -shift; + *coeffs = *(uint16_t*)coeffs << -shift; coeffs++; } } @@ -599,7 +599,7 @@ ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; @@ -921,7 +921,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -976,7 +976,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1057,7 +1057,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((QPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; @@ -1361,7 +1361,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, 1) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1413,7 +1413,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(src, srcstride) >> (BIT_DEPTH - 8)) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); src += srcstride; dst += dststride; src2 += MAX_PB_SIZE; @@ -1492,7 +1492,7 @@ for (y = 0; y < height; y++) { for (x = 0; x < width; x++) dst[x] = av_clip_pixel(((EPEL_FILTER(tmp, MAX_PB_SIZE) >> 6) * wx1 + src2[x] * wx0 + - ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + ((ox0 + ox1 + 1) * (1 << log2Wd))) >> (log2Wd + 1)); tmp += MAX_PB_SIZE; dst += dststride; src2 += MAX_PB_SIZE; diff -Nru ffmpeg-2.8.11/libavcodec/hevcpred_template.c ffmpeg-2.8.14/libavcodec/hevcpred_template.c --- ffmpeg-2.8.11/libavcodec/hevcpred_template.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/hevcpred_template.c 2017-12-31 22:35:47.000000000 +0000 @@ -35,7 +35,7 @@ #define MVF(x, y) \ (s->ref->tab_mvf[(x) + (y) * min_pu_width]) #define MVF_PU(x, y) \ - MVF(PU(x0 + ((x) << hshift)), PU(y0 + ((y) << vshift))) + MVF(PU(x0 + ((x) * (1 << hshift))), PU(y0 + ((y) * (1 << vshift)))) #define IS_INTRA(x, y) \ (MVF_PU(x, y).pred_flag == PF_INTRA) #define MIN_TB_ADDR_ZS(x, y) \ diff -Nru ffmpeg-2.8.11/libavcodec/hq_hqa.c ffmpeg-2.8.14/libavcodec/hq_hqa.c --- ffmpeg-2.8.11/libavcodec/hq_hqa.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/hq_hqa.c 2018-02-19 00:50:24.000000000 +0000 @@ -67,11 +67,11 @@ memset(block, 0, 64 * sizeof(*block)); if (!is_hqa) { - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; } else { q = ff_hq_quants[qsel][is_chroma][get_bits(gb, 2)]; - block[0] = get_sbits(gb, 9) << 6; + block[0] = get_sbits(gb, 9) * 64; } for (;;) { @@ -82,7 +82,7 @@ pos += ff_hq_ac_skips[val]; if (pos >= 64) break; - block[ff_zigzag_direct[pos]] = (ff_hq_ac_syms[val] * q[pos]) >> 12; + block[ff_zigzag_direct[pos]] = (int)(ff_hq_ac_syms[val] * (unsigned)q[pos]) >> 12; pos++; } diff -Nru ffmpeg-2.8.11/libavcodec/hqxdsp.c ffmpeg-2.8.14/libavcodec/hqxdsp.c --- ffmpeg-2.8.11/libavcodec/hqxdsp.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/hqxdsp.c 2017-12-31 22:35:47.000000000 +0000 @@ -39,18 +39,18 @@ s6 = (int) blk[6 * 8] * quant[6 * 8]; s7 = (int) blk[7 * 8] * quant[7 * 8]; - t0 = (s3 * 19266 + s5 * 12873) >> 15; - t1 = (s5 * 19266 - s3 * 12873) >> 15; - t2 = ((s7 * 4520 + s1 * 22725) >> 15) - t0; - t3 = ((s1 * 4520 - s7 * 22725) >> 15) - t1; + t0 = (int)(s3 * 19266U + s5 * 12873U) >> 15; + t1 = (int)(s5 * 19266U - s3 * 12873U) >> 15; + t2 = ((int)(s7 * 4520U + s1 * 22725U) >> 15) - t0; + t3 = ((int)(s1 * 4520U - s7 * 22725U) >> 15) - t1; t4 = t0 * 2 + t2; t5 = t1 * 2 + t3; t6 = t2 - t3; t7 = t3 * 2 + t6; - t8 = (t6 * 11585) >> 14; - t9 = (t7 * 11585) >> 14; - tA = (s2 * 8867 - s6 * 21407) >> 14; - tB = (s6 * 8867 + s2 * 21407) >> 14; + t8 = (int)(t6 * 11585U) >> 14; + t9 = (int)(t7 * 11585U) >> 14; + tA = (int)(s2 * 8867U - s6 * 21407U) >> 14; + tB = (int)(s6 * 8867U + s2 * 21407U) >> 14; tC = (s0 >> 1) - (s4 >> 1); tD = (s4 >> 1) * 2 + tC; tE = tC - (tA >> 1); diff -Nru ffmpeg-2.8.11/libavcodec/huffyuvdec.c ffmpeg-2.8.14/libavcodec/huffyuvdec.c --- ffmpeg-2.8.11/libavcodec/huffyuvdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/huffyuvdec.c 2018-02-19 00:50:31.000000000 +0000 @@ -913,6 +913,9 @@ AVFrame *const p = data; int table_size = 0, ret; + if (buf_size < (width * height + 7)/8) + return AVERROR_INVALIDDATA; + av_fast_padded_malloc(&s->bitstream_buffer, &s->bitstream_buffer_size, buf_size); diff -Nru ffmpeg-2.8.11/libavcodec/indeo2.c ffmpeg-2.8.14/libavcodec/indeo2.c --- ffmpeg-2.8.11/libavcodec/indeo2.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/indeo2.c 2018-02-19 00:50:24.000000000 +0000 @@ -68,6 +68,8 @@ for (i = 0; i < c * 2; i++) dst[out++] = 0x80; } else { /* copy two values from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; dst[out++] = table[c * 2]; dst[out++] = table[(c * 2) + 1]; } @@ -76,6 +78,8 @@ for (j = 1; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { int c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ @@ -87,7 +91,10 @@ out++; } } else { /* add two deltas from table */ - int t = dst[out - pitch] + (table[c * 2] - 128); + int t; + if (c <= 0) + return AVERROR_INVALIDDATA; + t = dst[out - pitch] + (table[c * 2] - 128); t = av_clip_uint8(t); dst[out] = t; out++; @@ -115,12 +122,16 @@ for (j = 0; j < height; j++) { out = 0; + if (get_bits_left(&ctx->gb) <= 0) + return AVERROR_INVALIDDATA; while (out < width) { c = ir2_get_code(&ctx->gb); if (c >= 0x80) { /* we have a skip */ c -= 0x7F; out += c * 2; } else { /* add two deltas from table */ + if (c <= 0) + return AVERROR_INVALIDDATA; t = dst[out] + (((table[c * 2] - 128)*3) >> 2); t = av_clip_uint8(t); dst[out] = t; diff -Nru ffmpeg-2.8.11/libavcodec/indeo4.c ffmpeg-2.8.14/libavcodec/indeo4.c --- ffmpeg-2.8.11/libavcodec/indeo4.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/indeo4.c 2018-02-19 00:50:24.000000000 +0000 @@ -246,6 +246,8 @@ /* skip picture header extension if any */ while (get_bits1(&ctx->gb)) { ff_dlog(avctx, "Pic hdr extension encountered!\n"); + if (get_bits_left(&ctx->gb) < 10) + return AVERROR_INVALIDDATA; skip_bits(&ctx->gb, 8); } diff -Nru ffmpeg-2.8.11/libavcodec/indeo5.c ffmpeg-2.8.14/libavcodec/indeo5.c --- ffmpeg-2.8.11/libavcodec/indeo5.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/indeo5.c 2018-02-19 00:50:31.000000000 +0000 @@ -324,6 +324,7 @@ ctx->frame_type = get_bits(&ctx->gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); + ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-2.8.11/libavcodec/ituh263dec.c ffmpeg-2.8.14/libavcodec/ituh263dec.c --- ffmpeg-2.8.11/libavcodec/ituh263dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ituh263dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -524,7 +524,7 @@ }else{ level = SHOW_UBITS(re, &s->gb, 5); SKIP_CACHE(re, &s->gb, 5); - level |= SHOW_SBITS(re, &s->gb, 6)<<5; + level |= SHOW_SBITS(re, &s->gb, 6) * (1<<5); SKIP_COUNTER(re, &s->gb, 5 + 6); } } diff -Nru ffmpeg-2.8.11/libavcodec/ivi_dsp.c ffmpeg-2.8.14/libavcodec/ivi_dsp.c --- ffmpeg-2.8.11/libavcodec/ivi_dsp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ivi_dsp.c 2018-02-19 00:50:24.000000000 +0000 @@ -116,10 +116,10 @@ b0_2 = b0_ptr[pitch+indx+1]; tmp1 = tmp0 + b0_1; - p0 = tmp0 << 4; - p1 = tmp1 << 3; - p2 = (tmp0 + tmp2) << 3; - p3 = (tmp1 + tmp2 + b0_2) << 2; + p0 = tmp0 * 16; + p1 = tmp1 * 8; + p2 = (tmp0 + tmp2) * 8; + p3 = (tmp1 + tmp2 + b0_2) * 4; } /* process the HL-band by applying HPF vertically and LPF horizontally */ @@ -132,10 +132,10 @@ tmp2 = tmp1 - tmp0*6 + b1_3; b1_3 = b1_1 - b1_2*6 + b1_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 3; - p1 += (tmp0 + tmp1 + b1_1 + b1_2) << 2; - p2 += tmp2 << 2; - p3 += (tmp2 + b1_3) << 1; + p0 += (tmp0 + tmp1) * 8; + p1 += (tmp0 + tmp1 + b1_1 + b1_2) * 4; + p2 += tmp2 * 4; + p3 += (tmp2 + b1_3) * 2; } /* process the LH-band by applying LPF vertically and HPF horizontally */ @@ -146,10 +146,10 @@ tmp0 = b2_1 + b2_2; tmp1 = b2_1 - b2_2*6 + b2_3; - p0 += tmp0 << 3; - p1 += tmp1 << 2; - p2 += (tmp0 + b2_4 + b2_5) << 2; - p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) << 1; + p0 += tmp0 * 8; + p1 += tmp1 * 4; + p2 += (tmp0 + b2_4 + b2_5) * 4; + p3 += (tmp1 + b2_4 - b2_5*6 + b2_6) * 2; } /* process the HH-band by applying HPF both vertically and horizontally */ @@ -163,9 +163,9 @@ b3_9 = b3_3 - b3_6*6 + b3_ptr[pitch+indx+1]; - p0 += (tmp0 + tmp1) << 2; - p1 += (tmp0 - tmp1*6 + tmp2) << 1; - p2 += (b3_7 + b3_8) << 1; + p0 += (tmp0 + tmp1) * 4; + p1 += (tmp0 - tmp1*6 + tmp2) * 2; + p2 += (b3_7 + b3_8) * 2; p3 += b3_7 - b3_8*6 + b3_9; } @@ -243,7 +243,7 @@ #define INV_HAAR8(s1, s5, s3, s7, s2, s4, s6, s8,\ d1, d2, d3, d4, d5, d6, d7, d8,\ t0, t1, t2, t3, t4, t5, t6, t7, t8) {\ - t1 = (s1) << 1; t5 = (s5) << 1;\ + t1 = (s1) * 2; t5 = (s5) * 2;\ IVI_HAAR_BFLY(t1, t5, t1, t5, t0); IVI_HAAR_BFLY(t1, s3, t1, t3, t0);\ IVI_HAAR_BFLY(t5, s7, t5, t7, t0); IVI_HAAR_BFLY(t1, s2, t1, t2, t0);\ IVI_HAAR_BFLY(t3, s4, t3, t4, t0); IVI_HAAR_BFLY(t5, s6, t5, t6, t0);\ @@ -284,10 +284,10 @@ if (flags[i]) { /* pre-scaling */ shift = !(i & 4); - sp1 = src[ 0] << shift; - sp2 = src[ 8] << shift; - sp3 = src[16] << shift; - sp4 = src[24] << shift; + sp1 = src[ 0] * (1 << shift); + sp2 = src[ 8] * (1 << shift); + sp3 = src[16] * (1 << shift); + sp4 = src[24] * (1 << shift); INV_HAAR8( sp1, sp2, sp3, sp4, src[32], src[40], src[48], src[56], dst[ 0], dst[ 8], dst[16], dst[24], @@ -393,8 +393,8 @@ if (flags[i]) { /* pre-scaling */ shift = !(i & 2); - sp1 = src[0] << shift; - sp2 = src[4] << shift; + sp1 = src[0] * (1 << shift); + sp2 = src[4] * (1 << shift); INV_HAAR4( sp1, sp2, src[8], src[12], dst[0], dst[4], dst[8], dst[12], t0, t1, t2, t3, t4); diff -Nru ffmpeg-2.8.11/libavcodec/j2kenc.c ffmpeg-2.8.14/libavcodec/j2kenc.c --- ffmpeg-2.8.11/libavcodec/j2kenc.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/j2kenc.c 2018-02-19 00:50:31.000000000 +0000 @@ -687,7 +687,8 @@ cblk->npasses = passno; cblk->ninclpasses = passno; - cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); + if (passno) + cblk->passes[passno-1].rate = ff_mqc_flush_to(&t1->mqc, cblk->passes[passno-1].flushed, &cblk->passes[passno-1].flushed_len); } /* tier-2 routines: */ diff -Nru ffmpeg-2.8.11/libavcodec/jpeg2000.c ffmpeg-2.8.14/libavcodec/jpeg2000.c --- ffmpeg-2.8.11/libavcodec/jpeg2000.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/jpeg2000.c 2018-02-19 00:50:31.000000000 +0000 @@ -254,6 +254,9 @@ // update precincts size: 2^n value reslevel->log2_prec_width = codsty->log2_prec_widths[reslevelno]; reslevel->log2_prec_height = codsty->log2_prec_heights[reslevelno]; + if (!reslevel->log2_prec_width || !reslevel->log2_prec_height) { + return AVERROR_INVALIDDATA; + } /* Number of bands for each resolution level */ if (reslevelno == 0) diff -Nru ffmpeg-2.8.11/libavcodec/jpeg2000.h ffmpeg-2.8.14/libavcodec/jpeg2000.h --- ffmpeg-2.8.11/libavcodec/jpeg2000.h 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/jpeg2000.h 2017-12-31 22:35:47.000000000 +0000 @@ -215,12 +215,12 @@ /* misc tools */ static inline int ff_jpeg2000_ceildivpow2(int a, int b) { - return -(((int64_t)(-a)) >> b); + return -((-(int64_t)a) >> b); } static inline int ff_jpeg2000_ceildiv(int a, int b) { - return (a + b - 1) / b; + return (a + (int64_t)b - 1) / b; } /* TIER-1 routines */ diff -Nru ffmpeg-2.8.11/libavcodec/jpeg2000dec.c ffmpeg-2.8.14/libavcodec/jpeg2000dec.c --- ffmpeg-2.8.11/libavcodec/jpeg2000dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/jpeg2000dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -259,6 +259,7 @@ uint32_t log2_chroma_wh = 0; const enum AVPixelFormat *possible_fmts = NULL; int possible_fmts_nb = 0; + int ret; if (bytestream2_get_bytes_left(&s->g) < 36) { av_log(s->avctx, AV_LOG_ERROR, "Insufficient space for SIZ\n"); @@ -297,6 +298,16 @@ return AVERROR_PATCHWELCOME; } + if (s->tile_offset_x < 0 || s->tile_offset_y < 0 || + s->image_offset_x < s->tile_offset_x || + s->image_offset_y < s->tile_offset_y || + s->tile_width + (int64_t)s->tile_offset_x <= s->image_offset_x || + s->tile_height + (int64_t)s->tile_offset_y <= s->image_offset_y + ) { + av_log(s->avctx, AV_LOG_ERROR, "Tile offsets are invalid\n"); + return AVERROR_INVALIDDATA; + } + s->ncomponents = ncomponents; if (s->tile_width <= 0 || s->tile_height <= 0) { @@ -348,10 +359,13 @@ } /* compute image size with reduction factor */ - s->avctx->width = ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, - s->reduction_factor); - s->avctx->height = ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, - s->reduction_factor); + ret = ff_set_dimensions(s->avctx, + ff_jpeg2000_ceildivpow2(s->width - s->image_offset_x, + s->reduction_factor), + ff_jpeg2000_ceildivpow2(s->height - s->image_offset_y, + s->reduction_factor)); + if (ret < 0) + return ret; if (s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_2K || s->avctx->profile == FF_PROFILE_JPEG2000_DCINEMA_4K) { @@ -945,9 +959,9 @@ if (!cblk->npasses) { int v = expn[bandno] + numgbits - 1 - tag_tree_decode(s, prec->zerobits + cblkno, 100); - if (v < 0) { + if (v < 0 || v > 30) { av_log(s->avctx, AV_LOG_ERROR, - "nonzerobits %d invalid\n", v); + "nonzerobits %d invalid or unsupported\n", v); return AVERROR_INVALIDDATA; } cblk->nonzerobits = v; diff -Nru ffmpeg-2.8.11/libavcodec/jpeg2000dsp.c ffmpeg-2.8.14/libavcodec/jpeg2000dsp.c --- ffmpeg-2.8.11/libavcodec/jpeg2000dsp.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/jpeg2000dsp.c 2018-02-19 00:50:31.000000000 +0000 @@ -64,10 +64,10 @@ int i; for (i = 0; i < csize; i++) { - i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16); + i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; diff -Nru ffmpeg-2.8.11/libavcodec/jpeg2000dwt.c ffmpeg-2.8.14/libavcodec/jpeg2000dwt.c --- ffmpeg-2.8.11/libavcodec/jpeg2000dwt.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/jpeg2000dwt.c 2018-02-19 00:50:24.000000000 +0000 @@ -488,7 +488,7 @@ line += 5; for (i = 0; i < w * h; i++) - data[i] <<= I_PRESHIFT; + data[i] *= 1LL << I_PRESHIFT; for (lev = 0; lev < s->ndeclevels; lev++) { int lh = s->linelen[lev][0], diff -Nru ffmpeg-2.8.11/libavcodec/jpeglsdec.c ffmpeg-2.8.14/libavcodec/jpeglsdec.c --- ffmpeg-2.8.11/libavcodec/jpeglsdec.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/jpeglsdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -233,6 +233,9 @@ while (x < w) { int err, pred; + if (get_bits_left(&s->gb) <= 0) + return; + /* compute gradients */ Ra = x ? R(dst, x - stride) : R(last, x); Rb = R(last, x); @@ -385,6 +388,10 @@ av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan); } + if (get_bits_left(&s->gb) < s->height) { + ret = AVERROR_INVALIDDATA; + goto end; + } if (ilv == 0) { /* separate planes */ if (s->cur_scan > s->nb_components) { ret = AVERROR_INVALIDDATA; @@ -434,6 +441,10 @@ avpriv_report_missing_feature(s->avctx, "Sample interleaved images"); ret = AVERROR_PATCHWELCOME; goto end; + } else { /* unknown interleaving */ + avpriv_report_missing_feature(s->avctx, "Unknown interleaved images"); + ret = AVERROR_PATCHWELCOME; + goto end; } if (s->xfrm && s->nb_components == 3) { diff -Nru ffmpeg-2.8.11/libavcodec/kgv1dec.c ffmpeg-2.8.14/libavcodec/kgv1dec.c --- ffmpeg-2.8.11/libavcodec/kgv1dec.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/kgv1dec.c 2018-02-19 00:50:32.000000000 +0000 @@ -62,6 +62,9 @@ h = (buf[1] + 1) * 8; buf += 2; + if (avpkt->size < 2 + w*h / 513) + return AVERROR_INVALIDDATA; + if (w != avctx->width || h != avctx->height) { av_freep(&c->frame_buffer); av_freep(&c->last_frame_buffer); diff -Nru ffmpeg-2.8.11/libavcodec/lagarith.c ffmpeg-2.8.14/libavcodec/lagarith.c --- ffmpeg-2.8.11/libavcodec/lagarith.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/lagarith.c 2018-02-19 00:50:24.000000000 +0000 @@ -98,7 +98,7 @@ static uint8_t lag_calc_zero_run(int8_t x) { - return (x << 1) ^ (x >> 7); + return (x * 2) ^ (x >> 7); } static int lag_decode_prob(GetBitContext *gb, uint32_t *value) @@ -191,7 +191,9 @@ } scale_factor++; - cumulative_target = 1 << scale_factor; + if (scale_factor >= 32U) + return AVERROR_INVALIDDATA; + cumulative_target = 1U << scale_factor; if (scaled_cumul_prob > cumulative_target) { av_log(rac->avctx, AV_LOG_ERROR, diff -Nru ffmpeg-2.8.11/libavcodec/libfdk-aacdec.c ffmpeg-2.8.14/libavcodec/libfdk-aacdec.c --- ffmpeg-2.8.11/libavcodec/libfdk-aacdec.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/libfdk-aacdec.c 2017-12-31 22:35:47.000000000 +0000 @@ -325,7 +325,7 @@ return AVERROR_INVALIDDATA; } - err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size, 0); + err = aacDecoder_DecodeFrame(s->handle, (INT_PCM *) s->decoder_buffer, s->decoder_buffer_size / sizeof(INT_PCM), 0); if (err == AAC_DEC_NOT_ENOUGH_BITS) { ret = avpkt->size - valid; goto end; diff -Nru ffmpeg-2.8.11/libavcodec/libx264.c ffmpeg-2.8.14/libavcodec/libx264.c --- ffmpeg-2.8.11/libavcodec/libx264.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/libx264.c 2018-02-19 00:50:32.000000000 +0000 @@ -259,7 +259,11 @@ x264_picture_init( &x4->pic ); x4->pic.img.i_csp = x4->params.i_csp; +#if X264_BUILD >= 153 + if (x4->params.i_bitdepth > 8) +#else if (x264_bit_depth > 8) +#endif x4->pic.img.i_csp |= X264_CSP_HIGH_DEPTH; x4->pic.img.i_plane = avfmt2_num_planes(ctx->pix_fmt); @@ -436,6 +440,9 @@ x4->params.p_log_private = avctx; x4->params.i_log_level = X264_LOG_DEBUG; x4->params.i_csp = convert_pix_fmt(avctx->pix_fmt); +#if X264_BUILD >= 153 + x4->params.i_bitdepth = av_pix_fmt_desc_get(avctx->pix_fmt)->comp[0].depth_minus1 + 1; +#endif OPT_STR("weightp", x4->wpredp); @@ -792,6 +799,24 @@ AV_PIX_FMT_NV20, AV_PIX_FMT_NONE }; +static const enum AVPixelFormat pix_fmts_all[] = { + AV_PIX_FMT_YUV420P, + AV_PIX_FMT_YUVJ420P, + AV_PIX_FMT_YUV422P, + AV_PIX_FMT_YUVJ422P, + AV_PIX_FMT_YUV444P, + AV_PIX_FMT_YUVJ444P, + AV_PIX_FMT_NV12, + AV_PIX_FMT_NV16, +#ifdef X264_CSP_NV21 + AV_PIX_FMT_NV21, +#endif + AV_PIX_FMT_YUV420P10, + AV_PIX_FMT_YUV422P10, + AV_PIX_FMT_YUV444P10, + AV_PIX_FMT_NV20, + AV_PIX_FMT_NONE +}; static const enum AVPixelFormat pix_fmts_8bit_rgb[] = { #ifdef X264_CSP_BGR AV_PIX_FMT_BGR0, @@ -803,12 +828,16 @@ static av_cold void X264_init_static(AVCodec *codec) { +#if X264_BUILD < 153 if (x264_bit_depth == 8) codec->pix_fmts = pix_fmts_8bit; else if (x264_bit_depth == 9) codec->pix_fmts = pix_fmts_9bit; else if (x264_bit_depth == 10) codec->pix_fmts = pix_fmts_10bit; +#else + codec->pix_fmts = pix_fmts_all; +#endif } #define OFFSET(x) offsetof(X264Context, x) diff -Nru ffmpeg-2.8.11/libavcodec/mdct_fixed.c ffmpeg-2.8.14/libavcodec/mdct_fixed.c --- ffmpeg-2.8.11/libavcodec/mdct_fixed.c 2016-03-29 03:25:17.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/mdct_fixed.c 2018-02-19 00:50:32.000000000 +0000 @@ -39,13 +39,13 @@ /* pre rotation */ for(i=0;i> 6) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y) + 32) >> 6) #else /* FFT_FIXED_32 */ -# define RSCALE(x) ((x) >> 1) +# define RSCALE(x, y) ((int)((x) + (unsigned)(y)) >> 1) #endif /* FFT_FIXED_32 */ #endif @@ -180,13 +180,13 @@ /* pre rotation */ for(i=0;i= 0xffff) return AVERROR_INVALIDDATA; a->last_dc[component] += diff; - block[0] = a->last_dc[component] << 3; + block[0] = a->last_dc[component] * (1 << 3); } i = 0; @@ -112,11 +112,11 @@ j = scantable[i]; if (level < 0) { level = -level; - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; level = -level; } else { - level = (level * qscale * quant_matrix[j]) >> 3; + level = (level * (unsigned)qscale * quant_matrix[j]) >> 3; level = (level - 1) | 1; } } diff -Nru ffmpeg-2.8.11/libavcodec/me_cmp.c ffmpeg-2.8.14/libavcodec/me_cmp.c --- ffmpeg-2.8.11/libavcodec/me_cmp.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/me_cmp.c 2018-02-19 00:50:24.000000000 +0000 @@ -555,7 +555,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -595,7 +595,7 @@ int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -622,7 +622,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -641,7 +641,7 @@ av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -744,7 +744,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff -Nru ffmpeg-2.8.11/libavcodec/mimic.c ffmpeg-2.8.14/libavcodec/mimic.c --- ffmpeg-2.8.11/libavcodec/mimic.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mimic.c 2018-02-19 00:50:24.000000000 +0000 @@ -263,7 +263,7 @@ coeff = vlcdec_lookup[num_bits][value]; if (pos < 3) - coeff <<= 4; + coeff *= 16; else /* TODO Use >> 10 instead of / 1001 */ coeff = (coeff * qscale) / 1001; @@ -390,9 +390,11 @@ return AVERROR_INVALIDDATA; } + res = ff_set_dimensions(avctx, width, height); + if (res < 0) + return res; + ctx->avctx = avctx; - avctx->width = width; - avctx->height = height; avctx->pix_fmt = AV_PIX_FMT_YUV420P; for (i = 0; i < 3; i++) { ctx->num_vblocks[i] = FF_CEIL_RSHIFT(height, 3 + !!i); diff -Nru ffmpeg-2.8.11/libavcodec/mjpegdec.c ffmpeg-2.8.14/libavcodec/mjpegdec.c --- ffmpeg-2.8.11/libavcodec/mjpegdec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mjpegdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -686,8 +686,8 @@ av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } - val = val * quant_matrix[0] + s->last_dc[component]; - val = FFMIN(val, 32767); + val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; + val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; /* AC coefs */ @@ -728,7 +728,7 @@ int component, int dc_index, int16_t *quant_matrix, int Al) { - int val; + unsigned val; s->bdsp.clear_block(block); val = mjpeg_decode_dc(s, dc_index); if (val == 0xfffff) { @@ -747,7 +747,8 @@ int16_t *quant_matrix, int ss, int se, int Al, int *EOBRUN) { - int code, i, j, level, val, run; + int code, i, j, val, run; + unsigned level; if (*EOBRUN) { (*EOBRUN)--; @@ -1131,7 +1132,7 @@ if (s->interlaced && s->bottom_field) ptr += linesize >> 1; pred &= mask; - *ptr= pred + (dc << point_transform); + *ptr= pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap if(y==0 && toprow){ @@ -1151,7 +1152,7 @@ if (s->interlaced && s->bottom_field) ptr16 += linesize >> 1; pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { x = 0; @@ -1190,13 +1191,13 @@ PREDICT(pred, ptr[-linesize-1], ptr[-linesize], ptr[-1], predictor); pred &= mask; - *ptr = pred + (dc << point_transform); + *ptr = pred + ((unsigned)dc << point_transform); }else{ ptr16 = (uint16_t*)(s->picture_ptr->data[c] + 2*(linesize * (v * mb_y + y)) + 2*(h * mb_x + x)); //FIXME optimize this crap PREDICT(pred, ptr16[-linesize-1], ptr16[-linesize], ptr16[-1], predictor); pred &= mask; - *ptr16= pred + (dc << point_transform); + *ptr16= pred + ((unsigned)dc << point_transform); } if (++x == h) { @@ -1468,6 +1469,15 @@ return -1; } + if (reference) { + if (reference->width != s->picture_ptr->width || + reference->height != s->picture_ptr->height || + reference->format != s->picture_ptr->format) { + av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n"); + return AVERROR_INVALIDDATA; + } + } + av_assert0(s->picture_ptr->data[0]); /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); diff -Nru ffmpeg-2.8.11/libavcodec/mlpdec.c ffmpeg-2.8.14/libavcodec/mlpdec.c --- ffmpeg-2.8.11/libavcodec/mlpdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mlpdec.c 2018-02-19 00:50:24.000000000 +0000 @@ -264,7 +264,7 @@ result = (result << lsb_bits) + get_bits(gbp, lsb_bits); result += cp->sign_huff_offset; - result <<= quant_step_size; + result *= 1 << quant_step_size; m->sample_buffer[pos + s->blockpos][channel] = result; } @@ -697,7 +697,7 @@ } for (i = 0; i < order; i++) - fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift; + fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift); if (get_bits1(gbp)) { int state_bits, state_shift; @@ -714,7 +714,7 @@ /* TODO: Check validity of state data. */ for (i = 0; i < order; i++) - fp->state[i] = state_bits ? get_sbits(gbp, state_bits) << state_shift : 0; + fp->state[i] = state_bits ? get_sbits(gbp, state_bits) * (1 << state_shift) : 0; } } @@ -742,7 +742,7 @@ av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -755,12 +755,12 @@ av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -772,7 +772,7 @@ if (get_bits1(gbp)) coeff_val = get_sbits(gbp, frac_bits + 2); - s->matrix_coeff[mat][ch] = coeff_val << (14 - frac_bits); + s->matrix_coeff[mat][ch] = coeff_val * (1 << (14 - frac_bits)); } if (s->noise_type) @@ -782,6 +782,11 @@ } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ @@ -1012,8 +1017,8 @@ for (i = 0; i < s->blockpos; i++) { uint16_t seed_shr7 = seed >> 7; - m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift; - m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) << s->noise_shift; + m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift); + m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7) * (1 << s->noise_shift); seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5); } @@ -1175,6 +1180,11 @@ substr_header_size += 2; } + if (length < header_size + substr_header_size) { + av_log(m->avctx, AV_LOG_ERROR, "Insuffient data for headers\n"); + goto error; + } + if (!(nonrestart_substr ^ m->is_major_sync_unit)) { av_log(m->avctx, AV_LOG_ERROR, "Invalid nonrestart_substr.\n"); goto error; diff -Nru ffmpeg-2.8.11/libavcodec/mlpdsp.c ffmpeg-2.8.14/libavcodec/mlpdsp.c --- ffmpeg-2.8.11/libavcodec/mlpdsp.c 2016-03-29 03:25:18.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/mlpdsp.c 2018-02-19 00:50:32.000000000 +0000 @@ -113,11 +113,11 @@ for (i = 0; i < blockpos; i++) { for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) { int mat_ch = ch_assign[out_ch]; - int32_t sample = sample_buffer[i][mat_ch] - << output_shift[mat_ch]; + int32_t sample = sample_buffer[i][mat_ch] * + (1U << output_shift[mat_ch]); lossless_check_data ^= (sample & 0xffffff) << mat_ch; if (is32) - *data_32++ = sample << 8; + *data_32++ = sample * 256U; else *data_16++ = sample >> 8; } diff -Nru ffmpeg-2.8.11/libavcodec/mpeg12dec.c ffmpeg-2.8.14/libavcodec/mpeg12dec.c --- ffmpeg-2.8.11/libavcodec/mpeg12dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mpeg12dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -569,7 +569,7 @@ dc = s->last_dc[component]; dc += diff; s->last_dc[component] = dc; - block[0] = dc << (3 - s->intra_dc_precision); + block[0] = dc * (1 << (3 - s->intra_dc_precision)); ff_tlog(s->avctx, "dc=%d\n", block[0]); mismatch = block[0] ^ 1; i = 0; @@ -920,8 +920,8 @@ s->last_mv[i][0][1]); /* full_pel: only for MPEG-1 */ if (s->full_pel[i]) { - s->mv[i][0][0] <<= 1; - s->mv[i][0][1] <<= 1; + s->mv[i][0][0] *= 2; + s->mv[i][0][1] *= 2; } } } @@ -1003,8 +1003,8 @@ dmy = get_dmv(s); - s->last_mv[i][0][1] = my << my_shift; - s->last_mv[i][1][1] = my << my_shift; + s->last_mv[i][0][1] = my * (1 << my_shift); + s->last_mv[i][1][1] = my * (1 << my_shift); s->mv[i][0][0] = mx; s->mv[i][0][1] = my; @@ -1049,7 +1049,7 @@ cbp = get_vlc2(&s->gb, ff_mb_pat_vlc.table, MB_PAT_VLC_BITS, 1); if (mb_block_count > 6) { - cbp <<= mb_block_count - 6; + cbp *= 1 << mb_block_count - 6; cbp |= get_bits(&s->gb, mb_block_count - 6); s->bdsp.clear_blocks(s->block[6]); } @@ -1294,7 +1294,8 @@ if (avctx->codec_id == AV_CODEC_ID_MPEG1VIDEO) { // MPEG-1 aspect - avctx->sample_aspect_ratio = av_d2q(1.0 / ff_mpeg1_aspect[s->aspect_ratio_info], 255); + AVRational aspect_inv = av_d2q(ff_mpeg1_aspect[s->aspect_ratio_info], 255); + avctx->sample_aspect_ratio = (AVRational) { aspect_inv.den, aspect_inv.num }; } else { // MPEG-2 // MPEG-2 aspect if (s->aspect_ratio_info > 1) { diff -Nru ffmpeg-2.8.11/libavcodec/mpeg4videodec.c ffmpeg-2.8.14/libavcodec/mpeg4videodec.c --- ffmpeg-2.8.11/libavcodec/mpeg4videodec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mpeg4videodec.c 2018-02-19 00:50:32.000000000 +0000 @@ -170,13 +170,15 @@ int a = 2 << s->sprite_warping_accuracy; int rho = 3 - s->sprite_warping_accuracy; int r = 16 / a; - int alpha = 0; + int alpha = 1; int beta = 0; int w = s->width; int h = s->height; int min_ab, i, w2, h2, w3, h3; int sprite_ref[4][2]; int virtual_ref[2][2]; + int64_t sprite_offset[2][2]; + int64_t sprite_delta[2][2]; // only true for rectangle shapes const int vop_ref[4][2] = { { 0, 0 }, { s->width, 0 }, @@ -241,71 +243,71 @@ * from w&h based to w2&h2 based which are of the 2^x form. */ virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w); + (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w); virtual_ref[0][1] = 16 * vop_ref[0][1] + ROUNDED_DIV(((w - w2) * - (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w); + (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w); virtual_ref[1][0] = 16 * vop_ref[0][0] + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) + - h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) + + h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h); virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) + - ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) + - h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h); + ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) + + h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h); switch (ctx->num_sprite_warping_points) { case 0: - s->sprite_offset[0][0] = - s->sprite_offset[0][1] = - s->sprite_offset[1][0] = - s->sprite_offset[1][1] = 0; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_offset[0][0] = + sprite_offset[0][1] = + sprite_offset[1][0] = + sprite_offset[1][1] = 0; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; case 1: // GMC only - s->sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; - s->sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; - s->sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - + sprite_offset[0][0] = sprite_ref[0][0] - a * vop_ref[0][0]; + sprite_offset[0][1] = sprite_ref[0][1] - a * vop_ref[0][1]; + sprite_offset[1][0] = ((sprite_ref[0][0] >> 1) | (sprite_ref[0][0] & 1)) - a * (vop_ref[0][0] / 2); - s->sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - + sprite_offset[1][1] = ((sprite_ref[0][1] >> 1) | (sprite_ref[0][1] & 1)) - a * (vop_ref[0][1] / 2); - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + sprite_delta[0][0] = a; + sprite_delta[0][1] = + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = ctx->sprite_shift[1] = 0; break; case 2: - s->sprite_offset[0][0] = (sprite_ref[0][0] << (alpha + rho)) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][0]) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] << (alpha + rho)) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-vop_ref[0][1]) + (1 << (alpha + rho - 1)); - s->sprite_offset[1][0] = ((-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][0] + 1) + - (r * sprite_ref[0][1] - virtual_ref[0][1]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_offset[1][1] = ((-r * sprite_ref[0][1] + virtual_ref[0][1]) * - (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - (-2 * vop_ref[0][1] + 1) + 2 * w2 * r * - sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); - s->sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); - s->sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_offset[0][0] = ((int64_t) sprite_ref[0][0] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[0][1] = ((int64_t) sprite_ref[0][1] * (1 << alpha + rho)) + + ((int64_t) -r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t) -vop_ref[0][0]) + + ((int64_t) -r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t) -vop_ref[0][1]) + (1 << (alpha + rho - 1)); + sprite_offset[1][0] = (((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t) r * sprite_ref[0][1] - virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][0] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_offset[1][1] = (((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * + ((int64_t)-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * + ((int64_t)-2 * vop_ref[0][1] + 1) + 2 * w2 * r * + (int64_t) sprite_ref[0][1] - 16 * w2 + (1 << (alpha + rho + 1))); + sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); + sprite_delta[0][1] = (+r * sprite_ref[0][1] - virtual_ref[0][1]); + sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]); + sprite_delta[1][1] = (-r * sprite_ref[0][0] + virtual_ref[0][0]); ctx->sprite_shift[0] = alpha + rho; ctx->sprite_shift[1] = alpha + rho + 2; @@ -314,69 +316,105 @@ min_ab = FFMIN(alpha, beta); w3 = w2 >> min_ab; h3 = h2 >> min_ab; - s->sprite_offset[0][0] = (sprite_ref[0][0] * (1<<(alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[0][1] = (sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + - (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-vop_ref[0][0]) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-vop_ref[0][1]) + - (1 << (alpha + beta + rho - min_ab - 1)); - s->sprite_offset[1][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][0] + virtual_ref[1][0]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][0] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_offset[1][1] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * - h3 * (-2 * vop_ref[0][0] + 1) + - (-r * sprite_ref[0][1] + virtual_ref[1][1]) * - w3 * (-2 * vop_ref[0][1] + 1) + 2 * w2 * h3 * - r * sprite_ref[0][1] - 16 * w2 * h3 + - (1 << (alpha + beta + rho - min_ab + 1)); - s->sprite_delta[0][0] = (-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3; - s->sprite_delta[0][1] = (-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3; - s->sprite_delta[1][0] = (-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3; - s->sprite_delta[1][1] = (-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3; + sprite_offset[0][0] = ((int64_t)sprite_ref[0][0] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[0][1] = ((int64_t)sprite_ref[0][1] * (1 << (alpha + beta + rho - min_ab))) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-vop_ref[0][0]) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-vop_ref[0][1]) + + ((int64_t)1 << (alpha + beta + rho - min_ab - 1)); + sprite_offset[1][0] = ((int64_t)-r * sprite_ref[0][0] + virtual_ref[0][0]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][0] + virtual_ref[1][0]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][0] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_offset[1][1] = ((int64_t)-r * sprite_ref[0][1] + virtual_ref[0][1]) * h3 * (-2 * vop_ref[0][0] + 1) + + ((int64_t)-r * sprite_ref[0][1] + virtual_ref[1][1]) * w3 * (-2 * vop_ref[0][1] + 1) + + (int64_t)2 * w2 * h3 * r * sprite_ref[0][1] - 16 * w2 * h3 + + ((int64_t)1 << (alpha + beta + rho - min_ab + 1)); + sprite_delta[0][0] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[0][0]) * h3; + sprite_delta[0][1] = (-r * (int64_t)sprite_ref[0][0] + virtual_ref[1][0]) * w3; + sprite_delta[1][0] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[0][1]) * h3; + sprite_delta[1][1] = (-r * (int64_t)sprite_ref[0][1] + virtual_ref[1][1]) * w3; ctx->sprite_shift[0] = alpha + beta + rho - min_ab; ctx->sprite_shift[1] = alpha + beta + rho - min_ab + 2; break; } /* try to simplify the situation */ - if (s->sprite_delta[0][0] == a << ctx->sprite_shift[0] && - s->sprite_delta[0][1] == 0 && - s->sprite_delta[1][0] == 0 && - s->sprite_delta[1][1] == a << ctx->sprite_shift[0]) { - s->sprite_offset[0][0] >>= ctx->sprite_shift[0]; - s->sprite_offset[0][1] >>= ctx->sprite_shift[0]; - s->sprite_offset[1][0] >>= ctx->sprite_shift[1]; - s->sprite_offset[1][1] >>= ctx->sprite_shift[1]; - s->sprite_delta[0][0] = a; - s->sprite_delta[0][1] = 0; - s->sprite_delta[1][0] = 0; - s->sprite_delta[1][1] = a; + if (sprite_delta[0][0] == a << ctx->sprite_shift[0] && + sprite_delta[0][1] == 0 && + sprite_delta[1][0] == 0 && + sprite_delta[1][1] == a << ctx->sprite_shift[0]) { + sprite_offset[0][0] >>= ctx->sprite_shift[0]; + sprite_offset[0][1] >>= ctx->sprite_shift[0]; + sprite_offset[1][0] >>= ctx->sprite_shift[1]; + sprite_offset[1][1] >>= ctx->sprite_shift[1]; + sprite_delta[0][0] = a; + sprite_delta[0][1] = 0; + sprite_delta[1][0] = 0; + sprite_delta[1][1] = a; ctx->sprite_shift[0] = 0; ctx->sprite_shift[1] = 0; s->real_sprite_warping_points = 1; } else { int shift_y = 16 - ctx->sprite_shift[0]; int shift_c = 16 - ctx->sprite_shift[1]; + + for (i = 0; i < 2; i++) { + if (shift_c < 0 || shift_y < 0 || + FFABS( sprite_offset[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_offset[1][i]) >= INT_MAX >> shift_c || + FFABS( sprite_delta[0][i]) >= INT_MAX >> shift_y || + FFABS( sprite_delta[1][i]) >= INT_MAX >> shift_y + ) { + avpriv_request_sample(s->avctx, "Too large sprite shift, delta or offset"); + goto overflow; + } + } + for (i = 0; i < 2; i++) { - s->sprite_offset[0][i] *= 1 << shift_y; - s->sprite_offset[1][i] *= 1 << shift_c; - s->sprite_delta[0][i] *= 1 << shift_y; - s->sprite_delta[1][i] *= 1 << shift_y; + sprite_offset[0][i] *= 1 << shift_y; + sprite_offset[1][i] *= 1 << shift_c; + sprite_delta[0][i] *= 1 << shift_y; + sprite_delta[1][i] *= 1 << shift_y; ctx->sprite_shift[i] = 16; + + } + for (i = 0; i < 2; i++) { + int64_t sd[2] = { + sprite_delta[i][0] - a * (1LL<<16), + sprite_delta[i][1] - a * (1LL<<16) + }; + + if (llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || + llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || + llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || + llabs(sd[0]) >= INT_MAX || + llabs(sd[1]) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[1] * (h+16LL)) >= INT_MAX || + llabs(sprite_offset[0][i] + sd[0] * (w+16LL) + sd[1] * (h+16LL)) >= INT_MAX + ) { + avpriv_request_sample(s->avctx, "Overflow on sprite points"); + goto overflow; + } } s->real_sprite_warping_points = ctx->num_sprite_warping_points; } + for (i = 0; i < 4; i++) { + s->sprite_offset[i&1][i>>1] = sprite_offset[i&1][i>>1]; + s->sprite_delta [i&1][i>>1] = sprite_delta [i&1][i>>1]; + } + return 0; +overflow: + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + return AVERROR_PATCHWELCOME; } static int decode_new_pred(Mpeg4DecContext *ctx, GetBitContext *gb) { @@ -420,7 +458,7 @@ } mb_num = get_bits(&s->gb, mb_num_bits); - if (mb_num >= s->mb_num) { + if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; @@ -502,7 +540,7 @@ if (ctx->divx_version == 500 && ctx->divx_build == 413) sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample)); else - sum = RSHIFT(s->sprite_offset[0][n] << s->quarter_sample, a); + sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a); } else { dx = s->sprite_delta[n][0]; dy = s->sprite_delta[n][1]; @@ -1211,10 +1249,12 @@ */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1296,12 +1336,13 @@ static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { - Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; + Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; + av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || @@ -2100,8 +2141,15 @@ e = sscanf(buf, "FFmpeg v%d.%d.%d / libavcodec build: %d", &ver, &ver2, &ver3, &build); if (e != 4) { e = sscanf(buf, "Lavc%d.%d.%d", &ver, &ver2, &ver3) + 1; - if (e > 1) - build = (ver << 16) + (ver2 << 8) + ver3; + if (e > 1) { + if (ver > 0xFFU || ver2 > 0xFFU || ver3 > 0xFFU) { + av_log(s->avctx, AV_LOG_WARNING, + "Unknown Lavc version string encountered, %d.%d.%d; " + "clamping sub-version values to 8-bits.\n", + ver, ver2, ver3); + } + build = ((ver & 0xFF) << 16) + ((ver2 & 0xFF) << 8) + (ver3 & 0xFF); + } } if (e != 4) { if (strcmp(buf, "ffmpeg") == 0) @@ -2235,6 +2283,7 @@ int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { @@ -2287,7 +2336,7 @@ if (s->pict_type != AV_PICTURE_TYPE_B) { s->last_time_base = s->time_base; s->time_base += time_incr; - s->time = s->time_base * s->avctx->framerate.num + time_increment; + s->time = s->time_base * (int64_t)s->avctx->framerate.num + time_increment; if (s->workaround_bugs & FF_BUG_UMP4) { if (s->time < s->last_non_b_time) { /* header is not mpeg-4-compatible, broken encoder, @@ -2299,7 +2348,7 @@ s->pp_time = s->time - s->last_non_b_time; s->last_non_b_time = s->time; } else { - s->time = (s->last_time_base + time_incr) * s->avctx->framerate.num + time_increment; + s->time = (s->last_time_base + time_incr) * (int64_t)s->avctx->framerate.num + time_increment; s->pb_time = s->pp_time - (s->last_non_b_time - s->time); if (s->pp_time <= s->pb_time || s->pp_time <= s->pp_time - s->pb_time || @@ -2402,16 +2451,20 @@ ff_init_scantable(s->idsp.idct_permutation, &s->intra_v_scantable, ff_alternate_vertical_scan); } - if (s->pict_type == AV_PICTURE_TYPE_S && - (ctx->vol_sprite_usage == STATIC_SPRITE || - ctx->vol_sprite_usage == GMC_SPRITE)) { - if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) - return AVERROR_INVALIDDATA; - if (ctx->sprite_brightness_change) - av_log(s->avctx, AV_LOG_ERROR, - "sprite_brightness_change not supported\n"); - if (ctx->vol_sprite_usage == STATIC_SPRITE) - av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + if (s->pict_type == AV_PICTURE_TYPE_S) { + if((ctx->vol_sprite_usage == STATIC_SPRITE || + ctx->vol_sprite_usage == GMC_SPRITE)) { + if (mpeg4_decode_sprite_trajectory(ctx, gb) < 0) + return AVERROR_INVALIDDATA; + if (ctx->sprite_brightness_change) + av_log(s->avctx, AV_LOG_ERROR, + "sprite_brightness_change not supported\n"); + if (ctx->vol_sprite_usage == STATIC_SPRITE) + av_log(s->avctx, AV_LOG_ERROR, "static sprite not supported\n"); + } else { + memset(s->sprite_offset, 0, sizeof(s->sprite_offset)); + memset(s->sprite_delta, 0, sizeof(s->sprite_delta)); + } } if (ctx->shape != BIN_ONLY_SHAPE) { @@ -2509,6 +2562,7 @@ MpegEncContext *s = &ctx->m; unsigned startcode, v; int ret; + int vol = 0; /* search next start code */ align_get_bits(gb); @@ -2597,6 +2651,11 @@ } if (startcode >= 0x120 && startcode <= 0x12F) { + if (vol) { + av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); + continue; + } + vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) return ret; } else if (startcode == USER_DATA_STARTCODE) { diff -Nru ffmpeg-2.8.11/libavcodec/mpeg_er.c ffmpeg-2.8.14/libavcodec/mpeg_er.c --- ffmpeg-2.8.11/libavcodec/mpeg_er.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/mpeg_er.c 2018-02-19 00:50:32.000000000 +0000 @@ -71,6 +71,7 @@ s->mb_skipped = mb_skipped; s->mb_x = mb_x; s->mb_y = mb_y; + s->mcsel = 0; memcpy(s->mv, mv, sizeof(*mv)); ff_init_block_index(s); diff -Nru ffmpeg-2.8.11/libavcodec/mpegaudiodec_template.c ffmpeg-2.8.14/libavcodec/mpegaudiodec_template.c --- ffmpeg-2.8.11/libavcodec/mpegaudiodec_template.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mpegaudiodec_template.c 2018-02-19 00:50:24.000000000 +0000 @@ -252,7 +252,7 @@ #endif if (e > 31) return 0; - m = (m + (1 << (e - 1))) >> e; + m = (m + ((1U << e)>>1)) >> e; return m; } @@ -1670,7 +1670,7 @@ header = AV_RB32(buf); if (header>>8 == AV_RB32("TAG")>>8) { av_log(avctx, AV_LOG_DEBUG, "discarding ID3 tag\n"); - return buf_size; + return buf_size + skipped; } if (ff_mpa_check_header(header) < 0) { av_log(avctx, AV_LOG_ERROR, "Header missing\n"); diff -Nru ffmpeg-2.8.11/libavcodec/mpegvideo_motion.c ffmpeg-2.8.14/libavcodec/mpegvideo_motion.c --- ffmpeg-2.8.11/libavcodec/mpegvideo_motion.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/mpegvideo_motion.c 2018-02-19 00:50:24.000000000 +0000 @@ -48,8 +48,8 @@ motion_y = s->sprite_offset[0][1]; src_x = s->mb_x * 16 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 16 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -16, s->width); if (src_x == s->width) motion_x = 0; @@ -95,8 +95,8 @@ motion_y = s->sprite_offset[1][1]; src_x = s->mb_x * 8 + (motion_x >> (s->sprite_warping_accuracy + 1)); src_y = s->mb_y * 8 + (motion_y >> (s->sprite_warping_accuracy + 1)); - motion_x <<= (3 - s->sprite_warping_accuracy); - motion_y <<= (3 - s->sprite_warping_accuracy); + motion_x *= 1 << (3 - s->sprite_warping_accuracy); + motion_y *= 1 << (3 - s->sprite_warping_accuracy); src_x = av_clip(src_x, -8, s->width >> 1); if (src_x == s->width >> 1) motion_x = 0; diff -Nru ffmpeg-2.8.11/libavcodec/msmpeg4dec.c ffmpeg-2.8.14/libavcodec/msmpeg4dec.c --- ffmpeg-2.8.11/libavcodec/msmpeg4dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/msmpeg4dec.c 2018-02-19 00:50:24.000000000 +0000 @@ -141,7 +141,7 @@ if(s->msmpeg4_version==2) cbp= get_vlc2(&s->gb, v2_intra_cbpc_vlc.table, V2_INTRA_CBPC_VLC_BITS, 1); else - cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 1); + cbp= get_vlc2(&s->gb, ff_h263_intra_MCBPC_vlc.table, INTRA_MCBPC_VLC_BITS, 2); if(cbp<0 || cbp>3){ av_log(s->avctx, AV_LOG_ERROR, "cbpc %d invalid at %d %d\n", cbp, s->mb_x, s->mb_y); return -1; @@ -170,12 +170,23 @@ s->mv[0][0][1] = my; *mb_type_ptr = MB_TYPE_L0 | MB_TYPE_16x16; } else { + int v; if(s->msmpeg4_version==2){ s->ac_pred = get_bits1(&s->gb); - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; } else{ s->ac_pred = 0; - cbp|= get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1)<<2; //FIXME check errors + v = get_vlc2(&s->gb, ff_h263_cbpy_vlc.table, CBPY_VLC_BITS, 1); + if (v < 0) { + av_log(s->avctx, AV_LOG_ERROR, "cbpy vlc invalid\n"); + return -1; + } + cbp|= v<<2; if(s->pict_type==AV_PICTURE_TYPE_P) cbp^=0x3C; } *mb_type_ptr = MB_TYPE_INTRA; diff -Nru ffmpeg-2.8.11/libavcodec/mss3.c ffmpeg-2.8.14/libavcodec/mss3.c --- ffmpeg-2.8.11/libavcodec/mss3.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/mss3.c 2018-02-19 00:50:24.000000000 +0000 @@ -356,8 +356,9 @@ static int rac_get_model_sym(RangeCoder *c, Model *m) { - int prob, prob2, helper, val; + int val; int end, end2; + unsigned prob, prob2, helper; prob = 0; prob2 = c->range; diff -Nru ffmpeg-2.8.11/libavcodec/mss34dsp.c ffmpeg-2.8.14/libavcodec/mss34dsp.c --- ffmpeg-2.8.11/libavcodec/mss34dsp.c 2016-03-29 03:25:20.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/mss34dsp.c 2018-02-19 00:50:24.000000000 +0000 @@ -62,30 +62,30 @@ } #define DCT_TEMPLATE(blk, step, SOP, shift) \ - const int t0 = -39409 * blk[7 * step] - 58980 * blk[1 * step]; \ - const int t1 = 39410 * blk[1 * step] - 58980 * blk[7 * step]; \ - const int t2 = -33410 * blk[5 * step] - 167963 * blk[3 * step]; \ - const int t3 = 33410 * blk[3 * step] - 167963 * blk[5 * step]; \ - const int t4 = blk[3 * step] + blk[7 * step]; \ - const int t5 = blk[1 * step] + blk[5 * step]; \ - const int t6 = 77062 * t4 + 51491 * t5; \ - const int t7 = 77062 * t5 - 51491 * t4; \ - const int t8 = 35470 * blk[2 * step] - 85623 * blk[6 * step]; \ - const int t9 = 35470 * blk[6 * step] + 85623 * blk[2 * step]; \ - const int tA = SOP(blk[0 * step] - blk[4 * step]); \ - const int tB = SOP(blk[0 * step] + blk[4 * step]); \ + const unsigned t0 =-39409U * blk[7 * step] - 58980U * blk[1 * step]; \ + const unsigned t1 = 39410U * blk[1 * step] - 58980U * blk[7 * step]; \ + const unsigned t2 =-33410U * blk[5 * step] -167963U * blk[3 * step]; \ + const unsigned t3 = 33410U * blk[3 * step] -167963U * blk[5 * step]; \ + const unsigned t4 = blk[3 * step] + blk[7 * step]; \ + const unsigned t5 = blk[1 * step] + blk[5 * step]; \ + const unsigned t6 = 77062U * t4 + 51491U * t5; \ + const unsigned t7 = 77062U * t5 - 51491U * t4; \ + const unsigned t8 = 35470U * blk[2 * step] - 85623U * blk[6 * step]; \ + const unsigned t9 = 35470U * blk[6 * step] + 85623U * blk[2 * step]; \ + const unsigned tA = SOP(blk[0 * step] - blk[4 * step]); \ + const unsigned tB = SOP(blk[0 * step] + blk[4 * step]); \ \ - blk[0 * step] = ( t1 + t6 + t9 + tB) >> shift; \ - blk[1 * step] = ( t3 + t7 + t8 + tA) >> shift; \ - blk[2 * step] = ( t2 + t6 - t8 + tA) >> shift; \ - blk[3 * step] = ( t0 + t7 - t9 + tB) >> shift; \ - blk[4 * step] = (-(t0 + t7) - t9 + tB) >> shift; \ - blk[5 * step] = (-(t2 + t6) - t8 + tA) >> shift; \ - blk[6 * step] = (-(t3 + t7) + t8 + tA) >> shift; \ - blk[7 * step] = (-(t1 + t6) + t9 + tB) >> shift; \ + blk[0 * step] = (int)( t1 + t6 + t9 + tB) >> shift; \ + blk[1 * step] = (int)( t3 + t7 + t8 + tA) >> shift; \ + blk[2 * step] = (int)( t2 + t6 - t8 + tA) >> shift; \ + blk[3 * step] = (int)( t0 + t7 - t9 + tB) >> shift; \ + blk[4 * step] = (int)(-(t0 + t7) - t9 + tB) >> shift; \ + blk[5 * step] = (int)(-(t2 + t6) - t8 + tA) >> shift; \ + blk[6 * step] = (int)(-(t3 + t7) + t8 + tA) >> shift; \ + blk[7 * step] = (int)(-(t1 + t6) + t9 + tB) >> shift; \ -#define SOP_ROW(a) (((a) << 16) + 0x2000) -#define SOP_COL(a) (((a) + 32) << 16) +#define SOP_ROW(a) (((a) * (1U << 16)) + 0x2000) +#define SOP_COL(a) (((a) + 32) * (1U << 16)) void ff_mss34_dct_put(uint8_t *dst, int stride, int *block) { diff -Nru ffmpeg-2.8.11/libavcodec/msvideo1.c ffmpeg-2.8.14/libavcodec/msvideo1.c --- ffmpeg-2.8.11/libavcodec/msvideo1.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/msvideo1.c 2018-02-19 00:50:24.000000000 +0000 @@ -302,6 +302,12 @@ s->buf = buf; s->size = buf_size; + // Discard frame if its smaller than the minimum frame size + if (buf_size < (avctx->width/4) * (avctx->height/4) / 512) { + av_log(avctx, AV_LOG_ERROR, "Packet is too small\n"); + return AVERROR_INVALIDDATA; + } + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; diff -Nru ffmpeg-2.8.11/libavcodec/nellymoser.c ffmpeg-2.8.14/libavcodec/nellymoser.c --- ffmpeg-2.8.11/libavcodec/nellymoser.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/nellymoser.c 2018-02-19 00:50:24.000000000 +0000 @@ -85,7 +85,7 @@ static inline int signed_shift(int i, int shift) { if (shift > 0) - return i << shift; + return (unsigned)i << shift; return i >> -shift; } @@ -109,7 +109,7 @@ return 31; } l = 30 - av_log2(FFABS(*la)); - *la <<= l; + *la *= 1<coded_frame); +FF_ENABLE_DEPRECATION_WARNINGS +#endif + av_freep(&avctx->rc_override); + av_freep(&avctx->intra_matrix); + av_freep(&avctx->inter_matrix); + av_freep(&avctx->extradata); + av_freep(&avctx->subtitle_header); + avctx->subtitle_header_size = 0; + avctx->extradata_size = 0; +} + int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src) { const AVCodec *orig_codec = dest->codec; @@ -191,12 +208,7 @@ return AVERROR(EINVAL); } - av_opt_free(dest); - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); + copy_context_reset(dest); memcpy(dest, src, sizeof(*dest)); av_opt_copy(dest, src); @@ -248,14 +260,7 @@ return 0; fail: - av_freep(&dest->rc_override); - av_freep(&dest->intra_matrix); - av_freep(&dest->inter_matrix); - av_freep(&dest->extradata); - av_freep(&dest->subtitle_header); - dest->subtitle_header_size = 0; - dest->extradata_size = 0; - av_opt_free(dest); + copy_context_reset(dest); return AVERROR(ENOMEM); } diff -Nru ffmpeg-2.8.11/libavcodec/opus_parser.c ffmpeg-2.8.14/libavcodec/opus_parser.c --- ffmpeg-2.8.11/libavcodec/opus_parser.c 2016-03-29 03:25:20.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/opus_parser.c 2018-02-19 00:50:32.000000000 +0000 @@ -43,6 +43,7 @@ const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; + uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(&gb, buf, buf_len); @@ -52,11 +53,11 @@ end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; - *payload_len = 0; + payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte(&gb) == 0xff) - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); - *payload_len += bytestream2_get_byte(&gb); + payload_len_tmp += bytestream2_get_byte(&gb); if (start_trim_flag) bytestream2_skip(&gb, 2); @@ -67,6 +68,11 @@ bytestream2_skip(&gb, control_extension_length); } + if (bytestream2_tell(&gb) + payload_len_tmp > buf_len) + return NULL; + + *payload_len = payload_len_tmp; + return buf + bytestream2_tell(&gb); } @@ -104,6 +110,10 @@ state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, &payload_len, buf_size - i); + if (!payload) { + av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); + return AVERROR_INVALIDDATA; + } *header_len = payload - buf; start_found = 1; break; diff -Nru ffmpeg-2.8.11/libavcodec/opus_silk.c ffmpeg-2.8.14/libavcodec/opus_silk.c --- ffmpeg-2.8.11/libavcodec/opus_silk.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/opus_silk.c 2018-02-19 00:50:24.000000000 +0000 @@ -851,8 +851,7 @@ if (nlsf[0] < min_delta[0]) nlsf[0] = min_delta[0]; for (i = 1; i < order; i++) - if (nlsf[i] < nlsf[i - 1] + min_delta[i]) - nlsf[i] = nlsf[i - 1] + min_delta[i]; + nlsf[i] = FFMAX(nlsf[i], FFMIN(nlsf[i - 1] + min_delta[i], 32767)); /* push backwards to increase distance */ if (nlsf[order-1] > 32768 - min_delta[order]) diff -Nru ffmpeg-2.8.11/libavcodec/pafvideo.c ffmpeg-2.8.14/libavcodec/pafvideo.c --- ffmpeg-2.8.11/libavcodec/pafvideo.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/pafvideo.c 2018-02-19 00:50:32.000000000 +0000 @@ -181,6 +181,8 @@ dend = c->frame[page] + c->frame_size; offset = (x & 0x7F) * 2; j = bytestream2_get_le16(&c->gb) + offset; + if (bytestream2_get_bytes_left(&c->gb) < (j - offset) * 16) + return AVERROR_INVALIDDATA; do { offset++; if (dst + 3 * c->width + 4 > dend) @@ -198,7 +200,8 @@ do { set_src_position(c, &src, &send); if ((src + 3 * c->width + 4 > send) || - (dst + 3 * c->width + 4 > dend)) + (dst + 3 * c->width + 4 > dend) || + bytestream2_get_bytes_left(&c->gb) < 4) return AVERROR_INVALIDDATA; copy_block4(dst, src, c->width, c->width, 4); i++; @@ -267,12 +270,20 @@ uint8_t code, *dst, *end; int i, frame, ret; - if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) - return ret; + if (pkt->size < 2) + return AVERROR_INVALIDDATA; bytestream2_init(&c->gb, pkt->data, pkt->size); code = bytestream2_get_byte(&c->gb); + if ((code & 0xF) > 4 || (code & 0xF) == 3) { + avpriv_request_sample(avctx, "unknown/invalid code"); + return AVERROR_INVALIDDATA; + } + + if ((ret = ff_reget_buffer(avctx, c->pic)) < 0) + return ret; + if (code & 0x20) { // frame is keyframe for (i = 0; i < 4; i++) memset(c->frame[i], 0, c->frame_size); @@ -367,8 +378,7 @@ } break; default: - avpriv_request_sample(avctx, "unknown/invalid code"); - return AVERROR_INVALIDDATA; + av_assert0(0); } av_image_copy_plane(c->pic->data[0], c->pic->linesize[0], diff -Nru ffmpeg-2.8.11/libavcodec/pictordec.c ffmpeg-2.8.14/libavcodec/pictordec.c --- ffmpeg-2.8.11/libavcodec/pictordec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/pictordec.c 2018-02-19 00:50:24.000000000 +0000 @@ -77,10 +77,10 @@ if (*y < 0) { *y = s->height - 1; *plane += 1; + if (*plane >= s->nb_planes) + return; value <<= bits_per_plane; mask <<= bits_per_plane; - if (*plane >= s->nb_planes) - break; } } } @@ -236,7 +236,7 @@ } } - if (x < avctx->width) { + if (plane < s->nb_planes && x < avctx->width) { int run = (y + 1) * avctx->width - x; if (bits_per_plane == 8) picmemset_8bpp(s, frame, val, run, &x, &y); diff -Nru ffmpeg-2.8.11/libavcodec/pixblockdsp.c ffmpeg-2.8.14/libavcodec/pixblockdsp.c --- ffmpeg-2.8.11/libavcodec/pixblockdsp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/pixblockdsp.c 2018-02-19 00:50:24.000000000 +0000 @@ -55,6 +55,7 @@ { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff -Nru ffmpeg-2.8.11/libavcodec/pixblockdsp.h ffmpeg-2.8.14/libavcodec/pixblockdsp.h --- ffmpeg-2.8.11/libavcodec/pixblockdsp.h 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/pixblockdsp.h 2018-02-19 00:50:24.000000000 +0000 @@ -31,6 +31,11 @@ const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, int stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + int stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff -Nru ffmpeg-2.8.11/libavcodec/pngdec.c ffmpeg-2.8.14/libavcodec/pngdec.c --- ffmpeg-2.8.11/libavcodec/pngdec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/pngdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -557,6 +557,11 @@ return AVERROR_INVALIDDATA; } s->bit_depth = bytestream2_get_byte(&s->gb); + if (s->bit_depth != 1 && s->bit_depth != 2 && s->bit_depth != 4 && + s->bit_depth != 8 && s->bit_depth != 16) { + av_log(avctx, AV_LOG_ERROR, "Invalid bit depth\n"); + goto error; + } s->color_type = bytestream2_get_byte(&s->gb); s->compression_type = bytestream2_get_byte(&s->gb); s->filter_type = bytestream2_get_byte(&s->gb); @@ -570,6 +575,10 @@ s->compression_type, s->filter_type, s->interlace_type); return 0; +error: + s->cur_w = s->cur_h = s->width = s->height = 0; + s->bit_depth = 8; + return AVERROR_INVALIDDATA; } static int decode_phys_chunk(AVCodecContext *avctx, PNGDecContext *s) @@ -600,8 +609,9 @@ } if (!(s->state & PNG_IDAT)) { /* init image info */ - avctx->width = s->width; - avctx->height = s->height; + ret = ff_set_dimensions(avctx, s->width, s->height); + if (ret < 0) + return ret; s->channels = ff_png_get_nb_channels(s->color_type); s->bits_per_pixel = s->bit_depth * s->channels; @@ -785,7 +795,7 @@ return AVERROR_INVALIDDATA; for (i = 0; i < length; i++) { - v = bytestream2_get_byte(&s->gb); + unsigned v = bytestream2_get_byte(&s->gb); s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24); } } else if (s->color_type == PNG_COLOR_TYPE_GRAY || s->color_type == PNG_COLOR_TYPE_RGB) { @@ -1293,7 +1303,7 @@ goto the_end; if ((ret = av_frame_ref(data, s->picture.f)) < 0) - return ret; + goto the_end; *got_frame = 1; diff -Nru ffmpeg-2.8.11/libavcodec/pnm.c ffmpeg-2.8.14/libavcodec/pnm.c --- ffmpeg-2.8.11/libavcodec/pnm.c 2016-03-29 03:25:21.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/pnm.c 2018-02-19 00:50:24.000000000 +0000 @@ -24,6 +24,7 @@ #include "libavutil/imgutils.h" #include "avcodec.h" +#include "internal.h" #include "pnm.h" static inline int pnm_space(int c) @@ -61,6 +62,7 @@ { char buf1[32], tuple_type[32]; int h, w, depth, maxval; + int ret; pnm_get(s, buf1, sizeof(buf1)); if(buf1[0] != 'P') @@ -110,8 +112,9 @@ if (w <= 0 || h <= 0 || maxval <= 0 || depth <= 0 || tuple_type[0] == '\0' || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; s->maxval = maxval; if (depth == 1) { if (maxval == 1) { @@ -153,8 +156,9 @@ if(w <= 0 || h <= 0 || av_image_check_size(w, h, 0, avctx) || s->bytestream >= s->bytestream_end) return AVERROR_INVALIDDATA; - avctx->width = w; - avctx->height = h; + ret = ff_set_dimensions(avctx, w, h); + if (ret < 0) + return ret; if (avctx->pix_fmt != AV_PIX_FMT_MONOWHITE && avctx->pix_fmt != AV_PIX_FMT_MONOBLACK) { pnm_get(s, buf1, sizeof(buf1)); diff -Nru ffmpeg-2.8.11/libavcodec/proresdec2.c ffmpeg-2.8.14/libavcodec/proresdec2.c --- ffmpeg-2.8.11/libavcodec/proresdec2.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/proresdec2.c 2018-02-19 00:50:32.000000000 +0000 @@ -264,6 +264,8 @@ \ if (q > switch_bits) { /* exp golomb */ \ bits = exp_order - switch_bits + (q<<1); \ + if (bits > FFMIN(MIN_CACHE_BITS, 31)) \ + return AVERROR_INVALIDDATA; \ val = SHOW_UBITS(re, gb, bits) - (1 << exp_order) + \ ((switch_bits + 1) << rice_order); \ SKIP_BITS(re, gb, bits); \ @@ -283,7 +285,7 @@ static const uint8_t dc_codebook[7] = { 0x04, 0x28, 0x28, 0x4D, 0x4D, 0x70, 0x70}; -static av_always_inline void decode_dc_coeffs(GetBitContext *gb, int16_t *out, +static av_always_inline int decode_dc_coeffs(GetBitContext *gb, int16_t *out, int blocks_per_slice) { int16_t prev_dc; @@ -307,6 +309,7 @@ out[0] = prev_dc; } CLOSE_READER(re, gb); + return 0; } // adaptive codebook switching lut according to previous run/level values @@ -373,7 +376,8 @@ init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; @@ -406,7 +410,8 @@ init_get_bits(&gb, buf, buf_size << 3); - decode_dc_coeffs(&gb, blocks, blocks_per_slice); + if ((ret = decode_dc_coeffs(&gb, blocks, blocks_per_slice)) < 0) + return ret; if ((ret = decode_ac_coeffs(avctx, &gb, blocks, blocks_per_slice)) < 0) return ret; diff -Nru ffmpeg-2.8.11/libavcodec/qdrw.c ffmpeg-2.8.14/libavcodec/qdrw.c --- ffmpeg-2.8.11/libavcodec/qdrw.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/qdrw.c 2018-02-19 00:50:25.000000000 +0000 @@ -55,6 +55,8 @@ bytestream2_skip(gbc, 6); continue; } + if (avctx->pix_fmt != AV_PIX_FMT_PAL8) + return AVERROR_INVALIDDATA; r = bytestream2_get_byte(gbc); bytestream2_skip(gbc, 1); g = bytestream2_get_byte(gbc); @@ -227,7 +229,9 @@ if ((ret = ff_get_buffer(avctx, p, 0)) < 0) return ret; - parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + ret = parse_palette(avctx, &gbc, (uint32_t *)p->data[1], colors); + if (ret < 0) + return ret; p->palette_has_changed = 1; /* jump to image data */ diff -Nru ffmpeg-2.8.11/libavcodec/ra144.c ffmpeg-2.8.14/libavcodec/ra144.c --- ffmpeg-2.8.11/libavcodec/ra144.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/ra144.c 2018-02-19 00:50:25.000000000 +0000 @@ -1512,7 +1512,7 @@ v[0] = 0; for (i=!skip_first; i<3; i++) - v[i] = (ff_gain_val_tab[n][i] * m[i]) >> ff_gain_exp_tab[n]; + v[i] = (ff_gain_val_tab[n][i] * (unsigned)m[i]) >> ff_gain_exp_tab[n]; if (v[0]) { for (i=0; i < BLOCKSIZE; i++) @@ -1573,7 +1573,7 @@ if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif - bp1[j] = ((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * b) >> 12; + bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) @@ -1598,10 +1598,10 @@ int i, j; for (i=0; i < LPC_ORDER; i++) { - b1[i] = refl[i] << 4; + b1[i] = refl[i] * 16; for (j=0; j < i; j++) - b1[j] = ((refl[i] * b2[i-j-1]) >> 12) + b2[j]; + b1[j] = ((int)(refl[i] * (unsigned)b2[i-j-1]) >> 12) + b2[j]; FFSWAP(int *, b1, b2); } @@ -1701,7 +1701,7 @@ if (cba_idx) { cba_idx += BLOCKSIZE/2 - 1; ff_copy_and_dup(ractx->buffer_a, ractx->adapt_cb, cba_idx); - m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * gval) >> 12; + m[0] = (ff_irms(&ractx->adsp, ractx->buffer_a) * (unsigned)gval) >> 12; } else { m[0] = 0; } diff -Nru ffmpeg-2.8.11/libavcodec/ra144dec.c ffmpeg-2.8.14/libavcodec/ra144dec.c --- ffmpeg-2.8.11/libavcodec/ra144dec.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/ra144dec.c 2017-12-31 22:35:47.000000000 +0000 @@ -113,7 +113,7 @@ do_output_subblock(ractx, block_coefs[i], refl_rms[i], &gb); for (j=0; j < BLOCKSIZE; j++) - *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] << 2); + *samples++ = av_clip_int16(ractx->curr_sblock[j + 10] * (1 << 2)); } ractx->old_energy = energy; diff -Nru ffmpeg-2.8.11/libavcodec/rv34.c ffmpeg-2.8.14/libavcodec/rv34.c --- ffmpeg-2.8.11/libavcodec/rv34.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/rv34.c 2018-02-19 00:50:25.000000000 +0000 @@ -1585,10 +1585,13 @@ return ff_mpeg_update_thread_context(dst, src); } -static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n) +static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n, int slice_count, int buf_size) { - if(avctx->slice_count) return avctx->slice_offset[n]; - else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + if (n < slice_count) { + if(avctx->slice_count) return avctx->slice_offset[n]; + else return AV_RL32(buf + n*8 - 4) == 1 ? AV_RL32(buf + n*8) : AV_RB32(buf + n*8); + } else + return buf_size; } static int finish_frame(AVCodecContext *avctx, AVFrame *pict) @@ -1627,7 +1630,7 @@ if (!sar.num) sar = (AVRational){1, 1}; - sar = av_mul_q(sar, (AVRational){new_h * old_w, new_w * old_h}); + sar = av_mul_q(sar, av_mul_q((AVRational){new_h, new_w}, (AVRational){old_w, old_h})); return sar; } @@ -1645,6 +1648,7 @@ int slice_count; const uint8_t *slices_hdr = NULL; int last = 0; + int offset; /* no supplementary picture */ if (buf_size == 0) { @@ -1667,13 +1671,13 @@ }else slice_count = avctx->slice_count; + offset = get_slice_offset(avctx, slices_hdr, 0, slice_count, buf_size); //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) < 0 || - get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + if(offset < 0 || offset > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return AVERROR_INVALIDDATA; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8); + init_get_bits(&s->gb, buf+offset, (buf_size-offset)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){ av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n"); return AVERROR_INVALIDDATA; @@ -1774,40 +1778,32 @@ } for(i = 0; i < slice_count; i++){ - int offset = get_slice_offset(avctx, slices_hdr, i); + int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); + int offset1 = get_slice_offset(avctx, slices_hdr, i+1, slice_count, buf_size); int size; - if(i+1 == slice_count) - size = buf_size - offset; - else - size = get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset < 0 || offset > buf_size){ + if(offset < 0 || offset > offset1 || offset1 > buf_size){ av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } + size = offset1 - offset; r->si.end = s->mb_width * s->mb_height; s->mb_num_left = r->s.mb_x + r->s.mb_y*r->s.mb_width - r->si.start; if(i+1 < slice_count){ - if (get_slice_offset(avctx, slices_hdr, i+1) < 0 || - get_slice_offset(avctx, slices_hdr, i+1) > buf_size) { + int offset2 = get_slice_offset(avctx, slices_hdr, i+2, slice_count, buf_size); + if (offset2 < offset1 || offset2 > buf_size) { av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } - init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, i+1), (buf_size-get_slice_offset(avctx, slices_hdr, i+1))*8); + init_get_bits(&s->gb, buf+offset1, (buf_size-offset1)*8); if(r->parse_slice_header(r, &r->s.gb, &si) < 0){ - if(i+2 < slice_count) - size = get_slice_offset(avctx, slices_hdr, i+2) - offset; - else - size = buf_size - offset; + size = offset2 - offset; }else r->si.end = si.start; } - if (size < 0 || size > buf_size - offset) { - av_log(avctx, AV_LOG_ERROR, "Slice size is invalid\n"); - break; - } + av_assert0 (size >= 0 && size <= buf_size - offset); last = rv34_decode_slice(r, r->si.end, buf + offset, size); if(last) break; diff -Nru ffmpeg-2.8.11/libavcodec/rv40.c ffmpeg-2.8.14/libavcodec/rv40.c --- ffmpeg-2.8.11/libavcodec/rv40.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/rv40.c 2018-02-19 00:50:25.000000000 +0000 @@ -189,7 +189,7 @@ A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row B = ptr[-r->intra_types_stride]; C = ptr[-1]; - pattern = A + (B << 4) + (C << 8); + pattern = A + B * (1 << 4) + C * (1 << 8); for(k = 0; k < MODE2_PATTERNS_NUM; k++) if(pattern == rv40_aic_table_index[k]) break; diff -Nru ffmpeg-2.8.11/libavcodec/rv40dsp.c ffmpeg-2.8.14/libavcodec/rv40dsp.c --- ffmpeg-2.8.11/libavcodec/rv40dsp.c 2016-03-29 03:25:21.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/rv40dsp.c 2018-02-19 00:50:25.000000000 +0000 @@ -449,7 +449,7 @@ if (u > 3 - (filter_p1 && filter_q1)) continue; - t <<= 2; + t *= 1 << 2; if (filter_p1 && filter_q1) t += src[-2*step] - src[1*step]; diff -Nru ffmpeg-2.8.11/libavcodec/s302m.c ffmpeg-2.8.14/libavcodec/s302m.c --- ffmpeg-2.8.11/libavcodec/s302m.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/s302m.c 2018-02-19 00:50:25.000000000 +0000 @@ -120,10 +120,10 @@ if (avctx->bits_per_raw_sample == 24) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 6; buf_size -= 7) { - *o++ = (ff_reverse[buf[2]] << 24) | + *o++ = ((unsigned)ff_reverse[buf[2]] << 24) | (ff_reverse[buf[1]] << 16) | (ff_reverse[buf[0]] << 8); - *o++ = (ff_reverse[buf[6] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[6] & 0xf0] << 28) | (ff_reverse[buf[5]] << 20) | (ff_reverse[buf[4]] << 12) | (ff_reverse[buf[3] & 0x0f] << 4); @@ -142,10 +142,10 @@ } else if (avctx->bits_per_raw_sample == 20) { uint32_t *o = (uint32_t *)frame->data[0]; for (; buf_size > 5; buf_size -= 6) { - *o++ = (ff_reverse[buf[2] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[2] & 0xf0] << 28) | (ff_reverse[buf[1]] << 20) | (ff_reverse[buf[0]] << 12); - *o++ = (ff_reverse[buf[5] & 0xf0] << 28) | + *o++ = ((unsigned)ff_reverse[buf[5] & 0xf0] << 28) | (ff_reverse[buf[4]] << 20) | (ff_reverse[buf[3]] << 12); buf += 6; diff -Nru ffmpeg-2.8.11/libavcodec/sanm.c ffmpeg-2.8.14/libavcodec/sanm.c --- ffmpeg-2.8.11/libavcodec/sanm.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/sanm.c 2018-02-19 00:50:25.000000000 +0000 @@ -462,11 +462,11 @@ static av_cold int init_buffers(SANMVideoContext *ctx) { - av_fast_padded_malloc(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); - av_fast_padded_malloc(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm0, &ctx->frm0_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm1, &ctx->frm1_size, ctx->buf_size); + av_fast_padded_mallocz(&ctx->frm2, &ctx->frm2_size, ctx->buf_size); if (!ctx->version) - av_fast_padded_malloc(&ctx->stored_frame, + av_fast_padded_mallocz(&ctx->stored_frame, &ctx->stored_frame_size, ctx->buf_size); if (!ctx->frm0 || !ctx->frm1 || !ctx->frm2 || diff -Nru ffmpeg-2.8.11/libavcodec/sbrdsp_fixed.c ffmpeg-2.8.14/libavcodec/sbrdsp_fixed.c --- ffmpeg-2.8.11/libavcodec/sbrdsp_fixed.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/sbrdsp_fixed.c 2018-02-19 00:50:32.000000000 +0000 @@ -136,19 +136,19 @@ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); @@ -156,28 +156,28 @@ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } @@ -229,20 +229,22 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2], const SoftFloat *g_filt, int m_max, intptr_t ixh) { - int m, r; + int m; int64_t accu; for (m = 0; m < m_max; m++) { - r = 1 << (22-g_filt[m].exp); - accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); - Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); + if (22 - g_filt[m].exp < 61) { + int64_t r = 1LL << (22-g_filt[m].exp); + accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7); + Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp)); - accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); - Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7); + Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp)); + } } } -static av_always_inline void sbr_hf_apply_noise(int (*Y)[2], +static av_always_inline int sbr_hf_apply_noise(int (*Y)[2], const SoftFloat *s_m, const SoftFloat *q_filt, int noise, @@ -253,14 +255,17 @@ int m; for (m = 0; m < m_max; m++) { - int y0 = Y[m][0]; - int y1 = Y[m][1]; + unsigned y0 = Y[m][0]; + unsigned y1 = Y[m][1]; noise = (noise + 1) & 0x1ff; if (s_m[m].mant) { int shift, round; shift = 22 - s_m[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); y0 += (s_m[m].mant * phi_sign0 + round) >> shift; y1 += (s_m[m].mant * phi_sign1 + round) >> shift; @@ -270,7 +275,10 @@ int64_t accu; shift = 22 - q_filt[m].exp; - if (shift < 30) { + if (shift < 1) { + av_log(NULL, AV_LOG_ERROR, "Overflow in sbr_hf_apply_noise, shift=%d\n", shift); + return AVERROR(ERANGE); + } else if (shift < 30) { round = 1 << (shift-1); accu = (int64_t)q_filt[m].mant * ff_sbr_noise_table_fixed[noise][0]; @@ -286,6 +294,7 @@ Y[m][1] = y1; phi_sign1 = -phi_sign1; } + return 0; } #include "sbrdsp_template.c" diff -Nru ffmpeg-2.8.11/libavcodec/sbrdsp_template.c ffmpeg-2.8.14/libavcodec/sbrdsp_template.c --- ffmpeg-2.8.11/libavcodec/sbrdsp_template.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/sbrdsp_template.c 2018-02-19 00:50:25.000000000 +0000 @@ -33,8 +33,13 @@ { int i; for (i = 0; i < 64; i++) { - v[ i] = AAC_SRA_R((src0[i] - src1[63 - i]), 5); - v[127 - i] = AAC_SRA_R((src0[i] + src1[63 - i]), 5); +#if USE_FIXED + v[ i] = (int)(0x10U + src0[i] - src1[63 - i]) >> 5; + v[127 - i] = (int)(0x10U + src0[i] + src1[63 - i]) >> 5; +#else + v[ i] = src0[i] - src1[63 - i]; + v[127 - i] = src0[i] + src1[63 - i]; +#endif } } diff -Nru ffmpeg-2.8.11/libavcodec/shorten.c ffmpeg-2.8.14/libavcodec/shorten.c --- ffmpeg-2.8.11/libavcodec/shorten.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/shorten.c 2018-02-19 00:50:25.000000000 +0000 @@ -156,8 +156,11 @@ static inline unsigned int get_uint(ShortenContext *s, int k) { - if (s->version != 0) + if (s->version != 0) { k = get_ur_golomb_shorten(&s->gb, ULONGSIZE); + if (k > 31U) + return AVERROR_INVALIDDATA; + } return get_ur_golomb_shorten(&s->gb, k); } @@ -366,6 +369,10 @@ s->blocksize = blocksize; maxnlpc = get_uint(s, LPCQSIZE); + if (maxnlpc > 1024U) { + av_log(s->avctx, AV_LOG_ERROR, "maxnlpc is: %d\n", maxnlpc); + return AVERROR_INVALIDDATA; + } s->nmean = get_uint(s, 0); skip_bytes = get_uint(s, NSKIPSIZE); diff -Nru ffmpeg-2.8.11/libavcodec/smc.c ffmpeg-2.8.14/libavcodec/smc.c --- ffmpeg-2.8.11/libavcodec/smc.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/smc.c 2018-02-19 00:50:25.000000000 +0000 @@ -132,6 +132,10 @@ row_ptr, image_size); return; } + if (bytestream2_get_bytes_left(&s->gb) < 1) { + av_log(s->avctx, AV_LOG_ERROR, "input too small\n"); + return; + } opcode = bytestream2_get_byte(&s->gb); switch (opcode & 0xF0) { diff -Nru ffmpeg-2.8.11/libavcodec/snow.h ffmpeg-2.8.14/libavcodec/snow.h --- ffmpeg-2.8.11/libavcodec/snow.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/snow.h 2018-02-19 00:50:25.000000000 +0000 @@ -561,7 +561,8 @@ if(get_rac(c, state+0)) return 0; else{ - int i, e, a; + int i, e; + unsigned a; e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; diff -Nru ffmpeg-2.8.11/libavcodec/snowdec.c ffmpeg-2.8.14/libavcodec/snowdec.c --- ffmpeg-2.8.11/libavcodec/snowdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/snowdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -137,7 +137,7 @@ v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; @@ -180,13 +180,22 @@ int my_context= av_log2(2*FFABS(left->my - top->my)) + 0*av_log2(2*FFABS(tr->my - top->my)); type= get_rac(&s->c, &s->block_state[1 + left->type + top->type]) ? BLOCK_INTRA : 0; - if(type){ + int ld, cbd, crd; pred_mv(s, &mx, &my, 0, left, top, tr); - l += get_symbol(&s->c, &s->block_state[32], 1); + ld = get_symbol(&s->c, &s->block_state[32], 1); + if (ld < -255 || ld > 255) { + return AVERROR_INVALIDDATA; + } + l += ld; if (s->nb_planes > 2) { - cb+= get_symbol(&s->c, &s->block_state[64], 1); - cr+= get_symbol(&s->c, &s->block_state[96], 1); + cbd = get_symbol(&s->c, &s->block_state[64], 1); + crd = get_symbol(&s->c, &s->block_state[96], 1); + if (cbd < -255 || cbd > 255 || crd < -255 || crd > 255) { + return AVERROR_INVALIDDATA; + } + cb += cbd; + cr += crd; } }else{ if(s->ref_frames > 1) @@ -351,9 +360,10 @@ int htaps, i, sum=0; Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); - htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + htaps= get_symbol(&s->c, s->header_state, 0); + if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; + htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(&s->c, s->header_state, 0) * (1-2*(i&1)); @@ -371,7 +381,7 @@ } } - s->spatial_decomposition_type+= get_symbol(&s->c, s->header_state, 1); + s->spatial_decomposition_type+= (unsigned)get_symbol(&s->c, s->header_state, 1); if(s->spatial_decomposition_type > 1U){ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_type %d not supported\n", s->spatial_decomposition_type); return AVERROR_INVALIDDATA; @@ -381,15 +391,25 @@ av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); return AVERROR_INVALIDDATA; } + if (s->avctx->width > 65536-4) { + av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); + return AVERROR_INVALIDDATA; + } - s->qlog += get_symbol(&s->c, s->header_state, 1); - s->mv_scale += get_symbol(&s->c, s->header_state, 1); - s->qbias += get_symbol(&s->c, s->header_state, 1); - s->block_max_depth+= get_symbol(&s->c, s->header_state, 1); - if(s->block_max_depth > 1 || s->block_max_depth < 0){ + s->qlog += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->mv_scale += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->qbias += (unsigned)get_symbol(&s->c, s->header_state, 1); + s->block_max_depth+= (unsigned)get_symbol(&s->c, s->header_state, 1); + if(s->block_max_depth > 1 || s->block_max_depth < 0 || s->mv_scale > 256U){ av_log(s->avctx, AV_LOG_ERROR, "block_max_depth= %d is too large\n", s->block_max_depth); s->block_max_depth= 0; + s->mv_scale = 0; + return AVERROR_INVALIDDATA; + } + if (FFABS(s->qbias) > 127) { + av_log(s->avctx, AV_LOG_ERROR, "qbias %d is too large\n", s->qbias); + s->qbias = 0; return AVERROR_INVALIDDATA; } @@ -415,6 +435,8 @@ for(y=0; yc.bytestream >= s->c.bytestream_end) + return AVERROR_INVALIDDATA; if ((res = decode_q_branch(s, 0, x, y)) < 0) return res; } @@ -574,7 +596,7 @@ for(; yqsb, yq); for(x=0; xlen > 0 && buf->str[buf->len - 1] == ' ') - buf->str[--buf->len] = 0; + if (av_bprint_is_complete(buf)) + while (buf->len > 0 && buf->str[buf->len - 1] == ' ') + buf->str[--buf->len] = 0; } -static void srt_to_ass(AVCodecContext *avctx, AVBPrint *dst, +static int srt_to_ass(AVCodecContext *avctx, AVBPrint *dst, const char *in, int x1, int y1, int x2, int y2) { char *param, buffer[128], tmp[128]; @@ -73,13 +74,13 @@ /* text rectangle defined, write the text at the center of the rectangle */ const int cx = x1 + (x2 - x1)/2; const int cy = y1 + (y2 - y1)/2; - const int scaled_x = cx * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = cy * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = cx * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = cy * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an5}{\\pos(%d,%d)}", scaled_x, scaled_y); } else { /* only the top left corner, assume the text starts in that corner */ - const int scaled_x = x1 * ASS_DEFAULT_PLAYRESX / 720; - const int scaled_y = y1 * ASS_DEFAULT_PLAYRESY / 480; + const int scaled_x = x1 * (int64_t)ASS_DEFAULT_PLAYRESX / 720; + const int scaled_y = y1 * (int64_t)ASS_DEFAULT_PLAYRESY / 480; av_bprintf(dst, "{\\an1}{\\pos(%d,%d)}", scaled_x, scaled_y); } } @@ -191,10 +192,15 @@ line_start = 0; } + if (!av_bprint_is_complete(dst)) + return AVERROR(ENOMEM); + while (dst->len >= 2 && !strncmp(&dst->str[dst->len - 2], "\\N", 2)) dst->len -= 2; dst->str[dst->len] = 0; rstrip_spaces_buf(dst); + + return 0; } static int srt_decode_frame(AVCodecContext *avctx, diff -Nru ffmpeg-2.8.11/libavcodec/svq3.c ffmpeg-2.8.14/libavcodec/svq3.c --- ffmpeg-2.8.11/libavcodec/svq3.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/svq3.c 2018-02-19 00:50:32.000000000 +0000 @@ -166,7 +166,7 @@ void ff_svq3_luma_dc_dequant_idct_c(int16_t *output, int16_t *input, int qp) { - const int qmul = svq3_dequant_coeff[qp]; + const unsigned qmul = svq3_dequant_coeff[qp]; #define stride 16 int i; int temp[16]; @@ -191,10 +191,10 @@ const int z2 = 7 * temp[4 * 1 + i] - 17 * temp[4 * 3 + i]; const int z3 = 17 * temp[4 * 1 + i] + 7 * temp[4 * 3 + i]; - output[stride * 0 + offset] = (z0 + z3) * qmul + 0x80000 >> 20; - output[stride * 2 + offset] = (z1 + z2) * qmul + 0x80000 >> 20; - output[stride * 8 + offset] = (z1 - z2) * qmul + 0x80000 >> 20; - output[stride * 10 + offset] = (z0 - z3) * qmul + 0x80000 >> 20; + output[stride * 0 + offset] = (int)((z0 + z3) * qmul + 0x80000) >> 20; + output[stride * 2 + offset] = (int)((z1 + z2) * qmul + 0x80000) >> 20; + output[stride * 8 + offset] = (int)((z1 - z2) * qmul + 0x80000) >> 20; + output[stride * 10 + offset] = (int)((z0 - z3) * qmul + 0x80000) >> 20; } } #undef stride @@ -206,7 +206,7 @@ int i; if (dc) { - dc = 13 * 13 * (dc == 1 ? 1538 * block[0] + dc = 13 * 13 * (dc == 1 ? 1538U* block[0] : qmul * (block[0] >> 3) / 2); block[0] = 0; } @@ -224,16 +224,16 @@ } for (i = 0; i < 4; i++) { - const int z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); - const int z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); - const int z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; - const int z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; - const int rr = (dc + 0x80000); - - dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((z0 + z3) * qmul + rr >> 20)); - dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((z1 + z2) * qmul + rr >> 20)); - dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((z1 - z2) * qmul + rr >> 20)); - dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((z0 - z3) * qmul + rr >> 20)); + const unsigned z0 = 13 * (block[i + 4 * 0] + block[i + 4 * 2]); + const unsigned z1 = 13 * (block[i + 4 * 0] - block[i + 4 * 2]); + const unsigned z2 = 7 * block[i + 4 * 1] - 17 * block[i + 4 * 3]; + const unsigned z3 = 17 * block[i + 4 * 1] + 7 * block[i + 4 * 3]; + const int rr = (dc + 0x80000u); + + dst[i + stride * 0] = av_clip_uint8(dst[i + stride * 0] + ((int)((z0 + z3) * qmul + rr) >> 20)); + dst[i + stride * 1] = av_clip_uint8(dst[i + stride * 1] + ((int)((z1 + z2) * qmul + rr) >> 20)); + dst[i + stride * 2] = av_clip_uint8(dst[i + stride * 2] + ((int)((z1 - z2) * qmul + rr) >> 20)); + dst[i + stride * 3] = av_clip_uint8(dst[i + stride * 3] + ((int)((z0 - z3) * qmul + rr) >> 20)); } memset(block, 0, 16 * sizeof(int16_t)); @@ -397,8 +397,8 @@ if (mode != PREDICT_MODE) { pred_motion(h, sl, k, part_width >> 2, dir, 1, &mx, &my); } else { - mx = s->next_pic->motion_val[0][b_xy][0] << 1; - my = s->next_pic->motion_val[0][b_xy][1] << 1; + mx = s->next_pic->motion_val[0][b_xy][0] * 2; + my = s->next_pic->motion_val[0][b_xy][1] * 2; if (dir == 0) { mx = mx * h->frame_num_offset / @@ -435,8 +435,8 @@ int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -444,8 +444,8 @@ mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -453,8 +453,8 @@ mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg); diff -Nru ffmpeg-2.8.11/libavcodec/takdec.c ffmpeg-2.8.14/libavcodec/takdec.c --- ffmpeg-2.8.11/libavcodec/takdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/takdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -192,7 +192,7 @@ int a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; - coeffs[1] += *coeffs; + coeffs[1] += (unsigned)*coeffs; a1 = coeffs[1]; coeffs += 2; } @@ -253,11 +253,11 @@ code = xcodes[mode - 1]; for (i = 0; i < len; i++) { - int x = get_bits_long(gb, code.init); + unsigned x = get_bits_long(gb, code.init); if (x >= code.escape && get_bits1(gb)) { x |= 1 << code.init; if (x >= code.aescape) { - int scale = get_unary(gb, 1, 9); + unsigned scale = get_unary(gb, 1, 9); if (scale == 9) { int scale_bits = get_bits(gb, 3); if (scale_bits > 0) { @@ -419,19 +419,19 @@ s->predictors[0] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10); - s->predictors[2] = get_sbits(gb, size) << (10 - size); - s->predictors[3] = get_sbits(gb, size) << (10 - size); + s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size)); + s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size)); if (filter_order > 4) { int tmp = size - get_bits1(gb); for (i = 4; i < filter_order; i++) { if (!(i & 3)) x = tmp - get_bits(gb, 2); - s->predictors[i] = get_sbits(gb, x) << (10 - size); + s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size)); } } - tfilter[0] = s->predictors[0] << 6; + tfilter[0] = s->predictors[0] * 64; for (i = 1; i < filter_order; i++) { int32_t *p1 = &tfilter[0]; int32_t *p2 = &tfilter[i - 1]; @@ -443,7 +443,7 @@ p2--; } - tfilter[i] = s->predictors[i] << 6; + tfilter[i] = s->predictors[i] * 64; } x = 1 << (32 - (15 - filter_quant)); @@ -469,15 +469,15 @@ int v = 1 << (filter_quant - 1); if (filter_order & -16) - v += s->adsp.scalarproduct_int16(&s->residues[i], s->filter, + v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } - v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; + v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; s->residues[filter_order + i] = v >> dshift; } @@ -857,7 +857,7 @@ if (s->sample_shift[chan] > 0) for (i = 0; i < s->nb_samples; i++) - decoded[i] <<= s->sample_shift[chan]; + decoded[i] *= 1U << s->sample_shift[chan]; } } @@ -884,7 +884,7 @@ uint8_t *samples = (uint8_t *)frame->extended_data[chan]; int32_t *decoded = s->decoded[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] = decoded[i] + 0x80; + samples[i] = decoded[i] + 0x80U; } break; case AV_SAMPLE_FMT_S16P: @@ -899,7 +899,7 @@ for (chan = 0; chan < avctx->channels; chan++) { int32_t *samples = (int32_t *)frame->extended_data[chan]; for (i = 0; i < s->nb_samples; i++) - samples[i] <<= 8; + samples[i] *= 1U << 8; } break; } diff -Nru ffmpeg-2.8.11/libavcodec/targa_y216dec.c ffmpeg-2.8.14/libavcodec/targa_y216dec.c --- ffmpeg-2.8.11/libavcodec/targa_y216dec.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/targa_y216dec.c 2017-12-31 22:35:48.000000000 +0000 @@ -35,7 +35,8 @@ { AVFrame *pic = data; const uint16_t *src = (uint16_t *)avpkt->data; - uint16_t *y, *u, *v, aligned_width = FFALIGN(avctx->width, 4); + uint16_t *y, *u, *v; + int aligned_width = FFALIGN(avctx->width, 4); int i, j, ret; if (avpkt->size < 4 * avctx->height * aligned_width) { diff -Nru ffmpeg-2.8.11/libavcodec/texturedsp.c ffmpeg-2.8.14/libavcodec/texturedsp.c --- ffmpeg-2.8.11/libavcodec/texturedsp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/texturedsp.c 2018-02-19 00:50:25.000000000 +0000 @@ -154,7 +154,7 @@ for (x = 0; x < 4; x++) { uint8_t alpha = alpha_values[x]; - uint32_t pixel = colors[code & 3] | (alpha << 24); + uint32_t pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); @@ -287,7 +287,7 @@ } } } - pixel = colors[code & 3] | (alpha << 24); + pixel = colors[code & 3] | ((unsigned)alpha << 24); code >>= 2; AV_WL32(dst + x * 4, pixel); } diff -Nru ffmpeg-2.8.11/libavcodec/tiertexseqv.c ffmpeg-2.8.14/libavcodec/tiertexseqv.c --- ffmpeg-2.8.11/libavcodec/tiertexseqv.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/tiertexseqv.c 2018-02-19 00:50:25.000000000 +0000 @@ -213,10 +213,15 @@ static av_cold int seqvideo_decode_init(AVCodecContext *avctx) { SeqVideoContext *seq = avctx->priv_data; + int ret; seq->avctx = avctx; avctx->pix_fmt = AV_PIX_FMT_PAL8; + ret = ff_set_dimensions(avctx, 256, 128); + if (ret < 0) + return ret; + seq->frame = av_frame_alloc(); if (!seq->frame) return AVERROR(ENOMEM); diff -Nru ffmpeg-2.8.11/libavcodec/tiff.c ffmpeg-2.8.14/libavcodec/tiff.c --- ffmpeg-2.8.11/libavcodec/tiff.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/tiff.c 2018-02-19 00:50:25.000000000 +0000 @@ -408,7 +408,7 @@ const uint8_t *src, int size, int width, int lines, int strip_start, int is_yuv) { - uint64_t outlen = width * lines; + uint64_t outlen = width * (uint64_t)lines; int ret, line; uint8_t *buf = av_malloc(outlen); if (!buf) @@ -904,6 +904,11 @@ break; case TIFF_STRIP_OFFS: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "strippos %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->strippos = 0; s->stripoff = value; } else @@ -915,6 +920,11 @@ break; case TIFF_STRIP_SIZE: if (count == 1) { + if (value > INT_MAX) { + av_log(s->avctx, AV_LOG_ERROR, + "stripsize %u too large\n", value); + return AVERROR_INVALIDDATA; + } s->stripsizesoff = 0; s->stripsize = value; s->strips = 1; @@ -1008,6 +1018,7 @@ s->subsampling[i] = ff_tget(&s->gb, type, s->le); if (s->subsampling[i] <= 0) { av_log(s->avctx, AV_LOG_ERROR, "subsampling %d is invalid\n", s->subsampling[i]); + s->subsampling[i] = 1; return AVERROR_INVALIDDATA; } } @@ -1035,6 +1046,10 @@ ADD_METADATA(count, "ModelTiepointTag", NULL); break; case TIFF_GEO_KEY_DIRECTORY: + if (s->geotag_count) { + avpriv_request_sample(s->avctx, "Multiple geo key directories\n"); + return AVERROR_INVALIDDATA; + } ADD_METADATA(1, "GeoTIFF_Version", NULL); ADD_METADATA(2, "GeoTIFF_Key_Revision", "."); s->geotag_count = ff_tget_short(&s->gb, s->le); @@ -1042,7 +1057,8 @@ s->geotag_count = count / 4 - 1; av_log(s->avctx, AV_LOG_WARNING, "GeoTIFF key directory buffer shorter than specified\n"); } - if (bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4) { + if ( bytestream2_get_bytes_left(&s->gb) < s->geotag_count * sizeof(int16_t) * 4 + || s->geotag_count == 0) { s->geotag_count = 0; return -1; } @@ -1080,6 +1096,8 @@ if (s->geotags[i].count == 0 || s->geotags[i].offset + s->geotags[i].count > count) { av_log(s->avctx, AV_LOG_WARNING, "Invalid GeoTIFF key %d\n", s->geotags[i].key); + } else if (s->geotags[i].val) { + av_log(s->avctx, AV_LOG_WARNING, "Duplicate GeoTIFF key %d\n", s->geotags[i].key); } else { char *ap = doubles2str(&dp[s->geotags[i].offset], s->geotags[i].count, ", "); if (!ap) { @@ -1106,6 +1124,8 @@ bytestream2_seek(&s->gb, pos + s->geotags[i].offset, SEEK_SET); if (bytestream2_get_bytes_left(&s->gb) < s->geotags[i].count) return AVERROR_INVALIDDATA; + if (s->geotags[i].val) + return AVERROR_INVALIDDATA; ap = av_malloc(s->geotags[i].count); if (!ap) { av_log(s->avctx, AV_LOG_ERROR, "Error allocating temporary buffer\n"); @@ -1268,6 +1288,8 @@ stride = p->linesize[plane]; dst = p->data[plane]; for (i = 0; i < s->height; i += s->rps) { + if (i) + dst += s->rps * stride; if (s->stripsizesoff) ssize = ff_tget(&stripsizes, s->sstype, le); else @@ -1288,7 +1310,6 @@ return ret; break; } - dst += s->rps * stride; } if (s->predictor == 2) { if (s->photometric == TIFF_PHOTOMETRIC_YCBCR) { diff -Nru ffmpeg-2.8.11/libavcodec/truemotion1.c ffmpeg-2.8.14/libavcodec/truemotion1.c --- ffmpeg-2.8.11/libavcodec/truemotion1.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/truemotion1.c 2018-02-19 00:50:25.000000000 +0000 @@ -177,10 +177,10 @@ int lo, hi; lo = ydt[p1]; - lo += (lo << 5) + (lo << 10); + lo += (lo * 32) + (lo * 1024); hi = ydt[p2]; - hi += (hi << 5) + (hi << 10); - return (lo + (hi << 16)) << 1; + hi += (hi * 32) + (hi * 1024); + return (lo + (hi * (1U << 16))) * 2; } static int make_cdt15_entry(int p1, int p2, int16_t *cdt) @@ -188,9 +188,9 @@ int r, b, lo; b = cdt[p2]; - r = cdt[p1] << 10; + r = cdt[p1] * 1024; lo = b + r; - return (lo + (lo << 16)) << 1; + return (lo + (lo * (1U << 16))) * 2; } #if HAVE_BIGENDIAN diff -Nru ffmpeg-2.8.11/libavcodec/truemotion2.c ffmpeg-2.8.14/libavcodec/truemotion2.c --- ffmpeg-2.8.11/libavcodec/truemotion2.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/truemotion2.c 2018-02-19 00:50:32.000000000 +0000 @@ -272,7 +272,7 @@ for (i = 0; i < d; i++) { v = get_bits_long(&ctx->gb, mb); if (v & (1 << (mb - 1))) - ctx->deltas[stream_id][i] = v - (1 << mb); + ctx->deltas[stream_id][i] = v - (1U << mb); else ctx->deltas[stream_id][i] = v; } @@ -433,8 +433,8 @@ /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ - CD[0] = CHR[1] - last[1];\ - CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ + CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ + CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} @@ -457,7 +457,7 @@ } } -static inline void tm2_high_chroma(int *data, int stride, int *last, int *CD, int *deltas) +static inline void tm2_high_chroma(int *data, int stride, int *last, unsigned *CD, int *deltas) { int i, j; for (j = 0; j < 2; j++) { @@ -907,7 +907,8 @@ buf_size - offset); if (t < 0) { int j = tm2_stream_order[i]; - memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); + if (l->tok_lens[j]) + memset(l->tokens[j], 0, sizeof(**l->tokens) * l->tok_lens[j]); return t; } offset += t; diff -Nru ffmpeg-2.8.11/libavcodec/ulti.c ffmpeg-2.8.14/libavcodec/ulti.c --- ffmpeg-2.8.11/libavcodec/ulti.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/ulti.c 2018-02-19 00:50:32.000000000 +0000 @@ -50,6 +50,8 @@ s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); + if (s->blocks == 0) + return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; diff -Nru ffmpeg-2.8.11/libavcodec/vb.c ffmpeg-2.8.14/libavcodec/vb.c --- ffmpeg-2.8.11/libavcodec/vb.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/vb.c 2017-12-31 22:35:48.000000000 +0000 @@ -205,6 +205,10 @@ if (flags & VB_HAS_GMC) { i = (int16_t)bytestream2_get_le16(&c->stream); j = (int16_t)bytestream2_get_le16(&c->stream); + if (FFABS(j) > avctx->height) { + av_log(avctx, AV_LOG_ERROR, "GMV out of range\n"); + return AVERROR_INVALIDDATA; + } offset = i + j * avctx->width; } if (flags & VB_HAS_VIDEO) { diff -Nru ffmpeg-2.8.11/libavcodec/vdpau_hevc.c ffmpeg-2.8.14/libavcodec/vdpau_hevc.c --- ffmpeg-2.8.11/libavcodec/vdpau_hevc.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vdpau_hevc.c 2018-02-19 00:50:25.000000000 +0000 @@ -245,7 +245,7 @@ const HEVCFrame *frame = &h->DPB[i]; if (frame != h->ref && (frame->flags & (HEVC_FRAME_FLAG_LONG_REF | HEVC_FRAME_FLAG_SHORT_REF))) { - if (j > 16) { + if (j > 15) { av_log(avctx, AV_LOG_WARNING, "VDPAU only supports up to 16 references in the DPB. " "This frame may not be decoded correctly.\n"); diff -Nru ffmpeg-2.8.11/libavcodec/vmnc.c ffmpeg-2.8.14/libavcodec/vmnc.c --- ffmpeg-2.8.11/libavcodec/vmnc.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/vmnc.c 2018-02-19 00:50:25.000000000 +0000 @@ -374,6 +374,12 @@ w = bytestream2_get_be16(gb); h = bytestream2_get_be16(gb); enc = bytestream2_get_be32(gb); + if ((dx + w > c->width) || (dy + h > c->height)) { + av_log(avctx, AV_LOG_ERROR, + "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", + w, h, dx, dy, c->width, c->height); + return AVERROR_INVALIDDATA; + } outptr = c->pic->data[0] + dx * c->bpp2 + dy * c->pic->linesize[0]; size_left = bytestream2_get_bytes_left(gb); switch (enc) { @@ -451,12 +457,6 @@ bytestream2_skip(gb, 2); break; case 0x00000000: // raw rectangle data - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } if (size_left < w * h * c->bpp2) { av_log(avctx, AV_LOG_ERROR, "Premature end of data! (need %i got %i)\n", @@ -467,12 +467,6 @@ c->pic->linesize[0]); break; case 0x00000005: // HexTile encoded rectangle - if ((dx + w > c->width) || (dy + h > c->height)) { - av_log(avctx, AV_LOG_ERROR, - "Incorrect frame size: %ix%i+%ix%i of %ix%i\n", - w, h, dx, dy, c->width, c->height); - return AVERROR_INVALIDDATA; - } res = decode_hextile(c, outptr, gb, w, h, c->pic->linesize[0]); if (res < 0) return res; diff -Nru ffmpeg-2.8.11/libavcodec/vorbis.c ffmpeg-2.8.14/libavcodec/vorbis.c --- ffmpeg-2.8.11/libavcodec/vorbis.c 2017-02-09 13:06:29.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vorbis.c 2018-02-19 00:50:32.000000000 +0000 @@ -73,7 +73,7 @@ if (bits[p] > 32) return AVERROR_INVALIDDATA; for (i = 0; i < bits[p]; ++i) - exit_at_level[i+1] = 1 << i; + exit_at_level[i+1] = 1u << i; #ifdef DEBUG av_log(NULL, AV_LOG_INFO, " %u. of %u code len %d code %d - ", p, num, bits[p], codes[p]); @@ -105,7 +105,7 @@ exit_at_level[i] = 0; // construct code (append 0s to end) and introduce new exits for (j = i + 1 ;j <= bits[p]; ++j) - exit_at_level[j] = code + (1 << (j - 1)); + exit_at_level[j] = code + (1u << (j - 1)); codes[p] = code; #ifdef DEBUG diff -Nru ffmpeg-2.8.11/libavcodec/vp3.c ffmpeg-2.8.14/libavcodec/vp3.c --- ffmpeg-2.8.11/libavcodec/vp3.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp3.c 2018-02-19 00:50:32.000000000 +0000 @@ -951,9 +951,11 @@ Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; - if (num_coeffs < 0) + if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficents at level %d\n", coeff_index); + return AVERROR_INVALIDDATA; + } if (eob_run > num_coeffs) { coeff_i = @@ -978,6 +980,9 @@ if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); + if (!eob_run) + eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { @@ -1071,6 +1076,9 @@ s->dct_tokens[0][0] = s->dct_tokens_base; + if (get_bits_left(gb) < 16) + return AVERROR_INVALIDDATA; + /* fetch the DC table indexes */ dc_y_table = get_bits(gb, 4); dc_c_table = get_bits(gb, 4); @@ -1080,6 +1088,8 @@ 0, residual_eob_run); if (residual_eob_run < 0) return residual_eob_run; + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* reverse prediction of the Y-plane DC coefficients */ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]); @@ -1102,6 +1112,8 @@ s->fragment_width[1], s->fragment_height[1]); } + if (get_bits_left(gb) < 8) + return AVERROR_INVALIDDATA; /* fetch the AC table indexes */ ac_y_table = get_bits(gb, 4); ac_c_table = get_bits(gb, 4); @@ -2020,16 +2032,18 @@ ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } else if (type == 2) { ret = theora_decode_tables(avctx, &gb); if (ret >= 0) ret = vp3_decode_init(avctx); if (ret < 0) { vp3_decode_end(avctx); + return ret; } - return ret; + return buf_size; } av_log(avctx, AV_LOG_ERROR, diff -Nru ffmpeg-2.8.11/libavcodec/vp3dsp.c ffmpeg-2.8.14/libavcodec/vp3dsp.c --- ffmpeg-2.8.11/libavcodec/vp3dsp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp3dsp.c 2018-02-19 00:50:25.000000000 +0000 @@ -41,7 +41,7 @@ #define xC6S2 25080 #define xC7S1 12785 -#define M(a, b) (((a) * (b)) >> 16) +#define M(a, b) ((int)((SUINT)(a) * (b)) >> 16) static av_always_inline void idct(uint8_t *dst, int stride, int16_t *input, int type) diff -Nru ffmpeg-2.8.11/libavcodec/vp5.c ffmpeg-2.8.14/libavcodec/vp5.c --- ffmpeg-2.8.11/libavcodec/vp5.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp5.c 2018-02-19 00:50:25.000000000 +0000 @@ -39,8 +39,11 @@ { VP56RangeCoder *c = &s->c; int rows, cols; + int ret; - ff_vp56_init_range_decoder(&s->c, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->c, buf, buf_size); + if (ret < 0) + return ret; s->frames[VP56_FRAME_CURRENT]->key_frame = !vp56_rac_get(c); vp56_rac_get(c); ff_vp56_init_dequant(s, vp56_rac_gets(c, 6)); @@ -181,7 +184,7 @@ int b, i, cg, idx, ctx, ctx_last; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp5_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-2.8.11/libavcodec/vp56.c ffmpeg-2.8.14/libavcodec/vp56.c --- ffmpeg-2.8.11/libavcodec/vp56.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp56.c 2018-02-19 00:50:25.000000000 +0000 @@ -261,6 +261,25 @@ return s->mb_type; } +static VP56mb vp56_conceal_mv(VP56Context *s, int row, int col) +{ + VP56mv *mv, vect = {0,0}; + int b; + + s->mb_type = VP56_MB_INTER_NOVEC_PF; + s->macroblocks[row * s->mb_width + col].type = s->mb_type; + + mv = &vect; + + s->macroblocks[row*s->mb_width + col].mv = *mv; + + /* same vector for all blocks */ + for (b=0; b<6; b++) + s->mv[b] = *mv; + + return s->mb_type; +} + static void vp56_add_predictors_dc(VP56Context *s, VP56Frame ref_frame) { int idx = s->idct_scantable[0]; @@ -381,30 +400,18 @@ } } -static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +static av_always_inline void vp56_render_mb(VP56Context *s, int row, int col, int is_alpha, VP56mb mb_type) { - AVFrame *frame_current, *frame_ref; - VP56mb mb_type; - VP56Frame ref_frame; int b, ab, b_max, plane, off; - int ret; - - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - mb_type = VP56_MB_INTRA; - else - mb_type = vp56_decode_mv(s, row, col); - ref_frame = ff_vp56_reference_frame[mb_type]; - - ret = s->parse_coeff(s); - if (ret < 0) - return ret; + AVFrame *frame_current, *frame_ref; + VP56Frame ref_frame = ff_vp56_reference_frame[mb_type]; vp56_add_predictors_dc(s, ref_frame); frame_current = s->frames[VP56_FRAME_CURRENT]; frame_ref = s->frames[ref_frame]; if (mb_type != VP56_MB_INTRA && !frame_ref->data[0]) - return 0; + return; ab = 6*is_alpha; b_max = 6 - 2*is_alpha; @@ -454,6 +461,38 @@ s->block_coeff[4][0] = 0; s->block_coeff[5][0] = 0; } +} + +static int vp56_decode_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + int ret; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_decode_mv(s, row, col); + + ret = s->parse_coeff(s); + if (ret < 0) + return ret; + + vp56_render_mb(s, row, col, is_alpha, mb_type); + + return 0; +} + +static int vp56_conceal_mb(VP56Context *s, int row, int col, int is_alpha) +{ + VP56mb mb_type; + + if (s->frames[VP56_FRAME_CURRENT]->key_frame) + mb_type = VP56_MB_INTRA; + else + mb_type = vp56_conceal_mv(s, row, col); + + vp56_render_mb(s, row, col, is_alpha, mb_type); + return 0; } @@ -468,6 +507,8 @@ s->plane_height[0] = s->plane_height[3] = avctx->coded_height; s->plane_height[1] = s->plane_height[2] = avctx->coded_height/2; + s->have_undamaged_frame = 0; + for (i=0; i<4; i++) s->stride[i] = s->flip * s->frames[VP56_FRAME_CURRENT]->linesize[i]; @@ -533,13 +574,18 @@ } ret = ff_get_buffer(avctx, p, AV_GET_BUFFER_FLAG_REF); - if (ret < 0) + if (ret < 0) { + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; + } if (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) { av_frame_unref(s->alpha_context->frames[VP56_FRAME_CURRENT]); if ((ret = av_frame_ref(s->alpha_context->frames[VP56_FRAME_CURRENT], p)) < 0) { av_frame_unref(p); + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(avctx, 0, 0); return ret; } } @@ -573,8 +619,12 @@ } } + s->discard_frame = 0; avctx->execute2(avctx, ff_vp56_decode_mbs, 0, 0, (avctx->pix_fmt == AV_PIX_FMT_YUVA420P) + 1); + if (s->discard_frame) + return AVERROR_INVALIDDATA; + if ((res = av_frame_ref(data, p)) < 0) return res; *got_frame = 1; @@ -593,6 +643,7 @@ int block, y, uv; ptrdiff_t stride_y, stride_uv; int res; + int damaged = 0; if (p->key_frame) { p->pict_type = AV_PICTURE_TYPE_I; @@ -657,9 +708,18 @@ s->block_offset[5] = s->block_offset[4]; for (mb_col=0; mb_colmb_width; mb_col++) { - int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); - if (ret < 0) - return ret; + if (!damaged) { + int ret = vp56_decode_mb(s, mb_row, mb_col, is_alpha); + if (ret < 0) { + damaged = 1; + if (!s->have_undamaged_frame || !avctx->error_concealment) { + s->discard_frame = 1; + return AVERROR_INVALIDDATA; + } + } + } + if (damaged) + vp56_conceal_mb(s, mb_row, mb_col, is_alpha); for (y=0; y<4; y++) { s->above_block_idx[y] += 2; @@ -673,6 +733,9 @@ } } + if (!damaged) + s->have_undamaged_frame = 1; + next: if (p->key_frame || s->golden_frame) { av_frame_unref(s->frames[VP56_FRAME_GOLDEN]); diff -Nru ffmpeg-2.8.11/libavcodec/vp56.h ffmpeg-2.8.14/libavcodec/vp56.h --- ffmpeg-2.8.11/libavcodec/vp56.h 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp56.h 2018-02-19 00:50:25.000000000 +0000 @@ -203,6 +203,9 @@ VLC runv_vlc[2]; VLC ract_vlc[2][3][6]; unsigned int nb_null[2][2]; /* number of consecutive NULL DC/AC */ + + int have_undamaged_frame; + int discard_frame; }; @@ -221,7 +224,7 @@ */ extern const uint8_t ff_vp56_norm_shift[256]; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size); static av_always_inline unsigned int vp56_rac_renorm(VP56RangeCoder *c) { diff -Nru ffmpeg-2.8.11/libavcodec/vp56rac.c ffmpeg-2.8.14/libavcodec/vp56rac.c --- ffmpeg-2.8.11/libavcodec/vp56rac.c 2016-03-29 03:25:23.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/vp56rac.c 2017-12-31 02:32:05.000000000 +0000 @@ -37,11 +37,14 @@ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, }; -void ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) +int ff_vp56_init_range_decoder(VP56RangeCoder *c, const uint8_t *buf, int buf_size) { c->high = 255; c->bits = -16; c->buffer = buf; c->end = buf + buf_size; + if (buf_size < 1) + return AVERROR_INVALIDDATA; c->code_word = bytestream_get_be24(&c->buffer); + return 0; } diff -Nru ffmpeg-2.8.11/libavcodec/vp6.c ffmpeg-2.8.14/libavcodec/vp6.c --- ffmpeg-2.8.11/libavcodec/vp6.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp6.c 2018-02-19 00:50:25.000000000 +0000 @@ -52,6 +52,7 @@ int sub_version; int rows, cols; int res = 0; + int ret; int separated_coeff = buf[0] & 1; s->frames[VP56_FRAME_CURRENT]->key_frame = !(buf[0] & 0x80); @@ -93,7 +94,7 @@ s->avctx->coded_width = 16 * cols; s->avctx->coded_height = 16 * rows; } else { - int ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); + ret = ff_set_dimensions(s->avctx, 16 * cols, 16 * rows); if (ret < 0) return ret; @@ -105,7 +106,9 @@ res = VP56_SIZE_CHANGE; } - ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + ret = ff_vp56_init_range_decoder(c, buf+6, buf_size-6); + if (ret < 0) + goto fail; vp56_rac_gets(c, 2); parse_filter_info = s->filter_header; @@ -122,7 +125,9 @@ buf += 2; buf_size -= 2; } - ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + ret = ff_vp56_init_range_decoder(c, buf+1, buf_size-1); + if (ret < 0) + return ret; s->golden_frame = vp56_rac_get(c); if (s->filter_header) { @@ -157,15 +162,16 @@ buf += coeff_offset; buf_size -= coeff_offset; if (buf_size < 0) { - if (s->frames[VP56_FRAME_CURRENT]->key_frame) - ff_set_dimensions(s->avctx, 0, 0); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); } else { - ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->cc, buf, buf_size); + if (ret < 0) + goto fail; s->ccp = &s->cc; } } else { @@ -173,6 +179,10 @@ } return res; +fail: + if (res == VP56_SIZE_CHANGE) + ff_set_dimensions(s->avctx, 0, 0); + return ret; } static void vp6_coeff_order_table_init(VP56Context *s) @@ -450,7 +460,7 @@ int b, i, cg, idx, ctx; int pt = 0; /* plane type (0 for Y, 1 for U or V) */ - if (c->end >= c->buffer && c->bits >= 0) { + if (c->end <= c->buffer && c->bits >= 0) { av_log(s->avctx, AV_LOG_ERROR, "End of AC stream reached in vp6_parse_coeff\n"); return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-2.8.11/libavcodec/vp8.c ffmpeg-2.8.14/libavcodec/vp8.c --- ffmpeg-2.8.11/libavcodec/vp8.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp8.c 2018-02-19 00:50:32.000000000 +0000 @@ -260,6 +260,7 @@ { const uint8_t *sizes = buf; int i; + int ret; s->num_coeff_partitions = 1 << vp8_rac_get_uint(&s->c, 2); @@ -273,13 +274,13 @@ if (buf_size - size < 0) return -1; - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, size); + if (ret < 0) + return ret; buf += size; buf_size -= size; } - ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); - - return 0; + return ff_vp56_init_range_decoder(&s->coeff_partition[i], buf, buf_size); } static void vp7_get_quants(VP8Context *s) @@ -517,7 +518,9 @@ memcpy(s->put_pixels_tab, s->vp8dsp.put_vp8_epel_pixels_tab, sizeof(s->put_pixels_tab)); - ff_vp56_init_range_decoder(c, buf, part1_size); + ret = ff_vp56_init_range_decoder(c, buf, part1_size); + if (ret < 0) + return ret; buf += part1_size; buf_size -= part1_size; @@ -569,7 +572,9 @@ s->lf_delta.enabled = 0; s->num_coeff_partitions = 1; - ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + ret = ff_vp56_init_range_decoder(&s->coeff_partition[0], buf, buf_size); + if (ret < 0) + return ret; if (!s->macroblocks_base || /* first frame */ width != s->avctx->width || height != s->avctx->height || @@ -600,6 +605,8 @@ s->fade_present = vp8_rac_get(c); } + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) @@ -698,7 +705,9 @@ memset(&s->lf_delta, 0, sizeof(s->lf_delta)); } - ff_vp56_init_range_decoder(c, buf, header_size); + ret = ff_vp56_init_range_decoder(c, buf, header_size); + if (ret < 0) + return ret; buf += header_size; buf_size -= header_size; @@ -2274,7 +2283,7 @@ #define update_pos(td, mb_y, mb_x) while(0) #endif -static av_always_inline void decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static av_always_inline int decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr, int is_vp7) { VP8Context *s = avctx->priv_data; @@ -2290,6 +2299,10 @@ curframe->tf.f->data[1] + 8 * mb_y * s->uvlinesize, curframe->tf.f->data[2] + 8 * mb_y * s->uvlinesize }; + + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; + if (mb_y == 0) prev_td = td; else @@ -2318,6 +2331,8 @@ s->mv_max.x = ((s->mb_width - 1) << 6) + MARGIN; for (mb_x = 0; mb_x < s->mb_width; mb_x++, mb_xy++, mb++) { + if (c->end <= c->buffer && c->bits >= 0) + return AVERROR_INVALIDDATA; // Wait for previous thread to read mb_x+2, and reach mb_y-1. if (prev_td != td) { if (threadnr != 0) { @@ -2393,18 +2408,19 @@ update_pos(td, mb_y, mb_x); } } + return 0; } -static void vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp7_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 1); } -static void vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, +static int vp8_decode_mb_row_no_filter(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr) { - decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); + return decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr, 0); } static av_always_inline void filter_mb_row(AVCodecContext *avctx, void *tdata, @@ -2487,13 +2503,16 @@ VP8ThreadData *next_td = NULL, *prev_td = NULL; VP8Frame *curframe = s->curframe; int mb_y, num_jobs = s->num_jobs; + int ret; td->thread_nr = threadnr; for (mb_y = jobnr; mb_y < s->mb_height; mb_y += num_jobs) { - if (mb_y >= s->mb_height) - break; td->thread_mb_pos = mb_y << 16; - s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + ret = s->decode_mb_row_no_filter(avctx, tdata, jobnr, threadnr); + if (ret < 0) { + update_pos(td, s->mb_height, INT_MAX & 0xFFFF); + return ret; + } if (s->deblock_filter) s->filter_mb_row(avctx, tdata, jobnr, threadnr); update_pos(td, mb_y, INT_MAX & 0xFFFF); @@ -2530,6 +2549,8 @@ enum AVDiscard skip_thresh; VP8Frame *av_uninit(curframe), *prev_frame; + av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P); + if (is_vp7) ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size); else diff -Nru ffmpeg-2.8.11/libavcodec/vp8.h ffmpeg-2.8.14/libavcodec/vp8.h --- ffmpeg-2.8.11/libavcodec/vp8.h 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp8.h 2018-02-19 00:50:25.000000000 +0000 @@ -282,7 +282,7 @@ */ int mb_layout; - void (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); + int (*decode_mb_row_no_filter)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); void (*filter_mb_row)(AVCodecContext *avctx, void *tdata, int jobnr, int threadnr); int vp7; diff -Nru ffmpeg-2.8.11/libavcodec/vp8dsp.c ffmpeg-2.8.14/libavcodec/vp8dsp.c --- ffmpeg-2.8.11/libavcodec/vp8dsp.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/vp8dsp.c 2017-12-31 22:35:48.000000000 +0000 @@ -53,7 +53,8 @@ #if CONFIG_VP7_DECODER static void vp7_luma_dc_wht_c(int16_t block[4][4][16], int16_t dc[16]) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -61,10 +62,10 @@ b1 = (dc[i * 4 + 0] - dc[i * 4 + 2]) * 23170; c1 = dc[i * 4 + 1] * 12540 - dc[i * 4 + 3] * 30274; d1 = dc[i * 4 + 1] * 30274 + dc[i * 4 + 3] * 12540; - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -73,10 +74,10 @@ c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; AV_ZERO64(dc + i * 4); - block[0][i][0] = (a1 + d1 + 0x20000) >> 18; - block[3][i][0] = (a1 - d1 + 0x20000) >> 18; - block[1][i][0] = (b1 + c1 + 0x20000) >> 18; - block[2][i][0] = (b1 - c1 + 0x20000) >> 18; + block[0][i][0] = (int)(a1 + d1 + 0x20000) >> 18; + block[3][i][0] = (int)(a1 - d1 + 0x20000) >> 18; + block[1][i][0] = (int)(b1 + c1 + 0x20000) >> 18; + block[2][i][0] = (int)(b1 - c1 + 0x20000) >> 18; } } @@ -95,7 +96,8 @@ static void vp7_idct_add_c(uint8_t *dst, int16_t block[16], ptrdiff_t stride) { - int i, a1, b1, c1, d1; + int i; + unsigned a1, b1, c1, d1; int16_t tmp[16]; for (i = 0; i < 4; i++) { @@ -104,10 +106,10 @@ c1 = block[i * 4 + 1] * 12540 - block[i * 4 + 3] * 30274; d1 = block[i * 4 + 1] * 30274 + block[i * 4 + 3] * 12540; AV_ZERO64(block + i * 4); - tmp[i * 4 + 0] = (a1 + d1) >> 14; - tmp[i * 4 + 3] = (a1 - d1) >> 14; - tmp[i * 4 + 1] = (b1 + c1) >> 14; - tmp[i * 4 + 2] = (b1 - c1) >> 14; + tmp[i * 4 + 0] = (int)(a1 + d1) >> 14; + tmp[i * 4 + 3] = (int)(a1 - d1) >> 14; + tmp[i * 4 + 1] = (int)(b1 + c1) >> 14; + tmp[i * 4 + 2] = (int)(b1 - c1) >> 14; } for (i = 0; i < 4; i++) { @@ -116,13 +118,13 @@ c1 = tmp[i + 4] * 12540 - tmp[i + 12] * 30274; d1 = tmp[i + 4] * 30274 + tmp[i + 12] * 12540; dst[0 * stride + i] = av_clip_uint8(dst[0 * stride + i] + - ((a1 + d1 + 0x20000) >> 18)); + ((int)(a1 + d1 + 0x20000) >> 18)); dst[3 * stride + i] = av_clip_uint8(dst[3 * stride + i] + - ((a1 - d1 + 0x20000) >> 18)); + ((int)(a1 - d1 + 0x20000) >> 18)); dst[1 * stride + i] = av_clip_uint8(dst[1 * stride + i] + - ((b1 + c1 + 0x20000) >> 18)); + ((int)(b1 + c1 + 0x20000) >> 18)); dst[2 * stride + i] = av_clip_uint8(dst[2 * stride + i] + - ((b1 - c1 + 0x20000) >> 18)); + ((int)(b1 - c1 + 0x20000) >> 18)); } } diff -Nru ffmpeg-2.8.11/libavcodec/vp9.c ffmpeg-2.8.14/libavcodec/vp9.c --- ffmpeg-2.8.11/libavcodec/vp9.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/vp9.c 2018-02-19 00:50:25.000000000 +0000 @@ -880,7 +880,10 @@ av_log(ctx, AV_LOG_ERROR, "Invalid compressed header size\n"); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c, data2, size2); + res = ff_vp56_init_range_decoder(&s->c, data2, size2); + if (res < 0) + return res; + if (vp56_rac_get_prob_branchy(&s->c, 128)) { // marker bit av_log(ctx, AV_LOG_ERROR, "Marker bit was set\n"); return AVERROR_INVALIDDATA; @@ -4129,7 +4132,9 @@ ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; } - ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + res = ff_vp56_init_range_decoder(&s->c_b[tile_col], data, tile_size); + if (res < 0) + return res; if (vp56_rac_get_prob_branchy(&s->c_b[tile_col], 128)) { // marker bit ff_thread_report_progress(&s->frames[CUR_FRAME].tf, INT_MAX, 0); return AVERROR_INVALIDDATA; diff -Nru ffmpeg-2.8.11/libavcodec/wavpack.c ffmpeg-2.8.14/libavcodec/wavpack.c --- ffmpeg-2.8.11/libavcodec/wavpack.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/wavpack.c 2018-02-19 00:50:32.000000000 +0000 @@ -184,7 +184,7 @@ goto error; t += t2; } else { - if (get_bits_left(gb) < t2 - 1) + if (t2 >= 32 || get_bits_left(gb) < t2 - 1) goto error; t += get_bits_long(gb, t2 - 1) | (1 << (t2 - 1)); } @@ -219,7 +219,7 @@ INC_MED(1); DEC_MED(2); } else { - base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2); + base = GET_MED(0) + GET_MED(1) + GET_MED(2) * (t - 2U); add = GET_MED(2) - 1; INC_MED(0); INC_MED(1); @@ -239,7 +239,7 @@ if (get_bits_left(gb) <= 0) goto error; if (get_bits1(gb)) { - add -= (mid - base); + add -= (mid - (unsigned)base); base = mid; } else add = mid - base - 1; @@ -267,7 +267,7 @@ int bit; if (s->extra_bits) { - S <<= s->extra_bits; + S *= 1 << s->extra_bits; if (s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits) { @@ -307,8 +307,8 @@ S <<= s->float_shift; sign = S < 0; if (sign) - S = -S; - if (S >= 0x1000000) { + S = -(unsigned)S; + if (S >= 0x1000000U) { if (s->got_extra_bits && get_bits1(&s->gb_extra_bits)) S = get_bits(&s->gb_extra_bits, 23); else @@ -474,7 +474,7 @@ } if (type == AV_SAMPLE_FMT_S16P) { - if (FFABS(L) + FFABS(R) > (1<<19)) { + if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } @@ -548,7 +548,7 @@ if (type != AV_SAMPLE_FMT_S16P) S = T + ((s->decorr[i].weightA * (int64_t)A + 512) >> 10); else - S = T + ((s->decorr[i].weightA * A + 512) >> 10); + S = T + ((int)(s->decorr[i].weightA * (unsigned)A + 512) >> 10); if (A && T) s->decorr[i].weightA -= ((((T ^ A) >> 30) & 2) - 1) * s->decorr[i].delta; s->decorr[i].samplesA[j] = T = S; @@ -680,7 +680,7 @@ s->hybrid_bitrate = s->frame_flags & WV_HYBRID_BITRATE; s->post_shift = bpp * 8 - orig_bpp + ((s->frame_flags >> 13) & 0x1f); s->hybrid_maxclip = ((1LL << (orig_bpp - 1)) - 1); - s->hybrid_minclip = ((-1LL << (orig_bpp - 1))); + s->hybrid_minclip = ((-1UL << (orig_bpp - 1))); s->CRC = bytestream2_get_le32(&gb); // parse metadata blocks @@ -734,13 +734,13 @@ } for (i = 0; i < weights; i++) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightA = t << 3; + s->decorr[s->terms - i - 1].weightA = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightA > 0) s->decorr[s->terms - i - 1].weightA += (s->decorr[s->terms - i - 1].weightA + 64) >> 7; if (s->stereo_in) { t = (int8_t)bytestream2_get_byte(&gb); - s->decorr[s->terms - i - 1].weightB = t << 3; + s->decorr[s->terms - i - 1].weightB = t * (1 << 3); if (s->decorr[s->terms - i - 1].weightB > 0) s->decorr[s->terms - i - 1].weightB += (s->decorr[s->terms - i - 1].weightB + 64) >> 7; @@ -835,9 +835,9 @@ continue; } bytestream2_get_buffer(&gb, val, 4); - if (val[0] > 32) { + if (val[0] > 30) { av_log(avctx, AV_LOG_ERROR, - "Invalid INT32INFO, extra_bits = %d (> 32)\n", val[0]); + "Invalid INT32INFO, extra_bits = %d (> 30)\n", val[0]); continue; } else if (val[0]) { s->extra_bits = val[0]; @@ -870,6 +870,12 @@ s->float_flag = bytestream2_get_byte(&gb); s->float_shift = bytestream2_get_byte(&gb); s->float_max_exp = bytestream2_get_byte(&gb); + if (s->float_shift > 31) { + av_log(avctx, AV_LOG_ERROR, + "Invalid FLOATINFO, shift = %d (> 31)\n", s->float_shift); + s->float_shift = 0; + continue; + } got_float = 1; bytestream2_skip(&gb, 1); break; diff -Nru ffmpeg-2.8.11/libavcodec/wavpack.h ffmpeg-2.8.14/libavcodec/wavpack.h --- ffmpeg-2.8.11/libavcodec/wavpack.h 2016-03-29 03:25:24.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/wavpack.h 2018-02-19 00:50:25.000000000 +0000 @@ -94,7 +94,7 @@ typedef struct WvChannel { int median[3]; int slow_level, error_limit; - int bitrate_acc, bitrate_delta; + unsigned bitrate_acc, bitrate_delta; } WvChannel; // macros for manipulating median values diff -Nru ffmpeg-2.8.11/libavcodec/webp.c ffmpeg-2.8.14/libavcodec/webp.c --- ffmpeg-2.8.11/libavcodec/webp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/webp.c 2018-02-19 00:50:25.000000000 +0000 @@ -694,7 +694,7 @@ length = offset + get_bits(&s->gb, extra_bits) + 1; } prefix_code = huff_reader_get_symbol(&hg[HUFF_IDX_DIST], &s->gb); - if (prefix_code > 39) { + if (prefix_code > 39U) { av_log(s->avctx, AV_LOG_ERROR, "distance prefix code too large: %d\n", prefix_code); return AVERROR_INVALIDDATA; @@ -1043,7 +1043,7 @@ uint8_t *line; int pixel_bits = 8 >> pal->size_reduction; - line = av_malloc(img->frame->linesize[0]); + line = av_malloc(img->frame->linesize[0] + AV_INPUT_BUFFER_PADDING_SIZE); if (!line) return AVERROR(ENOMEM); @@ -1099,6 +1099,21 @@ return 0; } +static void update_canvas_size(AVCodecContext *avctx, int w, int h) +{ + WebPContext *s = avctx->priv_data; + if (s->width && s->width != w) { + av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", + s->width, w); + } + s->width = w; + if (s->height && s->height != h) { + av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", + s->height, h); + } + s->height = h; +} + static int vp8_lossless_decode_frame(AVCodecContext *avctx, AVFrame *p, int *got_frame, uint8_t *data_start, unsigned int data_size, int is_alpha_chunk) @@ -1123,16 +1138,8 @@ w = get_bits(&s->gb, 14) + 1; h = get_bits(&s->gb, 14) + 1; - if (s->width && s->width != w) { - av_log(avctx, AV_LOG_WARNING, "Width mismatch. %d != %d\n", - s->width, w); - } - s->width = w; - if (s->height && s->height != h) { - av_log(avctx, AV_LOG_WARNING, "Height mismatch. %d != %d\n", - s->width, w); - } - s->height = h; + + update_canvas_size(avctx, w, h); ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) @@ -1327,9 +1334,8 @@ if (!s->initialized) { ff_vp8_decode_init(avctx); s->initialized = 1; - if (s->has_alpha) - avctx->pix_fmt = AV_PIX_FMT_YUVA420P; } + avctx->pix_fmt = s->has_alpha ? AV_PIX_FMT_YUVA420P : AV_PIX_FMT_YUV420P; s->lossless = 0; if (data_size > INT_MAX) { @@ -1342,6 +1348,14 @@ pkt.size = data_size; ret = ff_vp8_decode_frame(avctx, p, got_frame, &pkt); + if (ret < 0) + return ret; + + if (!*got_frame) + return AVERROR_INVALIDDATA; + + update_canvas_size(avctx, avctx->width, avctx->height); + if (s->has_alpha) { ret = vp8_lossy_decode_alpha(avctx, p, s->alpha_data, s->alpha_data_size); diff -Nru ffmpeg-2.8.11/libavcodec/wmv2dec.c ffmpeg-2.8.14/libavcodec/wmv2dec.c --- ffmpeg-2.8.11/libavcodec/wmv2dec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/wmv2dec.c 2018-02-19 00:50:32.000000000 +0000 @@ -30,7 +30,7 @@ #include "wmv2.h" -static void parse_mb_skip(Wmv2Context *w) +static int parse_mb_skip(Wmv2Context *w) { int mb_x, mb_y; MpegEncContext *const s = &w->s; @@ -45,6 +45,8 @@ MB_TYPE_16x16 | MB_TYPE_L0; break; case SKIP_TYPE_MPEG: + if (get_bits_left(&s->gb) < s->mb_height * s->mb_width) + return AVERROR_INVALIDDATA; for (mb_y = 0; mb_y < s->mb_height; mb_y++) for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -52,6 +54,8 @@ break; case SKIP_TYPE_ROW: for (mb_y = 0; mb_y < s->mb_height; mb_y++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_x = 0; mb_x < s->mb_width; mb_x++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -65,6 +69,8 @@ break; case SKIP_TYPE_COL: for (mb_x = 0; mb_x < s->mb_width; mb_x++) { + if (get_bits_left(&s->gb) < 1) + return AVERROR_INVALIDDATA; if (get_bits1(&s->gb)) { for (mb_y = 0; mb_y < s->mb_height; mb_y++) mb_type[mb_y * s->mb_stride + mb_x] = @@ -77,6 +83,7 @@ } break; } + return 0; } static int decode_ext_header(Wmv2Context *w) @@ -170,9 +177,12 @@ } } else { int cbp_index; + int ret; w->j_type = 0; - parse_mb_skip(w); + ret = parse_mb_skip(w); + if (ret < 0) + return ret; cbp_index = decode012(&s->gb); w->cbp_table_index = wmv2_get_cbp_table_index(s, cbp_index); @@ -352,6 +362,8 @@ w->hshift = 0; return 0; } + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_mb_non_intra_vlc[w->cbp_table_index].table, MB_NON_INTRA_VLC_BITS, 3); @@ -362,6 +374,8 @@ cbp = code & 0x3f; } else { s->mb_intra = 1; + if (get_bits_left(&s->gb) <= 0) + return AVERROR_INVALIDDATA; code = get_vlc2(&s->gb, ff_msmp4_mb_i_vlc.table, MB_INTRA_VLC_BITS, 2); if (code < 0) { av_log(s->avctx, AV_LOG_ERROR, diff -Nru ffmpeg-2.8.11/libavcodec/wmv2dsp.c ffmpeg-2.8.14/libavcodec/wmv2dsp.c --- ffmpeg-2.8.11/libavcodec/wmv2dsp.c 2016-03-29 03:25:24.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/wmv2dsp.c 2018-02-19 00:50:25.000000000 +0000 @@ -48,8 +48,8 @@ a4 = W0 * b[0] - W0 * b[4]; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; // 1, 3, 5, 7 + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[0] = (a0 + a2 + a1 + a5 + (1 << 7)) >> 8; @@ -78,8 +78,8 @@ a4 = (W0 * b[8 * 0] - W0 * b[8 * 4] ) >> 3; /* step 2 */ - s1 = (181 * (a1 - a5 + a7 - a3) + 128) >> 8; - s2 = (181 * (a1 - a5 - a7 + a3) + 128) >> 8; + s1 = (int)(181U * (a1 - a5 + a7 - a3) + 128) >> 8; + s2 = (int)(181U * (a1 - a5 - a7 + a3) + 128) >> 8; /* step 3 */ b[8 * 0] = (a0 + a2 + a1 + a5 + (1 << 13)) >> 14; diff -Nru ffmpeg-2.8.11/libavcodec/wnv1.c ffmpeg-2.8.14/libavcodec/wnv1.c --- ffmpeg-2.8.11/libavcodec/wnv1.c 2016-06-27 00:54:29.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/wnv1.c 2017-12-31 22:35:48.000000000 +0000 @@ -52,7 +52,7 @@ if (v == 15) return ff_reverse[get_bits(&w->gb, 8 - w->shift)]; else - return base_value + ((v - 7) << w->shift); + return base_value + ((v - 7U) << w->shift); } static int decode_frame(AVCodecContext *avctx, @@ -68,7 +68,7 @@ int prev_y = 0, prev_u = 0, prev_v = 0; uint8_t *rbuf; - if (buf_size <= 8) { + if (buf_size < 8 + avctx->height * (avctx->width/2)/8) { av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size); return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-2.8.11/libavcodec/x86/mpegvideodsp.c ffmpeg-2.8.14/libavcodec/x86/mpegvideodsp.c --- ffmpeg-2.8.11/libavcodec/x86/mpegvideodsp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/x86/mpegvideodsp.c 2018-02-19 00:50:32.000000000 +0000 @@ -53,8 +53,9 @@ const int dyh = (dyy - (1 << (16 + shift))) * (h - 1); const int dxh = dxy * (h - 1); const int dyw = dyx * (w - 1); - int need_emu = (unsigned) ix >= width - w || - (unsigned) iy >= height - h; + int need_emu = (unsigned) ix >= width - w || width < w || + (unsigned) iy >= height - h || height< h + ; if ( // non-constant fullpel offset (3% of blocks) ((ox ^ (ox + dxw)) | (ox ^ (ox + dxh)) | (ox ^ (ox + dxw + dxh)) | diff -Nru ffmpeg-2.8.11/libavcodec/x86/pixblockdsp_init.c ffmpeg-2.8.14/libavcodec/x86/pixblockdsp_init.c --- ffmpeg-2.8.11/libavcodec/x86/pixblockdsp_init.c 2016-03-29 03:25:25.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/x86/pixblockdsp_init.c 2018-02-19 00:50:25.000000000 +0000 @@ -39,12 +39,14 @@ if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } diff -Nru ffmpeg-2.8.11/libavcodec/xan.c ffmpeg-2.8.14/libavcodec/xan.c --- ffmpeg-2.8.11/libavcodec/xan.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/xan.c 2018-02-19 00:50:32.000000000 +0000 @@ -130,7 +130,10 @@ return ret; while (val != 0x16) { - unsigned idx = val - 0x17 + get_bits1(&gb) * byte; + unsigned idx; + if (get_bits_left(&gb) < 1) + return AVERROR_INVALIDDATA; + idx = val - 0x17 + get_bits1(&gb) * byte; if (idx >= 2 * byte) return AVERROR_INVALIDDATA; val = src[idx]; @@ -262,7 +265,7 @@ prevframe_index = (y + motion_y) * stride + x + motion_x; prevframe_x = x + motion_x; - if (prev_palette_plane == palette_plane && FFABS(curframe_index - prevframe_index) < pixel_count) { + if (prev_palette_plane == palette_plane && FFABS(motion_x + width*motion_y) < pixel_count) { avpriv_request_sample(s->avctx, "Overlapping copy"); return ; } diff -Nru ffmpeg-2.8.11/libavcodec/xwddec.c ffmpeg-2.8.14/libavcodec/xwddec.c --- ffmpeg-2.8.11/libavcodec/xwddec.c 2016-06-27 00:54:30.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/xwddec.c 2017-12-31 22:35:48.000000000 +0000 @@ -157,9 +157,9 @@ case XWD_GRAY_SCALE: if (bpp != 1 && bpp != 8) return AVERROR_INVALIDDATA; - if (pixdepth == 1) { + if (bpp == 1 && pixdepth == 1) { avctx->pix_fmt = AV_PIX_FMT_MONOWHITE; - } else if (pixdepth == 8) { + } else if (bpp == 8 && pixdepth == 8) { avctx->pix_fmt = AV_PIX_FMT_GRAY8; } break; diff -Nru ffmpeg-2.8.11/libavcodec/y41pdec.c ffmpeg-2.8.14/libavcodec/y41pdec.c --- ffmpeg-2.8.11/libavcodec/y41pdec.c 2016-06-27 00:54:30.000000000 +0100 +++ ffmpeg-2.8.14/libavcodec/y41pdec.c 2017-12-31 22:35:48.000000000 +0000 @@ -43,7 +43,7 @@ uint8_t *y, *u, *v; int i, j, ret; - if (avpkt->size < 3LL * avctx->height * avctx->width / 2) { + if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) { av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n"); return AVERROR(EINVAL); } diff -Nru ffmpeg-2.8.11/libavcodec/zmbv.c ffmpeg-2.8.14/libavcodec/zmbv.c --- ffmpeg-2.8.11/libavcodec/zmbv.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavcodec/zmbv.c 2018-02-19 00:50:32.000000000 +0000 @@ -539,6 +539,8 @@ } else { frame->key_frame = 0; frame->pict_type = AV_PICTURE_TYPE_P; + if (c->decomp_len < 2LL * ((c->width + c->bw - 1) / c->bw) * ((c->height + c->bh - 1) / c->bh)) + return AVERROR_INVALIDDATA; if (c->decomp_len) c->decode_xor(c); } diff -Nru ffmpeg-2.8.11/libavfilter/af_dcshift.c ffmpeg-2.8.14/libavfilter/af_dcshift.c --- ffmpeg-2.8.11/libavfilter/af_dcshift.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavfilter/af_dcshift.c 2018-02-19 00:50:32.000000000 +0000 @@ -28,7 +28,7 @@ typedef struct DCShiftContext { const AVClass *class; double dcshift; - double limiterthreshhold; + double limiterthreshold; double limitergain; } DCShiftContext; @@ -47,7 +47,7 @@ { DCShiftContext *s = ctx->priv; - s->limiterthreshhold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); + s->limiterthreshold = INT32_MAX * (1.0 - (fabs(s->dcshift) - s->limitergain)); return 0; } @@ -106,14 +106,14 @@ d = src[j]; - if (d > s->limiterthreshhold && dcshift > 0) { - d = (d - s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) + - s->limiterthreshhold + dcshift; - } else if (d < -s->limiterthreshhold && dcshift < 0) { - d = (d + s->limiterthreshhold) * s->limitergain / - (INT32_MAX - s->limiterthreshhold) - - s->limiterthreshhold + dcshift; + if (d > s->limiterthreshold && dcshift > 0) { + d = (d - s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) + + s->limiterthreshold + dcshift; + } else if (d < -s->limiterthreshold && dcshift < 0) { + d = (d + s->limiterthreshold) * s->limitergain / + (INT32_MAX - s->limiterthreshold) - + s->limiterthreshold + dcshift; } else { d = dcshift * INT32_MAX + d; } diff -Nru ffmpeg-2.8.11/libavfilter/avfiltergraph.c ffmpeg-2.8.14/libavfilter/avfiltergraph.c --- ffmpeg-2.8.11/libavfilter/avfiltergraph.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavfilter/avfiltergraph.c 2018-02-19 00:50:25.000000000 +0000 @@ -866,6 +866,8 @@ for (j = 0; j < outlink->in_samplerates->nb_formats; j++) { int diff = abs(sample_rate - outlink->in_samplerates->formats[j]); + av_assert0(diff < INT_MAX); // This would lead to the use of uninitialized best_diff but is only possible with invalid sample rates + if (diff < best_diff) { best_diff = diff; best_idx = j; diff -Nru ffmpeg-2.8.11/libavfilter/formats.c ffmpeg-2.8.14/libavfilter/formats.c --- ffmpeg-2.8.11/libavfilter/formats.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavfilter/formats.c 2018-02-19 00:50:32.000000000 +0000 @@ -72,7 +72,7 @@ for (j = 0; j < b->nb; j++) \ if (a->fmts[i] == b->fmts[j]) { \ if(k >= FFMIN(a->nb, b->nb)){ \ - av_log(NULL, AV_LOG_ERROR, "Duplicate formats in avfilter_merge_formats() detected\n"); \ + av_log(NULL, AV_LOG_ERROR, "Duplicate formats in %s detected\n", __FUNCTION__); \ av_free(ret->fmts); \ av_free(ret); \ return NULL; \ diff -Nru ffmpeg-2.8.11/libavfilter/vf_transpose.c ffmpeg-2.8.14/libavfilter/vf_transpose.c --- ffmpeg-2.8.11/libavfilter/vf_transpose.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavfilter/vf_transpose.c 2018-02-19 00:50:32.000000000 +0000 @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ typedef struct TransContext { const AVClass *class; int hsub, vsub; + int planes; int pixsteps[4]; int passthrough; ///< PassthroughType, landscape passthrough mode enabled @@ -105,6 +107,10 @@ trans->hsub = desc_in->log2_chroma_w; trans->vsub = desc_in->log2_chroma_h; + trans->planes = av_pix_fmt_count_planes(outlink->format); + + av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(trans->pixsteps, NULL, desc_out); @@ -147,7 +153,7 @@ AVFrame *in = td->in; int plane; - for (plane = 0; out->data[plane]; plane++) { + for (plane = 0; plane < trans->planes; plane++) { int hsub = plane == 1 || plane == 2 ? trans->hsub : 0; int vsub = plane == 1 || plane == 2 ? trans->vsub : 0; int pixstep = trans->pixsteps[plane]; diff -Nru ffmpeg-2.8.11/libavfilter/vf_uspp.c ffmpeg-2.8.14/libavfilter/vf_uspp.c --- ffmpeg-2.8.11/libavfilter/vf_uspp.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavfilter/vf_uspp.c 2018-02-19 00:50:25.000000000 +0000 @@ -227,8 +227,8 @@ p->frame->quality = ff_norm_qscale((qpsum + qpcount/2) / qpcount, p->qscale_type) * FF_QP2LAMBDA; } // init per MB qscale stuff FIXME - p->frame->height = height; - p->frame->width = width; + p->frame->height = height + BLOCK; + p->frame->width = width + BLOCK; for (i = 0; i < count; i++) { const int x1 = offset[i+count-1][0]; diff -Nru ffmpeg-2.8.11/libavformat/apngdec.c ffmpeg-2.8.14/libavformat/apngdec.c --- ffmpeg-2.8.11/libavformat/apngdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/apngdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -269,7 +269,7 @@ /* default is hundredths of seconds */ if (!delay_den) delay_den = 100; - if (!delay_num || delay_den / delay_num > ctx->max_fps) { + if (!delay_num || (ctx->max_fps && delay_den / delay_num > ctx->max_fps)) { delay_num = 1; delay_den = ctx->default_fps; } diff -Nru ffmpeg-2.8.11/libavformat/asfdec_f.c ffmpeg-2.8.14/libavformat/asfdec_f.c --- ffmpeg-2.8.11/libavformat/asfdec_f.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/asfdec_f.c 2018-02-19 00:50:32.000000000 +0000 @@ -749,13 +749,15 @@ count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; @@ -1611,6 +1613,11 @@ int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); diff -Nru ffmpeg-2.8.11/libavformat/avidec.c ffmpeg-2.8.14/libavformat/avidec.c --- ffmpeg-2.8.11/libavformat/avidec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/avidec.c 2018-02-19 00:50:25.000000000 +0000 @@ -1081,6 +1081,9 @@ if (!sub_demuxer) goto error; + if (strcmp(sub_demuxer->name, "srt") && strcmp(sub_demuxer->name, "ass")) + goto error; + if (!(ast->sub_ctx = avformat_alloc_context())) goto error; diff -Nru ffmpeg-2.8.11/libavformat/aviobuf.c ffmpeg-2.8.14/libavformat/aviobuf.c --- ffmpeg-2.8.11/libavformat/aviobuf.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/aviobuf.c 2018-02-19 00:50:25.000000000 +0000 @@ -222,6 +222,8 @@ offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) diff -Nru ffmpeg-2.8.11/libavformat/cinedec.c ffmpeg-2.8.14/libavformat/cinedec.c --- ffmpeg-2.8.11/libavformat/cinedec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/cinedec.c 2018-02-19 00:50:25.000000000 +0000 @@ -267,8 +267,12 @@ /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } diff -Nru ffmpeg-2.8.11/libavformat/concatdec.c ffmpeg-2.8.14/libavformat/concatdec.c --- ffmpeg-2.8.11/libavformat/concatdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/concatdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -192,8 +192,11 @@ ConcatStream *cs = &cat->cur_file->streams[idx]; AVBitStreamFilterContext *bsf; - if (cat->auto_convert && st->codec->codec_id == AV_CODEC_ID_H264 && - (st->codec->extradata_size < 4 || AV_RB32(st->codec->extradata) != 1)) { + if (cat->auto_convert && st->codec->codec_id == AV_CODEC_ID_H264) { + if (!st->codec->extradata_size || + (st->codec->extradata_size >= 3 && AV_RB24(st->codec->extradata) == 1) || + (st->codec->extradata_size >= 4 && AV_RB32(st->codec->extradata) == 1)) + return 0; av_log(cat->avf, AV_LOG_INFO, "Auto-inserting h264_mp4toannexb bitstream filter\n"); if (!(bsf = av_bitstream_filter_init("h264_mp4toannexb"))) { diff -Nru ffmpeg-2.8.11/libavformat/hls.c ffmpeg-2.8.14/libavformat/hls.c --- ffmpeg-2.8.11/libavformat/hls.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/hls.c 2018-02-19 00:50:25.000000000 +0000 @@ -197,6 +197,8 @@ char *cookies; ///< holds HTTP cookie values set in either the initial response or as an AVOption to the HTTP protocol context char *headers; ///< holds HTTP headers set as an AVOption to the HTTP protocol context AVDictionary *avio_opts; + char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -624,8 +626,19 @@ return AVERROR_INVALIDDATA; // only http(s) & file are allowed - if (!av_strstart(proto_name, "http", NULL) && !av_strstart(proto_name, "file", NULL)) + if (av_strstart(proto_name, "file", NULL)) { + if (strcmp(c->allowed_extensions, "ALL") && !av_match_ext(url, c->allowed_extensions)) { + av_log(c, AV_LOG_ERROR, + "Filename extension of \'%s\' is not a common multimedia extension, blocked for security reasons.\n" + "If you wish to override this adjust allowed_extensions, you can set it to \'ALL\' to allow all\n", + url); + return AVERROR_INVALIDDATA; + } + } else if (av_strstart(proto_name, "http", NULL)) { + ; + } else return AVERROR_INVALIDDATA; + if (!strncmp(proto_name, url, strlen(proto_name)) && url[strlen(proto_name)] == ':') ; else if (strcmp(proto_name, "file") || !strncmp(url, "file,", 5)) @@ -1240,6 +1253,7 @@ HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1271,6 +1285,9 @@ reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -1995,6 +2012,12 @@ static const AVOption hls_options[] = { {"live_start_index", "segment index to start live streams at (negative values are from the end)", OFFSET(live_start_index), AV_OPT_TYPE_INT, {.i64 = -3}, INT_MIN, INT_MAX, FLAGS}, + {"allowed_extensions", "List of file extensions that hls is allowed to access", + OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, + {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, + INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; diff -Nru ffmpeg-2.8.11/libavformat/http.c ffmpeg-2.8.14/libavformat/http.c --- ffmpeg-2.8.11/libavformat/http.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/http.c 2018-02-19 00:50:25.000000000 +0000 @@ -989,6 +989,7 @@ int len = 0; const char *method; int send_expect_100 = 0; + int ret; /* send http header */ post = h->flags & AVIO_FLAG_WRITE; @@ -1079,7 +1080,7 @@ if (s->headers) av_strlcpy(headers + len, s->headers, sizeof(headers) - len); - snprintf(s->buffer, sizeof(s->buffer), + ret = snprintf(s->buffer, sizeof(s->buffer), "%s %s HTTP/1.1\r\n" "%s" "%s" @@ -1095,6 +1096,14 @@ av_log(h, AV_LOG_DEBUG, "request: %s\n", s->buffer); + if (strlen(headers) + 1 == sizeof(headers) || + ret >= sizeof(s->buffer)) { + av_log(h, AV_LOG_ERROR, "overlong headers\n"); + err = AVERROR(EINVAL); + goto done; + } + + if ((err = ffurl_write(s->hd, s->buffer, strlen(s->buffer))) < 0) goto done; diff -Nru ffmpeg-2.8.11/libavformat/libssh.c ffmpeg-2.8.14/libavformat/libssh.c --- ffmpeg-2.8.11/libavformat/libssh.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/libssh.c 2018-02-19 00:50:32.000000000 +0000 @@ -103,7 +103,7 @@ } } - if (!authorized && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { + if (!authorized && password && (auth_methods & SSH_AUTH_METHOD_PASSWORD)) { if (ssh_userauth_password(libssh->session, NULL, password) == SSH_AUTH_SUCCESS) { av_log(libssh, AV_LOG_DEBUG, "Authentication successful with password.\n"); authorized = 1; diff -Nru ffmpeg-2.8.11/libavformat/lrcdec.c ffmpeg-2.8.14/libavformat/lrcdec.c --- ffmpeg-2.8.11/libavformat/lrcdec.c 2017-02-09 16:14:40.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/lrcdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -212,6 +212,7 @@ } ff_subtitles_queue_finalize(&lrc->q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); + av_bprint_finalize(&line, NULL); return 0; } diff -Nru ffmpeg-2.8.11/libavformat/matroskadec.c ffmpeg-2.8.14/libavformat/matroskadec.c --- ffmpeg-2.8.11/libavformat/matroskadec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/matroskadec.c 2018-02-19 00:50:32.000000000 +0000 @@ -1693,8 +1693,16 @@ } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { - if (!track->default_duration && track->video.frame_rate > 0) - track->default_duration = 1000000000 / track->video.frame_rate; + if (!track->default_duration && track->video.frame_rate > 0) { + double default_duration = 1000000000 / track->video.frame_rate; + if (default_duration > UINT64_MAX || default_duration < 0) { + av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); + } else { + track->default_duration = default_duration; + } + } if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) diff -Nru ffmpeg-2.8.11/libavformat/mov.c ffmpeg-2.8.14/libavformat/mov.c --- ffmpeg-2.8.11/libavformat/mov.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/mov.c 2018-02-19 00:50:32.000000000 +0000 @@ -2206,6 +2206,8 @@ avio_rb24(pb); /* flags */ entries = avio_rb32(pb); + if ((uint64_t)entries * 12 + 4 > atom.size) + return AVERROR_INVALIDDATA; av_log(c->fc, AV_LOG_TRACE, "track[%i].stsc.entries = %i\n", c->fc->nb_streams-1, entries); @@ -3979,7 +3981,7 @@ if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; @@ -4408,6 +4410,13 @@ } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); @@ -4665,6 +4674,7 @@ static int mov_switch_root(AVFormatContext *s, int64_t target) { + int ret; MOVContext *mov = s->priv_data; int i, j; int already_read = 0; @@ -4701,8 +4711,10 @@ mov->found_mdat = 0; - if (mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }) < 0 || - avio_feof(s->pb)) + ret = mov_read_default(mov, s->pb, (MOVAtom){ AV_RL32("root"), INT64_MAX }); + if (ret < 0) + return ret; + if (avio_feof(s->pb)) return AVERROR_EOF; av_log(s, AV_LOG_TRACE, "read fragments, offset 0x%"PRIx64"\n", avio_tell(s->pb)); diff -Nru ffmpeg-2.8.11/libavformat/mpeg.c ffmpeg-2.8.14/libavformat/mpeg.c --- ffmpeg-2.8.11/libavformat/mpeg.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/mpeg.c 2018-02-19 00:50:25.000000000 +0000 @@ -138,7 +138,7 @@ static int mpegps_read_header(AVFormatContext *s) { MpegDemuxContext *m = s->priv_data; - char buffer[7]; + char buffer[7] = { 0 }; int64_t last_pos = avio_tell(s->pb); m->header_state = 0xff; diff -Nru ffmpeg-2.8.11/libavformat/mux.c ffmpeg-2.8.14/libavformat/mux.c --- ffmpeg-2.8.11/libavformat/mux.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/mux.c 2018-02-19 00:50:25.000000000 +0000 @@ -632,7 +632,7 @@ av_log(s, AV_LOG_WARNING, "failed to avoid negative " "pts %s in stream %d.\n" "Try -avoid_negative_ts 1 as a possible workaround.\n", - av_ts2str(pkt->dts), + av_ts2str(pkt->pts), pkt->stream_index ); } diff -Nru ffmpeg-2.8.11/libavformat/mvdec.c ffmpeg-2.8.14/libavformat/mvdec.c --- ffmpeg-2.8.11/libavformat/mvdec.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/mvdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -338,6 +338,8 @@ uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); diff -Nru ffmpeg-2.8.11/libavformat/mxfdec.c ffmpeg-2.8.14/libavformat/mxfdec.c --- ffmpeg-2.8.11/libavformat/mxfdec.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/mxfdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -491,7 +491,7 @@ avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } @@ -887,6 +887,8 @@ segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -897,6 +899,8 @@ } for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); diff -Nru ffmpeg-2.8.11/libavformat/nsvdec.c ffmpeg-2.8.14/libavformat/nsvdec.c --- ffmpeg-2.8.11/libavformat/nsvdec.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/nsvdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -350,8 +350,11 @@ if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { diff -Nru ffmpeg-2.8.11/libavformat/oggdec.c ffmpeg-2.8.14/libavformat/oggdec.c --- ffmpeg-2.8.11/libavformat/oggdec.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/oggdec.c 2018-02-19 00:50:32.000000000 +0000 @@ -708,8 +708,10 @@ "Headers mismatch for stream %d: " "expected %d received %d.\n", i, os->codec->nb_header, os->nb_header); - if (s->error_recognition & AV_EF_EXPLODE) + if (s->error_recognition & AV_EF_EXPLODE) { + ogg_read_close(s); return AVERROR_INVALIDDATA; + } } if (os->start_granule != OGG_NOGRANULE_VALUE) os->lastpts = s->streams[i]->start_time = diff -Nru ffmpeg-2.8.11/libavformat/oggparsecelt.c ffmpeg-2.8.14/libavformat/oggparsecelt.c --- ffmpeg-2.8.11/libavformat/oggparsecelt.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/oggparsecelt.c 2018-02-19 00:50:25.000000000 +0000 @@ -65,9 +65,14 @@ st->codec->channels = nb_channels; if (sample_rate) avpriv_set_pts_info(st, 64, 1, sample_rate); - priv->extra_headers_left = 1 + extra_headers; - av_free(os->private); + + if (os->private) { + av_free(priv); + priv = os->private; + } os->private = priv; + priv->extra_headers_left = 1 + extra_headers; + AV_WL32(st->codec->extradata + 0, overlap); AV_WL32(st->codec->extradata + 4, version); return 1; diff -Nru ffmpeg-2.8.11/libavformat/oggparsevp8.c ffmpeg-2.8.14/libavformat/oggparsevp8.c --- ffmpeg-2.8.11/libavformat/oggparsevp8.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/oggparsevp8.c 2018-02-19 00:50:32.000000000 +0000 @@ -125,7 +125,7 @@ os->lastdts = vp8_gptopts(s, idx, os->granule, NULL) - duration; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; - if (s->streams[idx]->duration) + if (s->streams[idx]->duration && s->streams[idx]->duration != AV_NOPTS_VALUE) s->streams[idx]->duration -= s->streams[idx]->start_time; } } diff -Nru ffmpeg-2.8.11/libavformat/rl2.c ffmpeg-2.8.14/libavformat/rl2.c --- ffmpeg-2.8.11/libavformat/rl2.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/rl2.c 2018-02-19 00:50:25.000000000 +0000 @@ -170,12 +170,21 @@ } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;isize = 0; } -int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +static int amf_tag_skip(GetByteContext *gb) { - const uint8_t *base = data; AMFDataType type; unsigned nb = -1; int parse_key = 1; - if (data >= data_end) + if (bytestream2_get_bytes_left(gb) < 1) return -1; - switch ((type = *data++)) { - case AMF_DATA_TYPE_NUMBER: return 9; - case AMF_DATA_TYPE_BOOL: return 2; - case AMF_DATA_TYPE_STRING: return 3 + AV_RB16(data); - case AMF_DATA_TYPE_LONG_STRING: return 5 + AV_RB32(data); - case AMF_DATA_TYPE_NULL: return 1; - case AMF_DATA_TYPE_DATE: return 11; + + type = bytestream2_get_byte(gb); + switch (type) { + case AMF_DATA_TYPE_NUMBER: + bytestream2_get_be64(gb); + return 0; + case AMF_DATA_TYPE_BOOL: + bytestream2_get_byte(gb); + return 0; + case AMF_DATA_TYPE_STRING: + bytestream2_skip(gb, bytestream2_get_be16(gb)); + return 0; + case AMF_DATA_TYPE_LONG_STRING: + bytestream2_skip(gb, bytestream2_get_be32(gb)); + return 0; + case AMF_DATA_TYPE_NULL: + return 0; + case AMF_DATA_TYPE_DATE: + bytestream2_skip(gb, 10); + return 0; case AMF_DATA_TYPE_ARRAY: parse_key = 0; case AMF_DATA_TYPE_MIXEDARRAY: - nb = bytestream_get_be32(&data); + nb = bytestream2_get_be32(gb); case AMF_DATA_TYPE_OBJECT: while (nb-- > 0 || type != AMF_DATA_TYPE_ARRAY) { int t; if (parse_key) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) { - data++; + bytestream2_get_byte(gb); break; } - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; + bytestream2_skip(gb, size); } - t = ff_amf_tag_size(data, data_end); - if (t < 0 || t >= data_end - data) + t = amf_tag_skip(gb); + if (t < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += t; } - return data - base; - case AMF_DATA_TYPE_OBJECT_END: return 1; + return 0; + case AMF_DATA_TYPE_OBJECT_END: return 0; default: return -1; } } -int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, +int ff_amf_tag_size(const uint8_t *data, const uint8_t *data_end) +{ + GetByteContext gb; + int ret; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + ret = amf_tag_skip(&gb); + if (ret < 0 || bytestream2_get_bytes_left(&gb) <= 0) + return -1; + av_assert0(bytestream2_tell(&gb) >= 0 && bytestream2_tell(&gb) <= data_end - data); + return bytestream2_tell(&gb); +} + +static int amf_get_field_value2(GetByteContext *gb, const uint8_t *name, uint8_t *dst, int dst_size) { int namelen = strlen(name); int len; - while (*data != AMF_DATA_TYPE_OBJECT && data < data_end) { - len = ff_amf_tag_size(data, data_end); - if (len < 0) - len = data_end - data; - data += len; + while (bytestream2_peek_byte(gb) != AMF_DATA_TYPE_OBJECT && bytestream2_get_bytes_left(gb) > 0) { + int ret = amf_tag_skip(gb); + if (ret < 0) + return -1; } - if (data_end - data < 3) + if (bytestream2_get_bytes_left(gb) < 3) return -1; - data++; + bytestream2_get_byte(gb); + for (;;) { - int size = bytestream_get_be16(&data); + int size = bytestream2_get_be16(gb); if (!size) break; - if (size < 0 || size >= data_end - data) + if (size < 0 || size >= bytestream2_get_bytes_left(gb)) return -1; - data += size; - if (size == namelen && !memcmp(data-size, name, namelen)) { - switch (*data++) { + bytestream2_skip(gb, size); + if (size == namelen && !memcmp(gb->buffer-size, name, namelen)) { + switch (bytestream2_get_byte(gb)) { case AMF_DATA_TYPE_NUMBER: - snprintf(dst, dst_size, "%g", av_int2double(AV_RB64(data))); + snprintf(dst, dst_size, "%g", av_int2double(bytestream2_get_be64(gb))); break; case AMF_DATA_TYPE_BOOL: - snprintf(dst, dst_size, "%s", *data ? "true" : "false"); + snprintf(dst, dst_size, "%s", bytestream2_get_byte(gb) ? "true" : "false"); break; case AMF_DATA_TYPE_STRING: - len = bytestream_get_be16(&data); - av_strlcpy(dst, data, FFMIN(len+1, dst_size)); + len = bytestream2_get_be16(gb); + if (dst_size < 1) + return -1; + if (dst_size < len + 1) + len = dst_size - 1; + bytestream2_get_buffer(gb, dst, len); + dst[len] = 0; break; default: return -1; } return 0; } - len = ff_amf_tag_size(data, data_end); - if (len < 0 || len >= data_end - data) + len = amf_tag_skip(gb); + if (len < 0 || bytestream2_get_bytes_left(gb) <= 0) return -1; - data += len; } return -1; } +int ff_amf_get_field_value(const uint8_t *data, const uint8_t *data_end, + const uint8_t *name, uint8_t *dst, int dst_size) +{ + GetByteContext gb; + + if (data >= data_end) + return -1; + + bytestream2_init(&gb, data, data_end - data); + + return amf_get_field_value2(&gb, name, dst, dst_size); +} + static const char* rtmp_packet_type(int type) { switch (type) { diff -Nru ffmpeg-2.8.11/libavformat/utils.c ffmpeg-2.8.14/libavformat/utils.c --- ffmpeg-2.8.11/libavformat/utils.c 2017-02-09 16:14:55.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/utils.c 2018-02-19 00:50:32.000000000 +0000 @@ -1501,13 +1501,14 @@ if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; + av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && - (av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2LL << (wrap_bits - 1)) < 0)) { - if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2LL << (wrap_bits - 1))) { + av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { + if (av_compare_mod(pktl->pkt.pts, pktl->pkt.dts, 2ULL << (wrap_bits - 1))) { // not B-frame next_pkt->pts = pktl->pkt.dts; } @@ -3435,12 +3436,6 @@ } } - // close codecs which were opened in try_decode_frame() - for (i = 0; i < ic->nb_streams; i++) { - st = ic->streams[i]; - avcodec_close(st->codec); - } - ff_rfps_calculate(ic); for (i = 0; i < ic->nb_streams; i++) { @@ -3556,6 +3551,7 @@ ic->streams[i]->codec->thread_count = 0; if (st->info) av_freep(&st->info->duration_error); + avcodec_close(st->codec); av_freep(&ic->streams[i]->info); } if (ic->pb) @@ -3683,9 +3679,7 @@ av_dict_free(&st->metadata); av_freep(&st->probe_data.buf); av_freep(&st->index_entries); - av_freep(&st->codec->extradata); - av_freep(&st->codec->subtitle_header); - av_freep(&st->codec); + avcodec_free_context(&st->codec); av_freep(&st->priv_data); if (st->info) av_freep(&st->info->duration_error); @@ -3725,8 +3719,8 @@ av_freep(&s->chapters); av_dict_free(&s->metadata); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } diff -Nru ffmpeg-2.8.11/libavformat/wavdec.c ffmpeg-2.8.14/libavformat/wavdec.c --- ffmpeg-2.8.11/libavformat/wavdec.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/wavdec.c 2018-02-19 00:50:25.000000000 +0000 @@ -747,6 +747,8 @@ chunk_key[4] = 0; avio_read(pb, chunk_key, 4); chunk_size = avio_rl32(pb); + if (chunk_size == UINT32_MAX) + return AVERROR_INVALIDDATA; value = av_mallocz(chunk_size + 1); if (!value) diff -Nru ffmpeg-2.8.11/libavformat/webmdashenc.c ffmpeg-2.8.14/libavformat/webmdashenc.c --- ffmpeg-2.8.11/libavformat/webmdashenc.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavformat/webmdashenc.c 2018-02-19 00:50:25.000000000 +0000 @@ -428,6 +428,10 @@ char *p = w->adaptation_sets; char *q; enum { new_set, parsed_id, parsing_streams } state; + if (!w->adaptation_sets) { + av_log(s, AV_LOG_ERROR, "The 'adaptation_sets' option must be set.\n"); + return AVERROR(EINVAL); + } // syntax id=0,streams=0,1,2 id=1,streams=3,4 and so on state = new_set; while (p < w->adaptation_sets + strlen(w->adaptation_sets)) { @@ -458,7 +462,11 @@ if (as->streams == NULL) return AVERROR(ENOMEM); as->streams[as->nb_streams - 1] = to_integer(p, q - p + 1); - if (as->streams[as->nb_streams - 1] < 0) return -1; + if (as->streams[as->nb_streams - 1] < 0 || + as->streams[as->nb_streams - 1] >= s->nb_streams) { + av_log(s, AV_LOG_ERROR, "Invalid value for 'streams' in adapation_sets.\n"); + return AVERROR(EINVAL); + } if (*q == '\0') break; if (*q == ' ') state = new_set; p = ++q; diff -Nru ffmpeg-2.8.11/libavutil/common.h ffmpeg-2.8.14/libavutil/common.h --- ffmpeg-2.8.11/libavutil/common.h 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavutil/common.h 2018-02-19 00:50:32.000000000 +0000 @@ -162,7 +162,7 @@ */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { - if (a&(~0xFF)) return (-a)>>31; + if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -184,7 +184,7 @@ */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { - if (a&(~0xFFFF)) return (-a)>>31; + if (a&(~0xFFFF)) return (~a)>>31; else return a; } diff -Nru ffmpeg-2.8.11/libavutil/internal.h ffmpeg-2.8.14/libavutil/internal.h --- ffmpeg-2.8.11/libavutil/internal.h 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavutil/internal.h 2018-02-19 00:50:25.000000000 +0000 @@ -30,6 +30,9 @@ # define NDEBUG #endif +// This can be enabled to allow detection of additional integer overflows with ubsan +//#define CHECKED + #include #include #include @@ -256,6 +259,16 @@ # define ff_dlog(ctx, ...) do { if (0) av_log(ctx, AV_LOG_DEBUG, __VA_ARGS__); } while (0) #endif +// For debuging we use signed operations so overflows can be detected (by ubsan) +// For production we use unsigned so there are no undefined operations +#ifdef CHECKED +#define SUINT int +#define SUINT32 int32_t +#else +#define SUINT unsigned +#define SUINT32 uint32_t +#endif + /** * A wrapper for open() setting O_CLOEXEC. */ diff -Nru ffmpeg-2.8.11/libavutil/softfloat.h ffmpeg-2.8.14/libavutil/softfloat.h --- ffmpeg-2.8.11/libavutil/softfloat.h 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libavutil/softfloat.h 2018-02-19 00:50:32.000000000 +0000 @@ -43,6 +43,7 @@ static const SoftFloat FLOAT_1584893192 = { 0x32B771ED, 1}; static const SoftFloat FLOAT_100000 = { 0x30D40000, 17}; static const SoftFloat FLOAT_0999999 = { 0x3FFFFBCE, 0}; +static const SoftFloat FLOAT_MIN = { 0x20000000, MIN_EXP}; static inline av_const double av_sf2double(SoftFloat v) { v.exp -= ONE_BITS +1; @@ -109,8 +110,15 @@ * @return Will not be more denormalized than a. */ static inline av_const SoftFloat av_div_sf(SoftFloat a, SoftFloat b){ + int64_t temp = (int64_t)a.mant * (1<<(ONE_BITS+1)); + temp /= b.mant; a.exp -= b.exp; - a.mant = ((int64_t)a.mant<<(ONE_BITS+1)) / b.mant; + a.mant = temp; + while (a.mant != temp) { + temp /= 2; + a.exp--; + a.mant = temp; + } a = av_normalize1_sf(a); if (!a.mant || a.exp < MIN_EXP) return FLOAT_0; @@ -149,8 +157,10 @@ //FIXME log, exp, pow /** - * Converts a mantisse and exponent to a SoftFloat - * @returns a SoftFloat with value v * 2^frac_bits + * Converts a mantisse and exponent to a SoftFloat. + * This converts a fixed point value v with frac_bits fractional bits to a + * SoftFloat. + * @returns a SoftFloat with value v * 2^-frac_bits */ static inline av_const SoftFloat av_int2sf(int v, int frac_bits){ int exp_offset = 0; @@ -213,12 +223,12 @@ int st, ct; idx = a >> 26; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; cv = av_costbl_1_sf[idx & 0xf]; cv = (cv ^ sign) - sign; idx -= 8; - sign = (idx << 27) >> 31; + sign = (int32_t)((unsigned)idx << 27) >> 31; sv = av_costbl_1_sf[idx & 0xf]; sv = (sv ^ sign) - sign; diff -Nru ffmpeg-2.8.11/libswresample/resample.c ffmpeg-2.8.14/libswresample/resample.c --- ffmpeg-2.8.11/libswresample/resample.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libswresample/resample.c 2018-02-19 00:50:25.000000000 +0000 @@ -171,6 +171,14 @@ return 0; } +static void resample_free(ResampleContext **cc){ + ResampleContext *c = *cc; + if(!c) + return; + av_freep(&c->filter_bank); + av_freep(cc); +} + static ResampleContext *resample_init(ResampleContext *c, int out_rate, int in_rate, int filter_size, int phase_shift, int linear, double cutoff0, enum AVSampleFormat format, enum SwrFilterType filter_type, int kaiser_beta, double precision, int cheby) @@ -182,6 +190,7 @@ if (!c || c->phase_shift != phase_shift || c->linear!=linear || c->factor != factor || c->filter_length != FFMAX((int)ceil(filter_size/factor), 1) || c->format != format || c->filter_type != filter_type || c->kaiser_beta != kaiser_beta) { + resample_free(&c); c = av_mallocz(sizeof(*c)); if (!c) return NULL; @@ -251,13 +260,6 @@ return NULL; } -static void resample_free(ResampleContext **c){ - if(!*c) - return; - av_freep(&(*c)->filter_bank); - av_freep(c); -} - static int set_compensation(ResampleContext *c, int sample_delta, int compensation_distance){ c->compensation_distance= compensation_distance; if (compensation_distance) diff -Nru ffmpeg-2.8.11/libswscale/swscale-test.c ffmpeg-2.8.14/libswscale/swscale-test.c --- ffmpeg-2.8.11/libswscale/swscale-test.c 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/libswscale/swscale-test.c 2018-02-19 00:50:25.000000000 +0000 @@ -298,10 +298,10 @@ struct Results r; enum AVPixelFormat srcFormat; char srcStr[12]; - int srcW, srcH; + int srcW = 0, srcH = 0; enum AVPixelFormat dstFormat; char dstStr[12]; - int dstW, dstH; + int dstW = 0, dstH = 0; int flags; int ret; diff -Nru ffmpeg-2.8.11/tests/ref/fate/vp5 ffmpeg-2.8.14/tests/ref/fate/vp5 --- ffmpeg-2.8.11/tests/ref/fate/vp5 2017-02-09 16:14:41.000000000 +0000 +++ ffmpeg-2.8.14/tests/ref/fate/vp5 2018-02-19 00:50:25.000000000 +0000 @@ -245,4 +245,4 @@ 0, 243, 243, 1, 233472, 0x6f530ac6 0, 244, 244, 1, 233472, 0x94f7466c 0, 245, 245, 1, 233472, 0xa8c1d365 -0, 246, 246, 1, 233472, 0xedcff050 +0, 246, 246, 1, 233472, 0xbf73f1b7