From 10ff052c601368f129466e6de19e9862aaaec7d1 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Fri, 23 Nov 2012 14:05:36 +0100 Subject: [PATCH 01/12] lavf: avoid integer overflow in ff_compute_frame_duration() Scaling the denominator instead of the numerator if it is too large loses precision. Fixes an assert caused by a negative frame duration in the fuzzed sample nasa-8s2.ts_s202310. CC: libav-stable@libav.org (cherry picked from commit 7709ce029a7bc101b9ac1ceee607cda10dcb89dc) Signed-off-by: Reinhard Tartler --- libavformat/utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 5f3da495fd..be679258a0 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -813,7 +813,10 @@ static void compute_frame_duration(int *pnum, int *pden, AVStream *st, *pnum = st->codec->time_base.num; *pden = st->codec->time_base.den; if (pc && pc->repeat_pict) { - *pnum = (*pnum) * (1 + pc->repeat_pict); + if (*pnum > INT_MAX / (1 + pc->repeat_pict)) + *pden /= 1 + pc->repeat_pict; + else + *pnum *= 1 + pc->repeat_pict; } //If this codec can be interlaced or progressive then we need a parser to compute duration of a packet //Thus if we have no parser in such case leave duration undefined. From 5fa739e685bcbd29dd83139c245935099112beed Mon Sep 17 00:00:00 2001 
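Review bot: The denominator branch `*pden /= 1 + pc->repeat_pict;` uses truncating integer division, so whenever `*pden` is smaller than `1 + pc->repeat_pict` the time-base denominator collapses to 0 and any later use of `*pden` as a divisor is undefined. Scaling the numerator in 64-bit and reducing both terms back into int range avoids the overflow without the precision loss the commit message accepts: `av_reduce(pnum, pden, (int64_t)*pnum * (1 + pc->repeat_pict), *pden, INT_MAX);` can replace the whole if/else, assuming libavutil/mathematics.h is already included by this file. The body of compute_frame_duration continues outside the hunk.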
From: Janne Grunau Date: Fri, 16 Nov 2012 14:31:09 +0100 Subject: [PATCH 02/12] h264: enable low delay only if no delayed frames were seen Dropping frames is undesirable but that is the only way by which the decoder could return to low delay mode. Instead emit a warning and continue with delayed frames. Fixes a crash in fuzzed sample nasa-8s2.ts_s20033 caused by a larger than expected has_b_frames value. Low delay keeps getting re-enabled from a presumely broken SPS. CC: libav-stable@libav.org (cherry picked from commit 706acb558a38eba633056773280155d66c2f4b24) Conflicts: libavcodec/h264.c --- libavcodec/h264.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 0940335edf..98c68d873f 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3847,9 +3847,16 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ init_get_bits(&s->gb, ptr, bit_length); ff_h264_decode_seq_parameter_set(h); - if (s->flags& CODEC_FLAG_LOW_DELAY || - (h->sps.bitstream_restriction_flag && !h->sps.num_reorder_frames)) - s->low_delay=1; + if (s->flags & CODEC_FLAG_LOW_DELAY || + (h->sps.bitstream_restriction_flag && + !h->sps.num_reorder_frames)) { + if (s->avctx->has_b_frames > 1 || h->delayed_pic[0]) + av_log(avctx, AV_LOG_WARNING, "Delayed frames seen " + "reenabling low delay requires a codec " + "flush.\n"); + else + s->low_delay = 1; + } if(avctx->has_b_frames < 2) avctx->has_b_frames= !s->low_delay; From 08d9fd611eac18be52e0bd3430ba6acb740cd79f Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Mon, 3 Dec 2012 22:53:30 +0100 Subject: [PATCH 03/12] ppc: always use pic for shared libraries CC: libav-stable@libav.org (cherry picked from commit 1944d532a8a1c4b12222f0acfeb1153630dbc996) Conflicts: configure --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 6a2ff4fa01..05a7161ef8 100755 --- a/configure +++ b/configure 
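Review bot: The new warning is emitted on every SPS that re-requests low delay, and the commit message itself says the broken SPS keeps re-enabling it, so such a stream repeats the message for every SPS NAL; rate-limiting it (for instance a once-per-context flag cleared on flush) would keep the log readable. The message also lacks a separator between its two clauses: `"Delayed frames seen. Reenabling low delay requires a codec flush.\n"`. The new check reads `s->avctx->has_b_frames` while the line directly below uses `avctx->has_b_frames`; pick one spelling. decode_nal_units continues outside the hunk on both sides.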
@@ -2342,7 +2342,7 @@ check_host_cflags -std=c99 check_host_cflags -Wall case "$arch" in - alpha|ia64|mips|parisc|sparc) + alpha|ia64|mips|parisc|ppc|sparc) spic=$shared ;; x86) From 4457e6137d83d3b65d919608cd0f12bc62d57c67 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sun, 25 Nov 2012 12:56:04 +0100 Subject: [PATCH 04/12] h264: check sps.log2_max_frame_num for validity Fixes infinite or long taking loop in frame num gap code in the fuzzed sample bipbop234.ts_s223302. CC: libav-stable@libav.org (cherry picked from commit d7d6efe42b0d2057e67999b96b9a391f533d2333) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 9eeff59762..367138a8c0 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -37,6 +37,9 @@ //#undef NDEBUG #include +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) +#define MIN_LOG2_MAX_FRAME_NUM 4 + static const AVRational pixel_aspect[17]={ {0, 1}, {1, 1}, @@ -298,7 +301,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ MpegEncContext * const s = &h->s; int profile_idc, level_idc, constraint_set_flags = 0; unsigned int sps_id; - int i; + int i, log2_max_frame_num_minus4; SPS *sps; profile_idc= get_bits(&s->gb, 8); @@ -345,7 +348,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ sps->bit_depth_chroma = 8; } - sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; + log2_max_frame_num_minus4 = get_ue_golomb(&s->gb); + if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 || + log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) { + av_log(h->s.avctx, AV_LOG_ERROR, + "log2_max_frame_num_minus4 out of range (0-12): %d\n", + log2_max_frame_num_minus4); + return AVERROR_INVALIDDATA; + } + sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4; + sps->poc_type= get_ue_golomb_31(&s->gb); if(sps->poc_type == 0){ //FIXME #define 
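Review bot: The `return AVERROR_INVALIDDATA;` added after the log2_max_frame_num range check bypasses whatever cleanup the function's other failure paths do; if `sps` has already been allocated at this point and those paths release it through a `fail:` label (both outside the hunk), this early return leaks the SPS and should be `goto fail;` instead. The range itself matches the constants introduced in the first hunk of this file, and the message's `(0-12)` agrees with `MIN_LOG2_MAX_FRAME_NUM - 4` and `MAX_LOG2_MAX_FRAME_NUM - 4`, so that part is consistent. ff_h264_decode_seq_parameter_set continues outside the hunk.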
From 884a9b0d298acfba29c01690e27419ab646fa51a Mon Sep 17 00:00:00 2001 From: Victor Lopez Date: Wed, 19 Dec 2012 09:12:24 +0100 Subject: [PATCH 05/12] h264: fix sps parsing for SVC and CAVLC 4:4:4 Intra profiles Fixes bug 396. CC: libav-stable@libav.org (cherry picked from commit 1c8bf3bfed5ff5c504c8e3de96188a977f67cce0) Signed-off-by: Reinhard Tartler --- libavcodec/h264_ps.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 367138a8c0..26db079af3 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -330,7 +330,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ memset(sps->scaling_matrix8, 16, sizeof(sps->scaling_matrix8)); sps->scaling_matrix_present = 0; - if(sps->profile_idc >= 100){ //high profile + if (sps->profile_idc == 100 || sps->profile_idc == 110 || + sps->profile_idc == 122 || sps->profile_idc == 244 || + sps->profile_idc == 44 || sps->profile_idc == 83 || + sps->profile_idc == 86 || sps->profile_idc == 118 || + sps->profile_idc == 128 || sps->profile_idc == 144) { sps->chroma_format_idc= get_ue_golomb_31(&s->gb); if(sps->chroma_format_idc > 3) { av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc); From a39c6bf1b878f6667697225299707ef08a9482c8 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Sat, 22 Dec 2012 01:21:09 -0500 Subject: [PATCH 06/12] alacdec: do not be too strict about the extradata size Sometimes the extradata has duplicate atoms, but that shouldn't prevent decoding. Just ensure that it is at least 36 bytes as a sanity check. CC: libav-stable@libav.org (cherry picked from commit 68a04b0ccee66f57516e129dd3ec457fd50b4bec) Signed-off-by: Reinhard Tartler --- libavcodec/alac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 4ea3f7ee84..37e957eed5 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c 
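Review bot: The ten-way `sps->profile_idc == …` chain replaces one readable condition with bare numbers and no statement of what they have in common, which is a maintenance hazard the next time a profile is added. A comment such as `/* profiles that signal chroma_format_idc: High (100), High 10 (110), High 4:2:2 (122), High 4:4:4 Predictive (244), CAVLC 4:4:4 Intra (44), Scalable Baseline/High (83, 86), Multiview/Stereo High (118, 128), legacy High 4:4:4 (144) */` above the condition would document the set; a small static table scanned by a helper would be the tidier form if the list grows again. The condition's body continues outside the hunk.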
@@ -664,10 +664,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx) alac->numchannels = alac->avctx->channels; /* initialize from the extradata */ - if (alac->avctx->extradata_size != ALAC_EXTRADATA_SIZE) { - av_log(avctx, AV_LOG_ERROR, "alac: expected %d extradata bytes\n", - ALAC_EXTRADATA_SIZE); - return -1; + if (alac->avctx->extradata_size < ALAC_EXTRADATA_SIZE) { + av_log(avctx, AV_LOG_ERROR, "alac: extradata is too small\n"); + return AVERROR_INVALIDDATA; } if (alac_set_info(alac)) { av_log(avctx, AV_LOG_ERROR, "alac: set_info failed\n"); From 808187965570012cca99a7c0fdf1d93652947285 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Mon, 7 Jan 2013 18:39:04 +0200 Subject: [PATCH 07/12] rtsp: Recheck the reordering queue if getting a new packet MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If we timed out and consumed a packet from the reordering queue, but didn't return a packet to the caller, recheck the queue status. Otherwise, we could end up in an infinite loop, trying to consume a queued packet that has already been consumed. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 8729698d50739524665090e083d1bfdf28235724) Signed-off-by: Reinhard Tartler --- libavformat/rtsp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 80cd587144..25aba7de67 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -1641,6 +1641,7 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) rt->cur_transport_priv = NULL; } +redo: if (rt->transport == RTSP_TRANSPORT_RTP) { int i; int64_t first_queue_time = 0; 
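Review bot: The rewritten error message drops the numbers that made the old one actionable; `av_log(avctx, AV_LOG_ERROR, "alac: extradata too small (%d < %d)\n", avctx->extradata_size, ALAC_EXTRADATA_SIZE);` keeps the diagnostic while still accepting oversized extradata. The relaxed `<` check is sound only if alac_set_info reads no more than the first ALAC_EXTRADATA_SIZE bytes, which cannot be confirmed from this hunk; a one-line comment stating that assumption next to the check would help. alac_decode_init continues outside the hunk.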
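Review bot: The relocated `redo:` label now restarts the whole reordering-queue scan, but nothing in the code says why a backward jump to this point is needed; a comment such as `/* re-entered after a queue timeout that consumed a packet without returning one: rescan the queue before waiting again */` on the label would carry the rationale from the commit message into the source. The `else` branch in the following hunk that clears `wait_end` and `first_queue_st` is what makes the re-entry safe, since both presumably keep their values from the previous pass otherwise (their declarations are outside the hunk). ff_rtsp_fetch_packet continues outside both hunks.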
@@ -1656,12 +1657,15 @@ int ff_rtsp_fetch_packet(AVFormatContext *s, AVPacket *pkt) first_queue_st = rt->rtsp_streams[i]; } } - if (first_queue_time) + if (first_queue_time) { wait_end = first_queue_time + s->max_delay; + } else { + wait_end = 0; + first_queue_st = NULL; + } } /* read next RTP packet */ - redo: if (!rt->recvbuf) { rt->recvbuf = av_malloc(RECVBUF_SIZE); if (!rt->recvbuf) From 55065315caf138223b1f2f4e168fc64f601d1352 Mon Sep 17 00:00:00 2001 From: Dale Curtis Date: Wed, 7 Mar 2012 14:26:58 -0800 Subject: [PATCH 08/12] Fix uninitialized reads on malformed ogg files. The ogg decoder wasn't padding the input buffer with the appropriate FF_INPUT_BUFFER_PADDING_SIZE bytes. Which led to uninitialized reads in various pieces of parsing code when they thought they had more data than they actually did. Signed-off-by: Dale Curtis Signed-off-by: Ronald S. Bultje (cherry picked from commit ef0d779706c77ca9007527bd8d41e9400682f4e4) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 18201677b8..8c94f4e618 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s) for (i = 0; i < ogg->nstreams; i++){ struct ogg_stream *os = ogg->streams + i; - os->buf = av_malloc (os->bufsize); - memset (os->buf, 0, os->bufsize); + os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (os->buf, ost->streams[i].buf, os->bufpos); } @@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) os = ogg->streams + idx; os->serial = serial; os->bufsize = DECODER_BUFFER_SIZE; - os->buf = av_malloc(os->bufsize); + os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); os->header = -1; if (new_avstream) { 
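Review bot: In ogg_save the result of `av_mallocz(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE)` is passed straight to `memcpy` with no NULL check, so an allocation failure becomes a write through a null pointer; `if (!os->buf) return AVERROR(ENOMEM);` is the minimum, although the partially built save state would also need releasing on that path. The `av_malloc` in the ogg_new_stream hunk below and in the ogg_new_buf hunk of the next file section are unchecked in the same way, and patch 09 of this series only adds a check on the ogg_read_page growth path. ogg_save's loop body continues outside the hunk.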
@@ -184,7 +183,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) static int ogg_new_buf(struct ogg *ogg, int idx) { struct ogg_stream *os = ogg->streams + idx; - uint8_t *nb = av_malloc(os->bufsize); + uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE); int size = os->bufpos - os->pstart; if(os->buf){ memcpy(nb, os->buf + os->pstart, size); @@ -293,7 +292,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) } if (os->bufsize - os->bufpos < size){ - uint8_t *nb = av_malloc (os->bufsize *= 2); + uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; @@ -306,6 +305,7 @@ static int ogg_read_page(AVFormatContext *s, int *str) os->granule = gp; os->flags = flags; + memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE); if (str) *str = idx; From 910c1f2352830f1c0e7505cc96c77eac556df083 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 22 Dec 2012 17:58:24 +0100 Subject: [PATCH 09/12] oggdec: check memory allocation (cherry picked from commit ba064ebe48376e199f353ef0b335ed8a39c638c5) Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 8c94f4e618..a28232a04e 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -160,8 +160,13 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream) AVStream *st; struct ogg_stream *os; - ogg->streams = av_realloc (ogg->streams, - ogg->nstreams * sizeof (*ogg->streams)); + os = av_realloc (ogg->streams, ogg->nstreams * sizeof (*ogg->streams)); + + if (!os) + return AVERROR(ENOMEM); + + ogg->streams = os; + memset (ogg->streams + idx, 0, sizeof (*ogg->streams)); os = ogg->streams + idx; os->serial = serial; 
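Review bot: The new `if (!os) return AVERROR(ENOMEM);` leaves `ogg->nstreams` counting a stream that was never allocated if, as the `idx` usage suggests, the counter is post-incremented just above the hunk (not visible here); ogg_read_close, which patch 10 of this series starts calling on header failure, iterates up to `nstreams` and would then read one element past the old array. Undoing the increment on the failure path, `if (!os) { ogg->nstreams--; return AVERROR(ENOMEM); }`, keeps the two in step. Reusing `os` as the realloc temporary is type-correct but easy to misread; a dedicated local would make the intent obvious. ogg_new_stream continues outside the hunk.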
@@ -293,6 +298,8 @@ static int ogg_read_page(AVFormatContext *s, int *str) if (os->bufsize - os->bufpos < size){ uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE); + if (!nb) + return AVERROR(ENOMEM); memcpy (nb, os->buf, os->bufpos); av_free (os->buf); os->buf = nb; From 3bc9cfe66e1a34c6d9dc45fde2a44aa38e6363ce Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 12 Jan 2013 19:36:27 +0100 Subject: [PATCH 10/12] oggdec: free the ogg streams on read_header failure Plug an annoying memory leak on broken files. (cherry picked from commit 89b51b570daa80e6e3790fcd449fe61fc5574e07) Signed-off-by: Luca Barbato (cherry picked from commit 42bd6d9cf681306d14c92af97a40116fe4eb2522) Conflicts: libavformat/oggdec.c Conflicts: libavformat/oggdec.c --- libavformat/oggdec.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index a28232a04e..cab6da7b13 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -492,14 +492,29 @@ static int ogg_get_length(AVFormatContext *s) return 0; } -static int ogg_read_header(AVFormatContext *s, AVFormatParameters *ap) +static int ogg_read_close(AVFormatContext *s) { struct ogg *ogg = s->priv_data; int i; + + for (i = 0; i < ogg->nstreams; i++) { + av_free(ogg->streams[i].buf); + av_free(ogg->streams[i].private); + } + av_free(ogg->streams); + return 0; +} + +static int ogg_read_header(AVFormatContext *s) +{ + struct ogg *ogg = s->priv_data; + int i, ret; ogg->curidx = -1; //linear headers seek from start - if (ogg_get_headers (s) < 0){ - return -1; + ret = ogg_get_headers(s); + if (ret < 0) { + ogg_read_close(s); + return ret; } for (i = 0; i < ogg->nstreams; i++) 
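Review bot: The new NULL check comes after `(os->bufsize *= 2)` has already executed inside the av_malloc argument, so on ENOMEM the stream records twice the capacity of the buffer still held in `os->buf`; should the caller keep feeding this stream after the error (cannot be confirmed from here), the `os->bufsize - os->bufpos < size` test above would wrongly pass and the following memcpy would overrun the real allocation. Compute the doubled size into a local, allocate from it, and assign `os->bufsize` only after the check succeeds; that also removes the side effect hidden in the argument list. ogg_read_page continues outside the hunk.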
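Review bot: The new side changes the signature to `static int ogg_read_header(AVFormatContext *s)`, dropping the `AVFormatParameters *ap` parameter the removed line carried; if this stable branch's `AVInputFormat.read_header` callback still takes that second argument, the function no longer matches the callback type and the parameter should be kept (unused) in the backport. The relocated ogg_read_close frees `ogg->streams` but leaves the pointer and `ogg->nstreams` in place, so a second call, for example if the generic layer also closes the demuxer after the failed ogg_read_header, is a double free; adding `ogg->streams = NULL; ogg->nstreams = 0;` before its `return 0;` makes it idempotent. ogg_read_header continues outside the hunk.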
@@ -583,19 +598,6 @@ retry: return psize; } -static int ogg_read_close(AVFormatContext *s) -{ - struct ogg *ogg = s->priv_data; - int i; - - for (i = 0; i < ogg->nstreams; i++){ - av_free (ogg->streams[i].buf); - av_free (ogg->streams[i].private); - } - av_free (ogg->streams); - return 0; -} - static int64_t ogg_read_timestamp(AVFormatContext *s, int stream_index, int64_t *pos_arg, int64_t pos_limit) { From ad025377462cd01c11f1fe67d087804999af9d49 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Wed, 28 Nov 2012 22:17:14 +0100 Subject: [PATCH 11/12] h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org (cherry-picked from commit c1fcf563b13051f280db169ba41c6a1b21b25e08) Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 98c68d873f..1f85eea24d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3832,6 +3832,7 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){ hx->inter_gb_ptr= &hx->inter_gb; if(hx->redundant_pic_count==0 && hx->intra_gb_ptr && hx->s.data_partitioning + && s->current_picture_ptr && s->context_initialized && (avctx->skip_frame < AVDISCARD_NONREF || hx->nal_ref_idc) && (avctx->skip_frame < AVDISCARD_BIDIR || hx->slice_type_nos!=AV_PICTURE_TYPE_B) From dd0c5e0fa909bac905ea8baa49b704892792a1c9 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Sat, 12 Jan 2013 17:22:50 +0100 Subject: [PATCH 12/12] h264: check ref_count validity for num_ref_idx_active_override_flag Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org (cherry-picked from commit 6e5cdf26281945ddea3aaf5eca4d127791f23ca8) Signed-off-by: Janne Grunau --- libavcodec/h264.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
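Review bot: The two added operands test `s->current_picture_ptr` and `s->context_initialized` while the surrounding operands of the same condition are taken from `hx`; if `hx` can be a different context from `h` at this point (slice threading), a comment should state why the parent context's state is the right guard for decoding `hx`'s partitions, and otherwise `hx->s.` would read consistently with its neighbours. Either way the line deserves a why-comment, e.g. `/* a data partition can precede any slice header that allocates the picture and initialises the context */`. The `if` condition and decode_nal_units continue outside the hunk.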
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1f85eea24d..739b9d2e51 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2890,8 +2890,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ if(num_ref_idx_active_override_flag){ h->ref_count[0]= get_ue_golomb(&s->gb) + 1; - if(h->slice_type_nos==AV_PICTURE_TYPE_B) + if (h->ref_count[0] < 1) + return AVERROR_INVALIDDATA; + if (h->slice_type_nos == AV_PICTURE_TYPE_B) { h->ref_count[1]= get_ue_golomb(&s->gb) + 1; + if (h->ref_count[1] < 1) + return AVERROR_INVALIDDATA; + } } if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
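Review bot: `if (h->ref_count[0] < 1)` (and the matching check for `ref_count[1]`) only means what it says if `ref_count` is signed; if the field is `unsigned int` (cannot tell from the hunk), the comparison reduces to `== 0`, which still catches a `get_ue_golomb` result of -1 but leaves wrapped large values to the `> max_refs` test below and reads as if it also rejected negatives. Parsing into a signed local and storing only after validation makes the intent explicit: `int n = get_ue_golomb(&s->gb) + 1; if (n < 1) return AVERROR_INVALIDDATA; h->ref_count[0] = n;`. decode_slice_header continues outside the hunk.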