When the mov/mp4 demuxer encounters an error during decrypting a packet,
it returns the error, yet doesn't free the packet, so that the packet
leaks. This has been fixed in this commit.
Fixes the memleaks from ticket #8150.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ttaenc contained (1 << unary) - 1 as an argument for a function
expecting an unsigned int. unary can be as big as 31 in this case.
The type of the shift and the whole expression is int, because 1 fits
into an integer, so that the behaviour is undefined if unary == 31
as the result of the shift can't be represented in an int §. Subtraction
by 1 (which makes the result of the whole expression representable in
an int) doesn't change that this is undefined (it usually leads to
signed integer overflow which is undefined, too).
The solution is simple: Make 1 unsigned to change the type of the
whole expression to unsigned int (as the function expects anyway).
Fixes ticket #8153.
§: This of course presupposes the common int range of -2^31..2^31-1
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
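Added example, not part of the commit or of FFmpeg's code: the shift described in the ttaenc message above, with the unsigned form the commit adopts. It goes beyond the commit's case by also handling a shift count equal to the type width, which 1U alone does not make defined; shift_fits_int, unary_mask and low_bits_mask are hypothetical names, and a 32-bit int is assumed, as in the commit's footnote.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Can 1 << unary be represented in a (signed) int? The original
 * expression (1 << unary) - 1 is only defined when this holds. */
static int shift_fits_int(unsigned unary)
{
    return unary < sizeof(int) * CHAR_BIT - 1;
}

/* Fixed form described in the commit message: 1U makes the shift and the
 * subtraction unsigned. Defined for unary 0..31 with a 32-bit unsigned int. */
static unsigned unary_mask(unsigned unary)
{
    return (1U << unary) - 1;
}

/* Hypothetical checked helper (not from FFmpeg): also accepts n == 32 and
 * rejects anything larger instead of shifting by >= the type width. */
static int low_bits_mask(unsigned n, uint32_t *mask)
{
    if (n > 32)
        return -1;
    *mask = n == 32 ? UINT32_MAX : (UINT32_C(1) << n) - 1;
    return 0;
}

int main(void)
{
    const unsigned counts[] = { 30, 31, 32, 33 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        uint32_t m = 0;
        int ok = low_bits_mask(counts[i], &m);
        printf("n=%2u  int shift defined: %d  mask: %s0x%08x\n", counts[i],
               shift_fits_int(counts[i]), ok ? "rejected " : "", (unsigned)m);
    }
    printf("unary_mask(31) = 0x%08x\n", unary_mask(31));
    return 0;
}
```

Building the signed variant with -fsanitize=undefined is the usual way to surface this class of bug in testing.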
sharpbai [Tue, 13 Aug 2019 06:18:21 +0000 (14:18 +0800)]
avcodec/videotoolboxenc: fix encoding frame crash on iOS 11
On iOS 11, encoding a frame may return error with log
"Error encoding frame 0", which means vtenc_output_callback
is called with status=0 and sample_buffer=NULL. Then the
encoding session will crash on the next callback, whether or not
closing the codec context.
Let us look through the link below introducing VTCompressionOutputCallback,
"status=0" (noErr) means compression was successful.
"sampleBuffer=NULL" means the frame was dropped when compression
was successful (status=0) or compression was not successful (status!=0).
So we should not set AVERROR_EXTERNAL on "status=0" and "sample_buffer=NULL"
as it is not an error.
The fix is that we only set AVERROR_EXTERNAL with status value non zero.
When sample_buffer is NULL and status value is zero, we simply return
with no other operation.
This crash often occurs on iOS 11 for example encoding 720p@25fps.
Signed-off-by: sharpbai <sharpbai@gmail.com>
Signed-off-by: Rick Kern <kernrj@gmail.com>
avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/cfhd: Check that cropped size is smaller than full
Fixes: signed integer overflow: 57342 * 120830 cannot be represented in type 'int'
Fixes: 16426/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5758744817827840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
gxw [Tue, 6 Aug 2019 11:11:16 +0000 (19:11 +0800)]
avutil/mips: refactor msa SLDI_Bn_0 and SLDI_Bn macros.
Details of the changes are as follows:
1. The previous order of parameters is irregular and difficult to
understand. Adjust the order of the parameters according to the
rule: (RTYPE, input registers, input mask/input index/..., output registers).
Most of the existing msa macros follow the rule.
2. Remove the redundant macro SLDI_Bn_0 and use SLDI_Bn instead.
Reviewed-by: Shiyou Yin <yinshiyou-hf@loongson.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
lavc/videotoolboxdec: fix crop handling when multithreaded
This was partially fixed by 233cd89, but it made changes to AVFrame fields
from within end_frame, which doesn't work consistently when multithreading
is enabled. This is what the post_process function is for.
avformat/hlsenc: Fix memleak when using single_file
This commit fixes a memleak in the hls muxer when one uses a single file
as output. It has been forgotten to free the temporary buffers used to write
the packets so that the size of the leaks basically amounts to the size
of the output file. This commit adds the necessary free.
Reviewed-by: Steven Liu <lq@onvideo.cn>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/mjpegdec: Restore non bayer checks in ljpeg_decode_rgb_scan()
Fixes: out of array write
Fixes: 17088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5654877765632000
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/alsdec: Check k from being outside what our implementation can handle
The specification does not seem to list what the maximum valid
value is
Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 16268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5638164544225280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/takdec: Fix integer overflow in decorrelate()
Fixes: signed integer overflow: -2424832 - 2145653689 cannot be represented in type 'int'
Fixes: 16138/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-5643451346976768
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/aacps: Fix integer overflows in hybrid_synthesis()
Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int'
Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block()
Fixes: signed integer overflow: 24023040 * 112 cannot be represented in type 'int'
Fixes: 16570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5173275211071488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/vp56rac: delay signaling an error on truncated input
A threshold of 1 is sufficient for simple_dump_cut.webm, 10 is used
just to be sure the next truncated file doesn't cause the same issue.
Obvious alternative fixes are to simply accept that the file is broken or to
write some advanced error concealment or to
simply accept that the decoder won't stop at the end of input.
Fixes: Ticket 8069 (artifacts not the differing md5 which was there before 1afd246960202917e244c844c534e9c1e3c323f5)
Fixes: simple_dump_cut.webm
Fixes: regression of 1afd246960202917e244c844c534e9c1e3c323f5
fate-vp5 changes because the last frame is truncated and now handled
differently.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Maxime Jourdan [Fri, 30 Aug 2019 18:34:52 +0000 (11:34 -0700)]
avcodec/v4l2_m2m_dec: fix dropped packets while decoding
* FFmpeg retrieves a packet from the bitstream
* It attempts to get an input buffer (from its own list or by dequeuing one from the driver)
* If no input buffer is found, the bitstream packet is dropped instead of scheduled for trying again later
It's an issue that showed especially at high speeds (like using `-f null -` as output parameters).
Aman Gupta [Fri, 30 Aug 2019 22:42:00 +0000 (15:42 -0700)]
avcodec/v4l2_m2m_dec: set pkt_dts on decoded frames to NOPTS
Without this ffmpeg will attempt to copy the dts from the
most recently enqueued packet into the most recently dequeued
frame, which does not account for the buffering inside v4l2
and is not accurate.
Aman Gupta [Fri, 30 Aug 2019 21:02:48 +0000 (14:02 -0700)]
avcodec/v4l2_buffers: read height/width from the proper context
Frames are generally dequeued into capture buffers, so using
the output properties here was incorrect. It happened to work
fine for decoding, since the output/capture buffers have the same
dimensions.
For the v4l2 scaler, the dimensions can be different between output
and capture. Using the buffer's associated context makes this code
work correctly regardless of where the frame is coming from.
Lynne [Thu, 15 Aug 2019 10:13:35 +0000 (11:13 +0100)]
opusdsp: adjust and optimize C function to match assembly
The C and asm versions behaved differently _outside_ of the codec.
The C version returned pre-multiplied 'state' for the next execution
to use right away, while the assembly version outputted non-multiplied
'state' for the next execution to multiply to save instructions.
Since the initial state when initialized or seeking is always 0,
and since C and asm versions were never mixed, there was no issue.
However, comparing outputs directly in checkasm doesn't work without
dividing the initial state by CELT_EMPH_COEFF and multiplying the
returned state by CELT_EMPH_COEFF for the assembly function.
Since it's actually faster to do this in C as well, copy the behavior the
asm versions use. As a reminder, the initial state 0 is divided by
CELT_EMPH_COEFF on seek and init (just in case in the future this is
changed, it's technically more correct to init with CELT_EMPH_COEFF than 0,
however when seeking this will result in more audible pops, unlike with 0
where the output gets in sync over a few samples).