Marton Balint [Mon, 11 Nov 2019 21:49:15 +0000 (22:49 +0100)]
avformat/mpegtsenc: allow any sensible PID for elementary and PMT PIDs
This sets the range of the first automatically assigned PMT PID or elementary
stream PID parameters to [0x20, 0x1ffa]. You can still assign manually a PID
for a stream using AVStream->id in the wider [0x10, 0x1ffe] range as specified
by ISO13818-1. But since DVB and ATSC both reserve some PIDs, let's not allow
them to be automatically assigned.
Also make sure that assigned PID numbers are valid and fix the error message
for the previous PID collision checks.
The unsharp filter uses an array of arrays of uint32_t, each of which is
separately allocated. These arrays also need to be freed separately; but
before doing so, one needs to check whether the array of arrays has
actually been allocated, otherwise one would dereference a NULL pointer.
This fixes #8408.
Furthermore, the array of arrays needs to be zero-initialized so that
no uninitialized pointer will be freed in case an allocation of one of
the individual arrays fails.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
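Added example, not FFmpeg's code: the allocation and cleanup pattern the unsharp commit message above describes, with a failure injected at each allocation in turn. `Table`, `table_init`, `table_uninit`, `run_with_failure` and the `hooked_calloc` test hook are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical test hook: the fail_at-th allocation returns NULL (0 = never). */
static int alloc_count, fail_at;
static void *hooked_calloc(size_t n, size_t size)
{
    return ++alloc_count == fail_at ? NULL : calloc(n, size);
}

typedef struct { uint32_t **rows; int nb_rows; } Table;

int table_init(Table *t, int nb_rows, int width)
{
    t->nb_rows = nb_rows;
    /* Zero-initialized outer array: every slot is NULL until it is filled. */
    t->rows = hooked_calloc(nb_rows, sizeof(*t->rows));
    if (!t->rows)
        return -1;
    for (int i = 0; i < nb_rows; i++)
        if (!(t->rows[i] = hooked_calloc(width, sizeof(**t->rows))))
            return -1;            /* cleanup is left to table_uninit() */
    return 0;
}

void table_uninit(Table *t)
{
    if (t->rows) {                /* the outer allocation may itself have failed */
        for (int i = 0; i < t->nb_rows; i++)
            free(t->rows[i]);     /* NULL for slots never reached: a no-op */
        free(t->rows);
    }
    t->rows = NULL;
}

/* Runs init + uninit with the n-th allocation failing; returns init's result. */
int run_with_failure(int n)
{
    Table t;
    alloc_count = 0; fail_at = n;
    int ret = table_init(&t, 3, 16);
    table_uninit(&t);
    return ret;
}

int main(void) { return run_with_failure(2) == -1 ? 0 : 1; }
```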
The 0 case was added with the support for multiple packets. It
appears unintended and causes extra complexity and out of array
accesses (though within padding)
No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This combination would assume different block sizes throughout the code so it's
better to error out.
Fixes: signed integer overflow: -1082385168 * 2 cannot be represented in type 'int'
Fixes: 19110/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5643993950191616
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/alac: Fix integer overflow in lpc_prediction() with sign
Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 18643/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5672182449700864
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv()
Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int'
Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/vmdaudio: Check chunk counts to avoid integer overflow
Fixes: signed integer overflow: 4 * 538976288 cannot be represented in type 'int'
Fixes: 18622/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5092166174507008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ff_flac_parse_picture() parses a buffer containing a flac metadata
picture block by wrapping it in an AVIOContext and using the AVIOContext
API. Consequently, when not enough data could be read AVERROR(EIO) was
returned although reading didn't really fail: A block that contains a
subfield whose size field indicates that it is so big as to extend
beyond the buffer is just invalid.
This commit changes this by using the bytestream2 API instead;
furthermore, the checks for whether there is enough data left are
performed before allocating a buffer for said data.
Finally, if the length of the picture description is bigger than
INT_MAX, it will now raise an error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
During parsing a flac picture metadata block, the mimetype is read as
follows: Its 32b size field is read and checked for being in the range
1..63; afterwards, the actual mimetype-string is read into a buffer of
size 64, where the length to read is the minimum of the length field and
the size of the destination buffer -1. Then an assert guards that length
is indeed < the size of the destination buffer before the string in the
buffer is zero-terminated.
The FFMIN as well as the assert are actually redundant, as it has
been checked that the string (even after terminating) fits into the
buffer. In order to make this clear, reword the check "len >= 64" to
"len >= sizeof(mimetype)" and drop the FFMIN as well as the assert.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
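Added example, not FFmpeg's code: a bounds-checked parse of the start of a FLAC picture block in the spirit of the two commit messages above, with each length field validated against the remaining data before anything is copied or allocated and a single `len >= sizeof(mimetype)` check. `Reader`, `get_be32`, `Picture`, `parse_picture_head` and the return codes are hypothetical; the small reader stands in for the bytestream2 API.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const uint8_t *p, *end; } Reader; /* stand-in for bytestream2 */
typedef struct { uint32_t type; char mimetype[64]; char *desc; } Picture;
static size_t left(const Reader *r) { return (size_t)(r->end - r->p); }

static int get_be32(Reader *r, uint32_t *v)
{
    if (left(r) < 4)
        return -1;
    *v = (uint32_t)r->p[0] << 24 | r->p[1] << 16 | r->p[2] << 8 | r->p[3];
    r->p += 4;
    return 0;
}

/* Parses type, MIME type and description. Returns 0 on success, -1 on
 * invalid data, -2 on allocation failure. The caller frees pic->desc. */
int parse_picture_head(const uint8_t *buf, size_t size, Picture *pic)
{
    Reader r = { buf, buf + size };
    uint32_t len;
    pic->desc = NULL;
    if (get_be32(&r, &pic->type) || get_be32(&r, &len))
        return -1;
    /* 1..63: string plus terminator fits, so no FFMIN or assert is needed. */
    if (len == 0 || len >= sizeof(pic->mimetype) || len > left(&r))
        return -1;
    memcpy(pic->mimetype, r.p, len);
    pic->mimetype[len] = '\0';
    r.p += len;
    /* Check the length against INT_MAX and the data left, then allocate. */
    if (get_be32(&r, &len) || len > (uint32_t)INT_MAX || len > left(&r))
        return -1;
    if (!(pic->desc = malloc((size_t)len + 1)))
        return -2;
    memcpy(pic->desc, r.p, len);
    pic->desc[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: the MIME length claims 9 bytes, only 2 follow. */
    static const uint8_t cut[] = { 0,0,0,3, 0,0,0,9, 'i','m' };
    Picture pic;
    return parse_picture_head(cut, sizeof(cut), &pic) == -1 ? 0 : 1;
}
```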
Steven Liu [Fri, 29 Nov 2019 05:16:00 +0000 (13:16 +0800)]
avformat/smoothstreamingenc: removed unused check of avformat_free_context
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
Steven Liu [Fri, 29 Nov 2019 05:15:59 +0000 (13:15 +0800)]
avformat/rtpenc_mpegts: removed unused check of avformat_free_context
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
Steven Liu [Fri, 29 Nov 2019 05:15:58 +0000 (13:15 +0800)]
avformat/hdsenc: removed unused check of avformat_free_context
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
Steven Liu [Fri, 29 Nov 2019 05:15:57 +0000 (13:15 +0800)]
avformat/dashenc: remove unused check of avformat_free_context
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Jun Zhao <barryjzhao@tencent.com>
Reviewed-by: Jeyapal, Karthick <kjeyapal@akamai.com>
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
This happens if allocating extradata fails and s->remove is unset.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Put an AVIOContext whose lifetime doesn't extend beyond the function where
it is allocated on the stack instead of allocating and freeing it. This
also avoids the need to free it, which in this case fixes possible
memleaks on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/movenc: Avoid allocation for small dynamic buffers
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small dynamic buffers.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/matroskaenc: Avoid allocation for small dynamic buffers
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small dynamic buffers (i.e. small master elements).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/id3v2enc: Avoid allocation for small tags
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small tags. Furthermore, it simplifies freeing.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/avc: Avoid allocation for small SPS/PPS arrays
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small extradata. Furthermore, it simplifies freeing.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small headers. Furthermore, it simplifies freeing.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
By using avio_get_dyn_buf() + ffio_free_dyn_buf() instead of
avio_close_dyn_buf() + av_free() one can avoid an allocation + copy for
small tags. Furthermore, it simplifies freeing.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avformat/aviobuf: Avoid allocating buffer when using dynamic buffer
Up until now, using a dynamic buffer entailed at least three
allocations: One for the AVIOContext, one for the AVIOContext's opaque
(which, among other things, contains the small write buffer), and one
for the big buffer that is independently allocated that is returned when
calling avio_close_dyn_buf().
It is possible to avoid the third allocation if one doesn't use a
packetized dynamic buffer, if all the data written so far fit into the
write buffer and if one does not require the actual (big) buffer to have
an indefinite lifetime. This is done by making avio_get_dyn_buf() return
a pointer to the data in the write buffer if nothing has been written to
the main buffer yet. The dynamic buffer will then be freed using
ffio_free_dynamic_buffer (which needed to be modified not to call
avio_close_dyn_buf() internally).
So a typical use-case like:
size = avio_close_dyn_buf(dyn_pb, &buf);
do something with buf
av_free(buf);
can be converted to:
size = avio_get_dyn_buf(dyn_pb, &buf);
do something with buf
ffio_free_dynamic_buffer(&dyn_pb);
In more complex scenarios this can simplify freeing as well, because it
is now clear that freeing always has to be performed via
ffio_free_dynamic_buffer().
Of course, in case this saves an allocation it also saves a memcpy.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Limin Wang [Wed, 20 Nov 2019 15:24:22 +0000 (23:24 +0800)]
avfilter/vf_libvmaf: Check for av_frame_alloc failure
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Limin Wang [Wed, 27 Nov 2019 10:46:51 +0000 (18:46 +0800)]
avfilter/vf_colorconstancy: av_frame_free(&in) in case of error or direct flag is false
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Thierry Foucu [Thu, 28 Nov 2019 00:25:33 +0000 (16:25 -0800)]
Add options for spatial layers.
Disable by default to output all the layers, to match libaomdec wrapper.
Add option to select the operating point for the spatial layers.
Update the documentation with the new options.
Limin Wang [Mon, 25 Nov 2019 03:45:10 +0000 (11:45 +0800)]
avcodec/v210dec: add support for frame and slice threading
1, Test server configure:
[root@localhost ~]# cat /proc/cpuinfo |grep "model name"
model name : Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
...
[root@localhost ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           102G        1.1G        100G         16M        657M        100G
Swap:          4.0G          0B        4.0G
2, Test result:
encode the v210 input data for testing:
./ffmpeg -y -i 4k_422.ts -c:v v210 -vframes 10 test.avi
Limin Wang [Mon, 25 Nov 2019 03:40:04 +0000 (11:40 +0800)]
avcodec/v410dec: add support for frame and slice threading
1, Test server configure:
[root@localhost ~]# cat /proc/cpuinfo |grep "model name"
model name : Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2650 v2 @ 2.60GHz
...
[root@localhost ~]# free -h
              total        used        free      shared  buff/cache   available
Mem:           102G        1.1G        100G         16M        657M        100G
Swap:          4.0G          0B        4.0G
2, Test result:
encode the v410 input data for testing:
./ffmpeg -y -i 4k_422.ts -c:v v410 -vframes 10 test.avi
Fixes: OOM
Fixes: 18956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-5766505644163072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next
Fixes: signed integer overflow: 6175076100092079360 - -5034989061050195840 cannot be represented in type 'long'
Fixes: 18614/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5704508847423488
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()
Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int'
Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/g729dec: Use 64bit and clip in scalar product
The G729 reference decoder clips after each individual operation and keeps track if overflow
occurred (in the fixed point implementation); this here is
simpler and faster but not 1:1 the same as what the reference does.
Non fuzzed samples which trigger any such overflow are welcome, so
the need and impact of different clipping solutions can be evaluated.
Fixes: signed integer overflow: 1271483721 + 1073676289 cannot be represented in type 'int'
Fixes: 18617/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5137705679978496
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
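Added example, not the decoder's or the G.729 reference's code: the two clipping strategies the g729dec commit message above contrasts, run on a constructed input where they give different results. `clip32`, `dot_clip_each` and `dot_clip_once` are hypothetical names, and `dot_clip_each` is a simplified stand-in for per-operation saturation.

```c
#include <stdint.h>

static int32_t clip32(int64_t v)
{
    return v > INT32_MAX ? INT32_MAX : v < INT32_MIN ? INT32_MIN : (int32_t)v;
}

/* Saturate after every accumulation step (per-operation clipping). */
int32_t dot_clip_each(const int16_t *a, const int16_t *b, int n)
{
    int32_t sum = 0;
    for (int i = 0; i < n; i++)
        sum = clip32((int64_t)sum + a[i] * b[i]);
    return sum;
}

/* Accumulate in 64 bits and clip once at the end: no signed overflow,
 * since each int16 product fits in int and the sum is held in int64_t. */
int32_t dot_clip_once(const int16_t *a, const int16_t *b, int n)
{
    int64_t sum = 0;
    for (int i = 0; i < n; i++)
        sum += a[i] * b[i];
    return clip32(sum);
}

/* Constructed input: 32767 * 32767 = 1073676289, the addend in the report. */
static const int16_t A[4] = { 32767, 32767, 32767,  32767 };
static const int16_t B[4] = { 32767, 32767, 32767, -32767 };

int main(void)
{
    /* The strategies disagree once an intermediate sum has saturated. */
    return dot_clip_each(A, B, 4) != dot_clip_once(A, B, 4) ? 0 : 1;
}
```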
avcodec/wmavoice: Fix integer overflow in synth_frame()
Fixes: left shift of negative value -3
Fixes: 18518/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-6560514359951360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avutil/lfg: Correct index increment type to avoid undefined behavior
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
As is, the decoder will never stop; it will cause an infinite loop. The RFC seems only
to speak of non-empty packets so endlessly generating noise from the last empty flush
packets seems wrong.
Fixes: infinite loop
Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andriy Gelman [Tue, 12 Nov 2019 05:37:02 +0000 (00:37 -0500)]
avcodec/v4l2_m2m_dec: Fix decoding on Odroid XU4
c0c79461967 unintentionally changed the initialization flow of the
decoder: It caused the capture buffers to be initialized on
v4l2_m2m.c:180 in v4l2_configure_contexts(). This breaks h264 decoding
on the Odroid XU4 (RPI4 was not affected).
This commit postpones capture buffer initialization
as before c0c79461967 to fix the issue.
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
Signed-off-by: Aman Gupta <aman@tmm1.net>