avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error
The query_formats function of the amix filter tries to allocate a list
of channel layouts which are attached to more permanent objects
(an AVFilter's links) for storage afterwards on success. If attaching
a list to a link succeeds, the link becomes one of the common owners
of the list. Yet if a list has been successfully attached to links (or if
there were no links to attach it to in which case
ff_set_common_channel_layouts() already frees the list) and an error
happens lateron, the list was manually freed, which is wrong, because
the list has either already been freed or it is owned by its links in
which case these links' pointers to their list will become dangling and
there will be double-frees/uses-after-free when these links are cleaned
up automatically.
This commit fixes this by removing the custom freeing code; this is made
possible by using the list in ff_set_common_channel_layouts() directly
after its allocation (without anything that can fail in between).
Notice that ff_set_common_channel_layouts() is buggy itself which can
lead to double-frees on error. This is not fixed in this commit.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Replace using ff_add_format() repeatedly by a single call to
ff_make_format_list(). (Right now this also fixes a memleak: If the
first ff_add_format() succeeds and a subsequent call fails, the list
leaks.)
Reviewed-by: Paul B Mahol <onemda@gmail.com> Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/vf_vpp_qsv: Fix leak of AVFilterFormats on error
The vpp_qsv's query_formats function allocated two AVFilterFormats,
before storing them permanently. If storing the first of them fails,
the function simply returns and the second leaks. This has been fixed by
only allocating the second AVFilterFormats structure after the first one
has been successfully stored.
avfilter/vf_paletteuse: Fix leaks of AVFilterFormats on error
The paletteuse's query_formats function allocated three AVFilterFormats
before storing them permanently. If allocating one of them failed, the
three AVFilterFormats structures would be freed with av_freep() which
does not free separately allocated subelements (namely the formats
array) which leak.
Furthermore, if storing one of the first two fails, the function simply
returns and the ones not yet stored leak.
These leaks have been fixed by only creating a new AVFilterFormats after
the last one has already been permanently stored. Furthermore, it is
enough to check whether the elements have been properly stored as
ff_formats_ref() by design returns AVERROR(ENOMEM) if it is provided a
NULL AVFilterFormats *.
avfilter/graphparser: Fix memleak when linking filters fails
Parsing labeled outputs involves a check for an already known match
(a labeled input with the same name) to pair them together. If yes,
it is attempted to create a link between the two filters; in this case
the AVFilterInOuts have fulfilled their purpose and are freed. Yet if
creating the link fails, these AVFilterInOuts have up until now not been
freed, although they had already been removed from their respective lists
(which means that they are not freed automatically). In other words:
They leak. This commit fixes this.
This fixes ticket #7084. Said ticket contains an example program to
reproduce a leak. It can also be reproduced with ffmpeg alone, e.g. with
the complex filters "[0]null[1],[2]anull[0]" or with "[0]abitscope[0]".
All of these three examples involve media type mismatches which make it
impossible to create the links. The bug could also be triggered by other
means, e.g. failure to allocate the necessary AVFilterLink.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
fftools/ffmpeg: Fix leak of AVFilterInOut in case of error
The AVFilterInOuts normally get freed in init_output_filter() when
the corresponding streams get created; yet if an error happens before
one reaches said point, they leak. Therefore this commit makes
ffmpeg_cleanup free them, too.
Fixes ticket #8267.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/graphparser: Check allocations for success
parse_filter() did not check the return value of av_get_token() for
success; in case name (the name of a filter) was NULL, one got a
segfault in av_strlcpy() (called from create_filter()).
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/graphparser: Don't set pointer to one beyond '\0' of string
This happened in parse_link_name() if there was a '[' without matching
']'. While this is not undefined behaviour (pointer arithmetic one
beyond the end of an array works fine as long as there are no accesses),
it is potentially dangerous. It currently isn't (all callers of
parse_link_name() treat this as an error and don't access the string any
more), but making sure that this will never cause trouble in the future
seems nevertheless worthwhile.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/graphparser: Fix leaks when parsing inputs fails
parse_inputs() uses a temporary linked list to parse the labeled inputs
of a filter; said linked list owns its elements (and their names). On
success, the list of unlabeled inputs is appened to the end of the list
of labeled inputs and the new list is returned; yet on failures, nothing
frees the already existing elements of the temporary linked list, leading
to a leak.
This can be triggered by e.g. using '-vf [v][' in the FFmpeg
command-line tool.
Andriy Gelman [Sun, 23 Aug 2020 17:33:37 +0000 (13:33 -0400)]
avcodec/v4l2_m2m_enc: buffer frame if it cannot be enqueued
Currently if the frame buffers are full, the frame is unrefed and
dropped. Instead buffer the frame so that it is enqueued in the
next v4l2_receive_packet() call. The behavior was observed on
DragonBoard 410c.
Clément Bœsch [Mon, 10 Aug 2020 13:59:26 +0000 (15:59 +0200)]
fate: add fate-sub-dvb test
The dvbsubtest_filter.ts sample is a filtered version of the Videolan
sample database (samples/sub/dvbsub/dvbsubtest.ts) using Project X. It
originates from ticket #8844.
Michael Bradshaw [Mon, 13 Apr 2020 17:11:38 +0000 (11:11 -0600)]
avformat/movenc: write the colr atom by default
The write_colr flag has been marked as experimental for over 5 years.
It should be safe to enable its behavior by default as follows:
- Write the colr atom by default for mp4/mov if any of the following:
- The primaries/trc/matrix are all specified, OR
- There is an ICC profile, OR
- The user specified +write_colr
- Keep the write_colr flag for situations where the user wants to
write the colr atom even if the color info is unspecified (e.g.,
http://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/259334.html)
This fixes https://trac.ffmpeg.org/ticket/7961
Signed-off-by: Michael Bradshaw <mjbshaw@google.com>
This commit removes ff_parse_sample_format(), ff_parse_time_base() and
ff_query_formats_all_layouts() from libavfilter/formats.c. All of these
functions were completely unused. ff_parse_time_base() has not been used
at all since it had been added in 3448404a707b6e236a2ffa7b0453b3300de41b7b;
the last caller of ff_parse_sample_format has been removed in commit d1c49bcae9b7fd41df5c6804ac7f6a5c271a7c2e. And the one and only caller of
ff_query_formats_all_layouts() (the asyncts filter) has been removed in
commit a8fe8d6b4a35c95aa94fccde5f001041278d197c.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
ff_planar_sample_fmts_array is unused (and was unused since it was added
in 4d4098da009c8340997b8d1abedbf2062e4aa991) and therefore this commit
removes it; ff_packed_sample_fmts_array meanwhile is used only once (in
the amerge filter) and therefore it has been moved to this place.
Reviewed-by: Paul B Mahol <onemda@gmail.com> Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
dnn_backend_native_layer_avgpool: Fix invalid assignment, use av_assert
dnn_execute_layer_avg_pool() contains the following line:
assert(avgpool_params->padding_method = VALID);
This statement contains an assignment where obviously a comparison was
intended. Furthermore, *avgpool_params is const, so that the attempted
assignment leads to a compilation failure if asserts are enabled
(i.e. if DEBUG is defined which leads libavutil/internal.h to not define
NDEBUG). Moreover, the enumeration constant VALID actually has the value 0,
so that the assert would be triggered if a compiler compiles this with
asserts enabled. Finally, the statement uses assert() directly instead
of av_assert*().
All these errors have been fixed.
Thanks to ubitux for providing a FATE-box [1] where DEBUG is defined.
In a function body, a redundant ; is just a null statement that does
nothing. Yet outside a function body, a superfluous ';' like one that
exists if one adds a ';' immediately after a function body's closing
brace is actually invalid C that compilers happen to accept. Yet when
compiled in -pedantic mode, both GCC as well as Clang emit warnings for
this like "ISO C does not allow extra ‘;’ outside of a function
[-Wpedantic]".
The scenario described above existed in vf_overlay.c as a result of
macro expansion. This commit fixes it.
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/fifo: Remove unused functions and headers
The functions were forgotten in 03c8fe49ea3f2a2444607e541dff15a1ccd7f0c2;
removing them also means that the avassert.h and samplefmt.h headers are
no longer used any more, so they have been removed, too.
avfilter/formats: Factor checking for mergeability out of ff_merge_*
The callers of the ff_merge_*() functions fall into two categories with
quite different needs:
One caller is can_merge_formats() which only wants to test for mergeability
without it merging anything. In order to do so, it duplicates the lists
it intends to test and resets their owners so that they are not modified
by ff_merge_*(). It also means that it needs to receive the merged list
(and not only an int containing whether the lists are mergeable) to
properly free it.
The other callers want the lists to be actually merged. But given the
fact that ff_merge_*() automatically updates the owners of the lists,
they only want the information whether the merge succeeded or not; they
don't want a link to the new list.
Therefore this commit splits these functions in two: ff_merge_*() for
the latter callers and ff_can_merge_*() for the former.
ff_merge_*() doesn't need to return a pointer to the combined list at all
and hence these functions have been modified to return an int, which
allows to distinguish between incompability and memory allocation failures.
ff_can_merge_*() meanwhile doesn't modify its arguments at all obviating
the need for copies. This in turn implies that there is no reason to
return a pointer to the new list, as nothing needs to be freed. These
functions therefore return an int as well. This allowed to completely
remove can_merge_formats() in avfiltergraph.c.
Notice that no ff_can_merge_channel_layouts() has been created, because
there is currently no caller for this. It could be added if needed.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Avoid code duplication when merging samplerates
Right now, ff_merge_samplerates() contains three instances of the
MERGE_REF() macro, a macro which reallocates an array, updates some
pointers in a loop and frees several buffers. This commit makes it
possible to contain only one instance of said macro in the function,
thereby reducing codesize.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Nicolas Sugino [Fri, 14 Aug 2020 01:18:26 +0000 (22:18 -0300)]
avformat/libsrt: close listen fd in listener mode
In listener mode the first fd is not closed when libsrt_close() is called
because it is overwritten by the new accept fd. Added the listen_fd to the
context to properly close it when libsrt_close() is called.
Fixes trac ticket #8372.
Signed-off-by: Nicolas Sugino <nsugino@3way.com.ar> Signed-off-by: Marton Balint <cus@passwd.hu>
avformat/siff: Reject audio packets without audio stream
Fixes: Assertion failure Fixes: 24612/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6600899842277376.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avfilter/formats: Avoid allocations when merging formats and samplerates
This is the analogue of cfc65520324ae640299bd321ef88ae76dcee6f78 for
formats and samplerates; in contrast to said commit, one can avoid
allocating a new array for formats as well (the complications of the
generic channel layouts made this impossible for channel layouts).
This commit also starts to move the line continuation '\' chars to the
left to keep them in line with MERGE_REF() as well as with the 80 lines
limit.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Make check for buffer overflow redundant
and remove the redundant check.
This check for whether the allocated buffer is sufficient has been added
in commit 1cbf7fb4345a3e5b7791d483241bf4759bde4ece (merging commit 5775a1832c4165e6acc1d307004b38701bb463f4). It is not sufficient to
detect invalid input lists (namely lists with duplicates); its only use
is to avoid buffer overflows. And this can be achieved by simpler means:
Make sure that one allocates space for so many elements as the outer loop
ranges over and break out of the inner loop if a match has been found.
For valid input without duplicates, no further match will be found anyway.
This change will temporarily make the allocated formats array larger
than before and larger than necessary; this will be fixed in a later
commit that avoids the allocation altogether.
If a check for duplicates in the lists is deemed necessary, it should be
done properly somewhere else.
Finally, the error message that is removed in this commit used
__FUNCTION__, which is a GCC extension (C99 added __func__ for this).
So this commit removes a warning when compiling in -pedantic mode.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/af_afir: Fix leak of AVFilterChannelLayout in case of error
If an error happens between the allocation of an AVFilterChannelLayout
and its usage (which involves attaching said object to a more permanent
object), the channel layout array leaks. This can simply be fixed by
making sure that nothing is between the allocation and the
aforementioned usage.
Jan Ekström [Wed, 12 Aug 2020 21:27:09 +0000 (00:27 +0300)]
avformat/mpegts: only reset timestamps to NOPTS for DVB teletext
While having the possibility of non-NOPTS values that can suddenly
jump in time due to adjustments to match PCR is not nice for DVB
subtitles, apparently the parser for this format bases its behavior on
whether the packets' timestamps are NOPTS or not. Thus while we can
adjust timestamps, we should exclude DVB subtitles from the timestamp
unsetting logic.
Fixes: Timeout (too long -> 3sec) Fixes: 24239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5189061015502848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avformat/mlvdec: Check for existence of AVIOContext before using it
The mlv demuxer supports input split into multiple files; if invalid
data is encountered when parsing one of the subsequent files, that file
is closed. But at this point some index entries belonging to this file
might already have been added. In this case, the read_packet function
might try to use the AVIOContext (which is NULL) to read data which will
of course crash. This commit fixes this.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
and remove reset_packet(). The packet's data pointer is already zeroed,
so the only thing that reset_packet() does that av_init_pkt() doesn't is
redundant.
Reviewed-by: Steven Liu <lingjiujianke@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Andriy Gelman [Sun, 16 Aug 2020 21:39:13 +0000 (17:39 -0400)]
avcodec/v4l2_context: return EAGAIN to signal full buffers
Return proper error when frame buffers are full. This path is triggered
on the DragonBoard 410c since the encoding API change in commit 827d6fe73d2f5472c1c2.
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com> Reviewed-by: Mark Thompson <sw@jkqxz.net>
Moritz Barsnick [Wed, 5 Aug 2020 12:06:53 +0000 (14:06 +0200)]
avdevice/xcbgrab: check return values of xcb query functions
Fixes #7312, segmentation fault on close of X11 server
xcb_query_pointer_reply() and xcb_get_geometry_reply() can return NULL
if e.g. the X server closes or the connection is lost. This needs to
be checked in order to cleanly exit, because the returned pointers are
dereferenced later.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net> Reviewed-by: Andriy Gelman <andriy.gelman@gmail.com>