Fixes: out of array read Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: James Almer <jamrial@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gyan Doshi [Fri, 20 Dec 2019 11:09:32 +0000 (16:39 +0530)]
avformat/mpegtsenc: warn users if codec isn't supported
The MPEG-TS muxer will mux streams with unsupported codec id
as a private data stream; this usually makes the stream
not recognizable by ffmpeg and likely other tools.
avformat/hlsenc: Fix memleaks with repeating parameters
When a parameter like e.g. language is contained more than once in the
part of var_stream_map pertaining to a single VariantStream, the later
one just overwrites the pointer to the earlier one, leading to a
memleak. This commit changes this by handling the situation gracefully:
The earlier string is silently freed first, so that the last one wins.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Fix return value from localtime_r failure
"If an error is detected, localtime_r() shall return a null pointer
and set errno to indicate the error." Yet in case this happened in
hls_init(), AVERROR(ENOMEM) has been returned.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Fix potential segfault upon allocation failure
The hls muxer allocates an array of VariantStreams, a structure that
contains pointers to objects that need to be freed on their own. This
means that the number of allocated VariantStreams needs to be correct
when they are freed; yet the number of VariantStreams is set in
update_variant_stream_info() resp. parse_variant_stream_mapstring()
before the allocation has been checked for success, so that upon error
an attempt would be made to free the objects whose pointers are
positioned at position NULL (the location of VariantStreams) +
offsetof(VariantStream, the corresponding pointer).
Furthermore d1fe1344 added another possibility for the first function
to leave an inconsistent state behind: If an allocation of one of the
objects referenced by the VariantStream fails, the VariantStream will be
freed, but the number of allocated VariantStreams isn't reset, leading
to the same problem as above. (This was done in the mistaken belief that
the VariantStreams array would leak otherwise.)
Essentially the same also happens for the number of cc-streams. It has
been fixed, too.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Fix leak of options when writing packets
Under certain circumstances hls_write_packet() would add options to an
AVDictionary. Said dictionary was never explicitly freed, instead it was
presumed that these options would be consumed when opening a new
IO-context. This left several possibilities for memleaks:
a) When no new IO-context would be opened at all. This is possible when
using both the flags temp_file and single_file together with a file
output.
b) When an error happens before one actually tries to open the new
IO-context.
c) When the new IO-context does not consume all options.
All three have been fixed; furthermore, the AVDictionary has been put
into a smaller scope (namely the only part of hls_write_packet() where
it is actually used).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Fix leak of options when initializing muxing fails
hls_mux_init() currently leaks an AVDictionary if opening a dynamic
buffer fails or if avformat_init_output fails. This has been fixed by
moving the initialization resp. the freeing of the dictionary around:
In the former case to a place after opening the dynamic buffer, in the
latter to a place before the check for initialization failure so that it
is done unconditionally.
Furthermore, the dictionary is now only copied and freed if the options
in it are actually used (namely when in SEGMENT_TYPE_FMP4 mode).
Finally, a similar situation in hls_start() has been fixed, too.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Only allocate when data is known to be needed
hls_init() would allocate a buffer, although it is only needed in one of
two branches that follow. This commit moves the allocation to the branch
that actually needs the buffer.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/hlsenc: Fix leak of child AVFormatContext
Before ed897633, the hls muxer would free its child AVFormatContexts
and reset the pointer to these contexts to NULL immediately afterwards; ed897633 moved the former to later (into a separate function), but kept
the resetting, ensuring that the child context leaks.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Steven Liu <lq@onvideo.cn>
avformat/icecast: Use AV_DICT_DONT_STRDUP_VAL to save an av_strdup
This will probably also fix CID 1452559, a false positive where Coverity
claims a double-free occurs, because it thinks that av_dict_set() frees
its key and value arguments even when the AV_DICT_DONT_STRDUP_* flags
aren't used.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Reviewed-by: Marvin Scholz <epirat07@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
In case an AVBPrint was not complete, icecast_open() would free some
buffers that have not been allocated yet instead of freeing the data of
the AVBPrint (if they have been allocated). Because this error does not
trigger a jump to the general cleanup section any more, one can moreover
remove a (now unnecessary) initialization of a pointer.
Furthermore, finalizing an AVBPrint can fail (namely when the string
inside the AVBPrint has not been allocated yet) and so this needs to be
checked.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Wed, 11 Dec 2019 16:11:59 +0000 (13:11 -0300)]
avformat/tls_openssl: don't use libcrypto locking functions with newer OpenSSL versions
They have been removed altogether without a compat implementation, and are
either no-ops or return NULL.
This fixes compiler warnings about checks always evaluating to false, and leaks
of allocated mutexes.
James Almer [Thu, 12 Dec 2019 01:39:56 +0000 (22:39 -0300)]
avcodec/cbs_av1: add missing valid range of values for num_cb_points and num_cr_points
It is a requirement of bitstream conformance that num_cr_points is less than or equal to 10.
It is a requirement of bitstream conformance that num_cb_points is less than or equal to 10.
Martin Storsjö [Wed, 4 Dec 2019 11:04:41 +0000 (13:04 +0200)]
checkasm: aacpsdsp: Tolerate extra intermediate precision in stereo_interpolate
The stereo_interpolate functions add h_step to the values h
BUF_SIZE times. Within the stereo_interpolate C functions, the
values h (h0-h3, h00-h13) are declared as local float variables,
but the compiler is free to keep them in a register with extra
precision.
If the accumulation is rounded to 32 bit float precision after
each step, the less significant bits of h_step end up ignored
and the sum can deviate, affecting the end result more than
the currently set EPS.
By clearing the log2(BUF_SIZE) lower bits of h_step, we make sure
that the accumulation shouldn't differ significantly, regardless
of any extra precision in the accmulating register/variable.
This fixes the aacpsdsp checkasm test when built with clang for
mingw/x86_32.
Martin Storsjö [Mon, 2 Dec 2019 09:16:25 +0000 (11:16 +0200)]
ffprobe: Fix fate tests for ffprobe in cases where TARGET_PATH differs from the current path
In these cases, we must pass the full path of the file to ffprobe
(as the current working dir on the remote system, e.g. when invoked
with "ssh remote ffprobe ..." isn't the wanted one).
The input filename passed to ffprobe is also included in the output,
which is part of the reference test data. Add a new option to
ffprobe to allow overriding what path is printed, to keep the
original relative path in the tests.
An alternative approach could be an option to allow requesting omitting
the file name from the dumped data, and updating the test references
accordingly.
Sebastian Pop [Sun, 17 Nov 2019 20:13:13 +0000 (14:13 -0600)]
swscale/aarch64: use multiply accumulate and increase vector factor to 4
This patch implements ff_hscale_8_to_15_neon with NEON fused multiply accumulate
and bumps the vectorization factor from 2 to 4.
The speedup is of 25% on Graviton1 A1 instances based on A-72 cpus:
The speedup is of 39% on Graviton2 m6g instances based on Neoverse-N1 cpus:
$ ffmpeg -nostats -f lavfi -i testsrc2=4k:d=2 -vf bench=start,scale=1024x1024,bench=stop -f null -
before: t:0.019446 avg:0.019423 max:0.019493 min:0.019181
after: t:0.014015 avg:0.014096 max:0.015018 min:0.013971
Tested with `make check` on aarch64-linux.
Signed-off-by: Sebastian Pop <spop@amazon.com> Reviewed-by: Jean-Baptiste Kempf <jb@videolan.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Lynne [Tue, 17 Dec 2019 14:56:33 +0000 (14:56 +0000)]
vc2enc: zero padding of the coefficient buffer
Wavelet types with large amounts of overreading/writing like 9_7 would
write into the padding at high wavelet depths, which would remain and be
read by the next frame's transform and quickly cause artifacts to appear
for subsequent frames.
This fix affects all frames encoded with a non-power-of-two width, with
the artifacts varying between non-observable to very noticeable,
depending on encoder settings, so reencoding is advisable.
Martin Storsjö [Mon, 2 Dec 2019 21:57:11 +0000 (23:57 +0200)]
fate: Add an option for disabling the 2k/4k tests
When testing on a memory limited system, these tests consume a
significant amount of memory and can often fail if testing by running
multiple processes in parallel.
Linjie Fu [Fri, 31 May 2019 00:34:31 +0000 (20:34 -0400)]
lavc/vaapi_encode: grow packet if vaMapBuffer returns multiple buffers
Currently, assigning new buffer for pkt when multiple buffers were returned
from vaMapBuffer will overwrite the previous encoded pkt data and lead
to encode issues.
Iterate through the buf_list first to find out the total buffer size
needed for the pkt, allocate the whole pkt to avoid repeated reallocation
and memcpy, then copy data from each buf to pkt.
Xinpeng Sun [Mon, 2 Dec 2019 07:17:29 +0000 (15:17 +0800)]
avfilter: Add tonemap vaapi filter for H2S
It performs HDR(High Dynamic Range) to SDR(Standard Dynamic Range) conversion
with tone-mapping. It only supports HDR10 as input temporarily.
An example command to use this filter with vaapi codecs:
FFMPEG -hwaccel vaapi -vaapi_device /dev/dri/renderD128 -hwaccel_output_format vaapi \
-i INPUT -vf 'tonemap_vaapi=format=p010' -c:v hevc_vaapi -profile 2 OUTPUT
Signed-off-by: Xinpeng Sun <xinpeng.sun@intel.com> Signed-off-by: Zachary Zhou <zachary.zhou@intel.com> Signed-off-by: Ruiling Song <ruiling.song@intel.com>
Andriy Gelman [Fri, 6 Dec 2019 19:22:14 +0000 (14:22 -0500)]
lavc/cbs_h2645_syntax_template: Fix memleak
payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().
Currently, payload_count is set after for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.
This commit keeps track of payload_count inside the for loop to fix the
issue. Note that that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.
Found-by: libFuzzer Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
There can be at most 31 SPS and 255 PPS in the mp4/Matroska extradata.
Given that each has a size of at most 2^16-1, the length of the output
derived from these parameter sets can never overflow an ordinary 32 bit
integer. So use a simple uint32_t instead of uint64_t and replace the
unnecessary check with an av_assert1.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483648 - 13 cannot be represented in type 'int' Fixes: 18893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APC_fuzzer-5630760442920960 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2038337026 + 109343477 cannot be represented in type 'int' Fixes: 18886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5673660505653248 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/decode: Fix integer overflow in max_samples check
Fixes: signed integer overflow: 1677721600 * 32 cannot be represented in type 'int' Fixes: 18885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5741242185154560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/wmaprodec: Fixes integer overflow with 32bit samples
Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5755223125786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of negative value -1 Fixes: 18859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5748474213040128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/wmalosslessdec: Check that padding bits is not more than sample bits
Fixes: left shift of 1 by 31 places cannot be represented in type 'int' Fixes: 18817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5713317180211200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read Fixes: 19309/clusterfuzz-testcase-minimized-ffmpeg_BSF_MP3_HEADER_DECOMPRESS_fuzzer-5651002950942720 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The documentation still mentions numerical constants in addition to textual
ones. It is also wrong to use distinct modes as flags and it disallows us to
actually use the flags field for real flags in the future.
"It is a requirement of bitstream conformance that num_y_points is less than or equal to 14."
Fixes: index 24 out of bounds for type 'uint8_t [24]' Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104
Note, also needs a23dd33606d5
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: jamrial Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Martin Storsjö [Wed, 11 Dec 2019 20:53:28 +0000 (22:53 +0200)]
configure: Check for the SetDllDirectory and GetModuleHandle functions
These functions aren't available when building for the restricted
UWP/WinRT/WinStore API subsets.
Normally when building in this mode, one is probably only building
the libraries, but being able to build ffmpeg.exe still is useful
(and a ffmpeg.exe targeting these API subsets still can be run
e.g. in wine, for testing).
Martin Storsjö [Wed, 11 Dec 2019 09:15:11 +0000 (11:15 +0200)]
checkasm: af_afir: Use a dynamic tolerance depending on values
As the values generated by av_bmg_get can be arbitrarily large
(only the stddev is specified), we can't use a fixed tolerance.
Calculate a dynamic tolerance (like in float_dsp from 38f966b2222db),
based on the individual steps of the calculation.
This fixes running this test with certain seeds, when built with
clang for mingw/x86_32.