Moritz Barsnick [Wed, 5 Aug 2020 12:06:53 +0000 (14:06 +0200)]
avdevice/xcbgrab: check return values of xcb query functions
Fixes #7312, segmentation fault on close of X11 server
xcb_query_pointer_reply() and xcb_get_geometry_reply() can return NULL
if e.g. the X server closes or the connection is lost. This needs to
be checked in order to cleanly exit, because the returned pointers are
dereferenced later.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net> Reviewed-by: Andriy Gelman <andriy.gelman@gmail.com>
James Almer [Fri, 14 Aug 2020 03:09:43 +0000 (00:09 -0300)]
avformat/av1dec: fix return value on some code paths
If avio_read() returns a value of bytes read that's lower than the
expected, return an error instead. And when there are zero bytes in
the prefetch buffer, return 0 in order for the frame merge bsf to
drain all potentially buffered packets.
Missed by mistake when amending and committing 9a7bdb6d71.
avfilter/formats: Avoid allocations when merging channel layouts
When one merges two AVFilterChannelLayouts structs, there is no need to
allocate a new one. Instead one can reuse one of the two given ones.
If one does this, one also doesn't need to update the references of the
AVFilterChannelLayouts that is reused. Therefore this commit reuses the
structure with the higher refcount.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Fix heap-buffer overflow when merging channel layouts
The channel layouts accepted by ff_merge_channel_layouts() are of two
types: Ordinary channel layouts and generic channel layouts. These are
layouts that match all layouts with a certain number of channels.
Therefore parsing these channel layouts is not done in one go; instead
first the intersection of the ordinary layouts of the first input
list of channel layouts with the ordinary layouts of the second list is
determined, then the intersection of the ordinary layouts of the first
one and the generic layouts of the second one etc. In order to mark the
ordinary channel layouts that have already been matched as used they are
zeroed. The inner loop that does this is as follows:
(Here ret->channel_layouts is the array containing the intersection of
the two input arrays.)
Yet the problem with this code is that after a match has been found, the
loop continues the search with the new value a->channel_layouts[i].
The intention of zeroing these elements was to make sure that elements
already paired at this stage are ignored later. And while they are indeed
ignored when pairing ordinary and generic channel layouts later, it has
the exact opposite effect when pairing ordinary channel layouts.
To see this consider the channel layouts A B C D E and E D C B A. In the
first round, A and A will be paired and added to ret->channel_layouts.
In the second round, the input arrays are 0 B C D E and E D C B 0.
At first B and B will be matched and zeroed, but after doing so matching
continues, but this time it will search for 0, which will match with the
last entry of the second array. ret->channel_layouts now contains A B 0.
In the third round, C 0 0 will be added to ret->channel_layouts etc.
This gives a quadratic amount of elements, yet the amount of elements
allocated for said array is only the sum of the sizes of a and b.
This issue can e.g. be reproduced by
ffmpeg -f lavfi -i anullsrc=cl=7.1 \
-af 'aformat=cl=mono|stereo|2.1|3.0|4.0,aformat=cl=4.0|3.0|2.1|stereo|mono' \
-f null -
The fix is easy: break out of the inner loop after having found a match.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
The checks added by said commit are nonsense because they did not help
in case ff_merge_samplerates() or ff_merge_formats() returned NULL
while freeing one of its arguments: Said freeing does not change
the local variables of can_merge_formats().
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Simplify cleanup for ff_merge_* functions
Now that the output's refs-array is only allocated once, it is NULL in
any error case and therefore needn't be freed at all; Instead an
av_assert1() has been added to guarantee it to be NULL.
Furthermore, it is unnecessary to av_freep(&ptr) when ptr == NULL.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Leave lists' ownership unchanged upon merge failure
ff_merge_formats(), ff_merge_samplerates() and ff_merge_channel_layouts()
share common semantics: If merging succeeds, a non-NULL pointer is
returned and both input lists (of type AVFilterFormats resp.
AVFilterChannelLayouts) are to be treated as if they had been freed;
the owners of the input parameters (if any) become owners of the
returned list. If merging does not succeed, NULL is returned and both
input lists are supposed to be unchanged.
The problem is that the functions did not abide by these semantics:
In case of reallocation failure, it is possible for these functions
to return NULL after having already freed one of the two input list.
This happens because sometimes the refs-array of the destined output
gets reallocated twice to its final size and if the second of these
reallocations fails, the first of the two inputs has already been freed
and its refs updated to point to the destined output which in this case
will be freed immediately so that all of the already updated pointers
are now dangling. This leads to use-after-frees and memory corruptions
lateron (when these owners get cleaned up, the lists they own get
unreferenced). Should the input lists don't have owners at all, the
caller (namely can_merge_formats() in avfiltergraph.c) thinks that both
the input lists are unchanged and need to be freed, leading to a double
free.
The solution to this is simple: Don't reallocate twice; do it just once.
This also saves a reallocation.
This commit fixes the issue behind Coverity issue #1452636. It might
also make Coverity realize that the issue has been fixed.
Reviewed-by: Nicolas George <george@nsup.org> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avfilter/formats: Schedule avfilter_make_format64_list() for removal
Despite its name, this function is not part of the public API, as
formats.h, the header containing its declaration, is a private header.
The formats API was once public API, but that changed long ago
(b74a1da49db5ebed51aceae6cacc2329288a92c1, the commit scheduling it to
become private, is from 2012). That avfilter_make_format64_list() was
forgotten is probably a result of the confusion resulting from the
libav-ffmpeg split.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
lavc/snowenc: Expose an option to set the rc_eq expression
Snow uses the ratecontrol module, but does not expose a way to set
the rc_eq expression. The default expression, set in the ratecontrol
module, will always be used.
Make it possible to set rc_eq by adding an AVOption to snowenc.
The option definition is mostly a copy from the mpegvideo common
options definition of rc_eq (libavcodec/mpegvideo.h), with some
minor style adjustments to be closer to the other snowenc option
initializer expressions.
Signed-off-by: Alexander Strasser <eclipse7@gmx.net>
Up until now, the TiVo demuxer parse an array of SEQ entries, yet it has
never ever made any use of them. In fact, parse_master, the function
parsing said table, only influenced the outside world in three ways: Via
an excessive amount of error message in case a certain parameter is not
what it expected; via an allocation (the aforementioned write-only
array); and by setting a certain parameter (ty->cur_chunk_pos), but that
parameter is always overwritten before it is used (it is overwritten
in get_chunk() on success and if get_chunk() fails, the error is
returned to the caller anyway). So remove the array and the function
used to parse it.
Reviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Zane van Iperen [Fri, 7 Aug 2020 23:17:51 +0000 (09:17 +1000)]
avformat/argo_asf: add name option
Reviewed-by: Alexander Strasser <eclipse7@gmx.net> Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
Zane van Iperen [Wed, 5 Aug 2020 02:15:30 +0000 (12:15 +1000)]
avformat/argo_asf: add version_major and version_minor options
Reviewed-by: Alexander Strasser <eclipse7@gmx.net> Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
Zane van Iperen [Sun, 9 Aug 2020 22:37:47 +0000 (08:37 +1000)]
avformat/argo_asf: don't check file version
It has no bearing on structure. Determined by looking at the ASF
files from several Argonaut games:
- FX Fighter,
- Croc,
- Croc 2,
- The Emperor's New Groove, and
- Disney's Aladdin in Nasira's Revenge
The only versions that appear are 1.1, 1.2, and 2.1, and their
structure is identical.
Reviewed-by: Alexander Strasser <eclipse7@gmx.net> Signed-off-by: Zane van Iperen <zane@zanevaniperen.com>
avformat/mpegts: Don't leave context in inconsistent state upon error
Up until now, opening a section filter works as follows: A filter is
opened and (on success) attached to the MpegTSContext. Then a buffer for
said filter is allocated and upon success attached to the section
filter; on error, the filter is simply freed without removing it from
the MpegTSContext, leaving the latter in an inconsistent state. This
leads to use-after-frees lateron.
This commit fixes this by allocating the buffer first; the filter is
only opened if the buffer could be successfully allocated.
Reviewed-by: Marton Balint <cus@passwd.hu> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
avcodec/jpeg2000dec: Check remaining data in packed_headers_stream before use
Fixes: out of array read Fixes: 24487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5165847820369920 Fixes: 24636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5700973918683136 Fixes: 24683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6202883897556992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Steven Liu [Wed, 22 Jul 2020 09:15:29 +0000 (17:15 +0800)]
avformat/hlsenc: write temp file for append single file by encryption mode
fix ticket: 8783
Because in single file by encryption mode, it cannot get the last one
block of the file, it need ff_format_io_close for get full file size,
then hlsenc can get the total size of the encryption content,
so write the content into temp file first, and get the temp file content
append the temp file content into append to single file, then hlsenc can
get the correct file/content size and offset.
Mark Thompson [Sun, 5 Jul 2020 15:49:44 +0000 (16:49 +0100)]
kmsgrab: Use GetFB2 if available
The most useful feature here is the ability to automatically extract the
framebuffer format and modifiers. It also makes support for multi-plane
framebuffers possible, though none are added to the format table in this
patch.
This requires libdrm 2.4.101 (from April 2020) to build, so it includes a
configure check to allow compatibility with existing distributions. Even
with libdrm support, it still won't do anything at runtime if you are
running Linux < 5.7 (before June 2020).
libavcodec/j2kenc: Support for all Progression orders
This patch allows for selecting the progression order
in the j2k encoder. However, all components and resolution
levels will use the same progression order and will not
feature the use of progression order change markers.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
avcodec/put_bits: Make skip_put_bits() less dangerous
Before c63c303a1f2b58677d480505ec93a90f77dd25b5 (the commit which
introduced a typedef for the type of the buffer of a PutBitContext)
skip_put_bits() was as follows:
If s->bit_left was negative after the first subtraction, then the next
line will divide this by 32 with rounding towards -inf and multiply by
four; the result will be negative, of course.
Casting s->bit_left to unsigned meant that the rounding is still towards
-inf; yet the right side is now always positive (it transformed the
arithmetic shift into a logical shift), so that s->buf_ptr will always
be decremented (by about UINT_MAX / 8 unless n is huge) which leads to
segfaults on further usage and is already undefined pointer arithmetic
before that. This can be reproduced with the mpeg4 encoder with the
AV_CODEC_FLAG2_NO_OUTPUT flag set.
Furthermore, the earlier version as well as the new version share
another bug: s->bit_left will be in the range of 0..(BUF_BITS - 1)
afterwards, although the assumption throughout the other PutBitContext
functions is that it is in the range of 1..BUF_BITS. This might lead to
a shift by BUF_BITS in little-endian mode. This has been fixed, too.
The new version is furthermore able to skip zero bits, too.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: division by zero Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int' Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The default for the chromaoffset field in AVCodecContext
is zero, which until now always ended up overriding the
AVOption-set value, thus leading to the AVOption not working.
Additionally, the previous usage prevented the usage of
negative values, while both the variable as well as x264's
API would successfully handle such.
Thus, the default value of the AVOption is changed to match
the default of x264 (and what is currently the default for
the AVCodecContext chromaoffset field), and the checks are
changed to check for nonzero values.
This way:
1. the library default is still utilized if the value is zero.
2. both negative and positive values are correctly passed to
x264.
Fixes: shift exponent 32 is too large for 32-bit type 'int' Fixes: 24566/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6033783737024512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Gautam Ramakrishnan <gautamramk@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>