When the file to decode contains a sequence of binary values like
"1101110...", decode_frame() was reading the sequence of digits like a
unique integer value, which was resulting in integer overflows.
The change add support for parsing non-space-separated pixel digits
for mono formats, in particular fix decoding of file battrace.pbm, and
fix trac issue #154.
All decode_channel_map calls together can easily read
more data than the amount of padding available.
Thus below patch adds an input length check before reading them.
Fixes some invalid reads with sample from
http://bugzilla.mplayerhq.hu/show_bug.cgi?id=1138
This is required specifically for setting frame->format to -1,
otherwise it will be set to 0 = PIX_FMT_YUV420P and code reading
the format from the output decoded frame will get misled.
In particular fix regressions occurring with the pending vsrc_buffer
patch.
The format is a per-frame property, having it in AVFrame simplify the
operation of extraction of that information, since avoids the need to
access the codec/stream context.
width and height are per-frame properties, setting these values in
AVFrame simplify the operation of extraction of that information,
since avoids the need to check the codec/stream context.
* qatar/master: (23 commits)
doc: Check standalone compilation before submitting new components.
Fix standalone compilation of pipe protocol.
Fix standalone compilation of ac3_fixed encoder.
Fix standalone compilation of binkaudio_dct / binkaudio_rdft decoders.
Fix standalone compilation of IMC decoder.
Fix standalone compilation of WTV demuxer.
Fix standalone compilation of MXPEG decoder.
flashsv: K&R cosmetics
matroskaenc: fix memory leak
vc1: make overlap filter for I-frames bit-exact.
vc1dec: use s->start/end_mb_y instead of passing them as function args.
Revert "VC1: merge idct8x8, coeff adjustments and put_pixels."
Replace strncpy() with av_strlcpy().
indeo3: Eliminate use of long.
get_bits: make cache unsigned to eliminate undefined signed overflow.
asfdec: fix assert failure on invalid files
avfilter: check malloc return values.
Not pulled as reason for reindent is not pulled: mpegvideo: reindent.
nutenc: check malloc return values.
Not pulled due to much simpler solution in ffmpeg *: don't av_malloc(0).
...
Conflicts:
doc/developer.texi
libavcodec/Makefile
libavcodec/get_bits.h
libavcodec/mpegvideo.c
libavformat/Makefile
libavutil/log.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This reverts commit f8bed30d8b. The reason
for this is that the overlap filter, which runs after IDCT, should run
on unclamped values, and thus IDCT and put_pixels() cannot be merged if
we want to attempt to be bitexact.
lowres option crashes with wmv2 files which I have for test,
so I think it's better to remove the support to the time when
lowres will be really supported by this codec
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
* qatar/master:
vp8: frame-multithreading.
Duplicate Replace deprecated FF_*_TYPE symbols with AV_PICTURE_TYPE_*.
Duplicate Replace deprecated av_get_pict_type_char() with av_get_picture_type_char().
Bug spoted&removed in last merge: dpx: Do not use DPX encoder for decoding.
Conflicts:
ffmpeg.c
ffplay.c
libavcodec/h264.c
libavcodec/mpeg12.c
libavcodec/mpeg4videodec.c
libavcodec/mpegvideo.c
libavcodec/mpegvideo_enc.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Do not use rlelen for buffer size in init_get_bits, it is
only the size of the data for the first field.
Since it is not reliable, just use the size of the whole buffer.
Additional comments add removal of unused rlelen variable by
Reimar Döffinger.
This means it uses full brightness range and brightness
increasing instead of decreasing with index of non-opaque
color.
Based on patch by Alexandre Colucci [alexandre elgato com]
* qatar/master:
ALPHA: Replace sized int_fast integer types with plain int/unsigned.
Duplicate DPX image encoder
Duplicate DPX decoder: read sample aspect ratio
Duplciate DPX decoder: add buffer size checks.
ac3enc: clip large coefficient values and negative exponents rather than using av_assert2().
ac3enc: do not store a bandwidth code for each channel.
ac3enc: remove bandwidth reduction as fallback for bit allocation failure.
ac3enc: merge compute_exp_strategy_ch() into compute_exp_strategy()
ac3enc: return error if frame+exponent bits are too large instead of using av_assert2().
ac3enc: differentiate between current block and reference block in bit_alloc()
ac3enc: simplify exponent_init() by calculating exponent_group_tab[] based on exponent group sizes.
ac3enc: simplify stereo rematrixing decision options
Include both URLs: Update URL to fate samples
Conflicts:
Changelog
doc/fate.txt
libavcodec/ac3enc.c
libavcodec/dpxenc.c
libavcodec/version.h
Merged-by: Michael Niedermayer <michaelni@gmx.at>
int/unsigned is the natural memory access type for CPUs, using sized types
for temporary variables, counters and similar just increases code size and
can possibly cause a slowdown.
They use now code identical to the AAC decoder.
The AC3 decoder previously did not check the data_size and
the dca decoder checked against and set wrong values for float.
The sample aspect ratio is a per-frame property, so it makes sense to
define it in AVFrame rather than in the codec/stream context.
Simplify application-level sample aspect ratio information extraction,
and allow further simplifications.
This is similar to what was done with pkt_pts. This simplifies the
operation of extracting the pos information from the AVPacket, and
allows further simplifications.
One of the causes of this bug is that the h264 parser defaults low_delay
to 1, but the h264 codec defaults low_delay to 0. Really Ugly.
After many hours of looking at this, I'm still not sure how has_b_frames
is *intended* to behave, but to me the implementation appears way more
complicated than it ought to be.
My patch relies on the encoder to set an optional field in the SPS. This
works for libx264 streams, but I'm not sure that all h264 encoders will
set it.
* commit '85770f2a2651497861ed938efcd0df3696ff5e45':
AVOptions: make default_val a union, as proposed in AVOption2.
Move ff_dynarray_add to lavu and make it public.
lavf: remove duplicate assignment in avformat_alloc_context.
lavf: use designated initializers for AVClasses.
options: simplify av_find_opt by using av_next_option.
Merged-by: Michael Niedermayer <michaelni@gmx.at>
I still don't fully understand the cause but the difference between
the samples that trigger the bug and the samples that don't is
that the former uses delay frames and the later uses drop frames
as placeholders for the packed frame. So, if we see the one type
of frame, we can assume the bug will or won't be present.
Right now, I'm detecting the frame types by size, which may not be
safe in general, but given the specific codec and file type, I
expect any scenario where we encounter these frames where they
aren't being used for b-frame packing won't care one way or
another whether the work around is in effect or not.
Signed-off-by: Philip Langdale <philipl@overt.org>
* qatar/master:
Duplicate AMV: disable DR1 and don't override EMU_EDGE
Duplicate lavf: inspect more frames for fps when container time base is coarse
Wrong and we have correct fix: Fix races in default av_log handler
vorbis: Replace sized int_fast integer types with plain int/unsigned.
Remove disabled non-optimized code variants.
NO bswap.h: Remove disabled code.
Remove some disabled printf debug cruft.
Replace more disabled printf() calls by av_dlog().
NO tests: Remove disabled code.
NO Replace some commented-out debug printf() / av_log() messages with av_dlog().
vorbisdec: Replace some sizeof(type) by sizeof(*variable).
NO vf_fieldorder: Replace FFmpeg by Libav in license boilerplate.
Conflicts:
libavcodec/h264.c
libavcodec/vorbisdec.c
libavutil/log.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
This works around a possibly exploitable crash.
Appearently, vlc can be exploited with a malicous file. This should get
reverted as soon as a proper fix is found.
Reported-at: Thu, 21 Apr 2011 14:38:25 +0000
Reported-by: Dominic Chell <Dominic.Chell@ngssecure.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 89f903b3d5)
(cherry picked from commit 9b919571e5)
int/unsigned is the natural memory access type for CPUs, using sized types
for temporary variables, counters and similar just increases code size and
can possibly cause a slowdown.
Make av_get_profile_name() return NULL if no profile is detected.
Fix trac issue #130, fix crash reading file tek3.m2v.
(cherry picked from commit e5d80c7b2d)
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
* qatar/master:
vorbisdec: Rename silly "class_" variable to plain "class".
simple_idct_alpha: Drop some useless casts.
Simplify av_log_missing_feature().
ac3enc: remove check for mismatching channels and channel_layout
If AVCodecContext.channels is 0 and AVCodecContext.channel_layout is non-zero, set channels based on channel_layout.
If AVCodecContext.channel_layout and AVCodecContext.channels are both non-zero, check to make sure they do not contradict eachother.
cosmetics: indentation
Check AVCodec.supported_samplerates and AVCodec.channel_layouts in avcodec_open().
aacdec: remove sf_scale and sf_offset.
aacdec: use a scale of 2 in the LTP MDCT rather than doubling the coefficient table values from the spec.
Define POW_SF2_ZERO in aac.h and use for ff_aac_pow2sf_tabp[] offsets instead of hardcoding 200 everywhere.
Large intensity stereo and PNS indices are legal. Clip them instead of erroring out. A magnitude of 100 corresponds to 2^25 so the will most likely result in clipped output anyway.
qpeg: use reget_buffer() in decode_frame()
ultimotion: use reget_buffer() in ulti_decode_frame()
smacker: remove unnecessary call to avctx->release_buffer in decode_frame()
avparser: don't av_malloc(0).
Merged-by: Michael Niedermayer <michaelni@gmx.at>
avcodec_open().
If the encoder has a channel_layouts list and AVCodecContext.channel_layout
is 0, then only print a warning and let the encoder decide how to handle it.
Instead, scalefactors are adjusted by the offset amount, removing the need
for sf_scale, and the MDCT scales are adjusted to compensate for the higher
scalefactors. Floating-point output will be handled by modifying the MDCT
scales.
erroring out. A magnitude of 100 corresponds to 2^25 so the will most
likely result in clipped output anyway.
None of the conformance streams fall in the range that need to be clipped.
Decoder relies on previous frame data, so use reget_buffer().
This also set frame->reference to 3, as the frame will be requested
unmodified later so it shouldn't be modified by the application.
Fix playback of file Clock.avi.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
The release_buffer was cleaning the provided frame, thus causing the
successive call to avctx->reget_buffer() to allocate a new frame. In
case the returned frame was not the same one previously returned but a
new one with different data, it resulted in artifacts.
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
Also remove unnecessary call to avctx->release_buffer(). reget_buffer
is required since apparently the codec needs to be feeded with the
previous frame data.
Releasing the frame and using get_buffer was working only in the case
get_buffer() was returning the old frame data, and resulting in
playback artifacts otherwise.
Fix trac issue #85.
