Fixes: out of array access
Fixes: 37197/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARGO_fuzzer-5877046382297088
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Just check for the existence of the bsf. This is equivalent to
the old criterion of the AVCodecContext being a decoder.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It is now checked by FATE that no encoder capable of flushing
uses frame threads, so this now redundant runtime check can
be removed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
If an AVCodec has a private class, its priv_data_size must be > 0
and at the end of a successful call to avcodec_open2()
the AVCodecContext's priv_data must exist and its first element
must be a pointer to said AVClass. This should not be conditional
on priv_data_size being > 0 (which is tested by FATE) or
on the private context having been successfully allocated
(which has to have happened at that point). So remove these
preconditions to make the test stricter.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The current name comes from a time in which libavcodec/utils.c
contained the whole core of libavcodec.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
When a color indexing transform with 16 or fewer colors is used,
WebP uses "pixel packing", i.e. storing several pixels in one byte,
which virtually reduces the width of the image (see WebPContext's
reduced_width field). This reduced_width should always be used when
reading and applying subsequent transforms.
Updated patch with added fate test.
The source image dual_transform.webp can be downloaded by cloning
https://chromium.googlesource.com/webm/libwebp-test-data/
Fixes: 9368
Signed-off-by: James Zern <jzern@google.com>
Dead since commit 93016f5d1d
which ensured that the packets received by encoders are always blank.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes leaks in case the allocation of the H.264-specific stuff fails.
Fixes Coverity issues #1442911 and #1442914.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This improves performance: For msvideo1, the performance improved by
4.8% when encoding the sample from the fate-vsynth1-msvideo1 test;
when encoding the sample from fate-vsynth1-cinepak, performance
improved by 2%. The compiler user was GCC 10 and the calls to encode2
have been timed.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This is currently unused and it is only added to enable changes
while maintaining ABI compatibility. The type is uintptr_t in order
to potentially accept a pointer argument.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This is possible because the number of elements needed in each
recursion step decreases geometrically, so the geometric series
provides an upper bound for the sum of number of elements of
the needed buffers.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: index 128 out of bounds for type 'uint16_t [128]'
Fixes: 38651/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6296416058736640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Up until now, each call to avpriv_elbg_do() would result
in at least six allocations. And this function is called a lot:
A typical FATE run results in 52213653 calls to av_malloc; of these,
34974671 originate from av_malloc_array and from these 34783679
originate from avpriv_elbg_do; the msvideo1 encoder tests are behind
most of these.
This commit changes this by keeping the buffers and only reallocating
them when needed. E.g. for the encoding part of fate-vsynth1-msvideo1
total heap usage went down from 11,407,939 allocs and frees with
468,106,207 bytes allocated to 3,149 allocs and frees with 13,181,847
bytes allocated. The time for one encode2-call went down by 69%.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This affects all the arguments that don't change during a call
to avpriv_elbg_do(); doing so makes it easily recognizable which
arguments change upon recursive calls.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It will be used in future commits to avoid having to allocate and free
all the buffers used.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It is in line with our naming conventions for types.
Also change numCB to num_cb for the same reason.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
These functions are always called directly after another with
the exact same arguments. This avoids exporting a symbol;
it also avoids having to perform two calls for every caller.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It will avoid a forward declaration later.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
silk_lsp2poly()'s declaration contained arrays with array sizes;
yet these array sizes exceeded the number of actually accessed array
elements (which is related to another parameter) and this leads to
-Wstringop-overflow= warnings from GCC 11, because the arrays provided
by callers are only large enough for the actually used elements.
So replace the incorrect array sizes with comments containing
the correct array sizes. Given that these sizes are not compile-time
constants, they can only be communicated via a comment.
Reported by Paul B Mahol.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Unused since 1f63665ca5.
Found-by: Soft Works <softworkz@hotmail.com>
Reviewed-by: Soft Works <softworkz@hotmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It is supported only by a few decoders (h263, h263p, mpeg(1|2|)video
and mpeg4) and is entirely redundant with parsers. Furthermore, using
it leads to missing frames, as flushing the decoder at the end does not
work properly.
Co-authored-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: out of array access
Fixes: 38603/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSNSIREN_fuzzer-5741847809490944.fuzz
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: error: 1.66789e+11 is outside the range of representable values of type 'int'
Fixes: Ticket8201
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: NULL pointer dereference
Fixes: 38125/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5151909422432256
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes: signed integer overflow: 559334865 * 4 cannot be represented in type 'int'
Fixes: 37929/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6751932295806976
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Defined in spec 5.9.8. When superres is enabled, SuperresDenom equals
"coded_denom + SUPERRES_DENOM_MIN" instead of coded_denom.
Signed-off-by: Tong Wu <tong1.wu@intel.com>
Signed-off-by: Hendrik Leppkes <h.leppkes@gmail.com>
Fixes: signed integer overflow: 7020950083487072256 * 2 cannot be represented in type 'long long'
Fixes: 37523/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5133634955771904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 37664/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5893420460146688
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The documentation does not require the packet to be blank in this case
(i.e. it can now contain opaque_ref), but it does contain that the
contents will be reset upon success.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
When an empty list bsf is used for passthrough, there is a check
for every packet in bsf_list_filter() before ff_bsf_get_packet_ref()
is called. Directly using the null bsf avoids that.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Fixes trac issue #7473.
Removes encoder delay (skip samples) and writes remaining frame samples after EOF to get correct sample count.
Output is now accurate vs players that use Microsoft's codecs (Windows Media Format Runtime).
Tested vs encode>decode WMAv2 with MS's codecs and most sample rate/bit rate/channel/mode combinations in ASF/XWMA.
WMAv1 appears to use the same delay, from FFmpeg samples.
Signed-off-by: bnnm <bananaman255@gmail.com>
This bug flew under the radar because, in practice, these values are
0-initialized for the first invocation. But for subsequent invocations
(with different h/v values), reading from the uninitialized parts of
`out` is undefined behavior.
Avoid this by simply adjusting the iteration range of the following
loops. Has the added benefit of being a minor speedup.
Signed-off-by: James Almer <jamrial@gmail.com>
fixes#8857
If we do not clear the enc_ctrl, we will reuse previous frames' data like FrameType.
Reviewed-by: Xiang, Haihao <haihao.xiang@intel.com>
Signed-off-by: James Almer <jamrial@gmail.com>
When encoding yuva420 (alpha) frames, the vpx encoder uses a second
vpx_codec_ctx to encode the alpha stream. However, codec options were
only being applied to the primary encoder. This patch updates
codecctl_int and codecctl_intp to also apply codec options to the alpha
codec context when encoding frames with alpha.
This is necessary to take advantage of libvpx speed optimizations
such as 'row-mt' and 'cpu-used' when encoding videos with alpha.
Without this patch, the speed optimizations are only applied to the
primary stream encoding, and the overall encoding is just as slow
as it would be without the options specified.
Signed-off-by: Adam Chelminski <chelminski.adam@gmail.com>
Signed-off-by: James Zern <jzern@google.com>
It is a special BSF that is only available via the av_bsf_list-API;
it is not part of the list generated from the declarations in
bitstream_filters.c and therefore needn't have external linkage.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Adding DX11 relevant device type checks and adjusting callbacks with
proper MediaSDK pair type support.
Extending structure for proper MediaSDK pair type support.
Signed-off-by: Artem Galin <artem.galin@intel.com>
Fixes: Infinite loop
Fixes: 36666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5912760671141888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1683879955 - -466265224 cannot be represented in type 'int'
Fixes: 37419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6074294407921664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Timeout
Fixes: 37035/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5142718576721920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of 255 by 24 places cannot be represented in type 'int'
Fixes: 37249/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARGO_fuzzer-5754862984888320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It is supposed to be used with different bit depth and/or sample rates
per each substream, but such currently not implemented feature is not
important and current state causes problems when implementing variable
restart interval to fix decoding with sample rates not multiple of 40.
The earlier code did not properly check these initializations:
It only recorded whether the part of init where these initializations
are has been reached, but it did not check whether the initializations
were successful, although destroying them would be undefined behaviour
if they had not been initialized successfully.
Furthermore cleanup() always locked a mutex regardless of whether there
was any attempt to initialize these mutexes at all.
Reviewed-by: Martin Storsjö <martin@martin.st>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Now that the mutexes and conditions are only initialized and destroyed
once, said function only had one purpose: free the entries array.
Given that vp9_alloc_entries() already does this if the array is already
allocated it is unnecessary to call vp9_free_entries() anywhere except
when closing. And then one can just inline the one free into
vp9_decode_free().
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Otherwise the context would be in an inconsistent state
if vp9_alloc_entries() failed (and if this would be checked).
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
We have more mutexes/condition variables whose initialization is
unchecked.
Also use a proper namespace for these functions.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Also do not destroy and reinitialize mutexes and conditions when
certain input parameters change. Given that the decoder did not
create these variables at all during init, uninitialized mutexes
and conditions are destroyed before the very first initialization.
This is undefined behaviour and certain threading implementations
like pthreadGC2 crash when it is attempted.
Fix this by initializing these objects once during init and freeing
them in close.
Reported-by: Steve Lhomme <robux4@ycbcr.xyz>
Reviewed-by: Steve Lhomme <robux4@ycbcr.xyz>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
H.264 and H.265 levels' names are usually of the form "x" or "x.y"
with x and y being single digits; the one exception are the H.264 1b
levels. All of those levels' names fit into a char[4] and it is likely
that this future levels will do so, too.
Therefore this commit changes the H26(4|5)LevelDescriptor structures
to use such a char [4] instead of a pointer to a const char. This makes
the structures smaller (when sizeof(char*) == 8) and avoids relocations,
thereby moving the corresponding arrays from .data.rel.ro into .rodata.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
They were done in preparation for an upcoming 1.0 release.
Keep supporting previous releases for the time being.
Reviewed-by: BBB
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: Timeout
Fixes: 36875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-4842960888922112
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ff_pnm_parser and ff_vp3_parser already hit the current limit;
an addition to the former (to handle pfm) is planned.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Unlike libx264, libx265 does not handle the chroma format check
on its own side, so in order to not write out values which are
supposed to be ignored according to the specification, we limit
the writing out of chroma sample location to 4:2:0 only.
Fixes invalid reports of bad lossless crc.
While here make end of stream message into debug level as it is
not really important to user.
Also wait for new major sync frame as invalid concating of files
may produce invalid files, which cause various errors.
This results in warnings on compilers which don't support it,
objections were raised during the review process about it but went unnoticed,
and the speed benefit is highly compiler and version specific, and
also not very critical.
We generally hand-write assembly to optimize loops like that, rather
than use compiler magic, and for 40% best case scenario, it's simply
not worth it.
Plus, tree vectorization is still problematic with GCC and disabled by default
for a good reason, so enabling it locally is sketchy.
As the second argument for init_get_bits(avctx and buf) can be crafted,
a return value check for this function call is necessary,
so replace init_get_bits with init_get_bits8 and add return value check.
Consider data as invalid if ff_wma_run_level_decode
gets out with an error.
It avoids an unpleasant sound distorsion.
See http://trac.ffmpeg.org/ticket/9358
As the second argument for init_get_bits(buf) can be crafted,
a return value check for this function call is necessary.
Also replace init_get_bits with init_get_bits8.
Signed-off-by: Peter Ross <pross@xvid.org>