diff -Nru ffmpeg-3.3.3/Changelog ffmpeg-3.3.4/Changelog
--- ffmpeg-3.3.3/Changelog 2017-07-29 17:49:39.000000000 +0000
+++ ffmpeg-3.3.4/Changelog 2017-09-12 01:36:20.000000000 +0000
@@ -2,6 +2,63 @@ releases are sorted from youngest to oldest. +version 3.3.4: +- avcodec/hevc_ps: improve check for missing default display window bitstream +- avcodec/hevc_ps: Fix c?_qp_offset_list size +- avcodec/shorten: Move buffer allocation and offset init to end of read_header() +- avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int() +- avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels +- avcodec/diracdec: Fix overflow in DC computation +- avcodec/scpr: optimize shift loop. +- avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE() +- libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0 +- avformat/asfdec: Fix DoS in asf_build_simple_index() +- avformat/mov: Fix DoS in read_tfra() +- avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit() +- avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting +- avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED() +- avformat/mxfdec: Fix Sign error in mxf_read_primer_pack() +- avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array() +- avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop. 
+- avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered() +- avcodec/hevc_ps: Fix undefined shift in pcm code +- avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate() +- avformat/mvdec: Fix DoS due to lack of eof check +- avformat/rl2: Fix DoS due to lack of eof check +- avformat/rmdec: Fix DoS due to lack of eof check +- avformat/cinedec: Fix DoS due to lack of eof check +- avformat/asfdec: Fix DoS due to lack of eof check +- avformat/hls: Fix DoS due to infinite loop +- ffprobe: Fix NULL pointer handling in color parameter printing +- ffprobe: Fix null pointer dereference with color primaries +- avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps() +- avformat/rtpdec_h264: Fix heap-buffer-overflow +- avformat/aviobuf: Fix signed integer overflow in avio_seek() +- avformat/mov: Fix signed integer overflows with total_size +- avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization +- avcodec/aacdec_template: Fix running cleanup in decode_ics_info() +- avcodec/me_cmp: Fix crashes on ARM due to misalignment +- avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2() +- avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0() +- avcodec/fic: Fixes signed integer overflow +- avcodec/snowdec: Fix off by 1 error +- avcodec/pixlet: fixes integer overflow in read_highpass() +- avcodec/zmbv: Check decomp_size +- avcodec/diracdec: Fixes integer overflow +- avcodec/diracdec: Check perspective_exp and zrs_exp. 
+- avcodec/ffv1dec_template: Fix undefined shift +- avcodec/mpeg4videodec: Clear mcsel before decoding an image +- avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97* +- avcodec/aacdec_fixed: fix invalid shift in predict() +- avcodec/h264_slice: Fix overflow in slice offset +- avformat/utils: fix memory leak in avformat_free_context +- swscale: fix gbrap16 alpha channel issues +- avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add() +- avcodec/diracdsp: fix integer overflow +- avcodec/diracdec: Check weight_log2denom +- avcodec/nvenc: only push cuda context on encoder close if encoder exists +- avfilter/vf_ssim: fix temp size calculation + version 3.3.3: - avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0() - avcodec/diracdec: Fix integer overflow in divide3() diff -Nru ffmpeg-3.3.3/debian/changelog ffmpeg-3.3.4/debian/changelog --- ffmpeg-3.3.3/debian/changelog 2017-08-07 05:41:29.000000000 +0000 +++ ffmpeg-3.3.4/debian/changelog 2017-09-15 06:09:50.000000000 +0000 @@ -1,3 +1,9 @@ +ffmpeg (7:3.3.4-0yavdr0~xenial) xenial; urgency=medium + + * new upstream version + + -- Alexander Grothe Fri, 15 Sep 2017 08:09:36 +0200 + ffmpeg (7:3.3.3-0yavdr0~xenial) xenial; urgency=medium * new upstream version diff -Nru ffmpeg-3.3.3/doc/demuxers.texi ffmpeg-3.3.4/doc/demuxers.texi --- ffmpeg-3.3.3/doc/demuxers.texi 2017-07-29 17:49:29.000000000 +0000 +++ ffmpeg-3.3.4/doc/demuxers.texi 2017-09-12 00:51:43.000000000 +0000 
@@ -300,6 +300,24 @@ which in this case is @file{input.mp4} as the GIF in this example loops infinitely. +@section hls + +HLS demuxer + +It accepts the following options: + +@table @option +@item live_start_index +segment index to start live streams at (negative values are from the end). + +@item allowed_extensions +',' separated list of file extensions that hls is allowed to access. + +@item max_reload +Maximum number of times a insufficient list is attempted to be reloaded. +Default value is 1000. +@end table + @section image2 Image file demuxer. diff -Nru ffmpeg-3.3.3/doc/Doxyfile ffmpeg-3.3.4/doc/Doxyfile --- ffmpeg-3.3.3/doc/Doxyfile 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/doc/Doxyfile 2017-09-12 00:51:43.000000000 +0000 @@ -38,7 +38,7 @@ # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 3.3.3 +PROJECT_NUMBER = 3.3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff -Nru ffmpeg-3.3.3/ffprobe.c ffmpeg-3.3.4/ffprobe.c --- ffmpeg-3.3.3/ffprobe.c 2017-07-29 17:49:29.000000000 +0000 +++ ffmpeg-3.3.4/ffprobe.c 2017-09-12 00:51:43.000000000 +0000 
@@ -1899,6 +1899,57 @@ writer_print_section_footer(w); } +static void print_color_range(WriterContext *w, enum AVColorRange color_range, const char *fallback) +{ + const char *val = av_color_range_name(color_range); + if (!val || color_range == AVCOL_RANGE_UNSPECIFIED) { + print_str_opt("color_range", fallback); + } else { + print_str("color_range", val); + } +} + +static void print_color_space(WriterContext *w, enum AVColorSpace color_space) +{ + const char *val = av_color_space_name(color_space); + if (!val || color_space == AVCOL_SPC_UNSPECIFIED) { + print_str_opt("color_space", "unknown"); + } else { + print_str("color_space", val); + } +} + +static void print_primaries(WriterContext *w, enum AVColorPrimaries color_primaries) +{ + const char *val = av_color_primaries_name(color_primaries); + if (!val || color_primaries == AVCOL_PRI_UNSPECIFIED) { + print_str_opt("color_primaries", "unknown"); + } else { + print_str("color_primaries", val); + } +} + +static void print_color_trc(WriterContext *w, enum AVColorTransferCharacteristic color_trc) +{ + const char *val = av_color_transfer_name(color_trc); + if (!val || color_trc == AVCOL_TRC_UNSPECIFIED) { + print_str_opt("color_transfer", "unknown"); + } else { + print_str("color_transfer", val); + } +} + +static void print_chroma_location(WriterContext *w, enum AVChromaLocation chroma_location) +{ + const char *val = av_chroma_location_name(chroma_location); + if (!val || chroma_location == AVCHROMA_LOC_UNSPECIFIED) { + print_str_opt("chroma_location", "unspecified"); + } else { + print_str("chroma_location", val); + } +} + + static void clear_log(int need_lock) { int i; 
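Review bot: None of the five new print_* helpers in ffprobe.c says why the `!val` test is there, and that test is the whole reason for the change. A shared comment above them would keep it from being removed later, for example `/* av_*_name() can return NULL for enum values outside its table; the value comes from the probed stream, so never pass it to print_str() unchecked */`. The helpers also take `w` without referencing it by name, so presumably the print_str/print_str_opt macros pick it up implicitly; that deserves a word in the same comment. print_color_range takes its fallback as a parameter while the other four hard-code theirs, and one convention would read better.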
@@ -2406,29 +2457,12 @@ if (s) print_str ("pix_fmt", s); else print_str_opt("pix_fmt", "unknown"); print_int("level", par->level); - if (par->color_range != AVCOL_RANGE_UNSPECIFIED) - print_str ("color_range", av_color_range_name(par->color_range)); - else - print_str_opt("color_range", "N/A"); - - s = av_get_colorspace_name(par->color_space); - if (s) print_str ("color_space", s); - else print_str_opt("color_space", "unknown"); - - if (par->color_trc != AVCOL_TRC_UNSPECIFIED) - print_str("color_transfer", av_color_transfer_name(par->color_trc)); - else - print_str_opt("color_transfer", av_color_transfer_name(par->color_trc)); - - if (par->color_primaries != AVCOL_PRI_UNSPECIFIED) - print_str("color_primaries", av_color_primaries_name(par->color_primaries)); - else - print_str_opt("color_primaries", av_color_primaries_name(par->color_primaries)); - if (par->chroma_location != AVCHROMA_LOC_UNSPECIFIED) - print_str("chroma_location", av_chroma_location_name(par->chroma_location)); - else - print_str_opt("chroma_location", av_chroma_location_name(par->chroma_location)); + print_color_range(w, par->color_range, "N/A"); + print_color_space(w, par->color_space); + print_color_trc(w, par->color_trc); + print_primaries(w, par->color_primaries); + print_chroma_location(w, par->chroma_location); if (par->field_order == AV_FIELD_PROGRESSIVE) print_str("field_order", "progressive"); diff -Nru ffmpeg-3.3.3/libavcodec/aacdec_fixed.c ffmpeg-3.3.4/libavcodec/aacdec_fixed.c --- ffmpeg-3.3.3/libavcodec/aacdec_fixed.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/aacdec_fixed.c 2017-09-12 00:51:43.000000000 +0000 
@@ -305,8 +305,12 @@ if (output_enable) { int shift = 28 - pv.exp; - if (shift < 31) - *coef += (pv.mant + (1 << (shift - 1))) >> shift; + if (shift < 31) { + if (shift > 0) { + *coef += (pv.mant + (1 << (shift - 1))) >> shift; + } else + *coef += pv.mant << -shift; + } } e0 = av_int2sf(*coef, 2); diff -Nru ffmpeg-3.3.3/libavcodec/aacdec_template.c ffmpeg-3.3.4/libavcodec/aacdec_template.c --- ffmpeg-3.3.3/libavcodec/aacdec_template.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/aacdec_template.c 2017-09-12 00:51:43.000000000 +0000 @@ -1281,6 +1281,8 @@ const MPEG4AudioConfig *const m4ac = &ac->oc[1].m4ac; const int aot = m4ac->object_type; const int sampling_index = m4ac->sampling_index; + int ret_fail = AVERROR_INVALIDDATA; + if (aot != AOT_ER_AAC_ELD) { if (get_bits1(gb)) { av_log(ac->avctx, AV_LOG_ERROR, "Reserved bit set.\n"); @@ -1331,8 +1333,10 @@ ics->num_swb = ff_aac_num_swb_512[sampling_index]; ics->tns_max_bands = ff_tns_max_bands_512[sampling_index]; } - if (!ics->num_swb || !ics->swb_offset) - return AVERROR_BUG; + if (!ics->num_swb || !ics->swb_offset) { + ret_fail = AVERROR_BUG; + goto fail; + } } else { ics->swb_offset = ff_swb_offset_1024[sampling_index]; ics->num_swb = ff_aac_num_swb_1024[sampling_index]; @@ -1356,7 +1360,8 @@ if (aot == AOT_ER_AAC_LD) { av_log(ac->avctx, AV_LOG_ERROR, "LTP in ER AAC LD not yet implemented.\n"); - return AVERROR_PATCHWELCOME; + ret_fail = AVERROR_PATCHWELCOME; + goto fail; } if ((ics->ltp.present = get_bits(gb, 1))) decode_ltp(&ics->ltp, gb, ics->max_sfb); @@ -1375,7 +1380,7 @@ return 0; fail: ics->max_sfb = 0; - return AVERROR_INVALIDDATA; + return ret_fail; } /** diff -Nru ffmpeg-3.3.3/libavcodec/diracdec.c ffmpeg-3.3.4/libavcodec/diracdec.c --- ffmpeg-3.3.3/libavcodec/diracdec.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/diracdec.c 2017-09-12 00:51:43.000000000 +0000 
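Review bot: In the aacdec_fixed.c hunk, the new `else` arm `*coef += pv.mant << -shift;` left-shifts a signed mantissa, which is undefined when `pv.mant` is negative. Nothing in the hunk bounds `-shift` from above either, so a large `pv.exp` would give a shift count of 32 or more; the range of `pv.exp` is not visible here, so that half needs confirming. I would write the arm as `else if (shift > -31) *coef += (unsigned)pv.mant << -shift;` and brace both arms the same way. The enclosing function starts and ends outside the hunk.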
@@ -442,7 +442,7 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffset) { int coeff = dirac_get_se_golomb(gb); - const int sign = FFSIGN(coeff); + const unsigned sign = FFSIGN(coeff); if (coeff) coeff = sign*((sign * coeff * qfactor + qoffset) >> 2); return coeff; @@ -586,7 +586,7 @@ } \ INTRA_DC_PRED(8, int16_t) -INTRA_DC_PRED(10, int32_t) +INTRA_DC_PRED(10, uint32_t) /** * Dirac Specification -> @@ -1161,6 +1161,10 @@ s->globalmc[ref].perspective[0] = dirac_get_se_golomb(gb); s->globalmc[ref].perspective[1] = dirac_get_se_golomb(gb); } + if (s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30) { + return AVERROR_INVALIDDATA; + } + } } @@ -1179,6 +1183,11 @@ if (get_bits1(gb)) { s->weight_log2denom = get_interleaved_ue_golomb(gb); + if (s->weight_log2denom < 1 || s->weight_log2denom > 8) { + av_log(s->avctx, AV_LOG_ERROR, "weight_log2denom unsupported or invalid\n"); + s->weight_log2denom = 1; + return AVERROR_INVALIDDATA; + } s->weight[0] = dirac_get_se_golomb(gb); if (s->num_refs == 2) s->weight[1] = dirac_get_se_golomb(gb); @@ -1413,7 +1422,7 @@ if (!block->ref) { pred_block_dc(block, stride, x, y); for (i = 0; i < 3; i++) - block->u.dc[i] += dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); + block->u.dc[i] += (unsigned)dirac_get_arith_int(arith+1+i, CTX_DC_F1, CTX_DC_DATA); return; } diff -Nru ffmpeg-3.3.3/libavcodec/diracdsp.c ffmpeg-3.3.4/libavcodec/diracdsp.c --- ffmpeg-3.3.3/libavcodec/diracdsp.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/diracdsp.c 2017-09-12 00:51:43.000000000 +0000 
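Review bot: The new check `s->globalmc[ref].perspective_exp + (uint64_t)s->globalmc[ref].zrs_exp > 30` in diracdec.c returns AVERROR_INVALIDDATA without logging. The `weight_log2denom` check added in the next hunk of the same file logs before it returns. A silent reject makes a malformed stream hard to triage from logs; adding `av_log(s->avctx, AV_LOG_ERROR, "perspective_exp + zrs_exp out of range\n");` before the return would match. The literal 30 also needs a short comment naming the shift it protects, since the consumer of these fields is not in this hunk.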
@@ -199,7 +199,7 @@ for (i = 0; i < tot_h; i++) { \ c = *src_r++; \ sign = FFSIGN(c)*(!!c); \ - c = (FFABS(c)*qf + qs) >> 2; \ + c = (FFABS(c)*(unsigned)qf + qs) >> 2; \ *dst_r++ = c*sign; \ } \ src += tot_h << (sizeof(PX) >> 1); \ diff -Nru ffmpeg-3.3.3/libavcodec/dirac_dwt.h ffmpeg-3.3.4/libavcodec/dirac_dwt.h --- ffmpeg-3.3.3/libavcodec/dirac_dwt.h 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/dirac_dwt.h 2017-09-12 00:51:43.000000000 +0000 @@ -117,16 +117,16 @@ (b4 + ((-2*(b0+b8) + 10*(b1+b7) - 25*(b2+b6) + 81*(b3+b5) + 128) >> 8)) #define COMPOSE_DAUB97iL1(b0, b1, b2)\ - (b1 - ((1817*(b0 + b2) + 2048) >> 12)) + (b1 - ((int)(1817*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH1(b0, b1, b2)\ - (b1 - (( 113*(b0 + b2) + 64) >> 7)) + (b1 - ((int)( 113*(b0 + (unsigned)b2) + 64) >> 7)) #define COMPOSE_DAUB97iL0(b0, b1, b2)\ - (b1 + (( 217*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)( 217*(b0 + (unsigned)b2) + 2048) >> 12)) #define COMPOSE_DAUB97iH0(b0, b1, b2)\ - (b1 + ((6497*(b0 + b2) + 2048) >> 12)) + (b1 + ((int)(6497*(b0 + (unsigned)b2) + 2048) >> 12)) #endif /* AVCODEC_DWT_H */ diff -Nru ffmpeg-3.3.3/libavcodec/dirac_dwt_template.c ffmpeg-3.3.4/libavcodec/dirac_dwt_template.c --- ffmpeg-3.3.3/libavcodec/dirac_dwt_template.c 2017-06-07 02:03:53.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/dirac_dwt_template.c 2017-09-12 00:51:43.000000000 +0000 @@ -49,7 +49,7 @@ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) - b1[i] -= (b0[i] + b2[i] + 2) >> 2; + b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, diff -Nru ffmpeg-3.3.3/libavcodec/dirac_vlc.c ffmpeg-3.3.4/libavcodec/dirac_vlc.c --- ffmpeg-3.3.3/libavcodec/dirac_vlc.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/dirac_vlc.c 2017-09-12 00:51:43.000000000 +0000 
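Review bot: In the four COMPOSE_DAUB97* macros of dirac_dwt.h the new cast is written `(unsigned)b2` on a bare macro parameter, so it binds only to the first operand if a caller passes an expression such as `x + y`. `(unsigned)(b2)` is the safe spelling, and `b0` and `b1` are unparenthesized in the same way. The outer `b1 - (...)` and `b1 + (...)` are still signed arithmetic, so they can overflow for extreme coefficients; whether inputs can reach that range is not visible here. The `(int)` conversion of an out-of-range unsigned value is implementation-defined, so a one-line comment above the macros stating the reliance on two's-complement wrap would help.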
@@ -37,7 +37,7 @@ #define APPEND_RESIDUE(N, M) \ N |= M >> (N ## _bits); \ - N ## _bits += (M ## _bits) + N ## _bits = (N ## _bits + (M ## _bits)) & 0x3F int ff_dirac_golomb_read_32bit(DiracGolombLUT *lut_ctx, const uint8_t *buf, int bytes, uint8_t *_dst, int coeffs) diff -Nru ffmpeg-3.3.3/libavcodec/ffv1dec_template.c ffmpeg-3.3.4/libavcodec/ffv1dec_template.c --- ffmpeg-3.3.3/libavcodec/ffv1dec_template.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/ffv1dec_template.c 2017-09-12 00:51:43.000000000 +0000 @@ -149,7 +149,7 @@ } if (lbd) - *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + (g<<8) + (r<<16) + (a<<24); + *((uint32_t*)(src[0] + x*4 + stride[0]*y)) = b + ((unsigned)g<<8) + ((unsigned)r<<16) + ((unsigned)a<<24); else if (sizeof(TYPE) == 4) { *((uint16_t*)(src[0] + x*2 + stride[0]*y)) = g; *((uint16_t*)(src[1] + x*2 + stride[1]*y)) = b; diff -Nru ffmpeg-3.3.3/libavcodec/fic.c ffmpeg-3.3.4/libavcodec/fic.c --- ffmpeg-3.3.3/libavcodec/fic.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/fic.c 2017-09-12 00:51:43.000000000 +0000 
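Review bot: In APPEND_RESIDUE (dirac_vlc.c) the new `& 0x3F` keeps the next shift count below 64, but it does so by silently wrapping the bit counter. A sum of 64 or more becomes a small count, and the following `N |= M >> (N ## _bits)` then ORs new bits over ones already stored. If that state is only reachable with corrupt input, a comment saying so is enough; otherwise the overflow should be detected rather than masked. The macro also expands to two statements without a `do { ... } while (0)` wrapper, so it misbehaves under an unbraced `if`.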
@@ -85,12 +85,12 @@ static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { - const int t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; - const int t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; - const int t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; - const int t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; - const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12); - const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12); + const unsigned t0 = 27246 * blk[3 * step] + 18405 * blk[5 * step]; + const unsigned t1 = 27246 * blk[5 * step] - 18405 * blk[3 * step]; + const unsigned t2 = 6393 * blk[7 * step] + 32139 * blk[1 * step]; + const unsigned t3 = 6393 * blk[1 * step] - 32139 * blk[7 * step]; + const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12); + const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12); const unsigned t6 = t2 - t0; const unsigned t7 = t3 - t1; const unsigned t8 = 17734 * blk[2 * step] - 42813 * blk[6 * step]; diff -Nru ffmpeg-3.3.3/libavcodec/h264idct_template.c ffmpeg-3.3.4/libavcodec/h264idct_template.c --- ffmpeg-3.3.3/libavcodec/h264idct_template.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/h264idct_template.c 2017-09-12 00:51:43.000000000 +0000 
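Review bot: fic_idct now declares t0..t3 as `unsigned` and casts back with `(int)(t2 + t0 + 0x800) >> 12`, but nothing says why, so the mixed signedness invites a later clean-up that reintroduces the overflow. The individual products are still computed in `int` and fit for int16_t inputs; it is the sums that need the wraparound. I would add a comment above the declarations such as `/* unsigned: t2 + t0 can exceed INT_MAX; let it wrap, then reinterpret as signed for the arithmetic shift */`. The function body continues outside the hunk.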
@@ -40,10 +40,10 @@ block[0] += 1 << 5; for(i=0; i<4; i++){ - const SUINT z0= block[i + 4*0] + block[i + 4*2]; - const SUINT z1= block[i + 4*0] - block[i + 4*2]; - const SUINT z2= (block[i + 4*1]>>1) - block[i + 4*3]; - const SUINT z3= block[i + 4*1] + (block[i + 4*3]>>1); + const SUINT z0= block[i + 4*0] + (unsigned)block[i + 4*2]; + const SUINT z1= block[i + 4*0] - (unsigned)block[i + 4*2]; + const SUINT z2= (block[i + 4*1]>>1) - (unsigned)block[i + 4*3]; + const SUINT z3= block[i + 4*1] + (unsigned)(block[i + 4*3]>>1); block[i + 4*0]= z0 + z3; block[i + 4*1]= z1 + z2; diff -Nru ffmpeg-3.3.3/libavcodec/h264_parse.c ffmpeg-3.3.4/libavcodec/h264_parse.c --- ffmpeg-3.3.3/libavcodec/h264_parse.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/h264_parse.c 2017-09-12 00:51:43.000000000 +0000 @@ -34,21 +34,22 @@ pwt->use_weight = 0; pwt->use_weight_chroma = 0; - pwt->luma_log2_weight_denom = get_ue_golomb(gb); - if (sps->chroma_format_idc) - pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + pwt->luma_log2_weight_denom = get_ue_golomb(gb); if (pwt->luma_log2_weight_denom > 7U) { av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom); pwt->luma_log2_weight_denom = 0; } - if (pwt->chroma_log2_weight_denom > 7U) { - av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); - pwt->chroma_log2_weight_denom = 0; - } + luma_def = 1 << pwt->luma_log2_weight_denom; - luma_def = 1 << pwt->luma_log2_weight_denom; - chroma_def = 1 << pwt->chroma_log2_weight_denom; + if (sps->chroma_format_idc) { + pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + if (pwt->chroma_log2_weight_denom > 7U) { + av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); + pwt->chroma_log2_weight_denom = 0; + } + chroma_def = 1 << pwt->chroma_log2_weight_denom; + } for (list = 0; list < 2; list++) { pwt->luma_weight_flag[list] = 0; 
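Review bot: In the h264_parse.c hunk, moving the chroma parse under `if (sps->chroma_format_idc)` leaves both `pwt->chroma_log2_weight_denom` and the local `chroma_def` untouched for monochrome streams. Any later reader that is not itself guarded then sees a stale or indeterminate value. The next hunk in this file guards one such reader, but the remaining uses are outside the visible lines and need checking. An `else` arm with `pwt->chroma_log2_weight_denom = 0;`, plus initializing `chroma_def` at its declaration, would make the state well defined regardless.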
@@ -102,9 +103,11 @@ if (picture_structure == PICT_FRAME) { pwt->luma_weight[16 + 2 * i][list][0] = pwt->luma_weight[16 + 2 * i + 1][list][0] = pwt->luma_weight[i][list][0]; pwt->luma_weight[16 + 2 * i][list][1] = pwt->luma_weight[16 + 2 * i + 1][list][1] = pwt->luma_weight[i][list][1]; - for (j = 0; j < 2; j++) { - pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; - pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + if (sps->chroma_format_idc) { + for (j = 0; j < 2; j++) { + pwt->chroma_weight[16 + 2 * i][list][j][0] = pwt->chroma_weight[16 + 2 * i + 1][list][j][0] = pwt->chroma_weight[i][list][j][0]; + pwt->chroma_weight[16 + 2 * i][list][j][1] = pwt->chroma_weight[16 + 2 * i + 1][list][j][1] = pwt->chroma_weight[i][list][j][1]; + } } } } diff -Nru ffmpeg-3.3.3/libavcodec/h264_slice.c ffmpeg-3.3.4/libavcodec/h264_slice.c --- ffmpeg-3.3.3/libavcodec/h264_slice.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/h264_slice.c 2017-09-12 00:51:43.000000000 +0000 
@@ -1835,17 +1835,19 @@ sl->deblocking_filter ^= 1; // 1<->0 if (sl->deblocking_filter) { - sl->slice_alpha_c0_offset = get_se_golomb(&sl->gb) * 2; - sl->slice_beta_offset = get_se_golomb(&sl->gb) * 2; - if (sl->slice_alpha_c0_offset > 12 || - sl->slice_alpha_c0_offset < -12 || - sl->slice_beta_offset > 12 || - sl->slice_beta_offset < -12) { + int slice_alpha_c0_offset_div2 = get_se_golomb(&sl->gb); + int slice_beta_offset_div2 = get_se_golomb(&sl->gb); + if (slice_alpha_c0_offset_div2 > 6 || + slice_alpha_c0_offset_div2 < -6 || + slice_beta_offset_div2 > 6 || + slice_beta_offset_div2 < -6) { av_log(h->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", - sl->slice_alpha_c0_offset, sl->slice_beta_offset); + slice_alpha_c0_offset_div2, slice_beta_offset_div2); return AVERROR_INVALIDDATA; } + sl->slice_alpha_c0_offset = slice_alpha_c0_offset_div2 * 2; + sl->slice_beta_offset = slice_beta_offset_div2 * 2; } } diff -Nru ffmpeg-3.3.3/libavcodec/hevcdsp_template.c ffmpeg-3.3.4/libavcodec/hevcdsp_template.c --- ffmpeg-3.3.3/libavcodec/hevcdsp_template.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/hevcdsp_template.c 2017-09-12 00:51:43.000000000 +0000 @@ -593,7 +593,7 @@ ox1 = ox1 * (1 << (BIT_DEPTH - 8)); for (y = 0; y < height; y++) { for (x = 0; x < width; x++) { - dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + ((ox0 + ox1 + 1) << log2Wd)) >> (log2Wd + 1)); + dst[x] = av_clip_pixel(( (src[x] << (14 - BIT_DEPTH)) * wx1 + src2[x] * wx0 + (ox0 + ox1 + 1) * (1 << log2Wd)) >> (log2Wd + 1)); } src += srcstride; dst += dststride; diff -Nru ffmpeg-3.3.3/libavcodec/hevc_ps.c ffmpeg-3.3.4/libavcodec/hevc_ps.c --- ffmpeg-3.3.3/libavcodec/hevc_ps.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/hevc_ps.c 2017-09-12 01:36:20.000000000 +0000 
@@ -225,6 +225,12 @@ prev = 0; for (i = 0; i < rps->num_negative_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev -= delta_poc; rps->delta_poc[i] = prev; rps->used[i] = get_bits1(gb); @@ -232,6 +238,12 @@ prev = 0; for (i = 0; i < nb_positive_pics; i++) { delta_poc = get_ue_golomb_long(gb) + 1; + if (delta_poc < 1 || delta_poc > 32768) { + av_log(avctx, AV_LOG_ERROR, + "Invalid value of delta_poc: %d\n", + delta_poc); + return AVERROR_INVALIDDATA; + } prev += delta_poc; rps->delta_poc[rps->num_negative_pics + i] = prev; rps->used[rps->num_negative_pics + i] = get_bits1(gb); @@ -538,7 +550,7 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx, int apply_defdispwin, HEVCSPS *sps) { - VUI *vui = &sps->vui; + VUI backup_vui, *vui = &sps->vui; GetBitContext backup; int sar_present, alt = 0; @@ -606,13 +618,14 @@ vui->field_seq_flag = get_bits1(gb); vui->frame_field_info_present_flag = get_bits1(gb); + // Backup context in case an alternate header is detected + memcpy(&backup, gb, sizeof(backup)); + memcpy(&backup_vui, vui, sizeof(backup_vui)); if (get_bits_left(gb) >= 68 && show_bits_long(gb, 21) == 0x100000) { vui->default_display_window_flag = 0; av_log(avctx, AV_LOG_WARNING, "Invalid default display window\n"); } else vui->default_display_window_flag = get_bits1(gb); - // Backup context in case an alternate header is detected - memcpy(&backup, gb, sizeof(backup)); if (vui->default_display_window_flag) { int vert_mult = 1 + (sps->chroma_format_idc < 2); 
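Review bot: The `delta_poc < 1 || delta_poc > 32768` check in hevc_ps.c is pasted twice, once per loop, with the limit as a bare literal. A named constant, or a small static helper that logs and returns the error, would keep the two loops from drifting and give one place to cite where 32768 comes from. The enclosing function starts and ends outside the hunk.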
@@ -639,18 +652,19 @@ } } +timing_info: vui->vui_timing_info_present_flag = get_bits1(gb); if (vui->vui_timing_info_present_flag) { - if( get_bits_left(gb) < 66) { + if( get_bits_left(gb) < 66 && !alt) { // The alternate syntax seem to have timing info located // at where def_disp_win is normally located av_log(avctx, AV_LOG_WARNING, "Strange VUI timing information, retrying...\n"); - vui->default_display_window_flag = 0; - memset(&vui->def_disp_win, 0, sizeof(vui->def_disp_win)); + memcpy(vui, &backup_vui, sizeof(backup_vui)); memcpy(gb, &backup, sizeof(backup)); alt = 1; + goto timing_info; } vui->vui_num_units_in_tick = get_bits_long(gb, 32); vui->vui_time_scale = get_bits_long(gb, 32); @@ -668,6 +682,15 @@ vui->bitstream_restriction_flag = get_bits1(gb); if (vui->bitstream_restriction_flag) { + if (get_bits_left(gb) < 8 && !alt) { + av_log(avctx, AV_LOG_WARNING, + "Strange VUI bitstream restriction information, retrying" + " from timing information...\n"); + memcpy(vui, &backup_vui, sizeof(backup_vui)); + memcpy(gb, &backup, sizeof(backup)); + alt = 1; + goto timing_info; + } vui->tiles_fixed_structure_flag = get_bits1(gb); vui->motion_vectors_over_pic_boundaries_flag = get_bits1(gb); vui->restricted_ref_pic_lists_flag = get_bits1(gb); @@ -677,6 +700,16 @@ vui->log2_max_mv_length_horizontal = get_ue_golomb_long(gb); vui->log2_max_mv_length_vertical = get_ue_golomb_long(gb); } + + if (get_bits_left(gb) < 1 && !alt) { + // XXX: Alternate syntax when sps_range_extension_flag != 0? + av_log(avctx, AV_LOG_WARNING, + "Overread in VUI, retrying from timing information...\n"); + memcpy(vui, &backup_vui, sizeof(backup_vui)); + memcpy(gb, &backup, sizeof(backup)); + alt = 1; + goto timing_info; + } } static void set_default_scaling_list_data(ScalingList *sl) 
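Review bot: All three retry guards in decode_vui are conditioned on `!alt`, so on the second pass a stream that is still too short falls straight through to `get_bits_long(gb, 32)` and the reads after it. decode_vui returns void, so the caller never learns that the VUI was truncated. Whether the bit reader clamps at the buffer end is not visible in this diff. If it does, a comment at the `timing_info:` label saying the second pass relies on that would be enough; otherwise the function needs a way to report the failure. The three copies of the restore-and-`goto timing_info` sequence could also be folded into one block.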
@@ -1014,10 +1047,10 @@ sps->pcm.log2_min_pcm_cb_size = get_ue_golomb_long(gb) + 3; sps->pcm.log2_max_pcm_cb_size = sps->pcm.log2_min_pcm_cb_size + get_ue_golomb_long(gb); - if (sps->pcm.bit_depth > sps->bit_depth) { + if (FFMAX(sps->pcm.bit_depth, sps->pcm.bit_depth_chroma) > sps->bit_depth) { av_log(avctx, AV_LOG_ERROR, - "PCM bit depth (%d) is greater than normal bit depth (%d)\n", - sps->pcm.bit_depth, sps->bit_depth); + "PCM bit depth (%d, %d) is greater than normal bit depth (%d)\n", + sps->pcm.bit_depth, sps->pcm.bit_depth_chroma, sps->bit_depth); return AVERROR_INVALIDDATA; } diff -Nru ffmpeg-3.3.3/libavcodec/hevc_ps.h ffmpeg-3.3.4/libavcodec/hevc_ps.h --- ffmpeg-3.3.3/libavcodec/hevc_ps.h 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/hevc_ps.h 2017-09-12 00:51:43.000000000 +0000 @@ -285,8 +285,8 @@ uint8_t chroma_qp_offset_list_enabled_flag; uint8_t diff_cu_chroma_qp_offset_depth; uint8_t chroma_qp_offset_list_len_minus1; - int8_t cb_qp_offset_list[5]; - int8_t cr_qp_offset_list[5]; + int8_t cb_qp_offset_list[6]; + int8_t cr_qp_offset_list[6]; uint8_t log2_sao_offset_scale_luma; uint8_t log2_sao_offset_scale_chroma; diff -Nru ffmpeg-3.3.3/libavcodec/jpeg2000dsp.c ffmpeg-3.3.4/libavcodec/jpeg2000dsp.c --- ffmpeg-3.3.3/libavcodec/jpeg2000dsp.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/jpeg2000dsp.c 2017-09-12 00:51:43.000000000 +0000 
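Review bot: In hevc_ps.h, `cb_qp_offset_list[6]` and `cr_qp_offset_list[6]` are sized with a bare literal, while the bound that keeps `chroma_qp_offset_list_len_minus1` inside them lives in the parser, which this diff does not touch. The changelog describes this as a size fix, so the array and the parser limit were out of step before. Tying both to one named constant, or adding a compile-time size check next to the parse loop, would stop that recurring. At minimum add a comment here such as `/* indexed 0..chroma_qp_offset_list_len_minus1 inclusive */`.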
@@ -65,9 +65,9 @@ for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; diff -Nru ffmpeg-3.3.3/libavcodec/me_cmp.c ffmpeg-3.3.4/libavcodec/me_cmp.c --- ffmpeg-3.3.3/libavcodec/me_cmp.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/me_cmp.c 2017-09-12 00:51:43.000000000 +0000 @@ -628,7 +628,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); return s->mecc.sum_abs_dctelem(temp); } @@ -668,7 +668,7 @@ int16_t dct[8][8]; int i, sum = 0; - s->pdsp.diff_pixels(dct[0], src1, src2, stride); + s->pdsp.diff_pixels_unaligned(dct[0], src1, src2, stride); #define SRC(x) dct[i][x] #define DST(x, v) dct[i][x] = v @@ -695,7 +695,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->fdsp.fdct(temp); for (i = 0; i < 64; i++) @@ -714,7 +714,7 @@ av_assert2(h == 8); s->mb_intra = 0; - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); memcpy(bak, temp, 64 * sizeof(int16_t)); @@ -817,7 +817,7 @@ av_assert2(h == 8); - s->pdsp.diff_pixels(temp, src1, src2, stride); + s->pdsp.diff_pixels_unaligned(temp, src1, src2, stride); s->block_last_index[0 /* FIXME */] = last = diff -Nru ffmpeg-3.3.3/libavcodec/mpeg4videodec.c ffmpeg-3.3.4/libavcodec/mpeg4videodec.c --- ffmpeg-3.3.3/libavcodec/mpeg4videodec.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/mpeg4videodec.c 2017-09-12 00:51:43.000000000 +0000 
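Review bot: In the jpeg2000dsp.c hunk only two of the four multiplications in the loop were moved to unsigned. `26345 * *src2` in the `i0` line and `i_ict_params[2] * *src2` in the `i1` line are still signed products, so they can overflow for the same input magnitudes as the ones that were fixed. Writing them as `((int)((26345U * *src2) + (1 << 15)) >> 16)` and `((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16)` would make the loop consistent. The types of `src0`..`src2` are declared outside the hunk; this assumes they are 32-bit integers, as the existing casts imply.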
@@ -2290,6 +2290,7 @@ int time_incr, time_increment; int64_t pts; + s->mcsel = 0; s->pict_type = get_bits(gb, 2) + AV_PICTURE_TYPE_I; /* pict type: I = 0 , P = 1 */ if (s->pict_type == AV_PICTURE_TYPE_B && s->low_delay && ctx->vol_control_parameters == 0 && !(s->avctx->flags & AV_CODEC_FLAG_LOW_DELAY)) { diff -Nru ffmpeg-3.3.3/libavcodec/nvenc.c ffmpeg-3.3.4/libavcodec/nvenc.c --- ffmpeg-3.3.3/libavcodec/nvenc.c 2017-07-29 17:49:30.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/nvenc.c 2017-09-12 00:51:43.000000000 +0000 @@ -1262,17 +1262,17 @@ CUcontext dummy; int i; - cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); - if (cu_res != CUDA_SUCCESS) { - av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); - return AVERROR_EXTERNAL; - } - /* the encoder has to be flushed before it can be closed */ if (ctx->nvencoder) { NV_ENC_PIC_PARAMS params = { .version = NV_ENC_PIC_PARAMS_VER, .encodePicFlags = NV_ENC_PIC_FLAG_EOS }; + cu_res = dl_fn->cuda_dl->cuCtxPushCurrent(ctx->cu_context); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPushCurrent failed\n"); + return AVERROR_EXTERNAL; + } + p_nvenc->nvEncEncodePicture(ctx->nvencoder, ¶ms); } 
@@ -1304,15 +1304,16 @@ av_freep(&ctx->surfaces); ctx->nb_surfaces = 0; - if (ctx->nvencoder) + if (ctx->nvencoder) { p_nvenc->nvEncDestroyEncoder(ctx->nvencoder); - ctx->nvencoder = NULL; - cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); - if (cu_res != CUDA_SUCCESS) { - av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); - return AVERROR_EXTERNAL; + cu_res = dl_fn->cuda_dl->cuCtxPopCurrent(&dummy); + if (cu_res != CUDA_SUCCESS) { + av_log(avctx, AV_LOG_ERROR, "cuCtxPopCurrent failed\n"); + return AVERROR_EXTERNAL; + } } + ctx->nvencoder = NULL; if (ctx->cu_context_internal) dl_fn->cuda_dl->cuCtxDestroy(ctx->cu_context_internal); diff -Nru ffmpeg-3.3.3/libavcodec/pixblockdsp.c ffmpeg-3.3.4/libavcodec/pixblockdsp.c --- ffmpeg-3.3.3/libavcodec/pixblockdsp.c 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/pixblockdsp.c 2017-09-12 00:51:43.000000000 +0000 @@ -82,6 +82,7 @@ { const unsigned high_bit_depth = avctx->bits_per_raw_sample > 8; + c->diff_pixels_unaligned = c->diff_pixels = diff_pixels_c; switch (avctx->bits_per_raw_sample) { diff -Nru ffmpeg-3.3.3/libavcodec/pixblockdsp.h ffmpeg-3.3.4/libavcodec/pixblockdsp.h --- ffmpeg-3.3.3/libavcodec/pixblockdsp.h 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/pixblockdsp.h 2017-09-12 00:51:43.000000000 +0000 @@ -33,6 +33,11 @@ const uint8_t *s1 /* align 8 */, const uint8_t *s2 /* align 8 */, ptrdiff_t stride); + void (*diff_pixels_unaligned)(int16_t *av_restrict block /* align 16 */, + const uint8_t *s1, + const uint8_t *s2, + ptrdiff_t stride); + } PixblockDSPContext; void ff_pixblockdsp_init(PixblockDSPContext *c, AVCodecContext *avctx); diff -Nru ffmpeg-3.3.3/libavcodec/pixlet.c ffmpeg-3.3.4/libavcodec/pixlet.c --- ffmpeg-3.3.3/libavcodec/pixlet.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/pixlet.c 2017-09-12 00:51:43.000000000 +0000 
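Review bot: In the second nvenc.c hunk, moving `ctx->nvencoder = NULL;` below the pop means a failing `cuCtxPopCurrent` returns with `ctx->nvencoder` still holding a handle that `nvEncDestroyEncoder` has already destroyed. If the close path can run again, which cannot be determined from this hunk, the stale handle would be flushed and destroyed a second time. Clearing it right after the destroy call keeps the old ordering: `p_nvenc->nvEncDestroyEncoder(ctx->nvencoder); ctx->nvencoder = NULL;`. Both early returns, here and on the push in the previous hunk, also skip the `cuCtxDestroy` call and the rest of the teardown below.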
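Review bot: The new `diff_pixels_unaligned` member in pixblockdsp.h has no comment describing its contract; only the missing `/* align 8 */` on `s1` and `s2` hints at it. Platform init code that installs an aligned-only routine in `diff_pixels` must leave this pointer on an implementation that tolerates any source alignment, and the header should say so. Something like `/* as diff_pixels, but s1 and s2 may have any alignment; arch code must not assign an aligned-only routine here */` above the member would do.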
@@ -262,7 +262,7 @@ flag = 0; - if (state * 4ULL > 0xFF || i >= size) + if ((uint64_t)state > 0xFF / 4 || i >= size) continue; pfx = ((state + 8) >> 5) + (state ? ff_clz(state): 32) - 24; @@ -331,6 +331,9 @@ return AVERROR_INVALIDDATA; } + if (a == INT32_MIN) + return AVERROR_INVALIDDATA; + ret = read_high_coeffs(avctx, ptr + bytestream2_tell(&ctx->gb), dest, size, c, (b >= FFABS(a)) ? b : a, d, ctx->band[plane][i + 1].width, stride); diff -Nru ffmpeg-3.3.3/libavcodec/sbrdsp_fixed.c ffmpeg-3.3.4/libavcodec/sbrdsp_fixed.c --- ffmpeg-3.3.3/libavcodec/sbrdsp_fixed.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/sbrdsp_fixed.c 2017-09-12 00:51:43.000000000 +0000 @@ -136,19 +136,19 @@ if (lag) { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i+lag][0]; - accu_re += (int64_t)x[i][1] * x[i+lag][1]; - accu_im += (int64_t)x[i][0] * x[i+lag][1]; - accu_im -= (int64_t)x[i][1] * x[i+lag][0]; + accu_re += (uint64_t)x[i][0] * x[i+lag][0]; + accu_re += (uint64_t)x[i][1] * x[i+lag][1]; + accu_im += (uint64_t)x[i][0] * x[i+lag][1]; + accu_im -= (uint64_t)x[i][1] * x[i+lag][0]; } real_sum = accu_re; imag_sum = accu_im; - accu_re += (int64_t)x[ 0][0] * x[lag][0]; - accu_re += (int64_t)x[ 0][1] * x[lag][1]; - accu_im += (int64_t)x[ 0][0] * x[lag][1]; - accu_im -= (int64_t)x[ 0][1] * x[lag][0]; + accu_re += (uint64_t)x[ 0][0] * x[lag][0]; + accu_re += (uint64_t)x[ 0][1] * x[lag][1]; + accu_im += (uint64_t)x[ 0][0] * x[lag][1]; + accu_im -= (uint64_t)x[ 0][1] * x[lag][0]; phi[2-lag][1][0] = autocorr_calc(accu_re); phi[2-lag][1][1] = autocorr_calc(accu_im); 
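Review bot: The `(uint64_t)` casts added in the sbrdsp_fixed.c accumulation lines are applied to what look like signed samples, which reads as a bug unless the intent is known. Judging by the changelog entry, the aim is to make the multiply-accumulate wrap instead of overflowing. A comment at the top of the loop would prevent a well-meant revert, for example `/* unsigned on purpose: wrap instead of signed-overflow UB; the sum is reinterpreted as signed by autocorr_calc() */`. The same applies to the second hunk of this file. The types of `x`, `accu_re` and `accu_im` are declared outside the hunk.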
@@ -156,28 +156,28 @@ if (lag == 1) { accu_re = real_sum; accu_im = imag_sum; - accu_re += (int64_t)x[38][0] * x[39][0]; - accu_re += (int64_t)x[38][1] * x[39][1]; - accu_im += (int64_t)x[38][0] * x[39][1]; - accu_im -= (int64_t)x[38][1] * x[39][0]; + accu_re += (uint64_t)x[38][0] * x[39][0]; + accu_re += (uint64_t)x[38][1] * x[39][1]; + accu_im += (uint64_t)x[38][0] * x[39][1]; + accu_im -= (uint64_t)x[38][1] * x[39][0]; phi[0][0][0] = autocorr_calc(accu_re); phi[0][0][1] = autocorr_calc(accu_im); } } else { for (i = 1; i < 38; i++) { - accu_re += (int64_t)x[i][0] * x[i][0]; - accu_re += (int64_t)x[i][1] * x[i][1]; + accu_re += (uint64_t)x[i][0] * x[i][0]; + accu_re += (uint64_t)x[i][1] * x[i][1]; } real_sum = accu_re; - accu_re += (int64_t)x[ 0][0] * x[ 0][0]; - accu_re += (int64_t)x[ 0][1] * x[ 0][1]; + accu_re += (uint64_t)x[ 0][0] * x[ 0][0]; + accu_re += (uint64_t)x[ 0][1] * x[ 0][1]; phi[2][1][0] = autocorr_calc(accu_re); accu_re = real_sum; - accu_re += (int64_t)x[38][0] * x[38][0]; - accu_re += (int64_t)x[38][1] * x[38][1]; + accu_re += (uint64_t)x[38][0] * x[38][0]; + accu_re += (uint64_t)x[38][1] * x[38][1]; phi[1][0][0] = autocorr_calc(accu_re); } diff -Nru ffmpeg-3.3.3/libavcodec/scpr.c ffmpeg-3.3.4/libavcodec/scpr.c --- ffmpeg-3.3.3/libavcodec/scpr.c 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/scpr.c 2017-09-12 00:51:43.000000000 +0000 
@@ -824,8 +824,19 @@ if (ret < 0) return ret; + // scale up each sample by 8 for (y = 0; y < avctx->height; y++) { - for (x = 0; x < avctx->width * 4; x++) { + // If the image is sufficiently aligned, compute 8 samples at once + if (!(((uintptr_t)dst) & 7)) { + uint64_t *dst64 = (uint64_t *)dst; + int w = avctx->width>>1; + for (x = 0; x < w; x++) { + dst64[x] = (dst64[x] << 3) & 0xFCFCFCFCFCFCFCFCULL; + } + x *= 8; + } else + x = 0; + for (; x < avctx->width * 4; x++) { dst[x] = dst[x] << 3; } dst += frame->linesize[0]; diff -Nru ffmpeg-3.3.3/libavcodec/shorten.c ffmpeg-3.3.4/libavcodec/shorten.c --- ffmpeg-3.3.3/libavcodec/shorten.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/shorten.c 2017-09-12 00:51:43.000000000 +0000 @@ -462,12 +462,6 @@ } s->nwrap = FFMAX(NWRAP, maxnlpc); - if ((ret = allocate_buffers(s)) < 0) - return ret; - - if ((ret = init_offset(s)) < 0) - return ret; - if (s->version > 1) s->lpcqoffset = V2LPCQOFFSET; @@ -504,6 +498,13 @@ } end: + + if ((ret = allocate_buffers(s)) < 0) + return ret; + + if ((ret = init_offset(s)) < 0) + return ret; + s->cur_chan = 0; s->bitshift = 0; diff -Nru ffmpeg-3.3.3/libavcodec/snowdec.c ffmpeg-3.3.4/libavcodec/snowdec.c --- ffmpeg-3.3.3/libavcodec/snowdec.c 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/snowdec.c 2017-09-12 00:51:43.000000000 +0000 @@ -140,7 +140,7 @@ v = b->x_coeff[new_index].coeff; x = b->x_coeff[new_index++].x; while(x < w){ - register int t= ( (v>>1)*qmul + qadd)>>QEXPSHIFT; + register int t= (int)( (v>>1)*(unsigned)qmul + qadd)>>QEXPSHIFT; register int u= -(v&1); line[x] = (t^u) - u; 
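Review bot: The 64-bit path in the scpr.c hunk masks with `0xFCFCFCFCFCFCFCFCULL`, which clears only the low two bits of each byte, while the scalar loop `dst[x] = dst[x] << 3` always leaves the low three bits zero. If any byte has bit 7 set, the wide shift carries it into bit 2 of the neighbouring byte and the mask lets it through, so the decoded output would depend on whether `dst` happens to be 8-byte aligned. `dst64[x] = (dst64[x] << 3) & 0xF8F8F8F8F8F8F8F8ULL;` matches the scalar loop for every input. Whether the samples can reach 128 is not visible in this hunk, so this may not be reachable in practice, but the two paths should not differ in any case.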
@@ -355,7 +355,7 @@ Plane *p= &s->plane[plane_index]; p->diag_mc= get_rac(&s->c, s->header_state); htaps= get_symbol(&s->c, s->header_state, 0)*2 + 2; - if((unsigned)htaps > HTAPS_MAX || htaps==0) + if((unsigned)htaps >= HTAPS_MAX || htaps==0) return AVERROR_INVALIDDATA; p->htaps= htaps; for(i= htaps/2; i; i--){ diff -Nru ffmpeg-3.3.3/libavcodec/utils.c ffmpeg-3.3.4/libavcodec/utils.c --- ffmpeg-3.3.3/libavcodec/utils.c 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/utils.c 2017-09-12 00:51:43.000000000 +0000 @@ -1568,7 +1568,7 @@ } if (!avctx->rc_initial_buffer_occupancy) - avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3 / 4; + avctx->rc_initial_buffer_occupancy = avctx->rc_buffer_size * 3LL / 4; if (avctx->ticks_per_frame && avctx->time_base.num && avctx->ticks_per_frame > INT_MAX / avctx->time_base.num) { diff -Nru ffmpeg-3.3.3/libavcodec/x86/pixblockdsp_init.c ffmpeg-3.3.4/libavcodec/x86/pixblockdsp_init.c --- ffmpeg-3.3.3/libavcodec/x86/pixblockdsp_init.c 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/x86/pixblockdsp_init.c 2017-09-12 00:51:43.000000000 +0000 @@ -39,12 +39,14 @@ if (EXTERNAL_MMX(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_mmx; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_mmx; } if (EXTERNAL_SSE2(cpu_flags)) { if (!high_bit_depth) c->get_pixels = ff_get_pixels_sse2; + c->diff_pixels_unaligned = c->diff_pixels = ff_diff_pixels_sse2; } } diff -Nru ffmpeg-3.3.3/libavcodec/zmbv.c ffmpeg-3.3.4/libavcodec/zmbv.c --- ffmpeg-3.3.3/libavcodec/zmbv.c 2017-07-29 17:49:31.000000000 +0000 +++ ffmpeg-3.3.4/libavcodec/zmbv.c 2017-09-12 00:51:43.000000000 +0000 
@@ -589,6 +589,11 @@ // Needed if zlib unused or init aborted before inflateInit memset(&c->zstream, 0, sizeof(z_stream)); + if ((avctx->width + 255ULL) * (avctx->height + 64ULL) > FFMIN(avctx->max_pixels, INT_MAX / 4) ) { + av_log(avctx, AV_LOG_ERROR, "Internal buffer (decomp_size) larger than max_pixels or too large\n"); + return AVERROR_INVALIDDATA; + } + c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64); /* Allocate decompression buffer */ diff -Nru ffmpeg-3.3.3/libavfilter/vf_ssim.c ffmpeg-3.3.4/libavfilter/vf_ssim.c --- ffmpeg-3.3.3/libavfilter/vf_ssim.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavfilter/vf_ssim.c 2017-09-12 00:51:43.000000000 +0000 @@ -219,6 +219,8 @@ return ssim; } +#define SUM_LEN(w) (((w) >> 2) + 3) + static float ssim_plane_16bit(SSIMDSPContext *dsp, uint8_t *main, int main_stride, uint8_t *ref, int ref_stride, @@ -228,7 +230,7 @@ int z = 0, y; float ssim = 0.0; int64_t (*sum0)[4] = temp; - int64_t (*sum1)[4] = sum0 + (width >> 2) + 3; + int64_t (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -256,7 +258,7 @@ int z = 0, y; float ssim = 0.0; int (*sum0)[4] = temp; - int (*sum1)[4] = sum0 + (width >> 2) + 3; + int (*sum1)[4] = sum0 + SUM_LEN(width); width >>= 2; height >>= 2; @@ -402,7 +404,7 @@ for (i = 0; i < s->nb_components; i++) s->coefs[i] = (double) s->planeheight[i] * s->planewidth[i] / sum; - s->temp = av_malloc_array((2 * inlink->w + 12), sizeof(*s->temp) * (1 + (desc->comp[0].depth > 8))); + s->temp = av_mallocz_array(2 * SUM_LEN(inlink->w), (desc->comp[0].depth > 8) ? sizeof(int64_t[4]) : sizeof(int[4])); if (!s->temp) return AVERROR(ENOMEM); s->max = (1 << desc->comp[0].depth) - 1; diff -Nru ffmpeg-3.3.3/libavformat/asfdec_f.c ffmpeg-3.3.4/libavformat/asfdec_f.c --- ffmpeg-3.3.3/libavformat/asfdec_f.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/asfdec_f.c 2017-09-12 00:51:43.000000000 +0000 
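Review bot: The new size check in the zmbv.c hunk compares an `unsigned long long` product with `FFMIN(avctx->max_pixels, INT_MAX / 4)`, so the limit is converted to unsigned before the comparison. A negative `max_pixels` would become a very large bound and let every frame size through. The allowed range of that field is not visible here and it may never be negative, but writing the product with signed constants, `(avctx->width + 255LL) * (avctx->height + 64LL) > FFMIN(avctx->max_pixels, INT_MAX / 4)`, keeps the comparison signed at no cost. The `int` computation of `c->decomp_size` on the following line is only safe because of this guard, which deserves a short comment.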
@@ -749,13 +749,15 @@ count = avio_rl32(pb); // markers count avio_rl16(pb); // reserved 2 bytes name_len = avio_rl16(pb); // name length - for (i = 0; i < name_len; i++) - avio_r8(pb); // skip the name + avio_skip(pb, name_len); for (i = 0; i < count; i++) { int64_t pres_time; int name_len; + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + avio_rl64(pb); // offset, 8 bytes pres_time = avio_rl64(pb); // presentation time pres_time -= asf->hdr.preroll * 10000; @@ -1608,6 +1610,11 @@ int64_t pos = s->internal->data_offset + s->packet_size * (int64_t)pktnum; int64_t index_pts = FFMAX(av_rescale(itime, i, 10000) - asf->hdr.preroll, 0); + if (avio_feof(s->pb)) { + ret = AVERROR_INVALIDDATA; + goto end; + } + if (pos != last_pos) { av_log(s, AV_LOG_DEBUG, "pktnum:%d, pktct:%d pts: %"PRId64"\n", pktnum, pktct, index_pts); diff -Nru ffmpeg-3.3.3/libavformat/aviobuf.c ffmpeg-3.3.4/libavformat/aviobuf.c --- ffmpeg-3.3.3/libavformat/aviobuf.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/aviobuf.c 2017-09-12 00:51:43.000000000 +0000 @@ -251,6 +251,8 @@ offset1 = pos + (s->buf_ptr - s->buffer); if (offset == 0) return offset1; + if (offset > INT64_MAX - offset1) + return AVERROR(EINVAL); offset += offset1; } if (offset < 0) diff -Nru ffmpeg-3.3.3/libavformat/cinedec.c ffmpeg-3.3.4/libavformat/cinedec.c --- ffmpeg-3.3.3/libavformat/cinedec.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/cinedec.c 2017-09-12 00:51:43.000000000 +0000 @@ -267,8 +267,12 @@ /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); - for (i = 0; i < st->duration; i++) + for (i = 0; i < st->duration; i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; + av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); + } return 0; } diff -Nru ffmpeg-3.3.3/libavformat/hls.c ffmpeg-3.3.4/libavformat/hls.c --- ffmpeg-3.3.3/libavformat/hls.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/hls.c 2017-09-12 00:51:43.000000000 +0000 
@@ -205,6 +205,7 @@ AVDictionary *avio_opts; int strict_std_compliance; char *allowed_extensions; + int max_reload; } HLSContext; static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) @@ -1263,6 +1264,7 @@ HLSContext *c = v->parent->priv_data; int ret, i; int just_opened = 0; + int reload_count = 0; restart: if (!v->needed) @@ -1294,6 +1296,9 @@ reload_interval = default_reload_interval(v); reload: + reload_count++; + if (reload_count > c->max_reload) + return AVERROR_EOF; if (!v->finished && av_gettime_relative() - v->last_load_time >= reload_interval) { if ((ret = parse_playlist(c, v->url, v, NULL)) < 0) { @@ -2150,6 +2155,8 @@ OFFSET(allowed_extensions), AV_OPT_TYPE_STRING, {.str = "3gp,aac,avi,flac,mkv,m3u8,m4a,m4s,m4v,mpg,mov,mp2,mp3,mp4,mpeg,mpegts,ogg,ogv,oga,ts,vob,wav"}, INT_MIN, INT_MAX, FLAGS}, + {"max_reload", "Maximum number of times a insufficient list is attempted to be reloaded", + OFFSET(max_reload), AV_OPT_TYPE_INT, {.i64 = 1000}, 0, INT_MAX, FLAGS}, {NULL} }; diff -Nru ffmpeg-3.3.3/libavformat/mov.c ffmpeg-3.3.4/libavformat/mov.c --- ffmpeg-3.3.3/libavformat/mov.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/mov.c 2017-09-12 00:51:43.000000000 +0000 @@ -5362,7 +5362,7 @@ if (atom.size < 0) atom.size = INT64_MAX; - while (total_size + 8 <= atom.size && !avio_feof(pb)) { + while (total_size <= atom.size - 8 && !avio_feof(pb)) { int (*parse)(MOVContext*, AVIOContext*, MOVAtom) = NULL; a.size = atom.size; a.type=0; @@ -5873,6 +5873,13 @@ } for (i = 0; i < index->item_count; i++) { int64_t time, offset; + + if (avio_feof(f)) { + index->item_count = 0; + av_freep(&index->items); + return AVERROR_INVALIDDATA; + } + if (version == 1) { time = avio_rb64(f); offset = avio_rb64(f); diff -Nru ffmpeg-3.3.3/libavformat/mvdec.c ffmpeg-3.3.4/libavformat/mvdec.c --- ffmpeg-3.3.3/libavformat/mvdec.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/mvdec.c 2017-09-12 00:51:43.000000000 +0000 
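Review bot: In the hls.c hunk at -1294, `reload_count++` sits directly under the `reload:` label, which is also reached by falling through from `reload_interval = default_reload_interval(v);`, so the first pass already counts as a reload. The option hunk allows a minimum of 0, and with `max_reload=0` the test `reload_count > c->max_reload` is true on that first pass, so the function returns `AVERROR_EOF` before any playlist is parsed. Raising the minimum in the option entry to 1, `{.i64 = 1000}, 1, INT_MAX, FLAGS},`, avoids that; the rest of the function is outside the hunk, so the intended meaning of 0 should be confirmed. The help string also reads "a insufficient list" where "an insufficient list" is meant, and giving up is silent; an `av_log` before the return would help diagnosis.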
@@ -342,6 +342,8 @@ uint32_t pos = avio_rb32(pb); uint32_t asize = avio_rb32(pb); uint32_t vsize = avio_rb32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_skip(pb, 8); av_add_index_entry(ast, pos, timestamp, asize, 0, AVINDEX_KEYFRAME); av_add_index_entry(vst, pos + asize, i, vsize, 0, AVINDEX_KEYFRAME); diff -Nru ffmpeg-3.3.3/libavformat/mxfdec.c ffmpeg-3.3.4/libavformat/mxfdec.c --- ffmpeg-3.3.3/libavformat/mxfdec.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/mxfdec.c 2017-09-12 00:51:43.000000000 +0000 @@ -500,7 +500,7 @@ avpriv_request_sample(pb, "Primer pack item length %d", item_len); return AVERROR_PATCHWELCOME; } - if (item_num > 65536) { + if (item_num > 65536 || item_num < 0) { av_log(mxf->fc, AV_LOG_ERROR, "item_num %d is too large\n", item_num); return AVERROR_INVALIDDATA; } @@ -899,6 +899,8 @@ segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); + if(segment->nb_index_entries && length < 11) + return AVERROR_INVALIDDATA; if (!(segment->temporal_offset_entries=av_calloc(segment->nb_index_entries, sizeof(*segment->temporal_offset_entries))) || !(segment->flag_entries = av_calloc(segment->nb_index_entries, sizeof(*segment->flag_entries))) || @@ -909,6 +911,8 @@ } for (i = 0; i < segment->nb_index_entries; i++) { + if(avio_feof(pb)) + return AVERROR_INVALIDDATA; segment->temporal_offset_entries[i] = avio_r8(pb); avio_r8(pb); /* KeyFrameOffset */ segment->flag_entries[i] = avio_r8(pb); diff -Nru ffmpeg-3.3.3/libavformat/nsvdec.c ffmpeg-3.3.4/libavformat/nsvdec.c --- ffmpeg-3.3.3/libavformat/nsvdec.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/nsvdec.c 2017-09-12 00:51:43.000000000 +0000 
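Review bot: The mxfdec.c hunk at -899 adds `length < 11` with no indication of where 11 comes from. It presumably is the number of bytes the loop consumes per index entry before skipping the remainder, but that part of the loop is outside the hunk. A comment such as `/* each entry holds at least 11 bytes of fixed fields */`, or a named constant shared with the loop, would stop the two from drifting apart. In the -500 hunk the message `"item_num %d is too large"` is now also printed for negative values, where "is invalid" would be accurate.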
@@ -335,8 +335,11 @@ if (!nsv->nsvs_file_offset) return AVERROR(ENOMEM); - for(i=0;insvs_file_offset[i] = avio_rl32(pb) + size; + } if(table_entries > table_entries_used && avio_rl32(pb) == MKTAG('T','O','C','2')) { diff -Nru ffmpeg-3.3.3/libavformat/rl2.c ffmpeg-3.3.4/libavformat/rl2.c --- ffmpeg-3.3.3/libavformat/rl2.c 2017-07-29 17:49:32.000000000 +0000 +++ ffmpeg-3.3.4/libavformat/rl2.c 2017-09-12 00:51:43.000000000 +0000 @@ -170,12 +170,21 @@ } /** read offset and size tables */ - for(i=0; i < frame_count;i++) + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_size[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; chunk_offset[i] = avio_rl32(pb); - for(i=0; i < frame_count;i++) + } + for(i=0; i < frame_count;i++) { + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; audio_size[i] = avio_rl32(pb) & 0xFFFF; + } /** build the sample index */ for(i=0;imetadata); av_dict_free(&s->internal->id3v2_meta); av_freep(&s->streams); - av_freep(&s->internal); flush_packet_queue(s); + av_freep(&s->internal); av_free(s); } diff -Nru ffmpeg-3.3.3/libswscale/output.c ffmpeg-3.3.4/libswscale/output.c --- ffmpeg-3.3.3/libswscale/output.c 2017-07-29 17:49:33.000000000 +0000 +++ ffmpeg-3.3.4/libswscale/output.c 2017-09-12 00:51:43.000000000 +0000 
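Review bot: Each of the three new `return AVERROR_INVALIDDATA;` exits in the rl2.c hunk leaves the function while `chunk_size`, `chunk_offset` and `audio_size` are still live. The allocation of these arrays is outside the hunk; if they are heap buffers owned by this function, the early returns leak all three on a truncated file. Setting the error code and jumping to the function's existing cleanup, or freeing the three arrays before returning, would avoid that. The tail of this hunk and the nsvdec.c hunk before it are damaged in the page text, so the code after the loops cannot be checked from here.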
@@ -2026,24 +2026,24 @@ const int16_t **lumSrcx, int lumFilterSize, const int16_t *chrFilter, const int16_t **chrUSrcx, const int16_t **chrVSrcx, int chrFilterSize, - const int16_t **alpSrc, uint8_t **dest, + const int16_t **alpSrcx, uint8_t **dest, int dstW, int y) { const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(c->dstFormat); int i; - int hasAlpha = (desc->flags & AV_PIX_FMT_FLAG_ALPHA) && alpSrc; + int hasAlpha = (desc->flags & AV_PIX_FMT_FLAG_ALPHA) && alpSrcx; uint16_t **dest16 = (uint16_t**)dest; const int32_t **lumSrc = (const int32_t**)lumSrcx; const int32_t **chrUSrc = (const int32_t**)chrUSrcx; const int32_t **chrVSrc = (const int32_t**)chrVSrcx; - int A = 0; // init to silence warning + const int32_t **alpSrc = (const int32_t**)alpSrcx; for (i = 0; i < dstW; i++) { int j; int Y = -0x40000000; int U = -(128 << 23); int V = -(128 << 23); - int R, G, B; + int R, G, B, A; for (j = 0; j < lumFilterSize; j++) Y += lumSrc[j][i] * (unsigned)lumFilter[j]; @@ -2059,13 +2059,13 @@ V >>= 14; if (hasAlpha) { - A = 1 << 18; + A = -0x40000000; for (j = 0; j < lumFilterSize; j++) A += alpSrc[j][i] * lumFilter[j]; - if (A & 0xF8000000) - A = av_clip_uintp2(A, 27); + A >>= 1; + A += 0x20002000; } Y -= c->yuv2rgb_y_offset; @@ -2083,7 +2083,7 @@ dest16[1][i] = B >> 14; dest16[2][i] = R >> 14; if (hasAlpha) - dest16[3][i] = A >> 11; + dest16[3][i] = av_clip_uintp2(A, 30) >> 14; } if ((!isBE(c->dstFormat)) != (!HAVE_BIGENDIAN)) { for (i = 0; i < dstW; i++) { diff -Nru ffmpeg-3.3.3/RELEASE ffmpeg-3.3.4/RELEASE --- ffmpeg-3.3.3/RELEASE 2017-07-29 17:49:39.000000000 +0000 +++ ffmpeg-3.3.4/RELEASE 2017-09-12 00:51:43.000000000 +0000 @@ -1 +1 @@ -3.3.3 +3.3.4 diff -Nru ffmpeg-3.3.3/tests/ref/fate/filter-pixfmts-scale ffmpeg-3.3.4/tests/ref/fate/filter-pixfmts-scale --- ffmpeg-3.3.3/tests/ref/fate/filter-pixfmts-scale 2017-07-29 17:49:33.000000000 +0000 +++ ffmpeg-3.3.4/tests/ref/fate/filter-pixfmts-scale 2017-09-12 00:51:43.000000000 +0000 
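Review bot: In the -2059 hunk of output.c the alpha accumulation `A += alpSrc[j][i] * lumFilter[j];` is still a signed multiply, while the luma line in the -2026 hunk uses `lumSrc[j][i] * (unsigned)lumFilter[j]`, presumably to keep the product out of signed-overflow territory. This commit changes `alpSrc` to be read as `int32_t` and starts `A` at `-0x40000000`, so the alpha sum has the same range as the luma sum and needs the same treatment: `A += alpSrc[j][i] * (unsigned)lumFilter[j];`. The function body continues outside these hunks.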
@@ -23,8 +23,8 @@
 gbrap10le cf974e23f485a10740f5de74a5c8c3df
 gbrap12be 1d9b57766ba9c2192403f43967cb9af0
 gbrap12le bb1ba1c157717db3dd612a76d38a018e
-gbrap16be 81542b96575d1fe3b239d23899f5ece3
-gbrap16le 6feb8b9da131917abe867e0eaaf07b90
+gbrap16be c72b935a6e57a8e1c37bff08c2db55b1
+gbrap16le 13eb0e62b1ac9c1c86c81521eaefab5f
 gbrp dc3387f925f972c61aae7eb23cdc19f0
 gbrp10be 0277d4c3a8498d75e2783fb81379e481
 gbrp10le f3d70f8ab845c3c9b8f7452e4a6e285a
diff -Nru ffmpeg-3.3.3/VERSION ffmpeg-3.3.4/VERSION
--- ffmpeg-3.3.3/VERSION 2017-07-29 17:49:39.000000000 +0000
+++ ffmpeg-3.3.4/VERSION 2017-09-12 01:36:20.000000000 +0000
@@ -1 +1 @@
-3.3.3
+3.3.4