diff -Nru libav-11.1/avconv_opt.c libav-11.2/avconv_opt.c --- libav-11.1/avconv_opt.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/avconv_opt.c 2015-01-14 20:50:49.000000000 +0000 @@ -1825,7 +1825,7 @@ opt_default(NULL, "maxrate", "2516000"); opt_default(NULL, "minrate", "0"); // 1145000; opt_default(NULL, "bufsize", "1835008"); // 224*1024*8; - opt_default(NULL, "flags", "+scan_offset"); + opt_default(NULL, "scan_offset", "1"); opt_default(NULL, "b:a", "224000"); diff -Nru libav-11.1/Changelog libav-11.2/Changelog --- libav-11.1/Changelog 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/Changelog 2015-01-14 20:50:49.000000000 +0000 
@@ -1,6 +1,29 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 11.2: + +- h264: restore a block mistakenly removed in e10fd08a (libav #781) +- on2avc: check number of channels (CVE-2014-8549) +- smc: fix the bounds check (CVE-2014-8548) +- gifdec: refactor interleave end handling (CVE-2014-8547) +- mmvideo: check frame dimensions (CVE-2014-8543) +- jvdec: check frame dimensions (CVE-2014-8542) +- mjpegdec: check for pixel format changes (CVE-2014-8541) +- mov: avoid a memleak when multiple stss boxes are present +- vc1: Do not assume seek happens after decoding +- avconv: Use the mpeg12 private option scan_offset (debian/773055) +- xsub: Support DXSA subtitles +- mp3dec: fix reading the Xing tag +- matroskaenc: write correct Display{Width, Height} in stereo encoding +- configure: Fix enabling memalign_hack automatically +- mp3enc: fix a triggerable assert +- latm: Do not give a score for a single instance +- mp3: Tweak the probe scores +- matroskaenc: write correct Display{Width, Height} in stereo encoding +- configure: Fix enabling memalign_hack automatically +- coverity: Fix most of the reported warnings and issues + version 11.1: - Replace lena.pnm (debian#771126) diff -Nru libav-11.1/cmdutils.c libav-11.2/cmdutils.c --- libav-11.1/cmdutils.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/cmdutils.c 2015-01-14 20:50:49.000000000 +0000 @@ -414,7 +414,7 @@ (po->name && !strcmp(optname, po->name))) return i; - if (!po || po->flags & HAS_ARG) + if (!po->name || po->flags & HAS_ARG) i++; } return 0; 
@@ -1395,14 +1395,31 @@ strerror(errno)); return AVERROR(errno); } - fseek(f, 0, SEEK_END); - *size = ftell(f); - fseek(f, 0, SEEK_SET); + + ret = fseek(f, 0, SEEK_END); + if (ret == -1) { + ret = AVERROR(errno); + goto out; + } + + ret = ftell(f); + if (ret < 0) { + ret = AVERROR(errno); + goto out; + } + *size = ret; + + ret = fseek(f, 0, SEEK_SET); + if (ret == -1) { + ret = AVERROR(errno); + goto out; + } + *bufptr = av_malloc(*size + 1); if (!*bufptr) { av_log(NULL, AV_LOG_ERROR, "Could not allocate file buffer\n"); - fclose(f); - return AVERROR(ENOMEM); + ret = AVERROR(ENOMEM); + goto out; } ret = fread(*bufptr, 1, *size, f); if (ret < *size) { @@ -1418,6 +1435,7 @@ (*bufptr)[(*size)++] = '\0'; } +out: fclose(f); return ret; } diff -Nru libav-11.1/configure libav-11.2/configure --- libav-11.1/configure 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/configure 2015-01-14 20:50:49.000000000 +0000 @@ -4469,7 +4469,7 @@ enable dxva2_lib ! enabled_any memalign posix_memalign aligned_malloc && - enabled $simd_align_16 && enable memalign_hack + enabled simd_align_16 && enable memalign_hack map 'enabled $v && intrinsics=${v#intrinsics_}' $INTRINSICS_LIST diff -Nru libav-11.1/debian/changelog libav-11.2/debian/changelog --- libav-11.1/debian/changelog 2015-01-17 19:53:53.000000000 +0000 +++ libav-11.2/debian/changelog 2015-01-19 00:46:26.000000000 +0000 
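Review bot: In the cmdutils.c hunk at -1395, the `ftell(f)` result goes through `ret` before it reaches `*size`. The declaration of `ret` is outside the hunk, but if it is an `int`, a file larger than INT_MAX is truncated and the following `av_malloc(*size + 1)` and `fread()` work from a wrong length. Holding the position in a `long` and range-checking it before the assignment would close this, for example `long pos = ftell(f); if (pos < 0 || pos >= INT_MAX) { ret = AVERROR(EINVAL); goto out; }`. The three new `goto out` paths also return without an `av_log()` message, unlike the allocation failure next to them, so a seek failure is silent to the user. The function body starts and ends outside this hunk.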
@@ -1,8 +1,34 @@ -libav (6:11.1-1~ppa1) utopic; urgency=low +libav (6:11.2-1~ppa1) utopic; urgency=low * Backported from Debian unstable. - -- Nate Muench Sat, 17 Jan 2015 13:53:20 -0600 + -- Nate Muench Sun, 18 Jan 2015 18:46:13 -0600 + +libav (6:11.2-1) unstable; urgency=medium + + * New upstream release fixing multiple security issues. (Closes: #773626) + - h264: restore a block mistakenly removed in e10fd08a + - on2avc: check number of channels (CVE-2014-8549) + - smc: fix the bounds check (CVE-2014-8548) + - gifdec: refactor interleave end handling (CVE-2014-8547) + - mmvideo: check frame dimensions (CVE-2014-8543) + - jvdec: check frame dimensions (CVE-2014-8542) + - mjpegdec: check for pixel format changes (CVE-2014-8541) + - mov: avoid a memleak when multiple stss boxes are present + - vc1: Do not assume seek happens after decoding + - avconv: Use the mpeg12 private option scan_offset (Closes: #773055) + - xsub: Support DXSA subtitles + - mp3dec: fix reading the Xing tag + - matroskaenc: write correct Display{Width, Height} in stereo encoding + - configure: Fix enabling memalign_hack automatically + - mp3enc: fix a triggerable assert + - latm: Do not give a score for a single instance + - mp3: Tweak the probe scores + - matroskaenc: write correct Display{Width, Height} in stereo encoding + - coverity: Fix most of the reported warnings and issues + * debian/control: Add myself to Uploaders. + + -- Sebastian Ramacher Sat, 17 Jan 2015 20:56:19 +0100 libav (6:11.1-1) unstable; urgency=medium diff -Nru libav-11.1/debian/control libav-11.2/debian/control --- libav-11.1/debian/control 2014-12-30 16:00:54.000000000 +0000 +++ libav-11.2/debian/control 2015-01-17 18:25:07.000000000 +0000 
@@ -7,7 +7,8 @@ Loïc Minier , Reinhard Tartler , Fabian Greffrath , - Jonas Smedegaard + Jonas Smedegaard , + Sebastian Ramacher Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/pkg-multimedia/libav.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-multimedia/libav.git;a=summary diff -Nru libav-11.1/libavcodec/aacdec.c libav-11.2/libavcodec/aacdec.c --- libav-11.1/libavcodec/aacdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/aacdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -143,8 +143,6 @@ enum ChannelPosition che_pos, int type, int id, int *channels) { - if (*channels >= MAX_CHANNELS) - return AVERROR_INVALIDDATA; if (che_pos) { if (!ac->che[type][id]) { if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement)))) @@ -152,6 +150,8 @@ ff_aac_sbr_ctx_init(ac, &ac->che[type][id]->sbr); } if (type != TYPE_CCE) { + if (*channels >= MAX_CHANNELS - 2) + return AVERROR_INVALIDDATA; ac->output_element[(*channels)++] = &ac->che[type][id]->ch[0]; if (type == TYPE_CPE || (type == TYPE_SCE && ac->oc[1].m4ac.ps == 1)) { diff -Nru libav-11.1/libavcodec/aacenc.c libav-11.2/libavcodec/aacenc.c --- libav-11.1/libavcodec/aacenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/aacenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -750,10 +750,10 @@ s->chan_map = aac_chan_configs[s->channels-1]; - if (ret = dsp_init(avctx, s)) + if ((ret = dsp_init(avctx, s)) < 0) goto fail; - if (ret = alloc_buffers(avctx, s)) + if ((ret = alloc_buffers(avctx, s)) < 0) goto fail; avctx->extradata_size = 5; 
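Review bot: In the aacdec.c hunk at -152, the relocated guard `*channels >= MAX_CHANNELS - 2` has an unexplained margin of two. It appears to be there because the code below fills one `output_element` slot and, for TYPE_CPE or SCE with PS, presumably a second one; that second write is past the end of the hunk. A comment such as `/* up to two output_element slots are written below */` would keep the next reader from "fixing" the constant. The check now also runs after the `av_mallocz()` of `ac->che[type][id]`, so a rejected element stays allocated until whatever teardown frees `che`. Stating that this is intended would help.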
@@ -765,7 +765,8 @@ lengths[1] = ff_aac_num_swb_128[i]; for (i = 0; i < s->chan_map[0]; i++) grouping[i] = s->chan_map[i + 1] == TYPE_CPE; - if (ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, s->chan_map[0], grouping)) + if ((ret = ff_psy_init(&s->psy, avctx, 2, sizes, lengths, + s->chan_map[0], grouping)) < 0) goto fail; s->psypp = ff_psy_preprocess_init(avctx); s->coder = &ff_aac_coders[2]; diff -Nru libav-11.1/libavcodec/aacsbr.c libav-11.2/libavcodec/aacsbr.c --- libav-11.1/libavcodec/aacsbr.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/aacsbr.c 2015-01-14 20:50:49.000000000 +0000 @@ -549,7 +549,8 @@ k = sbr->n_master; } while (sb != sbr->kx[1] + sbr->m[1]); - if (sbr->patch_num_subbands[sbr->num_patches-1] < 3 && sbr->num_patches > 1) + if (sbr->num_patches > 1 && + sbr->patch_num_subbands[sbr->num_patches - 1] < 3) sbr->num_patches--; return 0; diff -Nru libav-11.1/libavcodec/allcodecs.c libav-11.2/libavcodec/allcodecs.c --- libav-11.1/libavcodec/allcodecs.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/allcodecs.c 2015-01-14 20:50:49.000000000 +0000 @@ -240,7 +240,6 @@ REGISTER_DECODER(SVQ3, svq3); REGISTER_ENCDEC (TARGA, targa); REGISTER_DECODER(THEORA, theora); - REGISTER_ENCODER(LIBTWOLAME, libtwolame); REGISTER_DECODER(THP, thp); REGISTER_DECODER(TIERTEXSEQVIDEO, tiertexseqvideo); REGISTER_ENCDEC (TIFF, tiff); @@ -448,6 +447,7 @@ REGISTER_ENCDEC (LIBSCHROEDINGER, libschroedinger); REGISTER_ENCDEC (LIBSPEEX, libspeex); REGISTER_ENCODER(LIBTHEORA, libtheora); + REGISTER_ENCODER(LIBTWOLAME, libtwolame); REGISTER_ENCODER(LIBVO_AACENC, libvo_aacenc); REGISTER_ENCODER(LIBVO_AMRWBENC, libvo_amrwbenc); REGISTER_ENCODER(LIBVORBIS, libvorbis); diff -Nru libav-11.1/libavcodec/ansi.c libav-11.2/libavcodec/ansi.c --- libav-11.1/libavcodec/ansi.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/ansi.c 2015-01-14 20:50:49.000000000 +0000 
@@ -88,9 +88,11 @@ s->fg = DEFAULT_FG_COLOR; s->bg = DEFAULT_BG_COLOR; - if (!avctx->width || !avctx->height) - ff_set_dimensions(avctx, 80 << 3, 25 << 4); - + if (!avctx->width || !avctx->height) { + int ret = ff_set_dimensions(avctx, 80 << 3, 25 << 4); + if (ret < 0) + return ret; + } return 0; } diff -Nru libav-11.1/libavcodec/avs.c libav-11.2/libavcodec/avs.c --- libav-11.1/libavcodec/avs.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/avs.c 2015-01-14 20:50:49.000000000 +0000 @@ -165,9 +165,8 @@ return AVERROR(ENOMEM); avctx->pix_fmt = AV_PIX_FMT_PAL8; - ff_set_dimensions(avctx, 318, 198); - return 0; + return ff_set_dimensions(avctx, 318, 198); } static av_cold int avs_decode_end(AVCodecContext *avctx) diff -Nru libav-11.1/libavcodec/cavs.c libav-11.2/libavcodec/cavs.c --- libav-11.1/libavcodec/cavs.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/cavs.c 2015-01-14 20:50:49.000000000 +0000 @@ -30,6 +30,7 @@ #include "golomb.h" #include "h264chroma.h" #include "idctdsp.h" +#include "internal.h" #include "mathops.h" #include "qpeldsp.h" #include "cavs.h" @@ -529,8 +530,8 @@ { int den = h->scale_den[src->ref]; - *d_x = (src->x * distp * den + 256 + (src->x >> 31)) >> 9; - *d_y = (src->y * distp * den + 256 + (src->y >> 31)) >> 9; + *d_x = (src->x * distp * den + 256 + FF_SIGNBIT(src->x)) >> 9; + *d_y = (src->y * distp * den + 256 + FF_SIGNBIT(src->y)) >> 9; } static inline void mv_pred_median(AVSContext *h, diff -Nru libav-11.1/libavcodec/cavsdec.c libav-11.2/libavcodec/cavsdec.c --- libav-11.1/libavcodec/cavsdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/cavsdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -473,7 +473,7 @@ { cavs_vector *pmv_bw = pmv_fw + MV_BWD_OFFS; int den = h->direct_den[col_mv->ref]; - int m = col_mv->x >> 31; + int m = FF_SIGNBIT(col_mv->x); pmv_fw->dist = h->dist[1]; pmv_bw->dist = h->dist[0]; 
@@ -482,7 +482,7 @@ /* scale the co-located motion vector according to its temporal span */ pmv_fw->x = (((den + (den * col_mv->x * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->x = m - (((den + (den * col_mv->x * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); - m = col_mv->y >> 31; + m = FF_SIGNBIT(col_mv->y); pmv_fw->y = (((den + (den * col_mv->y * pmv_fw->dist ^ m) - m - 1) >> 14) ^ m) - m; pmv_bw->y = m - (((den + (den * col_mv->y * pmv_bw->dist ^ m) - m - 1) >> 14) ^ m); } diff -Nru libav-11.1/libavcodec/cook.c libav-11.2/libavcodec/cook.c --- libav-11.1/libavcodec/cook.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/cook.c 2015-01-14 20:50:49.000000000 +0000 @@ -1051,7 +1051,7 @@ q->avctx = avctx; /* Take care of the codec specific extradata. */ - if (extradata_size <= 0) { + if (extradata_size < 8) { av_log(avctx, AV_LOG_ERROR, "Necessary extradata missing!\n"); return AVERROR_INVALIDDATA; } diff -Nru libav-11.1/libavcodec/dnxhdenc.c libav-11.2/libavcodec/dnxhdenc.c --- libav-11.1/libavcodec/dnxhdenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/dnxhdenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -108,7 +108,7 @@ for (i = 1; i < 64; ++i) { int j = scantable[i]; - int sign = block[j] >> 31; + int sign = FF_SIGNBIT(block[j]); int level = (block[j] ^ sign) - sign; level = level * qmat[j] >> DNX10BIT_QMAT_SHIFT; block[j] = (level ^ sign) - sign; diff -Nru libav-11.1/libavcodec/dvdsubdec.c libav-11.2/libavcodec/dvdsubdec.c --- libav-11.1/libavcodec/dvdsubdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/dvdsubdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -503,6 +503,7 @@ { DVDSubContext *ctx = avctx->priv_data; char *data, *cur; + int ret = 0; if (!avctx->extradata || !avctx->extradata_size) return 0; 
@@ -527,16 +528,18 @@ } else if (!strncmp("size:", cur, 5)) { int w, h; if (sscanf(cur + 5, "%dx%d", &w, &h) == 2) { - int ret = ff_set_dimensions(avctx, w, h); + ret = ff_set_dimensions(avctx, w, h); if (ret < 0) - return ret; + goto fail; } } cur += strcspn(cur, "\n\r"); cur += strspn(cur, "\n\r"); } + +fail: av_free(data); - return 0; + return ret; } AVCodec ff_dvdsub_decoder = { diff -Nru libav-11.1/libavcodec/ffv1enc.c libav-11.2/libavcodec/ffv1enc.c --- libav-11.1/libavcodec/ffv1enc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/ffv1enc.c 2015-01-14 20:50:49.000000000 +0000 @@ -71,7 +71,7 @@ best_len[k] = len; best_state[i][k] = j; } - for (m = 0; m < 256; m++) + for (m = 1; m < 256; m++) if (occ[m]) { newocc[one_state[m]] += occ[m] * p; newocc[256 - one_state[256 - m]] += occ[m] * (1 - p); diff -Nru libav-11.1/libavcodec/g2meet.c libav-11.2/libavcodec/g2meet.c --- libav-11.1/libavcodec/g2meet.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/g2meet.c 2015-01-14 20:50:49.000000000 +0000 @@ -719,8 +719,11 @@ ret = AVERROR_INVALIDDATA; goto header_fail; } - if (c->width != avctx->width || c->height != avctx->height) - ff_set_dimensions(avctx, c->width, c->height); + if (c->width != avctx->width || c->height != avctx->height) { + ret = ff_set_dimensions(avctx, c->width, c->height); + if (ret < 0) + return ret; + } c->compression = bytestream2_get_be32(&bc); if (c->compression != 2 && c->compression != 3) { av_log(avctx, AV_LOG_ERROR, diff -Nru libav-11.1/libavcodec/gifdec.c libav-11.2/libavcodec/gifdec.c --- libav-11.1/libavcodec/gifdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/gifdec.c 2015-01-14 20:50:49.000000000 +0000 
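Review bot: In the g2meet.c hunk at -719, the new failure branch leaves with `return ret;`, while the check directly above it in the same hunk leaves through `goto header_fail;`. The label is outside the hunk, so if it resets decoder state or releases anything, this path skips it. Using `if (ret < 0) goto header_fail;` would keep the header error handling uniform.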
@@ -125,26 +125,21 @@ case 1: y1 += 8; ptr += linesize * 8; - if (y1 >= height) { - y1 = pass ? 2 : 4; - ptr = ptr1 + linesize * y1; - pass++; - } break; case 2: y1 += 4; ptr += linesize * 4; - if (y1 >= height) { - y1 = 1; - ptr = ptr1 + linesize; - pass++; - } break; case 3: y1 += 2; ptr += linesize * 2; break; } + while (y1 >= height) { + y1 = 4 >> pass; + ptr = ptr1 + linesize * y1; + pass++; + } } else { ptr += linesize; } diff -Nru libav-11.1/libavcodec/h261dec.c libav-11.2/libavcodec/h261dec.c --- libav-11.1/libavcodec/h261dec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/h261dec.c 2015-01-14 20:50:49.000000000 +0000 @@ -600,11 +600,10 @@ s->parse_context = pc; } - if (!s->context_initialized) + if (!s->context_initialized) { if ((ret = ff_mpv_common_init(s)) < 0) return ret; - if (!s->context_initialized) { ret = ff_set_dimensions(avctx, s->width, s->height); if (ret < 0) return ret; diff -Nru libav-11.1/libavcodec/h264.c libav-11.2/libavcodec/h264.c --- libav-11.1/libavcodec/h264.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/h264.c 2015-01-14 20:50:49.000000000 +0000 @@ -837,7 +837,7 @@ av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - h->sei_vflip, h->sei_hflip); + h->sei_hflip, h->sei_vflip); } // FIXME do something with unavailable reference frames @@ -1454,6 +1454,8 @@ buf_index = find_start_code(buf, buf_size, buf_index, next_avc); if (buf_index >= buf_size) break; + if (buf_index >= next_avc) + continue; } hx = h->thread_context[context_count]; diff -Nru libav-11.1/libavcodec/hevc.c libav-11.2/libavcodec/hevc.c --- libav-11.1/libavcodec/hevc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/hevc.c 2015-01-14 20:50:49.000000000 +0000 
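Review bot: In the gifdec.c hunk at -125, the new `while (y1 >= height)` loop terminates only because `4 >> pass` reaches row 0 after the last pass and `height` is at least 1. With a non-positive `height` it would never exit, and `pass` would grow until the shift count exceeds the width of `int`. Whether `height` is validated before this point is not visible in the hunk. A comment stating the precondition, for example `/* height > 0 here; 4 >> pass yields rows 4, 2, 1, then 0 */`, would document the assumption. Bounding `pass` in the loop condition would make termination independent of it. The enclosing function starts and ends outside the hunk.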
@@ -251,7 +251,7 @@ uint8_t luma_weight_l1_flag[16]; uint8_t chroma_weight_l1_flag[16]; - s->sh.luma_log2_weight_denom = get_ue_golomb_long(gb); + s->sh.luma_log2_weight_denom = av_clip_c(get_ue_golomb_long(gb), 0, 7); if (s->sps->chroma_format_idc != 0) { int delta = get_se_golomb(gb); s->sh.chroma_log2_weight_denom = av_clip_c(s->sh.luma_log2_weight_denom + delta, 0, 7); @@ -2434,7 +2434,7 @@ av_display_rotation_set((int32_t *)rotation->data, angle); av_display_matrix_flip((int32_t *)rotation->data, - s->sei_vflip, s->sei_hflip); + s->sei_hflip, s->sei_vflip); } return 0; diff -Nru libav-11.1/libavcodec/hnm4video.c libav-11.2/libavcodec/hnm4video.c --- libav-11.1/libavcodec/hnm4video.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/hnm4video.c 2015-01-14 20:50:49.000000000 +0000 @@ -22,6 +22,7 @@ #include +#include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" #include "libavutil/mem.h" @@ -406,6 +407,7 @@ static av_cold int hnm_decode_init(AVCodecContext *avctx) { Hnm4VideoContext *hnm = avctx->priv_data; + int ret; if (avctx->extradata_size < 1) { av_log(avctx, AV_LOG_ERROR, @@ -413,6 +415,10 @@ return AVERROR_INVALIDDATA; } + ret = av_image_check_size(avctx->width, avctx->height, 0, avctx); + if (ret < 0) + return ret; + hnm->version = avctx->extradata[0]; avctx->pix_fmt = AV_PIX_FMT_PAL8; hnm->width = avctx->width; diff -Nru libav-11.1/libavcodec/indeo3.c libav-11.2/libavcodec/indeo3.c --- libav-11.1/libavcodec/indeo3.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/indeo3.c 2015-01-14 20:50:49.000000000 +0000 
@@ -944,7 +944,8 @@ free_frame_buffers(ctx); if ((res = allocate_frame_buffers(ctx, avctx)) < 0) return res; - ff_set_dimensions(avctx, width, height); + if ((res = ff_set_dimensions(avctx, width, height)) < 0) + return res; } y_offset = bytestream2_get_le32(&gb); diff -Nru libav-11.1/libavcodec/internal.h libav-11.2/libavcodec/internal.h --- libav-11.1/libavcodec/internal.h 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/internal.h 2015-01-14 20:50:49.000000000 +0000 @@ -35,6 +35,8 @@ #define FF_SANE_NB_CHANNELS 63U +#define FF_SIGNBIT(x) (x >> CHAR_BIT * sizeof(x) - 1) + typedef struct FramePool { /** * Pools for each data plane. For audio all the planes have the same size, diff -Nru libav-11.1/libavcodec/jvdec.c libav-11.2/libavcodec/jvdec.c --- libav-11.1/libavcodec/jvdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/jvdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -43,6 +43,13 @@ { JvContext *s = avctx->priv_data; + if (!avctx->width || !avctx->height || + (avctx->width & 7) || (avctx->height & 7)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); diff -Nru libav-11.1/libavcodec/libopusenc.c libav-11.2/libavcodec/libopusenc.c --- libav-11.1/libavcodec/libopusenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/libopusenc.c 2015-01-14 20:50:49.000000000 +0000 
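Review bot: In the internal.h hunk, `FF_SIGNBIT(x)` expands its argument without parentheses, so a call with a lower-precedence expression such as `FF_SIGNBIT(a ^ b)` would shift only `b`. The callers added in this diff pass plain lvalues (`src->x`, `block[j]`, `uvmv.x`), so nothing breaks today. The safer form is `#define FF_SIGNBIT(x) ((x) >> (CHAR_BIT * sizeof(x) - 1))`. The macro also needs `CHAR_BIT` from `<limits.h>`, whose inclusion is not visible here, and it relies on arithmetic right shift of negative values, which C leaves implementation-defined. A one-line comment above the macro should say so.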
@@ -163,10 +163,11 @@ /* FIXME: Opus can handle up to 255 channels. However, the mapping for * anything greater than 8 is undefined. */ - if (avctx->channels > 8) - av_log(avctx, AV_LOG_WARNING, + if (avctx->channels > 8) { + av_log(avctx, AV_LOG_ERROR, "Channel layout undefined for %d channels.\n", avctx->channels); - + return AVERROR_PATCHWELCOME; + } if (!avctx->bit_rate) { /* Sane default copied from opusenc */ avctx->bit_rate = 64000 * opus->stream_count + diff -Nru libav-11.1/libavcodec/libtwolame.c libav-11.2/libavcodec/libtwolame.c --- libav-11.1/libavcodec/libtwolame.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/libtwolame.c 2015-01-14 20:50:49.000000000 +0000 @@ -148,8 +148,8 @@ if (ret < 0) // twolame error return AVERROR_UNKNOWN; - avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame) { + avpkt->duration = ff_samples_to_time_base(avctx, frame->nb_samples); if (frame->pts != AV_NOPTS_VALUE) avpkt->pts = frame->pts - ff_samples_to_time_base(avctx, avctx->delay); } else { diff -Nru libav-11.1/libavcodec/mjpegdec.c libav-11.2/libavcodec/mjpegdec.c --- libav-11.1/libavcodec/mjpegdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/mjpegdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -220,18 +220,20 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) { - int len, nb_components, i, width, height, pix_fmt_id, ret; + int h_count[MAX_COMPONENTS] = { 0 }; + int v_count[MAX_COMPONENTS] = { 0 }; + int len, nb_components, i, width, height, bits, pix_fmt_id, ret; /* XXX: verify len field validity */ len = get_bits(&s->gb, 16); - s->bits = get_bits(&s->gb, 8); + bits = get_bits(&s->gb, 8); if (s->pegasus_rct) - s->bits = 9; - if (s->bits == 9 && !s->pegasus_rct) + bits = 9; + if (bits == 9 && !s->pegasus_rct) s->rct = 1; // FIXME ugly - if (s->bits != 8 && !s->lossless) { + if (bits != 8 && !s->lossless) { av_log(s->avctx, AV_LOG_ERROR, "only 8 bits/component accepted\n"); return -1; } 
@@ -258,7 +260,7 @@ return AVERROR_INVALIDDATA; } } - if (s->ls && !(s->bits <= 8 || nb_components == 1)) { + if (s->ls && !(bits <= 8 || nb_components == 1)) { avpriv_report_missing_feature(s->avctx, "JPEG-LS that is not <= 8 " "bits/component or 16-bit gray"); @@ -270,25 +272,25 @@ for (i = 0; i < nb_components; i++) { /* component id */ s->component_id[i] = get_bits(&s->gb, 8) - 1; - s->h_count[i] = get_bits(&s->gb, 4); - s->v_count[i] = get_bits(&s->gb, 4); + h_count[i] = get_bits(&s->gb, 4); + v_count[i] = get_bits(&s->gb, 4); /* compute hmax and vmax (only used in interleaved case) */ - if (s->h_count[i] > s->h_max) - s->h_max = s->h_count[i]; - if (s->v_count[i] > s->v_max) - s->v_max = s->v_count[i]; + if (h_count[i] > s->h_max) + s->h_max = h_count[i]; + if (v_count[i] > s->v_max) + s->v_max = v_count[i]; s->quant_index[i] = get_bits(&s->gb, 8); if (s->quant_index[i] >= 4) return AVERROR_INVALIDDATA; - if (!s->h_count[i] || !s->v_count[i]) { + if (!h_count[i] || !v_count[i]) { av_log(s->avctx, AV_LOG_ERROR, "Invalid sampling factor in component %d %d:%d\n", - i, s->h_count[i], s->v_count[i]); + i, h_count[i], v_count[i]); return AVERROR_INVALIDDATA; } av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n", - i, s->h_count[i], s->v_count[i], + i, h_count[i], v_count[i], s->component_id[i], s->quant_index[i]); } 
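Review bot: In the mjpegdec.c hunk at -270, `h_count` and `v_count` are staged in locals, but the same loop still writes `s->component_id[i]`, `s->quant_index[i]`, `s->h_max` and `s->v_max` straight into the context before the `AVERROR_INVALIDDATA` returns. A frame header rejected partway through therefore leaves those fields from the bad header next to the previous frame's `s->h_count` and `s->v_count`. Whether later code can observe that mix is not visible from the hunk. Staging those values in locals as well, or adding a comment on why the partial update is harmless, would complete the change. `ff_mjpeg_decode_sof` continues beyond this hunk.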
@@ -301,10 +303,14 @@ s->rgb = 1; /* if different size, realloc/alloc picture */ - /* XXX: also check h_count and v_count */ - if (width != s->width || height != s->height) { + if (width != s->width || height != s->height || bits != s->bits || + memcmp(s->h_count, h_count, sizeof(h_count)) || + memcmp(s->v_count, v_count, sizeof(v_count))) { s->width = width; s->height = height; + s->bits = bits; + memcpy(s->h_count, h_count, sizeof(h_count)); + memcpy(s->v_count, v_count, sizeof(v_count)); s->interlaced = 0; /* test interlaced mode */ diff -Nru libav-11.1/libavcodec/mmvideo.c libav-11.2/libavcodec/mmvideo.c --- libav-11.1/libavcodec/mmvideo.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/mmvideo.c 2015-01-14 20:50:49.000000000 +0000 @@ -61,6 +61,13 @@ avctx->pix_fmt = AV_PIX_FMT_PAL8; + if (!avctx->width || !avctx->height || + (avctx->width & 1) || (avctx->height & 1)) { + av_log(avctx, AV_LOG_ERROR, "Invalid video dimensions: %dx%d\n", + avctx->width, avctx->height); + return AVERROR(EINVAL); + } + s->frame = av_frame_alloc(); if (!s->frame) return AVERROR(ENOMEM); diff -Nru libav-11.1/libavcodec/mpeg4audio.c libav-11.2/libavcodec/mpeg4audio.c --- libav-11.1/libavcodec/mpeg4audio.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/mpeg4audio.c 2015-01-14 20:50:49.000000000 +0000 @@ -80,9 +80,11 @@ int bit_size, int sync_extension) { GetBitContext gb; - int specific_config_bitindex; + int specific_config_bitindex, ret; - init_get_bits(&gb, buf, bit_size); + ret = init_get_bits(&gb, buf, bit_size); + if (ret < 0) + return ret; c->object_type = get_object_type(&gb); c->sample_rate = get_sample_rate(&gb, &c->sampling_index); c->chan_config = get_bits(&gb, 4); diff -Nru libav-11.1/libavcodec/on2avc.c libav-11.2/libavcodec/on2avc.c --- libav-11.1/libavcodec/on2avc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/on2avc.c 2015-01-14 20:50:49.000000000 +0000 
@@ -172,7 +172,7 @@ } else { scale += get_vlc2(gb, c->scale_diff.table, 9, 3) - 60; } - if (scale < 0 || scale > 128) { + if (scale < 0 || scale > 127) { av_log(c->avctx, AV_LOG_ERROR, "Invalid scale value %d\n", scale); return AVERROR_INVALIDDATA; @@ -918,6 +918,10 @@ av_log(avctx, AV_LOG_ERROR, "0x500 version should be mono\n"); return AVERROR_INVALIDDATA; } + if (avctx->channels > 2) { + av_log(avctx, AV_LOG_ERROR, "Only 1 or 2 channels are supported.\n"); + return AVERROR(EINVAL); + } if (avctx->channels == 2) av_log(avctx, AV_LOG_WARNING, "Stereo mode support is not good, patch is welcome\n"); diff -Nru libav-11.1/libavcodec/png_parser.c libav-11.2/libavcodec/png_parser.c --- libav-11.1/libavcodec/png_parser.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/png_parser.c 2015-01-14 20:50:49.000000000 +0000 @@ -36,7 +36,7 @@ ParseContext pc; int chunk_pos; ///< position inside current chunk - int chunk_length; ///< length of the current chunk + uint32_t chunk_length; ///< length of the current chunk int remaining_size; ///< remaining size of the current chunk } PNGParseContext; diff -Nru libav-11.1/libavcodec/proresenc.c libav-11.2/libavcodec/proresenc.c --- libav-11.1/libavcodec/proresenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/proresenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -820,10 +820,9 @@ if (ctx->alpha_bits) bits += estimate_alpha_plane(ctx, &error, src, linesize[3], mbs_per_slice, q, td->blocks[3]); - if (bits > 65000 * 8) { + if (bits > 65000 * 8) error = SCORE_LIMIT; - break; - } + slice_bits[q] = bits; slice_score[q] = error; } diff -Nru libav-11.1/libavcodec/qdm2.c libav-11.2/libavcodec/qdm2.c --- libav-11.1/libavcodec/qdm2.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/qdm2.c 2015-01-14 20:50:49.000000000 +0000 
@@ -730,7 +730,7 @@ for (j = 0; j < 64; j++) acc += tone_level_idx_temp[ch][sb][j]; - multres = 0x66666667 * (acc * 10); + multres = 0x66666667LL * (acc * 10); esp_40 = (multres >> 32) / 8 + ((multres & 0xffffffff) >> 31); for (ch = 0; ch < nb_channels; ch++) for (sb = 0; sb < 30; sb++) diff -Nru libav-11.1/libavcodec/roqaudioenc.c libav-11.2/libavcodec/roqaudioenc.c --- libav-11.1/libavcodec/roqaudioenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/roqaudioenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -147,15 +147,16 @@ context->input_frames++; return 0; } - in = context->frame_buffer; } + if (context->input_frames < 8) + in = context->frame_buffer; if (stereo) { context->lastSample[0] &= 0xFF00; context->lastSample[1] &= 0xFF00; } - if (context->input_frames == 7 || !in) + if (context->input_frames == 7) data_size = avctx->channels * context->buffered_samples; else data_size = avctx->channels * avctx->frame_size; diff -Nru libav-11.1/libavcodec/smc.c libav-11.2/libavcodec/smc.c --- libav-11.1/libavcodec/smc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/smc.c 2015-01-14 20:50:49.000000000 +0000 @@ -70,7 +70,7 @@ row_ptr += stride * 4; \ } \ total_blocks--; \ - if (total_blocks < 0) \ + if (total_blocks < !!n_blocks) \ { \ av_log(s->avctx, AV_LOG_INFO, "warning: block counter just went negative (this should not happen)\n"); \ return; \ diff -Nru libav-11.1/libavcodec/svq1dec.c libav-11.2/libavcodec/svq1dec.c --- libav-11.1/libavcodec/svq1dec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/svq1dec.c 2015-01-14 20:50:49.000000000 +0000 
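Review bot: In the smc.c hunk, the new condition `total_blocks < !!n_blocks` is hard to read without knowing what it encodes. It now also fires when the counter reaches zero while `n_blocks` is still non-zero, which looks like the case of the current opcode wanting more blocks than the frame has left. A comment inside the macro, such as `/* also fail when blocks run out while the current opcode still has some pending */`, would make that explicit. The log text still says the counter "just went negative" and is emitted at `AV_LOG_INFO`, which no longer matches the condition. The macro body starts outside the hunk.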
@@ -637,8 +637,9 @@ return AVERROR_INVALIDDATA; } - av_fast_malloc(s->pkt_swapped, &s->pkt_swapped_allocated, - buf_size); + av_fast_padded_malloc(&s->pkt_swapped, + &s->pkt_swapped_allocated, + buf_size); if (!s->pkt_swapped) return AVERROR(ENOMEM); diff -Nru libav-11.1/libavcodec/svq1enc.c libav-11.2/libavcodec/svq1enc.c --- libav-11.1/libavcodec/svq1enc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/svq1enc.c 2015-01-14 20:50:49.000000000 +0000 @@ -580,8 +580,12 @@ } if (!s->current_picture->data[0]) { - ff_get_buffer(avctx, s->current_picture, 0); - ff_get_buffer(avctx, s->last_picture, 0); + ret = ff_get_buffer(avctx, s->current_picture, 0); + if (ret < 0) + return ret; + ret = ff_get_buffer(avctx, s->last_picture, 0); + if (ret < 0) + return ret; s->scratchbuf = av_malloc(s->current_picture->linesize[0] * 16 * 2); } diff -Nru libav-11.1/libavcodec/tiffenc.c libav-11.2/libavcodec/tiffenc.c --- libav-11.1/libavcodec/tiffenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/tiffenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -112,8 +112,8 @@ * @param count The number of values * @param ptr_val Pointer to values */ -static void add_entry(TiffEncoderContext *s, enum TiffTags tag, - enum TiffTypes type, int count, const void *ptr_val) +static int add_entry(TiffEncoderContext *s, enum TiffTags tag, + enum TiffTypes type, int count, const void *ptr_val) { uint8_t *entries_ptr = s->entries + 12 * s->num_entries; 
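Review bot: In the svq1enc.c hunk at -580, both `ff_get_buffer()` calls are now checked, but the `av_malloc()` result assigned to `s->scratchbuf` on the next line is still unchecked. An allocation failure there is carried into the encoder as a NULL scratch buffer. Adding `if (!s->scratchbuf) return AVERROR(ENOMEM);` right after the assignment would match the checks this change introduces. The enclosing function continues outside the hunk.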
@@ -127,19 +127,22 @@ tnput(&entries_ptr, count, ptr_val, type, 0); } else { bytestream_put_le32(&entries_ptr, *s->buf - s->buf_start); - check_size(s, count * type_sizes2[type]); + if (check_size(s, count * type_sizes2[type])) + return AVERROR_INVALIDDATA; tnput(s->buf, count, ptr_val, type, 0); } s->num_entries++; + return 0; } -static void add_entry1(TiffEncoderContext *s, - enum TiffTags tag, enum TiffTypes type, int val) +static int add_entry1(TiffEncoderContext *s, + enum TiffTags tag, enum TiffTypes type, int val) { uint16_t w = val; uint32_t dw = val; - add_entry(s, tag, type, 1, type == TIFF_SHORT ? (void *)&w : (void *)&dw); + return add_entry(s, tag, type, 1, + type == TIFF_SHORT ? (void *)&w : (void *)&dw); } /** @@ -200,6 +203,20 @@ } } +#define ADD_ENTRY(s, tag, type, count, ptr_val) \ + do { \ + ret = add_entry(s, tag, type, count, ptr_val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + +#define ADD_ENTRY1(s, tag, type, val) \ + do { \ + ret = add_entry1(s, tag, type, val); \ + if (ret < 0) \ + goto fail; \ + } while(0); + static int encode_frame(AVCodecContext *avctx, AVPacket *pkt, const AVFrame *pict, int *got_packet) { @@ -214,7 +231,7 @@ int bytes_per_row; uint32_t res[2] = { 72, 1 }; // image resolution (72/1) uint16_t bpp_tab[] = { 8, 8, 8, 8 }; - int ret; + int ret = 0; int is_yuv = 0; uint8_t *yuv_line = NULL; int shift_h, shift_v; 
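Review bot: In the tiffenc.c hunk at -200, `ADD_ENTRY` and `ADD_ENTRY1` both end in `while(0);`, and that trailing semicolon defeats the do/while(0) idiom. Each use expands to two statements, so an unbraced `if (...) ADD_ENTRY(...); else ...` would fail to compile. The call sites in this diff are unbraced `if`s without an `else`, so it works today. Ending the macros with `} while (0)` fixes it. Both macros also depend on a local `ret` and a `fail` label in the calling function, which deserves a one-line comment above the definitions.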
@@ -405,28 +422,28 @@ s->num_entries = 0; - add_entry1(s, TIFF_SUBFILE, TIFF_LONG, 0); - add_entry1(s, TIFF_WIDTH, TIFF_LONG, s->width); - add_entry1(s, TIFF_HEIGHT, TIFF_LONG, s->height); + ADD_ENTRY1(s, TIFF_SUBFILE, TIFF_LONG, 0); + ADD_ENTRY1(s, TIFF_WIDTH, TIFF_LONG, s->width); + ADD_ENTRY1(s, TIFF_HEIGHT, TIFF_LONG, s->height); if (s->bpp_tab_size) - add_entry(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); + ADD_ENTRY(s, TIFF_BPP, TIFF_SHORT, s->bpp_tab_size, bpp_tab); - add_entry1(s, TIFF_COMPR, TIFF_SHORT, s->compr); - add_entry1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); - add_entry(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, strip_offsets); + ADD_ENTRY1(s, TIFF_COMPR, TIFF_SHORT, s->compr); + ADD_ENTRY1(s, TIFF_PHOTOMETRIC, TIFF_SHORT, s->photometric_interpretation); + ADD_ENTRY(s, TIFF_STRIP_OFFS, TIFF_LONG, strips, strip_offsets); if (s->bpp_tab_size) - add_entry1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); + ADD_ENTRY1(s, TIFF_SAMPLES_PER_PIXEL, TIFF_SHORT, s->bpp_tab_size); - add_entry1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); - add_entry(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, strip_sizes); - add_entry(s, TIFF_XRES, TIFF_RATIONAL, 1, res); - add_entry(s, TIFF_YRES, TIFF_RATIONAL, 1, res); - add_entry1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); + ADD_ENTRY1(s, TIFF_ROWSPERSTRIP, TIFF_LONG, s->rps); + ADD_ENTRY(s, TIFF_STRIP_SIZE, TIFF_LONG, strips, strip_sizes); + ADD_ENTRY(s, TIFF_XRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY(s, TIFF_YRES, TIFF_RATIONAL, 1, res); + ADD_ENTRY1(s, TIFF_RES_UNIT, TIFF_SHORT, 2); if (!(avctx->flags & CODEC_FLAG_BITEXACT)) - add_entry(s, TIFF_SOFTWARE_NAME, TIFF_STRING, + ADD_ENTRY(s, TIFF_SOFTWARE_NAME, TIFF_STRING, strlen(LIBAVCODEC_IDENT) + 1, LIBAVCODEC_IDENT); if (avctx->pix_fmt == AV_PIX_FMT_PAL8) { 
@@ -437,13 +454,13 @@ pal[i + 256] = ((rgb >> 8) & 0xff) * 257; pal[i + 512] = (rgb & 0xff) * 257; } - add_entry(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); + ADD_ENTRY(s, TIFF_PAL, TIFF_SHORT, 256 * 3, pal); } if (is_yuv) { /** according to CCIR Recommendation 601.1 */ uint32_t refbw[12] = { 15, 1, 235, 1, 128, 1, 240, 1, 128, 1, 240, 1 }; - add_entry(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); - add_entry(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); + ADD_ENTRY(s, TIFF_YCBCR_SUBSAMPLING, TIFF_SHORT, 2, s->subsampling); + ADD_ENTRY(s, TIFF_REFERENCE_BW, TIFF_RATIONAL, 6, refbw); } // write offset to dir bytestream_put_le32(&offset, ptr - pkt->data); diff -Nru libav-11.1/libavcodec/vaapi.c libav-11.2/libavcodec/vaapi.c --- libav-11.1/libavcodec/vaapi.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/vaapi.c 2015-01-14 20:50:49.000000000 +0000 @@ -194,6 +194,9 @@ vactx->slice_params_alloc = 0; } +#if CONFIG_H263_VAAPI_HWACCEL || CONFIG_MPEG1_VAAPI_HWACCEL || \ + CONFIG_MPEG2_VAAPI_HWACCEL || CONFIG_MPEG4_VAAPI_HWACCEL || \ + CONFIG_VC1_VAAPI_HWACCEL || CONFIG_WMV3_VAAPI_HWACCEL int ff_vaapi_mpeg_end_frame(AVCodecContext *avctx) { struct vaapi_context * const vactx = avctx->hwaccel_context; @@ -215,5 +218,6 @@ ff_vaapi_common_end_frame(avctx); return ret; } +#endif /* @} */ diff -Nru libav-11.1/libavcodec/vc1dec.c libav-11.2/libavcodec/vc1dec.c --- libav-11.1/libavcodec/vc1dec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/vc1dec.c 2015-01-14 20:50:49.000000000 +0000 
@@ -5503,7 +5503,7 @@ Since we can't enforce it, clear to black the missing sprite. This is wrong but it looks better than doing nothing. */ - if (f->data[0]) + if (f && f->data[0]) for (plane = 0; plane < (s->flags&CODEC_FLAG_GRAY ? 1 : 3); plane++) for (i = 0; i < v->sprite_height>>!!plane; i++) memset(f->data[plane] + i * f->linesize[plane], diff -Nru libav-11.1/libavcodec/vp8.c libav-11.2/libavcodec/vp8.c --- libav-11.1/libavcodec/vp8.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/vp8.c 2015-01-14 20:50:49.000000000 +0000 @@ -529,7 +529,7 @@ s->feature_index_prob[i][j] = vp8_rac_get(c) ? vp8_rac_get_uint(c, 8) : 255; - if (vp7_feature_value_size[i]) + if (vp7_feature_value_size[s->profile][i]) for (j = 0; j < 4; j++) s->feature_value[i][j] = vp8_rac_get(c) ? vp8_rac_get_uint(c, vp7_feature_value_size[s->profile][i]) : 0; @@ -1882,8 +1882,8 @@ mb->bmv[2 * y * 4 + 2 * x + 1].y + mb->bmv[(2 * y + 1) * 4 + 2 * x ].y + mb->bmv[(2 * y + 1) * 4 + 2 * x + 1].y; - uvmv.x = (uvmv.x + 2 + (uvmv.x >> (INT_BIT - 1))) >> 2; - uvmv.y = (uvmv.y + 2 + (uvmv.y >> (INT_BIT - 1))) >> 2; + uvmv.x = (uvmv.x + 2 + FF_SIGNBIT(uvmv.x)) >> 2; + uvmv.y = (uvmv.y + 2 + FF_SIGNBIT(uvmv.y)) >> 2; if (s->profile == 3) { uvmv.x &= ~7; uvmv.y &= ~7; diff -Nru libav-11.1/libavcodec/xsubdec.c libav-11.2/libavcodec/xsubdec.c --- libav-11.1/libavcodec/xsubdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavcodec/xsubdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -56,11 +56,12 @@ int w, h, x, y, i; int64_t packet_time = 0; GetBitContext gb; + int has_alpha = avctx->codec_tag == MKTAG('D','X','S','A'); memset(sub, 0, sizeof(*sub)); // check that at least header fits - if (buf_size < 27 + 7 * 2 + 4 * 3) { + if (buf_size < 27 + 7 * 2 + 4 * (3 + has_alpha)) { av_log(avctx, AV_LOG_ERROR, "coded frame too small\n"); return -1; } 
@@ -107,9 +108,15 @@ // read palette for (i = 0; i < sub->rects[0]->nb_colors; i++) ((uint32_t*)sub->rects[0]->pict.data[1])[i] = bytestream_get_be24(&buf); - // make all except background (first entry) non-transparent - for (i = 1; i < sub->rects[0]->nb_colors; i++) - ((uint32_t*)sub->rects[0]->pict.data[1])[i] |= 0xff000000; + + if (!has_alpha) { + // make all except background (first entry) non-transparent + for (i = 1; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= 0xff000000; + } else { + for (i = 0; i < sub->rects[0]->nb_colors; i++) + ((uint32_t *)sub->rects[0]->pict.data[1])[i] |= *buf++ << 24; + } // process RLE-compressed data init_get_bits(&gb, buf, (buf_end - buf) * 8); diff -Nru libav-11.1/libavdevice/oss_audio.c libav-11.2/libavdevice/oss_audio.c --- libav-11.1/libavdevice/oss_audio.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavdevice/oss_audio.c 2015-01-14 20:50:49.000000000 +0000 @@ -48,6 +48,7 @@ int audio_fd; int tmp, err; char *flip = getenv("AUDIO_FLIP_LEFT"); + char errbuff[128]; if (is_output) audio_fd = avpriv_open(audio_device, O_WRONLY); @@ -68,8 +69,18 @@ s->frame_size = OSS_AUDIO_BLOCK_SIZE; - /* select format : favour native format */ - err = ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp); +#define CHECK_IOCTL_ERROR(event) \ + if (err < 0) { \ + av_strerror(AVERROR(errno), errbuff, sizeof(errbuff)); \ + av_log(s1, AV_LOG_ERROR, #event ": %s\n", errbuff); \ + goto fail; \ + } + + /* select format : favour native format + * We don't CHECK_IOCTL_ERROR here because even if failed OSS still may be + * usable. If OSS is not usable the SNDCTL_DSP_SETFMTS later is going to + * fail anyway. */ + (void) ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp); #if HAVE_BIGENDIAN if (tmp & AFMT_S16_BE) { 
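Review bot: In the new `has_alpha` branch, `*buf++ << 24` shifts a value that has already been promoted to `int`, so an alpha byte of 0x80 or above overflows a signed int, which is undefined behaviour. The byte is read straight from the subtitle packet. This assumes `buf` is a byte pointer, as the `bytestream_get_be24(&buf)` call above suggests; its declaration is outside the hunk. Casting before the shift avoids it: `((uint32_t *)sub->rects[0]->pict.data[1])[i] |= (unsigned)*buf++ << 24;`, the same cast this diff applies in libswscale/rgb2rgb_template.c.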
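Review bot: With the result of `ioctl(audio_fd, SNDCTL_DSP_GETFMTS, &tmp)` now deliberately ignored, a failed call leaves `tmp` unwritten, and the `tmp & AFMT_S16_BE` test that follows reads whatever the variable held. The previous hunk shows it declared as `int tmp, err;` with no initializer, so unless it is assigned in the lines between the two hunks the read is of an indeterminate value. Adding `tmp = 0;` just before the ioctl keeps the documented best-effort behaviour and makes the format selection deterministic. The function body starts and ends outside the hunk.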
@@ -102,24 +113,15 @@ return AVERROR(EIO); } err=ioctl(audio_fd, SNDCTL_DSP_SETFMT, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_SETFMT: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_SETFMTS) tmp = (s->channels == 2); err = ioctl(audio_fd, SNDCTL_DSP_STEREO, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_STEREO: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_STEREO) tmp = s->sample_rate; err = ioctl(audio_fd, SNDCTL_DSP_SPEED, &tmp); - if (err < 0) { - av_log(s1, AV_LOG_ERROR, "SNDCTL_DSP_SPEED: %s\n", strerror(errno)); - goto fail; - } + CHECK_IOCTL_ERROR(SNDCTL_DSP_SPEED) s->sample_rate = tmp; /* store real sample rate */ s->fd = audio_fd; @@ -127,6 +129,7 @@ fail: close(audio_fd); return AVERROR(EIO); +#undef CHECK_IOCTL_ERROR } int ff_oss_audio_close(OSSAudioData *s) diff -Nru libav-11.1/libavfilter/af_resample.c libav-11.2/libavfilter/af_resample.c --- libav-11.1/libavfilter/af_resample.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/af_resample.c 2015-01-14 20:50:49.000000000 +0000 @@ -136,11 +136,14 @@ return AVERROR(ENOMEM); if (s->options) { + int ret; AVDictionaryEntry *e = NULL; while ((e = av_dict_get(s->options, "", e, AV_DICT_IGNORE_SUFFIX))) av_log(ctx, AV_LOG_VERBOSE, "lavr option: %s=%s\n", e->key, e->value); - av_opt_set_dict(s->avr, &s->options); + ret = av_opt_set_dict(s->avr, &s->options); + if (ret < 0) + return ret; } av_opt_set_int(s->avr, "in_channel_layout", inlink ->channel_layout, 0); diff -Nru libav-11.1/libavfilter/avfilter.c libav-11.2/libavfilter/avfilter.c --- libav-11.1/libavfilter/avfilter.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/avfilter.c 2015-01-14 20:50:49.000000000 +0000 
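Review bot: `CHECK_IOCTL_ERROR(SNDCTL_DSP_SETFMTS)` follows a call to `ioctl(audio_fd, SNDCTL_DSP_SETFMT, &tmp)`, and because the macro stringifies its argument, the log line now names a request that was not issued. The removed code logged "SNDCTL_DSP_SETFMT". Pass the matching name, `CHECK_IOCTL_ERROR(SNDCTL_DSP_SETFMT)`, so the message can be matched against the failing call when triaging a device problem. The comment added in the previous hunk also says SNDCTL_DSP_SETFMTS and should be corrected the same way.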
@@ -152,6 +152,11 @@ AVFilterLink *link = filter->inputs[i]; if (!link) continue; + if (!link->src || !link->dst) { + av_log(filter, AV_LOG_ERROR, + "Not all input and output are properly linked (%d).\n", i); + return AVERROR(EINVAL); + } switch (link->init_state) { case AVLINK_INIT: @@ -181,7 +186,7 @@ } if (link->time_base.num == 0 && link->time_base.den == 0) - link->time_base = link->src && link->src->nb_inputs ? + link->time_base = link->src->nb_inputs ? link->src->inputs[0]->time_base : AV_TIME_BASE_Q; if (link->type == AVMEDIA_TYPE_VIDEO) { diff -Nru libav-11.1/libavfilter/vf_drawtext.c libav-11.2/libavfilter/vf_drawtext.c --- libav-11.1/libavfilter/vf_drawtext.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_drawtext.c 2015-01-14 20:50:49.000000000 +0000 @@ -398,8 +398,11 @@ return err; } - if (!(s->text = av_malloc(textbuf_size+1))) + if (textbuf_size > SIZE_MAX - 1 || + !(s->text = av_malloc(textbuf_size + 1))) { + av_file_unmap(textbuf, textbuf_size); return AVERROR(ENOMEM); + } memcpy(s->text, textbuf, textbuf_size); s->text[textbuf_size] = 0; av_file_unmap(textbuf, textbuf_size); diff -Nru libav-11.1/libavfilter/vf_format.c libav-11.2/libavfilter/vf_format.c --- libav-11.1/libavfilter/vf_format.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_format.c 2015-01-14 20:50:49.000000000 +0000 @@ -59,6 +59,11 @@ int nb_formats = 1; int i; + if (!s->pix_fmts) { + av_log(ctx, AV_LOG_ERROR, "Empty output format string.\n"); + return AVERROR(EINVAL); + } + /* count the formats */ cur = s->pix_fmts; while ((cur = strchr(cur, '|'))) { diff -Nru libav-11.1/libavfilter/vf_frei0r.c libav-11.2/libavfilter/vf_frei0r.c --- libav-11.1/libavfilter/vf_frei0r.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_frei0r.c 2015-01-14 20:50:49.000000000 +0000 
@@ -149,7 +149,8 @@ if (*params) { if (!(param = av_get_token(¶ms, "|"))) return AVERROR(ENOMEM); - params++; /* skip ':' */ + if (*params) + params++; /* skip ':' */ ret = set_param(ctx, info, i, param); av_free(param); if (ret < 0) diff -Nru libav-11.1/libavfilter/vf_pad.c libav-11.2/libavfilter/vf_pad.c --- libav-11.1/libavfilter/vf_pad.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_pad.c 2015-01-14 20:50:49.000000000 +0000 @@ -158,9 +158,10 @@ var_values[VAR_VSUB] = 1<vsub; /* evaluate width and height */ - av_expr_parse_and_eval(&res, (expr = s->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = s->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto eval_fail; s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->h_expr), var_names, var_values, @@ -175,9 +176,10 @@ s->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; /* evaluate x and y */ - av_expr_parse_and_eval(&res, (expr = s->x_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = s->x_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto eval_fail; s->x = var_values[VAR_X] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = s->y_expr), var_names, var_values, diff -Nru libav-11.1/libavfilter/vf_scale.c libav-11.2/libavfilter/vf_scale.c --- libav-11.1/libavfilter/vf_scale.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_scale.c 2015-01-14 20:50:49.000000000 +0000 
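Review bot: The comment on the now-guarded increment still reads `/* skip ':' */`, although the token is split on "|" in the `av_get_token` call just above it. Something like `/* skip the '|' separator, but never step past the terminating NUL */` would match the code and record why the `if (*params)` guard was added. Without the guard, the pointer presumably advanced beyond the end of the string after the last parameter. The enclosing function starts and ends outside the hunk.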
@@ -177,9 +177,10 @@ var_values[VAR_VSUB] = 1 << desc->log2_chroma_h; /* evaluate width and height */ - av_expr_parse_and_eval(&res, (expr = scale->w_expr), - var_names, var_values, - NULL, NULL, NULL, NULL, NULL, 0, ctx); + if ((ret = av_expr_parse_and_eval(&res, (expr = scale->w_expr), + var_names, var_values, + NULL, NULL, NULL, NULL, NULL, 0, ctx)) < 0) + goto fail; scale->w = var_values[VAR_OUT_W] = var_values[VAR_OW] = res; if ((ret = av_expr_parse_and_eval(&res, (expr = scale->h_expr), var_names, var_values, diff -Nru libav-11.1/libavfilter/vf_showinfo.c libav-11.2/libavfilter/vf_showinfo.c --- libav-11.1/libavfilter/vf_showinfo.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavfilter/vf_showinfo.c 2015-01-14 20:50:49.000000000 +0000 @@ -78,9 +78,11 @@ int i, plane, vsub = desc->log2_chroma_h; for (plane = 0; frame->data[plane] && plane < 4; plane++) { - size_t linesize = av_image_get_linesize(frame->format, frame->width, plane); uint8_t *data = frame->data[plane]; int h = plane == 1 || plane == 2 ? inlink->h >> vsub : inlink->h; + int linesize = av_image_get_linesize(frame->format, frame->width, plane); + if (linesize < 0) + return linesize; for (i = 0; i < h; i++) { plane_checksum[plane] = av_adler32_update(plane_checksum[plane], data, linesize); diff -Nru libav-11.1/libavformat/assdec.c libav-11.2/libavformat/assdec.c --- libav-11.1/libavformat/assdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/assdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -151,6 +151,7 @@ { ASSContext *ass = s->priv_data; uint8_t *p, *end; + int ret; if (ass->event_index >= ass->event_count) return AVERROR(EIO); 
@@ -158,7 +159,9 @@ p = ass->event[ass->event_index]; end = strchr(p, '\n'); - av_new_packet(pkt, end ? end - p + 1 : strlen(p)); + ret = av_new_packet(pkt, end ? end - p + 1 : strlen(p)); + if (ret < 0) + return ret; pkt->flags |= AV_PKT_FLAG_KEY; pkt->pos = p - ass->event_buffer + s->streams[0]->codec->extradata_size; pkt->pts = pkt->dts = get_pts(p); diff -Nru libav-11.1/libavformat/audiointerleave.c libav-11.2/libavformat/audiointerleave.c --- libav-11.1/libavformat/audiointerleave.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/audiointerleave.c 2015-01-14 20:50:49.000000000 +0000 @@ -75,12 +75,14 @@ { AVStream *st = s->streams[stream_index]; AudioInterleaveContext *aic = st->priv_data; - + int ret; int size = FFMIN(av_fifo_size(aic->fifo), *aic->samples * aic->sample_size); if (!size || (!flush && size == av_fifo_size(aic->fifo))) return 0; - av_new_packet(pkt, size); + ret = av_new_packet(pkt, size); + if (ret < 0) + return ret; av_fifo_generic_read(aic->fifo, pkt->data, size, NULL); pkt->dts = pkt->pts = aic->dts; diff -Nru libav-11.1/libavformat/aviobuf.c libav-11.2/libavformat/aviobuf.c --- libav-11.1/libavformat/aviobuf.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/aviobuf.c 2015-01-14 20:50:49.000000000 +0000 @@ -965,7 +965,7 @@ int avio_close_dyn_buf(AVIOContext *s, uint8_t **pbuffer) { - DynBuffer *d = s->opaque; + DynBuffer *d; int size; static const char padbuf[FF_INPUT_BUFFER_PADDING_SIZE] = {0}; int padding = 0; @@ -983,6 +983,7 @@ avio_flush(s); + d = s->opaque; *pbuffer = d->buffer; size = d->size; av_free(d); diff -Nru libav-11.1/libavformat/avio.c libav-11.2/libavformat/avio.c --- libav-11.1/libavformat/avio.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/avio.c 2015-01-14 20:50:49.000000000 +0000 
@@ -361,7 +361,7 @@ if (!h->prot->url_get_multi_file_handle) { if (!h->prot->url_get_file_handle) return AVERROR(ENOSYS); - *handles = av_malloc(sizeof(*handles)); + *handles = av_malloc(sizeof(**handles)); if (!*handles) return AVERROR(ENOMEM); *numhandles = 1; diff -Nru libav-11.1/libavformat/hdsenc.c libav-11.2/libavformat/hdsenc.c --- libav-11.1/libavformat/hdsenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/hdsenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -204,8 +204,7 @@ avio_printf(out, "\n"); avio_flush(out); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static void update_size(AVIOContext *out, int64_t pos) @@ -286,8 +285,7 @@ update_size(out, afrt_pos); update_size(out, 0); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static int init_file(AVFormatContext *s, OutputStream *os, int64_t start_ts) @@ -477,7 +475,9 @@ snprintf(target_filename, sizeof(target_filename), "%s/stream%dSeg1-Frag%d", s->filename, index, os->fragment_index); - rename(os->temp_filename, target_filename); + ret = ff_rename(os->temp_filename, target_filename); + if (ret < 0) + return ret; add_fragment(os, target_filename, os->frag_start_ts, end_ts - os->frag_start_ts); if (!final) { diff -Nru libav-11.1/libavformat/img2dec.c libav-11.2/libavformat/img2dec.c --- libav-11.1/libavformat/img2dec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/img2dec.c 2015-01-14 20:50:49.000000000 +0000 @@ -221,7 +221,7 @@ { VideoDemuxData *s = s1->priv_data; char filename[1024]; - int i; + int i, res; int size[3] = { 0 }, ret[3] = { 0 }; AVIOContext *f[3] = { NULL }; AVCodecContext *codec = s1->streams[0]->codec; 
@@ -262,7 +262,9 @@ size[0] = 4096; } - av_new_packet(pkt, size[0] + size[1] + size[2]); + res = av_new_packet(pkt, size[0] + size[1] + size[2]); + if (res < 0) + return res; pkt->stream_index = 0; pkt->flags |= AV_PKT_FLAG_KEY; diff -Nru libav-11.1/libavformat/internal.h libav-11.2/libavformat/internal.h --- libav-11.1/libavformat/internal.h 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/internal.h 2015-01-14 20:50:49.000000000 +0000 @@ -353,4 +353,18 @@ */ int ff_generate_avci_extradata(AVStream *st); +/** + * Wrap errno on rename() error. + * + * @param oldpath source path + * @param newpath destination path + * @return 0 or AVERROR on failure + */ +static inline int ff_rename(const char *oldpath, const char *newpath) +{ + if (rename(oldpath, newpath) == -1) + return AVERROR(errno); + return 0; +} + #endif /* AVFORMAT_INTERNAL_H */ diff -Nru libav-11.1/libavformat/librtmp.c libav-11.2/libavformat/librtmp.c --- libav-11.1/libavformat/librtmp.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/librtmp.c 2015-01-14 20:50:49.000000000 +0000 @@ -169,7 +169,7 @@ } if (ctx->swfurl) { av_strlcat(filename, " swfUrl=", len); - av_strlcat(filename, ctx->pageurl, len); + av_strlcat(filename, ctx->swfurl, len); } if (ctx->flashver) { av_strlcat(filename, " flashVer=", len); diff -Nru libav-11.1/libavformat/matroskaenc.c libav-11.2/libavformat/matroskaenc.c --- libav-11.1/libavformat/matroskaenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/matroskaenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -629,6 +629,9 @@ AVStream *st, int mode) { int i; + int display_width, display_height; + int h_width = 1, h_height = 1; + AVCodecContext *codec = st->codec; AVDictionaryEntry *tag; MatroskaVideoStereoModeType format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; @@ -643,6 +646,7 @@ } } + // iterate to find the stereo3d side data for (i = 0; i < st->nb_side_data; i++) { AVPacketSideData sd = st->side_data[i]; if (sd.type == AV_PKT_DATA_STEREO3D) { 
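Review bot: The new early `return res;` after a failed `av_new_packet()` may leave the `f[]` I/O contexts open. The previous hunk declares `AVIOContext *f[3] = { NULL };`, but where they are opened is outside both hunks, so this needs confirming against the full function. If the files are already open here, each failed allocation leaks up to three handles, and the error path should close them before returning, as the function's other exit paths presumably do. The packet size `size[0] + size[1] + size[2]` is also summed in `int` from file sizes, so a range check before the call would turn an overflow into a clean error.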
@@ -656,11 +660,13 @@ format = (stereo->flags & AV_STEREO3D_FLAG_INVERT) ? MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT : MATROSKA_VIDEO_STEREOMODE_TYPE_LEFT_RIGHT; + h_width = 2; break; case AV_STEREO3D_TOPBOTTOM: format = MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_height = 2; break; case AV_STEREO3D_CHECKERBOARD: format = MATROSKA_VIDEO_STEREOMODE_TYPE_CHECKERBOARD_LR; @@ -671,11 +677,13 @@ format = MATROSKA_VIDEO_STEREOMODE_TYPE_ROW_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_height = 2; break; case AV_STEREO3D_COLUMNS: format = MATROSKA_VIDEO_STEREOMODE_TYPE_COL_INTERLEAVED_LR; if (stereo->flags & AV_STEREO3D_FLAG_INVERT) format--; + h_width = 2; break; case AV_STEREO3D_FRAMESEQUENCE: format = MATROSKA_VIDEO_STEREOMODE_TYPE_BOTH_EYES_BLOCK_LR; @@ -688,14 +696,30 @@ } } + // if webm, do not write unsupported modes if (mode == MODE_WEBM && (format > MATROSKA_VIDEO_STEREOMODE_TYPE_TOP_BOTTOM && format != MATROSKA_VIDEO_STEREOMODE_TYPE_RIGHT_LEFT)) format = MATROSKA_VIDEO_STEREOMODE_TYPE_NB; + // write StereoMode if format is valid if (format < MATROSKA_VIDEO_STEREOMODE_TYPE_NB) put_ebml_uint(pb, MATROSKA_ID_VIDEOSTEREOMODE, format); + // write DisplayWidth and DisplayHeight, they contain the size of + // a single source view and/or the display aspect ratio + display_width = codec->width / h_width; + display_height = codec->height / h_height; + if (st->sample_aspect_ratio.num) { + display_width *= av_q2d(st->sample_aspect_ratio); + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, 3); // DAR + } + if (st->sample_aspect_ratio.num || + format < MATROSKA_VIDEO_STEREOMODE_TYPE_NB) { + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH, display_width); + put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, display_height); + } + return 0; } 
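Review bot: `display_width *= av_q2d(st->sample_aspect_ratio);` is guarded only by `st->sample_aspect_ratio.num`, so a ratio with a zero denominator or a negative numerator still reaches the multiplication. The double result is then converted back to `int` implicitly. If the ratio can arrive here unvalidated (not visible from this hunk), a zero `den` makes the product infinite and the conversion undefined, and the value is then written as an unsigned EBML element. Testing both fields with `if (st->sample_aspect_ratio.num > 0 && st->sample_aspect_ratio.den > 0)`, and using the same condition in the second `if`, closes that off. The function starts outside the hunk.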
@@ -804,12 +828,6 @@ if (ret < 0) return ret; - if (st->sample_aspect_ratio.num) { - int d_width = codec->width*av_q2d(st->sample_aspect_ratio); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYWIDTH , d_width); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYHEIGHT, codec->height); - put_ebml_uint(pb, MATROSKA_ID_VIDEODISPLAYUNIT, 3); - } end_ebml_master(pb, subinfo); break; diff -Nru libav-11.1/libavformat/mov.c libav-11.2/libavformat/mov.c --- libav-11.1/libavformat/mov.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/mov.c 2015-01-14 20:50:49.000000000 +0000 @@ -1702,6 +1702,7 @@ } if (entries >= UINT_MAX / sizeof(int)) return AVERROR_INVALIDDATA; + av_freep(&sc->keyframes); sc->keyframes = av_malloc(entries * sizeof(int)); if (!sc->keyframes) return AVERROR(ENOMEM); @@ -3091,7 +3092,7 @@ MOVStreamContext *sc = st->priv_data; if (st->codec->codec_type == AVMEDIA_TYPE_SUBTITLE) { - if (st->codec->width <= 0 && st->codec->width <= 0) { + if (st->codec->width <= 0 || st->codec->height <= 0) { st->codec->width = sc->width; st->codec->height = sc->height; } diff -Nru libav-11.1/libavformat/mp3dec.c libav-11.2/libavformat/mp3dec.c --- libav-11.1/libavformat/mp3dec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/mp3dec.c 2015-01-14 20:50:49.000000000 +0000 @@ -36,6 +36,7 @@ #define XING_FLAG_FRAMES 0x01 #define XING_FLAG_SIZE 0x02 #define XING_FLAG_TOC 0x04 +#define XING_FLAC_QSCALE 0x08 #define XING_TOC_COUNT 100 @@ -80,7 +81,10 @@ } // keep this in sync with ac3 probe, both need to avoid // issues with MPEG-files! - if (first_frames >= 4) return AVPROBE_SCORE_EXTENSION + 1; + if (first_frames >= 10) + return AVPROBE_SCORE_EXTENSION + 5; + if (first_frames >= 4) + return AVPROBE_SCORE_EXTENSION + 1; if (max_frames) { int pes = 0, i; 
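Review bot: The new define in mp3dec.c is spelled `XING_FLAC_QSCALE`, while the three directly above it are `XING_FLAG_FRAMES`, `XING_FLAG_SIZE` and `XING_FLAG_TOC`. Rename it to `XING_FLAG_QSCALE`, both here and in the `if (v & XING_FLAC_QSCALE)` test in the later mp3dec.c hunk. The current spelling reads as a reference to the FLAC codec, and a search for the `XING_FLAG_` prefix will miss it.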
@@ -165,7 +169,8 @@ st->time_base)); /* VBR quality */ - avio_rb32(s->pb); + if (v & XING_FLAC_QSCALE) + avio_rb32(s->pb); /* Encoder short version string */ memset(version, 0, sizeof(version)); diff -Nru libav-11.1/libavformat/mpegenc.c libav-11.2/libavformat/mpegenc.c --- libav-11.1/libavformat/mpegenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/mpegenc.c 2015-01-14 20:50:49.000000000 +0000 @@ -1052,7 +1052,7 @@ es_size -= stream->premux_packet->unwritten_size; stream->premux_packet = stream->premux_packet->next; } - if (es_size) + if (stream->premux_packet && es_size) stream->premux_packet->unwritten_size -= es_size; if (remove_decoded_packets(ctx, s->last_scr) < 0) diff -Nru libav-11.1/libavformat/mtv.c libav-11.2/libavformat/mtv.c --- libav-11.1/libavformat/mtv.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/mtv.c 2015-01-14 20:50:49.000000000 +0000 @@ -96,14 +96,17 @@ /* Calculate width and height if missing from header */ - if(!mtv->img_width) + if (!mtv->img_width && mtv->img_height > 0 && mtv->img_bpp >= 8) mtv->img_width=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_height; - if(!mtv->img_height) + if (!mtv->img_height && mtv->img_width > 0 && mtv->img_bpp >= 8) mtv->img_height=mtv->img_segment_size / (mtv->img_bpp>>3) / mtv->img_width; + if (!mtv->img_width || !mtv->img_height) + return AVERROR_INVALIDDATA; + avio_skip(pb, 4); audio_subsegments = avio_rl16(pb); diff -Nru libav-11.1/libavformat/mxfdec.c libav-11.2/libavformat/mxfdec.c --- libav-11.1/libavformat/mxfdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/mxfdec.c 2015-01-14 20:50:49.000000000 +0000 
@@ -1571,6 +1571,7 @@ } /* Turn field height into frame height. */ st->codec->height *= 2; + break; default: av_log(mxf->fc, AV_LOG_INFO, "Unknown frame layout type: %d\n", diff -Nru libav-11.1/libavformat/nutdec.c libav-11.2/libavformat/nutdec.c --- libav-11.1/libavformat/nutdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/nutdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -822,7 +822,7 @@ { AVFormatContext *s = nut->avf; AVIOContext *bc = s->pb; - int size, stream_id, discard; + int size, stream_id, discard, ret; int64_t pts, last_IP_pts; StreamContext *stc; uint8_t header_idx; @@ -847,7 +847,9 @@ return 1; } - av_new_packet(pkt, size + nut->header_len[header_idx]); + ret = av_new_packet(pkt, size + nut->header_len[header_idx]); + if (ret < 0) + return ret; memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]); pkt->pos = avio_tell(bc); // FIXME avio_read(bc, pkt->data + nut->header_len[header_idx], size); diff -Nru libav-11.1/libavformat/rawdec.c libav-11.2/libavformat/rawdec.c --- libav-11.1/libavformat/rawdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rawdec.c 2015-01-14 20:50:49.000000000 +0000 @@ -155,7 +155,7 @@ return AVPROBE_SCORE_EXTENSION; else if (max_frames >= 3) return AVPROBE_SCORE_EXTENSION / 2; - else if (max_frames >= 1) + else if (max_frames > 1) return 1; else return 0; diff -Nru libav-11.1/libavformat/rdt.c libav-11.2/libavformat/rdt.c --- libav-11.1/libavformat/rdt.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rdt.c 2015-01-14 20:50:49.000000000 +0000 @@ -132,7 +132,7 @@ rdt_load_mdpr (PayloadContext *rdt, AVStream *st, int rule_nr) { AVIOContext pb; - int size; + unsigned int size; uint32_t tag; /** diff -Nru libav-11.1/libavformat/rmdec.c libav-11.2/libavformat/rmdec.c --- libav-11.1/libavformat/rmdec.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rmdec.c 2015-01-14 20:50:49.000000000 +0000 
@@ -282,9 +282,9 @@ return 0; } -int -ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, - AVStream *st, RMStream *rst, int codec_data_size) +int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, + AVStream *st, RMStream *rst, + unsigned int codec_data_size) { unsigned int v; int size; @@ -816,7 +816,9 @@ ast->deint_id == DEINT_ID_VBRS) av_get_packet(pb, pkt, ast->sub_packet_lengths[ast->sub_packet_cnt - rm->audio_pkt_cnt]); else { - av_new_packet(pkt, st->codec->block_align); + int ret = av_new_packet(pkt, st->codec->block_align); + if (ret < 0) + return ret; memcpy(pkt->data, ast->pkt.data + st->codec->block_align * //FIXME avoid this (ast->sub_packet_h * ast->audio_framesize / st->codec->block_align - rm->audio_pkt_cnt), st->codec->block_align); diff -Nru libav-11.1/libavformat/rm.h libav-11.2/libavformat/rm.h --- libav-11.1/libavformat/rm.h 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rm.h 2015-01-14 20:50:49.000000000 +0000 @@ -50,7 +50,7 @@ */ int ff_rm_read_mdpr_codecdata (AVFormatContext *s, AVIOContext *pb, AVStream *st, RMStream *rst, - int codec_data_size); + unsigned int codec_data_size); /** * Parse one rm-stream packet from the input bytestream. diff -Nru libav-11.1/libavformat/rtpdec_h263_rfc2190.c libav-11.2/libavformat/rtpdec_h263_rfc2190.c --- libav-11.1/libavformat/rtpdec_h263_rfc2190.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rtpdec_h263_rfc2190.c 2015-01-14 20:50:49.000000000 +0000 @@ -83,6 +83,7 @@ avio_close_dyn_buf(data->buf, &p); av_free(p); data->buf = NULL; + data->endbyte_bits = 0; } if (len < 4) { diff -Nru libav-11.1/libavformat/rtsp.c libav-11.2/libavformat/rtsp.c --- libav-11.1/libavformat/rtsp.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/rtsp.c 2015-01-14 20:50:49.000000000 +0000 
@@ -1146,6 +1146,8 @@ if (content_length > 0) { /* leave some room for a trailing '\0' (useful for simple parsing) */ content = av_malloc(content_length + 1); + if (!content) + return AVERROR(ENOMEM); ffurl_read_complete(rt->rtsp_hd, content, content_length); content[content_length] = '\0'; } diff -Nru libav-11.1/libavformat/segment.c libav-11.2/libavformat/segment.c --- libav-11.1/libavformat/segment.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/segment.c 2015-01-14 20:50:49.000000000 +0000 @@ -183,6 +183,13 @@ av_free(pb); } +static void seg_free_context(SegmentContext *seg) +{ + avio_closep(&seg->pb); + avformat_free_context(seg->avf); + seg->avf = NULL; +} + static int seg_write_header(AVFormatContext *s) { SegmentContext *seg = s->priv_data; @@ -264,12 +271,9 @@ } fail: - if (ret) { - if (seg->list) - avio_close(seg->pb); - if (seg->avf) - avformat_free_context(seg->avf); - } + if (ret < 0) + seg_free_context(seg); + return ret; } @@ -281,6 +285,9 @@ int64_t end_pts = seg->recording_time * seg->number; int ret, can_split = 1; + if (!oc) + return AVERROR(EINVAL); + if (seg->has_video) { can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && pkt->flags & AV_PKT_FLAG_KEY; @@ -321,11 +328,8 @@ ret = ff_write_chained(oc, pkt->stream_index, pkt, s); fail: - if (ret < 0) { - if (seg->list) - avio_close(seg->pb); - avformat_free_context(oc); - } + if (ret < 0) + seg_free_context(seg); return ret; } @@ -334,7 +338,11 @@ { SegmentContext *seg = s->priv_data; AVFormatContext *oc = seg->avf; - int ret; + int ret = 0; + + if (!oc) + goto fail; + if (!seg->write_header_trailer) { if ((ret = segment_end(oc, 0)) < 0) goto fail; diff -Nru libav-11.1/libavformat/smoothstreamingenc.c libav-11.2/libavformat/smoothstreamingenc.c --- libav-11.1/libavformat/smoothstreamingenc.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/smoothstreamingenc.c 2015-01-14 20:50:49.000000000 +0000 
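Review bot: The allocation in rtsp.c is now checked, but the result of `ffurl_read_complete(rt->rtsp_hd, content, content_length)` on the next line is still discarded. On a short or failed read the buffer holds uninitialised heap bytes in front of the terminating NUL, and that is what later gets parsed as the reply body from the network peer. Comparing the return value with `content_length`, then freeing `content` and returning an error on mismatch, would complete the hardening this hunk starts. The enclosing function starts and ends outside the hunk, so whether other buffers need releasing on that path cannot be confirmed from here.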
@@ -34,6 +34,7 @@ #include "libavutil/opt.h" #include "libavutil/avstring.h" +#include "libavutil/file.h" #include "libavutil/mathematics.h" #include "libavutil/intreadwrite.h" @@ -282,8 +283,7 @@ avio_printf(out, "\n"); avio_flush(out); avio_close(out); - rename(temp_filename, filename); - return 0; + return ff_rename(temp_filename, filename); } static int ism_write_header(AVFormatContext *s) @@ -533,8 +533,11 @@ snprintf(header_filename, sizeof(header_filename), "%s/FragmentInfo(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); snprintf(target_filename, sizeof(target_filename), "%s/Fragments(%s=%"PRIu64")", os->dirname, os->stream_type_tag, start_ts); copy_moof(s, filename, header_filename, moof_size); - rename(filename, target_filename); - add_fragment(os, target_filename, header_filename, start_ts, duration, start_pos, size); + ret = ff_rename(filename, target_filename); + if (ret < 0) + break; + add_fragment(os, target_filename, header_filename, start_ts, duration, + os->cur_start_pos, size); } if (c->window_size || (final && c->remove_at_exit)) { diff -Nru libav-11.1/libavformat/utils.c libav-11.2/libavformat/utils.c --- libav-11.1/libavformat/utils.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/utils.c 2015-01-14 20:50:49.000000000 +0000 @@ -2447,6 +2447,9 @@ int i, j; AVStream *st; + if (!s) + return; + av_opt_free(s); if (s->iformat && s->iformat->priv_class && s->priv_data) av_opt_free(s->priv_data); @@ -2535,6 +2538,11 @@ } st->codec = avcodec_alloc_context3(c); + if (!st->codec) { + av_free(st->info); + av_free(st); + return NULL; + } if (s->iformat) { /* no default bitrate if decoding */ st->codec->bit_rate = 0; diff -Nru libav-11.1/libavformat/xwma.c libav-11.2/libavformat/xwma.c --- libav-11.1/libavformat/xwma.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavformat/xwma.c 2015-01-14 20:50:49.000000000 +0000 
@@ -44,7 +44,7 @@ static int xwma_read_header(AVFormatContext *s) { int64_t size; - int ret; + int ret = 0; uint32_t dpds_table_size = 0; uint32_t *dpds_table = 0; unsigned int tag; @@ -130,8 +130,10 @@ /* parse the remaining RIFF chunks */ for (;;) { - if (pb->eof_reached) - return -1; + if (pb->eof_reached) { + ret = AVERROR_INVALIDDATA; + goto fail; + } /* read next chunk tag */ tag = avio_rl32(pb); size = avio_rl32(pb); @@ -152,7 +154,8 @@ /* Error out if there is more than one dpds chunk. */ if (dpds_table) { av_log(s, AV_LOG_ERROR, "two dpds chunks present\n"); - return -1; + ret = AVERROR_INVALIDDATA; + goto fail; } /* Compute the number of entries in the dpds chunk. */ @@ -184,8 +187,10 @@ } /* Determine overall data length */ - if (size < 0) - return -1; + if (size < 0) { + ret = AVERROR_INVALIDDATA; + goto fail; + } if (!size) { xwma->data_end = INT64_MAX; } else @@ -204,7 +209,8 @@ av_log(s, AV_LOG_ERROR, "Invalid bits_per_coded_sample %d for %d channels\n", st->codec->bits_per_coded_sample, st->codec->channels); - return AVERROR_INVALIDDATA; + ret = AVERROR_INVALIDDATA; + goto fail; } st->duration = total_decoded_bytes / bytes_per_sample; @@ -239,9 +245,10 @@ st->duration = (size<<3) * st->codec->sample_rate / st->codec->bit_rate; } +fail: av_free(dpds_table); - return 0; + return ret; } static int xwma_read_packet(AVFormatContext *s, AVPacket *pkt) diff -Nru libav-11.1/libavresample/audio_mix_matrix.c libav-11.2/libavresample/audio_mix_matrix.c --- libav-11.1/libavresample/audio_mix_matrix.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavresample/audio_mix_matrix.c 2015-01-14 20:50:49.000000000 +0000 
@@ -60,7 +60,7 @@ static av_always_inline int even(uint64_t layout) { - return (!layout || (layout & (layout - 1))); + return (!layout || !!(layout & (layout - 1))); } static int sane_layout(uint64_t layout) diff -Nru libav-11.1/libavutil/opt.c libav-11.2/libavutil/opt.c --- libav-11.1/libavutil/opt.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libavutil/opt.c 2015-01-14 20:50:49.000000000 +0000 @@ -119,6 +119,8 @@ len /= 2; ptr = bin = av_malloc(len); + if (!ptr) + return AVERROR(ENOMEM); while (*val) { int a = hexchar2int(*val++); int b = hexchar2int(*val++); diff -Nru libav-11.1/libswscale/rgb2rgb_template.c libav-11.2/libswscale/rgb2rgb_template.c --- libav-11.1/libswscale/rgb2rgb_template.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libswscale/rgb2rgb_template.c 2015-01-14 20:50:49.000000000 +0000 @@ -376,9 +376,9 @@ const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = yc[0] + (uc[0] << 8) + - (yc[1] << 16) + (vc[0] << 24); + (yc[1] << 16) + ((unsigned) vc[0] << 24); uint64_t l = yc[2] + (uc[1] << 8) + - (yc[3] << 16) + (vc[1] << 24); + (yc[3] << 16) + ((unsigned) vc[1] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; @@ -440,9 +440,9 @@ const uint8_t *yc = ysrc, *uc = usrc, *vc = vsrc; for (i = 0; i < chromWidth; i += 2) { uint64_t k = uc[0] + (yc[0] << 8) + - (vc[0] << 16) + (yc[1] << 24); + (vc[0] << 16) + ((unsigned) yc[1] << 24); uint64_t l = uc[1] + (yc[2] << 8) + - (vc[1] << 16) + (yc[3] << 24); + (vc[1] << 16) + ((unsigned) yc[3] << 24); *ldst++ = k + (l << 32); yc += 4; uc += 2; diff -Nru libav-11.1/libswscale/yuv2rgb.c libav-11.2/libswscale/yuv2rgb.c --- libav-11.1/libswscale/yuv2rgb.c 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/libswscale/yuv2rgb.c 2015-01-14 20:50:49.000000000 +0000 
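Review bot: `even()` in the `@@ -60,7 +60,7 @@` hunk has no comment, and its name fits the expression only for masks of at most two bits: it returns nonzero when `layout` is zero or has more than one bit set, so an argument with three bits set also counts as even. The added `!!` does not change the result, because `||` already yields 0 or 1. A one-line comment would record the contract, for example `/* nonzero unless exactly one bit of layout is set; meant for two-bit channel-pair masks */`, assuming callers (not visible here) do pass such masks.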
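Review bot: The added NULL check in the `@@ -119,6 +119,8 @@` hunk of libavutil/opt.c may turn an empty value into an error. After `len /= 2` a `len` of 0 reaches `av_malloc(len)`, and if this tree's `av_malloc` returns NULL for a zero-size request (not visible here, worth confirming), the setter now fails with ENOMEM where it presumably used to store an empty buffer. Guarding on the length keeps that case working: `if (len && !ptr) return AVERROR(ENOMEM);`. The enclosing function starts and ends outside the hunk, so how `len` is derived and what happens to `bin` afterwards are assumed from the visible lines only.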
@@ -736,9 +736,13 @@ av_free(c->yuvTable); +#define ALLOC_YUV_TABLE(x) \ + c->yuvTable = av_malloc(x); \ + if (!c->yuvTable) \ + return AVERROR(ENOMEM); switch (bpp) { case 1: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -753,7 +757,7 @@ rbase = isRgb ? 3 : 0; gbase = 1; bbase = isRgb ? 0 : 3; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 110; i++) { @@ -772,7 +776,7 @@ rbase = isRgb ? 5 : 0; gbase = isRgb ? 2 : 3; bbase = isRgb ? 0 : 6; - c->yuvTable = av_malloc(1024 * 3); + ALLOC_YUV_TABLE(1024 * 3); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024 - 38; i++) { @@ -791,7 +795,7 @@ rbase = isRgb ? 8 : 0; gbase = 4; bbase = isRgb ? 0 : 8; - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -814,7 +818,7 @@ rbase = isRgb ? bpp - 5 : 0; gbase = 5; bbase = isRgb ? 0 : (bpp - 5); - c->yuvTable = av_malloc(1024 * 3 * 2); + ALLOC_YUV_TABLE(1024 * 3 * 2); y_table16 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -834,7 +838,7 @@ break; case 24: case 48: - c->yuvTable = av_malloc(1024); + ALLOC_YUV_TABLE(1024); y_table = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { @@ -855,7 +859,7 @@ needAlpha = CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat); if (!needAlpha) abase = (base + 24) & 31; - c->yuvTable = av_malloc(1024 * 3 * 4); + ALLOC_YUV_TABLE(1024 * 3 * 4); y_table32 = c->yuvTable; yb = -(384 << 16) - oy; for (i = 0; i < 1024; i++) { diff -Nru libav-11.1/RELEASE libav-11.2/RELEASE --- libav-11.1/RELEASE 2014-12-02 02:43:07.000000000 +0000 +++ libav-11.2/RELEASE 2015-01-14 20:50:49.000000000 +0000 
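Review bot: `ALLOC_YUV_TABLE` in the `@@ -736,9 +736,13 @@` hunk expands to two statements and hides a `return`, so it behaves as written only when used as a full statement inside a braced body, as in the `case` bodies of the later hunks. Wrapping it keeps it safe under an unbraced `if`: `#define ALLOC_YUV_TABLE(x) do { c->yuvTable = av_malloc(x); if (!c->yuvTable) return AVERROR(ENOMEM); } while (0)`, and an `#undef ALLOC_YUV_TABLE` after the switch would keep it out of the rest of the file. Separately, the context line `av_free(c->yuvTable);` leaves the old pointer in place until the next assignment, so an exit from the switch that does not allocate (a `default:` branch, if one exists outside the hunks) would return with a stale pointer that a later free could hit again; `av_freep(&c->yuvTable);` avoids that.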
@@ -1 +1 @@
-11.1
+11.2
diff -Nru libav-11.1/VERSION libav-11.2/VERSION
--- libav-11.1/VERSION 2014-12-02 02:43:07.000000000 +0000
+++ libav-11.2/VERSION 2015-01-14 20:50:49.000000000 +0000
@@ -1 +1 @@
-11.1
+11.2