git.ffmpeg.org Git - ffmpeg.git/log

avcodec/nvdec: reset bitstream_len/nb_slices when resetting bitstream pointer

avcodec/vdpau_mpeg4: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/vdpau_mpeg12: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/nvdec_mpeg4: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

avcodec/nvdec_mpeg2: fix order of quant matrix coefficients

The matrix coefficients are stored permutated for the IDCT,
rather then in plain raster order, and need to be un-permutated
for the hardware.

swscale: aarch64: Fix yuv2rgb with negative strides

Treat the 32 bit stride registers as signed.

Alternatively, we could make the stride arguments ptrdiff_t instead
of int, and changing all of the assembly to operate on these
registers with their full 64 bit width, but that's a much larger
and more intrusive change (and risks missing some operation, which
would clamp the intermediates to 32 bit still).

Fixes: https://trac.ffmpeg.org/ticket/9985

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit cb803a0072cb98945dcd3f1660bd2a975650ce42)
Signed-off-by: Martin Storsjö <martin@martin.st>

configure: extend SDL check to accept all 2.x versions

sdl2 recently changed their versioning, moving the patch level to minor level
https://github.com/libsdl-org/SDL/commit/cd7c2f1de7d9e418bb554047d714dd7cacc020ff
and have said that they will instead ship sdl3.pc for 3.0.0

Fixes ticket 9768

Signed-off-by: Christopher Degawa <ccom@randomderp.com>
Signed-off-by: Gyan Doshi <ffmpeg@gyani.pro>

configure: Add missing libshine->mpegaudioheader dependency

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit e228d7b0db7d6cb02a73bee6d3bf4f6ecf92d0bf)

avcodec/cuviddec: backport extradata fixes

avcodec/cuviddec: handle arbitrarily sized extradata

lavf/tls_gnutls: check for interrupt inside handshake loop

fixes #8080

Signed-off-by: Błażej Szczygieł <spaz16@wp.pl>
(cherry picked from commit 561ba15c973120c9565a8f75a7439f3e8a10e04d)

lavf/tls_gnutls: retry gnutls_handshake on non fatal errors

fixes #7801

Signed-off-by: Remita Amine <remitamine@gmail.com>
(cherry picked from commit bc1749c6e46099ec85110361dbe6f7994a63040d)

avformat/tls_schannel: immediately return decrypted data if available

Until now, we would have only attempted to utilize already decrypted
data if it was enough to fill the size of buffer requested, that could
very well be up to 32 kilobytes.

With keep-alive connections this would just lead to recv blocking
until rw_timeout had been reached, as the connection would not be
officially closed after each transfer. This would also lead to a
loop, as such timed out I/O request would just be attempted again.

By just returning the available decrypted data, keep-alive based
connectivity such as HLS playback is fixed with schannel.

(cherry picked from commit 6f8826e4aaddf1ee6cf3f333ed0e392a748382fe)

avformat/tls_schannel: always decrypt all received data

The dec_buf seems to be properly managed between read calls,
and we have no logic to decrypt before attempting socket I/O.
Thus - until now - such data would not be decrypted in case of
connections such as HTTP keep-alive, as the recv call would
always get executed first, block until rw_timeout, and then get
retried by retry_transfer_wrapper.

Thus - if data is received - decrypt all of it right away. This way
it is available for the following requests in case they can be
satisfied with it.

(cherry picked from commit 39977fff20048f1798a95c593d6034a0e73ebbe5)

avformat/tls_schannel: Fix use of uninitialized variable

Fixes: runtime error: passing uninitialized value to FreeContextBuffer
causes a crash

Signed-off-by: Paweł Wegner <pawel.wegner95@gmail.com>
(cherry picked from commit 85c00643b763bc62f3a15c19df44c3f1312bfe81)

Changelog: update

avcodec/dstdec: Replace AC overread check by sample rate check

Real files do skip coding 0 bits at the end, thus this kind of check
does not work reliable.

Fixes: Ticket 8770
Fixes: dst-256fs44-6ch-refdstencoder.dff

The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed
values, this also can be used to limit the duration and avoid the timeout

This reverts commit f6df99dba1ae64b05d08fba8160d13eb9795042f.

(cherry picked from commit 1679f23beb3cfc3639352b3cbe7c08c00189c6b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input

The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit
is so big that it extends beyond the end of the input packet; it does so
only implicitly by using the checked version of the bytestream2 API.
But this has downsides compared to real checks: It can lead to huge
allocations (up to 2GiB) even when the input packet is just a few bytes.
And furthermore it leads to uninitialized data being output.
So add a check to error out early if it happens.

Also check directly whether there is enough data for the length field.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ea1b71e82f5a1752d59d3bfb9704092a79eba6b5)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

lavf/webm_chunk: Fix NULL dereference

The earlier version of the webm_chunk muxer had several bugs:

1. If the first packet of an audio stream didn't have a PTS of zero,
then no chunk will be started before a packet is delivered to the
underlying Matroska/WebM muxer, i.e. the AVFormatContext used to write
these packets had a NULL as AVIOContext for output. This is behind the
crash in ticket #5752.

2. If an error happens during writing a packet, the underlyimg
Matroska/WebM muxer context is freed. This leads to a use-after-free
coupled with a double-free in webm_chunk_write_trailer (which supposes
that the underlying AVFormatContext is still valid).

3. Even when no error occurs at all, webm_chunk_write_trailer is still
buggy: After the underlying Matroska/WebM muxer has written its trailer,
ending the chunk implicitly flushes it again which is illegal at this
point.

These bugs have been fixed.

Fixes #5752.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 8c6ee7626bcce7c270360f33b60dc7ef99939fc3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/ttaenc: Fix undefined shift

ttaenc contained (1 << unary) - 1 as an argument for a function
expecting an unsigned int. unary can be as big as 31 in this case.
The type of the shift and the whole expression is int, because 1 fits
into an integer, so that the behaviour is undefined if unary == 31
as the result of the shift can't be represented in an int §. Subtraction
by 1 (which makes the result of the whole expression representable in
an int) doesn't change that this is undefined (it usually leads to
signed integer overflow which is undefined, too).

The solution is simple: Make 1 unsigned to change the type of the
whole expression to unsigned int (as the function expects anyway).

Fixes ticket #8153.

§: This of course presupposes the common int range of -2^31..2^31-1

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ab488a5407f833ecc66e8fa4c537dc4852db720)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

fftools/ffmpeg: Free swresample dictionary during cleanup

Freeing this was forgotten in ad899522.

Fixes #8315 and #8316.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f2a3958cfac135c60b509a61a4fd39432d8f9a9)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avfilter/vf_xbr: Fix left shift of negative number

Affected every usage of vf_xbr, e.g. the FATE-tests filter-2xbr,
filter-3xbr, filter-4xbr.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4294dc3589a3ab973b10a85b576ff15e3ffb000d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avfilter/vf_hqx: Fix undefined left shifts of negative numbers

Affected every usage of this filter; in particular, it affected the
FATE-tests filter-2xbr, filter-3xbr and filter-4xbr.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa211943265ca991548a4cc2f85a6df9cedcd092)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/jpeg2000dwt: Fix undefined shifts of negative numbers

Affected the vsynth*-jpeg2000 and the vsynth*-jpeg2000-97 FATE tests
(where * ranges over { 1, 2, 3, _lena }) as well as ticket #7983.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5cf593adcd79a7c9502dc2725e1f0681ada36aef)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/ituh263dec: Fix undefined left shift of negative number

Fixes ticket #8160.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 324487b596fbcda0a5753c7bb7b2e96e9d512479)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/dnxhdenc: Fix undefined left shifts of negative numbers

Affected 61 FATE-tests: 60 vsynth tests and lavf-mxf_opatom.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7f156e8cbdf3256c7860c62ebb7a6c3002cbb03)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

swscale/utils: Fix invalid left shifts of negative numbers

Affected the FATE-tests vsynth_lena-dv-411, vsynth1-dv-411,
vsynth2-dv-411 and hevc-paramchange-yuv420p.yuv420p10.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e2646e23be69bdef1e41d4decee1a4298701b8d1)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

swscale/x86/swscale: Fix undefined left shifts of negative numbers

This affected many FATE-tests: The number of failing tests went down
from 663 to 344. (Both numbers exclude tests that failed because of
unaligned accesses in code that is inside #if HAVE_FAST_UNALIGNED.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 736c7c20e7819811dc59f43490563789b192eb6e)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/exr: Fix undefined left shifts of negative numbers

Affected the FATE-tests exr-rgb-scanline-pxr24-half-uint32-13x9 and
exr-rgb-scanline-pxr24-uint32.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b0f949906116c40b6f1e55a1bce4447ada3219c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/movenc: Fix undefined shift

Fixes the movenc FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 646799b42fd59ee79920e472795bf881b78bb5ce)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/pcm: Fix undefined shifts

Fixes the acodec-pcm-u16[lb]e FATE-tests.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 69473bec6f38fefc9a433d95f8e00de101299592)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/wavpackenc: Fix undefined shifts

Fixes ticket #8161 and the acodec-wavpack FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 84974c6fb542cf019904016c2165d9a62db9f312)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/ac3enc: Fix invalid shift

Fixes the FATE-tests unknown_layout-ac3, ac3-fixed-encode, ac3-encode
and eac3-encode. It furthermore fixes the ac3-encoder bugs mentioned in
tickets #7994, #8144 and #8159.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f289ec914cc7e8133858d4f9e8d91dab685ae44)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/tdsc: Fix undefined shifts

Fixes the tdsc FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 86bef10e7aee338a4df60c57904c16e33509e76e)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

fftools/ffmpeg_opt: Fix signed integer overflow

Fixes ticket #8154.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b1fcba8ddcb7d29299ea28403fb597640a7288b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mov: Fix reel_name size check

Only read str_size bytes from offset 30 of extradata if the extradata is
indeed at least 30 + str_size bytes long.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ff3fad6b0edb13dd664403b01bc00309f035b110)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mov: Fix memleak upon encountering repeating tags

mov_read_custom tries to read three strings belonging to three different
tags. When an already encountered tag is encountered again, a new buffer
for the string to be read is allocated and stored in the pointer
destined for this particular tag. But in this scenario, said pointer
already holds the address of the string read earlier, leading to a leak.

This commit therefore aborts the reading process upon encountering
an already encountered tag.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit dfef1d5e3cd4dfead84416a01e6c9ff0da50b34d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskaenc: Don't use NULL for %s format string

The argument pertaining to a printf %s conversion specifier must not
be NULL, even if the precision (i.e. the number of characters to write)
is zero. If it is NULL, it is undefined behaviour.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 6de6ce7bc80e874099895b6c73977bc2efb06a4d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/webvttdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c784fe8b867e42a1c8d2c48d7046e3e0cce7ec31)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/vplayerdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 67434afa7fcb2b411b10a4d09fb30cd3a5907c2c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/tedcaptionsdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if allocating the AVStream for the subtitles fails.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 337783b118d4cc265759c103b672dd5d5d3e7cb8)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/subviewerdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a708f652737eba08607df84394ca4bec6b458736)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/subviewer1dec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9751d7515222c7b58d0c6fb31aec6e0464c0f338)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/stldec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit e13874b9eae4e156ca1c478e6d59d3461bbdc09f)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/srtdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c70409957c7332971f0e147729d769f6d2f95390)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/sccdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3c63e67bb00fa7d96595203d01a576df651e275)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/samidec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or when creating extradata.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f161f8e4ad10c8ae5b2e97870e09bc6a421408eb)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/pjsdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9df560e8986640e20c62286f0baee2a80540accd)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mpsubdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon creating an AVStream.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a5ed8aeea4f4199e89520c3fdbd9d07ae7fc3c3f)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mpl2dec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 331799747e7e995710f5dfc4d413cda35eb01289)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/microdvddec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or when allocating extradata.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit b12014a5b861959fd41a32ba3ff4cb139c56efcd)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/lrcdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d38694cea9f289b3f9dcce1a2f07746d029b35f3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/jacosubdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c13a752733a9af955b032c55f704b748fe37dd19)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/assdec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle
or if creating the extradata failed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 5ab39c2d8c1e5e00b48d758eee7d5ae435a99ef7)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/aqtitledec: Fix memleak upon read header failure

The already parsed subtitles (contained in an FFDemuxSubtitlesQueue)
would leak if an error happened upon reading a subsequent subtitle.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a86a5d06d8967d01964833456df1df9fc186f125)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mov: Fix memleaks upon read_header failure

By default, a demuxer's read_close function is not called automatically
if an error happens when reading the header; instead it is up to the
demuxer to clean up after itself in this case. The mov demuxer did this
by calling its read_close function when it encountered some errors when
reading the header. Yet for other errors (mostly adding side-data to
streams) this has been forgotten, so that all the internal structures
of the demuxer leak.

This commit fixes this by making sure mov_read_close is called when
necessary.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ac378c535be907ee383dafb430be7216a2920982)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/omadec: Fix memleaks upon read_header failure

Fixes possible leaks of id3v2 metadata as well as an AVDES struct in
case the content is encrypted and an error happens lateron.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3d3ba43bc68ca90fe72d0fc390c9e5f5c7de1513)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Fix memleaks in WebM DASH manifest demuxer

In certain error scenarios, the underlying Matroska demuxer was not
properly closed, causing leaks.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 0841063ce6a2e664fb3986b0a255c57392cd9f02)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Use right number of tracks

When demuxing a Matroska/WebM file, streams are added for tracks and for
attachments, so that the array containing the former can be NULL even
when the corresponding AVFormatContext has streams. So check for there
to be tracks in the MatroskaDemuxContext instead of just streams in the
AVFormatContext before dereferencing the pointer to the tracks.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 1ef30571a0a7150cb20c580bfc52af2a7101c20d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Fix handling gigantic durations

matroska_parse_block currently asserts that the duration is not equal to
AV_NOPTS_VALUE, but there is nothing that actually guarantees this. It
is easy to create (spec-compliant) files which run into this assert;
so replace it and instead cap the duration to INT64_MAX, as the duration
field of an AVPacket is an int64_t.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3714d452b894821591a2fbafdd1b8ef15abe4be6)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/cinepakenc: Fix invalid shifts

Fixes: left shift of 1 by 31 places cannot be represented in type 'int'.
Affected the FATE-tests vsynth1-cinepak, vsynth2-cinepak and
vsynth_lena-cinepak. Also fixes ticket #8220.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e3650dcfc9cde6ceccf7bbc225962da196e2a386)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/cbs_h2645: Fix potential out-of-bounds array access

The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet
the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice,
as parameter sets with invalid ids were already filtered out during
reading.

Found via PVS-Studio (see ticket #8156).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3333c3c67e8825a4468120bb8aa0943c72c03f3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

h264_redundant_pps: Fix memleak in case of errors

Now the fragment is uninitialized and the input packet freed in case of
errors.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
Signed-off-by: Mark Thompson <sw@jkqxz.net>
(cherry picked from commit 40b74abfca39bf514333c3ebb6d6e946975057c3)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/aviobuf: Don't check for overflow after it happened

If adding two ints overflows, it doesn't matter whether the result will
be stored in an unsigned or not; and checking afterwards does not make it
retroactively defined.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 28a078eded1c29985ed078b59d48ff59cf00394b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskaenc: Fix memleak upon encountering bogus chapter

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cb255b616cf1ebc6bc89b3538b6b7465dc2c526b)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

fftools/ffmpeg_opt: Check attachment filesize

The data of an attachment file is put into an AVCodecParameter's
extradata. The corresponding size field has type int, yet there was no
check for the size to fit into an int. As a consequence, it was possible
to create extradata with negative size (by using a big enough max_alloc).

Other errors were also possible: If SIZE_MAX < INT64_MAX (e.g. on 32bit
systems) then the file size might be truncated before the allocation;
and avio_read() takes an int, too, so one would not have read as much
as one desired.

Furthermore, the extradata is now padded as is required.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 889ad93c8839e5ac1ec28bc8e1fea6df71b9bf80)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/webmdashenc: Check codec types

The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus,
but there was no check for this. The codec type is used to get a pointer
to a string containing the codec name or NULL if it is not one of those
four codecs. Said pointer has then been used without further checks as
string for the %s conversion specifier in an avio_printf()) call which
is undefined behaviour.

This commit adds a check for the supported codec types.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cbea58b2b35c6409e062c929f0b2ab763b8661eb)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/avidec: Fix memleak with embedded GAB2 subtitles

The code for GAB2 subtitles predates refcounting AVPackets. So in order
to transfer the ownership of a packet's data pkt->data was simply stored
and the packet zeroed; in the end (i.e. in the read_close-function) this
data was then simply freed with av_freep(). This of course leads to a leak
of an AVBufferRef and an AVBuffer. It has been fixed by keeping and
eventually unreferencing the packet's buf instead.

Additionally, the packet is now reset via av_packet_unref().

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit da44bbefaabeb2fdb58a03fe533a44aa150486fc)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/webmdashenc: Fix memleak upon realloc failure

The classical ptr = av_realloc(ptr, size).

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 418e468699868a0265f8b439beedf64bb643b088)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Don't discard the upper 32bits of TrackNumber

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ba36a077342c01faa3f3deb841e8cdcc1379ea3d)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/hnm: Check for extradata allocation failure

and also add padding to it; moreover, don't use memcpy to write one byte
to extradata.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e0f3352d1f37a739d98df4347a2b60a396a56fe)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/subtitles: Don't increment packet counter prematurely

Do it only if the packet has been successfully allocated in
av_new_packet() -- otherwise on error a completely uninitialized packet
would be unreferenced later.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6bd8bcc2ac4c64577d964552317989e61db794d8)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/bethsoftvid: Fix potential memleak upon reallocation failure

The classical ptr = av_realloc(ptr, size), just with av_fast_realloc().

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5acef1206144554a48f699b421e8d739e752d8ab)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/smoothstreaming: Fix memleaks on errors

If an AVFormatContext could be allocated, but white-/blacklists couldn't
be copied, the AVFormatContext would leak as it was only accessible
through a local variable that goes out of scope when one goes to fail.

Furthermore, in case writing a header of a submuxer failed, the options
used for said call could leak.

Both of these memleaks have been fixed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abbb466368c51285ca27d5e3959a16a9591e9a4c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskaenc: Check BlockAdditional size before use

Don't read a 64bit number before having checked that the data is at
least 8 bytes long.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e9cc964293bf1e0cca6a52b2938a20d711e4146)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/utils: Fix memleaks in avformat_open_input()

A demuxer might have allocated memory while reading the header. If
reading the header was successfull and an error happens before returning
(e.g. when queueing the attached pictures), the read_close function
would have never been called, so that all those allocations would leak.
This commit changes this.

Furthermore, there would be even more memleaks if the error level was
set to AV_EF_EXPLODE in case there is both metadata and id3v2 metadata.
This has been fixed, too.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit e2307f4ff197646a7feee0edbcdd2d3262932676)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/cavsdsp: Fix undefined left shifts of negative numbers

Affected the ffmpeg-filter_colorkey FATE-test (but only if the C version
of idct8_add is used and not e.g. the x86 SSE2 version).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Fixes: left shift of negative value -107
Fixes: 20398/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5725389278412800

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f0f2ab0c3b3d04e904db97b07ae829c72c91778)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mov: Don't leak MOVFragmentStreamInfo on error

Fixes Coverity issue #1441933.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 43f58f2354bfab3819e44c1a97b0af75cc091226)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/hevc: Fix potential leak in case of ff_hevc_annexb2mp4_buf failure

ff_hevc_annexb2mp4_buf() could indicate an error, yet leave cleaning
after itself to the caller, so that a caller could not simply return the
error, but had to free the buffer first.

(Given that all current callers have set filter_ps = 0, this error can
currently not be triggered.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 680cd59bb21c7bce92789ff885c018207b0b90bc)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskaenc: Check for reformatting errors

This is needed especially for AV1: If a reformatting error happens (e.g.
if the length field of an OBU contained in the current packet indicates
that said OBU extends beyond the current packet), the data pointer is
still NULL, yet the size is unchanged, so that writing the data leads
to a segmentation fault.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 58428bef4b2c053f47dce35157fb96833ba8efea)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/ra144enc: Fix invalid left shift of negative number

by replacing it with a multiplication. Said multiplication can't
overflow an int32_t because lpc_coefs is limited to 16 bit precision.

Fixes the FACE-test acodec-ra144 as well as part of #8217.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e3fb9af6f1353f30855eaa1cbd5befaf06e303b8)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/adxenc: Avoid undefined left shift of negative numbers

Replace "((a << shift) + b) >> shift" by "a + (b >> shift)". This avoids
a left shift which also happens to trigger undefined behaviour in case "a"
is negative. This affected the FATE-tests acodec-adpcm-adx and
acodec-adpcm-adx-trellis; it also fixes ticket #8008.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59a9d65e0d790821f88527a82569f56eb2f8a9be)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/adpcm: Fix undefined left shifts of negative numbers

Affected the adpcm-afc, adpcm-ea-1, adpcm-ea-2, adpcm-ea-maxis-xa,
adpcm-thp and ea-cdata FATE-tests. Also fixes ticket #8487.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ad8af51b7c0a968ac3fd62964780d4ff9136c5a)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/segafilmenc: Fix undefined left shift of 1 by 31 places

by changing the type to unsigned.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ae026d74f599b2d00b91798af1c1067a879007c)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/proresenc_anatoliy: Fix invalid left shift of negative number

This fixes ticket #7997 as well as the vsynth*-prores_# FATE-tests
(where * ranges over { 1, 2, 3, _lena } and # over { , _int, _444,
_444_int }).

(Given that prev_dc is in the range -0xC000..0x3FFF, no overflow can
happen upon multiplication with 2.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 198081efb7c7343349f0a7acc836f001c511e990)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/wtvdec: Fix memleak when reading header fails

Fixes #8314.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 373c1c9b691fd4c6831b3a114a006b639304c2af)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/fitsdec: Fix potential leak of string in AVBPrint

by freeing it a bit earlier.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bb20f3dd730689c3a99f7820cff8b74b06992fff)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Fix use-after-free when demuxing ProRes

ProRes in Matroska is supposed to not contain the first atom header
(containing a size field and the tag "icpf") and therefore the Matroska
demuxer has to recreate it; this involves an allocation and copy, of
course. Whether the old buffer (containing the data without the atom
header) needs to be freed or not depends upon whether it is what was
directly read (in which case it is owned by an AVBuffer) or whether it
has been allocated when reversing the track's content compression (e.g.
zlib compression) that Matroska supports.

So there are three pointers involved: The one pointing to the directly
read data (owned by the AVBuffer), the one pointing to the currently
valid data (which coincides with the former if no content compression
needed to be reverted) and the one pointing to the new data with the
first atom header. The check for whether to free the second of these is
simply whether the first two are different.

This works mostly, but there is a complication: Some muxers don't strip
the first atom header away and in this case, it is also not reinserted
and no new buffer is allocated; instead, the second and the third
pointers agree. In this case, one must never free the second buffer.
Yet it is currently done if the track is e.g. zlib compressed.
This commit fixes this.

This is a regression since b8e75a2a.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit af50f0a515d8096fece9776e2d3034fe990a1373)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/matroskadec: Fix demuxing ProRes

The structure of a ProRes frame in mov/mp4 is that of a typical atom:
First a 32 bit BE size field, then a tag detailling the content. Said
size field includes the eight bytes of the atom header.

This header is actually redundant, as the size of the atom is already
known from the containing atom. It is therefore stripped away when muxed
into Matroska and so the Matroska demuxer has to recreate upon demuxing.
But it did not account for the fact that the size field includes the
size of the header and this can lead to problems when a decoder uses the
in-band size field.

Fixes ticket #8210.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 581419ea39de6619c3389b8d10ac2cbe212c62a0)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avcodec/bitstream: Don't check for undefined behaviour after it happened

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 5e196dac22cc510db104922f99626a03b453ef4a)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

avformat/mov: fix memleaks

Fix two cases of memleaks:
1. The leak of dv_demux
2. The leak of dv_fctx upon dv_demux allocate failure

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3dc38a186b2326ce03e50969897ea703817ddb0)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

libavformat/mov: Fix memleaks when demuxing DV audio

The code for demuxing DV audio predates the introduction of refcounted
packets and when the latter was added, changes to the former were
forgotten. This meant that when avpriv_dv_produce_packet initialized the
packet containing the AVBufferRef, the AVBufferRef as well as the
underlying AVBuffer leaked; the actual packet data didn't leak: They
were directly freed, but not via their AVBuffer's free function.

https://samples.ffmpeg.org/ffmpeg-bugs/trac/ticket4671/dir1.tar.bz2
contains samples for this (enable_drefs needs to be enabled for them).

Moreover, errors in avpriv_dv_produce_packet were ignored; this has been
changed, too.

Furthermore, in the hypothetical scenario that the track has a palette,
this would leak, too, so reorder the code so that the palette code
appears after the DV audio code.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 61f5c6ab06fc61e0f9f8f8dab5595b8bb202df73)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>

Update for 4.0.6

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/utils: reorder duration computation to avoid overflow

Fixes: signed integer overflow: 8 * 9223372036854774783 cannot be represented in type 'long'
Fixes: 23381/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4818340509122560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10cc82c35baabbb07ffec3faccb04d8928c39e4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/pngdec: Check for fctl after idat

Fixes: out of array access
Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65b1ba680fb67902a9c876a49d0146eaae5a1c3d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/hls: Pass a copy of the URL for probing

The segments / url can be modified by the io read when reloading

This may be an alternative or additional fix for Ticket8673
as a further alternative the reload stuff could be disabled during
probing

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5e39880fb7269b1b3577cee288e06aa3dc1dfa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/hls: check segment duration value of EXTINF

fix ticket: 8673
set the default EXTINF duration to 1ms if duration is smaller than 1ms

Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
(cherry picked from commit 9dfb19baeb86a8bb02c53a441682c6e9a6e104cc)

avutil/common: Fix integer overflow in av_ceil_log2_c()

Fixes: left shift of 1913647649 by 1 places cannot be represented in type 'int'
Fixes: 23572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5082619795734528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e409262837712016097c187e97bf99aadf6a4cdf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms

Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int'
Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 21598d711d894081d0566282473044ba4f378f33)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avformat/mvdec: Fix integer overflow with billions of channels

Fixes: signed integer overflow: 1394614304 * 2 cannot be represented in type 'int'
Fixes: 23491/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5697377020411904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b6fbbe08c325415cc784df296058beb6604f0b9c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>