James Almer [Fri, 27 Feb 2026 13:41:31 +0000 (10:41 -0300)]
avformat/mov: fix cases where we discard iamf packets from enabled streams
Given the entire iamf struct is inside a single Track, if the first iamf stream
(which is the one sharing the index and id from the Track) was to be disabled,
then packets from every iamf stream would be discarded.
Fix this by actually going through the entire iamf Sample and discarding those
from the disabled streams only.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16ee3d8d99a2f2e83a2559e958e19ede813b29f8)
James Almer [Fri, 27 Feb 2026 13:38:14 +0000 (10:38 -0300)]
avformat/mov: fix setting iamf stream id offsets
If we were to add the highest id of a non iamf stream as offset to iamf stream
ids, and one of the latter was 0, then an id overlap would occur.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51aef95ba156b7848eca5445f0f59b091c3b1004)
Andreas Rheinhardt [Thu, 4 Dec 2025 17:42:02 +0000 (18:42 +0100)]
avcodec/tableprint_vlc: Unbreak hardcoded tables
Forgotten in d8ffec5bf9a2803f55cc0822a97b7815f24bee83.
Fixes issue #21102 (and part of #21694).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 1d47ae65bf6df91246cbe25c997b25947f7a4d1d)
Martin Storsjö [Wed, 3 Dec 2025 21:36:45 +0000 (21:36 +0000)]
tests: Fix fate-run.sh to handle busybox-w32 absolute paths
Busybox-w32 uses regular Windows style paths with drive letters,
but with forward slashes; thus an absolute path starts with "c:/".
Make the target_path() function in fate-run.sh (which converts a
potentially relative path to an absolute one, under the target_path
prefix) handle this case.
With this in place, running fate tests almost works in
busybox-w32 - only one issue remains. A patch [1] has been sent to
upstream busybox for fixing that issue (which also is present if
running fate tests on busybox on Linux), but it hasn't been
responded to yet.
[1] https://lists.busybox.net/pipermail/busybox/2025-December/091851.html
(cherry picked from commit 06a17fdafcb3c3cd91f85b3685768d522c52286d)
Martin Storsjö [Wed, 3 Dec 2025 21:10:25 +0000 (21:10 +0000)]
configure: Recognize uname "Windows_NT" as using an .exe suffix
Busybox-w32 [1] works for building ffmpeg on Windows (as an
alternative to msys2, cygwin or WSL).
On busybox-w32, "uname" returns "Windows_NT"; recognize this
in exesuf() as having an .exe suffix.
If building in this environment with a mingw toolchain, one has
to explicitly set --target-os=mingw32. (We probably don't
want to imply that this uname, set as target_os_default, would
default to mingw?) But despite what is set with --target-os,
one can't override the configure variable "host_os", which
exesuf() has to recognize.
[1] https://github.com/rmyorston/busybox-w32
(cherry picked from commit 6149ceadebecc357f350a6979174dbd24f5dca28)
Andreas Rheinhardt [Mon, 2 Feb 2026 22:06:57 +0000 (23:06 +0100)]
avformat/tests/movenc: Make objects static
(This also fixes a symbol name collision with libssh,
which has a nonstatic function called md5.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 836d34e3bab29cf7e962a1e9360329d9e52f7a4b)
Christopher Degawa [Wed, 21 Jan 2026 06:12:59 +0000 (00:12 -0600)]
avcodec/libsvtav1: rename aq_mode for v4.0.0
Signed-off-by: Christopher Degawa <ccom@randomderp.com>
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Fri, 20 Dec 2024 15:57:48 +0000 (12:57 -0300)]
avformat/mov: add an offset to IAMF streams
Using audio_substream_id for AVStream ids is not ideal given that in containers
like mp4, the IAMF structure is opaque to the outside and other streams may
share such id values.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a8f23745074acd8a1934e3653caebd5a0ba05c6f)
James Almer [Sat, 10 Jan 2026 18:48:46 +0000 (15:48 -0300)]
avfilter/vf_lcevc: attach a reference to the source frame to each passed in base picture
And free them once they are guaranteed to be no longer needed, instead of freeing them
when returned with an enhanced output.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit af136db1c3c5d72c4a71cedaf7b06d2f8ae3819e)
James Almer [Mon, 25 Aug 2025 13:36:26 +0000 (10:36 -0300)]
avfilter/vf_lcevc: support LCEVCdec version 4
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Wed, 7 Jan 2026 15:16:27 +0000 (12:16 -0300)]
avcodec/lcevc: attach a reference to the source frame to each passed in base picture
This way we can ensure a frame reference will always exist for as long as the
external library needs the base picture.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 188521c7ad9e2a82d913770c3102593ebcd3454d)
James Almer [Tue, 23 Dec 2025 00:56:09 +0000 (21:56 -0300)]
avcodec/lcevcdec: free pictures on error
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit fe1dae1e1857ebda9624f4be3f93f447097ae942)
James Almer [Tue, 23 Dec 2025 00:54:43 +0000 (21:54 -0300)]
avcodec/lcevcdec: fix input dimensions for the base picture
Fixes crashes with some samples.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 4f86ebfe940cd11de8f5ccf39e2b45da8354269d)
James Almer [Tue, 23 Dec 2025 00:53:47 +0000 (21:53 -0300)]
avcodec/lcevcdec: avoid copying the input frame
Based on the lcevc filter implementation.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b392d75cf72cca90b5476e0c1b2e0876f3aff4ab)
Andreas Rheinhardt [Sun, 2 Nov 2025 15:50:36 +0000 (16:50 +0100)]
avcodec/decode: Optimize lcevc away if disabled
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 8e90f150ebccf3f30fe139245b7d22fd6f1ee4a9)
Andreas Rheinhardt [Sun, 2 Nov 2025 15:00:06 +0000 (16:00 +0100)]
avcodec/decode: Put lcevc fields into structure of their own
Makes it easier to see that width and height in DecodeContext is
actually a lcevc field.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 2786e5a9ad32920fccee9352161e81c8e733563b)
Andreas Rheinhardt [Sun, 2 Nov 2025 14:29:59 +0000 (15:29 +0100)]
avcodec/decode: Don't allocate LCEVC context for non-video
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 182b9c7a4a7117371d51caa917f26162db53cc56)
James Almer [Mon, 25 Aug 2025 13:36:10 +0000 (10:36 -0300)]
avcodec/lcevcdec: support LCEVCdec version 4
Signed-off-by: James Almer <jamrial@gmail.com>
Timo Rothenpieler [Fri, 2 Jan 2026 19:00:45 +0000 (20:00 +0100)]
forgejo: backport CI job names
Timo Rothenpieler [Wed, 31 Dec 2025 02:41:21 +0000 (03:41 +0100)]
avformat/img2dec: reject input images too big to fit into a single packet
Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.
Fixes #YWH-PGM40646-32
(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)
James Almer [Sat, 27 Dec 2025 22:11:07 +0000 (19:11 -0300)]
avformat/iamf_writer: check that stream count is consistent for ambisonic Audio Elements
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a0fc454871c116d5bd1bbec5138dfe3ffcb1f11d)
James Almer [Sat, 27 Dec 2025 21:06:32 +0000 (18:06 -0300)]
avformat/iamf_writer: fix writing some ambisonics fields in Audio Elements
The fields are defined as 8 bit long unsigned ints. Fortunately, writing most sane values
as leb is equivalent, which is why no tests are affected.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 21ff60d2cf7dfe00400ffef6a8843736f4cf9a2f)
James Almer [Sat, 27 Dec 2025 20:08:30 +0000 (17:08 -0300)]
avformat/iamf_parse: fix setting denominator in AVIAMFLayer.demixing_matrix
The format of demixing_matrix is Q15 fixed point values.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 03a981445ee89a567e5a98ec88cbbbb8d3e3af72)
Jan Ekström [Thu, 11 Dec 2025 20:11:07 +0000 (22:11 +0200)]
fate/ffmpeg: remove comparison against ref from fix_sub_duration_heartbeat
After the full ffmpeg CLI multithreading changes went in, this
test started depending on how far the input side read and decoded
the input compared to how quickly the output encoded things, causing
spurious failures on the CI.
To my knowledge all of the failures have so far been valid correct
results, but unfortunately FATE's built in checks mostly consist of
whether there is a difference against an exact result.
This way we still get the CI and valgrind running of the code,
but stop its comparison. Reference file is left around so that
the previous reference is still available.
(cherry picked from commit e54bd7065d024bd3925f80533eae10ef88a5cced)
Neal Gompa [Fri, 21 Nov 2025 11:16:50 +0000 (06:16 -0500)]
configure: Lower libdvdnav and libdvdread minimum versions for EL9
Red Hat Enterprise Linux 9 is one patch version lower than what
FFmpeg currently requests. The slightly older versions still result
in a working build of FFmpeg with DVD support, so allow those
versions to be consumed to build FFmpeg.
(cherry picked from commit 069d465895)
Signed-off-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
Marvin Scholz [Fri, 22 Aug 2025 19:41:26 +0000 (21:41 +0200)]
avformat/rtsp: fix leading space in RTSP reason
When parsing the RTSP message reason, the whole remainder
after parsing the status code was used, which would lead to
a leading space in the parsed reason string.
(cherry picked from commit e63e040f0cef2d6af2fb57aefa6250fc450fa049)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
Marvin Scholz [Fri, 22 Aug 2025 14:50:34 +0000 (16:50 +0200)]
avformat/rtsp: do not log invalid values
When reading fails the first time, ch would be uninitialized and
printed in the log message. Instead check for an error early and
log it properly.
(cherry picked from commit 2ed47ab72509bbee60288d245a0aebb7eb05e41a)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
Marvin Scholz [Thu, 22 May 2025 18:14:49 +0000 (20:14 +0200)]
avformat/http: Handle IPv6 Zone ID in hostname
When using a literal IPv6 address as hostname, it can contain a Zone ID
especially in the case of link-local addresses. Sending this to the
server in the Host header is not useful to the server and in some cases
servers refuse such requests.
To prevent any such issues, strip the Zone ID from the address if it's
an IPv6 address. This also removes it for the Cookies lookup.
Based on a patch by: Daniel N Pettersson <danielnp@axis.com>
(cherry picked from commit 5cb6d2221a6d4c07453b6c301ecfcaed48402680)
Signed-off-by: Marvin Scholz <epirat07@gmail.com>
Marton Balint [Thu, 27 Nov 2025 22:57:20 +0000 (23:57 +0100)]
avfilter/af_amerge: fix possible crash with custom layouts
The check if a native layout can be created from the sources was incomplete and
caused a crash with custom layouts if the layout contained a native channel
multiple times, as in this example command line:
ffmpeg -lavfi "sine[a0];sine,pan=FL+FL[a1];[a0][a1]amerge[aout]" -map "[aout]" -t 1 -f framecrc -
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit e8b10a9b09fff6fa09178634bededf14a6ea598c)
Kacper Michajłow [Sat, 9 Aug 2025 03:38:20 +0000 (05:38 +0200)]
avfilter/stack_internal: fix checkheaders test
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit 1a1377c53decf1264ca255910124caae82fd63a0)
Timo Rothenpieler [Sun, 30 Nov 2025 16:04:33 +0000 (17:04 +0100)]
all: apply linter fixes
Timo Rothenpieler [Sun, 30 Nov 2025 15:58:33 +0000 (16:58 +0100)]
forgejo: apply needed CI changes for 7.1
Timo Rothenpieler [Sun, 30 Nov 2025 15:25:19 +0000 (16:25 +0100)]
forgejo: backport CI to release/7.1
Andreas Rheinhardt [Tue, 25 Nov 2025 20:02:11 +0000 (21:02 +0100)]
avcodec/vp3: Sync VLCs once during init, fix crash
6c7a344b65cb7476d1575cb1504e3a53bcbc83e7 made the VLCs shared between
threads and did so in a way that was designed to support stream
reconfigurations, so that the structure containing the VLCs was
synced in update_thread_context. The idea was that the currently
active VLCs would just be passed along between threads.
Yet this was broken by 5acbdd2264d3b90dc11369f9e031e762f260882e:
Before this commit, submit_packet() was a no-op during flushing
for VP3, as it is a no-delay decoder, so it won't produce any output
during flushing. This meant that prev_thread in pthread_frame.c
contained the last dst thread that update_thread_context()
was called for (so that these VLCs could be passed along between
threads). Yet after said commit, submit_packet was no longer
a no-op during flushing and changed prev_thread in such a way
that it did not need to contain any VLCs at all*. When flushing,
prev_thread is used to pass the current state to the first worker
thread which is the one that is used to restart decoding.
It could therefore happen that the decoding thread did not contain
the VLCs at all any more after decoding restarts after flushing
leading to a crash (this scenario was never anticipated and
must not happen at all).
There is a simple, easily backportable fix given that we do not
support stream reconfigurations (yet) when using frame threading:
Don't sync the VLCs in update_thread_context(), instead do it once
during init.
This fixes forgejo issue #20346 and trac issue #11592.
(I don't know why 5acbdd2264d3b90dc11369f9e031e762f260882e changed
submit_packet() to no longer be a no-op when draining no-delay decoders.)
*: The exact condition for the crash is nb_threads > 2*nb_frames.
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 90551b7d80e39c2fcde67fc65e3623bbef12590c)
Gyan Doshi [Sun, 28 Sep 2025 07:50:23 +0000 (13:20 +0530)]
configure: unbreak glslang build
Don't unconditionally link to libSPVRemapper which was removed in 16.0 in 3a7f787
James Almer [Fri, 28 Nov 2025 12:51:36 +0000 (09:51 -0300)]
avformat/iamf_parse: fix compilation error
Regression since a2a67282859904283f1008e1ce0a7f6bc1e71757.
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Wed, 24 Sep 2025 23:31:26 +0000 (20:31 -0300)]
avfilter/vf_scale: don't attempt to rescale AV_NOPTS_VALUE
Finishes fixing issue #20589.
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Wed, 24 Sep 2025 23:31:11 +0000 (20:31 -0300)]
avfilter/framesync: don't attempt to rescale AV_NOPTS_VALUE
Part of a fix for issue #20589.
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Tue, 25 Nov 2025 15:42:30 +0000 (12:42 -0300)]
avformat/iamf_parse: ensure the stream count in a scalable channel representation is equal to the audio element's stream count
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit faa382e5b196f2acb5bc5b159aaf06682291328b)
James Almer [Tue, 25 Nov 2025 13:26:27 +0000 (10:26 -0300)]
avformat/iamf_parse: ensure each layout in a scalable channel representation has an increasing number of channels
Fixes issue #21013
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 554ae5ada98cd44686ade995102d3aa2295d7b09)
Niklas Haas [Wed, 24 Sep 2025 13:23:04 +0000 (15:23 +0200)]
fftools/ffmpeg_filter: close all no-longer needed inputs
Currently, the thread loop of ffmpeg_filter essentially works like this:
    while (1) {
        frame, idx = get_from_decoder();
        err = send_to_filter_graph(frame);
        if (err) { // i.e. EOF
            close_input(idx);
            continue;
        }

        while (filtered_frame = get_filtered_frame())
            send_to_encoder(filtered_frame);
    }
The exact details are not 100% correct since the actual control flow is a bit
more complicated as a result of the scheduler, but this is the general flow.
Notably, this leaves the possibility of leaving a no-longer-needed input
permanently open if the filter graph starts producing infinite frames (during
the second loop) *after* it finishes reading from an input, e.g. in a filter
graph like -af atrim,apad.
This patch avoids this issue by always querying the status of all filter graph
inputs and explicitly closing any that were closed downstream; after each round
of reading output frames. As a result, information about the filtergraph being
closed can now propagate back upstream, even if the filter is no longer
requesting any input frames (i.e. input_idx == fg->nb_inputs).
Fixes: https://trac.ffmpeg.org/ticket/11061
See-Also: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20457#issuecomment-6208
Backported-from: 38a5fcc02c2ef1bcb37d2e53eddde8eccc0c75ed
During backporting, I had to change the signature of `close_input()` to
`void close_input(FilterGraph *fg, int input_idx)` since this version of
FFmpeg does not contain a reference to the input index in the InputFilterPriv.
Niklas Haas [Wed, 24 Sep 2025 13:14:29 +0000 (15:14 +0200)]
avfilter/buffersrc: add av_buffersrc_get_status()
There is currently no way for API users to know that a buffersrc is no longer
accepting input, except by trying to feed it a frame and seeing what happens.
Of course, this is not possible if the user does not *have* a frame to feed,
but may still wish to know if the filter is still accepting input or not.
Since passing `frame == NULL` to `av_buffersrc_add_frame()` is already treated
as closing the input, we are left with no choice but to introduce a new
function for this.
We don't explicitly return the result of `ff_outlink_get_status()` to avoid
leaking internal status codes, and instead translate them all to AVERROR(EOF).
Backported-from: 623669a02cd6cdc5598801bf31fd77199e61bae1
Michael Niedermayer [Thu, 20 Nov 2025 23:07:39 +0000 (00:07 +0100)]
Changelog: update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zhao Zhili [Fri, 14 Nov 2025 09:23:22 +0000 (17:23 +0800)]
avutil/common: cast GET_BYTE/GET_16BIT returned value
In case of GET_BYTE/GET_16BIT return signed value.
(cherry picked from commit 0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zhao Zhili [Fri, 14 Nov 2025 08:53:07 +0000 (16:53 +0800)]
avfilter/vf_drawtext: fix call GET_UTF8 with invalid argument
For GET_UTF8(val, GET_BYTE, ERROR), val has type of uint32_t,
GET_BYTE must return an unsigned integer, otherwise signed
extension happened due to val= (GET_BYTE), and GET_UTF8 went to
the error path.
This bug incidentally cancelled the bug where hb_buffer_add_utf8
was being called with incorrect argument, allowing drawtext to
function correctly on x86 and macOS ARM, which defined char as
signed. However, on Linux and Android ARM environments, because
char is unsigned by default, GET_UTF8 now returns the correct
return, which unexpectedly revealed issue #20906.
(cherry picked from commit a5cc0e5c9e752f98e38c2a95a0893faeb1f78fa9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zhao Zhili [Fri, 14 Nov 2025 08:23:10 +0000 (16:23 +0800)]
avfilter/vf_drawtext: fix incorrect text length
From the doc of HarfBuzz, what hb_buffer_add_utf8 needs is the
number of bytes, not Unicode character:
hb_buffer_add_utf8(buf, text, strlen(text), 0, strlen(text));
Fix issue #20906.
(cherry picked from commit 9bc3c572eaaab559a7258c392528e7a1cad2a9b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Fri, 17 Jan 2025 03:05:31 +0000 (00:05 -0300)]
avformat/avformat: also clear FFFormatContext packet queue when closing a muxer
packet_buffer is used in mux.c, and if a muxing process fails at a point where
packets remained in said queue, they will leak.
Fixes ticket #11419
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit c08d300481b8ebb846cd43a473988fdbc6793d1b)
Michael Niedermayer [Wed, 19 Nov 2025 15:46:11 +0000 (16:46 +0100)]
update for 7.1.3
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 1 Nov 2025 00:29:32 +0000 (01:29 +0100)]
avfilter/vf_drawtext: Account for bbox text separator
Fixes: out of array access
no test case
Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 22:31:40 +0000 (23:31 +0100)]
avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer() contains channel * sample_size
Fixes: out of array access
no testcase
Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 41a9c6ec5f75d8737da3e38223b8c4e923703401)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 8 Nov 2025 22:22:56 +0000 (23:22 +0100)]
avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 12 Jul 2025 23:34:17 +0000 (01:34 +0200)]
avcodec/osq: Fix 32bit sample overflow
Fixes: signed integer overflow:
2147483565 + 128 cannot be represented in type 'int'
Fixes: 428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08816b93760f43433a07e980fa9eeab4135de78c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:27:56 +0000 (16:27 +0100)]
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)]
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 15:17:27 +0000 (16:17 +0100)]
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 16:32:56 +0000 (17:32 +0100)]
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sat, 8 Nov 2025 00:17:46 +0000 (01:17 +0100)]
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
veygax [Sun, 2 Nov 2025 02:35:40 +0000 (02:35 +0000)]
avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 22:20:36 +0000 (00:20 +0200)]
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 31 Oct 2025 22:08:45 +0000 (23:08 +0100)]
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 30 Oct 2025 22:20:41 +0000 (23:20 +0100)]
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 30 Oct 2025 22:05:57 +0000 (23:05 +0100)]
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 6 Oct 2025 23:58:34 +0000 (01:58 +0200)]
avcodec/g723_1enc: Make min_err 64bit
This is intending to fix the case described in https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
Where FCBParam optim is used uninitialized
a min_err of 1<<30, allows the struct to be never initialized as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible
Untested, as I do not have the testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 6 Aug 2025 10:49:49 +0000 (12:49 +0200)]
avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
Fixes: use of uninitialized memory
Fixes: 427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689
Fixes: 445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632
the multi vlc code will otherwise return uninitialized data. Now one can argue that this data should
not be used, but on errors this data can remain ...
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d8ffec5bf9a2803f55cc0822a97b7815f24bee83)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 24 Oct 2025 18:29:23 +0000 (20:29 +0200)]
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 13 Oct 2025 12:32:45 +0000 (14:32 +0200)]
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <colodcolod7@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Thu, 9 Oct 2025 03:31:10 +0000 (00:31 -0300)]
avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI
Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d448d6d1a0a4cdc76499c137742fdd8b30b9e7de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 22:18:30 +0000 (00:18 +0200)]
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 15:32:46 +0000 (17:32 +0200)]
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 18 Sep 2025 19:28:04 +0000 (21:28 +0200)]
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 11 Sep 2025 18:12:55 +0000 (20:12 +0200)]
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt [Fri, 11 Jul 2025 20:58:26 +0000 (22:58 +0200)]
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Niklas Haas [Sat, 27 Sep 2025 18:02:07 +0000 (20:02 +0200)]
fftools/ffmpeg_sched: prevent demuxers from getting stuck
When the furthest-behind stream is being fed by a demuxer that is also
feeding packets to a choked filter graph, we need to unchoke that filter
graph to prevent the demuxer from getting stuck trying to write packets to
the choked filter graph.
This situation can also apply recursively - if the demuxer is also writing
to a filtergraph that is also reading from a choked demuxer, there is a
similar deadlock.
Solve all such deadlocks by just brute-force recursively unchoking all
nodes that can somehow prevent this demuxer from writing packets. This
should normally not result in any change in behavior, unless audio/video
streams are badly desynchronized, in which case it may result in extra
memory usage from the too-far-ahead stream buffering packets inside the
muxer. (But this is, of course, preferable to a deadlock)
Fixes: https://code.ffmpeg.org/FFmpeg/FFmpeg/issues/20611
Backported-From: 133a0bcb1385f3214e501970f0ced52dcde906cb
Bin Peng [Fri, 24 Oct 2025 07:58:08 +0000 (15:58 +0800)]
lavc/aarch64: Fix addp overflow in ff_pred16x16_plane_neon_10
The mismatch between neon and C functions can be reproduced
using the following bitstream and command line on aarch64 devices.
wget https://streams.videolan.org/ffmpeg/incoming/replay_intra_pred_16x16.h264
./ffmpeg -cpuflags 0 -threads 1 -i replay_intra_pred_16x16.h264 -f framemd5 -y md5_ref
./ffmpeg -threads 1 -i replay_intra_pred_16x16.h264 -f framemd5 -y md5_neon
Signed-off-by: Bin Peng <pengbin@visionular.com>
(cherry picked from commit 3115c0c0e6c27c689a02a7267dcf8e61fa2ac425)
James Almer [Mon, 27 Oct 2025 14:13:20 +0000 (11:13 -0300)]
avcodec/mlpdec: don't depend on context channel layout when setting substream masks
If avctx->ch_layout is unset (as it's allowed and even expected by the
AV_CODEC_CAP_CHANNEL_CONF flag), the code setting substream masks will fail for
stereo and mono layouts unless a downmix channel was requested.
Fix this by deriving the mask with coded values only.
Fixes issue #20764.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 530ca627a325a0f77859a6a7d8baa05395767d56)
James Almer [Mon, 27 Oct 2025 19:18:17 +0000 (16:18 -0300)]
avformat/demux: pass new extradata to the parser
The parser API doesn't work with packets, only raw data, so in order for it to
be made aware of new extradata propagated through packet side data we need to
pass it in some other form, namely, replacing the main extradata and ensuring
it will be parsed by restarting the parser.
Signed-off-by: James Almer <jamrial@gmail.com>
Sean McGovern [Thu, 16 Jan 2025 21:30:52 +0000 (16:30 -0500)]
avcodec/svq1enc: restrict Altivec acceleration to big-endian POWER configurations
This was disabled in da60b99a8857d5ca236f32c1799a066e0135a866 and then
accidentally re-enabled in 172b0e2e88832822632841e8e0d3794f974cbc93.
The code in question was never properly adapted for little-endian mode.
refs: trac/10955
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4322be512b2bd6c7d8ee61a2b0230546f3107be0)
Brad Smith [Mon, 22 Sep 2025 11:28:21 +0000 (07:28 -0400)]
libavutil/arm: Rename the HWCAP defines
Rename the HWCAP defines to use the same naming scheme as AArch64 and PPC.
(cherry picked from commit ced4a6ebc9e7cd92d0ca9b9fb8f9d1013d23cbfa)
Signed-off-by: Brad Smith <brad@comstyle.com>
Brad Smith [Sun, 21 Sep 2025 03:06:08 +0000 (23:06 -0400)]
libavutil/arm: Make use of elf_aux_info() on FreeBSD/OpenBSD
- FreeBSD/OpenBSD have elf_aux_info() on arm
- Wrap AT_HWCAP as the value is different for BSD vs Linux (16 vs 25)
(cherry picked from commit cdae5c3639f4adcd289e643a203d43d4e01d87f5)
Signed-off-by: Brad Smith <brad@comstyle.com>
James Almer [Tue, 16 Sep 2025 16:56:18 +0000 (13:56 -0300)]
avcodec/decode: sync initial_pict_type and intra_only_flag with thread worker's avctx
Regression since 5acbdd2264d3b90dc11369f9e031e762f260882e, which removed
setting both values from PerThreadContext.
Given the pthread code calls ff_decode_receive_frame_internal() on the frame,
any value set before it will be overwritten, so instead sync each thread's
DecodeContext and let ff_decode_receive_frame_internal() handle these values.
Fixes issue #20534.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 26f4230082dad1a6a0f2384694037562f73bb2fd)
James Almer [Tue, 16 Sep 2025 01:18:52 +0000 (22:18 -0300)]
avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction
Fixes unpredictable behavior with floats.
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 57a29f2e7dd2374a1df27316c6cf7c0225e86758)
Michael Niedermayer [Sat, 13 Sep 2025 22:32:13 +0000 (00:32 +0200)]
Changelog: update
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Zhao Zhili [Tue, 2 Sep 2025 10:04:11 +0000 (18:04 +0800)]
doc/examples/vaapi_encode: fix invalid check on fwrite
enc_pkt->size is 0 after av_packet_unref, which makes the check invalid.
Fix regression from 3e4bfff2.
Co-Authored-by: Jin Bo <jinbo@loongson.cn>
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit 09856e4e483f14125d38e5c84e908f623bb1a888)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andrey Semashev [Mon, 1 Sep 2025 22:07:05 +0000 (01:07 +0300)]
avcodec/librsvgdec: fix compilation with librsvg 2.50.3
This fixes compilation with librsvg 2.50.3: error: viewport undeclared
This was a regression since commit 86ed68420d3b60439d0b7767c53d0fdc1deb7277.
Fixes #10722.
Reviewed-by: Leo Izen <leo.izen@gmail.com>
(cherry picked from commit 9ee7796c540ce9cec3fdff0dd246de842228707b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Patrick Wang [Thu, 28 Aug 2025 18:58:16 +0000 (02:58 +0800)]
fftools/ffmpeg: fix gracefully shutdown
d119ae2fd82a494d9430ff4d4fc262961a68c598 removed the loop-breaking condition
received_sigterm.
Thus, signals no longer gracefully shut down ffmpeg.
Fixes: #10834
Signed-off-by: Patrick Wang <mail6543210@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7173e982ec815dcf70999c8683c465b99ce249c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer [Wed, 10 Sep 2025 12:41:39 +0000 (09:41 -0300)]
Changelog: update
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Mon, 18 Aug 2025 15:22:09 +0000 (12:22 -0300)]
fftools/ffmpeg_demux: ensure the display_rotation option is honored
If requested, it should have priority over any coded value.
Fixes ticket #11649.
Signed-off-by: James Almer <jamrial@gmail.com>
James Almer [Wed, 10 Sep 2025 12:31:48 +0000 (09:31 -0300)]
avcodec/mjpegdec: use ff_frame_new_side_data() to export display matrix
Otherwise, the user requested priority of packet side data will be ignored.
Signed-off-by: James Almer <jamrial@gmail.com>
Michael Niedermayer [Mon, 8 Sep 2025 23:43:59 +0000 (01:43 +0200)]
Update for 7.1.2
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Lynne [Mon, 11 Aug 2025 13:26:35 +0000 (22:26 +0900)]
aacdec_usac: use RefStruct to track unfinished extension buffers
Extensions in AAC USAC can be stored across multiple frames (mainly to keep CBR compliance).
This means that we need to reallocate a buffer when new data is received, accumulate the bitstream data,
and so on until the end of extension flag is signalled and the extension can be decoded.
This is made more complicated by the way in which the AAC channel layout switching is performed.
After decades of evolution, our AAC decoder evolved to double-buffer its entire configuration.
All changes are buffered, verified, and applied, on a per-frame basis if required, in often
random order.
Since we allocate the extension data on heap, this means that if configuration is applied,
in order to avoid double-freeing, we have to keep track of what we've allocated.
It should be noted that extensions which are spread in multiple frames are generally rare,
so an optimization to introduce av_refstruct_realloc() wouldn't generally be useful across the codebase.
Therefore, a copy is good enough for now.
Thanks to Michael Niedermayer for additional fixing.
Fixes: double free
Fixes: 393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit c05fc27dd33b361eb0105157ab7d3a01c2ffa782)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 19 Aug 2025 01:09:14 +0000 (03:09 +0200)]
avcode: Use av_fast_realloc() in ff_lzf_uncompress()
Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Fixes: mixed up realloc() functions
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Co-Authored-by: James Almer <jamrial@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 0a5046c09996262d0f8b1802a4b34816f72fff06)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 19 Aug 2025 01:12:37 +0000 (03:12 +0200)]
avcodec/dxv: Check coded_height, to avoid invalid av_clip()
Fixes: assertion failure
Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Wed, 13 Aug 2025 11:11:23 +0000 (13:11 +0200)]
avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new frame if it has no frame
Fixes: null pointer dereference
Fixes: crash_test.mp4
Found-by: Intel PSIRT
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Mon, 18 Aug 2025 15:20:49 +0000 (17:20 +0200)]
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0243cf89b137b093b02a5c61a76e28cec1d69ae9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Sun, 17 Aug 2025 13:31:48 +0000 (15:31 +0200)]
avcodec/sanm: Check w,h,left,top
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 134fbfd1dcb59441e38d870ddd231772f4e8e127)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 15 Aug 2025 15:55:05 +0000 (17:55 +0200)]
avcodec/utvideodec: Clear plane_start array
In pack mode the array is passed into decode_plane() without being initialized or used.
Fixes: use of uninitialized memory
Fixes: 438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5464037027807232
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a22972db3b390d82dedbdbb5f44cc09a43912b5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Tue, 12 Aug 2025 22:59:20 +0000 (00:59 +0200)]
fftools/ffmpeg_mux_init: Use 64bit for score computation in map_auto_video()
Fixes: signed integer overflow: 10 * 1952737655 cannot be represented in type 'int'
Fixes: PoC_avi_demux
Found-by: 2ourc3 (Salim LARGO)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cdbb5f1b93352f9e7eceb1562ad283a78b546091)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Jiasheng Jiang [Thu, 7 Aug 2025 14:50:10 +0000 (14:50 +0000)]
libavfilter/dnn/dnn_backend_tf: Remove redundant av_freep() to avoid double free
Remove redundant av_freep() to avoid double free since task will be freed in dnn_free_model_tf() after the success of ff_queue_push_back().
Fixes: af052f9066 ("lavfi/dnn: fix mem leak in TF backend error handle")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
(cherry picked from commit b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Fri, 8 Aug 2025 10:43:46 +0000 (12:43 +0200)]
avcodec/dxv: Use av_fast_realloc() for op_data
makes things consistent
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 373bd80b16643e349d229e2479fad565dba129a5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer [Thu, 7 Aug 2025 17:56:53 +0000 (19:56 +0200)]
avcodec/dxv: Use av_fast_realloc() and clear all new space
The code writing in the buffer has a wide range of error checks
which simply leave it partly uninitialized.
Initializing it on allocation ensures no sensitive data leaks and that
bugs are more reliably reproducible.
Fixes: use of uninitialized memory
Fixes: 435225510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-4521918634196992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a0b793737ec1a118d2119a677fa17926def01bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>