ffmpeg.git
2 days ago avformat/mov: fix cases where we discard iamf packets from enabled streams release/8.0
James Almer [Fri, 27 Feb 2026 13:41:31 +0000 (10:41 -0300)]
avformat/mov: fix cases where we discard iamf packets from enabled streams

Given the entire iamf struct is inside a single Track, if the first iamf stream
(which is the one sharing the index and id from the Track) was to be disabled,
then packets from every iamf stream would be discarded.
Fix this by actually going through the entire iamf Sample and discarding those
from the disabled streams only.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 16ee3d8d99a2f2e83a2559e958e19ede813b29f8)

2 days ago avformat/mov: fix setting iamf stream id offsets
James Almer [Fri, 27 Feb 2026 13:38:14 +0000 (10:38 -0300)]
avformat/mov: fix setting iamf stream id offsets

If we were to add the highest id of a non iamf stream as offset to iamf stream
ids, and one of the latter was 0, then an id overlap would occur.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51aef95ba156b7848eca5445f0f59b091c3b1004)

2 weeks ago avformat/whip: remove the confused option buffer_size
Jack Lau [Mon, 19 Jan 2026 15:15:22 +0000 (23:15 +0800)]
avformat/whip: remove the confused option buffer_size

See https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20965#issuecomment-22815

The buffer_size isn't included in release/8.0,
directly using the new option ts_buffer_size to replace
buffer_size should be okay.

Signed-off-by: Jack Lau <jacklau1222gm@gmail.com>
(cherry picked from commit 2a0a32c42b3e58bd122381868b6e62e46b90a369)

2 weeks ago avformat/whip: add new option ts_buffer_size to deprecate buffer_size
Jack Lau [Wed, 10 Dec 2025 08:11:43 +0000 (16:11 +0800)]
avformat/whip: add new option ts_buffer_size to deprecate buffer_size

See https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20965#issuecomment-15854

The old option name `buffer_size` may be confusing because there are some
protocols and muxers using this.

Signed-off-by: Jack Lau <jacklau1222gm@gmail.com>
(cherry picked from commit cc8f3921367f562850bc3cd5049eeff8427f6356)

2 weeks ago avformat/whip: remind user increase -buffer_size
Jack Lau [Wed, 17 Sep 2025 02:50:18 +0000 (10:50 +0800)]
avformat/whip: remind user increase -buffer_size

The udp buffer size might be too small, so it can easily
become full temporarily and return WSAEWOULDBLOCK.
The udp code will handle the windows error code
and convert it to AVERROR(EAGAIN).

This issue can only be reproduced on windows.

If we sleep for an interval and retry sending the pkt when hitting
EAGAIN, it will increase latency, and an appropriate
interval is hard to define.

So this patch just reminds the user to increase the buffer
size via -buffer_size to avoid this issue.

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit ec0a04de0d46b6104a4d92570b2412df5fafb483)

2 weeks ago avformat/whip: pass through buffer_size option to udp
Jack Lau [Wed, 17 Sep 2025 02:25:41 +0000 (10:25 +0800)]
avformat/whip: pass through buffer_size option to udp

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit b3793d9941516ea8c3511ca2b7db339148e3f122)

2 weeks ago avformat/whip: fix potential 8bit overflow for profile_idc
Jack Lau [Wed, 27 Aug 2025 23:40:40 +0000 (07:40 +0800)]
avformat/whip: fix potential 8bit overflow for profile_idc

The profile contains profile_idc and constraint_set*_flag,
throws away high 8 bit flags and then we get profile_idc.

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit 785a4e0d6c80f475f7891d33dfa2927faa51da21)

2 weeks ago avformat/whip: fix 8 bits overflow and map constraint_set bits for H264
Jack Lau [Wed, 27 Aug 2025 23:22:04 +0000 (07:22 +0800)]
avformat/whip: fix 8 bits overflow and map constraint_set bits for H264

profile_iop is an 8 bits field. Previous code copied
AVCodecParameters::profile (which can contain bits
beyond 8 bits) into profile_iop, producing overflow
and wrong values.

This patch maps the constrained flags into the proper
profile_iop bits (constraint_set1 / 3)

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit 6c2768bf8c059126ea89ec14f1fe0c903f4f90c5)

2 weeks ago avformat/whip: fix SDP ICE candidates parsing
Jack Lau [Wed, 3 Sep 2025 23:49:41 +0000 (07:49 +0800)]
avformat/whip: fix SDP ICE candidates parsing

fix issue #20407

Refer to RFC 5245 15.1,
the foundation may be any string up to 32 chars.
The old code could misread foundations as transport("udp").
This patch fully parses all these attr to avoid parsing errors.

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit b41f8207c4cfebf9bb6b66a9f354c8bbba3036b5)
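
The parsing problem described in the commit above, as an added example that is not FFmpeg's code: a field-by-field parser for the `a=candidate:` line following the RFC 5245 section 15.1 field order, next to a substring search that mistakes a foundation for the transport. All function names, the `naive_port` stand-in and the sample lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct ice_candidate {
    char     foundation[33];   /* RFC 5245: 1 to 32 ice-chars */
    unsigned component;
    char     transport[8];
    unsigned priority;
    char     address[64];
    unsigned port;
    char     type[16];
};

/* Constructed SDP lines; 192.0.2.10 is a documentation address. */
static const char FOUNDATION_IS_UDP[] =
    "a=candidate:udp 1 udp 2130706431 192.0.2.10 50000 typ host";
static const char FOUNDATION_TOO_LONG[] =          /* 33-character foundation */
    "a=candidate:" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaa"
    " 1 udp 2130706431 192.0.2.10 50000 typ host";

/* Case-insensitive match for the transport token "udp". */
static int is_udp(const char *t)
{
    return tolower((unsigned char)t[0]) == 'u' &&
           tolower((unsigned char)t[1]) == 'd' &&
           tolower((unsigned char)t[2]) == 'p' && t[3] == '\0';
}

/* Positional parse: every field is read in order, so the content of the
 * foundation can never be taken for a later field. Returns 0 or -1. */
static int parse_candidate(const char *line, struct ice_candidate *c)
{
    int n = 0;

    memset(c, 0, sizeof(*c));
    /* Foundation: at most 32 characters, and it must end at a space. */
    if (sscanf(line, "a=candidate:%32[^ ]%n", c->foundation, &n) != 1 ||
        line[n] != ' ')
        return -1;
    for (const char *p = c->foundation; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '+' && *p != '/')
            return -1;
    /* Remaining mandatory fields, in the order the grammar gives them. */
    if (sscanf(line + n, " %u %7s %u %63s %u typ %15s",
               &c->component, c->transport, &c->priority,
               c->address, &c->port, c->type) != 6)
        return -1;
    if (!is_udp(c->transport) || c->component < 1 || c->component > 256 ||
        c->port > 65535)
        return -1;
    return 0;
}

/* Port as seen by the positional parser, or -1 when the line is rejected. */
static long strict_port(const char *line)
{
    struct ice_candidate c;
    return parse_candidate(line, &c) == 0 ? (long)c.port : -1;
}

/* Hypothetical substring-based parser: looks for the first "udp" anywhere
 * in the line and reads priority, address and port after it. */
static long naive_port(const char *line)
{
    unsigned prio, port;
    char addr[64];
    const char *p = strstr(line, "udp");

    if (!p || sscanf(p + 3, "%u %63s %u", &prio, addr, &port) != 3)
        return -1;
    return (long)port;
}

int main(void)
{
    printf("naive  port: %ld\n", naive_port(FOUNDATION_IS_UDP));
    printf("strict port: %ld\n", strict_port(FOUNDATION_IS_UDP));
    printf("33-char foundation: %ld\n", strict_port(FOUNDATION_TOO_LONG));
    return 0;
}
```
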

2 weeks ago avformat/whip: fix ssrc might be same
Jack Lau [Sat, 23 Aug 2025 01:09:47 +0000 (09:09 +0800)]
avformat/whip: fix ssrc might be same

use audio_ssrc + 1 for video_ssrc to avoid ssrc collision

See RFC 3550 Section 8,
The SSRC identifier carried in the RTP header and in various fields
of RTCP packets is a random 32 bit number that is required to be
globally unique within an RTP session.

simply + 1 also can get a unique ssrc, and is faster than generating
a new unique ssrc.

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit b3ea5584929f16785cc45ad386998ff42fa72110)

2 weeks ago avcodec/tableprint_vlc: Unbreak hardcoded tables
Andreas Rheinhardt [Thu, 4 Dec 2025 17:42:02 +0000 (18:42 +0100)]
avcodec/tableprint_vlc: Unbreak hardcoded tables

Forgotten in d8ffec5bf9a2803f55cc0822a97b7815f24bee83.
Fixes issue #21102 (and part of #21694).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 1d47ae65bf6df91246cbe25c997b25947f7a4d1d)

3 weeks ago tests: Fix fate-run.sh to handle busybox-w32 absolute paths
Martin Storsjö [Wed, 3 Dec 2025 21:36:45 +0000 (21:36 +0000)]
tests: Fix fate-run.sh to handle busybox-w32 absolute paths

Busybox-w32 uses regular Windows style paths with drive letters,
but with forward slashes; thus an absolute path starts with "c:/".

Make the target_path() function in fate-run.sh (which converts a
potentially relative path to an absolute one, under the target_path
prefix) handle this case.

With this in place, running fate tests almost works in
busybox-w32 - only one issue remains. A patch [1] has been sent to
upstream busybox for fixing that issue (which also is present if
running fate tests on busybox on Linux), but it hasn't been
responded to yet.

[1] https://lists.busybox.net/pipermail/busybox/2025-December/091851.html

(cherry picked from commit 06a17fdafcb3c3cd91f85b3685768d522c52286d)

3 weeks ago configure: Recognize uname "Windows_NT" as using an .exe suffix
Martin Storsjö [Wed, 3 Dec 2025 21:10:25 +0000 (21:10 +0000)]
configure: Recognize uname "Windows_NT" as using an .exe suffix

Busybox-w32 [1] works for building ffmpeg on Windows (as an
alternative to msys2, cygwin or WSL).

On busybox-w32, "uname" returns "Windows_NT"; recognize this
in exesuf() as having an .exe suffix.

If building in this environment with a mingw toolchain, one has
to explicitly set --target-os=mingw32. (We probably don't
want to imply that this uname, set as target_os_default, would
default to mingw?) But despite what is set with --target-os,
one can't override the configure variable "host_os", which
exesuf() has to recognize.

[1] https://github.com/rmyorston/busybox-w32

(cherry picked from commit 6149ceadebecc357f350a6979174dbd24f5dca28)

3 weeks ago avformat/tests/movenc: Make objects static
Andreas Rheinhardt [Mon, 2 Feb 2026 22:06:57 +0000 (23:06 +0100)]
avformat/tests/movenc: Make objects static

(This also fixes a symbol name collision with libssh,
which has a nonstatic function called md5.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>

3 weeks ago checkasm/hevc_pel: rename loop variable 'size' to 'idx' to avoid confusion
Jun Zhao [Sat, 31 Jan 2026 01:55:36 +0000 (09:55 +0800)]
checkasm/hevc_pel: rename loop variable 'size' to 'idx' to avoid confusion

The variable 'size' is used as a loop index for the 'sizes' array.
This naming similarity is error-prone and recently led to a typo where
'size[sizes]' was written instead of 'sizes[size]'.

Rename the loop index variable from 'size' to 'idx' across all 10 test
functions to make the code more readable and prevent similar typos.

Additionally, replace the hardcoded loop upper bound '10' with
'FF_ARRAY_ELEMS(sizes)' for better maintainability.

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>

3 weeks ago checkasm/hevc_pel: fix typo size[sizes] -> sizes[size]
Jun Zhao [Fri, 30 Jan 2026 16:09:17 +0000 (00:09 +0800)]
checkasm/hevc_pel: fix typo size[sizes] -> sizes[size]

Commit 4d4b301e4a introduced a typo where `size[sizes]` was used
instead of `sizes[size]` in 10 places within checkasm_check_pixel_padded
calls.

Since `sizes` is an array and `size` is the loop index, `size[sizes]`
interprets the array pointer as an index, resulting in undefined behavior
and causing AddressSanitizer to detect buffer overflows during testing.

Signed-off-by: Jun Zhao <barryjzhao@tencent.com>

3 weeks ago avcodec/libsvtav1: rename aq_mode for v4.0.0
Christopher Degawa [Wed, 21 Jan 2026 06:12:59 +0000 (00:12 -0600)]
avcodec/libsvtav1: rename aq_mode for v4.0.0

Signed-off-by: Christopher Degawa <ccom@randomderp.com>
Signed-off-by: James Almer <jamrial@gmail.com>

3 weeks ago vulkan_vp9: fix subsampling source and show_frame flag
Hyunjun Ko [Mon, 8 Dec 2025 15:01:45 +0000 (16:01 +0100)]
vulkan_vp9: fix subsampling source and show_frame flag

(cherry picked from commit 672635932684c0ee7cfbb7f9eef6999b4e72df4b)

7 weeks ago avfilter/vf_lcevc: attach a reference to the source frame to each passed in base...
James Almer [Sat, 10 Jan 2026 18:48:46 +0000 (15:48 -0300)]
avfilter/vf_lcevc: attach a reference to the source frame to each passed in base picture

And free them once they are guaranteed to be no longer needed, instead of freeing them
when returned with an enhanced output.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit af136db1c3c5d72c4a71cedaf7b06d2f8ae3819e)

7 weeks ago avcodec/lcevc: attach a reference to the source frame to each passed in base picture
James Almer [Wed, 7 Jan 2026 15:16:27 +0000 (12:16 -0300)]
avcodec/lcevc: attach a reference to the source frame to each passed in base picture

This way we can ensure a frame reference will always exist for as long as the
external library needs the base picture.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 188521c7ad9e2a82d913770c3102593ebcd3454d)

7 weeks ago avcodec/lcevcdec: free pictures on error
James Almer [Tue, 23 Dec 2025 00:56:09 +0000 (21:56 -0300)]
avcodec/lcevcdec: free pictures on error

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit fe1dae1e1857ebda9624f4be3f93f447097ae942)

7 weeks ago avcodec/lcevcdec: fix input dimensions for the base picture
James Almer [Tue, 23 Dec 2025 00:54:43 +0000 (21:54 -0300)]
avcodec/lcevcdec: fix input dimensions for the base picture

Fixes crashes with some samples.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 4f86ebfe940cd11de8f5ccf39e2b45da8354269d)

7 weeks ago avcodec/lcevcdec: avoid copying the input frame
James Almer [Tue, 23 Dec 2025 00:53:47 +0000 (21:53 -0300)]
avcodec/lcevcdec: avoid copying the input frame

Based on the lcevc filter implementation.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b392d75cf72cca90b5476e0c1b2e0876f3aff4ab)

7 weeks ago avcodec/decode: Optimize lcevc away if disabled
Andreas Rheinhardt [Sun, 2 Nov 2025 15:50:36 +0000 (16:50 +0100)]
avcodec/decode: Optimize lcevc away if disabled

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 8e90f150ebccf3f30fe139245b7d22fd6f1ee4a9)

7 weeks ago avcodec/decode: Put lcevc fields into structure of their own
Andreas Rheinhardt [Sun, 2 Nov 2025 15:00:06 +0000 (16:00 +0100)]
avcodec/decode: Put lcevc fields into structure of their own

Makes it easier to see that width and height in DecodeContext are
actually lcevc fields.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 2786e5a9ad32920fccee9352161e81c8e733563b)

7 weeks ago avcodec/decode: Don't allocate LCEVC context for non-video
Andreas Rheinhardt [Sun, 2 Nov 2025 14:29:59 +0000 (15:29 +0100)]
avcodec/decode: Don't allocate LCEVC context for non-video

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 182b9c7a4a7117371d51caa917f26162db53cc56)

8 weeks ago hwcontext_vulkan: add support for implict DRM sync for export
Russell Greene [Sat, 29 Nov 2025 06:04:57 +0000 (23:04 -0700)]
hwcontext_vulkan: add support for implict DRM sync for export

When a frame is exported to DRM, it may be written to or read from in an asynchronous fashion. Make sure, on unmap of a Vulkan frame that was mapped to DRM, to import any fences that were put on the dmabuf.

(cherry picked from commit 38e89fe5022888f552dce95d168a60900ccffd17)

8 weeks ago lavc/vvc: Prevent OOB write to slice_top_left_ctu_x in PPS CBS
Frank Plowman [Mon, 29 Dec 2025 22:14:53 +0000 (22:14 +0000)]
lavc/vvc: Prevent OOB write to slice_top_left_ctu_x in PPS CBS

Prior to the fix, in the case of a tile containing multiple slices
(pps_num_exp_slices_in_tile != 0) the number of slices was temporarily
allowed to exceed pps_num_slices_in_pic_minus1+1 and therefore
VVC_MAX_SLICES.  The number of slices was later verified, but while the
current slice index was higher than expected it was used to write to an
array of size VVC_MAX_SLICES, leading to an OOB write.

To rectify this, the patch adds some checks at an earlier stage, to
ensure that the slice index i + j at no point exceeds
pps_num_slices_in_pic_minus1.

Fixes #YWH-PGM40646-30

(cherry picked from commit 72a38c12e5b84ccb30fba88c39ef2a086013af5b)

8 weeks ago lavc/vvc: Error on inter slice with no reference pics
Frank Plowman [Wed, 24 Dec 2025 15:35:06 +0000 (15:35 +0000)]
lavc/vvc: Error on inter slice with no reference pics

The semantics of sh_num_ref_idx_active_minus1[ i ] state that

When the current slice is a P slice, the value of NumRefIdxActive[ 0 ] shall be greater than 0.
When the current slice is a B slice, both NumRefIdxActive[ 0 ] and NumRefIdxActive[ 1 ] shall be greater than 0.

Fixes: use of uninitialized memory
Fixes: 449549597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5600497089445888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reported-by: Michael Niedermayer michael@niedermayer.cc
(cherry picked from commit 90f1f797aa9231375e4858df523fbfeda89bfd79)

8 weeks ago forgejo: backport CI job names
Timo Rothenpieler [Fri, 2 Jan 2026 19:00:45 +0000 (20:00 +0100)]
forgejo: backport CI job names

8 weeks ago avformat/img2dec: reject input images too big to fit into a single packet
Timo Rothenpieler [Wed, 31 Dec 2025 02:41:21 +0000 (03:41 +0100)]
avformat/img2dec: reject input images too big to fit into a single packet

Not entirely sure if it should instead use some entirely different
approach here, given that images exceeding 2GB don't seem that crazy
to me, but so far processing such images results in a heap overflow,
since the size addition overflows and a much too small packet is
allocated and its size never checked again when writing into it.

Fixes #YWH-PGM40646-32

(cherry picked from commit f6a95c7eb786f895812adaaa08d2fe91c4d4caf8)
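
The failure mode in the commit above (a size sum that wraps, an undersized allocation, and writes that are never re-checked against it), as an added example that is not FFmpeg's code. It assumes a 32-bit `int`, a packet built from three parts and a 64-byte padding; the function names, `PKT_PADDING` and the sample sizes are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PKT_PADDING 64   /* assumed zeroed tail after the payload (illustrative) */

/* Constructed part sizes: two parts just under 2 GiB plus 18 bytes. */
static const int oversized_parts[3] = { INT_MAX, INT_MAX, 18 };
static const int small_parts[3]     = { 1000, 250, 250 };

/* The value a 32-bit sum ends up with. Unsigned arithmetic is used so the
 * wrap-around is well defined here; the same sum in plain int is UB. */
static uint32_t wrapped_sum32(const int *part, size_t n)
{
    uint32_t sum = 0;

    for (size_t i = 0; i < n; i++)
        sum += (uint32_t)part[i];
    return sum;
}

/* Checked sum: accumulate in 64 bits and reject anything that, with
 * padding, no longer fits the int used for the allocation size.
 * Returns the total, or -1 when the input must be rejected. */
static long long checked_packet_size(const int *part, size_t n)
{
    int64_t sum = 0;

    for (size_t i = 0; i < n; i++) {
        if (part[i] < 0)
            return -1;
        sum += part[i];
        if (sum > INT_MAX - PKT_PADDING)
            return -1;
    }
    return sum;
}

/* Second line of defence: every write is bounded by what was allocated,
 * written so that offset + len itself cannot overflow. */
static int write_fits(long long allocated, long long offset, long long len)
{
    return offset >= 0 && len >= 0 &&
           offset <= allocated && len <= allocated - offset;
}

int main(void)
{
    printf("wrapped 32-bit sum: %u bytes\n",
           (unsigned)wrapped_sum32(oversized_parts, 3));
    printf("checked sum:        %lld\n",
           checked_packet_size(oversized_parts, 3));
    printf("small input:        %lld\n",
           checked_packet_size(small_parts, 3));
    printf("2 GiB write into the wrapped allocation allowed: %d\n",
           write_fits(wrapped_sum32(oversized_parts, 3), 0, INT_MAX));
    return 0;
}
```
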

8 weeks ago cbs_vp9: Always update loop filter and segmentation from current frame
David Rosca [Fri, 29 Aug 2025 08:58:00 +0000 (10:58 +0200)]
cbs_vp9: Always update loop filter and segmentation from current frame

Fixes decoding vp90-2-09-aq2, vp90-2-15-segkey_adpq, vp90-2-15-segkey
and vp90-2-22-svc_1280x720_1 with Vulkan hwaccel.

Fixes: 26a2a76346 ("cbs_vp9: Fix VP9 passthrough")

(cherry picked from commit a0a16f2ea43e000816c1474f8295e3cf1cfd299b)

2 months ago avformat/iamf_writer: check that stream count is consistent for ambisonic Audio Elements
James Almer [Sat, 27 Dec 2025 22:11:07 +0000 (19:11 -0300)]
avformat/iamf_writer: check that stream count is consistent for ambisonic Audio Elements

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a0fc454871c116d5bd1bbec5138dfe3ffcb1f11d)

2 months ago avformat/iamf_writer: fix writting some ambisonics fields in Audio Elements
James Almer [Sat, 27 Dec 2025 21:06:32 +0000 (18:06 -0300)]
avformat/iamf_writer: fix writting some ambisonics fields in Audio Elements

The fields are defined as 8 bit long unsigned ints. Fortunately, writing most sane values
as leb is equivalent, which is why no tests are affected.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 21ff60d2cf7dfe00400ffef6a8843736f4cf9a2f)

2 months ago avformat/iamf_parse: fix setting denominator in AVIAMFLayer.demixing_matrix
James Almer [Sat, 27 Dec 2025 20:08:30 +0000 (17:08 -0300)]
avformat/iamf_parse: fix setting denominator in AVIAMFLayer.demixing_matrix

The format of demixing_matrix is Q15 fixed point values.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 03a981445ee89a567e5a98ec88cbbbb8d3e3af72)

2 months ago tests/fate/filter-video: add two feedback tests
Jack Lau [Tue, 18 Nov 2025 13:29:43 +0000 (21:29 +0800)]
tests/fate/filter-video: add two feedback tests

- Add fate-filter-feedback-yadif

- add fate-filter-feedback-hflip

Signed-off-by: Jack Lau <jacklau1222gm@gmail.com>
(cherry picked from commit c4b050fd6725561936115397575a4e1f9d9fd471)

2 months ago avfilter/vf_feedback: fix feedback block
Jack Lau [Mon, 17 Nov 2025 22:45:06 +0000 (06:45 +0800)]
avfilter/vf_feedback: fix feedback block

Fix #20940

The feedback and its sub-filter both request frames
from each other, causing a block since 4440e499ba

The feedback should only request inputs[1] once
rather than continuously requesting frames, which causes blocking.

This patch adds a check for whether feedback already requested
inputs[1] via ff_outlink_frame_wanted(ctx->outputs[1]),
if true, then exits and waits for inputs[0] because it means
we need more frames input to proceed.

Signed-off-by: Jack Lau <jacklau1222gm@gmail.com>
(cherry picked from commit 3f0842294fbefcca32fdad6b644eae8c14f547e5)

2 months ago fate/ffmpeg: remove comparison against ref from fix_sub_duration_heartbeat
Jan Ekström [Thu, 11 Dec 2025 20:11:07 +0000 (22:11 +0200)]
fate/ffmpeg: remove comparison against ref from fix_sub_duration_heartbeat

After the full ffmpeg CLI multithreading changes went in, this
test started depending on how far the input side read and decoded
the input compared to how quickly the output encoded things, causing
spurious failures on the CI.

To my knowledge all of the failures have so far been valid correct
results, but unfortunately FATE's built in checks mostly consist of
whether there is a difference against an exact result.

This way we still get the CI and valgrind running of the code,
but stop its comparison. Reference file is left around so that
the previous reference is still available.

(cherry picked from commit e54bd7065d024bd3925f80533eae10ef88a5cced)

2 months ago configure: Lower libdvdnav and libdvdread minimum versions for EL9
Neal Gompa [Fri, 21 Nov 2025 11:16:50 +0000 (06:16 -0500)]
configure: Lower libdvdnav and libdvdread minimum versions for EL9

Red Hat Enterprise Linux 9 is one patch version lower than what
FFmpeg currently requests. The slightly older versions still result
in a working build of FFmpeg with DVD support, so allow those
versions to be consumed to build FFmpeg.

(cherry picked from commit 069d465895)
Signed-off-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Kacper Michajłow <kasper93@gmail.com>

2 months ago avcodec/aac_ac3_parser: do not override the profile set by the decoder
Nicolas Gaullier [Tue, 12 Aug 2025 10:35:18 +0000 (12:35 +0200)]
avcodec/aac_ac3_parser: do not override the profile set by the decoder

Parsing the ADTS header is not enough to detect HE-AAC v1/v2.

Regression since 64bb91fd3b5a00a8849531c7e8dd207f2a626096.

Fixes #11600

Signed-off-by: Nicolas Gaullier <nicolas.gaullier@cji.paris>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f24474dcfc719e29dc87e6483d6187ea233f4e0f)

2 months ago avcodec/aac_ac3_parser: simplify
Nicolas Gaullier [Tue, 12 Aug 2025 10:35:17 +0000 (12:35 +0200)]
avcodec/aac_ac3_parser: simplify

Use ff_adts_header_parse_buf() wrapper to simplify as GetBitContext is
no longer needed (it was introduced for USAC).

Partially reverts 64bb91fd3b5a00a8849531c7e8dd207f2a626096.

Signed-off-by: Nicolas Gaullier <nicolas.gaullier@cji.paris>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 593b4269027ea6d514b8505d317f6f131693c84e)

2 months ago avcodec/aac_ac3_parser: remove unused USAC/ADTS code
Nicolas Gaullier [Tue, 12 Aug 2025 10:35:16 +0000 (12:35 +0200)]
avcodec/aac_ac3_parser: remove unused USAC/ADTS code

ff_adts_header_parse() parses the object_type from a 2-bit field.
See also 696ea1c2236842572df88d573e24a39be3f19c98.

Partially reverts 64bb91fd3b5a00a8849531c7e8dd207f2a626096.

Signed-off-by: Nicolas Gaullier <nicolas.gaullier@cji.paris>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bd10fa32cce741fd0dd900ab9db28cc00e3c9b7)

2 months ago avfilter/af_amerge: fix possible crash with custom layouts
Marton Balint [Thu, 27 Nov 2025 22:57:20 +0000 (23:57 +0100)]
avfilter/af_amerge: fix possible crash with custom layouts

The check if a native layout can be created from the sources was incomplete and
caused a crash with custom layouts if the layout contained a native channel
multiple times, as in this example command line:

ffmpeg -lavfi "sine[a0];sine,pan=FL+FL[a1];[a0][a1]amerge[aout]" -map "[aout]" -t 1 -f framecrc -

Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit e8b10a9b09fff6fa09178634bededf14a6ea598c)

2 months ago avcodec/vp3: Sync VLCs once during init, fix crash
Andreas Rheinhardt [Tue, 25 Nov 2025 20:02:11 +0000 (21:02 +0100)]
avcodec/vp3: Sync VLCs once during init, fix crash

6c7a344b65cb7476d1575cb1504e3a53bcbc83e7 made the VLCs shared between
threads and did so in a way that was designed to support stream
reconfigurations, so that the structure containing the VLCs was
synced in update_thread_context. The idea was that the currently
active VLCs would just be passed along between threads.

Yet this was broken by 5acbdd2264d3b90dc11369f9e031e762f260882e:
Before this commit, submit_packet() was a no-op during flushing
for VP3, as it is a no-delay decoder, so it won't produce any output
during flushing. This meant that prev_thread in pthread_frame.c
contained the last dst thread that update_thread_context()
was called for (so that these VLCs could be passed along between
threads). Yet after said commit, submit_packet was no longer
a no-op during flushing and changed prev_thread in such a way
that it did not need to contain any VLCs at all*. When flushing,
prev_thread is used to pass the current state to the first worker
thread which is the one that is used to restart decoding.
It could therefore happen that the decoding thread did not contain
the VLCs at all any more after decoding restarts after flushing
leading to a crash (this scenario was never anticipated and
must not happen at all).

There is a simple, easily backportable fix given that we do not
support stream reconfigurations (yet) when using frame threading:
Don't sync the VLCs in update_thread_context(), instead do it once
during init.

This fixes forgejo issue #20346 and trac issue #11592.

(I don't know why 5acbdd2264d3b90dc11369f9e031e762f260882e
changed submit_packet() to no longer be a no-op when draining
no-delay decoders.)

*: The exact condition for the crash is nb_threads > 2*nb_frames.

Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 90551b7d80e39c2fcde67fc65e3623bbef12590c)

3 months ago avcodec/prores_raw: add missing includes
Kacper Michajłow [Sat, 9 Aug 2025 00:48:35 +0000 (02:48 +0200)]
avcodec/prores_raw: add missing includes

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit eec391993e447aaa9b8da38c5daaa4c31849d10f)

3 months ago avfilter/stack_internal: fix checkheaders test
Kacper Michajłow [Sat, 9 Aug 2025 03:38:20 +0000 (05:38 +0200)]
avfilter/stack_internal: fix checkheaders test

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit 1a1377c53decf1264ca255910124caae82fd63a0)

3 months ago forgejo: apply needed CI changes for 8.0
Timo Rothenpieler [Sun, 30 Nov 2025 15:59:37 +0000 (16:59 +0100)]
forgejo: apply needed CI changes for 8.0

3 months ago forgejo/workflows: run tests on correct release branch
Timo Rothenpieler [Sun, 30 Nov 2025 15:44:36 +0000 (16:44 +0100)]
forgejo/workflows: run tests on correct release branch

3 months ago forgejo: backport CI changes to release/8.0
Timo Rothenpieler [Sun, 30 Nov 2025 15:42:51 +0000 (16:42 +0100)]
forgejo: backport CI changes to release/8.0

3 months ago configure: replace openssl header check with 1.1.1 API
Jack Lau [Mon, 17 Nov 2025 05:32:05 +0000 (13:32 +0800)]
configure: replace openssl header check with 1.1.1 API

Fix #20571

Avoid build errors with openssl forks (like libressl)
that lack some APIs.

This patch replaces the header check for OPENSSL_init_ssl
(was added in 1.1.0) with the OpenSSL 1.1.1 new API
DTLS_get_data_mtu.

Signed-off-by: Jack Lau <jacklau1222gm@gmail.com>
(cherry picked from commit 0486ad61ceb71b7a45976e6e45a4d2a2813aef75)

3 months ago configure: require at least OpenSSL 1.1.1 (LTS)
Kacper Michajłow [Wed, 30 Jul 2025 18:08:38 +0000 (20:08 +0200)]
configure: require at least OpenSSL 1.1.1 (LTS)

Commit f256487cd8f29f24036efa5d91a84a26b048861a bumped requirement to
1.1.0 for OPENSSL_init_ssl.

Bump this again to 1.1.1, because it was an LTS version. Although it has
no mainline support anymore, it still has paid/premium support. 1.1.0 has
no support at all.

Motivated for use of BIO_read_ex() for next commits.

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
(cherry picked from commit 113c9c6cf36a703afc5ef10bbb40f248df521425)

3 months ago configure: remove openssl version check for whip
Jack Lau [Sat, 6 Sep 2025 02:18:39 +0000 (10:18 +0800)]
configure: remove openssl version check for whip

This version check for whip is unnecessary,
since several recent patches to the configure
have already added version checks for OpenSSL.

Signed-off-by: Jack Lau <jacklau1222@qq.com>
(cherry picked from commit adc66f30ee3cbd55d42e6079d381fa1a485adb52)

3 months ago avformat/iamf_parse: ensure the stream count in a scalable channel representation...
James Almer [Tue, 25 Nov 2025 15:42:30 +0000 (12:42 -0300)]
avformat/iamf_parse: ensure the stream count in a scalable channel representation is equal to the audio element's stream count

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit faa382e5b196f2acb5bc5b159aaf06682291328b)

3 months ago avformat/iamf_parse: ensure each layout in an scalable channel representation has...
James Almer [Tue, 25 Nov 2025 13:26:27 +0000 (10:26 -0300)]
avformat/iamf_parse: ensure each layout in an scalable channel representation has an increasing number of channels

Fixes issue #21013

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 554ae5ada98cd44686ade995102d3aa2295d7b09)

3 months ago avfilter/vf_scale: don't attempt to rescale AV_NOPTS_VALUE
James Almer [Wed, 24 Sep 2025 23:31:26 +0000 (20:31 -0300)]
avfilter/vf_scale: don't attempt to rescale AV_NOPTS_VALUE

Finishes fixing issue #20589.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b9cc8e32109bba3daec1cfb6a834e45f72266b46)

3 months ago avfilter/framesync: don't attempt to rescale AV_NOPTS_VALUE
James Almer [Wed, 24 Sep 2025 23:31:11 +0000 (20:31 -0300)]
avfilter/framesync: don't attempt to rescale AV_NOPTS_VALUE

Part of a fix for issue #20589.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5614672d1bed49557f234639f7eeaf3b9c0385fe)

3 months ago avutil/hwcontext_d3d12va: fix buf size when call av_buffer_create
Zhao Zhili [Fri, 7 Nov 2025 06:35:01 +0000 (14:35 +0800)]
avutil/hwcontext_d3d12va: fix buf size when call av_buffer_create

(cherry picked from commit 36e5576a44b36698614e95956c5cb6b213c29ef3)

3 months ago avfilter/f_select: Added activate for aselect
Anders Rein [Mon, 17 Nov 2025 22:52:49 +0000 (23:52 +0100)]
avfilter/f_select: Added activate for aselect

During migration to the activation filter API the aselect filter was
accidentally turned into a no-op filter.

(cherry picked from commit 7411e902da5bb1983e54772b3d16bc2d71297ed4)

3 months ago avcodec/videotoolboxenc: fix crash with negative linesize
Zhao Zhili [Tue, 18 Nov 2025 03:02:59 +0000 (11:02 +0800)]
avcodec/videotoolboxenc: fix crash with negative linesize

(cherry picked from commit 7049df14c83a89e2d32eb138feeb692170d24dc5)

3 months ago avcodec/videotoolboxenc: improve Lock/Unlock BaseAddress error handling
Zhao Zhili [Tue, 18 Nov 2025 04:46:13 +0000 (12:46 +0800)]
avcodec/videotoolboxenc: improve Lock/Unlock BaseAddress error handling

1. Fix continue after CVPixelBufferLockBaseAddress.
2. Remove redundant "Error: " in error message.

(cherry picked from commit 0da15c93c8411f435b37ab7d504a650ee881cb0f)

3 months ago doc/filters: add section for VideoToolbox filter
Zhao Zhili [Sat, 15 Nov 2025 15:58:14 +0000 (23:58 +0800)]
doc/filters: add section for VideoToolbox filter

Move scale_vt and transpose_vt to this section. transpose_vt was
incorrectly placed in the Vulkan section previously.

(cherry picked from commit 925282fafcf844eb9ea9095a80eba81009d85b3f)

3 months ago avformat/mov: fix missing video size when some decoders are disabled
Zhao Zhili [Wed, 8 Oct 2025 15:31:11 +0000 (23:31 +0800)]
avformat/mov: fix missing video size when some decoders are disabled

Fix #20667

Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit 6b961f5963d8e362137702d38a744b45fba8ba3a)

3 months ago avformat/mov: relax check on proj box size
Zhao Zhili [Tue, 28 Oct 2025 07:43:46 +0000 (15:43 +0800)]
avformat/mov: relax check on proj box size

Pico VR adds a '\0' after projection_type (a real C string rather than
a fourcc). It's not strictly correct, but doesn't affect parsing.

[prji: Projection Information Box]
    position = 149574743
    size = 17
    version = 0
    flags = 0x000000
    projection_type = rect

Co-Authored-by: Keven Ma
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit 0734d1c55aedaf2df4a51488f9b75e42daf9f707)

3 months ago tests/fate/hevc: add a mv-hevc sample using long term ref
Zhao Zhili [Tue, 28 Oct 2025 14:30:21 +0000 (22:30 +0800)]
tests/fate/hevc: add a mv-hevc sample using long term ref

(cherry picked from commit 071db4b81cca7fe041dc41a109e84f8643c43fb5)

3 months ago avcodec/hevc: reset long_term_rps.nb_refs for IDR
Zhao Zhili [Tue, 28 Oct 2025 12:25:12 +0000 (20:25 +0800)]
avcodec/hevc: reset long_term_rps.nb_refs for IDR

For mv-hevc, the second layer of IDR frame can be a P slice.
long_term_rps wasn't reset before the patch, leading to
ff_hevc_frame_nb_refs returning an incorrect result.

This fixes decoding failure for samples from Pico VR.

(cherry picked from commit 141f5c9071e10c08d0ca35fb8b663ee17ad5f709)

3 months ago Changelog: fix spell and remove redundant descriptions
Zhao Zhili [Fri, 21 Nov 2025 04:58:41 +0000 (12:58 +0800)]
Changelog: fix spell and remove redundant descriptions

Suppress lint failure.

3 months ago Changelog: include last 3 fixes n8.0.1
Michael Niedermayer [Thu, 20 Nov 2025 01:43:51 +0000 (02:43 +0100)]
Changelog: include last 3 fixes

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avutil/common: cast GET_BYTE/GET_16BIT returned value
Zhao Zhili [Fri, 14 Nov 2025 09:23:22 +0000 (17:23 +0800)]
avutil/common: cast GET_BYTE/GET_16BIT returned value

In case GET_BYTE/GET_16BIT return a signed value.

(cherry picked from commit 0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avfilter/vf_drawtext: fix call GET_UTF8 with invalid argument
Zhao Zhili [Fri, 14 Nov 2025 08:53:07 +0000 (16:53 +0800)]
avfilter/vf_drawtext: fix call GET_UTF8 with invalid argument

For GET_UTF8(val, GET_BYTE, ERROR), val has type of uint32_t,
GET_BYTE must return an unsigned integer, otherwise signed
extension happened due to val= (GET_BYTE), and GET_UTF8 went to
the error path.

This bug incidentally cancelled the bug where hb_buffer_add_utf8
was being called with incorrect argument, allowing drawtext to
function correctly on x86 and macOS ARM, which defined char as
signed. However, on Linux and Android ARM environments, because
char is unsigned by default, GET_UTF8 now returns the correct
return, which unexpectedly revealed issue #20906.

(cherry picked from commit a5cc0e5c9e752f98e38c2a95a0893faeb1f78fa9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avfilter/vf_drawtext: fix incorrect text length
Zhao Zhili [Fri, 14 Nov 2025 08:23:10 +0000 (16:23 +0800)]
avfilter/vf_drawtext: fix incorrect text length

From the doc of HarfBuzz, what hb_buffer_add_utf8 needs is the
number of bytes, not Unicode characters:
hb_buffer_add_utf8(buf, text, strlen(text), 0, strlen(text));

Fix issue #20906.

(cherry picked from commit 9bc3c572eaaab559a7258c392528e7a1cad2a9b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
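
The two drawtext commits above concern a byte fetch that sign-extends into a `uint32_t` and a byte count confused with a character count. The C below is an added example, not FFmpeg code: the decoder is a simplified model of a macro-style UTF-8 reader, and `fetch`, `decode_one`, `count_codepoints` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 'h' followed by U+00E9 (bytes C3 A9): 3 bytes, 2 code points. */
static const unsigned char SAMPLE[] = { 'h', 0xC3, 0xA9 };

/* Byte fetch assigned to a uint32_t, as in val = (GET_BYTE).
 * as_signed=1 models a platform where plain char is signed. */
static uint32_t fetch(unsigned char b, int as_signed)
{
    return as_signed ? (uint32_t)(int)(signed char)b : (uint32_t)b;
}

/* Decode one UTF-8 sequence. Returns bytes consumed, or -1 on error. */
static int decode_one(const unsigned char *s, size_t len, int as_signed, uint32_t *out)
{
    size_t i = 0;
    uint32_t val, top;

    if (len == 0)
        return -1;
    val = fetch(s[i++], as_signed);
    top = (val & 128) >> 1;
    /* A sign-extended lead byte such as 0xFFFFFFC3 trips the >= 0xFE test. */
    if ((val & 0xc0) == 0x80 || val >= 0xFE)
        return -1;
    while (val & top) {
        uint32_t tmp;
        if (i >= len)
            return -1;
        tmp = fetch(s[i++], as_signed) - 128;
        if (tmp >> 6)
            return -1;
        val = (val << 6) + tmp;
        top <<= 5;
    }
    val &= (top << 1) - 1;
    *out = val;
    return (int)i;
}

/* Count code points in s[0..len). Returns -1 if decoding fails. */
static int count_codepoints(const unsigned char *s, size_t len, int as_signed)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        uint32_t cp;
        int used = decode_one(s + pos, len - pos, as_signed, &cp);
        if (used < 0)
            return -1;
        pos += (size_t)used;
        n++;
    }
    return n;
}

int main(void)
{
    printf("bytes=%zu unsigned=%d signed=%d\n", sizeof(SAMPLE),
           count_codepoints(SAMPLE, sizeof(SAMPLE), 0),
           count_codepoints(SAMPLE, sizeof(SAMPLE), 1));
    return 0;
}
```

The byte length (3) is what a byte-oriented call such as `hb_buffer_add_utf8` expects according to the commit message; the code-point count (2) is smaller for any non-ASCII text.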

3 months ago Update for 8.0.1
Michael Niedermayer [Wed, 19 Nov 2025 02:51:22 +0000 (03:51 +0100)]
Update for 8.0.1

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avfilter/vf_drawtext: Account for bbox text seperator
Michael Niedermayer [Sat, 1 Nov 2025 00:29:32 +0000 (01:29 +0100)]
avfilter/vf_drawtext: Account for bbox text seperator

Fixes: out of array access
no test case

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer...
Michael Niedermayer [Fri, 31 Oct 2025 22:31:40 +0000 (23:31 +0100)]
avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer() contains channel * sample_size

Fixes: out of array access
no testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 41a9c6ec5f75d8737da3e38223b8c4e923703401)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/rv60dec: Clear blk_info
Michael Niedermayer [Sun, 9 Nov 2025 15:03:32 +0000 (16:03 +0100)]
avcodec/rv60dec: Clear blk_info

Fixes: use of uninitialized memory
Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 729d0379ab6acb48d55c11ec9bb1b917e94765d6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/whip: Fix rtp_ctx->streams access
Michael Niedermayer [Fri, 31 Oct 2025 17:00:11 +0000 (18:00 +0100)]
avformat/whip: Fix rtp_ctx->streams access

Fixes: out of array access
No testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c199b3d48ffa29519a3bd8fb47b31bf6ba6a242f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
Michael Niedermayer [Sat, 8 Nov 2025 22:22:56 +0000 (23:22 +0100)]
avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()

Fixes: use of uninitialized memory
Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/osq: Fix 32bit sample overflow
Michael Niedermayer [Sat, 12 Jul 2025 23:34:17 +0000 (01:34 +0200)]
avcodec/osq: Fix 32bit sample overflow

Fixes: signed integer overflow: 2147483565 + 128 cannot be represented in type 'int'
Fixes: 428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08816b93760f43433a07e980fa9eeab4135de78c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtpdec_rfc4175: Only change PayloadContext on success
Michael Niedermayer [Fri, 31 Oct 2025 15:27:56 +0000 (16:27 +0100)]
avformat/rtpdec_rfc4175: Only change PayloadContext on success

Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtpdec_rfc4175: Check dimensions
Michael Niedermayer [Fri, 31 Oct 2025 15:28:49 +0000 (16:28 +0100)]
avformat/rtpdec_rfc4175: Check dimensions

Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175

Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtpdec_rfc4175: Fix memleak of sampling
Michael Niedermayer [Fri, 31 Oct 2025 15:17:27 +0000 (16:17 +0100)]
avformat/rtpdec_rfc4175: Fix memleak of sampling

Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/http: Fix off by 1 error
Michael Niedermayer [Fri, 31 Oct 2025 16:32:56 +0000 (17:32 +0100)]
avformat/http: Fix off by 1 error

Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte

Found-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: spelling
Michael Niedermayer [Sat, 8 Nov 2025 00:17:46 +0000 (01:17 +0100)]
avcodec/exr: spelling

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/rv60dec: add upper bound check for qp
oblivionsage [Fri, 7 Nov 2025 17:08:14 +0000 (18:08 +0100)]
avcodec/rv60dec: add upper bound check for qp

The quantization parameter (qp) can exceed 63 when the base value
from frame header (0-63) is combined with the offset from slice data
(up to +2), resulting in qp=65. This causes out-of-bounds access to
the rv60_qp_to_idx[64] array in decode_cbp8(), decode_cbp16(), and
get_c4x4_set().

Fixes: Out-of-bounds read
Signed-off-by: oblivionsage <cookieandcream560@gmail.com>
No testsample is available

This is related to 61cbcaf93f3b2e10124f4c63ce7cd8dad6505fb2 and clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5160167345291264
which fixed rv60_qp_to_idx[qp + 32] out of array access
These 2 checks are not redundant and neither covers the cases of the other

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8abeb879df66ea8d27ce1735925ced5a30813de4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: use tile dimensions in pxr24 UINT case
veygax [Sun, 2 Nov 2025 02:35:40 +0000 (02:35 +0000)]
avcodec/exr: use tile dimensions in pxr24 UINT case

Update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.

Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <veyga@veygax.dev>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: Simple check for available channels
Michael Niedermayer [Thu, 18 Sep 2025 22:20:36 +0000 (00:20 +0200)]
avcodec/exr: Simple check for available channels

The existing is_luma check is fragile as depending on the order
of channels it can be set or reset

No testcase

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/sctp: Check size in sctp_write()
Michael Niedermayer [Fri, 31 Oct 2025 22:08:45 +0000 (23:08 +0100)]
avformat/sctp: Check size in sctp_write()

Fixes: out of array access
No testcase

Found-by: Joshua Rogers <joshua@joshua.hu> with ZeroPath
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtmpproto: consider command line argument lengths
Michael Niedermayer [Thu, 30 Oct 2025 22:20:41 +0000 (23:20 +0100)]
avformat/rtmpproto: consider command line argument lengths

Fixes: out of array access
Fixes: zeropath/rtmp-2025-10

Found-by: Joshua Rogers <joshua@joshua.hu>
Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtmpproto_ Check tcurl and flashver length
Michael Niedermayer [Thu, 30 Oct 2025 22:05:57 +0000 (23:05 +0100)]
avformat/rtmpproto_ Check tcurl and flashver length

Fixes: out of array accesses

Reviewed-by: Joshua Rogers <joshua@joshua.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/g723_1enc: Make min_err 64bit
Michael Niedermayer [Mon, 6 Oct 2025 23:58:34 +0000 (01:58 +0200)]
avcodec/g723_1enc: Make min_err 64bit

This is intended to fix the case described in https://lists.ffmpeg.org/archives/list/ffmpeg-devel@ffmpeg.org/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
where FCBParam optim is used uninitialized.

A min_err of 1<<30 allows the struct to be never initialized, as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible.

Untested, as I do not have the testcase

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
Michael Niedermayer [Wed, 6 Aug 2025 10:49:49 +0000 (12:49 +0200)]
avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()

Fixes: use of uninitialized memory
Fixes: 427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689
Fixes: 445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632

the multi vlc code will otherwise return uninitialized data. Now one can argue that this data should
not be used, but on errors this data can remain ...

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d8ffec5bf9a2803f55cc0822a97b7815f24bee83)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
Michael Niedermayer [Fri, 24 Oct 2025 18:29:23 +0000 (20:29 +0200)]
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()

Fixes: memcpy with negative size
Fixes: momo_trip-poc/input

Reported-by: Momoko Shiraishi <shiraishi@os.is.s.u-tokyo.ac.jp>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/ffv1enc: Consider variation in slice sizes
Michael Niedermayer [Thu, 3 Jul 2025 18:27:15 +0000 (20:27 +0200)]
avcodec/ffv1enc: Consider variation in slice sizes

When splitting a 5 lines image in 2 slices one will be 3 lines and thus need more space

Fixes: Assertion sc->slice_coding_mode == 0 failed at libavcodec/ffv1enc.c:1668
Fixes: 422811239/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_fuzzer-4933405139861504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 388e6fb3be63f88bc62ebda35ca0fc96e99ceed5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago libavcodec/cbs_apv_syntax_template: limit tile to 2gb
Michael Niedermayer [Thu, 3 Jul 2025 20:12:43 +0000 (22:12 +0200)]
libavcodec/cbs_apv_syntax_template: limit tile to 2gb

We do not support larger tiles as we use signed int
Alternatively we can check this in apv_decode_tile_component() or init_get_bits*()
or support bitstreams above 2gb length

Fixes: init_get_bits() failure later
Fixes: 421817631/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APV_fuzzer-4957386534354944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4666c1eed37385484c8e34998b3fe2e5c86d4e08)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago swscale/output: Fix unsigned cast position in yuv2*
Michael Niedermayer [Mon, 13 Oct 2025 12:46:16 +0000 (14:46 +0200)]
swscale/output: Fix unsigned cast position in  yuv2*

Fixes: signed overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 566e9032b1dee8ed4b8bf5faae0b1f9aa873197f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Michael Niedermayer [Mon, 13 Oct 2025 12:32:45 +0000 (14:32 +0200)]
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()

Found-by: colod colod <colodcolod7@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: Check that DWA has 3 channels
Michael Niedermayer [Thu, 18 Sep 2025 22:18:30 +0000 (00:18 +0200)]
avcodec/exr: Check that DWA has 3 channels

The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr

Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: check ac_size
Michael Niedermayer [Thu, 18 Sep 2025 15:32:46 +0000 (17:32 +0200)]
avcodec/exr: check ac_size

Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr

The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly

Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/exr: Round dc_w/h up
Michael Niedermayer [Thu, 18 Sep 2025 19:28:04 +0000 (21:28 +0200)]
avcodec/exr: Round dc_w/h up

Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file

Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr

Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago avcodec/mjpegdec: Explain buf_size/width/height check
Michael Niedermayer [Thu, 11 Sep 2025 18:12:55 +0000 (20:12 +0200)]
avcodec/mjpegdec: Explain buf_size/width/height check

Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

3 months ago configure: strip non numeric trailer from gcc version
Michael Niedermayer [Sun, 21 Sep 2025 14:49:45 +0000 (16:49 +0200)]
configure: strip non numeric trailer from gcc version

Fixes: ../configure: 7820: [: Illegal number: 13-win32

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1cbc7c8ff515159130bc4290ef6ab204e7101e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>