From 9125aa9218c3ff2ae89ef2094c9138438dbeec70 Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Thu, 27 Sep 2012 19:25:06 +0200 Subject: [PATCH 1/5] vc1dec: add flush function for WMV9 and VC-1 decoders CC: libav-stable@libav.org (cherry picked from commit 4dc8c8386eef942dba35c4f2fb3210e22b511a5b) Signed-off-by: Anton Khirnov (cherry picked from commit 02b72394627933dc8ce26445231a69f00dba491b) Conflicts: libavcodec/vc1dec.c Signed-off-by: Anton Khirnov (cherry picked from commit 0173a7966b331105158a88f96b9afcc431d2fef8) Signed-off-by: Anton Khirnov (cherry picked from commit aa4121276777b20eaaa83bf9bd544b00748c865c) Conflicts: libavcodec/vc1dec.c Signed-off-by: Anton Khirnov --- libavcodec/vc1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 619e9030cb..3b8cd22933 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c @@ -4347,6 +4347,7 @@ AVCodec vc1_decoder = { vc1_decode_frame, CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("SMPTE VC-1"), .pix_fmts = ff_pixfmt_list_420 }; @@ -4362,6 +4363,7 @@ AVCodec wmv3_decoder = { vc1_decode_frame, CODEC_CAP_DELAY, NULL, + .flush = ff_mpeg_flush, .long_name = NULL_IF_CONFIG_SMALL("Windows Media Video 9"), .pix_fmts = ff_pixfmt_list_420 }; From f695be22d89aab1e0549e6ef04b1431c7db96316 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 6 Aug 2012 13:59:04 +0200 Subject: [PATCH 2/5] nuv: check RTjpeg header for validity CC: libav-stable@libav.org (cherry picked from commit 859a579e9bbf47fae2e09494c43bcf813dcb2fad) Signed-off-by: Anton Khirnov (cherry picked from commit 6704522ca9dd32c858ee474492be568c386910f9) Signed-off-by: Anton Khirnov (cherry picked from commit f31170d4e7f9671e019315391160d454b18d7296) Signed-off-by: Anton Khirnov (cherry picked from commit 459feb7cce03af7154c098171fc9d36fc9d472f6) Signed-off-by: Anton Khirnov --- libavcodec/nuv.c | 9 +++++---- libavcodec/rtjpeg.h | 3 +++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 109ef41a8c..64ba3ccc10 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -182,17 +182,18 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, } if (c->codec_frameheader) { int w, h, q; - if (buf_size < 12) { + if (buf_size < RTJPEG_HEADER_SIZE || buf[4] != RTJPEG_HEADER_SIZE || + buf[5] != RTJPEG_FILE_VERSION) { av_log(avctx, AV_LOG_ERROR, "invalid nuv video frame\n"); - return -1; + return AVERROR_INVALIDDATA; } w = AV_RL16(&buf[6]); h = AV_RL16(&buf[8]); q = buf[10]; if (!codec_reinit(avctx, w, h, q)) return -1; - buf = &buf[12]; - buf_size -= 12; + buf = &buf[RTJPEG_HEADER_SIZE]; + buf_size -= RTJPEG_HEADER_SIZE; } if (keyframe && c->pic.data[0]) diff --git a/libavcodec/rtjpeg.h b/libavcodec/rtjpeg.h index 02f2058b2c..c12a78c67b 100644 --- a/libavcodec/rtjpeg.h +++ b/libavcodec/rtjpeg.h @@ -25,6 +25,9 @@ #include #include "dsputil.h" +#define RTJPEG_FILE_VERSION 0 +#define RTJPEG_HEADER_SIZE 12 + typedef struct { int w, h; DSPContext *dsp; From 7296a6b5e9c22be515f7bd60a3c6c293691de3f8 Mon Sep 17 00:00:00 2001 From: Janne Grunau Date: Mon, 2 Jul 2012 10:46:39 +0200 Subject: [PATCH 3/5] imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt CC: libav-stable@libav.org (cherry picked from commit 39bb27bf79bc4c2d8beaed637a14176264cb1916) Signed-off-by: Anton Khirnov (cherry picked from commit 7a7229b52d1900279041991fadbd29b27e8dfe95) Signed-off-by: Anton Khirnov (cherry picked from commit 8812b5f164109553f009ce385e17a1af16b6ea53) Signed-off-by: Anton Khirnov (cherry picked from commit fd7426ed898533bed98e6b472ff5f5c8e47f2eb5) Signed-off-by: Anton Khirnov --- libavcodec/imgconvert.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 1e0c66de84..eecd12535e 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -890,7 +890,8 @@ static int avcodec_find_best_pix_fmt1(int64_t pix_fmt_mask, /* find exact color match with smallest size */ dst_pix_fmt = -1; min_dist = 0x7fffffff; - for(i = 0;i < PIX_FMT_NB; i++) { + /* test only the first 64 pixel formats to avoid undefined behaviour */ + for (i = 0; i < 64; i++) { if (pix_fmt_mask & (1ULL << i)) { loss = avcodec_get_pix_fmt_loss(i, src_pix_fmt, has_alpha) & loss_mask; if (loss == 0) { From 6d6373dc6441b26271d37ec372507e29c0123a88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 20 Nov 2011 17:19:25 +0100 Subject: [PATCH 4/5] mpegvideo: Don't use ff_mspel_motion() for vc1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using ff_mspel_motion assumes that s (a MpegEncContext poiinter) really is a Wmv2Context. This fixes crashes in error resilience on vc1/wmv3 videos. CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 18f2d5cb9c48d06895960f37467576725c9dc2d1) Signed-off-by: Anton Khirnov (cherry picked from commit da0c457663479bc1828918e1bb3e4a5e4de0d557) Signed-off-by: Anton Khirnov (cherry picked from commit 899d95efe12f1e250b361837c1c8c06df9ac9b86) Signed-off-by: Anton Khirnov (cherry picked from commit c82ae85a8a78a98f7c7fea68d24a4ac0ca74d01f) Conflicts: libavcodec/mpegvideo_common.h Signed-off-by: Anton Khirnov --- libavcodec/mpegvideo_common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h index cf66dc7fbb..6c39ac7325 100644 --- a/libavcodec/mpegvideo_common.h +++ b/libavcodec/mpegvideo_common.h @@ -727,7 +727,7 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s, 0, 0, 0, ref_picture, pix_op, qpix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); - }else if(!is_mpeg12 && CONFIG_WMV2 && s->mspel){ + }else if(!is_mpeg12 && CONFIG_WMV2 && s->mspel && s->codec_id == CODEC_ID_WMV2){ ff_mspel_motion(s, dest_y, dest_cb, dest_cr, ref_picture, pix_op, s->mv[dir][0][0], s->mv[dir][0][1], 16); From 0dfcbe5285f04964f5de5e15a4bfbf83fb9fd082 Mon Sep 17 00:00:00 2001 From: Mina Nagy Zaki Date: Wed, 8 Jun 2011 19:24:25 +0300 Subject: [PATCH 5/5] lavfi: avfilter_merge_formats: handle case where inputs are same This fixes a double-free crash if lists are the same due to the two merge_ref() calls at the end of the (useless) merging that happens. Signed-off-by: Anton Khirnov (cherry picked from commit 11b6a82412bcd372adf694a26d83b07d337e1325) Conflicts: libavfilter/formats.c Signed-off-by: Reinhard Tartler (cherry picked from commit e5f4e249422834f727bcd432b73af971277f1371) Signed-off-by: Anton Khirnov (cherry picked from commit b6c5848a1f8fc2755ea70d325acaddae9fac45ab) Signed-off-by: Anton Khirnov (cherry picked from commit a4e277312cacfb78ef7583ed0b4fe4ccf5a0bcb1) Signed-off-by: Anton Khirnov --- libavfilter/formats.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/formats.c b/libavfilter/formats.c index 33fec163a5..c91f8b2cf8 100644 --- a/libavfilter/formats.c +++ b/libavfilter/formats.c @@ -43,6 +43,9 @@ AVFilterFormats *avfilter_merge_formats(AVFilterFormats *a, AVFilterFormats *b) AVFilterFormats *ret; unsigned i, j, k = 0; + if (a == b) + return a; + ret = av_mallocz(sizeof(AVFilterFormats)); /* merge list of formats */