From d8745de6ae6c6272fb33f696842cedae2c3eaad1 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 27 Apr 2013 18:01:51 +0200 Subject: [PATCH 1/4] indeo3: fix off by one in MV validity check CC:libav-stable@libav.org (cherry picked from commit 95220be1faac628d849a004644c0d102df0aa98b) Signed-off-by: Luca Barbato --- libavcodec/indeo3.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index eacd15043a..f2f7c09d98 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -236,8 +236,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell) /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; @@ -607,8 +607,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx, /* -1 because there is an extra line on top for prediction */ if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 || - ((cell->ypos + cell->height) << 2) + mv_y >= plane->height || - ((cell->xpos + cell->width) << 2) + mv_x >= plane->width) { + ((cell->ypos + cell->height) << 2) + mv_y > plane->height || + ((cell->xpos + cell->width) << 2) + mv_x > plane->width) { av_log(ctx->avctx, AV_LOG_ERROR, "Motion vectors point out of the frame.\n"); return AVERROR_INVALIDDATA; From 5aac0811100ee5db9d03d7488b69cc321854da70 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 1 May 2013 19:01:11 +0200 Subject: [PATCH 2/4] id3v2: check for end of file while unescaping tags Prevent an out of buffer bound write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org (cherry picked from commit af4cc2605c7a56ecfd84c264aa2b325020418472) Signed-off-by: Luca Barbato --- libavformat/id3v2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index 7f39a47428..5cc17c4f3e 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -626,9 +626,10 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t goto seek; } b = buffer; - while (avio_tell(s->pb) < end) { + while (avio_tell(s->pb) < end && !s->pb->eof_reached) { *b++ = avio_r8(s->pb); - if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) { + if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1 && + !s->pb->eof_reached ) { uint8_t val = avio_r8(s->pb); *b++ = val ? val : avio_r8(s->pb); } From ddeb6eeeb1c1343ef40d276335e58a6d75ebd5ba Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Tue, 16 Apr 2013 21:53:56 +0200 Subject: [PATCH 3/4] afifo: fix request_samples on the last frame in certain cases The current code can fail to return the last frame if it contains exactly the requested number of samples. Fixes the join filter test, which previously did not include the last 408 samples in most cases. CC:libav-stable@libav.org Signed-off-by: Diego Biurrun (cherry picked from commit 9bfc6e02bae9de354fb9ba09a8a140e83eeadf7d) Signed-off-by: Reinhard Tartler Conflicts: libavfilter/fifo.c tests/fate/filter-audio.mak --- libavfilter/fifo.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/libavfilter/fifo.c b/libavfilter/fifo.c index 88c44fe3b9..3faa84fd55 100644 --- a/libavfilter/fifo.c +++ b/libavfilter/fifo.c @@ -184,8 +184,25 @@ static int return_audio_frame(AVFilterContext *ctx) } while (s->buf_out->audio->nb_samples < s->allocated_samples) { - int len = FFMIN(s->allocated_samples - s->buf_out->audio->nb_samples, - head->audio->nb_samples); + int len; + + if (!s->root.next && + (ret = ff_request_frame(ctx->inputs[0])) < 0) { + if (ret == AVERROR_EOF) { + av_samples_set_silence(s->buf_out->extended_data, + s->buf_out->audio->nb_samples, + s->allocated_samples - + s->buf_out->audio->nb_samples, + nb_channels, link->format); + s->buf_out->audio->nb_samples = s->allocated_samples; + break; + } + return ret; + } + head = s->root.next->buf; + + len = FFMIN(s->allocated_samples - s->buf_out->audio->nb_samples, + head->audio->nb_samples); av_samples_copy(s->buf_out->extended_data, head->extended_data, s->buf_out->audio->nb_samples, 0, len, nb_channels, @@ -195,21 +212,6 @@ static int return_audio_frame(AVFilterContext *ctx) if (len == head->audio->nb_samples) { avfilter_unref_buffer(head); queue_pop(s); - - if (!s->root.next && - (ret = ff_request_frame(ctx->inputs[0])) < 0) { - if (ret == AVERROR_EOF) { - av_samples_set_silence(s->buf_out->extended_data, - s->buf_out->audio->nb_samples, - s->allocated_samples - - s->buf_out->audio->nb_samples, - nb_channels, link->format); - s->buf_out->audio->nb_samples = s->allocated_samples; - break; - } - return ret; - } - head = s->root.next->buf; } else { buffer_offset(link, head, len); } From 0662967d2bbdbe90540eaa8c847f521fa4b75aab Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Fri, 26 Apr 2013 09:54:59 +0200 Subject: [PATCH 4/4] hls, segment: fix splitting for audio-only streams. CC:libav-stable@libav.org (cherry picked from commit cf679b9476727a237c8006c685ace18acba149ab) Signed-off-by: Reinhard Tartler --- libavformat/hlsenc.c | 12 +++++++----- libavformat/segment.c | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 4f74b5f04b..c4c0217211 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c @@ -250,18 +250,20 @@ static int hls_write_packet(AVFormatContext *s, AVPacket *pkt) AVFormatContext *oc = hls->avf; AVStream *st = s->streams[pkt->stream_index]; int64_t end_pts = hls->recording_time * hls->number; - int ret; + int ret, can_split = 1; if (hls->start_pts == AV_NOPTS_VALUE) { hls->start_pts = pkt->pts; hls->end_pts = pkt->pts; } - if ((hls->has_video && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) && - av_compare_ts(pkt->pts - hls->start_pts, st->time_base, - end_pts, AV_TIME_BASE_Q) >= 0 && - pkt->flags & AV_PKT_FLAG_KEY) { + if (hls->has_video) { + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + pkt->flags & AV_PKT_FLAG_KEY; + } + if (can_split && av_compare_ts(pkt->pts - hls->start_pts, st->time_base, + end_pts, AV_TIME_BASE_Q) >= 0) { ret = append_entry(hls, av_rescale(pkt->pts - hls->end_pts, st->time_base.num, st->time_base.den)); diff --git a/libavformat/segment.c b/libavformat/segment.c index 8afb41f93d..d79a32798e 100644 --- a/libavformat/segment.c +++ b/libavformat/segment.c @@ -272,13 +272,15 @@ static int seg_write_packet(AVFormatContext *s, AVPacket *pkt) AVFormatContext *oc = seg->avf; AVStream *st = s->streams[pkt->stream_index]; int64_t end_pts = seg->recording_time * seg->number; - int ret; + int ret, can_split = 1; - if ((seg->has_video && st->codec->codec_type == AVMEDIA_TYPE_VIDEO) && - av_compare_ts(pkt->pts, st->time_base, - end_pts, AV_TIME_BASE_Q) >= 0 && - pkt->flags & AV_PKT_FLAG_KEY) { + if (seg->has_video) { + can_split = st->codec->codec_type == AVMEDIA_TYPE_VIDEO && + pkt->flags & AV_PKT_FLAG_KEY; + } + if (can_split && av_compare_ts(pkt->pts, st->time_base, end_pts, + AV_TIME_BASE_Q) >= 0) { av_log(s, AV_LOG_DEBUG, "Next segment starts at %d %"PRId64"\n", pkt->stream_index, pkt->pts);