Version in base suite: 5.1.7-0+deb12u1 Base version: ffmpeg_5.1.7-0+deb12u1 Target version: ffmpeg_5.1.8-0+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/ffmpeg/ffmpeg_5.1.7-0+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/ffmpeg/ffmpeg_5.1.8-0+deb12u1.dsc Changelog | 33 +++++++++++++++++++++ RELEASE | 2 - VERSION | 2 - debian/changelog | 6 +++ doc/Doxyfile | 2 - fftools/ffmpeg_opt.c | 9 ++++- libavcodec/aacdec_template.c | 3 + libavcodec/aacenc_tns.c | 40 +++++++++++++++++-------- libavcodec/aarch64/h264pred_neon.S | 13 +++----- libavcodec/dxv.c | 2 + libavcodec/exr.c | 57 +++++++++++++++++++++++++++++-------- libavcodec/g723_1.h | 2 - libavcodec/g723_1enc.c | 2 - libavcodec/mjpegdec.c | 2 + libavcodec/sanm.c | 5 +++ libavcodec/utvideodec.c | 4 +- libavcodec/x86/pngdsp.asm | 1 libavfilter/vf_drawtext.c | 2 - libavformat/avidec.c | 2 - libavformat/aviobuf.c | 2 - libavformat/http.c | 2 - libavformat/lrcdec.c | 2 - libavformat/rtmpproto.c | 27 ++++++++++++++++- libavformat/rtpdec_rfc4175.c | 28 +++++++++++++----- libavformat/rtpenc_h264_hevc.c | 3 + libavformat/sctp.c | 3 + libavutil/common.h | 8 ++--- libswscale/output.c | 4 +- 28 files changed, 208 insertions(+), 60 deletions(-) diff -Nru ffmpeg-5.1.7/Changelog ffmpeg-5.1.8/Changelog --- ffmpeg-5.1.7/Changelog 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/Changelog 2025-11-26 02:41:35.000000000 +0000 @@ -1,6 +1,39 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.1.8: + avutil/common: cast GET_BYTE/GET_16BIT returned value + avfilter/vf_drawtext: Account for bbox text seperator + avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il() + avformat/rtpdec_rfc4175: Only change PayloadContext on success + avformat/rtpdec_rfc4175: Check dimensions + avformat/rtpdec_rfc4175: Fix memleak of sampling + avformat/http: Fix off by 1 error + avcodec/exr: spelling + avcodec/exr: use tile dimensions in pxr24 UINT case + avcodec/exr: Simple check for available channels + avformat/sctp: Check size in sctp_write() + avformat/rtmpproto: consider command line argument lengths + avformat/rtmpproto_ Check tcurl and flashver length + avcodec/g723_1enc: Make min_err 64bit + avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc() + swscale/output: Fix integer overflow in yuv2ya16_X_c_template() + avcodec/exr: Check that DWA has 3 channels + avcodec/exr: check ac_size + avcodec/exr: Round dc_w/h up + avcodec/mjpegdec: Explain buf_size/width/height check + avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX + fftools/ffmpeg_mux_init: Fix double-free on error + avformat/aviobuf: Keep checksum_ptr consistent in avio_seek() + aacenc_tns: clamp filter direction energy measurement + avcodec/dxv: Check coded_height, to avoid invalid av_clip() + avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new frame if it has no frame + avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32 + avcodec/sanm: Check w,h,left,top + avcodec/utvideodec: Clear plane_start array + lavc/aarch64: Fix addp overflow in ff_pred16x16_plane_neon_10 + avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction + version 5.1.7: avcodec/exr: Check rle_raw_data and surroundings diff -Nru ffmpeg-5.1.7/RELEASE ffmpeg-5.1.8/RELEASE --- ffmpeg-5.1.7/RELEASE 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/RELEASE 2025-11-26 02:41:35.000000000 +0000 @@ -1 +1 @@ -5.1.7 +5.1.8 diff -Nru ffmpeg-5.1.7/VERSION ffmpeg-5.1.8/VERSION --- ffmpeg-5.1.7/VERSION 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/VERSION 2025-11-26 02:41:35.000000000 +0000 @@ -1 +1 @@ -5.1.7 +5.1.8 diff -Nru ffmpeg-5.1.7/debian/changelog ffmpeg-5.1.8/debian/changelog --- ffmpeg-5.1.7/debian/changelog 2025-08-24 20:59:40.000000000 +0000 +++ ffmpeg-5.1.8/debian/changelog 2025-12-05 21:14:02.000000000 +0000 @@ -1,3 +1,9 @@ +ffmpeg (7:5.1.8-0+deb12u1) bookworm-security; urgency=medium + + * New upstream version 5.1.8 + + -- Sebastian Ramacher Fri, 05 Dec 2025 22:14:02 +0100 + ffmpeg (7:5.1.7-0+deb12u1) bookworm-security; urgency=medium * New upstream version 5.1.7 diff -Nru ffmpeg-5.1.7/doc/Doxyfile ffmpeg-5.1.8/doc/Doxyfile --- ffmpeg-5.1.7/doc/Doxyfile 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/doc/Doxyfile 2025-11-26 02:41:35.000000000 +0000 @@ -38,7 +38,7 @@ # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 5.1.7 +PROJECT_NUMBER = 5.1.8 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff -Nru ffmpeg-5.1.7/fftools/ffmpeg_opt.c ffmpeg-5.1.8/fftools/ffmpeg_opt.c --- ffmpeg-5.1.7/fftools/ffmpeg_opt.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/fftools/ffmpeg_opt.c 2025-11-26 02:41:35.000000000 +0000 @@ -2054,6 +2054,7 @@ int channels = 0; char *layout = NULL; char *sample_fmt = NULL; + const char *apad = NULL; MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st); if (channels) { @@ -2091,8 +2092,12 @@ MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st); - MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st); - ost->apad = av_strdup(ost->apad); + MATCH_PER_STREAM_OPT(apad, str, apad, oc, st); + if (apad) { + ost->apad = av_strdup(apad); + if (!ost->apad) + exit_program(1); + } ost->avfilter = get_ost_filters(o, oc, ost); if (!ost->avfilter) diff -Nru ffmpeg-5.1.7/libavcodec/aacdec_template.c ffmpeg-5.1.8/libavcodec/aacdec_template.c --- ffmpeg-5.1.7/libavcodec/aacdec_template.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/aacdec_template.c 2025-11-26 02:41:35.000000000 +0000 @@ -540,6 +540,9 @@ uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }}; uint8_t type_counts[TYPE_END] = { 0 }; + if (get_new_frame && !ac->frame) + return AVERROR_INVALIDDATA; + if (ac->oc[1].layout_map != layout_map) { memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0])); ac->oc[1].layout_map_tags = tags; diff -Nru ffmpeg-5.1.7/libavcodec/aacenc_tns.c ffmpeg-5.1.8/libavcodec/aacenc_tns.c --- ffmpeg-5.1.7/libavcodec/aacenc_tns.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/aacenc_tns.c 2025-11-26 02:41:35.000000000 +0000 @@ -173,6 +173,7 @@ sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2; const int sfb_len = sfb_end - sfb_start; const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start]; + const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; if (coef_len <= 0 || sfb_len <= 0) { sce->tns.present = 0; @@ -180,16 +181,30 @@ } for (w = 0; w < sce->ics.num_windows; w++) { - float en[2] = {0.0f, 0.0f}; - int oc_start = 0, os_start = 0; + float en[4] = {0.0f, 0.0f, 0.0f, 0.0f}; + int oc_start = 0; int coef_start = sce->ics.swb_offset[sfb_start]; - for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { - FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; - if (g > sfb_start + (sfb_len/2)) - en[1] += band->energy; - else - en[0] += band->energy; + if (n_filt == 2) { + for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { + FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; + if (g > sfb_start + (sfb_len/2)) + en[1] += band->energy; /* End */ + else + en[0] += band->energy; /* Start */ + } + en[2] = en[0]; + } else { + for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) { + FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g]; + if (g > sfb_start + (sfb_len/2) + (sfb_len/4)) + en[2] += band->energy; /* End */ + else if (g > sfb_start + (sfb_len/2) - (sfb_len/4)) + en[1] += band->energy; /* Middle */ + else + en[0] += band->energy; /* Start */ + } + en[3] = en[0]; } /* LPC */ @@ -199,15 +214,14 @@ if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH) continue; - tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3; + tns->n_filt[w] = n_filt; for (g = 0; g < tns->n_filt[w]; g++) { - tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g]; - tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start; - tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start; + tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1]; + tns->order[w][g] = order/tns->n_filt[w]; + tns->length[w][g] = sfb_len/tns->n_filt[w]; quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g], tns->order[w][g], c_bits); oc_start += tns->order[w][g]; - os_start += tns->length[w][g]; } count++; } diff -Nru ffmpeg-5.1.7/libavcodec/aarch64/h264pred_neon.S ffmpeg-5.1.8/libavcodec/aarch64/h264pred_neon.S --- ffmpeg-5.1.7/libavcodec/aarch64/h264pred_neon.S 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/aarch64/h264pred_neon.S 2025-11-26 02:41:35.000000000 +0000 @@ -489,10 +489,10 @@ mul v2.8h, v2.8h, v0.8h mul v3.8h, v3.8h, v0.8h addp v2.8h, v2.8h, v3.8h - addp v2.8h, v2.8h, v2.8h - addp v2.4h, v2.4h, v2.4h - sshll v3.4s, v2.4h, #2 - saddw v2.4s, v3.4s, v2.4h + saddlp v2.4s, v2.8h + addp v2.4s, v2.4s, v2.4s + shl v3.4s, v2.4s, #2 + add v2.4s, v3.4s, v2.4s rshrn v4.4h, v2.4s, #6 trn2 v5.4h, v4.4h, v4.4h add v2.4h, v4.4h, v5.4h @@ -506,14 +506,13 @@ sxtl v6.4s, v5.4h // c mov v0.h[0], wzr - mul v0.8h, v0.8h, v4.h[0] dup v16.4s, v2.s[0] dup v17.4s, v2.s[0] dup v2.8h, v4.h[0] // b dup v3.4s, v6.s[0] // c sshll v2.4s, v2.4h, #3 // b * 8 - saddw v16.4s, v16.4s, v0.4h - saddw2 v17.4s, v17.4s, v0.8h + smlal v16.4s, v0.4h, v4.h[0] + smlal2 v17.4s, v0.8h, v4.h[0] sub v3.4s, v3.4s, v2.4s mov w3, #16 diff -Nru ffmpeg-5.1.7/libavcodec/dxv.c ffmpeg-5.1.8/libavcodec/dxv.c --- ffmpeg-5.1.7/libavcodec/dxv.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/dxv.c 2025-11-26 02:41:35.000000000 +0000 @@ -1147,6 +1147,8 @@ ctx->tex_rat = 1; break; } + if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1) + return AVERROR_INVALIDDATA; ctx->slice_count = av_clip(avctx->thread_count, 1, avctx->coded_height / FFMAX(ctx->texture_block_h, diff -Nru ffmpeg-5.1.7/libavcodec/exr.c ffmpeg-5.1.8/libavcodec/exr.c --- ffmpeg-5.1.7/libavcodec/exr.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/exr.c 2025-11-26 02:41:35.000000000 +0000 @@ -173,6 +173,9 @@ int is_luma;/* 1 if there is an Y plane */ +#define M(chr) (1<xdelta; - ptr[2] = ptr[1] + s->xdelta; - ptr[3] = ptr[2] + s->xdelta; - in = ptr[3] + s->xdelta; + ptr[1] = ptr[0] + td->xsize; + ptr[2] = ptr[1] + td->xsize; + ptr[3] = ptr[2] + td->xsize; + in = ptr[3] + td->xsize; - for (j = 0; j < s->xdelta; ++j) { + for (j = 0; j < td->xsize; ++j) { uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) | (*(ptr[1]++) << 16) | (*(ptr[2]++) << 8 ) | @@ -995,8 +998,8 @@ int64_t version, lo_usize, lo_size; int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size; int64_t ac_count, dc_count, ac_compression; - const int dc_w = td->xsize >> 3; - const int dc_h = td->ysize >> 3; + const int dc_w = (td->xsize + 7) >> 3; + const int dc_h = (td->ysize + 7) >> 3; GetByteContext gb, agb; int skip, ret; int have_rle = 0; @@ -1008,6 +1011,11 @@ if (version != 2) return AVERROR_INVALIDDATA; + if (s->nb_channels < 3) { + avpriv_request_sample(s->avctx, "Gray DWA"); + return AVERROR_PATCHWELCOME; + } + lo_usize = AV_RL64(src + 8); lo_size = AV_RL64(src + 16); ac_size = AV_RL64(src + 24); @@ -1024,11 +1032,20 @@ ) return AVERROR_INVALIDDATA; + if (ac_size <= 0) { + avpriv_request_sample(s->avctx, "Zero ac_size"); + return AVERROR_INVALIDDATA; + } + if ((uint64_t)rle_raw_size > INT_MAX) { avpriv_request_sample(s->avctx, "Too big rle_raw_size"); return AVERROR_INVALIDDATA; } + if (td->xsize % 8 || td->ysize % 8) { + avpriv_request_sample(s->avctx, "odd dimensions DWA"); + } + bytestream2_init(&gb, src + 88, compressed_size - 88); skip = bytestream2_get_le16(&gb); if (skip < 2) @@ -1594,6 +1611,7 @@ s->is_tile = 0; s->is_multipart = 0; s->is_luma = 0; + s->has_channel = 0; s->current_part = 0; if (bytestream2_get_bytes_left(gb) < 10) { @@ -1697,23 +1715,26 @@ } if (layer_match) { /* only search channel if the layer match is valid */ + if (strlen(ch_gb.buffer) == 1) { + int ch_chr = av_toupper(*ch_gb.buffer); + if (ch_chr >= 'A' && ch_chr <= 'Z') + s->has_channel |= M(ch_chr); + av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr); + } + if (!av_strcasecmp(ch_gb.buffer, "R") || !av_strcasecmp(ch_gb.buffer, "X") || !av_strcasecmp(ch_gb.buffer, "U")) { channel_index = 0; - s->is_luma = 0; } else if (!av_strcasecmp(ch_gb.buffer, "G") || !av_strcasecmp(ch_gb.buffer, "V")) { channel_index = 1; - s->is_luma = 0; } else if (!av_strcasecmp(ch_gb.buffer, "Y")) { channel_index = 1; - s->is_luma = 1; } else if (!av_strcasecmp(ch_gb.buffer, "B") || !av_strcasecmp(ch_gb.buffer, "Z") || !av_strcasecmp(ch_gb.buffer, "W")) { channel_index = 2; - s->is_luma = 0; } else if (!av_strcasecmp(ch_gb.buffer, "A")) { channel_index = 3; } else { @@ -1789,6 +1810,20 @@ s->current_channel_offset += 4; } } + if (!((M('R') + M('G') + M('B')) & ~s->has_channel)) { + s->is_luma = 0; + } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) { + s->is_luma = 0; + } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) { + s->is_luma = 0; + } else if (!((M('Y') ) & ~s->has_channel) && + !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X') + M('Z')) & s->has_channel)) { + s->is_luma = 1; + } else { + avpriv_request_sample(s->avctx, "Uncommon channel combination"); + ret = AVERROR(AVERROR_PATCHWELCOME); + goto fail; + } /* Check if all channels are set with an offset or if the channels * are causing an overflow */ diff -Nru ffmpeg-5.1.7/libavcodec/g723_1.h ffmpeg-5.1.8/libavcodec/g723_1.h --- ffmpeg-5.1.7/libavcodec/g723_1.h 2025-08-05 00:22:34.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/g723_1.h 2025-11-26 02:41:35.000000000 +0000 @@ -108,7 +108,7 @@ * Optimized fixed codebook excitation parameters */ typedef struct FCBParam { - int min_err; + int64_t min_err; int amp_index; int grid_index; int dirac_train; diff -Nru ffmpeg-5.1.7/libavcodec/g723_1enc.c ffmpeg-5.1.8/libavcodec/g723_1enc.c --- ffmpeg-5.1.7/libavcodec/g723_1enc.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/g723_1enc.c 2025-11-26 02:41:35.000000000 +0000 @@ -1015,7 +1015,7 @@ int pulse_cnt = pulses[index]; int i; - optim.min_err = 1 << 30; + optim.min_err = 1LL << 31; get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN); if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) { diff -Nru ffmpeg-5.1.7/libavcodec/mjpegdec.c ffmpeg-5.1.8/libavcodec/mjpegdec.c --- ffmpeg-5.1.7/libavcodec/mjpegdec.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/mjpegdec.c 2025-11-26 02:41:35.000000000 +0000 @@ -343,6 +343,8 @@ av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; + + // A valid frame requires at least 1 bit for DC + 1 bit for AC for each 8x8 block. if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) return AVERROR_INVALIDDATA; diff -Nru ffmpeg-5.1.7/libavcodec/sanm.c ffmpeg-5.1.8/libavcodec/sanm.c --- ffmpeg-5.1.7/libavcodec/sanm.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/sanm.c 2025-11-26 02:41:35.000000000 +0000 @@ -975,6 +975,11 @@ } bytestream2_skip(&ctx->gb, 4); + if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) > ctx->avctx->height) { + avpriv_request_sample(ctx->avctx, "overly large frame\n"); + return AVERROR_PATCHWELCOME; + } + switch (codec) { case 1: case 3: diff -Nru ffmpeg-5.1.7/libavcodec/utvideodec.c ffmpeg-5.1.8/libavcodec/utvideodec.c --- ffmpeg-5.1.7/libavcodec/utvideodec.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/utvideodec.c 2025-11-26 02:41:35.000000000 +0000 @@ -436,7 +436,7 @@ // second line - first element has top prediction, the rest uses median C = bsrc[-stride2]; bsrc[0] += C; - A = bsrc[0]; + A = B = bsrc[0]; for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */ B = bsrc[i - stride2]; bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C)); @@ -564,7 +564,7 @@ int buf_size = avpkt->size; UtvideoContext *c = avctx->priv_data; int i, j; - const uint8_t *plane_start[5]; + const uint8_t *plane_start[5] = {NULL}; int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size; int ret; GetByteContext gb; diff -Nru ffmpeg-5.1.7/libavcodec/x86/pngdsp.asm ffmpeg-5.1.8/libavcodec/x86/pngdsp.asm --- ffmpeg-5.1.7/libavcodec/x86/pngdsp.asm 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavcodec/x86/pngdsp.asm 2025-11-26 02:41:35.000000000 +0000 @@ -163,6 +163,7 @@ dec cntrq jge .bpp_loop POP dstq + emms RET %endmacro diff -Nru ffmpeg-5.1.7/libavfilter/vf_drawtext.c ffmpeg-5.1.8/libavfilter/vf_drawtext.c --- ffmpeg-5.1.7/libavfilter/vf_drawtext.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavfilter/vf_drawtext.c 2025-11-26 02:41:35.000000000 +0000 @@ -759,7 +759,7 @@ av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use text_source only\n"); av_free(s->text); } - s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE * + s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) * (AV_NUM_DETECTION_BBOX_CLASSIFY + 1)); if (!s->text) return AVERROR(ENOMEM); diff -Nru ffmpeg-5.1.7/libavformat/avidec.c ffmpeg-5.1.8/libavformat/avidec.c --- ffmpeg-5.1.7/libavformat/avidec.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/avidec.c 2025-11-26 02:41:35.000000000 +0000 @@ -1699,7 +1699,7 @@ int *idx = av_calloc(s->nb_streams, sizeof(*idx)); if (!idx) return AVERROR(ENOMEM); - for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) { + for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) { int64_t max_dts = INT64_MIN / 2; int64_t min_dts = INT64_MAX / 2; int64_t max_buffer = 0; diff -Nru ffmpeg-5.1.7/libavformat/aviobuf.c ffmpeg-5.1.8/libavformat/aviobuf.c --- ffmpeg-5.1.7/libavformat/aviobuf.c 2025-08-14 00:31:30.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/aviobuf.c 2025-11-26 02:41:35.000000000 +0000 @@ -337,7 +337,7 @@ ctx->seek_count++; if (!s->write_flag) s->buf_end = s->buffer; - s->buf_ptr = s->buf_ptr_max = s->buffer; + s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer; s->pos = offset; } s->eof_reached = 0; diff -Nru ffmpeg-5.1.7/libavformat/http.c ffmpeg-5.1.8/libavformat/http.c --- ffmpeg-5.1.7/libavformat/http.c 2025-08-14 00:31:31.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/http.c 2025-11-26 02:41:35.000000000 +0000 @@ -1787,7 +1787,7 @@ ret = http_read_stream_all(h, data, len); if (ret < 0) return ret; - data[len + 1] = 0; + data[len] = 0; if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0) return ret; update_metadata(h, data); diff -Nru ffmpeg-5.1.7/libavformat/lrcdec.c ffmpeg-5.1.8/libavformat/lrcdec.c --- ffmpeg-5.1.7/libavformat/lrcdec.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/lrcdec.c 2025-11-26 02:41:35.000000000 +0000 @@ -91,7 +91,7 @@ if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) { return 0; } - *start = (mm * 60 + ss) * AV_TIME_BASE; + *start = llrint((mm * 60 + ss) * AV_TIME_BASE); if (prefix[1] == '-') { *start = - *start; } diff -Nru ffmpeg-5.1.7/libavformat/rtmpproto.c ffmpeg-5.1.8/libavformat/rtmpproto.c --- ffmpeg-5.1.7/libavformat/rtmpproto.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/rtmpproto.c 2025-11-26 02:41:35.000000000 +0000 @@ -161,6 +161,13 @@ static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt); static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt); +static size_t zstrlen(const char *c) +{ + if(c) + return strlen(c); + return 0; +} + static int add_tracked_method(RTMPContext *rt, const char *name, int id) { int err; @@ -325,7 +332,15 @@ int ret; if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, - 0, 4096 + APP_MAX_LENGTH)) < 0) + 0, 4096 + APP_MAX_LENGTH + + strlen(rt->auth_params) + strlen(rt->flashver) + + zstrlen(rt->swfurl) + + zstrlen(rt->swfverify) + + zstrlen(rt->tcurl) + + zstrlen(rt->auth_params) + + zstrlen(rt->pageurl) + + zstrlen(rt->conn)*3 + )) < 0) return ret; p = pkt.data; @@ -1866,7 +1881,9 @@ if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE, 0, - RTMP_PKTDATA_DEFAULT_SIZE)) < 0) { + RTMP_PKTDATA_DEFAULT_SIZE + + strlen(status) + strlen(description) + + zstrlen(details))) < 0) { av_log(s, AV_LOG_ERROR, "Unable to create response packet\n"); return ret; } @@ -2799,6 +2816,12 @@ "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT); } } + if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH + || strlen(rt->tcurl ) > TCURL_MAX_LENGTH + ) { + ret = AVERROR(EINVAL); + goto fail; + } rt->receive_report_size = 1048576; rt->bytes_read = 0; diff -Nru ffmpeg-5.1.7/libavformat/rtpdec_rfc4175.c ffmpeg-5.1.8/libavformat/rtpdec_rfc4175.c --- ffmpeg-5.1.7/libavformat/rtpdec_rfc4175.c 2025-08-05 00:22:34.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/rtpdec_rfc4175.c 2025-11-26 02:41:35.000000000 +0000 @@ -23,7 +23,9 @@ #include "avio_internal.h" #include "rtpdec_formats.h" +#include "libavutil/avassert.h" #include "libavutil/avstring.h" +#include "libavutil/imgutils.h" #include "libavutil/pixdesc.h" #include "libavutil/parseutils.h" @@ -127,7 +129,7 @@ data->width = atoi(value); else if (!strncmp(attr, "height", 6)) data->height = atoi(value); - else if (!strncmp(attr, "sampling", 8)) + else if (data->sampling == NULL && !strncmp(attr, "sampling", 8)) data->sampling = av_strdup(value); else if (!strncmp(attr, "depth", 5)) data->depth = atoi(value); @@ -171,30 +173,39 @@ } static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index, - PayloadContext *data, const char *line) + PayloadContext *data_arg, const char *line) { const char *p; if (st_index < 0) return 0; + av_assert0(!data_arg->sampling); + if (av_strstart(line, "fmtp:", &p)) { AVStream *stream = s->streams[st_index]; + PayloadContext data0 = *data_arg, *data = &data0; int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp); - if (ret < 0) - return ret; + if (!data->sampling || !data->depth || !data->width || !data->height) + ret = AVERROR(EINVAL); + if (ret < 0) + goto fail; - if (!data->sampling || !data->depth || !data->width || !data->height) - return AVERROR(EINVAL); + ret = av_image_check_size(data->width, data->height, 0, s); + if (ret < 0) + goto fail; stream->codecpar->width = data->width; stream->codecpar->height = data->height; ret = rfc4175_parse_format(stream, data); av_freep(&data->sampling); - + if (ret >= 0) + *data_arg = *data; +fail: + av_freep(&data->sampling); return ret; } @@ -295,6 +306,9 @@ if (data->interlaced) line = 2 * line + field; + if (line >= data->height) + return AVERROR_INVALIDDATA; + /* prevent ill-formed packets to write after buffer's end */ copy_offset = (line * data->width + offset) * data->pgroup / data->xinc; if (copy_offset + length > data->frame_size || !data->frame) diff -Nru ffmpeg-5.1.7/libavformat/rtpenc_h264_hevc.c ffmpeg-5.1.8/libavformat/rtpenc_h264_hevc.c --- ffmpeg-5.1.7/libavformat/rtpenc_h264_hevc.c 2025-03-12 11:48:36.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/rtpenc_h264_hevc.c 2025-11-26 02:41:35.000000000 +0000 @@ -195,6 +195,9 @@ r1 = ff_avc_mp4_find_startcode(r, end, s->nal_length_size); if (!r1) r1 = end; + // Check that the last is not truncated + if (r1 - r < s->nal_length_size) + break; r += s->nal_length_size; } else { while (!*(r++)); diff -Nru ffmpeg-5.1.7/libavformat/sctp.c ffmpeg-5.1.8/libavformat/sctp.c --- ffmpeg-5.1.7/libavformat/sctp.c 2025-08-05 00:22:34.000000000 +0000 +++ ffmpeg-5.1.8/libavformat/sctp.c 2025-11-26 02:41:35.000000000 +0000 @@ -334,6 +334,9 @@ } if (s->max_streams) { + if (size < 2) + return AVERROR(EINVAL); + /*StreamId is introduced as a 2byte code into the stream*/ struct sctp_sndrcvinfo info = { 0 }; info.sinfo_stream = AV_RB16(buf); diff -Nru ffmpeg-5.1.7/libavutil/common.h ffmpeg-5.1.8/libavutil/common.h --- ffmpeg-5.1.7/libavutil/common.h 2025-08-14 00:31:31.000000000 +0000 +++ ffmpeg-5.1.8/libavutil/common.h 2025-11-26 02:41:35.000000000 +0000 @@ -467,13 +467,13 @@ * to prevent undefined results. */ #define GET_UTF8(val, GET_BYTE, ERROR)\ - val= (GET_BYTE);\ + val= (uint8_t)(GET_BYTE);\ {\ uint32_t top = (val & 128) >> 1;\ if ((val & 0xc0) == 0x80 || val >= 0xFE)\ {ERROR}\ while (val & top) {\ - unsigned int tmp = (GET_BYTE) - 128;\ + unsigned int tmp = (uint8_t)(GET_BYTE) - 128;\ if(tmp>>6)\ {ERROR}\ val= (val<<6) + tmp;\ @@ -492,11 +492,11 @@ * typically a goto statement. */ #define GET_UTF16(val, GET_16BIT, ERROR)\ - val = (GET_16BIT);\ + val = (uint16_t)(GET_16BIT);\ {\ unsigned int hi = val - 0xD800;\ if (hi < 0x800) {\ - val = (GET_16BIT) - 0xDC00;\ + val = (uint16_t)(GET_16BIT) - 0xDC00;\ if (val > 0x3FFU || hi > 0x3FFU)\ {ERROR}\ val += (hi<<10) + 0x10000;\ diff -Nru ffmpeg-5.1.7/libswscale/output.c ffmpeg-5.1.8/libswscale/output.c --- ffmpeg-5.1.7/libswscale/output.c 2025-08-14 00:31:36.000000000 +0000 +++ ffmpeg-5.1.8/libswscale/output.c 2025-11-26 02:41:35.000000000 +0000 @@ -943,7 +943,7 @@ int A = 0xffff; for (j = 0; j < lumFilterSize; j++) - Y += lumSrc[j][i] * lumFilter[j]; + Y += lumSrc[j][i] * (unsigned)lumFilter[j]; Y >>= 15; Y += (1<<3) + 0x8000; @@ -952,7 +952,7 @@ if (hasAlpha) { A = -0x40000000 + (1<<14); for (j = 0; j < lumFilterSize; j++) - A += alpSrc[j][i] * lumFilter[j]; + A += alpSrc[j][i] * (unsigned)lumFilter[j]; A >>= 15; A += 0x8000;