Version in base suite: 4.3.3-0+deb11u1 Base version: ffmpeg_4.3.3-0+deb11u1 Target version: ffmpeg_4.3.4-0+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/ffmpeg/ffmpeg_4.3.3-0+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/ffmpeg/ffmpeg_4.3.4-0+deb11u1.dsc Changelog | 58 ++++++++++++++ RELEASE | 2 VERSION | 2 configure | 2 debian/changelog | 6 + doc/Doxyfile | 2 libavcodec/alacdsp.c | 2 libavcodec/apedec.c | 22 ++--- libavcodec/diracdec.c | 4 libavcodec/flac_parser.c | 3 libavcodec/g729_parser.c | 3 libavcodec/jpeglsdec.c | 10 +- libavcodec/libdav1d.c | 4 libavcodec/mjpegbdec.c | 1 libavcodec/motion_est.c | 9 -- libavcodec/pixlet.c | 4 libavcodec/sonic.c | 2 libavcodec/takdsp.c | 2 libavcodec/vp3.c | 9 +- libavcodec/vqavideo.c | 7 - libavfilter/vf_subtitles.c | 9 +- libavformat/4xm.c | 6 + libavformat/aiffdec.c | 11 +- libavformat/aqtitledec.c | 3 libavformat/avidec.c | 9 +- libavformat/cafdec.c | 2 libavformat/flvdec.c | 2 libavformat/hls.c | 8 + libavformat/matroskadec.c | 24 ++++- libavformat/mov.c | 21 ++++- libavformat/mxfdec.c | 21 ++++- libavformat/rmdec.c | 9 +- libavformat/utils.c | 2 libavformat/vivo.c | 13 ++- libavformat/webmdashenc.c | 2 tests/ref/fate/webm-dash-manifest | 2 tests/ref/fate/webm-dash-manifest-representations | 2 tests/ref/fate/webm-dash-manifest-unaligned-audio-streams | 2 tests/ref/fate/webm-dash-manifest-unaligned-video-streams | 2 39 files changed, 232 insertions(+), 72 deletions(-) diff -Nru ffmpeg-4.3.3/Changelog ffmpeg-4.3.4/Changelog --- ffmpeg-4.3.3/Changelog 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/Changelog 2022-04-16 08:20:46.000000000 +0000 
@@ -1,6 +1,64 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.4: + fate: update reference files after the recent dash manifest muxer changes + avformat/webmdashenc: fix on-demand profile string + Update for FFmpeg 4.3.4 + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing + avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() + avformat/mxfdec: Check count in mxf_read_strong_ref_array() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avcodec/mjpegbdec: Set buf_size + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avcodec/g729_parser: Check channels + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression 
+ avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/vivo: Favor setting fps from explicit fractions + avformat/vivo: Do not use the general expression evaluator for parsing a floating point value + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avcodec/vp3: Check version in all cases when VP4 code is not built + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure + configure: Add missing libshine->mpegaudioheader dependency + version 4.3.3: avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results diff -Nru ffmpeg-4.3.3/RELEASE ffmpeg-4.3.4/RELEASE --- ffmpeg-4.3.3/RELEASE 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/RELEASE 2022-04-16 08:20:46.000000000 +0000 @@ -1 +1 @@ -4.3.3 +4.3.4 diff -Nru ffmpeg-4.3.3/VERSION ffmpeg-4.3.4/VERSION --- ffmpeg-4.3.3/VERSION 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/VERSION 2022-04-16 08:20:46.000000000 +0000 
@@ -1 +1 @@ -4.3.3 +4.3.4 diff -Nru ffmpeg-4.3.3/configure ffmpeg-4.3.4/configure --- ffmpeg-4.3.3/configure 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/configure 2022-04-16 08:20:46.000000000 +0000 @@ -3236,7 +3236,7 @@ librav1e_encoder_select="extract_extradata_bsf" librsvg_decoder_deps="librsvg" libshine_encoder_deps="libshine" -libshine_encoder_select="audio_frame_queue" +libshine_encoder_select="audio_frame_queue mpegaudioheader" libspeex_decoder_deps="libspeex" libspeex_encoder_deps="libspeex" libspeex_encoder_select="audio_frame_queue" diff -Nru ffmpeg-4.3.3/debian/changelog ffmpeg-4.3.4/debian/changelog --- ffmpeg-4.3.3/debian/changelog 2021-10-28 20:55:17.000000000 +0000 +++ ffmpeg-4.3.4/debian/changelog 2022-04-24 20:26:21.000000000 +0000 @@ -1,3 +1,9 @@ +ffmpeg (7:4.3.4-0+deb11u1) bullseye-security; urgency=medium + + * New upstream version 4.3.4 + + -- Sebastian Ramacher Sun, 24 Apr 2022 22:26:21 +0200 + ffmpeg (7:4.3.3-0+deb11u1) bullseye-security; urgency=medium * New upstream version 4.3.3 diff -Nru ffmpeg-4.3.3/doc/Doxyfile ffmpeg-4.3.4/doc/Doxyfile --- ffmpeg-4.3.3/doc/Doxyfile 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/doc/Doxyfile 2022-04-16 08:20:46.000000000 +0000 @@ -38,7 +38,7 @@ # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.3 +PROJECT_NUMBER = 4.3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff -Nru ffmpeg-4.3.3/libavcodec/alacdsp.c ffmpeg-4.3.4/libavcodec/alacdsp.c --- ffmpeg-4.3.3/libavcodec/alacdsp.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/alacdsp.c 2022-04-16 08:20:46.000000000 +0000 
@@ -34,7 +34,7 @@ a = buffer[0][i]; b = buffer[1][i]; - a -= (b * decorr_left_weight) >> decorr_shift; + a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; diff -Nru ffmpeg-4.3.3/libavcodec/apedec.c ffmpeg-4.3.4/libavcodec/apedec.c --- ffmpeg-4.3.3/libavcodec/apedec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/apedec.c 2022-04-16 08:20:46.000000000 +0000 @@ -102,7 +102,7 @@ int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values - int avg; + uint32_t avg; } APEFilter; typedef struct APERice { @@ -928,7 +928,7 @@ dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } - buffer[i] -= dotprod >> shift; + buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; @@ -1061,13 +1061,13 @@ const int delayA) { int32_t predictionA, sign; - int32_t d0, d1, d2, d3; + uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA ]; - d1 = p->buf[delayA ] - p->buf[delayA - 1]; - d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; - d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; + d1 = p->buf[delayA ] - (unsigned)p->buf[delayA - 1]; + d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; + d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + 
@@ -1078,10 +1078,10 @@ p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); - p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; - p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; - p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; - p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; + p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; + p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; + p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; + p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } @@ -1559,7 +1559,7 @@ for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) - *sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; + *sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: diff -Nru ffmpeg-4.3.3/libavcodec/diracdec.c ffmpeg-4.3.4/libavcodec/diracdec.c --- ffmpeg-4.3.3/libavcodec/diracdec.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/diracdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -1431,8 +1431,8 @@ int *c = s->globalmc[ref].perspective; int64_t m = (1<u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); diff -Nru ffmpeg-4.3.3/libavcodec/flac_parser.c ffmpeg-4.3.4/libavcodec/flac_parser.c --- ffmpeg-4.3.3/libavcodec/flac_parser.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/flac_parser.c 2022-04-16 08:20:46.000000000 +0000 @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ 
@@ -170,7 +171,7 @@ uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, &fpc->wrap_buf, &fpc->wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, &fi)) { diff -Nru ffmpeg-4.3.3/libavcodec/g729_parser.c ffmpeg-4.3.4/libavcodec/g729_parser.c --- ffmpeg-4.3.3/libavcodec/g729_parser.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/g729_parser.c 2022-04-16 08:20:46.000000000 +0000 @@ -49,6 +49,9 @@ s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN) s->block_size++; + // channels > 2 is invalid, we pass the packet on unchanged + if (avctx->channels > 2) + s->block_size = 0; s->block_size *= avctx->channels; s->duration = avctx->frame_size; } diff -Nru ffmpeg-4.3.3/libavcodec/jpeglsdec.c ffmpeg-4.3.4/libavcodec/jpeglsdec.c --- ffmpeg-4.3.3/libavcodec/jpeglsdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/jpeglsdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -67,7 +67,7 @@ s->t3 = get_bits(&s->gb, 16); s->reset = get_bits(&s->gb, 16); - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ else maxtab = 65530/wt - 1; - if(s->avctx->debug & FF_DEBUG_PICT_INFO) { + if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -186,7 +186,7 @@ if (RItype) temp += state->N[Q] >> 1; - for (k = 0; (state->N[Q] << k) < temp; k++) + for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN 
@@ -195,6 +195,8 @@ #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); + if (ret < 0) + return -0x10000; /* decode mapped error */ map = 0; @@ -209,7 +211,7 @@ ret = ret >> 1; } - if(FFABS(ret) > 0xFFFF) + if (FFABS(ret) > 0xFFFF) return -0x10000; /* update state */ state->A[Q] += FFABS(ret) - RItype; diff -Nru ffmpeg-4.3.3/libavcodec/libdav1d.c ffmpeg-4.3.4/libavcodec/libdav1d.c --- ffmpeg-4.3.3/libavcodec/libdav1d.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/libdav1d.c 2022-04-16 08:20:46.000000000 +0000 @@ -226,8 +226,10 @@ if (res < 0) { if (res == AVERROR(EINVAL)) res = AVERROR_INVALIDDATA; - if (res != AVERROR(EAGAIN)) + if (res != AVERROR(EAGAIN)) { + dav1d_data_unref(data); return res; + } } res = dav1d_get_picture(dav1d->c, p); diff -Nru ffmpeg-4.3.3/libavcodec/mjpegbdec.c ffmpeg-4.3.4/libavcodec/mjpegbdec.c --- ffmpeg-4.3.3/libavcodec/mjpegbdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/mjpegbdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -57,6 +57,7 @@ buf_end = buf + buf_size; s->got_picture = 0; s->adobe_transform = -1; + s->buf_size = buf_size; read_header: /* reset on every SOI */ diff -Nru ffmpeg-4.3.3/libavcodec/motion_est.c ffmpeg-4.3.4/libavcodec/motion_est.c --- ffmpeg-4.3.3/libavcodec/motion_est.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/motion_est.c 2022-04-16 08:20:46.000000000 +0000 @@ -1614,7 +1614,7 @@ for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; - for(x=0; xmb_width; x++){ + for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; 
@@ -1622,16 +1622,15 @@ fcode_tab[my + MAX_MV]); int j; - if(mx >= range || mx < -range || - my >= range || my < -range) - continue; + if (mx >= range || mx < -range || + my >= range || my < -range) + continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) score[j]-= 170; } } - xy++; } } diff -Nru ffmpeg-4.3.3/libavcodec/pixlet.c ffmpeg-4.3.4/libavcodec/pixlet.c --- ffmpeg-4.3.3/libavcodec/pixlet.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/pixlet.c 2022-04-16 08:20:46.000000000 +0000 @@ -404,7 +404,7 @@ (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); - dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); - dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); + dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } diff -Nru ffmpeg-4.3.3/libavcodec/sonic.c ffmpeg-4.3.4/libavcodec/sonic.c --- ffmpeg-4.3.3/libavcodec/sonic.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/sonic.c 2022-04-16 08:20:46.000000000 +0000 @@ -1018,7 +1018,7 @@ // dequantize for (i = 0; i < s->num_taps; i++) - s->predictor_k[i] *= s->tap_quant[i]; + s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; diff -Nru ffmpeg-4.3.3/libavcodec/takdsp.c ffmpeg-4.3.4/libavcodec/takdsp.c --- ffmpeg-4.3.3/libavcodec/takdsp.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/takdsp.c 2022-04-16 08:20:46.000000000 +0000 
@@ -65,7 +65,7 @@ for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; - b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; + b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } diff -Nru ffmpeg-4.3.3/libavcodec/vp3.c ffmpeg-4.3.4/libavcodec/vp3.c --- ffmpeg-4.3.3/libavcodec/vp3.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/vp3.c 2022-04-16 08:20:46.000000000 +0000 @@ -2741,7 +2741,14 @@ skip_bits(&gb, 4); /* width code */ skip_bits(&gb, 4); /* height code */ if (s->version) { - s->version = get_bits(&gb, 5); + int version = get_bits(&gb, 5); +#if !CONFIG_VP4_DECODER + if (version >= 2) { + av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); + return AVERROR_DECODER_NOT_FOUND; + } +#endif + s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); diff -Nru ffmpeg-4.3.3/libavcodec/vqavideo.c ffmpeg-4.3.4/libavcodec/vqavideo.c --- ffmpeg-4.3.3/libavcodec/vqavideo.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavcodec/vqavideo.c 2022-04-16 08:20:46.000000000 +0000 @@ -588,13 +588,14 @@ if (s->partial_countdown <= 0) { bytestream2_init(&s->gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ - if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) - return res; + res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; + if (res < 0) + return res; } } diff -Nru ffmpeg-4.3.3/libavfilter/vf_subtitles.c ffmpeg-4.3.4/libavfilter/vf_subtitles.c --- ffmpeg-4.3.3/libavfilter/vf_subtitles.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavfilter/vf_subtitles.c 2022-04-16 08:20:46.000000000 +0000 
@@ -145,9 +145,16 @@ ff_draw_init(&ass->draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); - if (ass->original_w && ass->original_h) + if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x01010000 + ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); + } else { + ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif + } + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); diff -Nru ffmpeg-4.3.3/libavformat/4xm.c ffmpeg-4.3.4/libavformat/4xm.c --- ffmpeg-4.3.3/libavformat/4xm.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/4xm.c 2022-04-16 08:20:46.000000000 +0000 @@ -137,7 +137,8 @@ return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); - if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { + if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || + track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } @@ -148,6 +149,9 @@ memset(&fourxm->tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; + } else { + if (fourxm->tracks[track].bits) + return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels = AV_RL32(buf + 36); diff -Nru ffmpeg-4.3.3/libavformat/aiffdec.c ffmpeg-4.3.4/libavformat/aiffdec.c --- ffmpeg-4.3.3/libavformat/aiffdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/aiffdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -122,6 +122,9 @@ sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; + if (sample_rate <= 0) + return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; 
@@ -184,8 +187,10 @@ par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { - par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / - aiff->block_duration; + par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); + if (par->bit_rate < 0) + par->bit_rate = 0; } /* Chunk is over */ @@ -367,7 +372,7 @@ if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; - } else if (!st->codecpar->block_align) { + } else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } diff -Nru ffmpeg-4.3.3/libavformat/aqtitledec.c ffmpeg-4.3.4/libavformat/aqtitledec.c --- ffmpeg-4.3.3/libavformat/aqtitledec.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/aqtitledec.c 2022-04-16 08:20:46.000000000 +0000 @@ -74,7 +74,8 @@ new_event = 1; pos = avio_tell(s->pb); if (sub) { - sub->duration = frame - sub->pts; + if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) + sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { diff -Nru ffmpeg-4.3.3/libavformat/avidec.c ffmpeg-4.3.4/libavformat/avidec.c --- ffmpeg-4.3.3/libavformat/avidec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/avidec.c 2022-04-16 08:20:46.000000000 +0000 @@ -232,6 +232,8 @@ } else { int64_t offset, pos; int duration; + int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; - read_odml_index(s, frame_num); + ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; 
@@ -257,7 +259,8 @@ av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - + if (ret < 0) + return ret; } } avi->index_loaded = 2; @@ -841,6 +844,8 @@ memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } + if (st->codecpar->height == INT_MIN) + return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); // avio_skip(pb, size - 5 * 4); diff -Nru ffmpeg-4.3.3/libavformat/cafdec.c ffmpeg-4.3.4/libavformat/cafdec.c --- ffmpeg-4.3.3/libavformat/cafdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/cafdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -241,6 +241,8 @@ char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); + if (!*key) + continue; av_dict_set(&s->metadata, key, value, 0); } } diff -Nru ffmpeg-4.3.3/libavformat/flvdec.c ffmpeg-4.3.4/libavformat/flvdec.c --- ffmpeg-4.3.3/libavformat/flvdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/flvdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -459,6 +459,8 @@ d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; + if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) + goto invalid; current_array[0][i] = d; } if (times && filepositions) { diff -Nru ffmpeg-4.3.3/libavformat/hls.c ffmpeg-4.3.4/libavformat/hls.c --- ffmpeg-4.3.3/libavformat/hls.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/hls.c 2022-04-16 08:20:46.000000000 +0000 
@@ -813,10 +813,16 @@ &info); new_rendition(c, &info, url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", &ptr)) { + int64_t t; ret = ensure_playlist(c, &pls, url); if (ret < 0) goto fail; - pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; + t = strtoll(ptr, NULL, 10); + if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", &ptr)) { ret = ensure_playlist(c, &pls, url); if (ret < 0) diff -Nru ffmpeg-4.3.3/libavformat/matroskadec.c ffmpeg-4.3.4/libavformat/matroskadec.c --- ffmpeg-4.3.3/libavformat/matroskadec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/matroskadec.c 2022-04-16 08:20:46.000000000 +0000 @@ -1643,7 +1643,7 @@ case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; - if (inflateInit(&zstream) != Z_OK) + if (!pkt_size || inflateInit(&zstream) != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1676,7 +1676,7 @@ case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; - if (BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) + if (!pkt_size || BZ2_bzDecompressInit(&bzstream, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; @@ -2906,6 +2906,8 @@ if (!matroska->time_scale) matroska->time_scale = 1000000; + if (isnan(matroska->duration)) + matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; 
@@ -3865,7 +3867,9 @@ int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; - if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + + if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) + return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { @@ -4054,6 +4058,8 @@ // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; + if (pre_ns <= 0) + return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); @@ -4065,12 +4071,16 @@ do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; - double desc_sec = desc_ns / nano_seconds_per_second; - double calc_bits_per_second = (desc_bytes * 8) / desc_sec; + double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; + if (desc_bytes <= 0) + return -1; + + desc_sec = desc_ns / nano_seconds_per_second; + calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. - double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; - double mod_bits_per_second = calc_bits_per_second * percent; + percent = (desc_bytes - prebuffer_bytes) / desc_bytes; + mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = diff -Nru ffmpeg-4.3.3/libavformat/mov.c ffmpeg-4.3.4/libavformat/mov.c --- ffmpeg-4.3.3/libavformat/mov.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/mov.c 2022-04-16 08:20:46.000000000 +0000 
@@ -605,11 +605,13 @@ for (i = 0; i < entries; i++) { MOVDref *dref = &sc->drefs[i]; uint32_t size = avio_rb32(pb); - int64_t next = avio_tell(pb) + size - 4; + int64_t next = avio_tell(pb); - if (size < 12) + if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; + next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags @@ -1916,6 +1918,8 @@ // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); + if (avio_feof(pb)) + return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); @@ -2532,6 +2536,10 @@ av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } + if (st->codecpar->channels < 0) { + av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); + return AVERROR_INVALIDDATA; + } } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); @@ -5096,6 +5104,8 @@ avio_rb16(pb); // reserved item_count = avio_rb16(pb); + if (item_count == 0) + return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; @@ -5400,6 +5410,9 @@ av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } + if (sc->mastering) + return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); @@ -6097,6 +6110,8 @@ } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); + if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } 
@@ -7039,6 +7054,8 @@ if (a.size == 0) { a.size = atom.size - total_size + 8; } + if (a.size < 0) + break; a.size -= 8; if (a.size < 0) break; diff -Nru ffmpeg-4.3.3/libavformat/mxfdec.c ffmpeg-4.3.4/libavformat/mxfdec.c --- ffmpeg-4.3.3/libavformat/mxfdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/mxfdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -852,15 +852,27 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { - *count = avio_rb32(pb); + int64_t ret; + unsigned c = avio_rb32(pb); + + //avio_read() used int + if (c > INT_MAX / sizeof(UID)) + return AVERROR_PATCHWELCOME; + *count = c; + av_free(*refs); - *refs = av_calloc(*count, sizeof(UID)); + *refs = av_malloc_array(*count, sizeof(UID)); if (!*refs) { *count = 0; return AVERROR(ENOMEM); } avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */ - avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); + if (ret != *count * sizeof(UID)) { + *count = ret < 0 ? 0 : ret / sizeof(UID); + return ret < 0 ? ret : AVERROR_INVALIDDATA; + } + return 0; } @@ -1069,6 +1081,9 @@ { int i, length; + if (segment->temporal_offset_entries) + return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); diff -Nru ffmpeg-4.3.3/libavformat/rmdec.c ffmpeg-4.3.4/libavformat/rmdec.c --- ffmpeg-4.3.3/libavformat/rmdec.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/rmdec.c 2022-04-16 08:20:46.000000000 +0000 @@ -128,10 +128,6 @@ uint32_t version; int ret; - // Duplicate tags - if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) - return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { 
@@ -331,6 +327,11 @@ if (codec_data_size == 0) return 0; + // Duplicate tags + if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN + && st->codecpar->codec_type != AVMEDIA_TYPE_DATA) + return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); diff -Nru ffmpeg-4.3.3/libavformat/utils.c ffmpeg-4.3.4/libavformat/utils.c --- ffmpeg-4.3.3/libavformat/utils.c 2021-10-21 17:06:38.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/utils.c 2022-04-16 08:20:46.000000000 +0000 @@ -5000,7 +5000,7 @@ key_len = ptr - key; callback_get_buf(context, key, key_len, &dest, &dest_len); - dest_end = dest + dest_len - 1; + dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; diff -Nru ffmpeg-4.3.3/libavformat/vivo.c ffmpeg-4.3.4/libavformat/vivo.c --- ffmpeg-4.3.3/libavformat/vivo.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/vivo.c 2022-04-16 08:20:46.000000000 +0000 @@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -120,7 +121,7 @@ static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; - AVRational fps = { 1, 25}; + AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; 
@@ -206,17 +207,21 @@ return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { - AVRational tmp; + double d; + if (av_sscanf(value, "%f", &d) != 1) + return AVERROR_INVALIDDATA; value_used = 1; - if (!av_parse_ratio(&tmp, value, 10000, AV_LOG_WARNING, s)) - fps = av_inv_q(tmp); + if (!fps.num && !fps.den) + fps = av_inv_q(av_d2q(d, 10000)); } if (!value_used) av_dict_set(&s->metadata, key, value, 0); } } + if (!fps.num || !fps.den) + fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); diff -Nru ffmpeg-4.3.3/libavformat/webmdashenc.c ffmpeg-4.3.4/libavformat/webmdashenc.c --- ffmpeg-4.3.3/libavformat/webmdashenc.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.4/libavformat/webmdashenc.c 2022-04-16 08:20:46.000000000 +0000 @@ -92,7 +92,7 @@ } avio_printf(s->pb, " minBufferTime=\"PT%gS\"\n", min_buffer_time); avio_printf(s->pb, " profiles=\"%s\"%s", - w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:webm:dash:profile:webm-on-demand:2012", + w->is_live ? "urn:mpeg:dash:profile:isoff-live:2011" : "urn:mpeg:dash:profile:webm-on-demand:2012", w->is_live ? "\n" : ">\n"); if (w->is_live) { time_t local_time = time(NULL); diff -Nru ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest --- ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest 2020-04-27 21:48:16.000000000 +0000 +++ ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest 2022-04-16 08:20:46.000000000 +0000 
@@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-representations ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-representations --- ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-representations 2020-04-27 21:48:16.000000000 +0000 +++ ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-representations 2022-04-16 08:20:46.000000000 +0000 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams --- ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams 2020-04-27 21:48:16.000000000 +0000 +++ ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-unaligned-audio-streams 2022-04-16 08:20:46.000000000 +0000 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.501S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012"> diff -Nru ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-unaligned-video-streams ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-unaligned-video-streams --- ffmpeg-4.3.3/tests/ref/fate/webm-dash-manifest-unaligned-video-streams 2020-04-27 21:48:16.000000000 +0000 +++ ffmpeg-4.3.4/tests/ref/fate/webm-dash-manifest-unaligned-video-streams 2022-04-16 08:20:46.000000000 +0000 @@ -6,7 +6,7 @@ type="static" mediaPresentationDuration="PT32.48S" minBufferTime="PT1S" - profiles="urn:webm:dash:profile:webm-on-demand:2012"> + profiles="urn:mpeg:dash:profile:webm-on-demand:2012">
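Review bot: libavcodec/flac_parser.c, first hunk: the new MAX_FRAME_VERIFY_SIZE macro is defined as exactly (MAX_FRAME_HEADER_SIZE) with no comment, while the macro directly above it carries a doc comment. A one-line comment would help here, saying what "verify size" means and why the read in the second hunk needs MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE rather than the header size alone. Otherwise the next reader will take the alias for redundant.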
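Review bot: libavcodec/g729_parser.c, hunk at -49,6: the added guard only covers avctx->channels > 2, so a negative channel count would still reach s->block_size *= avctx->channels and leave block_size negative. If the field can be negative at this point, widen the condition to channels < 1 || channels > 2, or make it explicit which earlier check rules that out. The comment says the packet is passed on unchanged; stating that block_size == 0 is the signal for that would make the intent clearer.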
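Review bot: libavfilter/vf_subtitles.c, hunk at -145,9: the "} else {" sits inside #if LIBASS_VERSION > 0x01010000 while the closing "}" sits after the #endif, so the brace structure of the if statement depends on the preprocessor. It compiles both ways, but it is easy to break on the next edit. Consider keeping the if/else braces unconditional and wrapping only the two ass_set_storage_size() calls in the version check, or computing the storage width and height into locals and making a single guarded call.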
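Review bot: libavformat/4xm.c, hunk at -148,6: the duplicate-track check in the new else branch treats a nonzero fourxm->tracks[track].bits as "already parsed", so a track whose first header carried bits == 0 would not be recognised as a duplicate unless that value is rejected elsewhere. The branch also returns AVERROR_INVALIDDATA without an av_log() call, unlike the range check a few lines above. Suggest logging the duplicate track id, and noting in a comment why bits is a safe sentinel.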
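Review bot: libavformat/aqtitledec.c, hunk at -74,7: when the new range condition fails, sub->duration is silently left at whatever value it already had and sub is set to NULL with no diagnostic. Either assign an explicit fallback in an else branch or emit an av_log() warning so that a subtitle with an unrepresentable duration is visible to whoever debugs the file. The mixed (uint64_t)frame - sub->pts < INT64_MAX comparison also deserves a short comment explaining that it guards the signed subtraction on the next line.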
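Review bot: libavformat/hls.c, the #EXT-X-TARGETDURATION branch: strtoll(ptr, NULL, 10) is called with a NULL end pointer, so an empty or non-numeric value parses as 0 and passes the new t < 0 || t >= INT64_MAX / AV_TIME_BASE check. Pass an end pointer and fail with AVERROR_INVALIDDATA when no digits were consumed, and decide explicitly whether a target duration of 0 is acceptable. The overflow bound itself looks right, since a saturated strtoll() result is caught by the upper limit.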
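Review bot: libavformat/matroskadec.c, hunk at -4065,12: the loop now rejects desc_bytes <= 0 but desc_ns is still unchecked before calc_bits_per_second = (desc_bytes * 8) / desc_sec, so a zero or negative time span gives a division by zero or a negative rate. The previous hunk already returns -1 for pre_ns <= 0, and the same test on desc_ns, placed next to the desc_bytes check, would close the gap. Extending the existing condition to desc_bytes <= 0 || desc_ns <= 0 keeps it to one line.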
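Review bot: libavformat/mxfdec.c, mxf_read_strong_ref_array(): the short-read test ret != *count * sizeof(UID) compares an int64_t against a size_t product and only behaves correctly for negative ret because of the implicit conversion to unsigned. Computing the byte length once into a typed local and checking ret < 0 before the length comparison would make the two error cases explicit. The comment "//avio_read() used int" is also too terse to explain why the bound is INT_MAX / sizeof(UID), so a full sentence there would help.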
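Review bot: libavformat/vivo.c, the FPS branch of vivo_read_header(): d is declared double but is filled with av_sscanf(value, "%f", &d), and the %f conversion stores through a float pointer, so only part of d is written and av_d2q(d, 10000) then reads an indeterminate value. Use "%lf" with the double, or declare d as float. The fallback to { 1, 25 } after the loop only catches a zero numerator or denominator, so it does not mask this.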