Version in base suite: 4.3.4-0+deb11u1 Base version: ffmpeg_4.3.4-0+deb11u1 Target version: ffmpeg_4.3.5-0+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/ffmpeg/ffmpeg_4.3.4-0+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/ffmpeg/ffmpeg_4.3.5-0+deb11u1.dsc Changelog | 83 ++++++++++ MAINTAINERS | 1 RELEASE | 2 VERSION | 2 configure | 4 debian/changelog | 7 debian/patches/0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch | 25 --- debian/patches/series | 1 doc/Doxyfile | 2 doc/git-howto.texi | 22 ++ libavcodec/8bps.c | 3 libavcodec/aasc.c | 34 ++-- libavcodec/alacdsp.c | 4 libavcodec/apedec.c | 2 libavcodec/bink.c | 2 libavcodec/cdgraphics.c | 2 libavcodec/dstdec.c | 11 - libavcodec/ffv1dec.c | 3 libavcodec/ffv1dec_template.c | 10 - libavcodec/fmvc.c | 21 +- libavcodec/h263dec.c | 2 libavcodec/h264dec.c | 4 libavcodec/hevc_filter.c | 13 + libavcodec/hevcdec.c | 2 libavcodec/hevcdsp_template.c | 2 libavcodec/jpeglsdec.c | 8 libavcodec/lagarith.c | 3 libavcodec/libxavs2.c | 2 libavcodec/midivid.c | 13 - libavcodec/mjpegdec.c | 8 libavcodec/pngenc.c | 2 libavcodec/qdrw.c | 2 libavcodec/qpeldsp.c | 12 - libavcodec/sbrdsp_fixed.c | 4 libavcodec/speedhq.c | 2 libavcodec/texturedspenc.c | 6 libavcodec/tiff.c | 7 libavcodec/tta.c | 11 + libavcodec/wnv1.c | 3 libavfilter/vf_frei0r.c | 22 +- libavfilter/vf_showinfo.c | 11 - libavfilter/vf_signature.c | 4 libavfilter/video.c | 7 libavfilter/video.h | 1 libavfilter/vsrc_mandelbrot.c | 3 libavformat/act.c | 5 libavformat/aiffdec.c | 33 +-- libavformat/ape.c | 11 - libavformat/asfdec_f.c | 12 - libavformat/asfdec_o.c | 12 + libavformat/avidec.c | 12 + libavformat/bfi.c | 6 libavformat/cafdec.c | 2 libavformat/dxa.c | 7 libavformat/flvdec.c | 8 libavformat/genh.c | 3 libavformat/hls.c | 1 libavformat/icodec.c | 3 libavformat/iff.c | 8 libavformat/jacosubdec.c | 2 libavformat/libzmq.c | 18 +- libavformat/mxfdec.c | 9 - libavformat/nutdec.c | 7 libavformat/rmdec.c | 2 libavformat/rpl.c 
| 2 libavformat/rtsp.c | 2 libavformat/sbgdec.c | 2 libavformat/sctp.c | 2 libavformat/sdsdec.c | 2 libavformat/spdifdec.c | 2 libavformat/subviewerdec.c | 34 ++-- libavformat/tls_mbedtls.c | 34 ++-- libavformat/vividas.c | 7 libavformat/xwma.c | 2 tools/target_dec_fuzzer.c | 1 75 files changed, 447 insertions(+), 199 deletions(-) diff -Nru ffmpeg-4.3.4/Changelog ffmpeg-4.3.5/Changelog --- ffmpeg-4.3.4/Changelog 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/Changelog 2022-10-10 20:06:00.000000000 +0000 
@@ -1,6 +1,89 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. + +version 4.3.5: + avformat/vividas: Check packet size + avcodec/dstdec: Check for overflow in build_filter() + avformat/spdifdec: Use 64bit to compute bit rate + avformat/rpl: Use 64bit for duration computation + avformat/xwma: Use av_rescale() for duration computation + avformat/sdsdec: Use av_rescale() to avoid intermediate overflow in duration calculation + avformat/sbgdec: Check ts_int in genrate_intervals + avformat/rmdec: check tag_size + avformat/nutdec: Check fields + avformat/flvdec: Use 64bit for sum_flv_tag_size + avformat/jacosubdec: Fix overflow in get_shift() + avformat/dxa: avoid bpc overflows + avformat/cafdec: Check that nb_frasmes fits within 64bit + avformat/asfdec_o: Limit packet offset + avformat/ape: Check frames size + avformat/icodec: Check nb_pal + avformat/aiffdec: Use 64bit for block_duration use + avformat/aiffdec: Check block_duration + avformat/mxfdec: only probe max run in + avformat/mxfdec: Check run_in is within 65536 + avcodec/mjpegdec: Check for unsupported bayer case + avcodec/apedec: Fix integer overflow in filter_3800() + avcodec/tta: Check 24bit scaling for overflow + avcodec/tiff: Fix loop detection + libavformat/hls: Free keys + avcodec/fmvc: Move frame allocation to a later stage + avfilter/vf_showinfo: remove backspaces + avcodec/speedhq: Check width + avcodec/bink: disallow odd positioned scaled blocks + avformat/asfdec_o: limit recursion depth in asf_read_unknown() + doc/git-howto.texi: Document commit signing + libavcodec/8bps: Check that line lengths fit within the buffer + avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() + libavformat/iff: Check for overflow in body_end calculation + avformat/avidec: Prevent entity expansion attacks + avcodec/h263dec: Sanity check against minimal I/P frame size + avcodec/hevcdec: Check s->ref in the md5 path similar to 
hwaccel + avformat/subviewerdec: Make read_ts() more flexible + avcodec/mjpegdec: bayer and rct are incompatible + MAINTAINERS: Add ED25519 key for signing my commits in the future + avcodec/hevc_filter: copy_CTB() only within width&height + avformat/flvdec: Check for EOF in index reading + avformat/nutdec: Check get_packetheader() in mainheader + avformat/asfdec_f: Use 64bit for packet start time + tools/target_dec_fuzzer: Adjust threshold for MMVIDEO + avcodec/lagarith: Check dst/src in zero run code + avcodec/h264dec: Skip late SEI + avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() + avfilter/vf_signature: Fix integer overflow in filter_frame() + avformat/rtsp: break on unknown protocols + avcodec/hevcdsp_template: stay within tables in sao_band_filter() + avcodec/tiff: Check pixel format types for dng + avcodec/qpeldsp: copy less for the mc0x cases + avcodec/ffv1dec: Limit golomb rice coded slices to width 8M + avformat/iff: simplify duration calculation + avcodec/wnv1: Check for width =1 + avcodec/ffv1dec_template: fix indention + avformat/sctp: close socket on errors + avcodec/aasc: Fix indention + avcodec/qdrw: adjust max colors to array size + avcodec/alacdsp: Make intermediates unsigned + avformat/aiffdec: cleanup size handling for extreem cases + avcodec/jpeglsdec: fix end check for xfrm + avcodec/cdgraphics: limit scrolling to the line + avformat/aiffdec: avoid integer overflow in get_meta() + avformat/ape: more bits in size for less overflows + avformat/bfi: Check offsets better + avformat/asfdec_f: Check packet_frag_timestamp + avcodec/texturedspenc: Fix indexing in color distribution determination + avformat/act: Check ff_get_wav_header() for failure + avcodec/libxavs2: Improve r redundancy in occured + avformat/libzmq: Improve r redundancy in occured + avfilter/vsrc_mandelbrot: Check for malloc failure + avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements + avfilter/video: Add 
ff_default_get_video_buffer2() to set specific alignment + avformat/genh: Check sample rate + avcodec/pngenc: remove monowhite from apng formats + configure: bump year + configure: extend SDL check to accept all 2.x versions + lavf/tls_mbedtls: add support for mbedtls version 3 + version 4.3.4: fate: update reference files after the recent dash manifest muxer changes avformat/webmdashenc: fix on-demand profile string diff -Nru ffmpeg-4.3.4/MAINTAINERS ffmpeg-4.3.5/MAINTAINERS --- ffmpeg-4.3.4/MAINTAINERS 2022-04-16 08:20:41.000000000 +0000 +++ ffmpeg-4.3.5/MAINTAINERS 2022-10-10 20:06:00.000000000 +0000 @@ -610,6 +610,7 @@ Lou Logan (llogan) 7D68 DC73 CBEF EABB 671A B6CF 621C 2E28 82F8 DC3A Lynne FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464 Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George 24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris 6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 diff -Nru ffmpeg-4.3.4/RELEASE ffmpeg-4.3.5/RELEASE --- ffmpeg-4.3.4/RELEASE 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/RELEASE 2022-10-10 20:06:00.000000000 +0000 @@ -1 +1 @@ -4.3.4 +4.3.5 diff -Nru ffmpeg-4.3.4/VERSION ffmpeg-4.3.5/VERSION --- ffmpeg-4.3.4/VERSION 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/VERSION 2022-10-10 20:06:00.000000000 +0000 @@ -1 +1 @@ -4.3.4 +4.3.5 diff -Nru ffmpeg-4.3.4/configure ffmpeg-4.3.5/configure --- ffmpeg-4.3.4/configure 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/configure 2022-10-10 20:06:00.000000000 +0000 
@@ -6493,7 +6493,7 @@ if enabled sdl2; then SDL2_CONFIG="${cross_prefix}sdl2-config" - test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 2.1.0" SDL_events.h SDL_PollEvent + test_pkg_config sdl2 "sdl2 >= 2.0.1 sdl2 < 3.0.0" SDL_events.h SDL_PollEvent if disabled sdl2 && "${SDL2_CONFIG}" --version > /dev/null 2>&1; then sdl2_cflags=$("${SDL2_CONFIG}" --cflags) sdl2_extralibs=$("${SDL2_CONFIG}" --libs) @@ -7513,7 +7513,7 @@ #define FFMPEG_CONFIG_H #define FFMPEG_CONFIGURATION "$(c_escape $FFMPEG_CONFIGURATION)" #define FFMPEG_LICENSE "$(c_escape $license)" -#define CONFIG_THIS_YEAR 2021 +#define CONFIG_THIS_YEAR 2022 #define FFMPEG_DATADIR "$(eval c_escape $datadir)" #define AVCONV_DATADIR "$(eval c_escape $datadir)" #define CC_IDENT "$(c_escape ${cc_ident:-Unknown compiler})" diff -Nru ffmpeg-4.3.4/debian/changelog ffmpeg-4.3.5/debian/changelog --- ffmpeg-4.3.4/debian/changelog 2022-04-24 20:26:21.000000000 +0000 +++ ffmpeg-4.3.5/debian/changelog 2022-10-29 10:35:02.000000000 +0000 @@ -1,3 +1,10 @@ +ffmpeg (7:4.3.5-0+deb11u1) bullseye-security; urgency=medium + + * New upstream release 4.3.5 + * debian/patches: Remove patches integrated upstream + + -- Sebastian Ramacher Sat, 29 Oct 2022 12:35:02 +0200 + ffmpeg (7:4.3.4-0+deb11u1) bullseye-security; urgency=medium * New upstream version 4.3.4 diff -Nru ffmpeg-4.3.4/debian/patches/0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch ffmpeg-4.3.5/debian/patches/0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch --- ffmpeg-4.3.4/debian/patches/0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch 2022-04-22 17:42:54.000000000 +0000 +++ ffmpeg-4.3.5/debian/patches/0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,25 +0,0 @@ -From: Paul B Mahol -Date: Sun, 14 Feb 2021 17:20:03 +0100 -Subject: avcodec/pngenc: remove monowhite from apng formats - -Monowhite pixel format is not supported, and it does not make sense -to add support for it. - -Fixes #7989 ---- - libavcodec/pngenc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c -index efcae8c..eebb164 100644 ---- a/libavcodec/pngenc.c -+++ b/libavcodec/pngenc.c -@@ -1174,7 +1174,7 @@ AVCodec ff_apng_encoder = { - AV_PIX_FMT_PAL8, - AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, - AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, -- AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE -+ AV_PIX_FMT_NONE - }, - .priv_class = &apngenc_class, - }; diff -Nru ffmpeg-4.3.4/debian/patches/series ffmpeg-4.3.5/debian/patches/series --- ffmpeg-4.3.4/debian/patches/series 2022-04-22 17:42:54.000000000 +0000 +++ ffmpeg-4.3.5/debian/patches/series 2022-10-29 10:35:02.000000000 +0000 @@ -1,3 +1,2 @@ 0001-avcodec-arm-sbcenc-avoid-callee-preserved-vfp-regist.patch 0002-Fix-build-on-powerpc-and-ppc64.patch -0003-avcodec-pngenc-remove-monowhite-from-apng-formats.patch diff -Nru ffmpeg-4.3.4/doc/Doxyfile ffmpeg-4.3.5/doc/Doxyfile --- ffmpeg-4.3.4/doc/Doxyfile 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/doc/Doxyfile 2022-10-10 20:06:00.000000000 +0000 @@ -38,7 +38,7 @@ # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.4 +PROJECT_NUMBER = 4.3.5 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a diff -Nru ffmpeg-4.3.4/doc/git-howto.texi ffmpeg-4.3.5/doc/git-howto.texi --- ffmpeg-4.3.4/doc/git-howto.texi 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/doc/git-howto.texi 2022-10-10 20:06:00.000000000 +0000 
@@ -187,11 +187,18 @@ git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. @@ -393,6 +400,19 @@ where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, diff -Nru ffmpeg-4.3.4/libavcodec/8bps.c ffmpeg-4.3.5/libavcodec/8bps.c --- ffmpeg-4.3.4/libavcodec/8bps.c 2022-04-16 08:20:41.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/8bps.c 2022-10-10 20:06:00.000000000 +0000 @@ -70,6 +70,9 @@ unsigned char *planemap = c->planemap; int ret; + if (buf_size < planes * height *2) + return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; diff -Nru ffmpeg-4.3.4/libavcodec/aasc.c ffmpeg-4.3.5/libavcodec/aasc.c --- ffmpeg-4.3.4/libavcodec/aasc.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/aasc.c 2022-10-10 20:06:00.000000000 +0000 
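Review bot: The new bound `if (buf_size < planes * height *2)` gives no hint where the factor 2 comes from; presumably each plane carries a 2-byte length entry per line that the per-line loop later in the function reads, but that loop is outside the hunk, so the constant should be explained where it is used. Suggest `/* every line of every plane starts with a 2-byte length; reject short packets before allocating a frame */` above the check, and `height * 2` with spacing consistent with the rest of the expression. The enclosing decode function starts and ends outside the hunk.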
@@ -104,26 +104,26 @@ ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): - switch (compr) { - case 0: - stride = (avctx->width * psize + psize) & ~psize; - if (buf_size < stride * avctx->height) + switch (compr) { + case 0: + stride = (avctx->width * psize + psize) & ~psize; + if (buf_size < stride * avctx->height) + return AVERROR_INVALIDDATA; + for (i = avctx->height - 1; i >= 0; i--) { + memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); + buf += stride; + buf_size -= stride; + } + break; + case 1: + bytestream2_init(&s->gb, buf, buf_size); + ff_msrle_decode(avctx, s->frame, 8, &s->gb); + break; + default: + av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; - for (i = avctx->height - 1; i >= 0; i--) { - memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); - buf += stride; - buf_size -= stride; } break; - case 1: - bytestream2_init(&s->gb, buf, buf_size); - ff_msrle_decode(avctx, s->frame, 8, &s->gb); - break; - default: - av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); - return AVERROR_INVALIDDATA; - } - break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; diff -Nru ffmpeg-4.3.4/libavcodec/alacdsp.c ffmpeg-4.3.5/libavcodec/alacdsp.c --- ffmpeg-4.3.4/libavcodec/alacdsp.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/alacdsp.c 2022-10-10 20:06:00.000000000 +0000 
@@ -29,12 +29,12 @@ int i; for (i = 0; i < nb_samples; i++) { - int32_t a, b; + uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; - a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; + a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; diff -Nru ffmpeg-4.3.4/libavcodec/apedec.c ffmpeg-4.3.5/libavcodec/apedec.c --- ffmpeg-4.3.4/libavcodec/apedec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/apedec.c 2022-10-10 20:06:00.000000000 +0000 @@ -903,7 +903,7 @@ p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign; p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign; - p->filterB[filter] = p->lastA[filter] + (predictionB >> shift); + p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift); p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5); return p->filterA[filter]; diff -Nru ffmpeg-4.3.4/libavcodec/bink.c ffmpeg-4.3.5/libavcodec/bink.c --- ffmpeg-4.3.4/libavcodec/bink.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/bink.c 2022-10-10 20:06:00.000000000 +0000 @@ -1084,7 +1084,7 @@ for (bx = 0; bx < bw; bx++, dst += 8, prev += 8) { blk = get_value(c, BINK_SRC_BLOCK_TYPES); // 16x16 block type on odd line means part of the already decoded block, so skip it - if ((by & 1) && blk == SCALED_BLOCK) { + if (((by & 1) || (bx & 1)) && blk == SCALED_BLOCK) { bx++; dst += 8; prev += 8; diff -Nru ffmpeg-4.3.4/libavcodec/cdgraphics.c ffmpeg-4.3.5/libavcodec/cdgraphics.c --- ffmpeg-4.3.4/libavcodec/cdgraphics.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/cdgraphics.c 2022-10-10 20:06:00.000000000 +0000 
@@ -239,7 +239,7 @@ for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, diff -Nru ffmpeg-4.3.4/libavcodec/dstdec.c ffmpeg-4.3.5/libavcodec/dstdec.c --- ffmpeg-4.3.4/libavcodec/dstdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/dstdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -214,7 +214,7 @@ return (ff_reverse[c & 127] >> 1) + 1; } -static void build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) +static int build_filter(int16_t table[DST_MAX_ELEMENTS][16][256], const Table *fsets) { int i, j, k, l; @@ -225,14 +225,17 @@ int total = av_clip(length - j * 8, 0, 8); for (k = 0; k < 256; k++) { - int v = 0; + int64_t v = 0; for (l = 0; l < total; l++) v += (((k >> l) & 1) * 2 - 1) * fsets->coeff[i][j * 8 + l]; + if ((int16_t)v != v) + return AVERROR_INVALIDDATA; table[i][j][k] = v; } } } + return 0; } static int decode_frame(AVCodecContext *avctx, void *data, @@ -328,7 +331,9 @@ return AVERROR_INVALIDDATA; ac_init(ac, gb); - build_filter(s->filter, &s->fsets); + ret = build_filter(s->filter, &s->fsets); + if (ret < 0) + return ret; memset(s->status, 0xAA, sizeof(s->status)); memset(dsd, 0, frame->nb_samples * 4 * channels); diff -Nru ffmpeg-4.3.4/libavcodec/ffv1dec.c ffmpeg-4.3.5/libavcodec/ffv1dec.c --- ffmpeg-4.3.4/libavcodec/ffv1dec.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/ffv1dec.c 2022-10-10 20:06:00.000000000 +0000 
@@ -185,6 +185,9 @@ || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; + if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) + return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); diff -Nru ffmpeg-4.3.4/libavcodec/ffv1dec_template.c ffmpeg-4.3.5/libavcodec/ffv1dec_template.c --- ffmpeg-4.3.4/libavcodec/ffv1dec_template.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/ffv1dec_template.c 2022-10-10 20:06:00.000000000 +0000 @@ -93,11 +93,11 @@ run_count--; } } else { - while (run_count > 1 && w-x > 1) { - sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); - x++; - run_count--; - } + while (run_count > 1 && w-x > 1) { + sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); + x++; + run_count--; + } } run_count--; if (run_count < 0) { diff -Nru ffmpeg-4.3.4/libavcodec/fmvc.c ffmpeg-4.3.5/libavcodec/fmvc.c --- ffmpeg-4.3.4/libavcodec/fmvc.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/fmvc.c 2022-10-10 20:06:00.000000000 +0000 @@ -401,20 +401,17 @@ PutByteContext *pb = &s->pb; AVFrame *frame = data; int ret, y, x; + int key_frame; if (avpkt->size < 8) return AVERROR_INVALIDDATA; - if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) - return ret; - bytestream2_init(gb, avpkt->data, avpkt->size); bytestream2_skip(gb, 2); - frame->key_frame = !!bytestream2_get_le16(gb); - frame->pict_type = frame->key_frame ? AV_PICTURE_TYPE_I : AV_PICTURE_TYPE_P; + key_frame = !!bytestream2_get_le16(gb); - if (frame->key_frame) { + if (key_frame) { const uint8_t *src; unsigned type, size; uint8_t *dst; @@ -434,6 +431,12 @@ return AVERROR_PATCHWELCOME; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 1; + frame->pict_type = AV_PICTURE_TYPE_I; + src = s->buffer; dst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { 
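Review bot: The limit in `if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23))` is a bare magic number; nothing in the ffv1dec hunk says whether 8M is a property of the golomb-rice run coding or a sanity bound chosen to keep intermediate values in range, so a later maintainer cannot tell if it may be relaxed. Suggest naming it, e.g. `#define MAX_GOLOMB_RICE_SLICE_WIDTH (1 << 23)` with a one-line comment stating the reason for the bound, and using the name here. The enclosing function starts and ends outside the hunk.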
@@ -512,6 +515,12 @@ dst = &rect[block_h * s->stride]; } + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) + return ret; + + frame->key_frame = 0; + frame->pict_type = AV_PICTURE_TYPE_P; + ssrc = s->buffer; ddst = frame->data[0] + (avctx->height - 1) * frame->linesize[0]; for (y = 0; y < avctx->height; y++) { diff -Nru ffmpeg-4.3.4/libavcodec/h263dec.c ffmpeg-4.3.5/libavcodec/h263dec.c --- ffmpeg-4.3.4/libavcodec/h263dec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/h263dec.c 2022-10-10 20:06:00.000000000 +0000 @@ -544,6 +544,8 @@ avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { + if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) + return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) diff -Nru ffmpeg-4.3.4/libavcodec/h264dec.c ffmpeg-4.3.5/libavcodec/h264dec.c --- ffmpeg-4.3.4/libavcodec/h264dec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/h264dec.c 2022-10-10 20:06:00.000000000 +0000 @@ -679,6 +679,10 @@ avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: + if (h->setup_finished) { + avpriv_request_sample(avctx, "Late SEI"); + break; + } ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) diff -Nru ffmpeg-4.3.4/libavcodec/hevc_filter.c ffmpeg-4.3.5/libavcodec/hevc_filter.c --- ffmpeg-4.3.4/libavcodec/hevc_filter.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/hevc_filter.c 2022-10-10 20:06:00.000000000 +0000 
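Review bot: The early-out `if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb))` in the h263dec hunk encodes a threshold (less than half a bit of remaining payload per macroblock) without saying why that cannot be a valid I/P frame, so it reads as a tuned heuristic rather than a format limit. A comment such as `/* an I/P frame cannot code a macroblock in under 1/2 bit; reject truncated payloads early */` would let a reader judge the divisor; if the bound is empirical, say so. The function containing this check begins and ends outside the hunk.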
@@ -145,11 +145,22 @@ if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { - for (j = 0; j < width; j+=8) + for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } + if (width&7) { + dst += ((width>>3)<<3) - stride_dst * height; + src += ((width>>3)<<3) - stride_src * height; + width &= 7; + for (i = 0; i < height; i++) { + for (j = 0; j < width; j++) + dst[j] = src[j]; + dst += stride_dst; + src += stride_src; + } + } } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) diff -Nru ffmpeg-4.3.4/libavcodec/hevcdec.c ffmpeg-4.3.5/libavcodec/hevcdec.c --- ffmpeg-4.3.4/libavcodec/hevcdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/hevcdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -3241,7 +3241,7 @@ } } else { /* verify the SEI checksum */ - if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && + if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { diff -Nru ffmpeg-4.3.4/libavcodec/hevcdsp_template.c ffmpeg-4.3.5/libavcodec/hevcdsp_template.c --- ffmpeg-4.3.4/libavcodec/hevcdsp_template.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/hevcdsp_template.c 2022-10-10 20:06:00.000000000 +0000 @@ -313,7 +313,7 @@ offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) - dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); + dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } diff -Nru ffmpeg-4.3.4/libavcodec/jpeglsdec.c ffmpeg-4.3.5/libavcodec/jpeglsdec.c --- ffmpeg-4.3.4/libavcodec/jpeglsdec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/jpeglsdec.c 2022-10-10 20:06:00.000000000 +0000 
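Review bot: The tail handling added to the unaligned path of copy_CTB has no counterpart in the 16-byte path on the following context lines, which still runs `for (j = 0; j < width; j+=16)` and therefore copies past `width` whenever width is not a multiple of 16. Whether that can occur depends on the callers (CTB and picture sizes, pixel depth), which are outside the hunk, but if the unaligned loop needed bounding the same reasoning would seem to apply there; worth confirming or leaving a comment stating why width is always a multiple of 16 on that path. The added `dst += ((width>>3)<<3) - stride_dst * height` rewinds to the first row for a second pass, which a reader may not expect; a one-line `/* second pass: copy the remaining width&7 bytes of each row */` would help. copy_CTB starts outside the hunk.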
@@ -478,19 +478,19 @@ for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; @@ -498,7 +498,7 @@ } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); diff -Nru ffmpeg-4.3.4/libavcodec/lagarith.c ffmpeg-4.3.5/libavcodec/lagarith.c --- ffmpeg-4.3.4/libavcodec/lagarith.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/lagarith.c 2022-10-10 20:06:00.000000000 +0000 @@ -408,6 +408,9 @@ if (zero_run) { zero_run = 0; i += esc_count; + if (i > end - dst || + i >= src_end - src) + return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); diff -Nru ffmpeg-4.3.4/libavcodec/libxavs2.c ffmpeg-4.3.5/libavcodec/libxavs2.c --- ffmpeg-4.3.4/libavcodec/libxavs2.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/libxavs2.c 2022-10-10 20:06:00.000000000 +0000 
@@ -205,7 +205,7 @@ ret = cae->api->encoder_encode(cae->encoder, &pic, &cae->packet); if (ret) { - av_log(avctx, AV_LOG_ERROR, "Encoding error occured.\n"); + av_log(avctx, AV_LOG_ERROR, "Encoding error occurred.\n"); return AVERROR_EXTERNAL; } diff -Nru ffmpeg-4.3.4/libavcodec/midivid.c ffmpeg-4.3.5/libavcodec/midivid.c --- ffmpeg-4.3.4/libavcodec/midivid.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/midivid.c 2022-10-10 20:06:00.000000000 +0000 @@ -202,12 +202,7 @@ bytestream2_skip(gb, 8); uncompressed = bytestream2_get_le32(gb); - if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) - return ret; - - if (uncompressed) { - ret = decode_mvdv(s, avctx, frame); - } else { + if (!uncompressed) { av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12)); if (!s->uncompressed) return AVERROR(ENOMEM); @@ -216,9 +211,13 @@ if (ret < 0) return ret; bytestream2_init(gb, s->uncompressed, ret); - ret = decode_mvdv(s, avctx, frame); } + if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) + return ret; + + ret = decode_mvdv(s, avctx, frame); + if (ret < 0) return ret; key = ret; diff -Nru ffmpeg-4.3.4/libavcodec/mjpegdec.c ffmpeg-4.3.5/libavcodec/mjpegdec.c --- ffmpeg-4.3.4/libavcodec/mjpegdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/mjpegdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -1079,6 +1079,10 @@ return AVERROR_INVALIDDATA; if (s->v_max != 1 || s->h_max != 1 || !s->lossless) return AVERROR_INVALIDDATA; + if (s->bayer) { + if (s->rct || s->pegasus_rct) + return AVERROR_INVALIDDATA; + } s->restart_count = s->restart_interval; @@ -1195,6 +1199,8 @@ ptr[3*mb_x + 2] = buffer[mb_x][2] + ptr[3*mb_x + 1]; } } else if (s->bayer) { + if (s->bits <= 8) + return AVERROR_PATCHWELCOME; if (nb_components == 1) { /* Leave decoding to the TIFF/DNG decoder (see comment in ff_mjpeg_decode_sof) */ for (mb_x = 0; mb_x < width; mb_x++) 
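Review bot: The nested `if (s->bayer) { if (s->rct || s->pegasus_rct) return AVERROR_INVALIDDATA; }` in the first mjpegdec hunk expresses a single condition and reads more directly as `if (s->bayer && (s->rct || s->pegasus_rct)) return AVERROR_INVALIDDATA;`. Neither this check nor the `if (s->bits <= 8) return AVERROR_PATCHWELCOME;` in the second hunk says why the combination is rejected; a short comment at each, e.g. `/* bayer and RCT are mutually exclusive */` and `/* only >8-bit bayer is handled here */`, would document the constraint the Changelog entry alludes to. Both enclosing functions start and end outside their hunks.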
@@ -1929,6 +1935,8 @@ } len -= 9; + if (s->bayer) + goto out; if (s->got_picture) if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); diff -Nru ffmpeg-4.3.4/libavcodec/pngenc.c ffmpeg-4.3.5/libavcodec/pngenc.c --- ffmpeg-4.3.4/libavcodec/pngenc.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/pngenc.c 2022-10-10 20:06:00.000000000 +0000 @@ -1174,7 +1174,7 @@ AV_PIX_FMT_PAL8, AV_PIX_FMT_GRAY8, AV_PIX_FMT_GRAY8A, AV_PIX_FMT_GRAY16BE, AV_PIX_FMT_YA16BE, - AV_PIX_FMT_MONOBLACK, AV_PIX_FMT_NONE + AV_PIX_FMT_NONE }, .priv_class = &apngenc_class, }; diff -Nru ffmpeg-4.3.4/libavcodec/qdrw.c ffmpeg-4.3.5/libavcodec/qdrw.c --- ffmpeg-4.3.4/libavcodec/qdrw.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/qdrw.c 2022-10-10 20:06:00.000000000 +0000 @@ -369,7 +369,7 @@ bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); - if (colors < 0 || colors > 256) { + if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; diff -Nru ffmpeg-4.3.4/libavcodec/qpeldsp.c ffmpeg-4.3.5/libavcodec/qpeldsp.c --- ffmpeg-4.3.4/libavcodec/qpeldsp.c 2020-04-27 21:48:15.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/qpeldsp.c 2022-10-10 20:06:00.000000000 +0000 @@ -198,7 +198,7 @@ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8); \ } \ @@ -208,7 +208,7 @@ { \ uint8_t full[16 * 9]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ 
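Review bot: In the qdrw hunk the tightened check `if (colors < 0 || colors > 255)` keeps a left half that looks unreachable: `colors` is assigned from `bytestream2_get_be16(&gbc)` on the previous line, which yields 0..65535, so `colors < 0` can only hold if `colors` has a narrower signed type than the visible lines suggest. If it is an int, `if (colors > 255)` with a comment tying 255 to the size of the palette array it guards (outside the hunk) states the intent more honestly than an upper bound that was just corrected from 256. The enclosing function begins and ends outside the hunk.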
@@ -218,7 +218,7 @@ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ - copy_block9(full, src, 16, stride, 9); \ + copy_block8(full, src, 16, stride, 9); \ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ @@ -458,7 +458,7 @@ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ { \ uint8_t full[24 * 17]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ uint8_t full[24 * 17]; \ uint8_t half[256]; \ \ - copy_block17(full, src, 24, stride, 17); \ + copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full + 24, half, stride, 24, 16, 16); \ } \ diff -Nru ffmpeg-4.3.4/libavcodec/sbrdsp_fixed.c ffmpeg-4.3.5/libavcodec/sbrdsp_fixed.c --- ffmpeg-4.3.4/libavcodec/sbrdsp_fixed.c 2021-10-24 20:47:11.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/sbrdsp_fixed.c 2022-10-10 20:06:00.000000000 +0000 @@ -114,8 +114,8 @@ { int i; for (i = 0; i < 32; i++) { - v[ i] = ( src[63 - 2*i ] + 0x10) >> 5; - v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; + v[ i] = (int)(0x10U + src[63 - 2*i ]) >> 5; + v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } diff -Nru ffmpeg-4.3.4/libavcodec/speedhq.c ffmpeg-4.3.5/libavcodec/speedhq.c --- ffmpeg-4.3.4/libavcodec/speedhq.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/speedhq.c 2022-10-10 20:06:00.000000000 +0000 
@@ -424,7 +424,7 @@ uint32_t second_field_offset; int ret; - if (buf_size < 4 || avctx->width < 8) + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) return AVERROR_INVALIDDATA; quality = buf[0]; diff -Nru ffmpeg-4.3.4/libavcodec/texturedspenc.c ffmpeg-4.3.5/libavcodec/texturedspenc.c --- ffmpeg-4.3.4/libavcodec/texturedspenc.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/texturedspenc.c 2022-10-10 20:06:00.000000000 +0000 @@ -255,11 +255,11 @@ muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { - for (x = 4; x < 4; x += 4) { + for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; - if (bp[x] < minv) + if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; - else if (bp[x] > maxv) + else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } diff -Nru ffmpeg-4.3.4/libavcodec/tiff.c ffmpeg-4.3.5/libavcodec/tiff.c --- ffmpeg-4.3.4/libavcodec/tiff.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/tiff.c 2022-10-10 20:06:00.000000000 +0000 @@ -592,6 +592,7 @@ if (s->is_bayer) { av_assert0(width == (s->bpp * s->width + 7) >> 3); } + av_assert0(!(s->is_bayer && is_yuv)); if (p->format == AV_PIX_FMT_GRAY12) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, width); if (s->yuv_line == NULL) { @@ -675,6 +676,8 @@ av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n"); return AVERROR_PATCHWELCOME; } + if (!s->is_bayer) + return AVERROR_PATCHWELCOME; if ((ret = dng_decode_strip(s->avctx, p)) < 0) return ret; return 0; @@ -1783,7 +1786,7 @@ TiffContext *const s = avctx->priv_data; AVFrame *const p = data; ThreadFrame frame = { .f = data }; - unsigned off, last_off; + unsigned off, last_off = 0; int le, ret, plane, planes; int i, j, entries, stride; unsigned soff, ssize; 
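Review bot: The new `if (!s->is_bayer) return AVERROR_PATCHWELCOME;` in the second tiff hunk returns silently, while the check immediately above it logs why the input is unsupported before returning the same code, so a user hitting this path gets no indication of what was rejected. Suggest matching the neighbouring style with `avpriv_request_sample(s->avctx, "DNG JPEG strips for non-bayer data");` before the return. The enclosing function starts and ends outside the hunk.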
@@ -1848,7 +1851,6 @@ /** whether we should process this multi-page IFD's next page */ retry_for_page = s->get_page && s->cur_page + 1 < s->get_page; // get_page is 1-indexed - last_off = off; if (retry_for_page) { // set offset to the next IFD off = ff_tget_long(&s->gb, le); @@ -1866,6 +1868,7 @@ avpriv_request_sample(s->avctx, "non increasing IFD offset\n"); return AVERROR_INVALIDDATA; } + last_off = off; if (off >= UINT_MAX - 14 || avpkt->size < off + 14) { av_log(avctx, AV_LOG_ERROR, "IFD offset is greater than image size\n"); return AVERROR_INVALIDDATA; diff -Nru ffmpeg-4.3.4/libavcodec/tta.c ffmpeg-4.3.5/libavcodec/tta.c --- ffmpeg-4.3.4/libavcodec/tta.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/tta.c 2022-10-10 20:06:00.000000000 +0000 @@ -371,8 +371,15 @@ case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; diff -Nru ffmpeg-4.3.4/libavcodec/wnv1.c ffmpeg-4.3.5/libavcodec/wnv1.c --- ffmpeg-4.3.4/libavcodec/wnv1.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavcodec/wnv1.c 2022-10-10 20:06:00.000000000 +0000 @@ -122,6 +122,9 @@ { static VLC_TYPE code_table[1 << CODE_VLC_BITS][2]; + if (avctx->width <= 1) + return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; code_vlc.table = code_table; diff -Nru ffmpeg-4.3.4/libavfilter/vf_frei0r.c ffmpeg-4.3.5/libavfilter/vf_frei0r.c --- ffmpeg-4.3.4/libavfilter/vf_frei0r.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/vf_frei0r.c 2022-10-10 20:06:00.000000000 +0000 
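Review bot: The tta overflow counter is diagnostic only — the wrapped 32-bit sample is still written — which is a defensible choice for a lossless decoder fed corrupt data, but nothing in the loop says so; a comment such as `/* wrapped samples are emitted unchanged; only the count is reported */` would stop a later "fix" that clamps and silently changes output. `int scaled = *samples * 256U;` also relies on the implementation-defined unsigned-to-int conversion (fine under two's complement, worth a word), and `framelen * s->channels` is recomputed on every iteration; hoisting it into a local both tightens the loop and records that its bounds were validated earlier, outside the hunk.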
@@ -353,14 +353,20 @@ { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; - AVFrame *out; + AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!out) + goto fail; - out = ff_get_video_buffer(outlink, outlink->w, outlink->h); - if (!out) { + av_frame_copy_props(out, in); + + if (in->linesize[0] != out->linesize[0]) { + AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); + if (!in2) + goto fail; + av_frame_copy(in2, in); av_frame_free(&in); - return AVERROR(ENOMEM); + in = in2; } - av_frame_copy_props(out, in); s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], @@ -369,6 +375,10 @@ av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: + av_frame_free(&in); + av_frame_free(&out); + return AVERROR(ENOMEM); } #define OFFSET(x) offsetof(Frei0rContext, x) @@ -451,7 +461,7 @@ static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; - AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); + AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); diff -Nru ffmpeg-4.3.4/libavfilter/vf_showinfo.c ffmpeg-4.3.5/libavfilter/vf_showinfo.c --- ffmpeg-4.3.4/libavfilter/vf_showinfo.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/vf_showinfo.c 2022-10-10 20:06:00.000000000 +0000 
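Review bot: When the linesizes differ, `in` is replaced by `in2`, but `av_frame_copy` copies pixel data only, so the `in->pts` in the `s->update(...)` call below is the freshly allocated frame's default timestamp rather than the input's, and the plugin is handed a wildly wrong time; since `out` already received the properties, use `out->pts * av_q2d(inlink->time_base) * 1000` there, or call `av_frame_copy_props(in2, in)` before freeing `in`. `av_frame_copy` can also fail on a width/height/format mismatch and its return value is dropped; `if (av_frame_copy(in2, in) < 0) { av_frame_free(&in2); goto fail; }` keeps the error path uniform. The hard-coded alignment of 16 is presumably what makes the buffer's linesize consumable by the plugin's packed-pixel API, and deserves a one-line comment at both allocation sites.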
@@ -310,12 +310,15 @@ av_log(ctx, AV_LOG_INFO, " %08"PRIX32, plane_checksum[plane]); av_log(ctx, AV_LOG_INFO, "] mean:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%"PRId64" ", (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); - av_log(ctx, AV_LOG_INFO, "\b] stdev:["); + av_log(ctx, AV_LOG_INFO, "%s%"PRId64, + plane ? " ":"", + (sum[plane] + pixelcount[plane]/2) / pixelcount[plane]); + av_log(ctx, AV_LOG_INFO, "] stdev:["); for (plane = 0; plane < 4 && frame->data[plane] && frame->linesize[plane]; plane++) - av_log(ctx, AV_LOG_INFO, "%3.1f ", + av_log(ctx, AV_LOG_INFO, "%s%3.1f", + plane ? " ":"", sqrt((sum2[plane] - sum[plane]*(double)sum[plane]/pixelcount[plane])/pixelcount[plane])); - av_log(ctx, AV_LOG_INFO, "\b]"); + av_log(ctx, AV_LOG_INFO, "]"); } av_log(ctx, AV_LOG_INFO, "\n"); diff -Nru ffmpeg-4.3.4/libavfilter/vf_signature.c ffmpeg-4.3.5/libavfilter/vf_signature.c --- ffmpeg-4.3.4/libavfilter/vf_signature.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/vf_signature.c 2022-10-10 20:06:00.000000000 +0000 @@ -223,7 +223,7 @@ dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; - denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; + denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -249,7 +249,7 @@ } } - denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; + denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; diff -Nru ffmpeg-4.3.4/libavfilter/video.c ffmpeg-4.3.5/libavfilter/video.c --- ffmpeg-4.3.4/libavfilter/video.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/video.c 2022-10-10 20:06:00.000000000 +0000 
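Review bot: In vf_signature the `(int64_t)` cast only helps if `denom` itself is 64-bit; its declaration is outside the hunk and this patch touches no other line of the file, so if it is still `int` the widened product is truncated on assignment and the overflow merely moves. Worth confirming the declaration before closing the issue.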
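Review bot: The new `ff_default_get_video_buffer2` declaration in video.h carries no comment, and its only difference from `ff_default_get_video_buffer` is the extra `align` argument, which the two-line wrapper in video.c shows is what `av_cpu_max_align()` used to supply; document that contract so the next caller understands what the 16 in vf_frei0r means: `/** Like ff_default_get_video_buffer() but with an explicit buffer/linesize alignment in place of av_cpu_max_align(). */`.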
@@ -41,7 +41,7 @@ return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -96,6 +96,11 @@ return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ + return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff -Nru ffmpeg-4.3.4/libavfilter/video.h ffmpeg-4.3.5/libavfilter/video.h --- ffmpeg-4.3.4/libavfilter/video.h 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/video.h 2022-10-10 20:06:00.000000000 +0000 @@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** diff -Nru ffmpeg-4.3.4/libavfilter/vsrc_mandelbrot.c ffmpeg-4.3.5/libavfilter/vsrc_mandelbrot.c --- ffmpeg-4.3.4/libavfilter/vsrc_mandelbrot.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavfilter/vsrc_mandelbrot.c 2022-10-10 20:06:00.000000000 +0000 @@ -134,6 +134,9 @@ s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus = av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); + if (!s->point_cache || !s->next_cache || !s->zyklus) + return AVERROR(ENOMEM); + return 0; } diff -Nru ffmpeg-4.3.4/libavformat/act.c ffmpeg-4.3.5/libavformat/act.c --- ffmpeg-4.3.4/libavformat/act.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/act.c 2022-10-10 20:06:00.000000000 +0000 @@ -66,6 +66,7 @@ AVIOContext *pb = s->pb; int size; AVStream* st; + int ret; int min,sec,msec; 
@@ -75,7 +76,9 @@ avio_skip(pb, 16); size=avio_rl32(pb); - ff_get_wav_header(s, pb, st->codecpar, size, 0); + ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); + if (ret < 0) + return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long diff -Nru ffmpeg-4.3.4/libavformat/aiffdec.c ffmpeg-4.3.5/libavformat/aiffdec.c --- ffmpeg-4.3.4/libavformat/aiffdec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/aiffdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -55,9 +55,9 @@ } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { - int size; + int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -65,16 +65,16 @@ *tag = avio_rl32(pb); size = avio_rb32(pb); - if (size < 0) - size = 0x7fffffff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { - uint8_t *str = av_malloc(size+1); + uint8_t *str = NULL; + + if (size < SIZE_MAX) + str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); @@ -91,7 +91,7 @@ } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb = s->pb; @@ -102,9 +102,6 @@ int sample_rate; unsigned int num_frames; - if (size == INT_MAX) - return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -215,7 +212,8 @@ /* aiff input */ static int aiff_read_header(AVFormatContext *s) { - int ret, size, filesize; + int ret; + int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; 
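Review bot: `get_meta` now takes a 64-bit `size`, and the only thing keeping the `avio_read(s->pb, str, size)` call (whose length parameter is an `int`) from receiving a truncated count is that `av_malloc(size + 1)` fails above its maximum allocation size; that limit defaults to INT_MAX but an application can raise it with `av_max_alloc()`, so bound the value directly rather than through the allocator: `if (size < INT_MAX) str = av_malloc(size + 1);`. The `SIZE_MAX` comparison becomes redundant once that bound is in place.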
@@ -226,7 +224,7 @@ /* check FORM header */ filesize = get_tag(pb, &tag); - if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) + if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ @@ -253,10 +251,7 @@ if (size < 0) return size; - if (size >= 0x7fffffff - 8) - filesize = 0; - else - filesize -= size + 8; + filesize -= size + 8; switch (tag) { case MKTAG('C', 'O', 'M', 'M'): /* Common chunk */ @@ -376,6 +371,8 @@ av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } + if (aiff->block_duration < 0) + return AVERROR_INVALIDDATA; /* Now positioned, get the sound data start and end */ avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate); @@ -430,7 +427,7 @@ pkt->flags &= ~AV_PKT_FLAG_CORRUPT; /* Only one stream in an AIFF file */ pkt->stream_index = 0; - pkt->duration = (res / st->codecpar->block_align) * aiff->block_duration; + pkt->duration = (res / st->codecpar->block_align) * (int64_t) aiff->block_duration; return 0; } diff -Nru ffmpeg-4.3.4/libavformat/ape.c ffmpeg-4.3.5/libavformat/ape.c --- ffmpeg-4.3.4/libavformat/ape.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/ape.c 2022-10-10 20:06:00.000000000 +0000 @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; + int64_t size; int nblocks; - int size; int skip; int64_t pts; } APEFrame; @@ -148,7 +148,7 @@ av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) - av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, + av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -166,7 +166,8 @@ AVStream *st; uint32_t tag; int i, ret; - int total_blocks, final_size = 0; + int total_blocks; + int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ 
@@ -331,6 +332,8 @@ ape->frames[i].pos -= ape->frames[i].skip; ape->frames[i].size += ape->frames[i].skip; } + if (ape->frames[i].size > INT_MAX - 3) + return AVERROR_INVALIDDATA; ape->frames[i].size = (ape->frames[i].size + 3) & ~3; } if (ape->fileversion < 3810) { @@ -420,7 +423,7 @@ if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { - av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", + av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); diff -Nru ffmpeg-4.3.4/libavformat/asfdec_f.c ffmpeg-4.3.5/libavformat/asfdec_f.c --- ffmpeg-4.3.4/libavformat/asfdec_f.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/asfdec_f.c 2022-10-10 20:06:00.000000000 +0000 @@ -104,7 +104,7 @@ int ts_is_pts; int packet_multi_size; int packet_time_delta; - int packet_time_start; + int64_t packet_time_start; int64_t packet_pos; int stream_index; @@ -1315,10 +1315,12 @@ if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; - if (asf->ts_is_pts) { - asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; - } else - asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { + if (asf->ts_is_pts) { + asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; + } else + asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; + } asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean = 0; diff -Nru ffmpeg-4.3.4/libavformat/asfdec_o.c ffmpeg-4.3.5/libavformat/asfdec_o.c --- ffmpeg-4.3.4/libavformat/asfdec_o.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/asfdec_o.c 2022-10-10 20:06:00.000000000 +0000 
@@ -113,6 +113,7 @@ int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior + int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -177,7 +178,7 @@ uint64_t size = avio_rl64(pb); int ret; - if (size > INT64_MAX) + if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) @@ -186,8 +187,11 @@ if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size - if ((ret = detect_unknown_subobject(s, asf->unknown_offset, - asf->unknown_size)) < 0) + asf->in_asf_read_unknown ++; + ret = detect_unknown_subobject(s, asf->unknown_offset, + asf->unknown_size); + asf->in_asf_read_unknown --; + if (ret < 0) return ret; } else { if (size < 24) { @@ -1347,6 +1351,8 @@ unsigned char error_flags, len_flags, pay_flags; asf->packet_offset = avio_tell(pb); + if (asf->packet_offset > INT64_MAX/2) + asf->packet_offset = 0; error_flags = avio_r8(pb); // read Error Correction Flags if (error_flags & ASF_PACKET_FLAG_ERROR_CORRECTION_PRESENT) { if (!(error_flags & ASF_ERROR_CORRECTION_LENGTH_TYPE)) { diff -Nru ffmpeg-4.3.4/libavformat/avidec.c ffmpeg-4.3.5/libavformat/avidec.c --- ffmpeg-4.3.4/libavformat/avidec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/avidec.c 2022-10-10 20:06:00.000000000 +0000 @@ -79,6 +79,8 @@ int stream_index; DVDemuxContext *dv_demux; int odml_depth; + int64_t odml_read; + int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -189,7 +191,7 @@ st = s->streams[stream_id]; ast = st->priv_data; - if (index_sub_type) + if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); 
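Review bot: Resetting `asf->packet_offset` to 0 when `avio_tell` is beyond INT64_MAX/2 keeps the later offset arithmetic from overflowing, but it substitutes a false position that subsequent `pkt.pos` and seek bookkeeping will trust; a position that large cannot come from a real file, so `return AVERROR_INVALIDDATA;` states the situation honestly. The recursion-depth guard is incremented and decremented symmetrically on the path shown, which is the part that matters; a short comment on the new field (`// nesting depth of unknown-object parsing, capped at 5`) would explain an otherwise opaque name.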
@@ -210,11 +212,18 @@ } for (i = 0; i < entries_in_use; i++) { + avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + + // If we read more than there are bytes then we must have been reading something twice + if (avi->odml_read > avi->odml_max_pos) + return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFFFFFF; + avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); @@ -233,6 +242,7 @@ int64_t offset, pos; int duration; int ret; + avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ diff -Nru ffmpeg-4.3.4/libavformat/bfi.c ffmpeg-4.3.5/libavformat/bfi.c --- ffmpeg-4.3.4/libavformat/bfi.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/bfi.c 2022-10-10 20:06:00.000000000 +0000 @@ -140,12 +140,12 @@ audio_offset = avio_rl32(pb); avio_rl32(pb); video_offset = avio_rl32(pb); - audio_size = video_offset - audio_offset; - bfi->video_size = chunk_size - video_offset; - if (audio_size < 0 || bfi->video_size < 0) { + if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } + audio_size = video_offset - audio_offset; + bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); diff -Nru ffmpeg-4.3.4/libavformat/cafdec.c ffmpeg-4.3.5/libavformat/cafdec.c --- ffmpeg-4.3.4/libavformat/cafdec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/cafdec.c 2022-10-10 20:06:00.000000000 +0000 
@@ -342,7 +342,7 @@
 found_data:
 if (caf->bytes_per_packet > 0 && caf->frames_per_packet > 0) {
- if (caf->data_size > 0)
+ if (caf->data_size > 0 && caf->data_size / caf->bytes_per_packet < INT64_MAX / caf->frames_per_packet)
 st->nb_frames = (caf->data_size / caf->bytes_per_packet) * caf->frames_per_packet;
 } else if (st->nb_index_entries && st->duration > 0) {
 if (st->codecpar->sample_rate && caf->data_size / st->duration > INT64_MAX / st->codecpar->sample_rate / 8) {
diff -Nru ffmpeg-4.3.4/libavformat/dxa.c ffmpeg-4.3.5/libavformat/dxa.c
--- ffmpeg-4.3.4/libavformat/dxa.c 2022-04-14 20:13:38.000000000 +0000
+++ ffmpeg-4.3.5/libavformat/dxa.c 2022-10-10 20:06:00.000000000 +0000
@@ -118,9 +118,12 @@
 if(tag == MKTAG('d', 'a', 't', 'a')) break;
 avio_skip(pb, fsize);
 }
- c->bpc = (fsize + c->frames - 1) / c->frames;
- if(ast->codecpar->block_align)
+ c->bpc = (fsize + (int64_t)c->frames - 1) / c->frames;
+ if(ast->codecpar->block_align) {
+ if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
+ return AVERROR_INVALIDDATA;
 c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
+ }
 c->bytes_left = fsize;
 c->wavpos = avio_tell(pb);
 avio_seek(pb, c->vidpos, SEEK_SET);
diff -Nru ffmpeg-4.3.4/libavformat/flvdec.c ffmpeg-4.3.5/libavformat/flvdec.c
--- ffmpeg-4.3.4/libavformat/flvdec.c 2022-04-16 08:20:46.000000000 +0000
+++ ffmpeg-4.3.5/libavformat/flvdec.c 2022-10-10 20:06:00.000000000 +0000
@@ -64,7 +64,7 @@
 uint8_t resync_buffer[2*RESYNC_BUFFER_SIZE];
 int broken_sizes;
- int sum_flv_tag_size;
+ int64_t sum_flv_tag_size;
 int last_keyframe_stream_index;
 int keyframe_count;
@@ -461,6 +461,8 @@
 goto invalid;
 if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000))
 goto invalid;
+ if (avio_feof(ioc))
+ goto invalid;
 current_array[0][i] = d;
 }
 if (times && filepositions) {
@@ -1033,7 +1035,7 @@ type = (avio_r8(s->pb) & 0x1F); orig_size = size = avio_rb24(s->pb); - flv->sum_flv_tag_size += size + 11; + flv->sum_flv_tag_size += size + 11LL; dts = avio_rb24(s->pb); dts |= (unsigned)avio_r8(s->pb) << 24; av_log(s, AV_LOG_TRACE, "type:%d, size:%d, last:%d, dts:%"PRId64" pos:%"PRId64"\n", type, size, last, dts, avio_tell(s->pb)); @@ -1338,7 +1340,7 @@ !avio_feof(s->pb) && (last != orig_size || !last) && last != flv->sum_flv_tag_size && !flv->broken_sizes) { - av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %d\n", last, orig_size + 11, flv->sum_flv_tag_size); + av_log(s, AV_LOG_ERROR, "Packet mismatch %d %d %"PRId64"\n", last, orig_size + 11, flv->sum_flv_tag_size); avio_seek(s->pb, pos + 1, SEEK_SET); ret = resync(s); av_packet_unref(pkt); diff -Nru ffmpeg-4.3.4/libavformat/genh.c ffmpeg-4.3.5/libavformat/genh.c --- ffmpeg-4.3.4/libavformat/genh.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/genh.c 2022-10-10 20:06:00.000000000 +0000 @@ -67,6 +67,9 @@ return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); + if (st->codecpar->sample_rate < 0) + return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); diff -Nru ffmpeg-4.3.4/libavformat/hls.c ffmpeg-4.3.5/libavformat/hls.c --- ffmpeg-4.3.4/libavformat/hls.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/hls.c 2022-10-10 20:06:00.000000000 +0000 @@ -236,6 +236,7 @@ { int i; for (i = 0; i < pls->n_init_sections; i++) { + av_freep(&pls->init_sections[i]->key); av_freep(&pls->init_sections[i]->url); av_freep(&pls->init_sections[i]); } diff -Nru ffmpeg-4.3.4/libavformat/icodec.c ffmpeg-4.3.5/libavformat/icodec.c --- ffmpeg-4.3.4/libavformat/icodec.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/icodec.c 2022-10-10 20:06:00.000000000 +0000 
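Review bot: The genh check rejects a negative sample rate but lets 0 through, and a zero rate is just as unusable; if `sample_rate` feeds the stream time base or a duration division further down (outside the hunk), `if (st->codecpar->sample_rate <= 0)` closes that case on the same line.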
@@ -203,6 +203,9 @@ AV_WL32(buf + 32, image->nb_pal); } + if (image->nb_pal > INT_MAX / 4 - 14 - 40) + return AVERROR_INVALIDDATA; + AV_WL32(buf - 4, 14 + 40 + image->nb_pal * 4); AV_WL32(buf + 8, AV_RL32(buf + 8) / 2); } diff -Nru ffmpeg-4.3.4/libavformat/iff.c ffmpeg-4.3.5/libavformat/iff.c --- ffmpeg-4.3.4/libavformat/iff.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/iff.c 2022-10-10 20:06:00.000000000 +0000 @@ -385,7 +385,7 @@ avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; - pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; + pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -398,7 +398,8 @@ case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; - s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; + s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } @@ -501,6 +502,9 @@ case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); + if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) + return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { diff -Nru ffmpeg-4.3.4/libavformat/jacosubdec.c ffmpeg-4.3.5/libavformat/jacosubdec.c --- ffmpeg-4.3.4/libavformat/jacosubdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/jacosubdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -152,7 +152,7 @@ ret = 0; switch (n) { case 4: - ret = sign * (((int64_t)a*3600 + b*60 + c) * timeres + d); + ret = sign * (((int64_t)a*3600 + (int64_t)b*60 + c) * timeres + d); break; case 3: ret = sign * (( (int64_t)a*60 + b) * timeres + c); diff -Nru ffmpeg-4.3.4/libavformat/libzmq.c ffmpeg-4.3.5/libavformat/libzmq.c --- ffmpeg-4.3.4/libavformat/libzmq.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/libzmq.c 2022-10-10 20:06:00.000000000 +0000 
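Review bot: `iff->body_pos + data_size > INT64_MAX` cannot fire in the case it is meant for if `data_size` is the unsigned 64-bit chunk size (its declaration is outside the hunk): the addition is then performed in `uint64_t`, a value close to 2^64 wraps to a small number, and `body_end` ends up before `body_pos`. Test the operand instead of the sum: `if (iff->body_pos < 0 || data_size > INT64_MAX - iff->body_pos) return AVERROR_INVALIDDATA;`. The duration arithmetic in the earlier iff hunks is fine as written.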
@@ -51,7 +51,7 @@ zmq_pollitem_t items = { .socket = socket, .fd = 0, .events = ev, .revents = 0 }; ret = zmq_poll(&items, 1, POLLING_TIME); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_poll(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_poll(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return items.revents & ev ? 0 : AVERROR(EAGAIN); @@ -90,7 +90,7 @@ s->context = zmq_ctx_new(); if (!s->context) { /*errno not set on failure during zmq_ctx_new()*/ - av_log(h, AV_LOG_ERROR, "Error occured during zmq_ctx_new()\n"); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_ctx_new()\n"); return AVERROR_EXTERNAL; } @@ -100,13 +100,13 @@ if (h->flags & AVIO_FLAG_WRITE) { s->socket = zmq_socket(s->context, ZMQ_PUB); if (!s->socket) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_bind(s->socket, uri); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_bind(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_bind(): %s\n", ZMQ_STRERROR); goto fail_close; } } 
@@ -115,19 +115,19 @@ if (h->flags & AVIO_FLAG_READ) { s->socket = zmq_socket(s->context, ZMQ_SUB); if (!s->socket) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_setsockopt(s->socket, ZMQ_SUBSCRIBE, "", 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_setsockopt(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_setsockopt(): %s\n", ZMQ_STRERROR); goto fail_close; } ret = zmq_connect(s->socket, uri); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_connect(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_connect(): %s\n", ZMQ_STRERROR); goto fail_close; } } @@ -150,7 +150,7 @@ return ret; ret = zmq_send(s->socket, buf, size, 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_send(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_send(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return ret; /*number of bytes sent*/ @@ -166,7 +166,7 @@ return ret; ret = zmq_recv(s->socket, buf, size, 0); if (ret == -1) { - av_log(h, AV_LOG_ERROR, "Error occured during zmq_recv(): %s\n", ZMQ_STRERROR); + av_log(h, AV_LOG_ERROR, "Error occurred during zmq_recv(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } if (ret > size) { diff -Nru ffmpeg-4.3.4/libavformat/mxfdec.c ffmpeg-4.3.5/libavformat/mxfdec.c --- ffmpeg-4.3.4/libavformat/mxfdec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/mxfdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -58,6 +58,7 @@ #include "mxf.h" #define MXF_MAX_CHUNK_SIZE (32 << 20) +#define RUN_IN_MAX (65535+1) // S377m-2004 section 5.5 and S377-1-2009 section 6.5, the +1 is to be slightly more tolerant typedef enum { Header, 
@@ -3184,6 +3185,7 @@ KLVPacket klv; int64_t essence_offset = 0; int ret; + int64_t run_in; mxf->last_forward_tell = INT64_MAX; @@ -3194,7 +3196,10 @@ } avio_seek(s->pb, -14, SEEK_CUR); mxf->fc = s; - mxf->run_in = avio_tell(s->pb); + run_in = avio_tell(s->pb); + if (run_in < 0 || run_in > RUN_IN_MAX) + return AVERROR_INVALIDDATA; + mxf->run_in = run_in; mxf_read_random_index_pack(s); @@ -3607,7 +3612,7 @@ static int mxf_probe(const AVProbeData *p) { const uint8_t *bufp = p->buf; - const uint8_t *end = p->buf + p->buf_size; + const uint8_t *end = p->buf + FFMIN(p->buf_size, RUN_IN_MAX + 1 + sizeof(mxf_header_partition_pack_key)); if (p->buf_size < sizeof(mxf_header_partition_pack_key)) return 0; diff -Nru ffmpeg-4.3.4/libavformat/nutdec.c ffmpeg-4.3.5/libavformat/nutdec.c --- ffmpeg-4.3.4/libavformat/nutdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/nutdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -199,6 +199,8 @@ int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); + if (length == (uint64_t)-1) + return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); @@ -242,6 +244,11 @@ for (i = 0; i < 256;) { int tmp_flags = ffio_read_varlen(bc); int tmp_fields = ffio_read_varlen(bc); + if (tmp_fields < 0) { + av_log(s, AV_LOG_ERROR, "fields %d is invalid\n", tmp_fields); + ret = AVERROR_INVALIDDATA; + goto fail; + } if (tmp_fields > 0) tmp_pts = get_s(bc); diff -Nru ffmpeg-4.3.4/libavformat/rmdec.c ffmpeg-4.3.5/libavformat/rmdec.c --- ffmpeg-4.3.4/libavformat/rmdec.c 2022-04-16 08:20:46.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/rmdec.c 2022-10-10 20:06:00.000000000 +0000 
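Review bot: In nutdec `tmp_fields` is an `int` filled from `ffio_read_varlen`, so the `< 0` test only catches values whose low 32 bits happen to set the sign bit; anything up to 2^31-1 still passes and drives the per-field reads that follow, which are outside the hunk. If the remaining fields are skipped one varlen read at a time, a count in the billions is also a CPU-time sink on a tiny input, so an upper bound in the same condition — or a comment stating why none is needed — would make the guard complete.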
@@ -565,6 +565,8 @@ } tag_size = avio_rb32(pb); + if (tag_size < 0) + return AVERROR_INVALIDDATA; avio_skip(pb, tag_size - 8); for(;;) { diff -Nru ffmpeg-4.3.4/libavformat/rpl.c ffmpeg-4.3.5/libavformat/rpl.c --- ffmpeg-4.3.4/libavformat/rpl.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/rpl.c 2022-10-10 20:06:00.000000000 +0000 @@ -276,7 +276,7 @@ error |= read_line(pb, line, sizeof(line)); // size of "helpful" sprite if (vst) { error |= read_line(pb, line, sizeof(line)); // offset to key frame list - vst->duration = number_of_chunks * rpl->frames_per_chunk; + vst->duration = number_of_chunks * (int64_t)rpl->frames_per_chunk; } // Read the index diff -Nru ffmpeg-4.3.4/libavformat/rtsp.c ffmpeg-4.3.5/libavformat/rtsp.c --- ffmpeg-4.3.4/libavformat/rtsp.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/rtsp.c 2022-10-10 20:06:00.000000000 +0000 @@ -931,6 +931,8 @@ ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; + } else { + break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; diff -Nru ffmpeg-4.3.4/libavformat/sbgdec.c ffmpeg-4.3.5/libavformat/sbgdec.c --- ffmpeg-4.3.4/libavformat/sbgdec.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/sbgdec.c 2022-10-10 20:06:00.000000000 +0000 @@ -1314,6 +1314,8 @@ /* Pseudo event before the first one */ ev0 = s->events[s->nb_events - 1]; + if (av_sat_sub64(ev0.ts_int, period) != (uint64_t)ev0.ts_int - period) + return AVERROR_INVALIDDATA; ev0.ts_int -= period; ev0.ts_trans -= period; ev0.ts_next -= period; diff -Nru ffmpeg-4.3.4/libavformat/sctp.c ffmpeg-4.3.5/libavformat/sctp.c --- ffmpeg-4.3.4/libavformat/sctp.c 2021-10-21 17:06:35.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/sctp.c 2022-10-10 20:06:00.000000000 +0000 
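Review bot: The sbgdec saturation check guards only `ev0.ts_int - period`, while `ev0.ts_trans` and `ev0.ts_next` are decremented by the same `period` on the next two lines without one; unless the three timestamps are known to be close to each other (their relation is outside the hunk) the same overflow remains possible there. Applying the identical `av_sat_sub64` comparison to all three makes the guard complete.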
@@ -282,6 +282,8 @@
 goto restart;
 }
 fail1:
+ if (fd >= 0)
+ closesocket(fd);
 ret = AVERROR(EIO);
 freeaddrinfo(ai);
 return ret;
diff -Nru ffmpeg-4.3.4/libavformat/sdsdec.c ffmpeg-4.3.5/libavformat/sdsdec.c
--- ffmpeg-4.3.4/libavformat/sdsdec.c 2022-04-14 20:13:38.000000000 +0000
+++ ffmpeg-4.3.5/libavformat/sdsdec.c 2022-10-10 20:06:00.000000000 +0000
@@ -112,7 +112,7 @@
 st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
 st->codecpar->channels = 1;
 st->codecpar->sample_rate = sample_period ? 1000000000 / sample_period : 16000;
- st->duration = (avio_size(pb) - 21) / (127) * s->size / 4;
+ st->duration = av_rescale((avio_size(pb) - 21) / 127, s->size, 4);
 avpriv_set_pts_info(st, 64, 1, st->codecpar->sample_rate);
diff -Nru ffmpeg-4.3.4/libavformat/spdifdec.c ffmpeg-4.3.5/libavformat/spdifdec.c
--- ffmpeg-4.3.4/libavformat/spdifdec.c 2022-04-14 20:13:38.000000000 +0000
+++ ffmpeg-4.3.5/libavformat/spdifdec.c 2022-10-10 20:06:00.000000000 +0000
@@ -226,7 +226,7 @@
 if (!s->bit_rate && s->streams[0]->codecpar->sample_rate)
 /* stream bitrate matches 16-bit stereo PCM bitrate for currently supported codecs */
- s->bit_rate = 2 * 16 * s->streams[0]->codecpar->sample_rate;
+ s->bit_rate = 2 * 16LL * s->streams[0]->codecpar->sample_rate;
 return 0;
 }
diff -Nru ffmpeg-4.3.4/libavformat/subviewerdec.c ffmpeg-4.3.5/libavformat/subviewerdec.c
--- ffmpeg-4.3.4/libavformat/subviewerdec.c 2022-04-14 20:13:38.000000000 +0000
+++ ffmpeg-4.3.5/libavformat/subviewerdec.c 2022-10-10 20:06:00.000000000 +0000
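Review bot: `if (fd >= 0) closesocket(fd);` at `fail1` assumes `fd` is initialised to -1 before the first jump and is reset after any earlier `closesocket` on the `restart` path; both are outside the hunk, and if either does not hold the label now closes a stale or foreign descriptor, which is worse than the leak it fixes. Worth verifying, and the unconditional `ret = AVERROR(EIO)` discards whatever error was already current, so preserving a negative `ret` when set would be a small further improvement.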
@@ -51,26 +51,32 @@ return 0; } +static int get_multiplier(int e) { + switch (e) { + case 1 : return 100; + case 2 : return 10; + case 3 : return 1; + default : return -1; + } +} + static int read_ts(const char *s, int64_t *start, int *duration) { int64_t end; int hh1, mm1, ss1, ms1; int hh2, mm2, ss2, ms2; - int multiplier = 1; + int multiplier1, multiplier2; + int ms1p1, ms1p2, ms2p1, ms2p2; - if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 10; - } else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - multiplier = 100; - } - if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { - ms1 = FFMIN(ms1, 999); - ms2 = FFMIN(ms2, 999); - end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier; - *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier; + if (sscanf(s, "%u:%u:%u.%n%u%n,%u:%u:%u.%n%u%n", + &hh1, &mm1, &ss1, &ms1p1, &ms1, &ms1p2, &hh2, &mm2, &ss2, &ms2p1, &ms2, &ms2p2) == 8) { + multiplier1 = get_multiplier(ms1p2 - ms1p1); + multiplier2 = get_multiplier(ms2p2 - ms2p1); + if (multiplier1 <= 0 ||multiplier2 <= 0) + return -1; + + end = (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier2; + *start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier1; *duration = end - *start; return 0; } diff -Nru ffmpeg-4.3.4/libavformat/tls_mbedtls.c ffmpeg-4.3.5/libavformat/tls_mbedtls.c --- ffmpeg-4.3.4/libavformat/tls_mbedtls.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/tls_mbedtls.c 2022-10-10 20:06:00.000000000 +0000 @@ -19,8 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ -#include -#include +#include #include #include #include 
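Review bot: All eight numeric fields are scanned with `%u` into `int` variables, a type mismatch that is undefined for scanf and, more practically, means a leading blank or sign is accepted in the millisecond field (`%u` skips whitespace and takes a `-`), so `ms1p2 - ms1p1` can count a space or sign as a digit and select the wrong multiplier; `%3u` with `unsigned` variables, or a post-check that the scanned span is all digits, would tighten it. `*duration = end - *start` also stores a 64-bit difference into an `int` with no range check, which predates this change but now sits on the rewritten path.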
@@ -130,9 +129,15 @@ static void handle_handshake_error(URLContext *h, int ret) { switch (ret) { +#if MBEDTLS_VERSION_MAJOR < 3 case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE: av_log(h, AV_LOG_ERROR, "None of the common ciphersuites is usable. Was the local certificate correctly set?\n"); break; +#else + case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE: + av_log(h, AV_LOG_ERROR, "TLS handshake failed.\n"); + break; +#endif case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE: av_log(h, AV_LOG_ERROR, "A fatal alert message was received from the peer, has the peer a correct certificate?\n"); break; @@ -195,16 +200,6 @@ } } - // load key file - if (shr->key_file) { - if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, - shr->key_file, - tls_ctx->priv_key_pw)) != 0) { - handle_pk_parse_error(h, ret); - goto fail; - } - } - // seed the random number generator if ((ret = mbedtls_ctr_drbg_seed(&tls_ctx->ctr_drbg_context, mbedtls_entropy_func, @@ -214,6 +209,21 @@ goto fail; } + // load key file + if (shr->key_file) { + if ((ret = mbedtls_pk_parse_keyfile(&tls_ctx->priv_key, + shr->key_file, + tls_ctx->priv_key_pw +#if MBEDTLS_VERSION_MAJOR >= 3 + , mbedtls_ctr_drbg_random, + &tls_ctx->ctr_drbg_context +#endif + )) != 0) { + handle_pk_parse_error(h, ret); + goto fail; + } + } + if ((ret = mbedtls_ssl_config_defaults(&tls_ctx->ssl_config, shr->listen ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, diff -Nru ffmpeg-4.3.4/libavformat/vividas.c ffmpeg-4.3.5/libavformat/vividas.c --- ffmpeg-4.3.4/libavformat/vividas.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/vividas.c 2022-10-10 20:06:00.000000000 +0000 @@ -683,6 +683,7 @@ if (viv->sb_entries[viv->current_sb_entry].flag == 0) { uint64_t v_size = ffio_read_varlen(pb); + int last = 0, last_start; if (!viv->num_audio) return AVERROR_INVALIDDATA; 
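Review bot: `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE` is only mapped on mbedTLS 3, so on 2.x that return still falls through to the generic branch; if the constant exists on the 2.x headers being targeted (I believe it predates 3.0 — worth confirming) the case can sit outside the `#if` and keep the friendlier diagnostic on both. Moving the key load after `mbedtls_ctr_drbg_seed` is required, since the 3.x parser takes the RNG for key blinding, and a short comment would stop someone moving it back: `// must come after the DRBG is seeded: mbedTLS 3 needs the RNG to parse private keys`. The `#include` lines at the top of the hunk appear garbled by rendering rather than changed.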
@@ -706,12 +707,18 @@ if (i > 0 && start == 0) break; + if (start < last) + return AVERROR_INVALIDDATA; viv->n_audio_subpackets = i + 1; + last = viv->audio_subpackets[i].start = start; viv->audio_subpackets[i].pcm_bytes = pcm_bytes; } + last_start = viv->audio_subpackets[viv->n_audio_subpackets].start = (int)(off - avio_tell(pb)); + if (last_start < last) + return AVERROR_INVALIDDATA; viv->current_audio_subpacket = 0; } else { diff -Nru ffmpeg-4.3.4/libavformat/xwma.c ffmpeg-4.3.5/libavformat/xwma.c --- ffmpeg-4.3.4/libavformat/xwma.c 2022-04-14 20:13:38.000000000 +0000 +++ ffmpeg-4.3.5/libavformat/xwma.c 2022-10-10 20:06:00.000000000 +0000 @@ -278,7 +278,7 @@ * the total duration using the average bits per sample and the * total data length. */ - st->duration = (size<<3) * st->codecpar->sample_rate / st->codecpar->bit_rate; + st->duration = av_rescale((size<<3), st->codecpar->sample_rate, st->codecpar->bit_rate); } fail: diff -Nru ffmpeg-4.3.4/tools/target_dec_fuzzer.c ffmpeg-4.3.5/tools/target_dec_fuzzer.c --- ffmpeg-4.3.4/tools/target_dec_fuzzer.c 2022-04-16 08:20:42.000000000 +0000 +++ ffmpeg-4.3.5/tools/target_dec_fuzzer.c 2022-10-10 20:06:00.000000000 +0000 @@ -161,6 +161,7 @@ case AV_CODEC_ID_IFF_ILBM: maxpixels /= 128; break; case AV_CODEC_ID_INDEO4: maxpixels /= 128; break; case AV_CODEC_ID_LSCR: maxpixels /= 16; break; + case AV_CODEC_ID_MMVIDEO: maxpixels /= 256; break; case AV_CODEC_ID_MOTIONPIXELS:maxpixels /= 256; break; case AV_CODEC_ID_MP4ALS: maxsamples /= 65536; break; case AV_CODEC_ID_MSRLE: maxpixels /= 16; break;
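Review bot: `(int)(off - avio_tell(pb))` narrows a 64-bit difference to `int` before it is compared, so a difference beyond INT_MAX wraps and can land on a value that satisfies `last_start >= last` while bearing no relation to the real offset; check the full-width value first: `int64_t rem = off - avio_tell(pb); if (rem < last || rem > INT_MAX) return AVERROR_INVALIDDATA;` and only then store it. The monotonicity check on `start` inside the loop is the right idea; whether `start` itself is read without the same narrowing is decided outside the hunk.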