Fixes: Use after free
Fixes: 47399/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLASHSV2_fuzzer-5718646686613504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This packet may not be writable, hence we must not write to it.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
These packets need not be writable, so we must not modify them.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
A decoder's input packet need not be writable, so we must not modify
the data.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
davs2_decoder_close doesn't free those on the fly frames which
don't get output yet. It's a design bug, but easy to workaround.
Before the patch:
Direct leak of 1198606 byte(s) in 2 object(s) allocated from:
#0 0x563af5e1e5f0 in malloc (ffmpeg+0x6675f0)
#1 0x563af9765ef3 in davs2_malloc davs2/source/common/common.h:1240
#2 0x563af9765ef3 in davs2_alloc_picture davs2/source/common/header.cc:815
Indirect leak of 3595818 byte(s) in 6 object(s) allocated from:
#0 0x563af5e1e5f0 in malloc (ffmpeg+0x6675f0)
#1 0x563af9765ef3 in davs2_malloc davs2/source/common/common.h:1240
#2 0x563af9765ef3 in davs2_alloc_picture davs2/source/common/header.cc:815
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
Fixes: out of array access
Fixes: 48145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5054524173189120
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array access
Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int'
Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
It results in undefined behaviour. Instead initialize the mutexes
and condition variables once during init (and check these
initializations).
Also combine the corresponding mutex and condition variable
into one structure so that one can allocate their array
jointly.
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Required by MP4's AC3SpecificBox and MPEG-TS AC-3 audio_descriptor,
of which the former is implemented in our MP4 writer.
Signed-off-by: Jan Ekström <jan.ekstrom@24i.com>
This function is only called from the decoder's init function
and given that this decoder has FF_CODEC_CAP_INIT_CLEANUP set,
hevc_decode_free() is called automatically (currently it would
be called twice with the second call being redundant).
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
All contexts are always initialized during init, regardless
of whether frame threading is in use or not.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
avcodec_thread_init() has been removed in
9a79bb552a.
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
- ff_pix_abs16_neon
- ff_pix_abs16_xy2_neon
In direct micro benchmarks of these ff functions verses their C implementations,
these functions performed as follows on AWS Graviton 3.
ff_pix_abs16_neon:
pix_abs_0_0_c: 141.1
pix_abs_0_0_neon: 19.6
ff_pix_abs16_xy2_neon:
pix_abs_0_3_c: 269.1
pix_abs_0_3_neon: 39.3
Tested with:
./tests/checkasm/checkasm --test=motion --bench --disable-linux-perf
Signed-off-by: Jonathan Swinney <jswinney@amazon.com>
Signed-off-by: Martin Storsjö <martin@martin.st>
Currently the format listing misses the J formats completely, yet
they are marked as supported in the encoder. Thus to make the logic
support them while not explicitly listing them, make the logic
utilize chroma subsampling information in both width and height
available through the pixel format descriptor.
Enable dynamic QP configuration in runtime on qsv encoder. Through
AVFrame->metadata, we can set key "qsv_config_qp" to change QP
configuration when we encode video in CQP mode.
Signed-off-by: Yue Heng <yue.heng@intel.com>
Signed-off-by: Wenbin Chen <wenbin.chen@intel.com>
Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>
Change the default value of "bf" for hevc_qsv to -1. 8 isn't the best
choice so let MSDK to decide the number of b frames.
Signed-off-by: Wenbin Chen <wenbin.chen@intel.com>
Signed-off-by: Haihao Xiang <haihao.xiang@intel.com>
cuvidParseVideoData only supports pure OBUs, it reports an unknown
error with AV1CodecConfigurationRecord. Check whether extradata
is AV1CodecConfigurationRecord and skip the first 4 bytes to fix
the issue.
The bug is revealed in ffmpeg cmd since 45e3b6a68 and ffd1316e.
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
This adds the exact bits per sample for DFPWM to
av_get_exact_bits_per_sample.
Previously, the DTS and PTS were set to 0 because the codec never
reported them, but adding this allows libavformat to automatically
set DTS and PTS from the byte position of the stream.
Signed-off-by: Jack Bruienne <jackbruienne@gmail.com>
Forgotten in 4011a76494.
The reason for this is that these functtions are marked
as av_always_inline and GCC does not emit warnings
if such functions are unused, so this went unnoticed.
Yet Clang does, so this commit removes them.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Whether an ICC profile is present or not, the libjxl
encoder wrapper should now properly read colorspace tags
and forward them to libjxl appropriately, rather than just
assume sRGB as before. It will also print warnings when
colorimetric assumptions are made about the input data.
Reviewed-by: Niklas Haas <git@haasn.dev>
Signed-off-by: Leo Izen <leo.izen@gmail.com>
Whether an ICC profile is present or not, the decoder
should now properly tag the colorspace of pixel data
received by the decoder.
Reviewed-by: Niklas Haas <git@haasn.dev>
Signed-off-by: Leo Izen <leo.izen@gmail.com>
Support for VDPAU accelerated AV1 decoding was added with libvdpau-1.5.
Support for the same in ffmpeg is added with this patch. Profiles
related to VDPAU AV1 can be found in latest vdpau.h present in
libvdpau-1.5.
Add AV1 VDPAU to list of hwaccels and supported formats
Added file vdpau_av1.c and Modified configure to add VDPAU AV1 support.
Mapped AV1 profiles to VDPAU AV1 profiles. Populated the codec specific
params that need to be passed to VDPAU.
Signed-off-by: Philip Langdale <philipl@overt.org>
It will be used by the Matroska muxer to reserve a certain number
of bytes for the CodecPrivate in case no extradata is initially
available (as it is for the libaom-av1 encoder).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The intention behind the current check seems to be to check for
the rbsp_trailing_bits() syntax structure which is always 0x80
for valid SEI messages. Yet this is wrong: These trailing bits
are not part of the GetBitContext -- they have already been
stripped in ff_h2645_packet_split(). And it is harmful, as
0x80 is a legal SEI message payload type (namely for
Structure of pictures information SEI messages). We ignore this
type of SEI, but because of this bug we also ignored every
SEI message in the same NALU following it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
It does not exist for NALUs for which the SODB is empty;
it also does not exist for NALUs for which not even
the complete header is present. The former category contains
end of sequence and end of bitstream units. The latter category
consists of one-byte HEVC units (the ordinary H.264 header is only
one byte long).
This commit therefore stops stripping RBSP trailing padding
from the former type of unit and discards the latter type of unit
altogether.
This also fixes an assertion failure: Before this commit, a one-byte
HEVC NALU from an ISOBMFF packet could pass all the checks in
hevc_parse_nal_header() (because the first byte of the size field
of the next unit is mistaken as containing the temporal_id);
yet because the trailing padding bits were stripped, its actually
had a size of less than eight bits; because h2645_parse.c uses
the checked bitstream reader, the get_bits_count() of the GetBitContext
is not 16 in this case; it is not even a multiple of eight
and this can trigger an assert in ff_hevc_decode_nal_sei().
Fixes: Assertion failure
Fixes: 46662/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4947860854013952
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Michael Niedermayer
Paul B Mahol
Timo Rothenpieler
Anton Khirnov
Andreas Rheinhardt
Zhao Zhili
Wujian(Chin)
Jan Ekström
Swinney, Jonathan
Jan Ekström
Yue Heng
Wenbin Chen
Zhao Zhili
Jack Bruienne
Leo Izen
ManojGuptaBonda