Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int'
Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Previous version reviewed-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int'
Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The only use of that argument was for Opus downmixing which is very rare
and better done after the mdcts.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Fixes: runtime error: shift exponent 1073741824 is too large for 32-bit type 'int'
Fixes: 1654/clusterfuzz-testcase-minimized-5151903795118080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 1072/clusterfuzz-testcase-6456688074817536
Fixes: 1398/clusterfuzz-testcase-minimized-4576913622302720
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Apparently the demuxer outputs the wrong padding for HE-AAC (based on
the raw sample rate, or so). aacdec contains a hack to adjust the muxer
padding accordingly before it's used to trim the decoder output. This
modified the packet side data, which in combination with the old
decoding API would change the packet the user passed to the decoder.
This is clearly not allowed, and it breaks running some gapless fate
tests with "-fflags +keepside" applied (without keepside, the packet
metadata is typically newly allocated, essentially making a copy and not
modifying the user's input packet).
This should probably be fixed in the demuxer (and consequently also the
muxer), but for now only fix the immediate problem.
Regression since 946ed78f5f (2012).
Handles strides (needed for Opus transients), does pre-reindexing and folding
without needing a copy.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
A strict reading of the spec seems to imply that it should be aligned to
the start of the element instance tag, but that would break all of the
samples with PCEs.
It seems like a well formed LATM stream should have its PCE in the ASC
rather than inband.
Fixes ticket 4544
Fixes index out of bounds error
Fixes: aac_index_out_of_bounds.wmv
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
AAC-Fixed decoder segfaulted. This commit makes the aac encoder
and decoder init the table twice in case of transcoding again.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Since the ff_aac_tableinit() can be called by both the encoder and
the decoder (in case of transcoding) this commit shares the AVOnce
variable to prevent this.
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
This is similar to commit ec38a1b for aac_decode_frame_int.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
2nd channel makes sense only for CPE type.
Skip 2nd channel in preparation for resampler (in spectral_to _sample())
depending on block type.
Fixes fate failure with clang ftrapv.
Signed-off-by: Nedeljko Babic <nedeljko.babic@imgtec.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
There was fixed number of loops (2048) in preparation for resampler, so
when number of samples is smaller than this, there would be an overflow on
ret_buf.
For some reason this behavior popped out only under valgrind with
--disable-memory-poisoning option.
This is now fixed and number of loops depends on actual number of samples.
Signed-off-by: Nedeljko Babic <nedeljko.babic@rt-rk.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Move existing code to the new template files
Signed-off-by: Nedeljko Babic <nedeljko.babic@imgtec.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
The channel configuration can be delivered only by the PCE,
try to parse it first and not try to decode until a channel
configuration is set.
CC: libav-stable@libav.org
These are defined in ISO/IEC 14496-3:2009/PDAM 4 for 6.1 and 7.1.
It also defines another 7.1 layout with configuration 14, that one
is not added here for now.
11: 3/3.1 FC FL+FR BL+BR BC LFE
12: 3/2/2.1 FC FL+FR SiL+SiR BL+BR LFE
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
FDK AAC encoder outputs SCE(front)+CPE(front)+CPE(back)+CPE(back) on
MODE_7_1_REAR_SURROUND configuration.
Since decoder couldn't properly map 4 back channels, decoding failed
unless -request_channel_layout 0x8000000000000000 has been specified.
Now we treat first CPE(back) as CPE(side) on channel mapping.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
The decoder assigns channels using default channel configuration
for 5.1ch when it parses an ADTS frame header using consecutive
channel ids.
When a PCE comes, it reassigns channels using PCE configuration
using directly the ids provided. They can be arbitrary.
Always use consecutive channel ids to avoid decoding glitches due
spurious reconfigurations due the channel ids mismatch between the
two otherwise-identical channel maps.
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
got_frame_ptr is set again after the if block.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Since commit 676a395a aac->frame->data is not necessarily allocated at
the end of aac_decode_frame_int if avctx->channels is 0.
In this case a bogus frame without any data, but non-zero nb_samples is
returned.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
ac may be NULL and then accessing ac->avctx results in a segmentation fault.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit replaces the previous hardcoded constants with both new and previously
defined macros from aac.h. This change makes it easy for anyone reading the code
to know how encoding and decoding scalefactors works. It's also possibly
a step in unifying some of the code across both the encoder and decoder.
Reviewed-by: Claudio Freire <klaussfreire@gmail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Although the specification mandates this bit to zero, it may happen
that software tools incorrectly flip it to one, invalidating a possibly
valid stream.
Relax this restriction, by failing only when AV_EF_BITSTREAM is set.
This behaviour is similar to aac decoders in Firefox and Quicktime.
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>