zmbvenc allocates a buffer for a picture with padding on all four sides:
The stride is choosen so large that it already contains padding on the
right; the height also includes padding rows. The padding on the right
of each row is also reused as padding for the left of the next row. So
one still needs to add padding on the left for the first row. This is done
by offsetting the actual pointer used to access the picture from the
pointer returned by av_mallocz and the formula for this offset was
wrong, because it ignored that a pixel can take more than one byte when
calculating the offset resulting from the left padding of the first row.
This fixes accesses outside of the allocated buffer that were reported
in tickets #7980 and #7994. No writes were ever attempted outside of
the buffer.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
do_streamcopy() has a packet that gets zero-initialized first, then gets
initialized via av_init_packet() after which some of its fields are
oerwritten again with the actually desired values (unless it's EOF): The
side data is copied into the packet with av_copy_packet_side_data() and
if the source packet is refcounted, the packet will get a new reference
to the source packet's data. Furthermore, the flags are copied and the
timestamp related fields are overwritten with new values.
This commit replaces this by using av_packet_ref() to both initialize
the packet as well as populate its fields with the right values (unless
it's EOF again in which case the packet will still be initialized). The
differences to the current approach are as follows:
a) There is no call to a deprecated function (av_copy_packet_side_data())
any more.
b) Several fields that weren't copied before are now copied from the source
packet to the new packet (e.g. pos). Some of them (the timestamp related
fields) may be immediately overwritten again and some don't seem to be
used at all (e.g. pos), but in return using av_packet_ref() allows to forgo
the initializations.
c) There was no check for whether copying side data fails or not. This
has been changed: Now the program is exited in this case.
Using av_packet_ref() does not lead to unnecessary copying of data,
because the source packets are already always refcounted (they originate
from av_read_frame()).
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Not only the first, but each latest chunk must be cached to allow
seekback after finding the mime boundary.
Fixes trac #5023 and #5921.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
According to RFC1341, the multipart boundary indicated by the
Content-Type header must be prepended by CRLF + "--", and followed
by CRLF. In the case of strict MIME header boundary handling, the
"--" was forgotten to add.
Fixes trac #7921.
A side effect is that this coincidentally breaks enforcement of
strict MIME headers against servers running motion < 3.4.1, where
the boundary announcement in the HTTP headers incorrectly used the
prefix "--", which exactly matched this bug's behavior.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The string matching function's return value was evaluated incorrectly.
Fixes trac #7920.
Signed-off-by: Moritz Barsnick <barsnick@gmx.net>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Also propagate proper AVERROR codes while at it.
Fixes ticket #8230.
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: memleaks
Fixes: 18023/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5642535011090432
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: shift exponent -2 is negative
Fixes: 17736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F16LE_fuzzer-5742815929171968
Fixes: 17998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PCM_F24LE_fuzzer-5716980383875072
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
when the area outside of the frame, then use expr should
give user warning message and auto set to the area inside of the frame.
Signed-off-by: Steven Liu <lq@chinaffmpeg.org>
Enabled one thread per plane, used the test command for 1080P video
(YUV420P format) as follow:
ffmpeg -i 1080p.mp4 -an -vf hqdn3d -f null /dev/nul
This optimization improved the performance about 30% in 1080P YUV420P
case (from 110fps to 143fps), also pass the framemd5 check and FATE.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Reviewed-by: Moritz Barsnick <barsnick@gmx.net>
Signed-off-by: Jun Zhao <barryjzhao@tencent.com>
GPU copy enables or disables GPU accelerated copying between video
and system memory. This may lead to a notable performance improvement.
Memory must be sequent and aligned with 128x64.
CMD:
ffmpeg -init_hw_device qsv=hw -filter_hw_device hw -c:v h264_qsv
-gpu_copy on -i input.h264 -f null -
or:
ffmpeg -c:v h264_qsv -gpu_copy on -i input.h264 -f null -
Signed-off-by: Linjie Fu <linjie.fu@intel.com>
Signed-off-by: ChaoX A Liu <chaox.a.liu@intel.com>
Signed-off-by: Zhong Li <zhong.li@intel.com>
There is no change in the encoded bitstream, but this
ensures that the written field length is consistent
with the reference implementation.
Unused bytes are zeroed out for backwards compatibility.
Signed-off-by: Raphaël Zumer <rzumer@tebako.net>
the data_start is after reading 12 bytes and if its subtracted
at the very end the intermediate might overflow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This seeks to the position the previous call to dxv_decompress_opcodes()
positioned us in case of success
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Andreas Rheinhardt
Michael Niedermayer
Moritz Barsnick
Paul B Mahol
James Almer
OvchinnikovDmitrii
Limin Wang
Steven Liu
Jun Zhao
Linjie Fu
Zhong Li
Raphaël Zumer
Zhao Zhili