[FFmpeg-cvslog] [ffmpeg] branch release/5.1 updated. ec95928189 avcodec/exr: Check rle_raw_data and surroundings
ffmpeg-git at ffmpeg.org
ffmpeg-git at ffmpeg.org
Thu Aug 14 02:07:58 EEST 2025
The branch, release/5.1 has been updated
via ec959281897aa29076f3083edbc2306357342d7c (commit)
via 2e97157566cc392fe8aa68809a3ffe11ac981737 (commit)
via 1080d0e3cded6d8e177c2ce8b6649bc238be2ff6 (commit)
via cbe4bc152f98e8139b3cb9590506e83987273d6e (commit)
via 09ba9f9c3542f58ccac3e2aae84335d77b9420f9 (commit)
via 2838f8f54c459deeafe015cc059e3ca9987f4cb6 (commit)
via 719e640c887124f048c832317f6ee0ef48b530fc (commit)
via fec904ab3b06026a955036cfc64b009e5462dee6 (commit)
via df24628a7cbc5134445712e28f2b45d13b7b2f0e (commit)
via 5ccc56161b7c52f94d229cf4d8795743c59b1d8f (commit)
via a4d35d1392ba98100a3fd3f669e33b8b393dbed2 (commit)
via 2b73793ac59ed5ccc589d93a6293151086243bb4 (commit)
via 27ff4caf5b2f795bd769930160dbeeda2fa073d7 (commit)
via 1f03c050e4e37f96968d1ffa4d720ed20810fdf6 (commit)
via eaf748ec88ada50d40ff533d9f2d9515b583b839 (commit)
via 20708b957e8d4d57801c0b7ac52131988b093a49 (commit)
via 63c07d87a9f4a8a783145640902f52f3f316b7f6 (commit)
via 9251abf87d4d65d5a70fa1b26d18c93a64b632d4 (commit)
via f481811ac8340b3099ca23b5ca41b91bcbf4ef8c (commit)
via 01925dde9caa8335ca32bfb7395baed8d6a3d28e (commit)
via 8bce773786229348fb28d52147c0a6c649f9f69e (commit)
via c08f721f58e8e8660ede6150bb7507d6b145839f (commit)
via 1f4a28e59ee1a2cb6a7f563b7d217f1b08d74cef (commit)
via 2b8878c353b0d1490bab8693d5ba5c40705f15a9 (commit)
from 25504277437bccd8853e478fbd6677ad54569e18 (commit)
- Log -----------------------------------------------------------------
commit ec959281897aa29076f3083edbc2306357342d7c
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 10:08:14 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:21:17 2025 +0200
avcodec/exr: Check rle_raw_data and surroundings
Fixes: out of array read
Fixes: BIGSLEEP-436510153/dwa_uncompress_read.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 0d9c003d76383e82b57b6d5aa33776709d0cda2c)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 4778aae0e0..c2210fea51 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -999,6 +999,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
const int dc_h = td->ysize >> 3;
GetByteContext gb, agb;
int skip, ret;
+ int have_rle = 0;
if (compressed_size <= 88)
return AVERROR_INVALIDDATA;
@@ -1023,6 +1024,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
)
return AVERROR_INVALIDDATA;
+ if ((uint64_t)rle_raw_size > INT_MAX) {
+ avpriv_request_sample(s->avctx, "Too big rle_raw_size");
+ return AVERROR_INVALIDDATA;
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
@@ -1093,6 +1099,9 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {
unsigned long dest_len = rle_usize;
+ if (2LL * td->xsize * td->ysize > rle_raw_size)
+ return AVERROR_INVALIDDATA;
+
av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);
if (!td->rle_data)
return AVERROR(ENOMEM);
@@ -1109,6 +1118,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
if (ret < 0)
return ret;
bytestream2_skip(&gb, rle_csize);
+
+ have_rle = 1;
}
bytestream2_init(&agb, td->ac_data, ac_count * 2);
@@ -1169,7 +1180,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
if (s->nb_channels < 4)
return 0;
- for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
+ for (int y = 0; y < td->ysize && have_rle; y++) {
uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
commit 2e97157566cc392fe8aa68809a3ffe11ac981737
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 12:25:55 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:34 2025 +0200
avcodec/dxv: Check that we initialize op_data
Fixes: 431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5339599339847680
Fixes: use of uninitialized memory
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 6a8c41dcacbba011e553fbf35518577321d1aadb)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 3365fcf08a..40788c5a69 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -474,7 +474,9 @@ static int dxv_decompress_opcodes(GetByteContext *gb, void *dstp, size_t op_size
if ((flag & 3) == 0) {
bytestream2_skip(gb, 1);
- bytestream2_get_buffer(gb, dstp, op_size);
+ int read_size = bytestream2_get_buffer(gb, dstp, op_size);
+ if (read_size != op_size)
+ return AVERROR_INVALIDDATA;
} else if ((flag & 3) == 1) {
bytestream2_skip(gb, 1);
memset(dstp, bytestream2_get_byte(gb), op_size);
commit 1080d0e3cded6d8e177c2ce8b6649bc238be2ff6
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 9 14:05:19 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:33 2025 +0200
avcodec/exr: Check for pixel type consistency in DWA
Fixes: out of array access
Fixes: BIGSLEEP-436511754/testcase.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 0469d68acb52081ca8385b844b9650398242be0f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 299b10eb42..4778aae0e0 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -2066,6 +2066,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
for (int i = 0; i < 4; i++)
s->channel_offsets[i] *= 2;
}
+ if (s->compression == EXR_DWAA ||
+ s->compression == EXR_DWAB) {
+ for (int i = 0; i<s->nb_channels; i++) {
+ EXRChannel *channel = &s->channels[i];
+ if (channel->pixel_type != s->pixel_type) {
+ avpriv_request_sample(s->avctx, "mixed pixel type DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+ }
+ }
switch (s->pixel_type) {
case EXR_FLOAT:
commit cbe4bc152f98e8139b3cb9590506e83987273d6e
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 17:15:51 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:33 2025 +0200
avcodec/libvorbisdec: avoid overflow when assinging sample rate from long to int
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_DEC_fuzzer-6096101407260672
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit 2287a19abbd80d25b411a3028969c55c4b0b8c88)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c
index 81c4ac1c02..7a8fa2a454 100644
--- a/libavcodec/libvorbisdec.c
+++ b/libavcodec/libvorbisdec.c
@@ -113,6 +113,12 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) {
}
}
+ if (context->vi.rate <= 0 || context->vi.rate > INT_MAX) {
+ av_log(avccontext, AV_LOG_ERROR, "vorbis rate is invalid\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
+
av_channel_layout_uninit(&avccontext->ch_layout);
avccontext->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC;
avccontext->ch_layout.nb_channels = context->vi.channels;
commit 09ba9f9c3542f58ccac3e2aae84335d77b9420f9
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 17:09:57 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:33 2025 +0200
avcodec/g726: init missing sample rate
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-5695764455292928
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit c2f7dae70d27a8f5ca1e3fa43d96ff5c8bf032fa)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/g726.c b/libavcodec/g726.c
index 3bf0da3949..3a9198f94e 100644
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -457,6 +457,8 @@ static av_cold int g726_decode_init(AVCodecContext *avctx)
g726_reset(c);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+ if (!avctx->sample_rate)
+ avctx->sample_rate = 8000;
return 0;
}
commit 2838f8f54c459deeafe015cc059e3ca9987f4cb6
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 16:49:17 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:32 2025 +0200
avformat/lrcdec: limit input timestamp range to avoid overflows
Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit c74bc74398e7a1e235fdf51d0dd2dfb942626c82)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 18dc955917..4a7fd80c68 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,7 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm;
+ uint32_t mm;
double ss;
char prefix[3];
@@ -87,8 +87,8 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
- if (ret != 3 || prefix[0] != '[') {
+ int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
*start = (mm * 60 + ss) * AV_TIME_BASE;
commit 719e640c887124f048c832317f6ee0ef48b530fc
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 23:19:03 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:32 2025 +0200
avcodec/scpr3: Clear clr
clr is passing into decode_run_p() its not used when not set
but this possibly triggers msan (it doesnt locally)
Fixes?: use of uninintialized memory
Fixes?: 436997807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-6253316466606080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 354226037646d44701f0f2a84749fb2ea303f043)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c
index 85524feafe..7e0c066bfa 100644
--- a/libavcodec/scpr3.c
+++ b/libavcodec/scpr3.c
@@ -1168,7 +1168,7 @@ static int decompress_p3(AVCodecContext *avctx,
}
} else {
int run, bx = x * 16 + sx1, by = y * 16 + sy1;
- uint32_t clr, ptype = 0, r, g, b;
+ uint32_t clr = 0, ptype = 0, r, g, b;
if (bx >= avctx->width)
return AVERROR_INVALIDDATA;
commit fec904ab3b06026a955036cfc64b009e5462dee6
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 15:03:56 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:32 2025 +0200
avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
Fixes: use of uninitialized memory
Fixes: 42538134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 9686fdd729a9caeeac0dc84dca2a65e4c9e5460b)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c
index 53e0021c73..54bf8fffec 100644
--- a/libavcodec/ilbcdec.c
+++ b/libavcodec/ilbcdec.c
@@ -672,6 +672,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector *
/* get vector */
memcpy(cbvec, mem + lMem - k, cbveclen * 2);
} else if (index < base_size) {
+ memset(cbvec, 0, cbveclen * 2);
/* Calculate lag */
@@ -698,6 +699,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector *
filter_mafq12(&mem[memIndTest + 4], cbvec, (int16_t *) kCbFiltersRev, CB_FILTERLEN, cbveclen);
} else {
+ memset(cbvec, 0, cbveclen * 2);
/* interpolated vectors */
/* Stuff zeros outside memory buffer */
memIndTest = lMem - cbveclen - CB_FILTERLEN;
commit df24628a7cbc5134445712e28f2b45d13b7b2f0e
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 9 11:38:07 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:31 2025 +0200
avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
Fixes: use of uninitialized memory
Fixes: 429130590/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-5736930522497024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit d6fe3786cd8c06437756d407f727ff01cf1774ff)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index a34bbc833a..4a5a0bd47d 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1291,6 +1291,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
bytestream2_get_bufferu(&s->g, cblk->data + cblk->length, cblk->lengthinc[cwsno]);
cblk->length += cblk->lengthinc[cwsno];
+ memset(cblk->data + cblk->length, 0, 4);
cblk->lengthinc[cwsno] = 0;
if (cblk->nb_terminationsinc) {
cblk->nb_terminationsinc--;
commit 5ccc56161b7c52f94d229cf4d8795743c59b1d8f
Author: Muhammad Faiz <mfcc64-at-gmail.com at ffmpeg.org>
AuthorDate: Thu Jul 3 20:47:58 2025 +0700
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:31 2025 +0200
avfilter/avf_showcqt: fix unbounded index when copying to fft_data
When timeclamp and/or fps are low, j can be negative.
Fix Ticket11640
(cherry picked from commit 35ea45835484b90490e7d1704ef99ccb7b775578)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavfilter/avf_showcqt.c b/libavfilter/avf_showcqt.c
index 33c482bd42..4163c2ee12 100644
--- a/libavfilter/avf_showcqt.c
+++ b/libavfilter/avf_showcqt.c
@@ -1516,7 +1516,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
i = insamples->nb_samples - remaining;
j = s->fft_len/2 + s->remaining_fill_max - s->remaining_fill;
if (remaining >= s->remaining_fill) {
- for (m = 0; m < s->remaining_fill; m++) {
+ for (m = FFMAX(0, -j); m < s->remaining_fill; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
@@ -1550,7 +1550,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
s->fft_data[m] = s->fft_data[m+step];
s->remaining_fill = step;
} else {
- for (m = 0; m < remaining; m++) {
+ for (m = FFMAX(0, -j); m < remaining; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
commit a4d35d1392ba98100a3fd3f669e33b8b393dbed2
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sun May 11 00:58:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:31 2025 +0200
avcodec/aacsbr_template: Check ilb
Fixes: index 50 out of bounds for type 'INTFLOAT [40][2]'
Fixes: 401661737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4866055713652736
Someone knowing AAC well should review this, there is likely a nicer fix
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 01a1b99fc2ccdf713abfa5203e36fbf5816e1b5f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index e3666b25d3..9b06e8376a 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -1430,6 +1430,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48], INTFLOAT X_high[64][40][2]
int ilb = ch_data->t_env[e] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
+ if (ilb >= 40)
+ return;
+
for (m = 0; m < sbr->m[1]; m++) {
AAC_FLOAT sum = sbr->dsp.sum_square(X_high[m+kx1] + ilb, iub - ilb);
#if USE_FIXED
@@ -1448,6 +1451,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48], INTFLOAT X_high[64][40][2]
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
const uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow;
+ if (ilb >= 40)
+ return;
+
for (p = 0; p < sbr->n[ch_data->bs_freq_res[e + 1]]; p++) {
#if USE_FIXED
SoftFloat sum = FLOAT_0;
commit 2b73793ac59ed5ccc589d93a6293151086243bb4
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 13:09:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:30 2025 +0200
avcodec/utvideodec: Set B for the width= 1 case
Fixes: use of uninitialized meory
Fixes: 428034093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-6195630160805888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 032dfe8584c4675f3253ebb5e333e834f55f7562)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 03ee8f0b10..29e9ef1e68 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -381,7 +381,7 @@ static void restore_median_planar(UtvideoContext *c, uint8_t *src, ptrdiff_t str
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */
B = bsrc[i - stride];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
commit 27ff4caf5b2f795bd769930160dbeeda2fa073d7
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 13:36:06 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:30 2025 +0200
avcodec/ffv1: Clear state on alloc
Fixes: use of uninitialized memory
Fixes: 428969823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-5909681623334912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 70fc46d185663dbea0995bf868d66b58b388119e)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 42fbcdcea3..d04baa8647 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -69,7 +69,7 @@ av_cold int ff_ffv1_init_slice_state(const FFV1Context *f, FFV1Context *fs)
if (fs->ac != AC_GOLOMB_RICE) {
if (!p->state)
- p->state = av_malloc_array(p->context_count, CONTEXT_SIZE *
+ p->state = av_calloc(p->context_count, CONTEXT_SIZE *
sizeof(uint8_t));
if (!p->state)
return AVERROR(ENOMEM);
commit 1f03c050e4e37f96968d1ffa4d720ed20810fdf6
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 5 23:42:23 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:30 2025 +0200
avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
Fixes: out of array access
Fixes: poc.jp2
Found-by: Andy Nguyen <theflow at google.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 01a292c7e36545ddeb3c7f79cd02e2611cd37d73)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 9586e2011c..a34bbc833a 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -357,6 +357,14 @@ static int get_siz(Jpeg2000DecoderContext *s)
}
// after here we no longer have to consider negative cdef
+ int cdef_used = 0;
+ for (i = 0; i < s->ncomponents; i++)
+ cdef_used |= 1<<s->cdef[i];
+
+ // Check that the channels we have are what we expect for the number of components
+ if (cdef_used != ((int[]){0,2,3,14,15})[s->ncomponents])
+ return AVERROR_INVALIDDATA;
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
@@ -369,7 +377,9 @@ static int get_siz(Jpeg2000DecoderContext *s)
av_log(s->avctx, AV_LOG_ERROR, "Invalid sample separation %d/%d\n", s->cdx[i], s->cdy[i]);
return AVERROR_INVALIDDATA;
}
- log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 + 2;
+ int i_remapped = s->cdef[i] ? s->cdef[i]-1 : (s->ncomponents-1);
+
+ log2_chroma_wh |= s->cdy[i] >> 1 << i_remapped * 4 | s->cdx[i] >> 1 << i_remapped * 4 + 2;
}
s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width);
commit eaf748ec88ada50d40ff533d9f2d9515b583b839
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 5 23:18:47 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 00:20:29 2025 +0200
avcodec/jpeg2000dec: move cdef default check into get_siz()
This way cdef is at its final value earlier
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 104d6846c1be0cb757dc95d5801a416f4d7c687d)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index a317040fc3..9586e2011c 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -346,6 +346,17 @@ static int get_siz(Jpeg2000DecoderContext *s)
return AVERROR_INVALIDDATA;
}
+ for (i = 0; i < s->ncomponents; i++) {
+ if (s->cdef[i] < 0) {
+ for (i = 0; i < s->ncomponents; i++) {
+ s->cdef[i] = i + 1;
+ }
+ if ((s->ncomponents & 1) == 0)
+ s->cdef[s->ncomponents-1] = 0;
+ }
+ }
+ // after here we no longer have to consider negative cdef
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
@@ -2539,17 +2550,6 @@ static int jpeg2000_decode_frame(AVCodecContext *avctx, AVFrame *picture,
if (ret = jpeg2000_read_bitstream_packets(s))
goto end;
- for (int x = 0; x < s->ncomponents; x++) {
- if (s->cdef[x] < 0) {
- for (x = 0; x < s->ncomponents; x++) {
- s->cdef[x] = x + 1;
- }
- if ((s->ncomponents & 1) == 0)
- s->cdef[s->ncomponents-1] = 0;
- break;
- }
- }
-
avctx->execute2(avctx, jpeg2000_decode_tile, picture, NULL, s->numXtiles * s->numYtiles);
jpeg2000_dec_cleanup(s);
commit 20708b957e8d4d57801c0b7ac52131988b093a49
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 10:35:15 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:50 2025 +0200
avcodec/exr: Dont access outside xsize/ysize
Fixes: out of array access
Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f45da79b2c336c5f8f3e563d72b8a22fecdcde0c)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 12db6d4236..299b10eb42 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1115,6 +1115,9 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
for (int y = 0; y < td->ysize; y += 8) {
for (int x = 0; x < td->xsize; x += 8) {
+ int bw = FFMIN(8, td->xsize - x);
+ int bh = FFMIN(8, td->ysize - y);
+
memset(td->block, 0, sizeof(td->block));
for (int j = 0; j < 3; j++) {
@@ -1144,8 +1147,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t *src, int compressed_size
float *ub = td->block[1];
float *vb = td->block[2];
- for (int yy = 0; yy < 8; yy++) {
- for (int xx = 0; xx < 8; xx++) {
+ for (int yy = 0; yy < bh; yy++) {
+ for (int xx = 0; xx < bw; xx++) {
const int idx = xx + yy * 8;
convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);
commit 63c07d87a9f4a8a783145640902f52f3f316b7f6
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Wed Aug 6 14:54:22 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:50 2025 +0200
examples: Add check and replace av_free() to avoid potential memory errors
Add check for the return value of av_packet_alloc() to avoid potential NULL pointer dereference.
Moreover, replace redundant av_free() with fprintf().
Fixes: 9a38184a14 ("examples/decode_audio: allocate the packet dynamically")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit c64cff64a22a59c0c02281ee9fd9d89963d14d16)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/doc/examples/decode_audio.c b/doc/examples/decode_audio.c
index 49ad22cba6..11d83745f0 100644
--- a/doc/examples/decode_audio.c
+++ b/doc/examples/decode_audio.c
@@ -127,6 +127,10 @@ int main(int argc, char **argv)
outfilename = argv[2];
pkt = av_packet_alloc();
+ if (!pkt) {
+ fprintf(stderr, "Could not allocate AVPacket\n");
+ exit(1); /* or proper cleanup and returning */
+ }
/* find the MPEG audio decoder */
codec = avcodec_find_decoder(AV_CODEC_ID_MP2);
@@ -160,7 +164,7 @@ int main(int argc, char **argv)
}
outfile = fopen(outfilename, "wb");
if (!outfile) {
- av_free(c);
+ fprintf(stderr, "Could not open %s\n", outfilename);
exit(1);
}
commit 9251abf87d4d65d5a70fa1b26d18c93a64b632d4
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Sun Aug 3 23:31:27 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:49 2025 +0200
libavcodec/tests/snowenc: Add av_free() to avoid memory leak
Add av_free() to free s.temp_dwt_buffer and s.temp_idwt_buffer at the end of the function to avoid memory leak.
Fixes: 5d48e4eafa ("Merge commit 'a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 446cfbfb7446208bd1592bbc0ac18ac744543563)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c
index 37198cd4e3..24868f76ce 100644
--- a/libavcodec/tests/snowenc.c
+++ b/libavcodec/tests/snowenc.c
@@ -44,7 +44,8 @@ int main(void){
if (!s.temp_dwt_buffer || !s.temp_idwt_buffer) {
fprintf(stderr, "Failed to allocate memory\n");
- return 1;
+ ret = 1;
+ goto end;
}
av_lfg_init(&prng, 1);
@@ -144,5 +145,9 @@ int main(void){
}
}
+
+end:
+ av_free(s.temp_dwt_buffer);
+ av_free(s.temp_idwt_buffer);
return ret;
}
commit f481811ac8340b3099ca23b5ca41b91bcbf4ef8c
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Tue Aug 5 19:31:15 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:49 2025 +0200
libavcodec/videotoolbox_vp9: Move av_malloc() to avoid memory leak
Move av_malloc() after the check for subsampling to avoid memory leak if subsampling < 0 and av_malloc() succeeds.
Fixes: a41a2efc85 ("lavc/videotoolbox: add VP9 hardware acceleration")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8b4e6ccb13f10752bc5c2a963478c7f3764a0cfe)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/videotoolbox_vp9.c b/libavcodec/videotoolbox_vp9.c
index 1b6d08f00b..343b285012 100644
--- a/libavcodec/videotoolbox_vp9.c
+++ b/libavcodec/videotoolbox_vp9.c
@@ -68,12 +68,12 @@ CFDataRef ff_videotoolbox_vpcc_extradata_create(AVCodecContext *avctx)
uint8_t *vt_extradata;
int subsampling = get_vpx_chroma_subsampling(avctx->sw_pix_fmt, avctx->chroma_sample_location);
- vt_extradata_size = 1 + 3 + 6 + 2;
- vt_extradata = av_malloc(vt_extradata_size);
-
if (subsampling < 0)
return NULL;
+ vt_extradata_size = 1 + 3 + 6 + 2;
+ vt_extradata = av_malloc(vt_extradata_size);
+
if (!vt_extradata)
return NULL;
commit 01925dde9caa8335ca32bfb7395baed8d6a3d28e
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Wed Aug 6 19:49:11 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:48 2025 +0200
avcodec/mpc8: init avctx->sample_rate
Fixes frame validation.
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5765557242888192
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit 09cb2d41d1862c2f9b3b66311ede28527d703700)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 9d084e1664..20493fae76 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -155,7 +155,13 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
init_get_bits(&gb, avctx->extradata, 16);
- skip_bits(&gb, 3);//sample rate
+ uint8_t sample_rate_idx = get_bits(&gb, 3);
+ static const int sample_rates[] = { 44100, 48000, 37800, 32000 };
+ if (sample_rate_idx >= FF_ARRAY_ELEMS(sample_rates)) {
+ av_log(avctx, AV_LOG_ERROR, "invalid sample rate index (%u)\n", sample_rate_idx);
+ return AVERROR_INVALIDDATA;
+ }
+ avctx->sample_rate = sample_rates[sample_rate_idx];
c->maxbands = get_bits(&gb, 5) + 1;
if (c->maxbands >= BANDS) {
av_log(avctx,AV_LOG_ERROR, "maxbands %d too high\n", c->maxbands);
commit 8bce773786229348fb28d52147c0a6c649f9f69e
Author: Kimapr <root at kimapr.net>
AuthorDate: Mon Jul 28 06:32:27 2025 +0500
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:48 2025 +0200
avformat/libopenmpt: fix seeking weirdness
- proper pts for packets. leaving it blank leaves it up for guessing,
but the guess doesn't take seeking into account, causing weirdness.
- clamp to 0 when seeking to negative ts. libopenmpt docs are unclear on
this but not doing this causes an immediate EOF when seeking backwards
to the beginning in mpv.
- only set song duration and packet pts when they are non-negative and
in int64 range. NaNs count as out of range. this isn't a fix for any
specific issue but might be helpful still, and shouldn't break
anything.
(cherry picked from commit ecef5f9e1fb70b38f3e325c8e613349344c97de4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c
index 3ca59f506f..25f59ee342 100644
--- a/libavformat/libopenmpt.c
+++ b/libavformat/libopenmpt.c
@@ -147,7 +147,8 @@ static int read_header_openmpt(AVFormatContext *s)
if (!st)
return AVERROR(ENOMEM);
avpriv_set_pts_info(st, 64, 1, AV_TIME_BASE);
- st->duration = llrint(openmpt->duration*AV_TIME_BASE);
+ if (openmpt->duration >= 0 && openmpt->duration < ((double)INT64_MAX + 1) / AV_TIME_BASE)
+ st->duration = llrint(openmpt->duration*AV_TIME_BASE);
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
st->codecpar->codec_id = AV_NE(AV_CODEC_ID_PCM_F32BE, AV_CODEC_ID_PCM_F32LE);
@@ -170,6 +171,8 @@ static int read_packet_openmpt(AVFormatContext *s, AVPacket *pkt)
if ((ret = av_new_packet(pkt, AUDIO_PKT_SIZE)) < 0)
return ret;
+ double pos = openmpt_module_get_position_seconds(openmpt->module);
+
switch (openmpt->ch_layout.nb_channels) {
case 1:
ret = openmpt_module_read_float_mono(openmpt->module, openmpt->sample_rate,
@@ -195,6 +198,9 @@ static int read_packet_openmpt(AVFormatContext *s, AVPacket *pkt)
pkt->size = ret * (openmpt->ch_layout.nb_channels * 4);
+ if (pos >= 0 && pos < ((double)INT64_MAX + 1) / AV_TIME_BASE)
+ pkt->pts = llrint(pos * AV_TIME_BASE);
+
return 0;
}
@@ -211,6 +217,8 @@ static int read_close_openmpt(AVFormatContext *s)
static int read_seek_openmpt(AVFormatContext *s, int stream_idx, int64_t ts, int flags)
{
OpenMPTContext *openmpt = s->priv_data;
+ if (ts < 0)
+ ts = 0;
openmpt_module_set_position_seconds(openmpt->module, (double)ts/AV_TIME_BASE);
return 0;
}
commit c08f721f58e8e8660ede6150bb7507d6b145839f
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 2 18:55:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:48 2025 +0200
avformat/hls: add cmfv/cmfa exceptions
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f3c3a6ecfb230c56a8ff9d219d79d5981b2aa4f3)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 357e56d30f..abc9173e5a 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -749,8 +749,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct
+ 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
// Youtube uses aac files with .ts extension
if(av_match_name("mp4", in_fmt->name) || av_match_name("aac", in_fmt->name)) {
- matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts")
- + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0);
+ matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa")
+ + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa") > 0);
}
} else if (!strcmp(in_fmt->name, "mpegts")) {
const char *str = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"
commit 1f4a28e59ee1a2cb6a7f563b7d217f1b08d74cef
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Wed Jul 23 20:04:53 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:47 2025 +0200
avformat/lrcdec: support arbitrary precision timestamp
Apparently files with milliseconds exist in the wild. And since it cost
nothing to support arbitrary number of digits, extend format to support
that.
Depending on number of digits, the time base of fractional part is
changing. Most LRCs use 2 digits and centiseconds base, but subs with 3
digits and miliseconds exist too.
Set internal time base to AV_TIME_BASE, which in parcitice allows to
hold microseconds with 6 digits. Totally artificial, but who knows maybe
someone wants that.
Fixes: #11677
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit bc3cc0a6af44adc63caf4e5097fcfebd7a7475b4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index fff39495f8..18dc955917 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,9 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm, ss, cs;
+ uint64_t mm;
+ double ss;
+ char prefix[3];
while(p[offset] == ' ' || p[offset] == '\t') {
offset++;
@@ -85,14 +87,14 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- if(sscanf(p, "[-%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) == 3) {
- /* Just in case negative pts, players may drop it but we won't. */
- *start = -(int64_t) (mm*60000 + ss*1000 + cs*10);
- } else if(sscanf(p, "[%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) == 3) {
- *start = mm*60000 + ss*1000 + cs*10;
- } else {
+ int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[') {
return 0;
}
+ *start = (mm * 60 + ss) * AV_TIME_BASE;
+ if (prefix[1] == '-') {
+ *start = - *start;
+ }
do {
offset++;
} while(p[offset] && p[offset-1] != ']');
@@ -163,7 +165,7 @@ static int lrc_read_header(AVFormatContext *s)
if(!st) {
return AVERROR(ENOMEM);
}
- avpriv_set_pts_info(st, 64, 1, 1000);
+ avpriv_set_pts_info(st, 64, 1, AV_TIME_BASE);
lrc->ts_offset = 0;
st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codecpar->codec_id = AV_CODEC_ID_TEXT;
commit 2b8878c353b0d1490bab8693d5ba5c40705f15a9
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Mon Aug 4 21:08:47 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Wed Aug 13 22:05:47 2025 +0200
avcodec/ffv1dec: Disable frame threading due to race condition
Slice threading remains available!
The race condition fix is in 8d5efc218245c3f0559f48837b3e63e2932525e0
and bcf08c11710cab5db8eb3d0774e1a93e322fb821
Backport of these is welcome
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 666e8f7985..1bb19d4b78 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -1105,7 +1105,6 @@ const FFCodec ff_ffv1_decoder = {
FF_CODEC_DECODE_CB(decode_frame),
.update_thread_context = ONLY_IF_THREADS_ENABLED(update_thread_context),
.p.capabilities = AV_CODEC_CAP_DR1 /*| AV_CODEC_CAP_DRAW_HORIZ_BAND*/ |
- AV_CODEC_CAP_FRAME_THREADS | AV_CODEC_CAP_SLICE_THREADS,
- .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP |
- FF_CODEC_CAP_ALLOCATE_PROGRESS,
+ AV_CODEC_CAP_SLICE_THREADS,
+ .caps_internal = FF_CODEC_CAP_INIT_THREADSAFE | FF_CODEC_CAP_INIT_CLEANUP,
};
-----------------------------------------------------------------------
Summary of changes:
doc/examples/decode_audio.c | 6 +++++-
libavcodec/aacsbr_template.c | 6 ++++++
libavcodec/dxv.c | 4 +++-
libavcodec/exr.c | 30 +++++++++++++++++++++++++++---
libavcodec/ffv1.c | 2 +-
libavcodec/ffv1dec.c | 5 ++---
libavcodec/g726.c | 2 ++
libavcodec/ilbcdec.c | 2 ++
libavcodec/jpeg2000dec.c | 35 +++++++++++++++++++++++------------
libavcodec/libvorbisdec.c | 6 ++++++
libavcodec/mpc8.c | 8 +++++++-
libavcodec/scpr3.c | 2 +-
libavcodec/tests/snowenc.c | 7 ++++++-
libavcodec/utvideodec.c | 2 +-
libavcodec/videotoolbox_vp9.c | 6 +++---
libavfilter/avf_showcqt.c | 4 ++--
libavformat/hls.c | 4 ++--
libavformat/libopenmpt.c | 10 +++++++++-
libavformat/lrcdec.c | 18 ++++++++++--------
19 files changed, 118 insertions(+), 41 deletions(-)
hooks/post-receive
--
More information about the ffmpeg-cvslog
mailing list