[FFmpeg-cvslog] [ffmpeg] branch release/6.1 updated. 979df1c813 Changelog:update
ffmpeg-git at ffmpeg.org
ffmpeg-git at ffmpeg.org
Thu Aug 14 14:47:35 EEST 2025
The branch, release/6.1 has been updated
via 979df1c813fbb3a7ac5e2806eb85c7afa4291891 (commit)
via 6250ed77a6fb5bb089e533e30985d197e8323dcf (commit)
via f978c37eabb64facb21d9016b7d8b4006b377520 (commit)
via a2e8dc01c0a50d2ec8c85d836bda8eaef6891e50 (commit)
via 2f1fc996ec51a3170a7f061ed778d29f101bdeea (commit)
via 8b90fb40e99b47c0bbaecd183f292139b25b1a7c (commit)
via a991df7c1eea1cf0332e894de907a5e49c9bff34 (commit)
via 9c7c34c92f4b72b1ef50507724e901310403a34e (commit)
via 164915184fa841a556526bc3f7970ab8d89e9b40 (commit)
via 435b00a7cce404e9f095d370e4540597670649d0 (commit)
via 8577a6b2fef4bb13b5ebdb7bfa049d0e47ac28f1 (commit)
via 9b9b22993f32e866682033ea8e75875bf8e34144 (commit)
via c7bc9e14f2455947c29062f1088ffdc074e0eaec (commit)
via 25f6058e4f0373750c08d513f4eb13954c1db6e3 (commit)
via 465026b37d13ede7000b277cfe3ad887f6ddd4e6 (commit)
via 4f845aaf7d26262e9aa93f6917ce595fcc1c1eb4 (commit)
via be682029ae18b80fa9b27f0715ca77323409379c (commit)
via fa543b33f63478090137d124c20ff97f76251254 (commit)
via 63c4658e629a9dda63ff06392200baa67800e0cf (commit)
via 8efb352a85823837d0a82b61ce1518c13f2042b1 (commit)
via 00b5af29a4203a31574c11b3df892d78d5d862ec (commit)
via bbac13c54a9e33eeca83a5da9beecbec253133ed (commit)
via 7af8307c40bbc0481d5720fecc60fe190714f6a3 (commit)
via f515a3ed0251050e57e46a938939278168dd5d51 (commit)
via 3d86f5e251cf10692da3048a21325b11c355afd0 (commit)
via 5deafdfb648cb91698395fa59ec4d88029102e3f (commit)
via 02b6fa099f31d554cbd062f2315d7366677fffca (commit)
via 4014ff00f9a1cf5ac1b43dbb2502d10bd82c14c0 (commit)
from 845c5e71fa37aaf76e50a240a95e7af40ef45242 (commit)
- Log -----------------------------------------------------------------
commit 979df1c813fbb3a7ac5e2806eb85c7afa4291891
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Thu Aug 14 12:31:14 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 12:31:14 2025 +0200
Changelog:update
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/Changelog b/Changelog
index 7ad903a815..458986d2f7 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,35 @@ Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
version 6.1.3:
+ libavfilter/dnn/dnn_backend_tf: Remove redundant av_freep() to avoid double free
+ avcodec/dxv: Check that we initialize op_data
+ avcodec/exr: Check for pixel type consistency in DWA
+ avcodec/libvorbisdec: avoid overflow when assinging sample rate from long to int
+ avcodec/g726: init missing sample rate
+ avformat/lrcdec: limit input timestamp range to avoid overflows
+ avcodec/scpr3: Clear clr
+ avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
+ avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
+ avfilter/avf_showcqt: fix unbounded index when copying to fft_data
+ avcodec/aacsbr_template: Check ilb
+ avcodec/utvideodec: Set B for the width= 1 case
+ avcodec/ffv1: Clear state on alloc
+ avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
+ avcodec/jpeg2000dec: move cdef default check into get_siz()
+ avcodec/exr: Check rle_raw_data and surroundings
+ avcodec/exr: Dont access outside xsize/ysize
+ examples: Add check and replace av_free() to avoid potential memory errors
+ libavcodec/tests/snowenc: Add av_free() to avoid memory leak
+ libavfilter/af_firequalizer: Add check for av_malloc_array()
+ libavcodec/videotoolbox_vp9: Move av_malloc() to avoid memory leak
+ avcodec/mpc8: init avctx->sample_rate
+ avcodec/cbs_h266_syntax_template: fix out of bounds access
+ avformat/libopenmpt: fix seeking weirdness
+ avformat/hls: add cmfv/cmfa exceptions
+ avformat/lrcdec: support arbitrary precision timestamp
+ avcodec/ffv1dec: Disable frame threading due to race condition
+ (origin/release/6.1, fforge/release/6.1) swscale/swscale_unscaled: use 8 line alignment for planarCopyWrapper with dithering
+ Update for 6.1.3
libavcodec/tests/motion: Add check for avcodec_alloc_context3()
avcodec/tests/avpacket: Add av_free() to avoid memory leak
examples: Add av_freep to avoid potential memory leak
commit 6250ed77a6fb5bb089e533e30985d197e8323dcf
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Thu Aug 7 14:50:10 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:52 2025 +0200
libavfilter/dnn/dnn_backend_tf: Remove redundant av_freep() to avoid double free
Remove redundant av_freep() to avoid double free since task will be freed in dnn_free_model_tf() after the success of ff_queue_push_back().
Fixes: af052f9066 ("lavfi/dnn: fix mem leak in TF backend error handle")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
(cherry picked from commit b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavfilter/dnn/dnn_backend_tf.c b/libavfilter/dnn/dnn_backend_tf.c
index 25046b58d9..957d8d6c84 100644
--- a/libavfilter/dnn/dnn_backend_tf.c
+++ b/libavfilter/dnn/dnn_backend_tf.c
@@ -853,14 +853,12 @@ static int dnn_execute_model_tf(const DNNModel *model, DNNExecBaseParams *exec_p
ret = extract_lltask_from_task(task, tf_model->lltask_queue);
if (ret != 0) {
- av_freep(&task);
av_log(ctx, AV_LOG_ERROR, "unable to extract last level task from task.\n");
return ret;
}
request = ff_safe_queue_pop_front(tf_model->request_queue);
if (!request) {
- av_freep(&task);
av_log(ctx, AV_LOG_ERROR, "unable to get infer request.\n");
return AVERROR(EINVAL);
}
commit f978c37eabb64facb21d9016b7d8b4006b377520
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 12:25:55 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:52 2025 +0200
avcodec/dxv: Check that we initialize op_data
Fixes: 431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5339599339847680
Fixes: use of uninitialized memory
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 6a8c41dcacbba011e553fbf35518577321d1aadb)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 089cf78d53..0b53d0b909 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -474,7 +474,9 @@ static int dxv_decompress_opcodes(GetByteContext *gb, void *dstp, size_t op_size
if ((flag & 3) == 0) {
bytestream2_skip(gb, 1);
- bytestream2_get_buffer(gb, dstp, op_size);
+ int read_size = bytestream2_get_buffer(gb, dstp, op_size);
+ if (read_size != op_size)
+ return AVERROR_INVALIDDATA;
} else if ((flag & 3) == 1) {
bytestream2_skip(gb, 1);
memset(dstp, bytestream2_get_byte(gb), op_size);
commit a2e8dc01c0a50d2ec8c85d836bda8eaef6891e50
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 9 14:05:19 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:51 2025 +0200
avcodec/exr: Check for pixel type consistency in DWA
Fixes: out of array access
Fixes: BIGSLEEP-436511754/testcase.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 0469d68acb52081ca8385b844b9650398242be0f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 874f5bbb73..8862d1274c 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -2064,6 +2064,16 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture,
for (int i = 0; i < 4; i++)
s->channel_offsets[i] *= 2;
}
+ if (s->compression == EXR_DWAA ||
+ s->compression == EXR_DWAB) {
+ for (int i = 0; i<s->nb_channels; i++) {
+ EXRChannel *channel = &s->channels[i];
+ if (channel->pixel_type != s->pixel_type) {
+ avpriv_request_sample(s->avctx, "mixed pixel type DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+ }
+ }
switch (s->pixel_type) {
case EXR_FLOAT:
commit 2f1fc996ec51a3170a7f061ed778d29f101bdeea
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 17:15:51 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:51 2025 +0200
avcodec/libvorbisdec: avoid overflow when assinging sample rate from long to int
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_DEC_fuzzer-6096101407260672
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit 2287a19abbd80d25b411a3028969c55c4b0b8c88)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c
index a5e7a691d6..eb80ecf67d 100644
--- a/libavcodec/libvorbisdec.c
+++ b/libavcodec/libvorbisdec.c
@@ -113,6 +113,12 @@ static int oggvorbis_decode_init(AVCodecContext *avccontext) {
}
}
+ if (context->vi.rate <= 0 || context->vi.rate > INT_MAX) {
+ av_log(avccontext, AV_LOG_ERROR, "vorbis rate is invalid\n");
+ ret = AVERROR_INVALIDDATA;
+ goto error;
+ }
+
av_channel_layout_uninit(&avccontext->ch_layout);
avccontext->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC;
avccontext->ch_layout.nb_channels = context->vi.channels;
commit 8b90fb40e99b47c0bbaecd183f292139b25b1a7c
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 17:09:57 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:51 2025 +0200
avcodec/g726: init missing sample rate
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-5695764455292928
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit c2f7dae70d27a8f5ca1e3fa43d96ff5c8bf032fa)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/g726.c b/libavcodec/g726.c
index 6c5638760d..0e0b2531c0 100644
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -457,6 +457,8 @@ static av_cold int g726_decode_init(AVCodecContext *avctx)
g726_reset(c);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+ if (!avctx->sample_rate)
+ avctx->sample_rate = 8000;
return 0;
}
commit a991df7c1eea1cf0332e894de907a5e49c9bff34
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Sat Aug 9 16:49:17 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:50 2025 +0200
avformat/lrcdec: limit input timestamp range to avoid overflows
Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit c74bc74398e7a1e235fdf51d0dd2dfb942626c82)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index e4e13f57a8..0c10632993 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,7 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm;
+ uint32_t mm;
double ss;
char prefix[3];
@@ -87,8 +87,8 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
- if (ret != 3 || prefix[0] != '[') {
+ int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
*start = (mm * 60 + ss) * AV_TIME_BASE;
commit 9c7c34c92f4b72b1ef50507724e901310403a34e
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 23:19:03 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:50 2025 +0200
avcodec/scpr3: Clear clr
clr is passing into decode_run_p() its not used when not set
but this possibly triggers msan (it doesnt locally)
Fixes?: use of uninintialized memory
Fixes?: 436997807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-6253316466606080
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 354226037646d44701f0f2a84749fb2ea303f043)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c
index e91c198308..369d2653c2 100644
--- a/libavcodec/scpr3.c
+++ b/libavcodec/scpr3.c
@@ -1167,7 +1167,7 @@ static int decompress_p3(AVCodecContext *avctx,
}
} else {
int run, bx = x * 16 + sx1, by = y * 16 + sy1;
- uint32_t clr, ptype = 0, r, g, b;
+ uint32_t clr = 0, ptype = 0, r, g, b;
if (bx >= avctx->width)
return AVERROR_INVALIDDATA;
commit 164915184fa841a556526bc3f7970ab8d89e9b40
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Fri Aug 8 15:03:56 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:50 2025 +0200
avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
Fixes: use of uninitialized memory
Fixes: 42538134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 9686fdd729a9caeeac0dc84dca2a65e4c9e5460b)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c
index 7fea39b43c..81b9a49f43 100644
--- a/libavcodec/ilbcdec.c
+++ b/libavcodec/ilbcdec.c
@@ -675,6 +675,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector *
/* get vector */
memcpy(cbvec, mem + lMem - k, cbveclen * 2);
} else if (index < base_size) {
+ memset(cbvec, 0, cbveclen * 2);
/* Calculate lag */
@@ -701,6 +702,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector *
filter_mafq12(&mem[memIndTest + 4], cbvec, kCbFiltersRev, CB_FILTERLEN, cbveclen);
} else {
+ memset(cbvec, 0, cbveclen * 2);
/* interpolated vectors */
/* Stuff zeros outside memory buffer */
memIndTest = lMem - cbveclen - CB_FILTERLEN;
commit 435b00a7cce404e9f095d370e4540597670649d0
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 9 11:38:07 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:49 2025 +0200
avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
Fixes: use of uninitialized memory
Fixes: 429130590/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-5736930522497024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit d6fe3786cd8c06437756d407f727ff01cf1774ff)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 2ec36c4009..5aed129bed 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1231,6 +1231,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext *s, Jpeg2000Tile *tile,
bytestream2_get_bufferu(&s->g, cblk->data + cblk->length, cblk->lengthinc[cwsno]);
cblk->length += cblk->lengthinc[cwsno];
+ memset(cblk->data + cblk->length, 0, 4);
cblk->lengthinc[cwsno] = 0;
if (cblk->nb_terminationsinc) {
cblk->nb_terminationsinc--;
commit 8577a6b2fef4bb13b5ebdb7bfa049d0e47ac28f1
Author: Muhammad Faiz <mfcc64-at-gmail.com at ffmpeg.org>
AuthorDate: Thu Jul 3 20:47:58 2025 +0700
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:49 2025 +0200
avfilter/avf_showcqt: fix unbounded index when copying to fft_data
When timeclamp and/or fps are low, j can be negative.
Fix Ticket11640
(cherry picked from commit 35ea45835484b90490e7d1704ef99ccb7b775578)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavfilter/avf_showcqt.c b/libavfilter/avf_showcqt.c
index a7b6e5bcf5..86e4534848 100644
--- a/libavfilter/avf_showcqt.c
+++ b/libavfilter/avf_showcqt.c
@@ -1519,7 +1519,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
i = insamples->nb_samples - remaining;
j = s->fft_len/2 + s->remaining_fill_max - s->remaining_fill;
if (remaining >= s->remaining_fill) {
- for (m = 0; m < s->remaining_fill; m++) {
+ for (m = FFMAX(0, -j); m < s->remaining_fill; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
@@ -1548,7 +1548,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
s->fft_data[m] = s->fft_data[m+step];
s->remaining_fill = step;
} else {
- for (m = 0; m < remaining; m++) {
+ for (m = FFMAX(0, -j); m < remaining; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
commit 9b9b22993f32e866682033ea8e75875bf8e34144
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sun May 11 00:58:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:49 2025 +0200
avcodec/aacsbr_template: Check ilb
Fixes: index 50 out of bounds for type 'INTFLOAT [40][2]'
Fixes: 401661737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4866055713652736
Someone knowing AAC well should review this, there is likely a nicer fix
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 01a1b99fc2ccdf713abfa5203e36fbf5816e1b5f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index 5b96fbb234..3e3fbeac7f 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -1453,6 +1453,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48], INTFLOAT X_high[64][40][2]
int ilb = ch_data->t_env[e] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
+ if (ilb >= 40)
+ return;
+
for (m = 0; m < sbr->m[1]; m++) {
AAC_FLOAT sum = sbr->dsp.sum_square(X_high[m+kx1] + ilb, iub - ilb);
#if USE_FIXED
@@ -1471,6 +1474,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48], INTFLOAT X_high[64][40][2]
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
const uint16_t *table = ch_data->bs_freq_res[e + 1] ? sbr->f_tablehigh : sbr->f_tablelow;
+ if (ilb >= 40)
+ return;
+
for (p = 0; p < sbr->n[ch_data->bs_freq_res[e + 1]]; p++) {
#if USE_FIXED
SoftFloat sum = FLOAT_0;
commit c7bc9e14f2455947c29062f1088ffdc074e0eaec
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 13:09:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:48 2025 +0200
avcodec/utvideodec: Set B for the width= 1 case
Fixes: use of uninitialized meory
Fixes: 428034093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-6195630160805888
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 032dfe8584c4675f3253ebb5e333e834f55f7562)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index ce5d00f7af..a5e28bde8a 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -401,7 +401,7 @@ static void restore_median_planar(UtvideoContext *c, uint8_t *src, ptrdiff_t str
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */
B = bsrc[i - stride];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
commit 25f6058e4f0373750c08d513f4eb13954c1db6e3
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 13:36:06 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:48 2025 +0200
avcodec/ffv1: Clear state on alloc
Fixes: use of uninitialized memory
Fixes: 428969823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-5909681623334912
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 70fc46d185663dbea0995bf868d66b58b388119e)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 2660cae208..2688ad403d 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -64,7 +64,7 @@ av_cold int ff_ffv1_init_slice_state(const FFV1Context *f, FFV1Context *fs)
if (fs->ac != AC_GOLOMB_RICE) {
if (!p->state)
- p->state = av_malloc_array(p->context_count, CONTEXT_SIZE *
+ p->state = av_calloc(p->context_count, CONTEXT_SIZE *
sizeof(uint8_t));
if (!p->state)
return AVERROR(ENOMEM);
commit 465026b37d13ede7000b277cfe3ad887f6ddd4e6
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 5 23:42:23 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:48 2025 +0200
avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
Fixes: out of array access
Fixes: poc.jp2
Found-by: Andy Nguyen <theflow at google.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 01a292c7e36545ddeb3c7f79cd02e2611cd37d73)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index f7c3276925..2ec36c4009 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -272,6 +272,14 @@ static int get_siz(Jpeg2000DecoderContext *s)
}
// after here we no longer have to consider negative cdef
+ int cdef_used = 0;
+ for (i = 0; i < s->ncomponents; i++)
+ cdef_used |= 1<<s->cdef[i];
+
+ // Check that the channels we have are what we expect for the number of components
+ if (cdef_used != ((int[]){0,2,3,14,15})[s->ncomponents])
+ return AVERROR_INVALIDDATA;
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
@@ -284,7 +292,9 @@ static int get_siz(Jpeg2000DecoderContext *s)
av_log(s->avctx, AV_LOG_ERROR, "Invalid sample separation %d/%d\n", s->cdx[i], s->cdy[i]);
return AVERROR_INVALIDDATA;
}
- log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 + 2;
+ int i_remapped = s->cdef[i] ? s->cdef[i]-1 : (s->ncomponents-1);
+
+ log2_chroma_wh |= s->cdy[i] >> 1 << i_remapped * 4 | s->cdx[i] >> 1 << i_remapped * 4 + 2;
}
s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width);
commit 4f845aaf7d26262e9aa93f6917ce595fcc1c1eb4
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Tue Aug 5 23:18:47 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:47 2025 +0200
avcodec/jpeg2000dec: move cdef default check into get_siz()
This way cdef is at its final value earlier
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 104d6846c1be0cb757dc95d5801a416f4d7c687d)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index c958c27e3a..f7c3276925 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -261,6 +261,17 @@ static int get_siz(Jpeg2000DecoderContext *s)
return AVERROR_INVALIDDATA;
}
+ for (i = 0; i < s->ncomponents; i++) {
+ if (s->cdef[i] < 0) {
+ for (i = 0; i < s->ncomponents; i++) {
+ s->cdef[i] = i + 1;
+ }
+ if ((s->ncomponents & 1) == 0)
+ s->cdef[s->ncomponents-1] = 0;
+ }
+ }
+ // after here we no longer have to consider negative cdef
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
@@ -2510,17 +2521,6 @@ static int jpeg2000_decode_frame(AVCodecContext *avctx, AVFrame *picture,
if (ret = jpeg2000_read_bitstream_packets(s))
goto end;
- for (int x = 0; x < s->ncomponents; x++) {
- if (s->cdef[x] < 0) {
- for (x = 0; x < s->ncomponents; x++) {
- s->cdef[x] = x + 1;
- }
- if ((s->ncomponents & 1) == 0)
- s->cdef[s->ncomponents-1] = 0;
- break;
- }
- }
-
avctx->execute2(avctx, jpeg2000_decode_tile, picture, NULL, s->numXtiles * s->numYtiles);
jpeg2000_dec_cleanup(s);
commit be682029ae18b80fa9b27f0715ca77323409379c
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 10:08:14 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:47 2025 +0200
avcodec/exr: Check rle_raw_data and surroundings
Fixes: out of array read
Fixes: BIGSLEEP-436510153/dwa_uncompress_read.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 0d9c003d76383e82b57b6d5aa33776709d0cda2c)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 96aafb77a2..874f5bbb73 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -990,6 +990,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
const int dc_h = td->ysize >> 3;
GetByteContext gb, agb;
int skip, ret;
+ int have_rle = 0;
if (compressed_size <= 88)
return AVERROR_INVALIDDATA;
@@ -1014,6 +1015,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if ((uint64_t)rle_raw_size > INT_MAX) {
+ avpriv_request_sample(s->avctx, "Too big rle_raw_size");
+ return AVERROR_INVALIDDATA;
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
@@ -1084,6 +1090,9 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {
unsigned long dest_len = rle_usize;
+ if (2LL * td->xsize * td->ysize > rle_raw_size)
+ return AVERROR_INVALIDDATA;
+
av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);
if (!td->rle_data)
return AVERROR(ENOMEM);
@@ -1100,6 +1109,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (ret < 0)
return ret;
bytestream2_skip(&gb, rle_csize);
+
+ have_rle = 1;
}
bytestream2_init(&agb, td->ac_data, ac_count * 2);
@@ -1158,7 +1169,7 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
if (s->nb_channels < 4)
return 0;
- for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
+ for (int y = 0; y < td->ysize && have_rle; y++) {
uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize * s->nb_channels;
uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
commit fa543b33f63478090137d124c20ff97f76251254
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Wed Aug 6 10:35:15 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:47 2025 +0200
avcodec/exr: Dont access outside xsize/ysize
Fixes: out of array access
Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f45da79b2c336c5f8f3e563d72b8a22fecdcde0c)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index cffd250a3c..96aafb77a2 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1106,6 +1106,9 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
for (int y = 0; y < td->ysize; y += 8) {
for (int x = 0; x < td->xsize; x += 8) {
+ int bw = FFMIN(8, td->xsize - x);
+ int bh = FFMIN(8, td->ysize - y);
+
memset(td->block, 0, sizeof(td->block));
for (int j = 0; j < 3; j++) {
@@ -1133,8 +1136,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
float *ub = td->block[1];
float *vb = td->block[2];
- for (int yy = 0; yy < 8; yy++) {
- for (int xx = 0; xx < 8; xx++) {
+ for (int yy = 0; yy < bh; yy++) {
+ for (int xx = 0; xx < bw; xx++) {
const int idx = xx + yy * 8;
convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx], &ro[xx]);
commit 63c4658e629a9dda63ff06392200baa67800e0cf
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Wed Aug 6 14:54:22 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:46 2025 +0200
examples: Add check and replace av_free() to avoid potential memory errors
Add check for the return value of av_packet_alloc() to avoid potential NULL pointer dereference.
Moreover, replace redundant av_free() with fprintf().
Fixes: 9a38184a14 ("examples/decode_audio: allocate the packet dynamically")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Reviewed-by: Nicolas George <george at nsup.org>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit c64cff64a22a59c0c02281ee9fd9d89963d14d16)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/doc/examples/decode_audio.c b/doc/examples/decode_audio.c
index bcb3d87a69..26ce07a552 100644
--- a/doc/examples/decode_audio.c
+++ b/doc/examples/decode_audio.c
@@ -128,6 +128,10 @@ int main(int argc, char **argv)
outfilename = argv[2];
pkt = av_packet_alloc();
+ if (!pkt) {
+ fprintf(stderr, "Could not allocate AVPacket\n");
+ exit(1); /* or proper cleanup and returning */
+ }
/* find the MPEG audio decoder */
codec = avcodec_find_decoder(AV_CODEC_ID_MP2);
@@ -161,7 +165,7 @@ int main(int argc, char **argv)
}
outfile = fopen(outfilename, "wb");
if (!outfile) {
- av_free(c);
+ fprintf(stderr, "Could not open %s\n", outfilename);
exit(1);
}
commit 8efb352a85823837d0a82b61ce1518c13f2042b1
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Sun Aug 3 23:31:27 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:46 2025 +0200
libavcodec/tests/snowenc: Add av_free() to avoid memory leak
Add av_free() to free s.temp_dwt_buffer and s.temp_idwt_buffer at the end of the function to avoid memory leak.
Fixes: 5d48e4eafa ("Merge commit 'a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 446cfbfb7446208bd1592bbc0ac18ac744543563)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c
index 37198cd4e3..24868f76ce 100644
--- a/libavcodec/tests/snowenc.c
+++ b/libavcodec/tests/snowenc.c
@@ -44,7 +44,8 @@ int main(void){
if (!s.temp_dwt_buffer || !s.temp_idwt_buffer) {
fprintf(stderr, "Failed to allocate memory\n");
- return 1;
+ ret = 1;
+ goto end;
}
av_lfg_init(&prng, 1);
@@ -144,5 +145,9 @@ int main(void){
}
}
+
+end:
+ av_free(s.temp_dwt_buffer);
+ av_free(s.temp_idwt_buffer);
return ret;
}
commit 00b5af29a4203a31574c11b3df892d78d5d862ec
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Wed Aug 6 16:39:47 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:46 2025 +0200
libavfilter/af_firequalizer: Add check for av_malloc_array()
Add check for the return value of av_malloc_array() to avoid potential NULL pointer dereference.
Fixes: d3be186ed1 ("avfilter/firequalizer: add dumpfile and dumpscale option")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit a25462482c02c004d685a8fcf2fa63955aaa0931)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavfilter/af_firequalizer.c b/libavfilter/af_firequalizer.c
index 40054f07de..1e075b7612 100644
--- a/libavfilter/af_firequalizer.c
+++ b/libavfilter/af_firequalizer.c
@@ -806,6 +806,8 @@ static int config_input(AVFilterLink *inlink)
if ((ret = av_tx_init(&s->analysis_rdft, &s->analysis_rdft_fn, AV_TX_FLOAT_RDFT, 0, 1 << rdft_bits, &scale, 0)) < 0)
return ret;
s->dump_buf = av_malloc_array(s->analysis_rdft_len + 2, sizeof(*s->dump_buf));
+ if (!s->dump_buf)
+ return AVERROR(ENOMEM);
}
s->analysis_buf = av_malloc_array((s->analysis_rdft_len + 2), sizeof(*s->analysis_buf));
commit bbac13c54a9e33eeca83a5da9beecbec253133ed
Author: Jiasheng Jiang <jiashengjiangcool at gmail.com>
AuthorDate: Tue Aug 5 19:31:15 2025 +0000
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:45 2025 +0200
libavcodec/videotoolbox_vp9: Move av_malloc() to avoid memory leak
Move av_malloc() after the check for subsampling to avoid memory leak if subsampling < 0 and av_malloc() succeeds.
Fixes: a41a2efc85 ("lavc/videotoolbox: add VP9 hardware acceleration")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool at gmail.com>
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8b4e6ccb13f10752bc5c2a963478c7f3764a0cfe)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/videotoolbox_vp9.c b/libavcodec/videotoolbox_vp9.c
index f5489854e3..d870ea5d0f 100644
--- a/libavcodec/videotoolbox_vp9.c
+++ b/libavcodec/videotoolbox_vp9.c
@@ -70,12 +70,12 @@ CFDataRef ff_videotoolbox_vpcc_extradata_create(AVCodecContext *avctx)
uint8_t *vt_extradata;
int subsampling = get_vpx_chroma_subsampling(avctx->sw_pix_fmt, avctx->chroma_sample_location);
- vt_extradata_size = 1 + 3 + 6 + 2;
- vt_extradata = av_malloc(vt_extradata_size);
-
if (subsampling < 0)
return NULL;
+ vt_extradata_size = 1 + 3 + 6 + 2;
+ vt_extradata = av_malloc(vt_extradata_size);
+
if (!vt_extradata)
return NULL;
commit 7af8307c40bbc0481d5720fecc60fe190714f6a3
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Wed Aug 6 19:49:11 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:45 2025 +0200
avcodec/mpc8: init avctx->sample_rate
Fixes frame validation.
Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5765557242888192
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit 09cb2d41d1862c2f9b3b66311ede28527d703700)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 2785259119..ae145927ee 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -155,7 +155,13 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
init_get_bits(&gb, avctx->extradata, 16);
- skip_bits(&gb, 3);//sample rate
+ uint8_t sample_rate_idx = get_bits(&gb, 3);
+ static const int sample_rates[] = { 44100, 48000, 37800, 32000 };
+ if (sample_rate_idx >= FF_ARRAY_ELEMS(sample_rates)) {
+ av_log(avctx, AV_LOG_ERROR, "invalid sample rate index (%u)\n", sample_rate_idx);
+ return AVERROR_INVALIDDATA;
+ }
+ avctx->sample_rate = sample_rates[sample_rate_idx];
c->maxbands = get_bits(&gb, 5) + 1;
if (c->maxbands >= BANDS) {
av_log(avctx,AV_LOG_ERROR, "maxbands %d too high\n", c->maxbands);
commit f515a3ed0251050e57e46a938939278168dd5d51
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Wed Aug 6 18:26:42 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:45 2025 +0200
avcodec/cbs_h266_syntax_template: fix out of bounds access
current->num_tile_columns is not updated in the loop, so the existing
check was not working. Check current index instead and break. This also
simplifies duplicated log.
Fixes: 435225531/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-6639684232216576
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit fb862976df08b3b132491abca9956f2fe9f96bc1)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c
index b903e4c91f..03d46c46b1 100644
--- a/libavcodec/cbs_h266_syntax_template.c
+++ b/libavcodec/cbs_h266_syntax_template.c
@@ -1870,10 +1870,10 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw,
}
unified_size = current->pps_tile_column_width_minus1[i - 1] + 1;
while (remaining_size > 0) {
- if (current->num_tile_columns > VVC_MAX_TILE_COLUMNS) {
+ if (i == VVC_MAX_TILE_COLUMNS) {
av_log(ctx->log_ctx, AV_LOG_ERROR,
- "NumTileColumns(%d) > than VVC_MAX_TILE_COLUMNS(%d)\n",
- current->num_tile_columns, VVC_MAX_TILE_COLUMNS);
+ "Exceeded maximum tile columns (%d) (remaining size: %u)\n",
+ VVC_MAX_TILE_COLUMNS, remaining_size);
return AVERROR_INVALIDDATA;
}
unified_size = FFMIN(remaining_size, unified_size);
@@ -1882,12 +1882,6 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw,
i++;
}
current->num_tile_columns = i;
- if (current->num_tile_columns > VVC_MAX_TILE_COLUMNS) {
- av_log(ctx->log_ctx, AV_LOG_ERROR,
- "NumTileColumns(%d) > than VVC_MAX_TILE_COLUMNS(%d)\n",
- current->num_tile_columns, VVC_MAX_TILE_COLUMNS);
- return AVERROR_INVALIDDATA;
- }
remaining_size = pic_height_in_ctbs_y;
for (i = 0; i <= current->pps_num_exp_tile_rows_minus1; i++) {
@@ -1902,18 +1896,18 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw,
unified_size = current->pps_tile_row_height_minus1[i - 1] + 1;
while (remaining_size > 0) {
+ if (i == VVC_MAX_TILE_ROWS) {
+ av_log(ctx->log_ctx, AV_LOG_ERROR,
+ "Exceeded maximum tile rows (%d) (remaining size: %u)\n",
+ VVC_MAX_TILE_ROWS, remaining_size);
+ return AVERROR_INVALIDDATA;
+ }
unified_size = FFMIN(remaining_size, unified_size);
current->row_height_val[i] = unified_size;
remaining_size -= unified_size;
i++;
}
current->num_tile_rows=i;
- if (current->num_tile_rows > VVC_MAX_TILE_ROWS) {
- av_log(ctx->log_ctx, AV_LOG_ERROR,
- "NumTileRows(%d) > than VVC_MAX_TILE_ROWS(%d)\n",
- current->num_tile_rows, VVC_MAX_TILE_ROWS);
- return AVERROR_INVALIDDATA;
- }
current->num_tiles_in_pic = current->num_tile_columns *
current->num_tile_rows;
commit 3d86f5e251cf10692da3048a21325b11c355afd0
Author: Kimapr <root at kimapr.net>
AuthorDate: Mon Jul 28 06:32:27 2025 +0500
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:44 2025 +0200
avformat/libopenmpt: fix seeking weirdness
- proper pts for packets. leaving it blank leaves it up for guessing,
but the guess doesn't take seeking into account, causing weirdness.
- clamp to 0 when seeking to negative ts. libopenmpt docs are unclear on
this but not doing this causes an immediate EOF when seeking backwards
to the beginning in mpv.
- only set song duration and packet pts when they are non-negative and
in int64 range. NaNs count as out of range. this isn't a fix for any
specific issue but might be helpful still, and shouldn't break
anything.
(cherry picked from commit ecef5f9e1fb70b38f3e325c8e613349344c97de4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/libopenmpt.c b/libavformat/libopenmpt.c
index 3ca59f506f..25f59ee342 100644
--- a/libavformat/libopenmpt.c
+++ b/libavformat/libopenmpt.c
@@ -147,7 +147,8 @@ static int read_header_openmpt(AVFormatContext *s)
if (!st)
return AVERROR(ENOMEM);
avpriv_set_pts_info(st, 64, 1, AV_TIME_BASE);
- st->duration = llrint(openmpt->duration*AV_TIME_BASE);
+ if (openmpt->duration >= 0 && openmpt->duration < ((double)INT64_MAX + 1) / AV_TIME_BASE)
+ st->duration = llrint(openmpt->duration*AV_TIME_BASE);
st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO;
st->codecpar->codec_id = AV_NE(AV_CODEC_ID_PCM_F32BE, AV_CODEC_ID_PCM_F32LE);
@@ -170,6 +171,8 @@ static int read_packet_openmpt(AVFormatContext *s, AVPacket *pkt)
if ((ret = av_new_packet(pkt, AUDIO_PKT_SIZE)) < 0)
return ret;
+ double pos = openmpt_module_get_position_seconds(openmpt->module);
+
switch (openmpt->ch_layout.nb_channels) {
case 1:
ret = openmpt_module_read_float_mono(openmpt->module, openmpt->sample_rate,
@@ -195,6 +198,9 @@ static int read_packet_openmpt(AVFormatContext *s, AVPacket *pkt)
pkt->size = ret * (openmpt->ch_layout.nb_channels * 4);
+ if (pos >= 0 && pos < ((double)INT64_MAX + 1) / AV_TIME_BASE)
+ pkt->pts = llrint(pos * AV_TIME_BASE);
+
return 0;
}
@@ -211,6 +217,8 @@ static int read_close_openmpt(AVFormatContext *s)
static int read_seek_openmpt(AVFormatContext *s, int stream_idx, int64_t ts, int flags)
{
OpenMPTContext *openmpt = s->priv_data;
+ if (ts < 0)
+ ts = 0;
openmpt_module_set_position_seconds(openmpt->module, (double)ts/AV_TIME_BASE);
return 0;
}
commit 5deafdfb648cb91698395fa59ec4d88029102e3f
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Sat Aug 2 18:55:26 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:44 2025 +0200
avformat/hls: add cmfv/cmfa exceptions
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f3c3a6ecfb230c56a8ff9d219d79d5981b2aa4f3)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/hls.c b/libavformat/hls.c
index 121c9b9db8..7033111f61 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -751,8 +751,8 @@ static int test_segment(AVFormatContext *s, const AVInputFormat *in_fmt, struct
+ 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
// Youtube uses aac files with .ts extension
if(av_match_name("mp4", in_fmt->name) || av_match_name("aac", in_fmt->name)) {
- matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts")
- + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0);
+ matchF |= av_match_ext( seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa")
+ + 2*(ff_match_url_ext(seg->url, "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa") > 0);
}
} else if (!strcmp(in_fmt->name, "mpegts")) {
const char *str = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"
commit 02b6fa099f31d554cbd062f2315d7366677fffca
Author: Kacper Michajłow <kasper93 at gmail.com>
AuthorDate: Wed Jul 23 20:04:53 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:43 2025 +0200
avformat/lrcdec: support arbitrary precision timestamp
Apparently files with milliseconds exist in the wild. And since it cost
nothing to support arbitrary number of digits, extend format to support
that.
Depending on number of digits, the time base of fractional part is
changing. Most LRCs use 2 digits and centiseconds base, but subs with 3
digits and miliseconds exist too.
Set internal time base to AV_TIME_BASE, which in parcitice allows to
hold microseconds with 6 digits. Totally artificial, but who knows maybe
someone wants that.
Fixes: #11677
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
(cherry picked from commit bc3cc0a6af44adc63caf4e5097fcfebd7a7475b4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index f43e9dccf5..e4e13f57a8 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,9 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm, ss, cs;
+ uint64_t mm;
+ double ss;
+ char prefix[3];
while(p[offset] == ' ' || p[offset] == '\t') {
offset++;
@@ -85,14 +87,14 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- if(sscanf(p, "[-%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) == 3) {
- /* Just in case negative pts, players may drop it but we won't. */
- *start = -(int64_t) (mm*60000 + ss*1000 + cs*10);
- } else if(sscanf(p, "[%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) == 3) {
- *start = mm*60000 + ss*1000 + cs*10;
- } else {
+ int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[') {
return 0;
}
+ *start = (mm * 60 + ss) * AV_TIME_BASE;
+ if (prefix[1] == '-') {
+ *start = - *start;
+ }
do {
offset++;
} while(p[offset] && p[offset-1] != ']');
@@ -163,7 +165,7 @@ static int lrc_read_header(AVFormatContext *s)
if(!st) {
return AVERROR(ENOMEM);
}
- avpriv_set_pts_info(st, 64, 1, 1000);
+ avpriv_set_pts_info(st, 64, 1, AV_TIME_BASE);
lrc->ts_offset = 0;
st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codecpar->codec_id = AV_CODEC_ID_TEXT;
commit 4014ff00f9a1cf5ac1b43dbb2502d10bd82c14c0
Author: Michael Niedermayer <michael at niedermayer.cc>
AuthorDate: Mon Aug 4 21:08:47 2025 +0200
Commit: Michael Niedermayer <michael at niedermayer.cc>
CommitDate: Thu Aug 14 02:55:43 2025 +0200
avcodec/ffv1dec: Disable frame threading due to race condition
Slice threading remains available!
The race condition fix is in 8d5efc218245c3f0559f48837b3e63e2932525e0
and bcf08c11710cab5db8eb3d0774e1a93e322fb821
Backport of these is welcome
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 880ad1d6f1..a7d15b4976 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -1133,7 +1133,6 @@ const FFCodec ff_ffv1_decoder = {
FF_CODEC_DECODE_CB(decode_frame),
UPDATE_THREAD_CONTEXT(update_thread_context),
.p.capabilities = AV_CODEC_CAP_DR1 |
- AV_CODEC_CAP_FRAME_THREADS | AV_CODEC_CAP_SLICE_THREADS,
- .caps_internal = FF_CODEC_CAP_INIT_CLEANUP |
- FF_CODEC_CAP_ALLOCATE_PROGRESS,
+ AV_CODEC_CAP_SLICE_THREADS,
+ .caps_internal = FF_CODEC_CAP_INIT_CLEANUP,
};
-----------------------------------------------------------------------
Summary of changes:
Changelog | 29 +++++++++++++++++++++++++++++
doc/examples/decode_audio.c | 6 +++++-
libavcodec/aacsbr_template.c | 6 ++++++
libavcodec/cbs_h266_syntax_template.c | 24 +++++++++---------------
libavcodec/dxv.c | 4 +++-
libavcodec/exr.c | 30 +++++++++++++++++++++++++++---
libavcodec/ffv1.c | 2 +-
libavcodec/ffv1dec.c | 5 ++---
libavcodec/g726.c | 2 ++
libavcodec/ilbcdec.c | 2 ++
libavcodec/jpeg2000dec.c | 35 +++++++++++++++++++++++------------
libavcodec/libvorbisdec.c | 6 ++++++
libavcodec/mpc8.c | 8 +++++++-
libavcodec/scpr3.c | 2 +-
libavcodec/tests/snowenc.c | 7 ++++++-
libavcodec/utvideodec.c | 2 +-
libavcodec/videotoolbox_vp9.c | 6 +++---
libavfilter/af_firequalizer.c | 2 ++
libavfilter/avf_showcqt.c | 4 ++--
libavfilter/dnn/dnn_backend_tf.c | 2 --
libavformat/hls.c | 4 ++--
libavformat/libopenmpt.c | 10 +++++++++-
libavformat/lrcdec.c | 18 ++++++++++--------
23 files changed, 158 insertions(+), 58 deletions(-)
hooks/post-receive
--
More information about the ffmpeg-cvslog
mailing list