updatze for 7.1.3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Changelog

@@ -1,6 +1,42 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 7.1.3:
+ avfilter/vf_drawtext: Account for bbox text seperator
+ avcodec/mediacodecdec_common: Check that the input to mediacodec_wrap_sw_audio_buffer() contains channel * sample_size
+ avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
+ avcodec/osq: Fix 32bit sample overflow
+ avformat/rtpdec_rfc4175: Only change PayloadContext on success
+ avformat/rtpdec_rfc4175: Check dimensions
+ avformat/rtpdec_rfc4175: Fix memleak of sampling
+ avformat/http: Fix off by 1 error
+ avcodec/exr: spelling
+ avcodec/exr: use tile dimensions in pxr24 UINT case
+ avcodec/exr: Simple check for available channels
+ avformat/sctp: Check size in sctp_write()
+ avformat/rtmpproto: consider command line argument lengths
+ avformat/rtmpproto_ Check tcurl and flashver length
+ avcodec/g723_1enc: Make min_err 64bit
+ avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
+ avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
+ swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
+ avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI
+ avcodec/exr: Check that DWA has 3 channels
+ avcodec/exr: check ac_size
+ avcodec/exr: Round dc_w/h up
+ avcodec/mjpegdec: Explain buf_size/width/height check
+ avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
+ fftools/ffmpeg_sched: prevent demuxers from getting stuck
+ lavc/aarch64: Fix addp overflow in ff_pred16x16_plane_neon_10
+ avcodec/mlpdec: don't depend on context channel layout when setting substream masks
+ avformat/demux: pass new extradata to the parser
+ avcodec/svq1enc: restrict Altivec acceleration to big-endian POWER configurations
+ libavutil/arm: Rename the HWCAP defines
+ libavutil/arm: Make use of elf_aux_info() on FreeBSD/OpenBSD
+ avcodec/decode: sync initial_pict_type and intra_only_flag with thread worker's avctx
+ avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction
+
+
 version 7.1.2:
  doc/examples/vaapi_encode: fix invalid check on fwrite
  avcodec/librsvgdec: fix compilation with librsvg 2.50.3

RELEASE

@@ -1 +1 @@
-7.1.2
+7.1.3

doc/Doxyfile

@@ -38,7 +38,7 @@ PROJECT_NAME           = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = 7.1.2
+PROJECT_NUMBER         = 7.1.3
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

libavcodec/exr.c

@@ -174,6 +174,9 @@ typedef struct EXRContext {
 
     int is_luma;/* 1 if there is an Y plane */
 
+#define M(chr) (1<<chr - 'A')
+    int has_channel; ///< combination of flags representing the channel codes A-Z
+
     GetByteContext gb;
     const uint8_t *buf;
     int buf_size;
@@ -740,12 +743,12 @@ static int pxr24_uncompress(const EXRContext *s, const uint8_t *src,
                 break;
             case EXR_UINT:
                 ptr[0] = in;
-                ptr[1] = ptr[0] + s->xdelta;
-                ptr[2] = ptr[1] + s->xdelta;
-                ptr[3] = ptr[2] + s->xdelta;
-                in     = ptr[3] + s->xdelta;
+                ptr[1] = ptr[0] + td->xsize;
+                ptr[2] = ptr[1] + td->xsize;
+                ptr[3] = ptr[2] + td->xsize;
+                in     = ptr[3] + td->xsize;
 
-                for (j = 0; j < s->xdelta; ++j) {
+                for (j = 0; j < td->xsize; ++j) {
                     uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                     (*(ptr[1]++) << 16) |
                     (*(ptr[2]++) << 8 ) |
@@ -987,8 +990,8 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     int64_t version, lo_usize, lo_size;
     int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
     int64_t ac_count, dc_count, ac_compression;
-    const int dc_w = td->xsize >> 3;
-    const int dc_h = td->ysize >> 3;
+    const int dc_w = (td->xsize + 7) >> 3;
+    const int dc_h = (td->ysize + 7) >> 3;
     GetByteContext gb, agb;
     int skip, ret;
     int have_rle = 0;
@@ -1000,6 +1003,11 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     if (version != 2)
         return AVERROR_INVALIDDATA;
 
+    if (s->nb_channels < 3) {
+        avpriv_request_sample(s->avctx, "Gray DWA");
+        return AVERROR_PATCHWELCOME;
+    }
+
     lo_usize = AV_RL64(src + 8);
     lo_size = AV_RL64(src + 16);
     ac_size = AV_RL64(src + 24);
@@ -1016,11 +1024,20 @@ static int dwa_uncompress(const EXRContext *s, const uint8_t *src, int compresse
     )
         return AVERROR_INVALIDDATA;
 
+    if (ac_size <= 0) {
+        avpriv_request_sample(s->avctx, "Zero ac_size");
+        return AVERROR_INVALIDDATA;
+    }
+
     if ((uint64_t)rle_raw_size > INT_MAX) {
         avpriv_request_sample(s->avctx, "Too big rle_raw_size");
         return AVERROR_INVALIDDATA;
     }
 
+    if (td->xsize % 8 || td->ysize % 8) {
+        avpriv_request_sample(s->avctx, "odd dimensions DWA");
+    }
+
     bytestream2_init(&gb, src + 88, compressed_size - 88);
     skip = bytestream2_get_le16(&gb);
     if (skip < 2)
@@ -1581,6 +1598,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
     s->is_tile            = 0;
     s->is_multipart       = 0;
     s->is_luma            = 0;
+    s->has_channel        = 0;
     s->current_part       = 0;
 
     if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1684,23 +1702,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                 }
 
                 if (layer_match) { /* only search channel if the layer match is valid */
+                    if (strlen(ch_gb.buffer) == 1) {
+                        int ch_chr = av_toupper(*ch_gb.buffer);
+                        if (ch_chr >= 'A' && ch_chr <= 'Z')
+                            s->has_channel |= M(ch_chr);
+                        av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+                    }
+
                     if (!av_strcasecmp(ch_gb.buffer, "R") ||
                         !av_strcasecmp(ch_gb.buffer, "X") ||
                         !av_strcasecmp(ch_gb.buffer, "U")) {
                         channel_index = 0;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "G") ||
                                !av_strcasecmp(ch_gb.buffer, "V")) {
                         channel_index = 1;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
                         channel_index = 1;
-                        s->is_luma = 1;
                     } else if (!av_strcasecmp(ch_gb.buffer, "B") ||
                                !av_strcasecmp(ch_gb.buffer, "Z") ||
                                !av_strcasecmp(ch_gb.buffer, "W")) {
                         channel_index = 2;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "A")) {
                         channel_index = 3;
                     } else {
@@ -1776,6 +1797,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                     s->current_channel_offset += 4;
                 }
             }
+            if        (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y')                  ) & ~s->has_channel) &&
+                       !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X') + M('Z')) &  s->has_channel)) {
+                s->is_luma = 1;
+            } else {
+                avpriv_request_sample(s->avctx, "Uncommon channel combination");
+                ret = AVERROR(AVERROR_PATCHWELCOME);
+                goto fail;
+            }
 
             /* Check if all channels are set with an offset or if the channels
              * are causing an overflow  */

libavcodec/g723_1.h

@@ -108,7 +108,7 @@ typedef struct HFParam {
  * Optimized fixed codebook excitation parameters
  */
 typedef struct FCBParam {
-    int min_err;
+    int64_t min_err;
     int amp_index;
     int grid_index;
     int dirac_train;

libavcodec/g723_1enc.c

@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t *impulse_resp,
     int pulse_cnt = pulses[index];
     int i;
 
-    optim.min_err = 1 << 30;
+    optim.min_err = 1LL << 31;
     get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
 
     if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {

libavcodec/hevc/sei.c

@@ -152,6 +152,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)
 
 static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb)
 {
+    unsigned num_ref_displays;
+
     s->prec_ref_display_width = get_ue_golomb(gb);
     if (s->prec_ref_display_width > 31)
         return AVERROR_INVALIDDATA;
@@ -161,10 +163,10 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         if (s->prec_ref_viewing_dist > 31)
             return AVERROR_INVALIDDATA;
     }
-    s->num_ref_displays = get_ue_golomb(gb);
-    if (s->num_ref_displays > 31)
+    num_ref_displays = get_ue_golomb(gb);
+    if (num_ref_displays > 31)
         return AVERROR_INVALIDDATA;
-    s->num_ref_displays += 1;
+    s->num_ref_displays = num_ref_displays + 1;
 
     for (int i = 0; i < s->num_ref_displays; i++) {
         int length;

libavcodec/mediacodecdec_common.c

@@ -385,6 +385,12 @@ static int mediacodec_wrap_sw_audio_buffer(AVCodecContext *avctx,
         goto done;
     }
 
+    if (info->size % (sample_size * avctx->ch_layout.nb_channels)) {
+        av_log(avctx, AV_LOG_ERROR, "input is not a multiple of channels * sample_size\n");
+        ret = AVERROR(EINVAL);
+        goto done;
+    }
+
     frame->format = avctx->sample_fmt;
     frame->sample_rate = avctx->sample_rate;
     frame->nb_samples = info->size / (sample_size * avctx->ch_layout.nb_channels);

libavcodec/mjpegdec.c

@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
     av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
     if (av_image_check_size(width, height, 0, s->avctx) < 0)
         return AVERROR_INVALIDDATA;
+
+    // A valid frame requires at least 1 bit for DC + 1 bit for AC for each 8x8 block.
     if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL)
         return AVERROR_INVALIDDATA;
 

libavcodec/osq.c

@@ -390,7 +390,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame *frame)
             int32_t *src = s->decode_buffer[ch] + OFFSET;
 
             for (int n = 0; n < nb_samples; n++)
-                dst[n] = av_clip_uint8(src[n] + 0x80);
+                dst[n] = av_clip_uint8(src[n] + 0x80ll);
         }
         break;
     case AV_SAMPLE_FMT_S16P:

libavcodec/utvideodec.c

@@ -457,7 +457,7 @@ static void restore_median_planar_il(UtvideoContext *c, uint8_t *src, ptrdiff_t
         // second line - first element has top prediction, the rest uses median
         C        = bsrc[-stride2];
         bsrc[0] += C;
-        A        = bsrc[0];
+        A = B    = bsrc[0];
         for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need align 16) */
             B        = bsrc[i - stride2];
             bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));

libavcodec/vlc.c

@@ -527,7 +527,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI *multi, int nb_bits, int
     if (ret < 0)
         return ret;
 
-    multi->table = av_malloc(sizeof(*multi->table) << nb_bits);
+    multi->table = av_mallocz(sizeof(*multi->table) << nb_bits);
     if (!multi->table)
         goto fail;
 

libavfilter/vf_drawtext.c

@@ -1017,7 +1017,7 @@ static av_cold int init(AVFilterContext *ctx)
             av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use text_source only\n");
             av_free(s->text);
         }
-        s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+        s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
                              (AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
         if (!s->text)
             return AVERROR(ENOMEM);

libavformat/aviobuf.c

@@ -308,7 +308,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int whence)
         ctx->seek_count++;
         if (!s->write_flag)
             s->buf_end = s->buffer;
-        s->buf_ptr = s->buf_ptr_max = s->buffer;
+        s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
         s->pos = offset;
     }
     s->eof_reached = 0;

libavformat/http.c

@@ -1849,7 +1849,7 @@ static int store_icy(URLContext *h, int size)
             ret = http_read_stream_all(h, data, len);
             if (ret < 0)
                 return ret;
-            data[len + 1] = 0;
+            data[len] = 0;
             if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
                 return ret;
             update_metadata(h, data);

libavformat/rtmpproto.c

@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket *pkt);
 static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
 static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
 
+static size_t zstrlen(const char *c)
+{
+    if(c)
+        return strlen(c);
+    return 0;
+}
+
 static int add_tracked_method(RTMPContext *rt, const char *name, int id)
 {
     int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
     int ret;
 
     if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
-                                     0, 4096 + APP_MAX_LENGTH)) < 0)
+                                     0, 4096 + APP_MAX_LENGTH
+                                     + strlen(rt->auth_params) + strlen(rt->flashver)
+                                     + zstrlen(rt->enhanced_codecs)/5*7
+                                     + zstrlen(rt->swfurl)
+                                     + zstrlen(rt->swfverify)
+                                     + zstrlen(rt->tcurl)
+                                     + zstrlen(rt->auth_params)
+                                     + zstrlen(rt->pageurl)
+                                     + zstrlen(rt->conn)*3
+                                     )) < 0)
         return ret;
 
     p = pkt.data;
@@ -1900,7 +1916,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
 
     if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
                                      RTMP_PT_INVOKE, 0,
-                                     RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+                                     RTMP_PKTDATA_DEFAULT_SIZE
+                                     + strlen(status) + strlen(description)
+                                     + zstrlen(details))) < 0) {
         av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
         return ret;
     }
@@ -2833,6 +2851,12 @@ reconnect:
                     "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
         }
     }
+    if (   strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+        || strlen(rt->tcurl   ) >    TCURL_MAX_LENGTH
+    ) {
+        ret = AVERROR(EINVAL);
+        goto fail;
+    }
 
     rt->receive_report_size = 1048576;
     rt->bytes_read = 0;

libavformat/rtpdec_rfc4175.c

@@ -23,7 +23,9 @@
 
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -128,7 +130,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream,
         data->width = atoi(value);
     else if (!strncmp(attr, "height", 6))
         data->height = atoi(value);
-    else if (!strncmp(attr, "sampling", 8))
+    else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
         data->sampling = av_strdup(value);
     else if (!strncmp(attr, "depth", 5))
         data->depth = atoi(value);
@@ -172,30 +174,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream *stream,
 }
 
 static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
-                                  PayloadContext *data, const char *line)
+                                  PayloadContext *data_arg, const char *line)
 {
     const char *p;
 
     if (st_index < 0)
         return 0;
 
+    av_assert0(!data_arg->sampling);
+
     if (av_strstart(line, "fmtp:", &p)) {
         AVStream *stream = s->streams[st_index];
+        PayloadContext data0 = *data_arg, *data = &data0;
         int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
 
-        if (ret < 0)
-            return ret;
-
-
         if (!data->sampling || !data->depth || !data->width || !data->height)
-            return AVERROR(EINVAL);
+            ret =  AVERROR(EINVAL);
+
+        if (ret < 0)
+            goto fail;
+
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            goto fail;
 
         stream->codecpar->width = data->width;
         stream->codecpar->height = data->height;
 
         ret = rfc4175_parse_format(stream, data);
         av_freep(&data->sampling);
-
+        if (ret >= 0)
+            *data_arg = *data;
+fail:
+        av_freep(&data->sampling);
         return ret;
     }
 
@@ -296,6 +307,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, PayloadContext *data,
         if (data->interlaced)
             line = 2 * line + field;
 
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
         /* prevent ill-formed packets to write after buffer's end */
         copy_offset = (line * data->width + offset) * data->pgroup / data->xinc;
         if (copy_offset + length > data->frame_size || !data->frame)

libavformat/rtpenc_h264_hevc.c

@@ -196,6 +196,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const uint8_t *buf1, int size)
             r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size);
             if (!r1)
                 r1 = end;
+            // Check that the last is not truncated
+            if (r1 - r < s->nal_length_size)
+                break;
             r += s->nal_length_size;
         } else {
             while (!*(r++));

libavformat/sctp.c

@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf, int size)
     }
 
     if (s->max_streams) {
+        if (size < 2)
+            return AVERROR(EINVAL);
+
         /*StreamId is introduced as a 2byte code into the stream*/
         struct sctp_sndrcvinfo info = { 0 };
         info.sinfo_stream           = AV_RB16(buf);

libswscale/output.c

@@ -965,7 +965,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
         int A = 0xffff;
 
         for (j = 0; j < lumFilterSize; j++)
-            Y += lumSrc[j][i] * lumFilter[j];
+            Y += lumSrc[j][i] * (unsigned)lumFilter[j];
 
         Y >>= 15;
         Y += (1<<3) + 0x8000;
@@ -974,7 +974,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
         if (hasAlpha) {
             A = -0x40000000 + (1<<14);
             for (j = 0; j < lumFilterSize; j++)
-                A += alpSrc[j][i] * lumFilter[j];
+                A += alpSrc[j][i] * (unsigned)lumFilter[j];
 
             A >>= 15;
             A += 0x8000;