The criteria for slice structure validity is similar to that of
subpicture structure validity that we saw not too long ago [1].
The relationship between tiles and slices must satisfy the following
properties:
* Exhaustivity. All tiles in a picture must belong to a slice. The
tiles cover the picture, so this implies the slices must cover the
picture.
* Mutual exclusivity. No tile may belong to more than one slice, i.e.
slices may not overlap.
In most cases these properties are guaranteed by the syntax. There is
one noticable exception however: when pps_tile_idx_delta_present_flag is
equal to one, each slice is associated with a syntax element
pps_tile_idx_delta_val[i] which "specifies the difference between the
tile index of the tile containing the first CTU in the ( i + 1 )-th
rectangular slice and the tile index of the tile containing the first
CTU in the i-th rectangular slice" [2]. When these syntax elements are
present, the i-th slice can begin anywhere and the usual guarantees
provided by the syntax are lost.
The patch detects slice structures which violate either of the two
properties above, and are therefore invalid, while building the
slice map. Should the slice map be determined to be invalid, an
AVERROR_INVALIDDATA is returned. This prevents issues including
segmentation faults when trying to decode, invalid bitstreams.
[1]: https://ffmpeg.org//pipermail/ffmpeg-devel/2024-October/334470.html
[2]: H.266 (V3) Section 7.4.3.5, Picture parameter set RBSP semantics
Signed-off-by: Frank Plowman <post@frankplowman.com>
A minimal DNG header is added to each LJ92 compressed frame, allowing
thme to be decoded by the TIFF decoder. The TIFF decoder is responsible
for setting up the MJPEG decoder, signalling the correct s->bayer flag,
and setting pix_fmt.
The LJ92 compressed frames can be muxed out to DNG files, and manipulated
in DNG software. Tested with darktable and rawtherapee.
Contributor: South East <8billion.people@gmail.com>
It should be more clear what this flag is indicating with a more
verbose comment documenting it.
Signed-off-by: Leo Izen <leo.izen@gmail.com>
Reviewed-by: Marton Balint <cus@passwd.hu>
Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
Reviewed-by: Marth64 <marth64@proxyid.net>
This was previously adjusted by me in 6b3f9c2e92.
Unfortunately, I traded one integer overflow bug for
another.
Currently, NTP timestamps that exceed INT64_MAX
(~Jan 20, 1968) will cause an overflow when passed
to av_rescale.
This patch replaces av_rescale, which operates on
int64_t, with ff_parse_ntp_time, which operates on
uint64_t. This will give the correct values for
timestamps back around the NTP epoch and present day
timestamps.
Fixes ticket #11388.
Signed-off-by: Martin Storsjö <martin@martin.st>
Fixes: 377965565/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-4504434689769472
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: index 5 out of bounds for type 'uint8_t [5]'
Fixes: 377748135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5167109774049280
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: -nan is outside the range of representable values of type 'int'
Fixes: 377072730/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6545416570601472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2 * -4962931467012268000 cannot be represented in type 'long'
Fixes: 376496313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4921469185884160
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1239596184 + 2119376059 cannot be represented in type 'int'
Fixes: 376136844/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6581164455821312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -1082982400 + -1195645138 cannot be represented in type 'int'
Fixes: 376136843/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4791844321427456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: crash
Found-by: Elias Myllymäki <elias.myllymaki04p@gmail.com>
Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Found-by: Elias Myllymäki <elias.myllymaki04p@gmail.com>
Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This sample is rather difficult, containing a lot of subtle edge cases
which revealed errors in the VVC decoder. It covers 88.4% of lines in
libavcodec/vvc and brings the line coverage of the entire VVC fate suite
from 96.3% to 97.2%.
Signed-off-by: Frank Plowman <post@frankplowman.com>
Signed-off-by: James Almer <jamrial@gmail.com>
In mpeg_decode_a53_cc() only the A/53 part 4 CC data ("GA94") is saved between
frames. The other formats incorrectly created a larger buffer than they use
since a705bcd763 because they did not append to
the previous data.
The a53_buf_ref is added to the frame in mpeg_field_start() which will only be
called in decode_chunks() if not all of the picture data slices are skipped.
For these formats, utilize the data added to the buffer in case frames are skipped
(concatenating the CC data until a frame can be exported), in a similar fashion to
the A/53 part 4 logic.
Reviewed-by: Marth64 <marth64@proxyid.net>
Signed-off-by: Marth64 <marth64@proxyid.net>
After support was added for DVB 0502 Closed Caption coding,
the cc_format option's range was never updated so user
cannot select this coding as a forced formatting choice.
Fix the range of the option by ending it with the new coding type.
Signed-off-by: Marth64 <marth64@proxyid.net>
Fix the incorrect capitalization of the project name in a comment.
The project is named FFmpeg, not FFMpeg.
Signed-off-by: Leo Izen <leo.izen@gmail.com>
This will ensure any future goto leave that may be added doesn't accidentally forget to
set ret to some proper value.
Reviewed-by: Timo Rothenpieler <timo@rothenpieler.org>
Signed-off-by: James Almer <jamrial@gmail.com>
When muxing to FLV/RTMP a MP3 track with an ID greater than zero,
enhanced RTMP has to be used, and a sequence start should preceed track
data.
This is already implemented (see line 823 of flvenc.c) but the code is
never reached due to a too-strict condition before it. This patch fixes
the issue.
Signed-off-by: Alessandro Ros <aler9.dev@gmail.com>
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
The scale_vulkan filter initializes the shader once, with the crop
region set by the original frame. However, subsequent frames may
specify a different crop region than the first frame. This change
updates the cropping to match the behavior present on the other
hardware frame scale filters.
The scale filter should also allow negative values
that respect aspect ratio, similar to other scale filters.
Signed-off-by: Koushik Dutta <koushd@gmail.com>
These properties are unreliable because they depend on the frames decoded so
far, users should check directly the presence of the decoded AVFrame side data
or AVFrame flags.
Signed-off-by: Marton Balint <cus@passwd.hu>
When the current subpicture has sps_subpic_treated_as_pic_flag equal to
1, motion vectors are cropped such that they cannot point to other
subpictures. This was accounted for in the prediction logic, but not
in pred_get_y, which is used by the scheduling logic to determine which
parts of the reference pictures must have been reconstructed before
inter prediction of a subsequent frame may begin. Consequently, where a
motion vector pointed to a location significantly above the current
subpicture, there was the possibility of a race condition. Patch fixes
this by cropping the motion vector to the current subpicture in
pred_get_y.
Signed-off-by: Frank Plowman <post@frankplowman.com>
