From 0fb3b24adac11cc62ad8daacf3c8e01469baa918 Mon Sep 17 00:00:00 2001
From: Mans Rullgard
Date: Mon, 8 Oct 2012 20:35:03 +0100
Subject: [PATCH 01/10] build: link test programs only against static libs The test programs use internal symbols so cannot be linked against the shared libs. Linking against both shared and static is pointless and might do something strange depending on the linker. This changes the dependencies so the test programs are linked only against the static library for the component they belong to. Signed-off-by: Mans Rullgard
---
 library.mak | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/library.mak b/library.mak
index 19f05f9e87..7b78e59577 100644
--- a/library.mak
+++ b/library.mak
@@ -35,7 +35,7 @@ install-libs-$(CONFIG_SHARED): install-lib$(NAME)-shared
 define RULES
 $(EXAMPLES) $(TESTPROGS) $(TOOLS): %$(EXESUF): %.o
- $$(LD) $(LDFLAGS) $$(LD_O) $$^ $(FULLNAME:%=$(LD_LIB)) $(FFEXTRALIBS) $$(ELIBS)
+ $$(LD) $(LDFLAGS) $$(LD_O) $$^ $(FFEXTRALIBS) $$(ELIBS)
 $(SUBDIR)$(SLIBNAME): $(SUBDIR)$(SLIBNAME_WITH_MAJOR)
 $(Q)cd ./$(SUBDIR) && $(LN_S) $(SLIBNAME_WITH_MAJOR) $(SLIBNAME)
@@ -89,8 +89,8 @@ endef
 $(eval $(RULES))
-$(EXAMPLES) $(TESTPROGS) $(TOOLS): $(THIS_LIB) $(DEP_LIBS)
-$(TESTPROGS): $(SUBDIR)$(LIBNAME)
+$(EXAMPLES) $(TOOLS): $(THIS_LIB) $(DEP_LIBS)
+$(TESTPROGS): $(SUBDIR)$(LIBNAME) $(DEP_LIBS)
 examples: $(EXAMPLES)
 testprogs: $(TESTPROGS)
From 53e122dd4afbb5bbdbba8b18bee0beb460242dc7 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 14:48:08 +0200
Subject: [PATCH 02/10] swfenc: error out for more than 1 audio or video stream Prevents CID602000.
---
 libavformat/swfenc.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libavformat/swfenc.c b/libavformat/swfenc.c
index 9de8b679d7..31f405d5cd 100644
--- a/libavformat/swfenc.c
+++ b/libavformat/swfenc.c
@@ -186,6 +186,10 @@ static int swf_write_header(AVFormatContext *s)
 for(i=0;inb_streams;i++) {
 AVCodecContext *enc = s->streams[i]->codec;
 if (enc->codec_type == AVMEDIA_TYPE_AUDIO) {
+ if (swf->audio_enc) {
+ av_log(s, AV_LOG_ERROR, "SWF muxer only supports 1 audio stream\n");
+ return AVERROR_INVALIDDATA;
+ }
 if (enc->codec_id == AV_CODEC_ID_MP3) {
 swf->audio_enc = enc;
 swf->audio_fifo= av_fifo_alloc(AUDIO_FIFO_SIZE);
@@ -196,6 +200,10 @@ static int swf_write_header(AVFormatContext *s)
 return -1;
 }
 } else {
+ if (swf->video_enc) {
+ av_log(s, AV_LOG_ERROR, "SWF muxer only supports 1 video stream\n");
+ return AVERROR_INVALIDDATA;
+ }
 if (enc->codec_id == AV_CODEC_ID_VP6F ||
 enc->codec_id == AV_CODEC_ID_FLV1 ||
 enc->codec_id == AV_CODEC_ID_MJPEG) {
From 4ffbe3f3a5d9892841d9bc31d859916c2c61123f Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 14:54:01 +0200
Subject: [PATCH 03/10] matroskaenc: check cue point validity before reallocation Prevents memory leak and possible access to freed memory. Fixes CID605744.
---
 libavformat/matroskaenc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index 3e32943153..b37d10cba1 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -368,13 +368,13 @@ static int mkv_add_cuepoint(mkv_cues *cues, int stream, int64_t ts, int64_t clus
 {
 mkv_cuepoint *entries = cues->entries;
+ if (ts < 0)
+ return 0;
+
 entries = av_realloc(entries, (cues->num_entries + 1) * sizeof(mkv_cuepoint));
 if (entries == NULL)
 return AVERROR(ENOMEM);
- if (ts < 0)
- return 0;
-
 entries[cues->num_entries ].pts = ts;
 entries[cues->num_entries ].tracknum = stream + 1;
 entries[cues->num_entries++].cluster_pos = cluster_pos - cues->segment_offset;
From 18ff4d20201ae69fdeb2da2c90bdcbd33f7ac025 Mon Sep 17 00:00:00 2001
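Review bot: In libavformat/swfenc.c, the second guard in swf_write_header sits in the plain `else` of the `codec_type == AVMEDIA_TYPE_AUDIO` test, so it rejects a second stream of any non-audio type while the log line says "video"; the message should name what was actually rejected, or the branch should test for video explicitly. Both new guards (the hunk at -186 and the one at -196) return `AVERROR_INVALIDDATA` for what is a caller configuration error, where `return AVERROR(EINVAL);` would describe it, and the neighbouring unsupported-codec path still returns a bare `-1`. The guards can also fire after `swf->audio_fifo` was allocated for an earlier stream; whether anything releases it when the header write fails is not visible here and should be confirmed. The function body continues outside both hunks.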
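Review bot: In mkv_add_cuepoint (libavformat/matroskaenc.c) the size handed to av_realloc, `(cues->num_entries + 1) * sizeof(mkv_cuepoint)`, is still computed without an overflow check, and the array grows by one element per cue point. The type of `num_entries` is not visible in the hunk, so this is something to confirm rather than a proven wrap, but a bound checked before the call would make the arithmetic safe whatever the type is. The early `return 0` for `ts < 0` also deserves a one-line comment, for example `/* negative timestamps are not recorded as cues; not an error */`, because callers cannot tell a skipped entry from a stored one. The store of `entries` back into `cues->entries` is outside the hunk.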
From: Janne Grunau
Date: Tue, 9 Oct 2012 15:20:15 +0200
Subject: [PATCH 04/10] avconv: simplify memory allocation in copy_chapters Make just a single reallocation per call instead of one reallocation per copied chapters. This fixes possible memory leaks on realloc failures. Also correct the allocation since it needs multiples of sizeof(AVChapter*) and not sizeof(AVChapter). Fixes CID700633 and CID700719.
---
 avconv_opt.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/avconv_opt.c b/avconv_opt.c
index 108e510516..f8a76c0978 100644
--- a/avconv_opt.c
+++ b/avconv_opt.c
@@ -1085,8 +1085,14 @@ static int copy_chapters(InputFile *ifile, OutputFile *ofile, int copy_metadata)
 {
 AVFormatContext *is = ifile->ctx;
 AVFormatContext *os = ofile->ctx;
+ AVChapter **tmp;
 int i;
+ tmp = av_realloc(os->chapters, sizeof(*os->chapters) * (is->nb_chapters + os->nb_chapters));
+ if (!tmp)
+ return AVERROR(ENOMEM);
+ os->chapters = tmp;
+
 for (i = 0; i < is->nb_chapters; i++) {
 AVChapter *in_ch = is->chapters[i], *out_ch;
 int64_t ts_off = av_rescale_q(ofile->start_time - ifile->ts_offset,
@@ -1112,11 +1118,7 @@ static int copy_chapters(InputFile *ifile, OutputFile *ofile, int copy_metadata)
 if (copy_metadata)
 av_dict_copy(&out_ch->metadata, in_ch->metadata, 0);
- os->nb_chapters++;
- os->chapters = av_realloc(os->chapters, sizeof(AVChapter) * os->nb_chapters);
- if (!os->chapters)
- return AVERROR(ENOMEM);
- os->chapters[os->nb_chapters - 1] = out_ch;
+ os->chapters[os->nb_chapters++] = out_ch;
 }
 return 0;
 }
From 1afd7a118fd71536971f991b823c89f1c9e87509 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 15:41:24 +0200
Subject: [PATCH 05/10] af_channelmap: free old extended_data on reallocation Prevents writes to freed memory and the leak of the old extended data. Fixes CID732303.
---
 libavfilter/af_channelmap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
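Review bot: In copy_chapters (avconv_opt.c) the new up-front `av_realloc` is asked for zero bytes when both `is->nb_chapters` and `os->nb_chapters` are 0, and a NULL result is then reported as `AVERROR(ENOMEM)`. What the allocator returns for a zero size depends on the platform, so an early `if (!is->nb_chapters) return 0;` ahead of the call removes the ambiguity. The sum `is->nb_chapters + os->nb_chapters` and the multiplication by `sizeof(*os->chapters)` are also unchecked, and one of those counts comes from an input file, so a bound or a comment stating why the expression cannot wrap would help. The loop body between the two hunks is not visible.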
diff --git a/libavfilter/af_channelmap.c b/libavfilter/af_channelmap.c
index 3e945d6e91..405a9c2c2f 100644
--- a/libavfilter/af_channelmap.c
+++ b/libavfilter/af_channelmap.c
@@ -338,8 +338,8 @@ static int channelmap_filter_samples(AVFilterLink *inlink, AVFilterBufferRef *bu
 if (buf->extended_data == buf->data) {
 buf->extended_data = new_extended_data;
 } else {
- buf->extended_data = new_extended_data;
 av_free(buf->extended_data);
+ buf->extended_data = new_extended_data;
 }
 } else if (buf->extended_data != buf->data) {
 av_free(buf->extended_data);
From 714f5ab59780de9da546a24335a6976dac18fbe3 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 16:07:12 +0200
Subject: [PATCH 06/10] vc1dec: prevent memory leak on av_realloc error
---
 libavcodec/vc1dec.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index df3a55a0ba..13303dc059 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5364,9 +5364,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
 break;
 case VC1_CODE_FIELD: {
 int buf_size3;
- slices = av_realloc(slices, sizeof(*slices) * (n_slices+1));
- if (!slices)
+ tmp = av_realloc(slices, sizeof(*slices) * (n_slices+1));
+ if (!tmp)
 goto err;
+ slices = tmp;
 slices[n_slices].buf = av_mallocz(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!slices[n_slices].buf)
 goto err;
@@ -5388,9 +5389,10 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
 break;
 case VC1_CODE_SLICE: {
 int buf_size3;
- slices = av_realloc(slices, sizeof(*slices) * (n_slices+1));
- if (!slices)
+ tmp = av_realloc(slices, sizeof(*slices) * (n_slices+1));
+ if (!tmp)
 goto err;
+ slices = tmp;
 slices[n_slices].buf = av_mallocz(buf_size + FF_INPUT_BUFFER_PADDING_SIZE);
 if (!slices[n_slices].buf)
 goto err;
From 6f8ef5320f4d435803482ed322f3de45e6ea125c Mon Sep 17 00:00:00 2001
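Review bot: With the order corrected, both arms of the inner `if` in channelmap_filter_samples (libavfilter/af_channelmap.c) end in the same assignment, so the branch can shrink to `if (buf->extended_data != buf->data) av_free(buf->extended_data);` followed by a single `buf->extended_data = new_extended_data;`. That leaves one place where the pointer is replaced and makes the free-before-assign order harder to invert again. The enclosing function starts and ends outside the hunk.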
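Review bot: `tmp` is assigned in both vc1_decode_frame hunks (VC1_CODE_FIELD at -5364 and VC1_CODE_SLICE at -5388 in libavcodec/vc1dec.c) but declared in neither, so the patch relies on an existing declaration elsewhere in the function; its type should be confirmed to match `slices`. The grow-by-one sequence is now duplicated verbatim in the two cases, and a short comment at each, such as `/* realloc through tmp so slices stays valid for the err path */`, would record why the temporary must not be folded away. The multiplication `sizeof(*slices) * (n_slices+1)` is unchecked; `n_slices` presumably follows the number of start codes in the packet, which is worth stating or bounding.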
From: Janne Grunau
Date: Tue, 9 Oct 2012 16:09:41 +0200
Subject: [PATCH 07/10] vc1dec: prevent memory leak in error path Fixes CID732271.
---
 libavcodec/vc1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 13303dc059..d4108757c9 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5463,7 +5463,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
 if (!s->context_initialized) {
 if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0)
- return -1;
+ goto err;
 s->low_delay = !avctx->has_b_frames || v->res_sprite;
From 8501c098687bbf551a2f1cdef80ee653fdfff6ac Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 16:15:15 +0200
Subject: [PATCH 08/10] af_amix: prevent memory leak on error path Fixes CID732272.
---
 libavfilter/af_amix.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavfilter/af_amix.c b/libavfilter/af_amix.c
index 202d67541c..a0b265fa34 100644
--- a/libavfilter/af_amix.c
+++ b/libavfilter/af_amix.c
@@ -285,8 +285,10 @@ static int output_frame(AVFilterLink *outlink, int nb_samples)
 return AVERROR(ENOMEM);
 in_buf = ff_get_audio_buffer(outlink, AV_PERM_WRITE, nb_samples);
- if (!in_buf)
+ if (!in_buf) {
+ avfilter_unref_buffer(out_buf);
 return AVERROR(ENOMEM);
+ }
 for (i = 0; i < s->nb_inputs; i++) {
 if (s->input_state[i] == INPUT_ON) {
From ac9a89562adcc09d213462830f4da728674958fb Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 16:28:30 +0200
Subject: [PATCH 09/10] af_resample: unref out_buf when avresample_convert returns 0 Fixes CID732273.
---
 libavfilter/af_resample.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavfilter/af_resample.c b/libavfilter/af_resample.c
index 58a9b2a99e..c43d260610 100644
--- a/libavfilter/af_resample.c
+++ b/libavfilter/af_resample.c
@@ -194,9 +194,10 @@ static int filter_samples(AVFilterLink *inlink, AVFilterBufferRef *buf)
 buf_out->linesize[0], nb_samples, buf->extended_data, buf->linesize[0], buf->audio->nb_samples);
- if (ret < 0) {
+ if (ret <= 0) {
 avfilter_unref_buffer(buf_out);
- goto fail;
+ if (ret < 0)
+ goto fail;
 }
 av_assert0(!avresample_available(s->avr));
From b94e4acb4874843e914fd3cb8e089aff0756bb4a Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Tue, 9 Oct 2012 17:55:32 +0200
Subject: [PATCH 10/10] cmdutils_read_file: increment *size after writing the trailing \0 Fixes CID732166.
---
 cmdutils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmdutils.c b/cmdutils.c
index 3ae48e4863..ac971df20a 100644
--- a/cmdutils.c
+++ b/cmdutils.c
@@ -1061,7 +1061,7 @@ int cmdutils_read_file(const char *filename, char **bufptr, size_t *size)
 ret = AVERROR_EOF;
 } else {
 ret = 0;
- (*bufptr)[*size++] = '\0';
+ (*bufptr)[(*size)++] = '\0';
 }
 fclose(f);
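Review bot: When `ret` is 0, the new `ret <= 0` branch in filter_samples (libavfilter/af_resample.c) releases `buf_out` and then falls through past `av_assert0`, so every later use of `buf_out` has to be guarded by `ret > 0`; that code is outside the hunk and should be confirmed. Clearing the pointer right after the unref, `buf_out = NULL;`, would turn a missed guard into an immediate fault instead of a use of freed memory. A comment such as `/* ret == 0: nothing produced, buffer released, fall through */` would also show that the fall-through is intended.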
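Review bot: With the precedence fixed in cmdutils_read_file (cmdutils.c), `*size` now counts the terminating NUL, so callers receive the content length plus one, and nothing in the visible prototype says so. A comment on the function such as `/* on success *size includes the trailing '\0' */` would keep callers from treating it as the payload length. The store at index `*size` also needs the buffer to have at least one spare byte; the allocation is outside the hunk and should be confirmed.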