Merge remote-tracking branch 'qatar/master'

* qatar/master: lavf: fix signed overflow in avformat_find_stream_info() vp8: fix signed overflows motion_est: fix some signed overflows dca: fix signed overflow in shift aacdec: fix undefined shifts bink: Check for various out of bound writes bink: Check for out of bound writes when building tree put_bits: fix invalid shift by 32 in flush_put_bits() Conflicts: libavcodec/bink.c libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>

Merge remote-tracking branch 'qatar/master'
* qatar/master: lavf: fix signed overflow in avformat_find_stream_info() vp8: fix signed overflows motion_est: fix some signed overflows dca: fix signed overflow in shift aacdec: fix undefined shifts bink: Check for various out of bound writes bink: Check for out of bound writes when building tree put_bits: fix invalid shift by 32 in flush_put_bits() Conflicts: libavcodec/bink.c libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
c5db8b4d · Michael Niedermayer · 7fb92be7 · a31e9f68 · c5db8b4d · c5db8b4d
Commit c5db8b4d authored Oct 09, 2011 by Michael Niedermayer
7 changed files
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1131,7 +1131,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
                            GET_VLC(code, re, gb, vlc_tab, 8, 2);
                            cb_idx = cb_vector_idx[code];
                            nnz = cb_idx >> 8 & 15;
-                            bits = SHOW_UBITS(re, gb, nnz) << (32-nnz);
+                            bits = nnz ? GET_CACHE(re, gb) : 0;
                            LAST_SKIP_BITS(re, gb, nnz);
                            cf = VMUL4S(cf, vq, cb_idx, bits, sf + idx);
                        } while (len -= 4);
@@ -1171,7 +1171,7 @@ static int decode_spectrum_and_dequant(AACContext *ac, float coef[1024],
                            GET_VLC(code, re, gb, vlc_tab, 8, 2);
                            cb_idx = cb_vector_idx[code];
                            nnz = cb_idx >> 8 & 15;
-                            sign = SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12);
+                            sign = nnz ? SHOW_UBITS(re, gb, nnz) << (cb_idx >> 12) : 0;
                            LAST_SKIP_BITS(re, gb, nnz);
                            cf = VMUL2S(cf, vq, cb_idx, sign, sf + idx);
                        } while (len -= 2);

--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@@ -459,7 +459,7 @@ static int read_dcs(AVCodecContext *avctx, GetBitContext *gb, Bundle *b,
 {
    int i, j, len, len2, bsize, sign, v, v2;
    int16_t *dst     = (int16_t*)b->cur_dec;
-    int16_t *dst_end =( int16_t*)b->data_end;
+    int16_t *dst_end = (int16_t*)b->data_end;
    CHECK_READ_VAL(gb, b, len);
    v = get_bits(gb, start_bits - has_sign);

--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -909,7 +909,8 @@ static void qmf_32_subbands(DCAContext * s, int chans,
    for (subindex = 0; subindex < 8; subindex++) {
        /* Load in one sample from each subband and clear inactive subbands */
        for (i = 0; i < sb_act; i++){
-            uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ ((i-1)&2)<<30;
+            unsigned sign = (i - 1) & 2;
+            uint32_t v = AV_RN32A(&samples_in[i][subindex]) ^ sign << 30;
            AV_WN32A(&s->raXin[i], v);
        }

--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1016,7 +1016,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s,
    /* intra / predictive decision */
    pix = c->src[0][0];
    sum = s->dsp.pix_sum(pix, s->linesize);
-    varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)(sum*sum))>>8) + 500;
+    varc = s->dsp.pix_norm1(pix, s->linesize) - (((unsigned)sum*sum)>>8) + 500;
    pic->mb_mean[s->mb_stride * mb_y + mb_x] = (sum+128)>>8;
    pic->mb_var [s->mb_stride * mb_y + mb_x] = (varc+128)>>8;
@@ -1178,7 +1178,7 @@ void ff_estimate_p_frame_motion(MpegEncContext * s,
        if((c->avctx->mb_cmp&0xFF)==FF_CMP_SSE){
            intra_score= varc - 500;
        }else{
-            int mean= (sum+128)>>8;
+            unsigned mean = (sum+128)>>8;
            mean*= 0x01010101;
            for(i=0; i<16; i++){

--- a/libavcodec/put_bits.h
+++ b/libavcodec/put_bits.h
@@ -78,6 +78,7 @@ static inline int put_bits_count(PutBitContext *s)
 static inline void flush_put_bits(PutBitContext *s)
 {
 #ifndef BITSTREAM_WRITER_LE
+    if (s->bit_left < 32)
        s->bit_buf<<= s->bit_left;
 #endif
    while (s->bit_left < 32) {

--- a/libavcodec/vp8.c
+++ b/libavcodec/vp8.c
@@ -919,7 +919,8 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb,
                   int mb_x, int mb_y)
 {
    AVCodecContext *avctx = s->avctx;
-    int x, y, mode, nnz, tr;
+    int x, y, mode, nnz;
+    uint32_t tr;
    // for the first row, we need to run xchg_mb_border to init the top edge to 127
    // otherwise, skip it if we aren't going to deblock
@@ -948,7 +949,7 @@ void intra_predict(VP8Context *s, uint8_t *dst[3], VP8Macroblock *mb,
        // from the top macroblock
        if (!(!mb_y && avctx->flags & CODEC_FLAG_EMU_EDGE) &&
            mb_x == s->mb_width-1) {
-            tr = tr_right[-1]*0x01010101;
+            tr = tr_right[-1]*0x01010101u;
            tr_right = (uint8_t *)&tr;
        }

--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2435,10 +2435,10 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
        }
        {
            int64_t last = st->info->last_dts;
-            int64_t duration= pkt->dts - last;
-            if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && duration>0){
+            if(pkt->dts != AV_NOPTS_VALUE && last != AV_NOPTS_VALUE && pkt->dts > last){
                double dts= pkt->dts * av_q2d(st->time_base);
+                int64_t duration= pkt->dts - last;
 //                if(st->codec->codec_type == AVMEDIA_TYPE_VIDEO)
 //                    av_log(NULL, AV_LOG_ERROR, "%f\n", dur);