[FFmpeg-cvslog] New commits on branch release/4.3

Git System git at videolan.org
Sat Feb 27 08:58:01 EET 2021


URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbb9368226d693c99d9b0aee672c59ed1a36785b
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Nov 26 22:16:13 2020 +0100

    avcodec/mxpegdec: Fix memleaks upon init failure
    
    Reviewed-by: Anton Khirnov <anton at khirnov.net>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9de6688cc4216381e155a5b3f7d88c26806db93d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eda1ed6f914a762a30e13e538f380355e8b7337a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Nov 26 21:54:54 2020 +0100

    avcodec/mjpegdec: Fix memleak upon init failure
    
    This affected all decoders that used ff_mjpeg_decode_init() as init
    function; and it also affected decoders that open jpeg decoders via
    ff_codec_open2_recursive() as well as MxPEG.
    
    Reviewed-by: Anton Khirnov <anton at khirnov.net>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f3e645a7967d64df8a19c4e0eea93f17937913fb)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4ec5d6896d2396f6a9f3dd558e393eeacc22dd6f
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Wed Aug 26 10:11:38 2020 +0200

    avfilter/af_headphone: Fix stack buffer overflow
    
    The number of channels can be up to 64, not only 16.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 58b6594b01e37ebf3daa2cb66183287a1f1b0a78)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d5992cc1556380852e406f566f56dc250a993123
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 24 06:34:17 2020 +0200

    avfilter/af_headphone: Don't overrun array
    
    The headphone filter stores the channel position of the ith HRIR stream
    in the ith element of an array of 64 elements; but because there is no
    check for duplicate channels, it is easy to write beyond the end of the
    array by simply repeating channels.
    
    This commit adds a check for duplicate channels to rule this out.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 14226be499d27935d54981f0a6e1b15fd65746cd)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d82a7c813a14d741f4164b689111e80dde3bad6
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 28 10:56:20 2020 +0200

    avfilter/af_headphone: Fix segfault when using very short streams
    
    When the headphone filter does its processing in the time domain,
    the lengths of the buffers involved are determined by three parameters,
    only two of which are relevant here: ir_len and air_len. The former is
    the length (in samples) of the longest HRIR input stream and the latter
    is the smallest power-of-two bigger than ir_len.
    
    Using optimized functions to calculate the convolution places
    restrictions on the alignment of the length of the vectors whose scalar
    product is calculated. Therefore said length, namely ir_len, is aligned
    on 32; but the number of elements of the buffers used is given by air_len
    and for ir_len < 16 a buffer overflow happens.
    
    This commit fixes this by ensuring that air_len is always >= 32 if
    processing happens in the time domain.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 7b74e02ef2d0099a2e1f1d1cefc1fce2e041f618)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=66e8328d049a60b1adb78f315ecd002f42954e1d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 28 10:37:46 2020 +0200

    avfilter/af_headphone: Check for the existence of samples
    
    Not providing any samples makes no sense at all. And if no samples
    were provided for one of the HRIR streams, one would either run into
    an av_assert1 in ff_inlink_consume_samples() or into a segfault in
    take_samples() in avfilter.c.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit dfd46e2d160afcb7e453d0e2394a6978cb447712)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33f78e278b22c32c3e214a09b0b9da49adf5ee63
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 28 14:22:43 2020 +0200

    avfilter/af_headphone: Remove always true check
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 709fca0a9415ea97cd1d49d67298b8c8728a7aec)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e212f0c00077dae75d662caa296b94df96e6e2c4
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 24 06:08:56 2020 +0200

    avfilter/af_headphone: Don't use uninitialized buffer in log message
    
    This buffer was supposed to be initialized by sscanf(input, "%7[A-Z]%n",
    buf, &len), yet if the first input character is not in the A-Z range,
    buf is not touched (in particular it needn't be zero-terminated if the
    failure happened when parsing the first channel and it still contains
    the last channel name if the failure happened when one channel name
    could be successfully parsed). This is treated as error in which case
    buf is used directly in the log message. This commit fixes this by
    actually using the string that could not be matched in the log message
    instead.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e2d4a5807fa5914185dc6f3ae0a4d63cd8fe3b29)
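
The two af_headphone parsing fixes above (duplicate channels, uninitialized buf in the log message), shown together as an added example; this is not FFmpeg code. The '|' separator, the function names and the error texts are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 64   /* size of the array named in the commit message */

/* Parse one channel name of 1..7 capital letters at *arg.
 * Returns 0 and advances *arg on success. On failure returns -1 and
 * builds the diagnostic from the unmatched input, never from buf. */
static int parse_channel_name(const char **arg, char name[8],
                              char *err, size_t err_size)
{
    char buf[8];   /* intentionally uninitialized, as in the described bug */
    int len = 0;

    /* %n is not counted as a conversion, so success is exactly 1. A result
     * of 0 (no match) or EOF (empty input) leaves buf untouched. */
    if (sscanf(*arg, "%7[A-Z]%n", buf, &len) != 1) {
        snprintf(err, err_size, "Failed to parse '%s' as channel name.", *arg);
        return -1;
    }
    memcpy(name, buf, (size_t)len + 1);   /* len <= 7 and buf is terminated */
    *arg += len;
    return 0;
}

/* Parse a '|'-separated list into names[], one slot per stream.
 * Returns the number of channels, or -1 with a message in err. */
static int parse_channel_list(const char *list, char names[MAX_CHANNELS][8],
                              char *err, size_t err_size)
{
    int count = 0;

    err[0] = '\0';
    for (;;) {
        char name[8];

        if (parse_channel_name(&list, name, err, err_size) < 0)
            return -1;
        /* Reject repeats: without this check a list that repeats one
         * channel could grow past the end of the array. */
        for (int i = 0; i < count; i++) {
            if (!strcmp(names[i], name)) {
                snprintf(err, err_size, "Duplicate channel '%s'.", name);
                return -1;
            }
        }
        /* This toy accepts arbitrary names, so it needs an explicit bound. */
        if (count == MAX_CHANNELS) {
            snprintf(err, err_size, "More than %d channels.", MAX_CHANNELS);
            return -1;
        }
        strcpy(names[count++], name);
        if (*list == '\0')
            return count;
        if (*list != '|') {
            snprintf(err, err_size, "Unexpected input '%s'.", list);
            return -1;
        }
        list++;
    }
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "FL|FR|LFE", "FL|fr|FC", "FL|FR|FL", "" };
    char names[MAX_CHANNELS][8], err[128];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int n = parse_channel_list(samples[i], names, err, sizeof(err));
        if (n < 0)
            printf("'%s': %s\n", samples[i], err);
        else
            printf("'%s': %d channels\n", samples[i], n);
    }
    return 0;
}
```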

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=262162883a0c5b17050489381f8a6de7d9eeae66
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 6 11:24:22 2020 +0200

    avformat/segment: Fix error messages
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 1d090dfa911914933a852106234a3ecbfa1dc9ba)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c7718c1de83fb38d24d87ffe9e47fad639d2f3a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 5 23:36:03 2020 +0200

    avformat/segment: Free SegmentListEntries in deinit, not write_trailer
    
    This fixes leaks when the trailer is never written.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 848f96a2a6f1f60c8e0539a421d08ce8b4f24139)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b8ad98791c2941a76254423b8b664852191b227
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 6 00:29:33 2020 +0200

    avformat/segment: Fix leak and invalid free of AVIOContext
    
    seg_init() and seg_write_header() currently contain a few error paths
    in which an already opened AVIOContext for the child muxer leaks (namely
    if there are unrecognized options for the child muxer or if writing the
    header of the child muxer fails); the reason for this is that this
    AVIOContext is not closed in the deinit function. If all goes well, it
    is closed when writing the trailer. From this it also follows that the
    AVIOContext also leaks when the trailer is never written, even when
    writing the header succeeds.
    
    But simply freeing said AVIOContext in the deinit function is
    complicated by the fact that the AVIOContext may or may not have been
    opened via the io_open callback: If options are set to discard header
    and trailer, said AVIOContext can also be a null context which must not
    be closed via the io_close callback. This may lead to crashes, as
    io_close may presume the AVIOContext's opaque to be set. It currently
    works with the default io_close callback which simply calls avio_close(),
    because avio_close() doesn't care about opaque being NULL since commit
    6e8e8431e15a58aa44cfdd8c11f9ea096837c0fa. Therefore this commit records
    which of the two kinds of AVIOContext is currently in use to use the
    right way to close it.
    
    Finally there was one instance (namely if initializing the child muxer
    fails with no unrecognized options) where the AVIOContext was always
    closed via the io_close callback. The above remark applies to this; it
    has been fixed, too.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 30de02998df3b253dce68904cfdd50cdfe6fb3ed)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=021e1aa6b84f0c81fa0aadbdffde3f6655a676eb
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 5 21:22:21 2020 +0200

    avformat/segment: Fix leak of string on error
    
    A string containing the segment's filename that the segment muxer
    allocates got only freed in its write_trailer function. This implies
    that it leaks if write_trailer is never called, e.g. if initializing
    the child muxer fails. This commit fixes this by freeing the string
    in the deinit function instead.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3152a2a218578ad3c024dcd7d4ced06b396d30e1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2c8f99deb8c23ece3b821ef3a3ec29cade99d1ce
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 5 18:12:27 2020 +0200

    avformat/segment: Fix segfault when error happens and segment list is output
    
    The segment muxer has an option to output a file containing a list of
    the segments written. The AVIOContext used for writing this file is
    opened via the main AVFormatContext's io_open callback; seg_free()
    meanwhile unconditionally closes this AVIOContext by calling
    ff_format_io_close() with the child muxer (the one for the actual output
    format) as AVFormatContext.
    
    The problem hereby is that the child AVFormatContext need not exist,
    even when the AVIOContext does. This leads to a segfault in
    ff_format_io_close() when the child muxer's io_close callback is called.
    
    Situations in which the AVFormatContext can be NULL range from an
    invalid reference stream parameter to an unavailable/bogus/unsupported
    output format to inability to allocate the AVFormatContext.
    
    The solution is to simply close the AVIOContext with the AVFormatContext
    that was used to open it: The main AVFormatContext.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 936d967871562e36e307126b59e4e6bbb3a3bab7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=08cd00a86faa2407957cf5cb31edee48fcf6c40d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 6 12:34:58 2020 +0200

    avformat/segment: Fix segfault on allocation error, avoid allocation
    
    If the user has set none of the options specifying the segments'
    durations, a default value of 2s is used by duplicating a "2" string and
    using av_parse_time() on it. Yet duplicating the string was unchecked
    and if the allocation failed, one would get a segfault in
    av_parse_time().
    
    This commit solves this by turning said option into an option of type
    AV_OPT_TYPE_DURATION (which also uses av_parse_time() internally),
    avoiding duplicating the string altogether.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 06f99cc4ddbb16f8fd9ae3d72835d542be3dbab2)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b8c6b2666f30855d82c1d368138628c140f804a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 5 19:36:31 2020 +0200

    avformat/segment: Fix leak of duration/framenumber lists upon error
    
    The code to free them is not in the segment muxer's deinit function,
    but in its write_trailer function which means that these lists leak if
    write_trailer isn't called after their allocation. This happens e.g. if
    the given lists are invalid (e.g. consisting only of ',' (which delimit
    entries)), so that parsing them fails and so does the muxer's init
    function; write_trailer is then never called.
    
    This has been fixed by moving the code to free them to the deinit
    function.
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4b836c86132feb67ca10e383988884dd67bcd19a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a00952ea198685641254aee499055ec5044e0f79
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 6 13:24:03 2020 +0200

    avformat/segment: Don't overwrite AVCodecParameters after init
    
    The segment muxer copies the user-provided AVCodecParameters to the
    newly created child streams in its init function before initializing the
    child muxer; and since commit 8e6478b723affe4d44f94d34b98e0c47f6a0b411,
    it does this again before calling avformat_write_header() if that is
    called from seg_write_header(). The reason for this is complicated:
    
    At that time writing the header was delayed, i.e. it was not triggered
    by avformat_write_header() (unless the AVFMT_FLAG_AUTO_BSF was unset),
    but instead by writing the very first packet. The rationale behind this
    was to allow to run bitstream filters on the packets in the interleavement
    queue in order to generate missing extradata from them before the muxer's
    write_header function is actually called.
    
    The segment muxer went even further: It initialized the child muxer and
    ran the child muxer's check_bitstream functions on the packets in its
    own muxing queue and stole any bitstream filters that got inserted. The
    reason for this is that the segment muxer has an option to write the
    header to a separate file and for this it is needed to write the child
    muxer's header without delay, but with correct extradata. Unsetting
    AVFMT_FLAG_AUTO_BSF for the child muxer accomplished the first goal and
    stealing the bitstream filters the second; and in order for the child
    muxer to actually use the updated extradata, the old AVCodecParameters
    (set before avformat_init_output()) were overwritten with the new ones.
    
    Updating the extradata proceeded as follows: The bitstream filter itself
    simply updated the AVBSFContext's par_out when processing a packet, in
    violation of the new BSF API (where par_out may only be set in the init
    function); the muxing code then simply forwarded the updated extradata,
    overwriting the par_in of the next BSF in the BSF chain with the fresh
    par_out of the last one and the AVStream's par with the par_out of the
    last BSF. This was an API violation, too, of course, but it made
    remuxing ADTS AAC into mp4/matroska work.
    
    But this no longer serves a useful purpose since the aac_adtstoasc BSF
    was updated to propagate new extradata via packet side data in commit
    f63c3516577d605e51cf16358cbdfa0bc97565d8; the next commit then removed
    the code in mux.c passing new extradata along the filter chain. This
    alone justifies removing the code for setting the AVCodecParameters a
    second time.
    
    But there is even another reason to do so: It is harmful. The ogg muxer
    parses the extradata of Theora and Vorbis in its init function and keeps
    pointers to parts of it. Said pointers become dangling when the
    extradata is overwritten by the segment muxer, leading to
    use-after-frees as has happened in ticket #8881 which this commit fixes.
    
    Ticket #8517 is about another issue caused by this: Immediately after
    having overwritten the old AVCodecParameters the segment muxer checks
    whether the codec_tag is ok (the codec_tag is set generically when
    initializing the child muxer based upon muxer-specific lists). The check
    used is: If the child output format has such a list and if the codec tag
    of the non-child stream does not match the codec id given the list of
    codec tags and if there is a match for the codec id in the codec tag
    list, then set the codec tag to zero (and not to the existing match),
    otherwise set the codec tag of the child stream to the codec tag
    of the corresponding stream of the main AVFormatContext (which is btw
    redundant given that the child AVCodecParameters have just been
    overwritten with the AVCodecParameters of the corresponding stream of
    the main AVFormatContext).
    
    Reviewed-by: Ridley Combs <rcombs at rcombs.me>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 92c8b79b5acc06ec608b4c5a2b1ff428dfa1a810)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69286f8cf93aeaa57f9dab2f1e3b797d73a0975a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Oct 8 15:40:02 2020 +0200

    avformat/dashdec: Reset pointer to NULL after freeing it
    
    This is currently safe here, because the effective lifetime of
    adaptionset_lang is parse_manifest_adaptationset() (i.e. the pointer
    gets overwritten each time on entry to the function and gets freed
    before exiting the function), but it is nevertheless safer to reset the
    pointer.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 616eb93a404c088635be74498ddb04072dfe1b90)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9e950320e73a3ac649e1f025a1c28e57b7ca145b
Author: Christopher Degawa <ccom at randomderp.com>
Date:   Thu Oct 8 12:45:21 2020 +0000

    libavformat/dashdec: Fix issue with dash on Windows
    
    Use xmlFree instead of av_freep
    
    snip from libxml2:
    
     * xmlGetProp:
    ...
     * Returns the attribute value or NULL if not found.
     *     It's up to the caller to free the memory with xmlFree().
    
    According to libxml2, you are supposed to use xmlFree instead of free
    on the pointer returned by it, and also using av_freep on Windows will
    call _aligned_free instead of normal free, causing _aligned_free to raise
    SIGTRAP and crashing ffmpeg and ffplay.
    
    Signed-off-by: Christopher Degawa <ccom at randomderp.com>
    (cherry picked from commit 0117d5aa03aca0158ee54b806d420fb1a974b788)
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3ee6b2a3e04624fcec0f230d4a429ff6cf0ea54
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 18:14:47 2020 +0200

    avformat/dashdec: Fix memleak on allocation error, avoid allocation
    
    get_content_url() allocates two buffers for temporary strings and when
    one of them couldn't be allocated, it simply returns, although one of
    the two allocations could have succeeded and would leak in this
    scenario. This can be fixed by avoiding one of the temporary buffers.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0f9ade1ff395cfaf51f9a7ecc1ed725339aa1426)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c13a44dd40f17264ac498d17cc15f237785ba20
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 08:52:41 2020 +0200

    avformat/dashdec: Fix memleaks on error to add representation to dynarray
    
    Up until now, the DASH demuxer used av_dynarray_add() to add
    audio/video/subtitles representations to arrays. Yet av_dynarray_add()
    frees the array upon failure, leading to leaks of its elements;
    furthermore, the element to be added leaks, too.
    
    This has been fixed by using av_dynarray_add_nofree() instead and by
    freeing the elements that could not be added to the list. Furthermore,
    errors from this are now checked and returned.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d63f8c873bd65f4dfab852069fb5faf07cffe6aa)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92898d7536b64d9e09da9a71d3322b65b5b04ef9
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 07:01:30 2020 +0200

    avformat/dashdec: Fix leak of representation languages
    
    These languages are normally freed after having been added as metadata
    to their respective AVStreams. Yet if one never reaches said point, they
    leak. This can happen as a result of an error when reading the header or
    as a result of refreshing the manifests.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f1c3c173c9408085d7b26f3bdd264b426bca314a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee0bf1d5f8794423dc3086c39b7e22ded65d5f31
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 06:32:42 2020 +0200

    avformat/dashdec: Fix leak of string on error when parsing representation
    
    The DASH demuxer currently extracts several strings at once from an xml
    document before processing them one by one; these strings are allocated,
    stored in local variables and need to be freed by the demuxer itself.
    So if an error happens when processing one of them, all strings need to
    be freed before returning. This has simply not been done, leading to
    leaks.
    
    A simple fix would be to add the necessary code for freeing; yet there is
    a better solution: Avoid having several strings at the same time by
    extracting a string, processing it and immediately freeing it. That way
    one only has to free at most one string on error.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e7aea1fe7304352c4b5359159700ab4957b10449)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74b97ea6034c75044c43b065df1fc07e5b2e4b84
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 04:28:47 2020 +0200

    avformat/dashdec: Fix leak of representation on error
    
    If parsing a representation fails, it is not added to the list of
    representations and is therefore not freed in dash_close(); it therefore
    leaked in most error paths in parse_manifest_representation() (some
    error paths had (incomplete) code for freeing). This commit fixes
    freeing the representation in this case.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5c91701dc7f46975f9fb714d30c70a81dc0ce90a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=06d5472b3c5f226530a0d8377496e1e4838a8413
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 20:06:23 2020 +0200

    avformat/dashdec: Remove unused index of representation
    
    It is always zero. Also remove other unused elements.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5d63f154efb0a59b614dc8fff049086f9355a358)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a42f19e2118d4e8df421595f0c67ef48b96f13f5
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 03:18:30 2020 +0200

    avformat/dashdec: Fix memleaks upon read_header failure
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 06e31f953ec6e4332f65e9ece72cc02166636095)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ef338de23c33f0f72143032af80d30014ef3e4ab
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 13:14:12 2020 +0200

    avformat/dashdec: Check allocation of AVProgram
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit aed96e13c1dafd44a6995f23fadd9f64e90547d4)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d23b9dd9cf4179f774e25a7da8171cdada59a36a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 20:49:02 2020 +0200

    avformat/dashdec, hls: Update correct pointer to AVDictionary
    
    open_url() in the DASH as well as in the hls demuxer share a common bug:
    They modify an AVDictionary (i.e. set a new entry) given to them as
    AVDictionary *, yet if this new entry leads to reallocation and
    relocation of the AVDictionary, the caller's pointer will become
    dangling, leading to use-after-frees. So pass an AVDictionary **.
    
    (With the current implementation of AVDictionary the above can only
    happen if the AVDictionary was empty initially (in which case the
    new AVDictionary leaks); furthermore if the I/O is ordinary (i.e. opened
    by avio_open2() or ffio_open_whitelist()), the dict is never empty (it
    contains an rw_timeout entry from save_avio_options()). So this issue
    could only happen if the caller sets a nondefault io_open callback, but
    no AVIOContext (the AVFMT_FLAG_CUSTOM_IO flag won't be set in this
    case). In case of the HLS demuxer, it was also necessary that setting
    the "seekable" entry failed. Yet one should simply not rely on internals
    of the AVDict API.)
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ac2852d7958622322c69d68212d96fe41a595001)
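
The pointer-versus-pointer-to-pointer problem described above, as an added example that is not FFmpeg code. Dict, dict_set() and the open_url_* functions are hypothetical stand-ins; the toy dictionary moves on every insert to make the effect visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for AVDictionary (not FFmpeg code): an empty dictionary is a
 * NULL handle, and every insert moves the dictionary to a new block. */
typedef struct Dict {
    int  count;
    char key[8][32];
    char val[8][32];
} Dict;

static int live_dicts;   /* number of dictionaries currently allocated */

static int dict_set(Dict **pd, const char *key, const char *val)
{
    Dict *old = *pd, *d;

    if (old && old->count == 8)
        return -1;
    d = calloc(1, sizeof(*d));
    if (!d)
        return -1;
    if (old) {
        *d = *old;
        free(old);        /* any other copy of the old handle now dangles */
    } else {
        live_dicts++;
    }
    snprintf(d->key[d->count], sizeof(d->key[0]), "%s", key);
    snprintf(d->val[d->count], sizeof(d->val[0]), "%s", val);
    d->count++;
    *pd = d;
    return 0;
}

static const char *dict_get(const Dict *d, const char *key)
{
    for (int i = 0; d && i < d->count; i++)
        if (!strcmp(d->key[i], key))
            return d->val[i];
    return NULL;
}

static void dict_free(Dict **pd)
{
    if (*pd) {
        free(*pd);
        live_dicts--;
    }
    *pd = NULL;
}

/* Pattern from the commit message: the handle is passed by value, so only
 * the callee's copy is updated. The new dictionary is deliberately leaked
 * here to reproduce the described behaviour. */
static int open_url_by_value(Dict *opts)
{
    return dict_set(&opts, "seekable", "0");
}

/* Corrected pattern: the caller's handle is updated in place. */
static int open_url_by_ref(Dict **opts)
{
    return dict_set(opts, "seekable", "0");
}

/* Empty dictionary, by value: the caller never sees the new entry. */
static int caller_sees_entry_by_value(void)
{
    Dict *opts = NULL;

    open_url_by_value(opts);
    return dict_get(opts, "seekable") != NULL;
}

/* Non-empty dictionary, by reference: the handle moves, the caller follows. */
static int caller_sees_entry_by_ref(void)
{
    Dict *opts = NULL;
    int ok;

    dict_set(&opts, "rw_timeout", "5000000");   /* constructed value */
    ok = open_url_by_ref(&opts) == 0 &&
         dict_get(opts, "rw_timeout") && dict_get(opts, "seekable");
    dict_free(&opts);
    return ok;
}

int main(void)
{
    printf("by value: entry visible=%d, leaked dicts=%d\n",
           caller_sees_entry_by_value(), live_dicts);
    printf("by ref:   entry visible=%d\n", caller_sees_entry_by_ref());
    return 0;
}
```

Calling open_url_by_value() on a non-empty Dict is left out on purpose: in this toy it would free the caller's block and leave the caller's handle dangling.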

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ad4fc4369aba5da6bd5c690210842000770caa2
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 20:36:25 2020 +0200

    avformat/dashdec: Fix leak of AVDictionary on error
    
    Just postpone the allocation of the dict until it is really needed
    (after the checks that can fail).
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4b8fdf70a87b9d3d60f4c78bd9a5c294f524032c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=52d18d7e885bc0a745ef4ea894535574c8f817bf
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 02:37:05 2020 +0200

    avformat/dashdec: Free subtitle representations on exit
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit eb344862e4a5493900d2120952f95fb26805350c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c182a2ba403f979fd7c33cc1b097fcc5c9f45e01
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 19:25:22 2020 +0200

    avformat/dashdec: Free strings as soon as they aren't needed anymore
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 7369e952676595b1ccf1e707e741f6c1f05481aa)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b9fd0dd20cb7385b56d5d7d6cde9d44017bb380
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 19 01:04:32 2020 +0200

    avformat/dashdec: Don't overwrite and leak old initialization fragments
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 17963a6ad7e41312312b32a4ce590abb9805f799)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6b7172bcd43ee5d1e5acd8fd24e73201744a9340
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 20:32:51 2020 +0200

    avformat/dashdec: Don't leave representation in inconsistent state on error
    
    This currently doesn't cause any trouble, because the only caller did
    not clean up the representation upon error at all; but fixing this is
    a prerequisite for doing so.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 01a4c3596942dad396834fea155173590687c59d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ec9fc351e667b108b5b5bafab04152b4a47638c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Sep 18 23:50:53 2020 +0200

    avformat/dashdec: Remove dead code
    
    The code in question seems to have been copied from about 70 lines
    above; yet the code here is only executed if some of the variables
    (namely representation_segmenttemplate_node and fragment_template_node)
    are NULL, so it makes no sense to check them for a child element.
    
    Also remove a redundant resetting of a pointer to an AVFormatContext
    after avformat_close_input() (which already sets the pointer to NULL).
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 248ef276beb8222bc2610484b830420e1a306d8b)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c0aa40d3344670a65f159121afbac01ae4ebe92f
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Feb 22 09:10:40 2021 +0100

    avformat/spdifenc: Fix leak upon error
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e38cbb8d19e21af9ea3f947e64bee1d4d362e492)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=de2229421ee8a79b7514e12ad66a0744f323b121
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Feb 22 08:31:50 2021 +0100

    avformat/wavenc: Fix leak and segfault on reallocation error
    
    Up until now, the wav muxer used a reallocation of the form ptr =
    av_realloc(ptr, size); that leaks upon error. Furthermore, if a
    failed reallocation happened when writing the trailer, a segfault
    would occur due to avio_write(NULL, size) because the muxer only
    prints an error message upon allocation error, but does not return
    the error.
    
    Moreover setting the pointer to the buffer to NULL on error seems to
    be done on purpose in order to record that an error has occurred so that
    outputting the peak values is no longer attempted. This behaviour has
    been retained by simply disabling whether peak data should be written
    if an error occurs.
    
    Finally, the reallocation is now done once per peak block and not once
    per peak block per channel; it is also done with av_fast_realloc and not
    with a linear size increase.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 19ae873252c35a78b9bc1918f2878f47a1f4dc2d)
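
Added illustration, not part of the commit above and not FFmpeg code: the "ptr = realloc(ptr, size)" pattern the wavenc message describes, next to a form that keeps the old block and propagates the error. The allocator wrapper, struct and function names are assumptions made up for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed test allocator: counts live blocks and can be told to fail once. */
static int live_blocks;
static int fail_next;

static void *test_realloc(void *ptr, size_t size)
{
    void *p;
    if (fail_next) {
        fail_next = 0;
        return NULL;                /* like realloc(): the old block stays allocated */
    }
    p = realloc(ptr, size);
    if (p && !ptr)
        live_blocks++;
    return p;
}

static void test_free(void *ptr)
{
    if (ptr) {
        free(ptr);
        live_blocks--;
    }
}

/* Hypothetical muxer state; field names are assumptions for this sketch. */
struct peak_state {
    unsigned char *buf;
    size_t size;
    int write_peak;                 /* whether peak data is still to be written */
};

/* Before: the result overwrites the only pointer and the error is swallowed. */
static int grow_leaky(struct peak_state *s, size_t new_size)
{
    s->buf = test_realloc(s->buf, new_size);
    if (!s->buf)
        return 0;                   /* old block is now unreachable; size is stale */
    s->size = new_size;
    return 0;
}

/* After: keep the old pointer, disable peak output, return the error. */
static int grow_safe(struct peak_state *s, size_t new_size)
{
    unsigned char *tmp = test_realloc(s->buf, new_size);
    if (!tmp) {
        s->write_peak = 0;          /* nothing will try to write the buffer later */
        return -1;
    }
    s->buf = tmp;
    s->size = new_size;
    return 0;
}

/* One successful grow, one failing grow, then cleanup.
 * Returns the number of blocks still live after cleanup (the leak).
 * *null_with_size is 1 if a later write would get (NULL, nonzero size). */
static int run_scenario(int (*grow)(struct peak_state *, size_t),
                        int *ret, int *null_with_size)
{
    struct peak_state s = { NULL, 0, 1 };
    unsigned char *first;
    int leaked;

    live_blocks = 0;
    fail_next = 0;
    grow(&s, 16);
    first = s.buf;                  /* shadow copy, only so the demo can tidy up */
    fail_next = 1;
    *ret = grow(&s, 32);
    *null_with_size = s.write_peak && !s.buf && s.size > 0;
    test_free(s.buf);               /* the cleanup a muxer would normally do */
    leaked = live_blocks;
    if (leaked)
        test_free(first);           /* demo housekeeping, not available to real code */
    return leaked;
}

int main(void)
{
    int ret, nws, leaked;

    leaked = run_scenario(grow_leaky, &ret, &nws);
    printf("leaky: ret=%d leaked=%d null_with_size=%d\n", ret, leaked, nws);
    leaked = run_scenario(grow_safe, &ret, &nws);
    printf("safe:  ret=%d leaked=%d null_with_size=%d\n", ret, leaked, nws);
    return 0;
}
```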

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=99812e2355deac2a84025503a6429da449b7b204
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Feb 15 03:44:52 2021 +0100

    avformat/mpegenc: Avoid adding invalid packet to queue
    
    Do this by moving the check before the allocation.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4294f64d578e14b3f65a6a2cd064461cb74bb122)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d711b5698544a6a23f185c085621b8f7fe99800a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Feb 15 03:41:20 2021 +0100

    avformat/mpegenc: Fix leak in case trailer is never written
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 54987a37daccbeec28d3f2ec58ff4d5656acd9b1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0685bd0245a9682adee9c7c162e3c32f2ddf44cb
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Feb 15 03:26:04 2021 +0100

    avformat/mpegenc: Ensure packet queue stays valid
    
    The MPEG-PS muxer uses a custom queue of custom packets. To keep track
    of it, it has a pointer (named predecode_packet) to the head of the
    queue and a pointer to where the next packet is to be added (it points
    to the next-pointer of the last element of the queue); furthermore,
    there is also a pointer that points into the queue (called premux_packet).
    
    The exact behaviour was as follows: If premux_packet was NULL when a
    packet is received, it is taken to mean that the old queue is empty and
    a new queue is started. premux_packet will point to the head of said
    queue and the next_packet-pointer points to its next pointer. If
    predecode_packet is NULL, it will also be made to point to the newly
    allocated element.
    
    But if premux_packet is NULL and predecode_packet is not, then there
    will be two queues with head elements premux_packet and
    predecode_packet. Yet only elements reachable from predecode_packet are
    ever freed, so the premux_packet queue leaks.
    Worse yet, when the predecode_packet queue will be eventually exhausted,
    predecode_packet will be made to point into the other queue and when
    predecode_packet will be freed, the next pointer of the preceding
    element of the queue will still point to the element just freed. This
    element might very well be still reachable from premux_packet which
    leads to use-after-frees later on. This happened in the tickets mentioned
    below.
    
    Fix this by never creating two queues in the first place by checking for
    predecode_packet to know whether the queue is empty. If premux_packet is
    NULL, then it is set to the newly allocated element of the queue.
    
    Fixes tickets #6887, #8188 and #8266.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit cfce16449cb815132f829d5a07beb138dfb2cba6)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3865b1952e5cf993b016d83ba78fe1deb63bbfad
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Feb 28 04:48:22 2020 +0100

    avformat/mxfenc: Never set codec_ul UID to NULL
    
    mxf distinguishes codec profiles by different UIDs and therefore needs
    to check that the input is actually compatible with mxf (i.e. if there
    is a defined UID for it). If not, then sometimes the UID would be set to
    NULL and writing the (video) packet would fail. Yet the following audio
    packet would trigger writing the header (which has been postponed because
    the UID is not known at the start) and if the UID is NULL, this can lead
    to segfaults. This commit therefore stops setting the UID to NULL if the
    input is incompatible with mxf (it has initially been set to a generic
    value in mxf_write_header()).
    
    Fixes #7993.
    
    Reviewed-by: Tomas Härdin <tjoppen at acc.umu.se>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5400e4a50c61e53e1bc50b3e77201649bbe9c510)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ab290e20a55eead17d6fd21c031028f101c9662
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Feb 7 10:58:25 2021 +0100

    avcodec/frame_thread_encoder: Fix segfault on allocation error
    
    Fixes a segfault from av_fifo_size(NULL) that happens in
    ff_frame_thread_encoder_free if the fifo couldn't be allocated;
    furthermore the mutexes and conditions that are destroyed in
    ff_frame_thread_encoder_free are not even initialized at this point,
    so don't call said function.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2ccbc40eefd22a6aac1e543ea849951e159f4d8a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=515aa63e4dd76a96022df04b07823b568c5fef65
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Feb 14 23:55:39 2021 +0100

    avformat/utils: Add av_assert1 to preclude NULL + len, len != 0
    
    Such a scenario is undefined behaviour and would also indicate a bug
    in our code.
    
    Suggested-by: James Almer <jamrial at gmail.com>
    Reviewed-by: James Almer <jamrial at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit da857099e92fb7fede6d7b9e6b26879ce9c5a483)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e8771e99e0c5572b92dccc0a6a034ab121d96cd
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Feb 14 22:24:46 2021 +0100

    avformat/utils: Fix undefined NULL + 0
    
    This is undefined behaviour in C, so use data = len ? data + len : data
    instead of data += len. GCC optimizes the branch away in this case;
    Clang unfortunately doesn't.
    
    Fixes ticket #8592.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9c0b3eddf4262f9dcea479091f1307444e614e88)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a86fd1c7d58369d56a016c313b2472a2920795a2
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Feb 5 12:23:49 2021 +0100

    avcodec/g722enc: Validate parameters before using them
    
    In case trellis is outside of 0..23, an invalid shift and/or a signed
    integer overflow happens; furthermore, it can lead to the request to
    allocate nonsense amounts of memory. So validate first.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8d21eccd267acfcde3d35bbbf6621d6c3282e1ea)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a8bd30a48ed90bc5fae279f794c1b674f61183f4
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 17:21:12 2020 +0200

    avcodec/g722enc: Cleanup generically on init failure
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 23daf8e67fd842a70b783105025ddb483c036472)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45d9887751b16e7ae5367ec4835e4ba8d1f02e48
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Dec 28 17:52:12 2020 +0100

    avcodec/opusdec: Return error upon error
    
    The Opus decoder forgot to return an error when allocating an
    SwrContext fails.
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Reviewed-by: Lynne <dev at lynne.ee>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 794fb18369be7dae9f9844c83040bb06611ff890)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d3a064251c6d1d8e9491e916c8cbac1c16ddb2f
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Nov 23 04:09:56 2020 +0100

    avcodec/wavpack: Fix leak on init failure
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit fd5d66af744462a97237fa0474e77924c71729ec)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=92d0a598ad8d86b1daf2cf57cb2d2f8456cc96cd
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Nov 28 23:23:22 2020 +0100

    avcodec/pthread_slice: Don't use static variable, fix race
    
    ff_slice_thread_init() uses a static variable to hold a function
    pointer, although the value of said pointer needn't be saved between
    different runs of this function at all.
    
    The reason for this being so is probably that said pointer points to
    a static function (if used); but storage class specifiers like "static"
    are not part of the type of an object and so including it in the pointer
    declaration is wrong (anyway, "static" means different things in both
    contexts: for the function declaration it affects linkage, for the
    variable storage duration).
    
    Using a static variable here can lead to races, e.g. when initializing
    VP9 (for which said function pointer was added) and H.264 with slice
    threading. The latter has the FF_CODEC_CAP_INIT_THREADSAFE flag set and
    is therefore unaffected by the lock guarding initializations of
    decoders.
    
    Reviewed-by: Anton Khirnov <anton at khirnov.net>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0639f5c294c70c55f4da75ce2ca5bf6c5a809248)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=85e0f7d5003e9707855ccb7a315aadc255ac8ed8
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Nov 26 13:48:09 2020 +0100

    avcodec/a64multienc: Fix memleak upon init failure
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5baee59301bdf7f6dbf80ceaf5d5b38c9b385571)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e30b61c261dedf318a2e68c9268409fb94362e36
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Nov 20 17:36:39 2020 +0100

    avformat/flacenc: Fix memleak when writing attached pictures fails
    
    The FLAC muxer currently stores an attached picture corresponding to an
    AVStream in AVStream.priv_data. The AVPacket contained therein is
    unreferenced after it has been written. The AVPacket structure itself is
    then freed generically as AVStream.priv_data.
    
    And this can lead to memleaks if an attached picture is not written:
    It might be because the trailer is never written or because writing
    a previous attached picture failed in case error_recognition is set
    to explode.
    
    Therefore free the packets properly (i.e. with av_packet_free())
    in the muxer's deinit function.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 029cf6a91ceb849f31f575111070a113c53b29ee)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb5c81f3737d430b534c963985959196643a6993
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Nov 24 13:29:29 2020 +0100

    avcodec/mpeg12enc: Always initialize MPEG-2 intra VLC table lengths
    
    The MPEG-1/2 encoders initialize several tables once during the first
    time one of the encoders is initialized; the table for MPEG-2 intra VLC
    lengths is only initialized if it is used for this encoder instance.
    This implies that if the first MPEG-1/2 encoder to be initialized does
    not use it, it will never be initialized even if a later encoder
    instance makes use of them. Fix this by initializing this table
    unconditionally.
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ef3c1670d488d1cffc98115a5e67b07ee921e47d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7d4a08f0d4563f3d411eb4fd692625d03b37e19
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Wed Nov 18 21:38:45 2020 +0100

    avcodec/fft_template, fft_init_table: Make ff_fft_init() thread-safe
    
    Commit 1af615683e4a1a858407afbaa2fd686842da7e49 put initializing
    the ff_fft_offsets_lut (which is typically used if FFT_FIXED_32)
    behind an ff_thread_once() to make ff_fft_init() thread-safe; yet
    there is a second place where said table may be initialized which
    is not guarded by this AVOnce: ff_fft_init_mips(). MIPS uses this LUT
    even for ordinary floating point FFTs, so that ff_fft_init() is not
    thread-safe (on MIPS) for both 32bit fixed-point as well as
    floating-point FFTs; e.g. ff_mdct_init() inherits this flaw and
    therefore initializing e.g. the AAC decoders is not thread-safe (on
    MIPS) despite them having FF_CODEC_CAP_INIT_CLEANUP set.
    
    This commit fixes this by moving the AVOnce to fft_init_table.c and
    using it to guard all initializations of ff_fft_offsets_lut.
    
    (It is not that bad in practice, because every entry of
    ff_fft_offsets_lut is never read during initialization and is only once
    ever written to (namely to its final value); but even these are
    conflicting actions which are (by definition) data races and lead to
    undefined behaviour.)
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit b9c1ab89078d862e0146c9d7ed277addd770e3a3)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9475175ec0da425955e0ada4c8d43453215f6c8b
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Nov 12 16:13:48 2020 +0100

    avformat/asfdec_o: Don't segfault with lots of attached pics
    
    The ASF file format has a limit of 127 streams and the "asf_o" demuxer
    (the ASF demuxer from Libav) has an array of pointers for a structure
    called ASFStream that is allocated on demand for every stream. Attached
    pictures are not streams in the sense of the ASF specification, yet the
    demuxer created an ASFStream for them; and in one codepath it also
    forgot to check whether the array of ASFStreams is already full. The
    result is a write beyond the end of the array and a segfault later on.
    
    Fixing this is easy: Don't create ASFStreams for attached picture
    streams.
    
    (Other results of the current state of affairs are unnecessary allocations
    (of ASFStreams structures), the misparsing of valid files (there might not
    be enough ASFStreams left for the valid streams if attached pictures take
    up too many); furthermore, the ASFStreams created for attached pictures all
    have the stream number 0, an invalid stream number (the valid range is
    1-127). This means that invalid data (packets for a stream with stream
    number 0) won't get rejected later on.)
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e83f27a21a6d2f602b55e541ef66e365400e9827)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2eb76188d03767eb782918fcd6c93a82429ddad0
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Nov 3 23:43:01 2020 +0100

    avcodec/mss4: Fix memleaks upon allocation error
    
    During init the mts2 decoder allocates several VLCs and then several
    buffers in a loop; if one of the latter allocations fails, only the VLCs
    are freed, not any buffers that might already have been successfully
    allocated. This commit fixes this by setting the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4b4c7d6e1a700ef6b784b2f0b093e200ed049c20)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25a5fddbb7f892b1c1af2c025945d7a858fc36fa
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Jan 12 17:36:05 2020 +0100

    avformat/apngdec: Fix size/overflow checks
    
    apng data consists of parts containing a small header (including a
    four-byte size field) and a data part; the size field does not account
    for everything and is actually twelve bytes short of the actual size. In
    order to make sure that the size fits into an int, the size field is
    checked for being > INT_MAX; yet this does not account for the + 12 and
    upon conversion to int (which happens when calling append_extradata()),
    the size parameter can still wrap around. In this case the currently
    used check would lead to undefined signed integer overflow.
    
    Furthermore, append_extradata() appends the new data to the already
    existing extradata and therefore needs to make sure that the combined
    size of new and old data as well as padding fits into an int. The check
    used for this is "if (old_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE -
    new_size)". If new_size is > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE
    the right side becomes negative if the types are signed (as they are
    now); yet changing this to "if (new_size > INT_MAX -
    AV_INPUT_BUFFER_PADDING_SIZE - old_size)" is better as this also works
    for unsigned types (where it is of course presumed that INT_MAX is
    replaced by the corresponding maximum for the new type).
    
    Both of these issues have been fixed.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9c341c6c92a0fc9c5bbecbd12e8bdd904678e4d5)
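
Added illustration, not part of the commit above and not FFmpeg code: the two size checks the apngdec message discusses, written with unsigned 32-bit types so the wraparound is well-defined and can be compared against 64-bit ground truth. PADDING stands in for AV_INPUT_BUFFER_PADDING_SIZE (its value here is an assumption) and all function names are made up for this sketch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define PADDING        64u  /* assumption: stand-in for AV_INPUT_BUFFER_PADDING_SIZE */
#define CHUNK_OVERHEAD 12u  /* the size field is twelve bytes short of the real size */

/* Ground truth: does the real part length (size field + 12) fit into an int? */
static int chunk_fits_int(uint32_t size_field)
{
    return (int64_t)size_field + CHUNK_OVERHEAD <= INT_MAX;
}

/* Weak check: only the raw size field is compared against INT_MAX. */
static int weak_accepts_chunk(uint32_t size_field)
{
    return size_field <= (uint32_t)INT_MAX;
}

/* Strict check: leave room for the twelve bytes the field does not count. */
static int strict_accepts_chunk(uint32_t size_field)
{
    return size_field <= (uint32_t)INT_MAX - CHUNK_OVERHEAD;
}

/* Ground truth for appending: old data + new data + padding in 64 bits. */
static int append_overflows(uint32_t old_size, uint32_t new_size)
{
    return (uint64_t)old_size + new_size + PADDING > UINT32_MAX;
}

/* Operand order quoted first in the message: the subtraction wraps for
 * unsigned types once new_size exceeds UINT32_MAX - PADDING. */
static int append_rejects_old_order(uint32_t old_size, uint32_t new_size)
{
    return old_size > (uint32_t)(UINT32_MAX - PADDING - new_size);
}

/* Reordered check: old_size already satisfies old_size <= UINT32_MAX - PADDING
 * (it describes an existing padded buffer), so this subtraction cannot wrap. */
static int append_rejects_new_order(uint32_t old_size, uint32_t new_size)
{
    return new_size > (uint32_t)(UINT32_MAX - PADDING - old_size);
}

int main(void)
{
    /* Constructed inputs chosen to sit just past each limit. */
    uint32_t field = (uint32_t)INT_MAX - 5;
    uint32_t old_size = 100, new_size = UINT32_MAX - 10;

    printf("size field %u: fits=%d weak=%d strict=%d\n", (unsigned)field,
           chunk_fits_int(field), weak_accepts_chunk(field),
           strict_accepts_chunk(field));
    printf("append %u + %u: overflows=%d old_order_rejects=%d new_order_rejects=%d\n",
           (unsigned)old_size, (unsigned)new_size,
           append_overflows(old_size, new_size),
           append_rejects_old_order(old_size, new_size),
           append_rejects_new_order(old_size, new_size));
    return 0;
}
```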

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8372a3b4b1d1bd77a008d92d83a8fbd53e736231
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Dec 10 11:47:57 2019 +0100

    avformat/apngdec: Return error for incomplete header
    
    If avio_read() could read anything, it returns the number of bytes read,
    even if it could not read as much as the caller desired.
    apng_read_header() only checked the return value of its avio_read() calls
    for being negative and this meant that it was possible for an incomplete
    header to not be detected. The return value of the last successful call
    has been returned instead. This commit changes this.
    
    Fixes: OOM
    Fixes: 26608/clusterfuzz-testcase-minimized-ffmpeg_dem_APNG_fuzzer-4839491644424192
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2cf1eefae5dba7a7259156f9ff5c62f4e4e2fe0d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7ad5dbb5e29085cdd7c38daeaf2507ee09f6b76
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Oct 29 13:36:22 2020 +0100

    avformat/jacosubdec: Fix unintended fallthrough
    
    Regression since 715ff75e5dbbbefff7337351db596a9b7a5d4379.
    
    Fixes Coverity issues #1468654 and #1468656.
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 11ea0ed20e11dd1b19af6e23eceabce7ec76f70d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=943ce3a75684bb32b706a5832635892bc7d9ac9e
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Oct 26 00:05:26 2020 +0100

    avcodec/bitstream: Consistently treat symbol as VLC_TYPE
    
    If a static VLC table gets initialized a second time (or concurrently by
    two threads) and if said VLC table uses symbols that have the sign bit
    of VLC_TYPE (a typedef for int16_t) set, initializing the VLC fails. The
    reason is that the type of the symbol in the temporary array is an
    uint16_t and so comparing it to the symbol read from the VLC table will
    fail, because only the lower 16bits coincide. Said failure triggers an
    assert.
    
    Reviewed-by: Lynne <dev at lynne.ee>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit df6ec7f83b4fb65d760259e01182dc28b6cf3f2f)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=da5ac1563e60b370b881291c5bde11d02c995b70
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Oct 19 20:59:58 2020 +0200

    avcodec/vp3: Check allocations of VLCs
    
    It would lead to crashes later on if they failed.
    
    Reviewed-by: Peter Ross <pross at xvid.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 786b1b0c44d3e5d71c3e69a3fe260baa95172e02)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e5a97e3932b519e9003b206ecd0bbfde3e61411
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Oct 19 20:23:54 2020 +0200

    avcodec/vp3: Fix memleak upon init failure
    
    Up until now, there was no cleanup in case initializing the Theora VLC
    tables failed, leading to memleaks. This commit gets rid of them by
    setting the FF_CODEC_CAP_INIT_CLEANUP flag for all decoders in vp3.c;
    this also allows to remove some (now redundant) cleanup code.
    
    Reviewed-by: Peter Ross <pross at xvid.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a01ca21bbbd41ad86ca58f2c7575c92a36a4b722)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78ac14f280f9bf71c824ef11c40f0a0f3c877b4c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 05:00:13 2020 +0200

    avcodec/movtextenc: Fix undefined left shifts outside the range of int
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2f9fc35028364b0140fd6e0d2e4dbaffebed1acd)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=915e68c051952f4bc18b8d0fa35a7870cb3dd803
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 03:35:08 2020 +0200

    avcodec/movtextenc: Fix memleak on (re)allocation error
    
    Up until now, the mov_text encoder used the dynamic array API for its
    list of style attributes; it used the (horrible) av_dynarray_add() which
    works with an array of pointers; on error it frees its array but not
    the buffers referenced by the pointers said array contains. It also
    returns no error code, encouraging not to check for errors.
    
    These properties imply that this function may only be used if the buffers
    referenced by the list either need not be freed at all or if they are
    freed by other means (i.e. if the list contains non-ownership pointers).
    
    In this case, the style attributes are owned by the pointers of the
    dynamic list. Ergo the old style attributes leak on a subsequent
    reallocation failure. But given that the (re)allocation isn't checked
    for success, the style attribute intended to be added to the list also
    leaks because the only pointer to it gets overwritten in the belief that
    it is now owned by the list.
    
    This commit fixes this by switching to av_fast_realloc() and an array
    containing the styles directly instead of pointers to individually
    allocated style attributes. The current style attributes are now no longer
    individually allocated, instead they are part of the context.
    
    Furthermore, av_fast_realloc() allows to easily distinguish between
    valid and allocated elements, thereby allowing to reuse the array
    (which up until now has always been freed after processing an
    AVSubtitleRect).
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9a731e9fec53f121e0fd5981f22c9c5093db0793)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f70a8ae192999c751a75e634fca027af3cb4955
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Oct 16 16:33:23 2020 +0200

    avcodec/movtextenc: Don't presume every style to have a font
    
    Fixes segfaults in the absence of fonts; this can happen because the
    file didn't contain any or because the allocation of the font-string
    failed.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0dd7b8232d38317abc195edc48434ac1fd3e80fd)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4d7dba3ce72344e8f2c6ea3293249df6127de00
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Oct 16 13:47:56 2020 +0200

    avcodec/movtextenc: Reset array counter after freeing array
    
    Otherwise the mov_text encoder can segfault when given subtitles with more
    than one AVSubtitleRect if one of the first nb_rects - 1 rects contained
    a style attribute.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8d4431955ccca80933a837e1bc7f44679039335b)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb8d18a39bee5dba0137c22f1f1fcec2254c4bc7
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Oct 15 14:12:21 2020 +0200

    avcodec/movtextenc: Fix potential use of uninitialized value
    
    Background colour was never initialized if no style was available.
    Use a sane default of zero (i.e. completely transparent).
    
    Fixes Coverity issue #1461471.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 56b3726ed2ac89df31a939a8f5f00fa66a0ad2ed)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1eb8f6885eb858a444164bbf97db3ff5401e6a86
Author: Andriy Gelman <andriy.gelman at gmail.com>
Date:   Wed Oct 14 00:38:22 2020 -0400

    avcodec/movtextenc: fix writing to bytestream on BE arches
    
    Fixes fate-binsub-movtextenc on PPC64
    
    Currently tags are written in reverse order on BE arches. This is fixed
    by using MKBETAG() and AV_RB32() to be arch agnostic.
    
    Also s->font_count is of type int. On BE arches with 32bit int,
    count = AV_RB16(&s->font_count) will read two most significant bytes
    instead of the least significant bytes. This is fixed by assigning
    s->font_count to count first.
    
    The final change is modifying the type of len. On BE arches
    the most significant byte of the int was written instead of the least
    significant byte.
    
    Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
    (cherry picked from commit d4c46dc32856bd9c7c7ab29ee727676c7855fa1c)
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=51faa4bd60f0a548c6a4613bf30d645b8ff55e7c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 15:18:00 2020 +0200

    avcodec/movtextdec: Fix leaks on (re)allocation failure
    
    Up until now, the 3GPP Timed Text decoder used av_dynarray_add()
    for a list of style entries. Said entries are individually allocated
    and owned by the pointers in the dynamic array and are therefore
    unsuitable for av_dynarray_add() which simply frees the array,
    but not the entries on error. In this case the intended new entry
    also leaks because it has been forgotten to free it.
    
    This commit fixes this. It is now allocated in one go and not
    reallocated multiple times (and it won't be overallocated any more).
    After all, the final number of elements (pending errors) is already
    known in advance.
    
    Furthermore, the style entries are now the entries of the new array,
    i.e. they are no longer allocated separately. This also removes one
    level of indirection.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 94ad68ee17420996c9b003f142717d82b52c0915)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b4a96efdda22e3f0e0e4f1e3fcfe556d3b4639fb
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 13:13:23 2020 +0200

    avcodec/movtextdec: Simplify checking for invalid extradata
    
    Every font entry occupies at least three bytes, so checking early
    whether there is that much data available is a low-effort way to exclude
    invalid extradata. Doing so leads to an overall simplification.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a42695c07244991ceabf9996d086dda3fcc28fc1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59b8634411ba2a6c7700968b3af5b400b14f0f41
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 12:32:54 2020 +0200

    avcodec/movtextdec: Fix leaks of strings upon reallocation failure
    
    Up until now, the 3GPP Timed Text decoder used av_dynarray_add()
    for a list of font entries, a structure which contains an allocated
    string. The font entries are owned by the pointers in the dynamic array
    and are therefore unsuitable for av_dynarray_add() which simply frees
    the array, but not the font entries and of course not the strings. The
    latter all leak if reallocating the dynamic array fails.
    
    This commit fixes this. It stops reallocating the array altogether:
    After all, the final number of elements (pending errors) is already
    known in advance.
    
    Furthermore, the font entries are now the entries of the new array,
    i.e. the font entries are no longer allocated separately. This also
    removes one level of indirection.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 38cdd27e9b36183a74c19859a8092aca6e82d712)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e49daad795832b23325e9294f9444928a5b5cb3
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 17 10:15:29 2020 +0200

    avcodec/movtextdec: Reset counter of fonts when freeing them
    
    If allocating fonts fails when reading the header, all fonts are freed,
    yet the counter of fonts is not reset and no error is returned; when
    subtitles are decoded later on, the inexistent list of fonts is searched
    for the matching font for this particular entry which of course leads to
    a segfault.
    
    Reviewed-by: Philip Langdale <philipl at overt.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5758620560f1aa329a26ca1585dc0dbd903522c4)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9c6feb104d61c550fc77e8866705bdffc8de8736
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Oct 10 20:11:49 2020 +0200

    avcodec/sheervideo: Don't leave context in inconsistent state upon error
    
    This has happened if the format changed midstream and if the new packet
    is so small that it is instantaneously rejected: In this case the VLC
    tables were for the new format, although the context says that they are
    still the ones for the old format. It can also happen if the format
    changed midstream and the allocation of the new tables fails. If the
    next packet is a packet for the old format, the decoder thinks it
    already has the correct VLC tables, leading to a segfault.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8969b9aa061790a5e87694aab17741cc7647d099)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a7d3dc5b0407401993aa9a5a40f55903a121d450
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Oct 6 14:52:11 2020 +0200

    avfilter/vf_minterpolate: Fix left shift of negative value
    
    This has happened when initializing the motion estimation context if
    width or height of the video was smaller than the block size used
    for motion estimation and if the motion interpolation mode indicates
    not to use motion estimation.
    
    The solution is of course to only initialize the motion estimation
    context if the interpolation mode uses motion estimation.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit aa262dcce850e7d0361bb6c78d833f7249543712)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8b7f2f0ec50fd7faa60ae927e81c608d4c9f6223
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Oct 6 14:35:25 2020 +0200

    avfilter/vf_minterpolate: Reject too small dimensions
    
    The latter code relies upon the dimensions to be not too small;
    otherwise one will call av_clip() with min > max later on which aborts
    in case ASSERT_LEVEL is >= 2 or one will get a nonsense result that may
    lead to a heap-buffer-overflow/underflow. The latter has happened in
    ticket #8248 which this commit fixes.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit bb13cdbe279d92f595243a9b3e2b91fb48cf146c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcf3ac039bcb98a3ab07e80c7ed3a4d41196ebc0
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 28 18:36:06 2020 +0200

    avformat/movenc: Don't forget to free fragment buffers
    
    The buffers used when fragmented output is enabled have up until now not
    been freed in the deinit function; they leak e.g. if one errors out of
    mov_write_trailer() before one reaches the point where they are normally
    written out and freed. This can e.g. happen if allocating new vos_data
    fails at the beginning of mov_write_trailer().
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e3b5316bede3cf735f66a0a1b83ca833693ffce7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fc8dc35896420385e265de676ea01ed1950d8bd
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 28 18:05:44 2020 +0200

    avformat/movenc: Free old vos_data before overwriting it
    
    Otherwise the old data leaks whenever extradata needs to be rewritten
    (e.g. when encoding FLAC with our encoder that sends an updated
    extradata packet at the end).
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 432f291dffb0079bf447b1cdb8802a022298510f)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc4e3b9586a28b4ef41c7e9de3d029fd2f200d45
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 29 10:21:34 2020 +0200

    avformat/movenc: Fix segfault when remuxing rtp hint stream
    
    When remuxing an rtp hint stream (or any stream with the tag "rtp "),
    the mov muxer treats this as one of the rtp hint tracks it creates
    internally when ordered to do so; yet this track lacks the
    AVFormatContext for the hinting rtp muxer, leading to segfaults in
    mov_write_udta_sdp() if a "trak" atom is written for this stream; if not,
    the stream's codecpar is freed by mov_free() as if the mov muxer owned
    it (it does for the internally created "rtp " tracks), but without
    resetting st->codecpar, leading to double-frees later on. This commit
    therefore ignores said tag which makes rtp hint streams unremuxable.
    
    This fixes tickets #8181 and #8186.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 22c3cd176079dd104ec7610ead697235b04396f1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f9c5f242f5169a59cb735598b6fb1365099c45c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 29 14:58:24 2020 +0200

    avcodec/dvenc: Fix undefined left shift of negative numbers
    
    The earlier code was based on the assumption that AVFrame.linesize can
    not be negative.
    
    Fixes ticket #8280.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 6770057ac97e78c799f06eb3769fecdb0833d44f)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0608949fa2fb5b16e09d6c50d77ccea3c6cd56e4
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Wed Sep 30 14:36:23 2020 +0200

    avformat/movenc: Fix stack overflow when remuxing timecode tracks
    
    There are two possible kinds of timecode tracks (with tag "tmcd") in the
    mov muxer: Tracks created internally by the muxer and timecode tracks
    sent by the user. If any of the latter exists, the former are
    deactivated. The former all belong to another track, the source
    track; the latter don't have a source track set, but the index of the
    source track is initially zeroed by av_mallocz_array(). This is a
    problem since 3d894db700cc1e360a7a75ab9ac8bf67ac6670a3: Said commit added
    a function that calculates the duration of tracks and the duration of
    timecode tracks is calculated by rescaling the duration (calculated by
    the very same function) of the source track. This gives an infinite
    recursion if the first track (the one that will be treated as source
    track for all timecode tracks) is a timecode track itself, leading to a
    stack overflow.
    
    This commit fixes this by not using the nonexistent source track
    when calculating the duration of timecode tracks not created internally
    by the mov muxer.
    
    Reviewed-by: Martin Storsjö <martin at martin.st>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 22a2386a561ccbaabbbfd5cf7f89b2cbbade71b0)
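
The recursion described in the movenc timecode commit message above, as an added example that is not FFmpeg's code: the `Track` struct, the `internal` flag and both duration functions are hypothetical, and the depth guard in the "before" version exists only so the demonstration terminates instead of exhausting the stack.

```c
#include <stdint.h>
#include <stdio.h>

enum { TAG_VIDEO, TAG_TMCD };

typedef struct Track {
    int     tag;
    int     src_track;  /* stays 0 after a zeroing allocation if never set */
    int     internal;   /* hypothetical flag: 1 only for muxer-created tmcd tracks */
    int64_t duration;   /* the track's own duration, in its own timescale */
    int     timescale;
} Track;

#define MAX_DEPTH     64
#define ERR_RECURSION (-1)

/* Before: every tmcd track defers to tracks[src_track]. A user-supplied tmcd
 * track at index 0 has src_track == 0 and therefore refers to itself. */
int64_t duration_naive(const Track *t, int idx, int depth)
{
    const Track *trk = &t[idx];

    if (depth > MAX_DEPTH)
        return ERR_RECURSION;          /* stands in for the stack overflow */
    if (trk->tag == TAG_TMCD) {
        int64_t d = duration_naive(t, trk->src_track, depth + 1);
        if (d < 0)
            return d;
        return d * trk->timescale / t[trk->src_track].timescale;
    }
    return trk->duration;
}

/* After: only internally created tmcd tracks have a meaningful source track;
 * a user-supplied tmcd track reports its own duration. */
int64_t duration_fixed(const Track *t, int idx)
{
    const Track *trk = &t[idx];

    if (trk->tag == TAG_TMCD && trk->internal) {
        const Track *src = &t[trk->src_track];
        return duration_fixed(t, trk->src_track) * trk->timescale / src->timescale;
    }
    return trk->duration;
}

/* Constructed sample: a user-supplied tmcd track is the first track. */
static const Track remux_case[] = {
    { TAG_TMCD,  0, 0,    250,    25 },
    { TAG_VIDEO, 0, 0, 900000, 90000 },
};

/* Constructed sample: the muxer created the tmcd track for video track 0. */
static const Track internal_case[] = {
    { TAG_VIDEO, 0, 0, 900000, 90000 },
    { TAG_TMCD,  0, 1,      0,    25 },
};

int main(void)
{
    printf("remux, naive:    %lld\n", (long long)duration_naive(remux_case, 0, 0));
    printf("remux, fixed:    %lld\n", (long long)duration_fixed(remux_case, 0));
    printf("internal, fixed: %lld\n", (long long)duration_fixed(internal_case, 1));
    return 0;
}
```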

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=211f23d7897c48bb954e40134a6d6c3ac477b198
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 26 11:18:13 2020 +0200

    avcodec/utils: Also free encoder extradata on avcodec_open2() error
    
    It is owned by libavcodec for encoders.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit b8e0ceda11f7a12d763c6a744943347fc808b8b7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39d6d7f7e882f385d5b6e0dfe1acf9447ec467f1
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 24 23:54:17 2020 +0200

    avcodec/utils: Don't forget cleaning up when allocating priv_data fails
    
    Allocating an AVCodecContext's priv_data used to be the first object
    allocated in avcodec_open2(), so it was unnecessary to goto free_and_end
    (which does the cleanup) upon error here. But this is no longer so since
    f3a29b750a5979ae6847879fba758faf1fae88d0.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d1dcc20126f3df52762bf5972a282d1699ef1ca8)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fe22f2a0d76301de4567cdbade66c1992a57509
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 24 23:41:24 2020 +0200

    avcodec/utils: Improve check for freeing codec private options
    
    Don't check for AVCodec.priv_data_size (which is always true if
    AVCodec.priv_class is set). Instead check for AVCodecContext.priv_data
    to actually exist.
    
    (Note: av_opt_free(NULL) is a no-op.)
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit c6e54d14c55221b7380a0e86d7a42b60ff9e5eeb)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f895e984b9238727bd442c7c3bba97b0268d2ca
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 29 16:06:31 2020 +0200

    swresample/audioconvert: Fix left shift of negative value
    
    Fixes ticket #8219.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9d8f9b2e4094ae6b07a9f23ae044b802722b3b4e)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=62dc4c2df500e1564a88f75bd402e09e5c205817
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 24 23:05:29 2020 +0200

    avcodec/utils: Only call codec->close if init has been called
    
    avcodec_open2() also called the AVCodec's close function if an error
    happened before init had ever been called if the AVCodec has the
    FF_CODEC_CAP_INIT_CLEANUP flag set. This is against the documentation of
    said flag: "The codec allows calling the close function for deallocation
    even if the init function returned a failure."
    
    E.g. the SVQ3 decoder is not ready to be closed if init has never been
    called.
    
    Fixes: NULL dereference
    Fixes: 25762/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5716279070294016
    
    Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5bc74d06dad35d00b5925b1c76208aeaf40a2dbb)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89231df48903d6aad6b5c4776f8fc0dbbf2119e8
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 28 16:00:56 2020 +0200

    avformat/movenc: Fix segfault upon allocation error
    
    Reviewed-by: Jan Ekström <jeebjp at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4106013523f46824d32fd5b469ea264fbdfdb591)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9637dc8ebdb95f1d5cc1507b84e5f8fbba4e5dcf
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 20 12:28:03 2020 +0200

    avformat/swfdec: Reorder allocations/initializations
    
    The earlier code would first attempt to allocate two buffers, then
    attempt to allocate an AVIOContext, using one of the new buffers as I/O
    buffer, then check the allocations. On success, a z_stream that is used
    in the AVIOContext's read_packet callback is initialized afterwards.
    
    There are two problems with this: In case the allocation of the I/O
    buffer fails avio_alloc_context() will be given a NULL read buffer
    with a size > 0. This works right now, but it is fragile. The second
    problem is that the z_stream used in the read_packet callback is not
    functional when avio_alloc_context() is allocated (it might be that
    avio_alloc_context() might already fill the buffer in the future). This
    commit fixes both of these problems by reordering the operations.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3f04c3037223f5e5417a14674103f3eeabb4887c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5db6f6672f12c5e367e5b5cdf7f3107088f0e216
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 20 12:07:19 2020 +0200

    avformat/swfdec: Fix memleaks on error
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 28dc0c20cc51346ba7891a324b35e0ef6295c9dd)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=753c0afe72a7ba634d5d58e5add67fbda1fbb427
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 7 18:41:51 2020 +0200

    avformat/dashdec: Avoid double free on error
    
    When using one of the AV_DICT_DONT_STRDUP_KEY/VAL flags, av_dict_set()
    already frees the key/value on error, so that freeing it again would
    lead to a double free.
    
    Reviewed-by: Steven Liu <lq at chinaffmpeg.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e09e2c6442924bfa1fb5efc419bc27fc6ef8a532)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e7e2e1bd3cedc85decb7a1c2c1bb5e56d7d65cc
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 20 16:16:51 2020 +0200

    avformat/tedcaptionsdec: Fix leak of AVBPrint upon error
    
    The tedcaptions demuxer uses an AVBPrint whose string is not restricted
    to its internal buffer; it therefore needs to be cleaned up, yet this is
    not done on error, as parse_file() simply returned directly.
    This is fixed by going to fail first in such cases.
    Furthermore, there is also a second way how this string can leak: By
    having more than one subtitle per subtitle block, as the new one simply
    overwrites the old one in this case as the AVBPrint is initialized each
    time upon encountering a subtitle line. The code has been modified to
    simply append the new subtitle to the old one, so that the old one can't
    leak any more.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 9f7e592df27bd96bdffae173e3462d0438aea120)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffb0cad8f9d6ca00cc0959555e4f5879bbc1d241
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 20 08:05:58 2020 +0200

    avformat/swfenc: Fix memleak upon write_header error
    
    The SWF muxer accepts at most one mp3 audio and at most one VP6F, FLV1
    or MJPEG stream. Upon encountering an mp3 stream, a fifo is allocated
    that leaks if one of the subsequent streams is incompliant with the
    restrictions mentioned above or if the framerate or samplerate are
    invalid. This is fixed by adding a deinit function to free said fifo.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d554aabdaf81fc3ea99783aca42649b43013e796)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d91ddd2dff1eae935f958135bf3658e7c56e341
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Jul 20 22:44:42 2020 +0200

    avformat/rmdec: Fix potential crash on allocation failure
    
    The RealMedia demuxer uses the priv_data of its streams to store a
    structure containing an AVPacket. These packets are unreferenced in the
    read_close function, yet said function simply presumed that the
    priv_data has been successfully allocated. This implies that it mustn't
    be called when an allocation of priv_data fails; but this can happen
    since commit 35bbc1955a58ba74552c50d9161084644f00bbd3 if one has a
    stream with multiple substreams (also exported as AVStream) and if
    allocating the priv_data for one of these substreams fails.
    
    This has been fixed by making sure that read_close can handle the case
    in which priv_data has not been successfully allocated.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5aafdb4e5fe3ca8a0d8b16498caf5899a8d68e2c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b4ff1a19a1d7118d95612ef2950de712ce4ba0d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Jul 20 21:14:15 2020 +0200

    avformat/rmdec: Actually return value < 0 on read_header failure
    
    The RealMedia demuxer's read_header function initially initializes ret,
    the variable designated for the return variable, to -1. Afterwards, chunks
    of the file are parsed in a loop until an error happens or until the actual
    frame data is encountered. If the first function whose return
    value is put into ret doesn't fail, then ret contains a value >= 0
    (actually == 0) and this is what will be returned if an error is
    encountered afterwards.
    
    This is a regression since 35bbc1955a58ba74552c50d9161084644f00bbd3.
    Before that, ret had never been overwritten with a nonnegative value.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4cc43d30c387fda30e34b7075670dfb28e868acb)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=287a06cb1b194ddcf4d7d4484b6fc3fbb108801b
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Aug 18 23:21:31 2020 +0200

    avformat/avidec: Fix memleak when error happens after creating DV stream
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ea45d6e61a8562fa8094499d2b052ba2e3ce8f6b)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cb08668ff906859ffc7f5082a8a710d851961366
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 15 07:13:46 2020 +0200

    avcodec/mpegaudiodec_template: Check return value of subdecoder
    
    After all, allocating an AVFloatDSPContext might have failed.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit dac9e88a99ea34c2f812b8f7b6781a84ac86360a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c937f21e26072e870d20b4ddfa30fee96c7d1138
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 15 01:29:58 2020 +0200

    avcodec/j2kenc: Fix leaks on init failure
    
    The JPEG2000 encoder did not clean up after itself on error.
    This commit fixes this by modifying the cleanup function to be able to
    handle only partially allocated structures and by setting the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3d83de4187e9bb07af2ea8a0ec071094fca7a500)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f8747758bbcde83005dbc3021cd057fa7e2e568e
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 16:56:13 2020 +0200

    avcodec/flashsv2enc: Check allocations for success before usage
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 319dbcf4402978f7a493b81d0f61be7a46ddbeba)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=140d871e0873c538b41a29be81b9400dc71f231c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 16:28:32 2020 +0200

    avcodec/flashsvenc: Avoid allocation of buffer, fix memleak
    
    Up until now, the flashsv encoder tried to allocate two buffers in its
    init function; if only one of these allocations succeeds, the other
    buffer leaks. Fix this by making one of these buffers part of the
    context (its size is a compile-time constant).
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ec6f4c51586cc213d16749f930970ba8afd0e38a)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5000bae8305950f0412df240fb17f1f48c8f7590
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 02:59:51 2020 +0200

    avcodec/ac3enc_template: Don't free uninitialized pointers on error
    
    The ac3 encoders (fixed- and floating-point AC-3 as well as the EAC-3
    encoder) all allocate an array whose elements are pointers to other
    buffers. The array is not zeroed initially so that if an allocation of
    one of the subbuffers fails, the other pointers are uninitialized.
    This causes problems when cleaning, so zero the array initially.
    
    (Only the fixed-point AC-3 encoder was affected by this, because
    the other two don't clean up at all in case of errors during init.)
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ae36fad624307dcd1bbe0c954a017293a1ce34d3)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7cfa8e1910d708d81b808dfe54c76e7b39523253
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 13 02:25:16 2020 +0200

    avcodec/svq3: Fix segfault on allocation error, avoid allocations
    
    The very first thing the SVQ3 decoder currently does is allocating several
    SVQ3Frames, a structure which contains members that need to be freed on
    their own. If one of these allocations fails, the decoder calls its own
    close function to not leak the already allocated SVQ3Frames. Yet said
    function presumes that the SVQ3Frames have been successfully allocated
    as there is no check before freeing the members that need to be freed.
    
    This commit fixes this by making these frames part of the SVQ3Context,
    thereby avoiding the allocations altogether. Notice that the pointers
    to the frames have been retained in order to allow to just swap them as
    the code already does.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 96061c5a4f690c3ab49e4458701bb013fd3dd57f)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2e05113b927f09c3fa872028b6a588ac040c39d6
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 13 01:10:40 2020 +0200

    avcodec/sonic: Fix leaks upon allocation errors
    
    The Sonic decoder and encoders allocate several buffers in their init
    function and return immediately if one of these allocations fails; this
    will lead to leaks if there was an earlier successful allocation. Fix
    this by setting the FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 7d91f9271ee336da93b6871bf3306348ac1595a7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0dd79193a773d867b624095d555ebf01c2529ebe
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Sep 12 23:52:36 2020 +0200

    avcodec/qtrleenc: Fix memleak upon allocation failure
    
    The qtrle encoder allocates several buffers and an AVFrame in its init
    function. If one of these allocations fails, but others succeed, the
    successfully allocated objects leak. This is fixed by setting the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2a71cbeb019fabd70f04ca9d2ec5d0bff3b3e3d2)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce629ee2164ce316feb1ceb96868fa447d42ce88
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 05:30:15 2020 +0200

    avcodec/ffv1enc: Fix memleaks on init failure
    
    The FFV1 encoder has so far not cleaned up after itself in this case;
    but it can be done easily by setting the FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f9215d0bb20242299f3654fd4646511665b20c4c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5e95dc426e94a1161b2cf66031b5ef24a6f27ff9
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 04:58:34 2020 +0200

    avcodec/ffv1: Fix segfaults on allocation error
    
    When allocating FFV1 slice contexts fails, ff_ffv1_init_slice_contexts()
    frees everything that it has allocated, yet it does not reset the
    counter for the number of allocated slice contexts. This inconsistent
    state leads to segfaults later on in ff_ffv1_close(), because said
    function presumes that the slice contexts have been allocated.
    Fix this by making sure that the number of slice contexts on error is
    consistent (namely zero).
    
    (This issue only affected the FFV1 decoder, because the encoder does not
    clean up after itself on init failure.)
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a0750f412ade5a969b1f90e038d707d531c97342)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e7780f16153051f9b169e8bdd6f0696ca03e5f34
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 15 02:35:27 2020 +0200

    avcodec/mlpenc: Fix memleak upon init failure
    
    If an error happens during init after an allocation has succeeded,
    the already allocated data leaked up until now. Fix this by setting the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit b78031cf1670c176e97f62ad6a4865d3a44c1507)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7b10d643a06178e160212ca9369abd0810392683
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 20:59:12 2020 +0200

    avcodec/indeo5: Fix memleaks upon allocation error
    
    ff_ivi_init_planes() might error out after having allocated some arrays.
    Set the FF_CODEC_CAP_INIT_CLEANUP flag in order to free these arrays in
    this case.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d8fc69bd6a20394adf42406bf80bd06b4c8d7384)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=83cd7a29dccc37de4fe290b61300172d47a207d4
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 20:32:33 2020 +0200

    avcodec/ivi: Fix segfault on allocation error
    
    If allocating the tiles array for indeo 4/5 fails, the context is in an
    inconsistent state, because the counter for the number of tiles is > 0.
    This will lead to a segfault when freeing the tiles' substructures.
    Fix this by setting the number of tiles to zero if the allocation was
    unsuccessful.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e411a3af11e5d00a311f594a45c17f74898cb46e)
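
The stale-counter failure that the movtextdec, ffv1 and ivi commit messages above describe, as an added example that is not FFmpeg's code: `Ctx`, `Slice`, the failing allocator `xalloc()` and the `reset_on_error` switch are all hypothetical. Instead of crashing, the close function here reports the state in which a loop over `nb_slices` would dereference the freed array.

```c
#include <stdio.h>
#include <stdlib.h>

static int alloc_calls;   /* allocations attempted so far */
static int fail_at = -1;  /* index of the call that fails; -1 = never */
static int live;          /* blocks currently allocated (leak check) */

/* Constructed allocator: zeroing, and able to fail at a chosen call. */
static void *xalloc(size_t n)
{
    if (alloc_calls++ == fail_at)
        return NULL;
    live++;
    return calloc(1, n);
}

static void xfree(void *p)
{
    if (p) {
        live--;
        free(p);
    }
}

typedef struct Slice { unsigned char *buf; } Slice;
typedef struct Ctx   { Slice *slices; int nb_slices; } Ctx;

static void free_slices(Ctx *c, int reset_counter)
{
    if (c->slices)
        for (int i = 0; i < c->nb_slices; i++)
            xfree(c->slices[i].buf);   /* safe: the array was zeroed */
    xfree(c->slices);
    c->slices = NULL;
    if (reset_counter)
        c->nb_slices = 0;              /* the fix: counter matches the array */
}

static int ctx_init(Ctx *c, int n, int reset_on_error)
{
    c->nb_slices = n;
    c->slices = xalloc(n * sizeof(*c->slices));
    if (!c->slices)
        goto fail;
    for (int i = 0; i < n; i++) {
        c->slices[i].buf = xalloc(64);
        if (!c->slices[i].buf)
            goto fail;
    }
    return 0;
fail:
    free_slices(c, reset_on_error);
    return -1;
}

/* 1 if a close function that trusts nb_slices would walk a NULL array. */
static int close_would_crash(const Ctx *c)
{
    return c->nb_slices > 0 && c->slices == NULL;
}

static int ctx_close(Ctx *c)
{
    if (close_would_crash(c))
        return -1;                     /* a real decoder would segfault here */
    free_slices(c, 1);
    return 0;
}

/* Run init with the given allocation failing, then close; returns close's result. */
static int run_case(int fail_call, int reset_on_error)
{
    Ctx c = { 0 };

    alloc_calls = 0;
    live = 0;
    fail_at = fail_call;
    (void)ctx_init(&c, 4, reset_on_error);
    return ctx_close(&c);
}

int main(void)
{
    printf("stale counter, 3rd alloc fails: close=%d\n", run_case(2, 0));
    printf("counter reset, 3rd alloc fails: close=%d\n", run_case(2, 1));
    printf("no failure:                     close=%d live=%d\n", run_case(-1, 1), live);
    return 0;
}
```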

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0045b41a362c1724a0e0659d32b664becd4c2d8
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Sep 15 02:13:56 2020 +0200

    avcodec/magicyuvenc: Fix memleak upon init failure
    
    If an error happens during init after an allocation has succeeded,
    the already allocated data leaked up until now. Fix this by setting the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a8ebb5632018adad733f89fa4efe74d7e92155ac)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ce88b5b5361c019a1db0c6993fc25f5e316a204
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Sep 14 17:30:34 2020 +0200

    avcodec/gif: Fix leaks upon allocation error
    
    If one of several allocations the gif encoder performs in its init
    function fails, the successful allocations leak. Fix this by adding the
    FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8da8774d8eb1d5dec830f36d2e6b0ace1b16e2f5)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9c6d8ae33c1666bbfb8411f2efb3208711486163
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 13 22:05:25 2020 +0200

    avcodec/avrndec: Fix memleak on error
    
    If ff_codec_open2_recursive() fails, the already allocated
    AVCodecContext leaks. Fix this by setting the FF_CODEC_CAP_INIT_CLEANUP
    flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3c2128df7ffdb32a3ef34044f9a4c2f15dc1776f)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=682574e1da9bd87b32d5d46143fe2b434f742259
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 13 21:57:50 2020 +0200

    avcodec/avrndec: Check allocation for success
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d8e4d26de6a96ffd7813aad5bb0680b494192031)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=634c4ce8b08a5f7eaf1a31be42bbfd6b59ff4bf0
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Sep 13 20:53:46 2020 +0200

    avcodec/atrac1: Check allocation of AVFloatDSPContext
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit e75ccc81234a22eee90e2a31808639e754b97cd1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a080af9b8c89ab74320a9377da5827e5b532685d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 10 21:39:28 2020 +0200

    avfilter/vf_subtitles: Fix leaks on failure
    
    init_subtitles() sometimes returned directly upon error without cleaning
    up after itself. The easiest way to trigger this is by using
    picture-based subtitles; it is also possible to run into this in case of
    missing decoders or allocation failures.
    
    Furthermore, return the proper error code in case of missing decoder.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 77ace1ffea6bd40d44326c1a87a55db0937877f1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0a8273efeb9acf149e0e4780d57936130cc9814
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 10 16:57:13 2020 +0200

    avfilter/vf_uspp: Fix potential leak of dict on error
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8443848dfc632334439d4eae7e446167682a4ddb)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e434e138924cf0d30936583e20db709aed92081f
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 10 16:07:28 2020 +0200

    avfilter/lavfutils: Fix memleak when avformat_find_stream_info() fails
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f38926ec24247d5e7365f0c5e73a5db43146f5a1)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0d7fe1ab8fca8e9237363e5c3c6d13caa632aa56
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Sep 10 15:36:11 2020 +0200

    avfilter/lavfutils: Don't use uninitialized pointers for freeing
    
    Happened on several error conditions, e.g. if there is just no decoder
    for the format (like with svg images).
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3d1a9824b8e7f5ad52447cc2d60beffc9e66ff67)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=88a563b27d7a1312d8ae9aaa9f71227e244d00e8
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Sep 4 16:16:15 2020 +0200

    avcodec/binkaudio: Don't use static storage for context-dependent data
    
    Move it to the context instead.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2777bae7f2fbb96843bc2d12c9190a12ffdfef55)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f1f850f11766be9dd2a03caa19f6d1e85c7793c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Sep 4 17:49:16 2020 +0200

    avcodec/bink: Fix memleak upon init failure
    
    The init function first allocates an AVFrame and then some buffers; if
    one of the buffers couldn't be allocated, the AVFrame leaks. Solve this
    by setting the FF_CODEC_CAP_INIT_CLEANUP flag.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4f672889481e7b3dc03c04b02a86836e94104e63)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c71de42131a524a3d9fa69209f899e84734cf1bc
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 29 16:12:05 2020 +0200

    avcodec/wnv1: Use LE bitstream reader, avoid copying packet, fix memleak
    
    The Winnov WNV1 format is designed for a little-endian bitstream reader;
    yet our decoder reversed every byte bitwise (in a buffer only
    allocated for this purpose) to use a big-endian bitstream reader. This
    commit stops this.
    
    Two things needed to be done to achieve this: The codes in the table used
    to initialize a VLC reader needed to be reversed bitwise (when
    initializing a VLC in LE mode, it is expected that the first bit to be
    read is in the least significant bit; with BE codes the first bit to be
    read is the most significant bit of the code) and the following
    expression needed to be adapted:
    
    ff_reverse[get_bits(&w->gb, 8 - w->shift)]
    
    But this is easy: When only the bits read are reversed, they coincide
    with what a little-endian bitstream reader reads that reads the
    original, not-reversed data. But ff_reverse always reverses the full
    eight bits and this also performs a shift by (8 - (8 - w->shift)) on top
    of reversing the bits read. So the above line needs to be changed to
    
    get_bits(&w->gb, 8 - w->shift) << w->shift
    
    and this also shows why the variable shift is named the way it is.
    
    Finally, this also fixes a hypothetical memleak: For gigantic packets,
    initializing a GetBitContext can fail and in this case, the buffer
    containing the reversed data would leak.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0166b1d1a6d052ef49aba3523d64f3c6d4f26372)
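
The identity the wnv1 message relies on can be checked directly. The following is an added example, not code from the commit or from FFmpeg: the two bit readers, reverse8() (standing in for the ff_reverse table) and the sample bytes are assumptions written for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bytes, not taken from a real WNV1 stream. */
static const uint8_t SAMPLE[] = { 0xB5, 0x3C, 0x7E, 0x01, 0xF0, 0x9A };

/* Reverse all eight bits of a byte (the role ff_reverse plays in the message). */
static uint8_t reverse8(uint8_t b)
{
    b = (uint8_t)((b & 0xF0) >> 4 | (b & 0x0F) << 4);
    b = (uint8_t)((b & 0xCC) >> 2 | (b & 0x33) << 2);
    b = (uint8_t)((b & 0xAA) >> 1 | (b & 0x55) << 1);
    return b;
}

/* Big-endian reader: the first bit read is the most significant bit of a byte
 * and becomes the most significant bit of the n-bit result. */
static unsigned read_be(const uint8_t *buf, size_t pos, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++, pos++)
        v = (v << 1) | ((buf[pos >> 3] >> (7 - (pos & 7))) & 1u);
    return v;
}

/* Little-endian reader: the first bit read is the least significant bit of a
 * byte and becomes the least significant bit of the n-bit result. */
static unsigned read_le(const uint8_t *buf, size_t pos, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++, pos++)
        v |= ((buf[pos >> 3] >> (pos & 7)) & 1u) << i;
    return v;
}

/* Old path: BE reader over the bit-reversed copy, then a full 8-bit reversal. */
static unsigned value_old(const uint8_t *reversed, size_t k, int shift)
{
    int n = 8 - shift;
    return reverse8((uint8_t)read_be(reversed, k * (size_t)n, n));
}

/* New path: LE reader over the original bytes, then a plain left shift. */
static unsigned value_new(const uint8_t *data, size_t k, int shift)
{
    int n = 8 - shift;
    return read_le(data, k * (size_t)n, n) << shift;
}

/* Compare both paths for every complete (8 - shift)-bit value in the buffer.
 * Returns the number of differing values, or -1 for unsupported arguments. */
static int count_mismatches(const uint8_t *data, size_t len, int shift)
{
    uint8_t reversed[64];
    size_t i, nvalues;
    int bad = 0;

    if (len > sizeof(reversed) || shift < 0 || shift > 7)
        return -1;
    for (i = 0; i < len; i++)
        reversed[i] = reverse8(data[i]);
    nvalues = len * 8 / (size_t)(8 - shift);
    for (i = 0; i < nvalues; i++)
        bad += value_old(reversed, i, shift) != value_new(data, i, shift);
    return bad;
}

int main(void)
{
    for (int shift = 0; shift < 8; shift++)
        printf("shift %d: %d mismatches\n", shift,
               count_mismatches(SAMPLE, sizeof(SAMPLE), shift));
    return 0;
}
```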

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d9da39572b42254f0f219daef34128eb39b80bf0
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 29 09:40:39 2020 +0200

    avcodec/truemotion2: Avoid duplicating array, fix memleak
    
    TrueMotion 2.0 uses Huffman trees. To parse them, the decoder allocates
    arrays for the codes, their lengths and their value; afterwards a VLC
    table is initialized using these values. If everything up to this point
    succeeds, a new buffer of the same size as the already allocated arrays
    for the values is allocated and upon success the values are copied into
    the new array; all the old arrays are then freed. Yet if allocating the
    new array fails, the old arrays get freed, but the VLC table doesn't.
    
    This leak is fixed by not allocating a new array at all; instead the old
    array is simply reused, ensuring that nothing can fail after the
    creation of the VLC table.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 5ff2ff6bd9cd9e08729060d330e381a09972c498)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f722ddc23425f61815d7b1373ecf161bdaa824f6
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 24 22:21:51 2020 +0200

    avfilter/af_headphone: Fix leak of channel layouts list on error
    
    In case the multichannel HRIR mode was enabled, an error could happen
    between allocating a channel layouts list and attaching it to its target
    destination. If an error happened, the list would leak. This is fixed by
    attaching the list to its target directly after its allocation.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ca8e5dedc7fabae3df76ea11d9952070cbb19620)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42d160ac40f69f65113db108614659a365cebb9d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 24 05:26:57 2020 +0200

    avfilter/af_headphone: Fix segfault upon allocation failure
    
    The headphone filter uses a variable number of inpads and allocates them
    in its init function; if all goes well, the number of inpads coincides
    with a number stored in the filter's private context. Yet if allocating a
    subsequent inpad fails, the uninit function nevertheless uses the number
    stored in the private context to determine the number of inpads to free
    and not the AVFilterContext's nb_inputs. This will lead to an access
    beyond the end of the allocated AVFilterContext.input_pads array and
    an invalid free.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0960da42f5414a24497c75787ff4be318ae41421)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b343188cd866f6fda1b248ac2a098fb0729492c2
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Aug 25 00:20:35 2020 +0200

    avfilter/vf_signature: Fix leak of string upon error
    
    If an error happens between allocating a string intended to be used as
    an inpad's name and attaching it to its input pad, the string leaks.
    Fix this by inserting the inpad directly after allocating its string.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 16ea88778e6f4e2d49318ea6e02fa938ac2f401e)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed86d63a7f26815e4abee286e07d5ae427da0a35
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Aug 25 00:20:01 2020 +0200

    avfilter/vf_signature: Fix leak of inpads' names
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 37838417b8045fa3a49acc55546c741d3f2ac602)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dbc4b46c7a65a075aea289f7237be901af2a07c4
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 22 04:47:14 2020 +0200

    avfilter/af_aiir: Fix segfault and leak upon allocation failure
    
    The aiir filter adds output pads in its init function. Each of these
    output pads had a name which was allocated and to be freed in the uninit
    function. Given that the aiir filter has between one and two outputs,
    one output pad's name was freed unconditionally and a second was freed
    conditionally.
    
    Yet if adding output pads fails, there are no output pads at all and
    trying to free a nonexistent pad's name will lead to a segfault.
    
    Furthermore, if the name could be successfully allocated, yet adding the
    new pad fails, the name would leak.
    
    This commit fixes this by not allocating the pads' names at all any
    more: They are constant anyway. This allows removing the code to free
    them and hence fixes the aforementioned bugs.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 97b1a2c564e0d4dbf8573b4647ae110a75238db3)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d81b627662bcd5857017b9909ffa35436a43bc2
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 22 03:51:46 2020 +0200

    avfilter/vf_premultiply: Fix leak of names of inpads
    
    These names leak because freeing them in the uninit function has been
    forgotten. Instead of adding the freeing code, this commit stops
    allocating these names. They are constants anyway.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 7e736cd38aed1886fcc9672848ccf31ea1cc0b28)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=07fb367737e1eb933f009852f9d8cff45a76ea34
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 22 03:23:51 2020 +0200

    avfilter/af_anequalizer: Fix memleak when inserting pad fails
    
    It has been forgotten to free the name of the second outpad if attaching
    the first one to the AVFilterContext fails. Fixing this is easy: Only
    prepare the second outpad after (and if) the first outpad has been
    successfully attached to the AVFilterContext.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit fdbd579fd10bc80c0f4e5a86497a4aa2e00317c5)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7316177a44fcd325dff8d19a382c83a51f1dfacc
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 24 05:46:08 2020 +0200

    avfilter/af_amerge: Fix segfault upon allocation failure
    
    The amerge filter uses a variable number of inpads and allocates them
    in its init function; if all goes well, the number of inpads coincides
    with a number stored in the filter's private context. Yet if allocating a
    subsequent inpad fails, the uninit function nevertheless uses the number
    stored in the private context to determine the number of inpads to free
    and not the AVFilterContext's nb_inputs. This will lead to an access
    beyond the end of the allocated AVFilterContext.input_pads array and
    an invalid free.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 8f2c1f2cbe77685435362f1940b637a6c3ff1934)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ef72373131738c690cc6d1504a23a42cd220685
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Aug 9 16:42:37 2020 +0200

    avfilter/af_aformat: Add uninit function
    
    Fixes memleaks in case init fails (e.g. because of invalid parameters
    like 'aformat=sample_fmts=s16:cl=wtf') or also if query_formats is never
    called.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a7bd37927628df3672488e07f718b3549bea717d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f0bfdffe3797deb23ebc5ec9aea8b5dbc2f454b
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 23:40:43 2020 +0200

    avfilter/vf_hwdownload: Fix leak of formats list upon error
    
    If adding the list of input formats to its AVFilterLink fails, the list
    of output formats (which has not been attached to permanent storage yet)
    leaks. This has been fixed by not creating the lists of in- and output
    formats simultaneously. Instead creating said lists is relegated to
    ff_formats_pixdesc_filter() (this also avoids the reallocations implicit
    in using ff_add_format()) and the second list is only created after (and
    if) the first list has been permanently attached to its AVFilterLink.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 257cd5fa389465032b2b222fff5ada9dfebeb4d0)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4516fc3e2b94c77b58749b22d7f1151ffb9e2114
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 19:43:20 2020 +0200

    avfilter/formats: Fix double frees and memleaks on error
    
    The formats API deals with lists of channel layouts, sample rates,
    pixel formats and sample formats. These lists are refcounted in a way in
    which the list structure itself contains pointers to all of its owners.
    Furthermore, it is possible for a list to be not owned by anyone yet;
    this status is temporary until the list has been attached to an owner.
    Adding an owner to a list involves reallocating the list's list of
    owners and can therefore fail.
    
    In order to reduce the amount of checks and cleanup code for the users
    of this API, the API is supposed to be lenient when faced with input
    lists that are NULL and it is supposed to clean up if adding an owner
    to a list fails, so that a simple use case like
    
    list = ff_make_format_list(foo_fmts);
    if ((ret = ff_formats_ref(list, &ctx->inputs[0]->out_formats)) < 0)
        return ret;
    
    needn't check whether list could be successfully allocated
    (ff_formats_ref() returns AVERROR(ENOMEM) if it couldn't) and it also
    needn't free list if ff_formats_ref() couldn't add an owner for it.
    
    But the cleaning up after itself was broken. The root cause was that
    the refcount was decremented during unreferencing whether or not the
    element to be unreferenced was actually an owner of the list or not.
    This means that if the above sample code is continued by
    
    if ((ret = ff_formats_ref(list, &ctx->inputs[1]->out_formats)) < 0)
        return ret;
    
    and that if an error happens at the second ff_formats_ref() call, the
    automatic cleaning of list will decrement the refcount from 1 (the sole
    owner of list at this moment is ctx->input[0]->out_formats) to 0 and so
    the list will be freed; yet ctx->input[0]->out_formats still points to
    the list and this will lead to a double free/use-after-free when
    ctx->input[0] is freed later.
    
    Presumably in order to work around such an issue, commit
    93afb338a405eac0f9e7b092bc26603378bfcca6 restricted unreferencing to
    lists with owners. This does not solve the root cause (the above example
    is not fixed by this) at all, but it solves some crashes.
    
    This commit fixes the API: The list's refcount is only decremented if
    an owner is removed from the list of owners and not if the
    unref-function is called with a pointer that is not among the owners of
    the list. Furthermore, the requirement for the list to have owners is
    dropped.
    
    This implies that if the first call to ff_formats_ref() in the above
    example fails, the refcount which is initially zero during unreferencing
    is not modified, so that the list will be freed automatically in said
    call to ff_formats_ref() as every list whose refcount reaches zero is.
    
    If on the other hand, the second call to ff_formats_ref() is the first
    to fail, the refcount would stay at one during the automatic
    unreferencing in ff_formats_ref(). The list would later be freed when
    its last (and in this case sole) owner (namely
    ctx->inputs[0]->out_formats) gets unreferenced.
    
    The issues described here for ff_formats_ref() also affected the other
    functions of this API. E.g. ff_add_format() failed to clean up after
    itself if adding an entry to an already existing list failed (the case
    of a freshly allocated list was handled specially and this commit also
    removes said code). E.g. ff_all_formats() inherited the flaw.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 2a471af50aab02e8bb062c84a5779c7de1952fc0)
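
The two-call scenario from the formats message, replayed on a small model as an added example. This is not FFmpeg's code: the List type, the policy enum, the failure injection and the freed/use_after_free counters are assumptions made for the illustration, and the model records a release instead of freeing the list so that the dangling owner can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an owner-tracked list; not FFmpeg's code. */
enum policy {
    DECREMENT_ALWAYS,     /* behaviour the commit message describes as broken */
    DECREMENT_OWNER_ONLY  /* behaviour after the fix */
};

typedef struct List {
    unsigned refcount;       /* number of owners */
    struct List ***owners;   /* addresses of the pointers that own the list */
    int freed;               /* model only: times the list was released */
    int use_after_free;      /* model only: accesses after release */
} List;

typedef struct Result { int ret, freed, use_after_free, dangling; } Result;

static int fail_next_ref;    /* model only: simulates a failed reallocation */

static void list_unref(List **ref, enum policy p)
{
    List *l = *ref;
    unsigned i;
    int found;

    if (!l)
        return;
    if (l->freed) {          /* a real build would touch freed memory here */
        l->use_after_free++;
        *ref = NULL;
        return;
    }
    if (p == DECREMENT_ALWAYS && !l->owners)
        return;              /* older workaround: only lists with owners */
    for (i = 0; i < l->refcount && l->owners[i] != ref; i++)
        ;
    found = i < l->refcount;
    if (found)
        memmove(l->owners + i, l->owners + i + 1,
                sizeof(*l->owners) * (l->refcount - i - 1));
    if (found || p == DECREMENT_ALWAYS)
        l->refcount--;       /* the fix decrements only for a real owner */
    if (!l->refcount) {      /* no owner left: release the list */
        free(l->owners);
        l->owners = NULL;
        l->freed++;          /* the List itself is kept for inspection */
    }
    *ref = NULL;
}

static int list_ref(List *l, List **ref, enum policy p)
{
    List ***tmp;

    if (!l)
        return -1;
    tmp = fail_next_ref ? NULL
                        : realloc(l->owners, sizeof(*tmp) * (l->refcount + 1));
    if (!tmp) {
        fail_next_ref = 0;
        list_unref(&l, p);   /* &l is a local pointer, never an owner */
        return -1;
    }
    l->owners = tmp;
    l->owners[l->refcount++] = ref;
    *ref = l;
    return 0;
}

/* fail_at: 0 = no failure, 1 = first attach fails, 2 = second attach fails. */
static Result run_scenario(enum policy p, int fail_at)
{
    List *in0 = NULL, *in1 = NULL, *l = calloc(1, sizeof(*l));
    Result r = { -1, 0, 0, 0 };

    if (!l)
        return r;
    fail_next_ref = fail_at == 1;
    r.ret = list_ref(l, &in0, p);
    if (r.ret >= 0) {
        fail_next_ref = fail_at == 2;
        r.ret = list_ref(l, &in1, p);
    }
    r.dangling = in0 != NULL && l->freed;  /* owner points at released list */
    list_unref(&in0, p);                   /* later teardown of both owners */
    list_unref(&in1, p);
    r.freed = l->freed;
    r.use_after_free = l->use_after_free;
    free(l->owners);
    free(l);
    return r;
}

int main(void)
{
    Result a = run_scenario(DECREMENT_ALWAYS, 2);
    Result b = run_scenario(DECREMENT_OWNER_ONLY, 2);
    printf("old: dangling=%d use_after_free=%d\n", a.dangling, a.use_after_free);
    printf("new: dangling=%d use_after_free=%d freed=%d\n",
           b.dangling, b.use_after_free, b.freed);
    return 0;
}
```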

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff0201f6e734979267ed2722f2d9949734bb368e
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 18:54:18 2020 +0200

    avfilter/af_channelmap: Fix double-free of AVFilterChannelLayouts on error
    
    The query_formats function of the channelmap filter tries to allocate
    a list of channel layouts which on success are attached to more permanent
    objects (an AVFilterLink) for storage afterwards. If attaching succeeds,
    the link becomes one of the common owners (in this case, the only owner)
    of the list. Yet if the list has been successfully attached to the link
    and an error happens later on, the list was manually freed, which is wrong,
    because it is owned by its link so that the link's pointer to the list will
    become dangling and there will be a double-free/use-after-free when the link
    is later cleaned up automatically.
    
    This commit fixes this by removing the custom freeing code; this will
    temporarily add a leaking codepath (if attaching the list fails, the list
    will leak), but this will be fixed soon by making sure that an
    AVFilterChannelLayouts without owner will be automatically freed when
    attaching it to an AVFilterLink fails.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 44bcd6f74922ba490e680e79eae897b249c29d62)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65be8cdc4dcdf95085d00afc38aef24967ff48a9
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 15:04:41 2020 +0200

    avfilter/vf_alphamerge: Fix double-free of AVFilterFormats on error
    
    The query_formats function of the alphamerge filter tries to allocate
    two lists of formats which on success are attached to more permanent
    objects (AVFilterLinks) for storage afterwards. If attaching a list
    to an AVFilterLink succeeds, the link becomes one of the owners of
    the list. Yet if attaching a list to one of its links succeeds and
    an error happens later on, both lists were manually freed, which is wrong
    if the list is already owned by one or more links; these links' pointers
    to their lists will become dangling and there will be a double-free/use-
    after-free when these links are cleaned up automatically.
    
    This commit fixes this by removing the custom freeing code; this will
    temporarily add a leaking codepath (if attaching a list not already
    owned by a link to a link fails, the list will leak), but this will
    be fixed soon by making sure that an AVFilterFormats without owner will
    be automatically freed when attaching it to an AVFilterLink fails.
    At most one list leaks because as of this commit a new list is only
    allocated after the old list has been successfully attached to a link.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit fd1a2a54a478462212b25753e7106c13af1e33c6)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1bbcc09f2ffad02cf52969534f93aea745a507b5
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 14:42:57 2020 +0200

    avfilter/vf_overlay: Fix double-free of AVFilterFormats on error
    
    The query_formats function of the overlay filter tries to allocate
    two lists (only one in a special case) of formats which on success
    are attached to more permanent objects (AVFilterLinks) for storage
    afterwards. If attaching a list to an AVFilterLink succeeds, it is
    in turn owned by the AVFilterLink (or more exactly, the AVFilterLink
    becomes one of the common owners of the list). Yet if attaching a list
    to one of its links succeeds and an error happens later on, both lists
    were manually freed, which is wrong if the list is already owned by one
    or more links; these links' pointers to their lists will become dangling
    and there will be a double-free/use-after-free when these links are
    cleaned up automatically.
    
    This commit fixes this by removing the custom freeing code; this will
    temporarily add a leaking codepath (if attaching a list not already
    owned by a link to a link fails, the list will leak), but this will
    be fixed soon by making sure that an AVFilterFormats without owner will
    be automatically freed when attaching it to an AVFilterLink fails.
    Notice that at most one list leaks because a new list is only allocated
    after the old list has been successfully attached to a link.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a86ee5fd79840dc4af3e3f5c90ff8ce19b9ae993)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ef0023fb90f256b47ba01ad0f2019ab527e4cadc
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 14:21:56 2020 +0200

    avfilter/vf_remap: Fix double-free of AVFilterFormats on error
    
    The query_formats function of the remap filter tries to allocate
    two lists of formats which on success are attached to more permanent objects
    (AVFilterLinks) for storage afterwards. If attaching a list to an
    AVFilterLink succeeds, it is in turn owned by the AVFilterLink (or more
    exactly, the AVFilterLink becomes one of the common owners of the list).
    Yet if attaching a list to one of its links succeeds and an error happens
    later on, both lists were manually freed, which is wrong if the
    list is already owned by one or more links; these links' pointers to
    their lists will become dangling and there will be a double-free/use-after-
    free when these links are cleaned up automatically.
    
    This commit fixes this by removing the custom free code; this will
    temporarily add a leaking codepath (if attaching a list not already
    owned by a link to a link fails, the list will leak), but this will
    be fixed soon by making sure that an AVFilterFormats without owner will
    be automatically freed when attaching it to an AVFilterLink fails.
    Notice at most one list leaks because a new list is only allocated
    after the old list has been successfully attached to a link.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 07240c36c2912cea96dd9d11c8e3ed27995a2b3c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ac5eb3c75115efc857017e15ea1e435ba2b46f37
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 13:23:30 2020 +0200

    avfilter/vf_showpalette: Fix double-free of AVFilterFormats on error
    
    The query_formats function of the showpalette filter tries to allocate
    two lists of formats which on success are attached to more permanent objects
    (AVFilterLinks) for storage afterwards. If attaching a list to an
    AVFilterLink succeeds, the link becomes one (in this case the only one)
    of the owners of the list. Yet if attaching the first list to its link
    succeeds and attaching the second list fails, both lists were manually
    freed, which means that the first link's pointer to the first list
    becomes dangling and there will be a double-free when the first link is
    cleaned up automatically.
    
    This commit fixes this by removing the custom free code; this will
    temporarily add a leaking codepath (if attaching a list to a link fails,
    the list will leak), but this will be fixed shortly by making sure that
    an AVFilterFormats without owner will be automatically freed when
    attaching it to an AVFilterLink fails. Notice at most one list leaks
    because as of this commit a new list is only allocated after the old list
    has been successfully attached to a link.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 76909c97c68c79d3c0353de83418a112595e9798)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74b47138a39b36a67531e5e3d17713ae265a1555
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 17:31:11 2020 +0200

    avfilter/af_amix: Fix double-free of AVFilterChannelLayouts on error
    
    The query_formats function of the amix filter tries to allocate a list
    of channel layouts which are attached to more permanent objects
    (an AVFilter's links) for storage afterwards on success. If attaching
    a list to a link succeeds, the link becomes one of the common owners
    of the list. Yet if a list has been successfully attached to links (or if
    there were no links to attach it to in which case
    ff_set_common_channel_layouts() already frees the list) and an error
    happens later on, the list was manually freed, which is wrong, because
    the list has either already been freed or it is owned by its links in
    which case these links' pointers to their list will become dangling and
    there will be double-frees/uses-after-free when these links are cleaned
    up automatically.
    
    This commit fixes this by removing the custom freeing code; this is made
    possible by using the list in ff_set_common_channel_layouts() directly
    after its allocation (without anything that can fail in between).
    
    Notice that ff_set_common_channel_layouts() is buggy itself which can
    lead to double-frees on error. This is not fixed in this commit.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 44e376500fd0a5e6b9ca1611e645feeb50de1ac5)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=662ef103671e943c8c02badb1f94c760fb23dbe6
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 16:08:42 2020 +0200

    avfilter/af_amix: Don't needlessly reallocate table
    
    Replace using ff_add_format() repeatedly by a single call to
    ff_make_format_list(). (Right now this also fixes a memleak: If the
    first ff_add_format() succeeds and a subsequent call fails, the list
    leaks.)
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 27f35fd121e38b28daafb4f1ad47cf55b5e5ab71)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a95c96eb76b7580e7e3b2440c33afc4cfdf4c97
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 05:54:34 2020 +0200

    avfilter/vf_vpp_qsv: Fix leak of AVFilterFormats on error
    
    The vpp_qsv's query_formats function allocated two AVFilterFormats,
    before storing them permanently. If storing the first of them fails,
    the function simply returns and the second leaks. This has been fixed by
    only allocating the second AVFilterFormats structure after the first one
    has been successfully stored.
    
    Fixes Coverity issue #1422231.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit c4beb0783bd2470edbcc8da9e264c7fe1c10d7cc)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bc83dd89d1fa5e165f2d98ffaf403a45a2a98a3
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 06:09:59 2020 +0200

    avfilter/vf_paletteuse: Fix leaks of AVFilterFormats on error
    
    The paletteuse's query_formats function allocated three AVFilterFormats
    before storing them permanently. If allocating one of them failed, the
    three AVFilterFormats structures would be freed with av_freep() which
    does not free separately allocated subelements (namely the formats
    array) which leak.
    
    Furthermore, if storing one of the first two fails, the function simply
    returns and the ones not yet stored leak.
    
    These leaks have been fixed by only creating a new AVFilterFormats after
    the last one has already been permanently stored. Furthermore, it is
    enough to check whether the elements have been properly stored as
    ff_formats_ref() by design returns AVERROR(ENOMEM) if it is provided a
    NULL AVFilterFormats *.
    
    Fixes Coverity issues #1270818 and #1270819.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 6a65449954d466e76c1166f524d2f6cde28c3c96)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3125fae1cf4a23166d603de39d9da14280333ffa
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Aug 23 11:12:30 2020 +0200

    avfilter/graphparser: Fix memleak when linking filters fails
    
    Parsing labeled outputs involves a check for an already known match
    (a labeled input with the same name) to pair them together. If yes,
    it is attempted to create a link between the two filters; in this case
    the AVFilterInOuts have fulfilled their purpose and are freed. Yet if
    creating the link fails, these AVFilterInOuts have up until now not been
    freed, although they had already been removed from their respective lists
    (which means that they are not freed automatically). In other words:
    They leak. This commit fixes this.
    
    This fixes ticket #7084. Said ticket contains an example program to
    reproduce a leak. It can also be reproduced with ffmpeg alone, e.g. with
    the complex filters "[0]null[1],[2]anull[0]" or with "[0]abitscope[0]".
    All of these three examples involve media type mismatches which make it
    impossible to create the links. The bug could also be triggered by other
    means, e.g. failure to allocate the necessary AVFilterLink.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit deb6476fd8bc3a3c2b134704ecb804269843ed89)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a23078a721682268caf03fc6d24a6ab202d309ae
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Aug 23 03:49:48 2020 +0200

    fftools/ffmpeg: Fix leak of AVFilterInOut in case of error
    
    The AVFilterInOuts normally get freed in init_output_filter() when
    the corresponding streams get created; yet if an error happens before
    one reaches said point, they leak. Therefore this commit makes
    ffmpeg_cleanup free them, too.
    
    Fixes ticket #8267.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 426c16d61a9b5056a157a1a2a057a4e4d13eef84)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ba257f568e3aacf0aa85de2d57b6e49733bfbb69
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Aug 23 01:51:22 2020 +0200

    avfilter/graphparser: Check allocations for success
    
    parse_filter() did not check the return value of av_get_token() for
    success; in case name (the name of a filter) was NULL, one got a
    segfault in av_strlcpy() (called from create_filter()).
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 95b8df687cc0182a4ec7666c2bbc2826c9ef0852)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b93ccb8d59fc4d079e9902fd5544845c686ca86a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Aug 23 00:31:17 2020 +0200

    avfilter/graphparser: Don't set pointer to one beyond '\0' of string
    
    This happened in parse_link_name() if there was a '[' without matching
    ']'. While this is not undefined behaviour (pointer arithmetic one
    beyond the end of an array works fine as long as there are no accesses),
    it is potentially dangerous. It currently isn't (all callers of
    parse_link_name() treat this as an error and don't access the string any
    more), but making sure that this will never cause trouble in the future
    seems nevertheless worthwhile.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f33faa5b9bfb288f83db034fa1f8719ab8a994c6)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b3d85c26eaeaa7fa960e3268520b2af34035936
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sat Aug 22 23:54:13 2020 +0200

    avfilter/graphparser: Fix leaks when parsing inputs fails
    
    parse_inputs() uses a temporary linked list to parse the labeled inputs
    of a filter; said linked list owns its elements (and their names). On
    success, the list of unlabeled inputs is appended to the end of the list
    of labeled inputs and the new list is returned; yet on failures, nothing
    frees the already existing elements of the temporary linked list, leading
    to a leak.
    
    This can be triggered by e.g. using '-vf [v][' in the FFmpeg
    command-line tool.
    
    This leak seems to exist since 4e781c25b7b1955d1a9a0b0771c3ce1acb0957bd.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit b3f6dee728c2741388638f8343379bf0f0ef5946)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ad0132fab81916cdc60caf893ec805111d12ed9b
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 04:58:56 2020 +0200

    avfilter/af_afir: Fix leak of AVFilterChannelLayout in case of error
    
    If an error happens between the allocation of an AVFilterChannelLayout
    and its usage (which involves attaching said object to a more permanent
    object), the channel layout array leaks. This can simply be fixed by
    making sure that nothing is between the allocation and the
    aforementioned usage.
    
    Fixes Coverity issue #1250334.
    
    Reviewed-by: Paul B Mahol <onemda at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 3a0f080ffa5185f45850f15e5e7b8cf997337bf7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2617956abd5ac8339cb2f3fb4ab7b64f83743ebd
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 10 02:33:19 2020 +0200

    avformat/mlvdec: Only store dimensions after having validated them
    
    Otherwise it might happen that invalid dimensions are used when reading
    a video packet; this might lead to undefined overflow.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit d661cfc184bcf0bb13bb11fdba6f5d4493675f85)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45c83744fd3b813730be6f9c09341be77e7518ce
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 10 02:19:35 2020 +0200

    avformat/mlvdec: Don't leak open AVIOContexts on error
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 0d560873da2fc851955e95957473026d2d2243cc)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=280c6e0d1cf7c22c6f9f551edbc7942b96df93c6
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 10 01:32:42 2020 +0200

    avformat/mlvdec: Check for existence of AVIOContext before using it
    
    The mlv demuxer supports input split into multiple files; if invalid
    data is encountered when parsing one of the subsequent files, that file
    is closed. But at this point some index entries belonging to this file
    might already have been added. In this case, the read_packet function
    might try to use the AVIOContext (which is NULL) to read data which will
    of course crash. This commit fixes this.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 6e0dd41fa3cdfd4b31d2c03c52e926231d7b2e73)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b03a87605096037e2e50a11e5b48de36b80be498
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 14 22:06:54 2020 +0200

    avformat/hls: Fix memleak when url is empty
    
    Fixes Coverity ID 1465888.
    
    Reviewed-by: Steven Liu <lingjiujianke at gmail.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit dfc6a9f07543e3c2bf01baaf8459558365f961d2)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4bc5de8e553873459f2bb93aecf2253fc99a0066
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Aug 13 04:02:26 2020 +0200

    avfilter/formats: Fix heap-buffer overflow when merging channel layouts
    
    The channel layouts accepted by ff_merge_channel_layouts() are of two
    types: Ordinary channel layouts and generic channel layouts. These are
    layouts that match all layouts with a certain number of channels.
    Therefore parsing these channel layouts is not done in one go; instead
    first the intersection of the ordinary layouts of the first input
    list of channel layouts with the ordinary layouts of the second list is
    determined, then the intersection of the ordinary layouts of the first
    one and the generic layouts of the second one etc. In order to mark the
    ordinary channel layouts that have already been matched as used they are
    zeroed. The inner loop that does this is as follows:
    
    for (j = 0; j < b->nb_channel_layouts; j++) {
        if (a->channel_layouts[i] == b->channel_layouts[j]) {
            ret->channel_layouts[ret_nb++] = a->channel_layouts[i];
            a->channel_layouts[i] = b->channel_layouts[j] = 0;
        }
    }
    
    (Here ret->channel_layouts is the array containing the intersection of
    the two input arrays.)
    
    Yet the problem with this code is that after a match has been found, the
    loop continues the search with the new value a->channel_layouts[i].
    The intention of zeroing these elements was to make sure that elements
    already paired at this stage are ignored later. And while they are indeed
    ignored when pairing ordinary and generic channel layouts later, it has
    the exact opposite effect when pairing ordinary channel layouts.
    
    To see this consider the channel layouts A B C D E and E D C B A. In the
    first round, A and A will be paired and added to ret->channel_layouts.
    In the second round, the input arrays are 0 B C D E and E D C B 0.
    At first B and B will be matched and zeroed, but after doing so matching
    continues, but this time it will search for 0, which will match with the
    last entry of the second array. ret->channel_layouts now contains A B 0.
    In the third round, C 0 0 will be added to ret->channel_layouts etc.
    This gives a quadratic amount of elements, yet the amount of elements
    allocated for said array is only the sum of the sizes of a and b.
    
    This issue can e.g. be reproduced by
    ffmpeg -f lavfi -i anullsrc=cl=7.1 \
    -af 'aformat=cl=mono|stereo|2.1|3.0|4.0,aformat=cl=4.0|3.0|2.1|stereo|mono' \
    -f null -
    
    The fix is easy: break out of the inner loop after having found a match.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 4147f63d63358e5c1969bfe431ee08ca54f8434d)
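
Added example, not part of the commit or of FFmpeg's code: a small C model of the inner loop quoted in the commit message above, run on the A B C D E / E D C B A case it describes, counting how many stores the loop attempts with and without the `break`. The values 1..5 are constructed stand-ins for the layouts, and the names `pair_ordinary`, `attempted_stores` and `ALLOC` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N     5          /* entries per input list (constructed sample) */
#define ALLOC (2 * N)    /* allocation per the commit message: size of a + size of b */

/* Model of the quoted inner loop. Returns how many stores into ret the
 * loop attempts; stores past cap are counted but dropped, so the model
 * itself stays in bounds. */
static int pair_ordinary(const uint64_t *a_in, const uint64_t *b_in,
                         uint64_t *ret, int cap, int break_on_match)
{
    uint64_t a[N], b[N];
    int i, j, ret_nb = 0;

    memcpy(a, a_in, sizeof(a));
    memcpy(b, b_in, sizeof(b));
    for (i = 0; i < N; i++) {
        for (j = 0; j < N; j++) {
            if (a[i] == b[j]) {
                if (ret_nb < cap)
                    ret[ret_nb] = a[i];
                ret_nb++;
                a[i] = b[j] = 0;   /* mark both entries as used */
                if (break_on_match)
                    break;         /* the fix: stop before searching for 0 */
            }
        }
    }
    return ret_nb;
}

/* Constructed stand-ins for layouts A..E, not real channel layout masks. */
static const uint64_t list_a[N] = { 1, 2, 3, 4, 5 };   /* A B C D E */
static const uint64_t list_b[N] = { 5, 4, 3, 2, 1 };   /* E D C B A */

static int attempted_stores(int break_on_match, uint64_t *ret)
{
    return pair_ordinary(list_a, list_b, ret, ALLOC, break_on_match);
}

int main(void)
{
    uint64_t ret[ALLOC];
    int buggy = attempted_stores(0, ret);
    int fixed = attempted_stores(1, ret);

    printf("allocated %d, stores without break %d, with break %d\n",
           ALLOC, buggy, fixed);
    return 0;
}
```

Without the `break` the loop attempts n(n+1)/2 stores for two reversed lists of n entries, which exceeds the 2n allocated elements as soon as n is 4 or more.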

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=07b52a4b70a3a0593f8fa327187447efae68c03c
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 04:28:07 2020 +0200

    Revert "lavfi/avfiltergraph: add check before free the format"
    
    This reverts commit f156f4ab2317f22bfef33c7eaead0d5d5f162903.
    
    The checks added by said commit are nonsense because they did not help
    in case ff_merge_samplerates() or ff_merge_formats() returned NULL
    while freeing one of its arguments: Said freeing does not change
    the local variables of can_merge_formats().
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit c4c10feaa8c3604abfec4283715b37358f73b6e7)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d82cfe3def0776040e6bbe2743cebbbf16bcc76
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Fri Aug 7 03:41:18 2020 +0200

    avfilter/formats: Leave lists' ownership unchanged upon merge failure
    
    ff_merge_formats(), ff_merge_samplerates() and ff_merge_channel_layouts()
    share common semantics: If merging succeeds, a non-NULL pointer is
    returned and both input lists (of type AVFilterFormats resp.
    AVFilterChannelLayouts) are to be treated as if they had been freed;
    the owners of the input parameters (if any) become owners of the
    returned list. If merging does not succeed, NULL is returned and both
    input lists are supposed to be unchanged.
    
    The problem is that the functions did not abide by these semantics:
    In case of reallocation failure, it is possible for these functions
    to return NULL after having already freed one of the two input lists.
    This happens because sometimes the refs-array of the destined output
    gets reallocated twice to its final size and if the second of these
    reallocations fails, the first of the two inputs has already been freed
    and its refs updated to point to the destined output which in this case
    will be freed immediately so that all of the already updated pointers
    are now dangling. This leads to use-after-frees and memory corruptions
    later on (when these owners get cleaned up, the lists they own get
    unreferenced). Should the input lists not have owners at all, the
    caller (namely can_merge_formats() in avfiltergraph.c) thinks that both
    the input lists are unchanged and need to be freed, leading to a double
    free.
    
    The solution to this is simple: Don't reallocate twice; do it just once.
    This also saves a reallocation.
    
    This commit fixes the issue behind Coverity issue #1452636. It might
    also make Coverity realize that the issue has been fixed.
    
    Reviewed-by: Nicolas George <george at nsup.org>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 195a25a7aba89d4fc040de63cbc6389abece393d)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4cdd6cac1fc14ee5c2b19c059c72486d4fc6ba34
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Aug 10 14:20:58 2020 +0200

    avformat/mpegts: Don't leave context in inconsistent state upon error
    
    Up until now, opening a section filter works as follows: A filter is
    opened and (on success) attached to the MpegTSContext. Then a buffer for
    said filter is allocated and upon success attached to the section
    filter; on error, the filter is simply freed without removing it from
    the MpegTSContext, leaving the latter in an inconsistent state. This
    leads to use-after-frees later on.
    
    This commit fixes this by allocating the buffer first; the filter is
    only opened if the buffer could be successfully allocated.
    
    Reviewed-by: Marton Balint <cus at passwd.hu>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 1ead176d874acb489827ace3935fc71e1eea7e0e)
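
Added example, not part of the commit or of FFmpeg's code: a C model of the two orderings described in the commit message above, showing that the old order leaves the context referencing a freed filter when the buffer allocation fails, while the new order leaves the context untouched. All types and names (`Ctx`, `Filter`, `open_section_old`, `open_section_new`, `fail_buf_alloc`) are hypothetical; freeing is modelled with an `alive` flag so that the stale reference can be inspected safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NB_PID 4

typedef struct Filter { int alive; unsigned char *section_buf; } Filter;
typedef struct Ctx { Filter *pids[NB_PID]; } Ctx;

static Filter pool[NB_PID];   /* filter storage; "freeing" clears alive */
static int fail_buf_alloc;    /* knob: force the buffer allocation to fail */

static unsigned char *alloc_buf(size_t n)
{
    return fail_buf_alloc ? NULL : malloc(n);
}

/* Opens a filter and attaches it to the context right away. */
static Filter *open_filter(Ctx *c, int pid)
{
    Filter *f = &pool[pid];
    f->alive = 1;
    f->section_buf = NULL;
    c->pids[pid] = f;
    return f;
}

/* Old order: attach first, allocate second, free without detaching. */
static Filter *open_section_old(Ctx *c, int pid)
{
    Filter *f = open_filter(c, pid);
    unsigned char *buf = alloc_buf(4096);
    if (!buf) {
        f->alive = 0;          /* filter freed, c->pids[pid] still set */
        return NULL;
    }
    f->section_buf = buf;
    return f;
}

/* New order: allocate the buffer first, open the filter only on success. */
static Filter *open_section_new(Ctx *c, int pid)
{
    unsigned char *buf = alloc_buf(4096);
    Filter *f;
    if (!buf)
        return NULL;           /* context never touched */
    f = open_filter(c, pid);
    f->section_buf = buf;
    return f;
}

/* Returns 1 if the context still references a freed filter after a
 * failed open, 0 if it is consistent, -1 if the open did not fail. */
static int stale_after_failure(int use_new_order)
{
    Ctx c = { { NULL } };
    Filter *f;
    int i, stale = 0;

    fail_buf_alloc = 1;
    f = use_new_order ? open_section_new(&c, 1) : open_section_old(&c, 1);
    fail_buf_alloc = 0;
    if (f)
        return -1;
    for (i = 0; i < NB_PID; i++)
        if (c.pids[i] && !c.pids[i]->alive)
            stale = 1;
    return stale;
}

int main(void)
{
    printf("old order stale: %d, new order stale: %d\n",
           stale_after_failure(0), stale_after_failure(1));
    return 0;
}
```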

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea42edb9336ee0968910250177d27c23b68231e8
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Aug 6 01:21:38 2020 +0200

    avformat/sierravmd: Don't return packets for non-existing stream
    
    It leads to an assert in ff_read_packet().
    
    Reviewed-by: Michael Niedermayer <michael at niedermayer.cc>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit ea8f8d28d096827636f518b6074d31fc472d03c6)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f66647daa615561305260033f8d3c499ad20b372
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Aug 6 00:59:37 2020 +0200

    avformat/vividas: Check allocation for success
    
    Reviewed-by: Zane van Iperen <zane at zanevaniperen.com>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit c4a4fe938d435de9e9126d7e151fc370a6f5ee72)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ffa5b1f1164efbc519a2873aea68e695e40c02d5
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Thu Aug 6 00:44:55 2020 +0200

    avformat/vividas: Check return value before storing it in smaller type
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit a3dced69c8e0759d7cfd74e88f16c357d731b75c)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=22cb13d4c507a7a48286b82d56fc455f5d4f1023
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Wed Jul 15 00:06:10 2020 +0200

    avformat/webmdashenc: Avoid allocations, fix memleak
    
    When using the WebM DASH Manifest muxer, every stream of each adaptation
    set has to contain a metadata entry containing the filename of the
    source file. In case of live stream manifests, said filename has to
    conform to a pattern of
    <file_description>_<representation_id>.<extension>. These pieces are
    used to create the other strings that are actually output. Up until now,
    these other strings would be allocated, used once and then freed
    directly after usage. This commit changes this: The function that
    allocated and assembled these strings now returns pointers to the '_'
    and '.' delimiters so that the caller can easily pick substrings
    from it without needing to copy the string.
    
    Avoiding allocations also fixes a memleak: One of the allocated strings
    would leak upon a subsequent allocation failure.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit f163b2eb27d88cb39a1860a8c1554b4952a50a71)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9d5c7e067510f57378e8ba18321991457b0c275a
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Tue Jul 14 22:49:15 2020 +0200

    avformat/webmdashenc: Fix segfault when no filename is given when live
    
    by checking a bit earlier.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit c1fab8637e4bd9e0f09ae31247b709a22dafa440)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e114a337be61e3c37f74c15c196bcb9ba6b6300d
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Sun Jul 19 10:16:33 2020 +0200

    avformat/matroskadec: Avoid undefined pointer arithmetic
    
    The Matroska demuxer currently always opens a GetByteContext to read the
    content of the projection's private data buffer; it does this even if
    there is no private data buffer in which case opening the GetByteContext
    will lead to a NULL + 0 which is undefined behaviour.
    Furthermore, in this case the code relied both on the implicit checks
    of the bytestream2 API as well as on the fact that it returns zero
    if there is not enough data available.
    
    Both of these issues have been addressed by not using the bytestream API
    any more; instead the data is simply read directly by using AV_RB. This
    is possible because the offsets are constants.
    
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 880519c1de3f2bfad04e6fef93e0bf41129ff99e)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f25caec87f0c9409b320e63202145ce4ae5d8929
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Jul 20 07:24:53 2020 +0200

    avformat/mxfdec: Fix memleak upon repeating tags
    
    When parsing MXF encountering some tags leads to allocations. And when
    these tags were encountered repeatedly, this could lead to memleaks,
    because the pointer to the old data got simply overwritten with a
    pointer to the new data (or to NULL on allocation failure). This has
    been fixed.
    
    Reviewed-by: Tomas Härdin <tjoppen at acc.umu.se>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 28ce651c6d53866c1b8c3b49b8b66a2e967aa273)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6918d1281cef12f17171242f3536ce00a8d1cdcc
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Jul 20 06:20:29 2020 +0200

    avformat/mxfdec: Fix memleak when parsing tag fails
    
    The MXF demuxer uses an array of pointers to different structures of
    metadata (all containing a common initial sequence containing a type
    field to distinguish them) and some of these structures contain pointers
    to separately allocated subelements. If an error happens while reading
    and creating the tags, the semi-finished new tag is freed using the
    function to free these tags. But this function doesn't free the already
    allocated subelements, because the type has not been set yet. This commit
    changes this.
    
    Reviewed-by: Tomas Härdin <tjoppen at acc.umu.se>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 78f21cab188a094d42520bcad9686c3b5afa844b)

URL:    http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e7eedf294db371b2fbe1bcc1f6a6772db40fedb
Author: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
Date:   Mon Jul 20 02:46:09 2020 +0200

    avformat/mxfdec: Fix memleak when adding element to array fails
    
    Said array contains pointers to other structs and both the designated
    new element as well as other stuff contained in it (e.g. strings) leak
    if the new element can't be added to the array.
    
    Reviewed-by: Tomas Härdin <tjoppen at acc.umu.se>
    Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
    (cherry picked from commit 49e78548c35be84200ea9f617c4b5b2f58c7e6f6)



