Some of the test cases of #1780 cause uninitialized memory to be written
to the output file due to incomplete reads. This causes subsequent tests
to fail their checksums. Therefore only record the fact that they've
completed successfully.
The three arrays delta_poc[], user[] and ref_id[] all have 17
entries. Therefore the loop limits determined by num_pics,
num_positive_pics and num_negative_pics must be checked for validity
before iterating over the arrays.
Fixes the following test cases of #1780:
explorer🆔000110,sig:11,src:000003,op:flip1,pos:0
explorer🆔000699,sig:11,src:002364,op:flip1,pos:138
Prevents an uncaught exception in the AAC packetizer as it requires the
sample rate to be set properly. Fixes the following test case of #1780:
explorer🆔000019,sig:06,src:000000,op:flip2,pos:2
No one guarantees us that the duration map size & number values really
sum to no more than the number of sample table entries in the
file. Therefore check the current sample table index against the sample
table's size before accessing the table.
Fixes the following test cases of #1780:
explorer🆔000011,sig:11,src:000001,op:flip1,pos:42
explorer🆔000012,sig:11,src:000001,op:flip1,pos:13438
explorer🆔000014,sig:11,src:000001,op:flip1,pos:13457
explorer🆔000030,sig:11,src:000001,op:flip1,pos:13798
explorer🆔000031,sig:11,src:000001,op:flip1,pos:13798
explorer🆔000032,sig:11,src:000001,op:flip1,pos:13798
explorer🆔000063,sig:06,src:000001,op:arith8,pos:13794,val:-13
explorer🆔000083,sig:06,src:000005,op:flip1,pos:3
explorer🆔000097,sig:06,src:000005,op:flip1,pos:13730
explorer🆔000129,sig:06,src:000005,op:flip1,pos:13801
explorer🆔000144,sig:11,src:000005,op:flip2,pos:13866
explorer🆔000231,sig:11,src:000005,op:havoc,rep:16
explorer🆔000261,sig:11,src:000013,op:arith8,pos:13647,val:+7
explorer🆔000318,sig:11,src:000287,op:flip2,pos:13797
explorer🆔000323,sig:06,src:000314,op:flip1,pos:13731
explorer🆔000324,sig:06,src:000314,op:havoc,rep:64
explorer🆔000347,sig:06,src:000426,op:flip1,pos:13797
explorer🆔000353,sig:11,src:000426,op:flip1,pos:13823
explorer🆔000354,sig:11,src:000426,op:flip1,pos:13825
explorer🆔000357,sig:11,src:000426,op:flip2,pos:13825
explorer🆔000358,sig:06,src:000426,op:flip2,pos:13826
The sps_t structure contains an array of 64 short_term_ref_pic_sets_t
elements. Therefore at most 63 may be added to the base pointer
short_term_ref_pic_sets for accessing one of those elements.
Fixes the following test cases of #1780:
explorer🆔000494,sig:11,src:001249,op:flip1,pos:63
explorer🆔000496,sig:06,src:001249,op:flip1,pos:92
explorer🆔000502,sig:06,src:001249,op:int8,pos:100,val:+32
explorer🆔000605,sig:11,src:001741,op:int32,pos:29,val:+0
explorer🆔000676,sig:06,src:002253,op:ext_AO,pos:101
explorer🆔000784,sig:11,src:002818,op:ext_AO,pos:103
explorer🆔000830,sig:11,src:003020,op:flip1,pos:103
explorer🆔000831,sig:11,src:003020,op:flip1,pos:104
explorer🆔000834,sig:11,src:003020,op:havoc,rep:2
explorer🆔000882,sig:11,src:003246,op:flip1,pos:123
explorer🆔000884,sig:11,src:003246,op:int8,pos:121,val:-128
explorer🆔000886,sig:06,src:003248,op:flip1,pos:106
explorer🆔000935,sig:11,src:003528,op:flip4,pos:130
explorer🆔000936,sig:11,src:003528,op:flip32,pos:127
explorer🆔000937,sig:11,src:003528,op:arith8,pos:130,val:+5
explorer🆔000938,sig:11,src:003528,op:int32,pos:127,val:+100
explorer🆔000939,sig:11,src:003528,op:int32,pos:128,val:+1
explorer🆔000974,sig:11,src:003742,op:flip1,pos:123
explorer🆔000975,sig:11,src:003746,op:flip1,pos:130
explorer🆔000976,sig:11,src:003746,op:flip1,pos:130
explorer🆔000977,sig:11,src:003746,op:flip1,pos:133
explorer🆔000978,sig:11,src:003746,op:flip1,pos:133
explorer🆔000979,sig:11,src:003746,op:flip2,pos:134
explorer🆔000980,sig:11,src:003746,op:arith8,pos:133,val:-3
explorer🆔001003,sig:11,src:003976,op:flip1,pos:127
explorer🆔001019,sig:11,src:004180,op:flip1,pos:9
explorer🆔001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
explorer🆔001021,sig:11,src:004180,op:havoc,rep:2
Several classes rely on other classes' and variables' presence during
their destruction. The most prominent case is various sub-classes of
mm_io_c using the debugging facilities, e.g. debugging_c. Therefore
debugging_c must still work when mm_io_c instances are closed.
Otherwise access to invalid memory will occur (a use after free),
e.g. by the destructor of mm_io_c calling debugging_c::operator()
accessing a std::vector or std::unordered_map that's already been
destructed.
For mkvmerge this means that ::exit() must not be called before all
instances of mm_io_c have been closed. This commit moves in that
direction by explicitly closing several resources stored in global
variables in the proper order before calling ::exit().
Fixes the following cases of #1780:
explorer🆔000000,sig:11,src:000000,op:flip1,pos:1
explorer🆔000001,sig:11,src:000000,op:flip1,pos:2
explorer🆔000608,sig:06,src:001761,op:int8,pos:135,val:-128
explorer🆔000738,sig:11,src:002531,op:int32,pos:126,val:be:+1
explorer🆔000740,sig:06,src:002531,op:ext_AO,pos:99
In its core mkvmerge uses a pull model: it iterates over each packetizer
and asks it to produce a packet. The packetizer passes that request on
to the reader it belongs to. The reader will then read the next frame
for the track corresponding to the packetizer and pass that data back to
the packetizer.
However, several container formats (e.g. MPEG PS, Matroska, Ogg and
others) do not allow arbitrary access to the frames for each
track. Instead mkvmerge has to read them from front to back. In such a
case the reader ignores the packetizer and simply reads the next frame,
whichever packetizer that might belong to.
This is problematic with sparse tracks. For those the packetizer will
repeatedly call the reader's read() method, but the read() method will
only produce data for the other tracks in that file. That data is then
buffered in those tracks' packetizers.
In order to limit that memory usage the readers/packetizers know a state
known as "holding" — meaning a lot of data has been buffered and no data
for this packetizer has been found yet.
The actual problem occurred when all packetizers for a file were holding
and no packets were present for any of those packetizers:
- The packetizers run empty on data.
- The reader sees too much data had been buffered and enters "holding"
state.
- The core only saw packetizers that don't have any data anymore and
concluded that it was done.
This commit changes the behavior to force a pull in such a
situation (which the readers already provided for — it was just that the
code never opted to force the pull). This will allow the reader to
exceed its allotted memory usage and deliver more data.
A fixed, non-eliding label will have a minimum width of the text it's
displaying. When such a label is used for displaying a chapter's name
then the window will in turn become very wide.
Fixes#1760.
