The branch, release/7.1 has been updated
       via  6486588d79c5468bfe1077bb32e4db4e92094e1c (commit)
       via  efd6f75cfcc3f5d74537db793e3ca77887df54aa (commit)
       via  431e580424d434e7debc755f1e7c0cb5d1172a7f (commit)
       via  0f843a8f6227159cd764f965bf64075c89d62155 (commit)
       via  a218e6a6e5bfbd35319d72e25b8980ed311948a9 (commit)
       via  f1b3d804db08509fa122bb56fa28f52cb7ae42ac (commit)
       via  51b5e19aa5346377b7f75d00d7db97665c835108 (commit)
       via  4e8fb530ef79dec2cf2783dfa10ae2d9b869e8ed (commit)
       via  92a1f67e01c86056c5929ae8f80b3bcdee095a67 (commit)
       via  a4a27d464588e51429981ec653299fd5cff8e290 (commit)
       via  6381c606285bc98f3365c661ce3183d1cf98d800 (commit)
       via  2b2e23ff91fe48bd1683f255cad9773a91eac661 (commit)
       via  6f179470b20ff7839e67ef601a2f4e01bac615d7 (commit)
       via  c0bf64e0093027c3ab56ff86a69aada9fd30c572 (commit)
       via  56913de807303c6c4e5ba693c04dbe5cc73225d8 (commit)
       via  e86132d237b3777cdf47b3a73d55a78621bd8dce (commit)
       via  ceae7a83532260170b110f954d8ae4d53e0f004a (commit)
       via  19877054e340e2babb7ef0d00e81c12bfeb19391 (commit)
       via  a6ac0c6841c5205393513961ad9cdc3a8ba17b35 (commit)
       via  638cafa70b18581f4bc482ac2cf57b55d3a311d5 (commit)
       via  3934ab4ee2a2390cf0778c6e64014d0af8659a51 (commit)
       via  b40c6910255085f661c6ed53b9abd3efb8698c53 (commit)
       via  d94cce9ee060c0799c0d74d747b11ca657426943 (commit)
       via  26115ca03dd65e7e1b83e274293590f163320f86 (commit)
      from  5418fbb7f44a7b63aec5ea768c6069045078d5fd (commit)


- Log -----------------------------------------------------------------
commit 6486588d79c5468bfe1077bb32e4db4e92094e1c
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 1 01:29:32 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:55 2025 +0100

    avfilter/vf_drawtext: Account for bbox text seperator
    
    Fixes: out of array access
    no test case
    
    Found-by: Joshua Rogers <[email protected]> with ZeroPath
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index daaa1fd83a..232e4015fb 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -1017,7 +1017,7 @@ static av_cold int init(AVFilterContext *ctx)
             av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use 
text_source only\n");
             av_free(s->text);
         }
-        s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+        s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
                              (AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
         if (!s->text)
             return AVERROR(ENOMEM);
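Review bot: The sizing expression on the added `av_mallocz` line encodes a layout assumption that is not written down: one label of at most AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE bytes plus separator room per entry. The code that fills `s->text` is outside this hunk, so whether one extra byte per label covers the whole separator cannot be confirmed from here. I would add a comment above the allocation, e.g. `/* detect label + AV_NUM_DETECTION_BBOX_CLASSIFY classify labels, each with room for the separator; terminating NUL included */`. Where the labels are appended, a length-bounded append would stop a later separator change from overrunning the buffer again.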

commit efd6f75cfcc3f5d74537db793e3ca77887df54aa
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:31:40 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:55 2025 +0100

    avcodec/mediacodecdec_common: Check that the input to 
mediacodec_wrap_sw_audio_buffer() contains channel * sample_size
    
    Fixes: out of array access
    no testcase
    
    Found-by: Joshua Rogers <[email protected]> with ZeroPath
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 41a9c6ec5f75d8737da3e38223b8c4e923703401)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/mediacodecdec_common.c 
b/libavcodec/mediacodecdec_common.c
index 8a270f2f29..842a7d2bba 100644
--- a/libavcodec/mediacodecdec_common.c
+++ b/libavcodec/mediacodecdec_common.c
@@ -385,6 +385,12 @@ static int mediacodec_wrap_sw_audio_buffer(AVCodecContext 
*avctx,
         goto done;
     }
 
+    if (info->size % (sample_size * avctx->ch_layout.nb_channels)) {
+        av_log(avctx, AV_LOG_ERROR, "input is not a multiple of channels * 
sample_size\n");
+        ret = AVERROR(EINVAL);
+        goto done;
+    }
+
     frame->format = avctx->sample_fmt;
     frame->sample_rate = avctx->sample_rate;
     frame->nb_samples = info->size / (sample_size * 
avctx->ch_layout.nb_channels);
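Review bot: The new modulo check and the existing `nb_samples` division both divide by `sample_size * avctx->ch_layout.nb_channels`, and nothing in the visible lines shows that this product is non-zero. If either factor can be 0 here, the added `%` is itself a division by zero. Computing the product once, e.g. `const int frame_bytes = sample_size * avctx->ch_layout.nb_channels;`, and rejecting `frame_bytes <= 0 || info->size % frame_bytes` would cover both uses. The function starts and ends outside the hunk, so an earlier guard may already exist.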

commit 431e580424d434e7debc755f1e7c0cb5d1172a7f
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 23:22:56 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:55 2025 +0100

    avcodec/utvideodec: Set B for the width= 1 case in 
restore_median_planar_il()
    
    Fixes: use of uninitialized memory
    Fixes: 
439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
    
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index bc02ac44d5..098706b705 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -457,7 +457,7 @@ static void restore_median_planar_il(UtvideoContext *c, 
uint8_t *src, ptrdiff_t
         // second line - first element has top prediction, the rest uses median
         C        = bsrc[-stride2];
         bsrc[0] += C;
-        A        = bsrc[0];
+        A = B    = bsrc[0];
         for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need 
align 16) */
             B        = bsrc[i - stride2];
             bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
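Review bot: The reason for `A = B = bsrc[0];` is not visible at the point of use: B is otherwise assigned only inside the scalar loop, which does not execute when width is 1. A short comment on that line, e.g. `// B is read after the loop; set it here for width == 1, where the loop body never runs`, would keep a later cleanup from dropping the assignment again. The read of B after the loop is outside this hunk, so that part is taken from the commit message.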

commit 0f843a8f6227159cd764f965bf64075c89d62155
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sun Jul 13 01:34:17 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:55 2025 +0100

    avcodec/osq: Fix 32bit sample overflow
    
    Fixes: signed integer overflow: 2147483565 + 128 cannot be represented in 
type 'int'
    Fixes: 
428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096
    
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 08816b93760f43433a07e980fa9eeab4135de78c)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index fbb879ec8d..39743acbcc 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -390,7 +390,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame 
*frame)
             int32_t *src = s->decode_buffer[ch] + OFFSET;
 
             for (int n = 0; n < nb_samples; n++)
-                dst[n] = av_clip_uint8(src[n] + 0x80);
+                dst[n] = av_clip_uint8(src[n] + 0x80ll);
         }
         break;
     case AV_SAMPLE_FMT_S16P:
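Review bot: Widening the addition to `long long` removes the signed overflow, but the sum is narrowed again when it is passed to `av_clip_uint8()`, which as far as I know takes an `int`. For the value quoted in the commit message (2147483565 + 128) that conversion is implementation-defined and typically wraps to a negative number, so the sample would clip to 0 rather than 255. Clipping in 64 bits keeps the saturation direction correct, for example `dst[n] = av_clip64(src[n] + 0x80ll, 0, 255);`.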

commit a218e6a6e5bfbd35319d72e25b8980ed311948a9
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:55 2025 +0100

    avformat/rtpdec_rfc4175: Only change PayloadContext on success
    
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 4ad69500aa..b49fc55d2d 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
 
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
 #include "libavutil/avstring.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
@@ -173,33 +174,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, 
AVStream *stream,
 }
 
 static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
-                                  PayloadContext *data, const char *line)
+                                  PayloadContext *data_arg, const char *line)
 {
     const char *p;
 
     if (st_index < 0)
         return 0;
 
+    av_assert0(!data_arg->sampling);
+
     if (av_strstart(line, "fmtp:", &p)) {
         AVStream *stream = s->streams[st_index];
+        PayloadContext data0 = *data_arg, *data = &data0;
         int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
 
+        if (!data->sampling || !data->depth || !data->width || !data->height)
+            ret =  AVERROR(EINVAL);
+
         if (ret < 0)
-            return ret;
+            goto fail;
 
         ret = av_image_check_size(data->width, data->height, 0, s);
         if (ret < 0)
-            return ret;
-
-        if (!data->sampling || !data->depth || !data->width || !data->height)
-            return AVERROR(EINVAL);
+            goto fail;
 
         stream->codecpar->width = data->width;
         stream->codecpar->height = data->height;
 
         ret = rfc4175_parse_format(stream, data);
         av_freep(&data->sampling);
-
+        if (ret >= 0)
+            *data_arg = *data;
+fail:
+        av_freep(&data->sampling);
         return ret;
     }
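Review bot: The `av_freep(&data->sampling)` kept before `*data_arg = *data` looks redundant next to the one at `fail:`, but it is what guarantees the caller's context never receives a pointer that is freed two lines later. That ordering deserves a comment, e.g. `/* sampling must be NULL before the copy so data_arg never keeps a freed pointer */`. Separately, `av_assert0(!data_arg->sampling)` aborts the process on a path that handles SDP text from the peer. If any path outside this hunk can leave `sampling` set, returning `AVERROR_BUG` would fail more gracefully than an abort.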
 

commit f1b3d804db08509fa122bb56fa28f52cb7ae42ac
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:54 2025 +0100

    avformat/rtpdec_rfc4175: Check dimensions
    
    Fixes: out of array access
    Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
    
    Found-by: Joshua Rogers <[email protected]>
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index c41e4f19e0..4ad69500aa 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
 #include "avio_internal.h"
 #include "rtpdec_formats.h"
 #include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
 #include "libavutil/mem.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/parseutils.h"
@@ -186,6 +187,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int 
st_index,
         if (ret < 0)
             return ret;
 
+        ret = av_image_check_size(data->width, data->height, 0, s);
+        if (ret < 0)
+            return ret;
 
         if (!data->sampling || !data->depth || !data->width || !data->height)
             return AVERROR(EINVAL);
@@ -296,6 +300,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx, 
PayloadContext *data,
         if (data->interlaced)
             line = 2 * line + field;
 
+        if (line >= data->height)
+            return AVERROR_INVALIDDATA;
+
         /* prevent ill-formed packets to write after buffer's end */
         copy_offset = (line * data->width + offset) * data->pgroup / 
data->xinc;
         if (copy_offset + length > data->frame_size || !data->frame)
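Review bot: The added `line >= data->height` check bounds the row, but `offset` is not compared with `data->width` anywhere in the visible lines. A packet could therefore still address bytes past the end of its own scan line as long as the write stays inside `frame_size`. If `offset` is not validated earlier in `rfc4175_handle_packet` (the function starts outside this hunk), extending the guard to `if (line >= data->height || offset >= data->width)` would close that. A comment next to `copy_offset` should also say that the `int` arithmetic presumably relies on the `av_image_check_size()` call made at SDP parsing time.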

commit 51b5e19aa5346377b7f75d00d7db97665c835108
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:54 2025 +0100

    avformat/rtpdec_rfc4175: Fix memleak of sampling
    
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index d6260ab69e..c41e4f19e0 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -128,7 +128,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream 
*stream,
         data->width = atoi(value);
     else if (!strncmp(attr, "height", 6))
         data->height = atoi(value);
-    else if (!strncmp(attr, "sampling", 8))
+    else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
         data->sampling = av_strdup(value);
     else if (!strncmp(attr, "depth", 5))
         data->depth = atoi(value);
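Review bot: Folding the NULL test into the `sampling` branch fixes the leak, but a repeated `sampling` attribute is now skipped silently and the result of `av_strdup()` is still unchecked. An allocation failure only surfaces later as a missing parameter (EINVAL in the caller, going by the other hunks on this page) instead of ENOMEM. Checking inside the branch, e.g. `if (!data->sampling) return AVERROR(ENOMEM);` right after the `av_strdup()` call, makes the failure explicit; the branch then needs braces. The surrounding `atoi()` calls also accept malformed or negative numbers without any error indication, and the function continues outside the hunk.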

commit 4e8fb530ef79dec2cf2783dfa10ae2d9b869e8ed
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 17:32:56 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:54 2025 +0100

    avformat/http: Fix off by 1 error
    
    Fixes: out of array access
    Fixes: zeropath/off-by-one-one-byte
    
    Found-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/http.c b/libavformat/http.c
index ec60bc0b17..b674171d3c 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1849,7 +1849,7 @@ static int store_icy(URLContext *h, int size)
             ret = http_read_stream_all(h, data, len);
             if (ret < 0)
                 return ret;
-            data[len + 1] = 0;
+            data[len] = 0;
             if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
                 return ret;
             update_metadata(h, data);
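Review bot: `data[len] = 0` is in bounds only if `data` has room for `len + 1` bytes, and neither the declaration of `data` nor the computation of `len` is inside this hunk. Since this invariant was just violated by one byte, I would state it where the buffer is declared, e.g. `/* largest ICY metadata block plus terminating NUL */`. If `data` is a local array, an explicit `if (len >= sizeof(data)) return AVERROR_INVALIDDATA;` before the read would enforce it. `store_icy` starts and ends outside the hunk.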

commit 92a1f67e01c86056c5929ae8f80b3bcdee095a67
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:54 2025 +0100

    avcodec/exr: spelling
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index ac02e09dfb..c9d22435f4 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -175,7 +175,7 @@ typedef struct EXRContext {
     int is_luma;/* 1 if there is an Y plane */
 
 #define M(chr) (1<<chr - 'A')
-    int has_channel; ///< combinatin of flags representing the channel codes 
A-Z
+    int has_channel; ///< combination of flags representing the channel codes 
A-Z
 
     GetByteContext gb;
     const uint8_t *buf;

commit a4a27d464588e51429981ec653299fd5cff8e290
Author:     veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:54 2025 +0100

    avcodec/exr: use tile dimensions in pxr24 UINT case
    
    Update the EXR_UINT case of the switch statement in pxr24_uncompress to
    use the tile width td->xsize instead of the full window width
    s->xdelta. s->xdelta is larger than td->xsize, which led to two
    buffer overflows when interacting with the ptr variable in the same
    switch statement.
    
    Fixes: out of bounds read and write
    Found-by: veygax's insomnia network (INSOMNIA-1)
    Signed-off-by: veygax <[email protected]>
    (cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index a1fb69aa97..ac02e09dfb 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -743,12 +743,12 @@ static int pxr24_uncompress(const EXRContext *s, const 
uint8_t *src,
                 break;
             case EXR_UINT:
                 ptr[0] = in;
-                ptr[1] = ptr[0] + s->xdelta;
-                ptr[2] = ptr[1] + s->xdelta;
-                ptr[3] = ptr[2] + s->xdelta;
-                in     = ptr[3] + s->xdelta;
+                ptr[1] = ptr[0] + td->xsize;
+                ptr[2] = ptr[1] + td->xsize;
+                ptr[3] = ptr[2] + td->xsize;
+                in     = ptr[3] + td->xsize;
 
-                for (j = 0; j < s->xdelta; ++j) {
+                for (j = 0; j < td->xsize; ++j) {
                     uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
                     (*(ptr[1]++) << 16) |
                     (*(ptr[2]++) << 8 ) |

commit 6381c606285bc98f3365c661ce3183d1cf98d800
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:20:36 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avcodec/exr: Simple check for available channels
    
    The existing is_luma check is fragile as depending on the order
    of channels it can be set or reset
    
    No testcase
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c90d12b618..a1fb69aa97 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -174,6 +174,9 @@ typedef struct EXRContext {
 
     int is_luma;/* 1 if there is an Y plane */
 
+#define M(chr) (1<<chr - 'A')
+    int has_channel; ///< combinatin of flags representing the channel codes 
A-Z
+
     GetByteContext gb;
     const uint8_t *buf;
     int buf_size;
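Review bot: The new `M(chr)` macro leaves its argument unparenthesized and relies on `-` binding tighter than `<<`. `(1<<chr - 'A')` works for the single-character arguments used in this commit but breaks for any expression argument; `#define M(chr) (1 << ((chr) - 'A'))` is the safe spelling. Because it is defined in the middle of the struct with a one-letter name, it also stays visible for the rest of the file. A more specific name, or an `#undef` after the last use, would avoid collisions.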
@@ -1595,6 +1598,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
     s->is_tile            = 0;
     s->is_multipart       = 0;
     s->is_luma            = 0;
+    s->has_channel        = 0;
     s->current_part       = 0;
 
     if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1698,23 +1702,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                 }
 
                 if (layer_match) { /* only search channel if the layer match 
is valid */
+                    if (strlen(ch_gb.buffer) == 1) {
+                        int ch_chr = av_toupper(*ch_gb.buffer);
+                        if (ch_chr >= 'A' && ch_chr <= 'Z')
+                            s->has_channel |= M(ch_chr);
+                        av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+                    }
+
                     if (!av_strcasecmp(ch_gb.buffer, "R") ||
                         !av_strcasecmp(ch_gb.buffer, "X") ||
                         !av_strcasecmp(ch_gb.buffer, "U")) {
                         channel_index = 0;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "G") ||
                                !av_strcasecmp(ch_gb.buffer, "V")) {
                         channel_index = 1;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
                         channel_index = 1;
-                        s->is_luma = 1;
                     } else if (!av_strcasecmp(ch_gb.buffer, "B") ||
                                !av_strcasecmp(ch_gb.buffer, "Z") ||
                                !av_strcasecmp(ch_gb.buffer, "W")) {
                         channel_index = 2;
-                        s->is_luma = 0;
                     } else if (!av_strcasecmp(ch_gb.buffer, "A")) {
                         channel_index = 3;
                     } else {
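Review bot: The debug `av_log` in the new `strlen(ch_gb.buffer) == 1` block prints the channel byte with `%c` even when it is outside 'A'..'Z', so an arbitrary byte from the file reaches the log unescaped. Moving the log inside the range check, or printing the value as `0x%02x`, keeps control characters out of debug output. The rest of `decode_header` is outside this hunk.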
@@ -1790,6 +1797,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
                     s->current_channel_offset += 4;
                 }
             }
+            if        (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+                s->is_luma = 0;
+            } else if (!((M('Y')                  ) & ~s->has_channel) &&
+                       !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X') 
+ M('Z')) &  s->has_channel)) {
+                s->is_luma = 1;
+            } else {
+                avpriv_request_sample(s->avctx, "Uncommon channel 
combination");
+                ret = AVERROR(AVERROR_PATCHWELCOME);
+                goto fail;
+            }
 
             /* Check if all channels are set with an offset or if the channels
              * are causing an overflow  */
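Review bot: `ret = AVERROR(AVERROR_PATCHWELCOME);` wraps a value that is already a negative FFmpeg error code. With the usual definition of `AVERROR(e)` as `-(e)` this yields a positive number, so a caller testing `ret < 0` would not see the failure; whether the `fail:` label (outside this hunk) normalizes it is not visible. It should read `ret = AVERROR_PATCHWELCOME;`, as the DWA check elsewhere on this page does. The four bit tests would also be easier to audit with named masks, e.g. `const int rgb = M('R') | M('G') | M('B');`.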

commit 2b2e23ff91fe48bd1683f255cad9773a91eac661
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:08:45 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avformat/sctp: Check size in sctp_write()
    
    Fixes: out of array access
    No testcase
    
    Found-by: Joshua Rogers <[email protected]> with ZeroPath
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 9d9e90097e..f39ba7ebe0 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf, 
int size)
     }
 
     if (s->max_streams) {
+        if (size < 2)
+            return AVERROR(EINVAL);
+
         /*StreamId is introduced as a 2byte code into the stream*/
         struct sctp_sndrcvinfo info = { 0 };
         info.sinfo_stream           = AV_RB16(buf);

commit 6f179470b20ff7839e67ef601a2f4e01bac615d7
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avformat/rtmpproto: consider command line argument lengths
    
    Fixes: out of array access
    Fixes: zeropath/rtmp-2025-10
    
    Found-by: Joshua Rogers <[email protected]>
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 8055a9fbee..8a568271c8 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -163,6 +163,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket 
*pkt);
 static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
 static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
 
+static size_t zstrlen(const char *c)
+{
+    if(c)
+        return strlen(c);
+    return 0;
+}
+
 static int add_tracked_method(RTMPContext *rt, const char *name, int id)
 {
     int err;
@@ -327,7 +334,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
     int ret;
 
     if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
-                                     0, 4096 + APP_MAX_LENGTH)) < 0)
+                                     0, 4096 + APP_MAX_LENGTH
+                                     + strlen(rt->auth_params) + 
strlen(rt->flashver)
+                                     + zstrlen(rt->enhanced_codecs)/5*7
+                                     + zstrlen(rt->swfurl)
+                                     + zstrlen(rt->swfverify)
+                                     + zstrlen(rt->tcurl)
+                                     + zstrlen(rt->auth_params)
+                                     + zstrlen(rt->pageurl)
+                                     + zstrlen(rt->conn)*3
+                                     )) < 0)
         return ret;
 
     p = pkt.data;
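Review bot: The new size expression mixes `strlen()` and `zstrlen()` on the same field: `rt->auth_params` is measured once with plain `strlen` and again with `zstrlen`, and `rt->flashver` only with `strlen`. If either can be NULL the plain call is undefined behaviour; if neither can, the `zstrlen(rt->auth_params)` term just counts the string twice. The factors `/5*7` for `enhanced_codecs` and `*3` for `conn` need a comment saying which encoding overhead they cover. The `size_t` sum is also presumably narrowed to an `int` parameter, so very long options deserve an upper bound before the call. The `write_status` hunk in the same commit uses `strlen(status)` and `strlen(description)` under the same non-NULL assumption.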
@@ -1900,7 +1916,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
 
     if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
                                      RTMP_PT_INVOKE, 0,
-                                     RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+                                     RTMP_PKTDATA_DEFAULT_SIZE
+                                     + strlen(status) + strlen(description)
+                                     + zstrlen(details))) < 0) {
         av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
         return ret;
     }

commit c0bf64e0093027c3ab56ff86a69aada9fd30c572
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avformat/rtmpproto_ Check tcurl and flashver length
    
    Fixes: out of array accesses
    
    Reviewed-by: Joshua Rogers <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 91f18b6088..8055a9fbee 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2833,6 +2833,12 @@ reconnect:
                     "FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
         }
     }
+    if (   strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+        || strlen(rt->tcurl   ) >    TCURL_MAX_LENGTH
+    ) {
+        ret = AVERROR(EINVAL);
+        goto fail;
+    }
 
     rt->receive_report_size = 1048576;
     rt->bytes_read = 0;
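Review bot: The new length check fails with a bare `AVERROR(EINVAL)` and no log line, so a user who passes an over-long `flashver` or `tcurl` gets no hint which option was rejected. An `av_log` call at AV_LOG_ERROR that names the offending option and its limit, placed before the `goto fail`, would fix that. Whether `>` is the right boundary depends on whether FLASHVER_MAX_LENGTH and TCURL_MAX_LENGTH count the terminating NUL. Their definitions and uses are outside this hunk, so it is worth confirming that a string of exactly the maximum length fits everywhere it is copied.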

commit 56913de807303c6c4e5ba693c04dbe5cc73225d8
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Tue Oct 7 01:58:34 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avcodec/g723_1enc: Make min_err 64bit
    
    This is intending to fix the case described in 
https://lists.ffmpeg.org/archives/list/[email protected]/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
    Where FCBParam optim is used uninitialized
    
    A min_err of 1<<30 allows the struct to never be initialized, as every
    err (which is int32_t) can be larger than min_err. By raising min_err
    above the int32_t range this is no longer possible.
    
    Untested, as i do not have the testcase
    
    Signed-off-by: Michael Niedermayer <[email protected]>i
    (cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
  * Optimized fixed codebook excitation parameters
  */
 typedef struct FCBParam {
-    int min_err;
+    int64_t min_err;
     int amp_index;
     int grid_index;
     int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index be80153130..d686c4befa 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t 
*impulse_resp,
     int pulse_cnt = pulses[index];
     int i;
 
-    optim.min_err = 1 << 30;
+    optim.min_err = 1LL << 31;
     get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
 
     if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
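Review bot: `1LL << 31` works as a sentinel only because it sits just above the largest `int32_t` error value, and nothing on the line says so. `optim.min_err = INT64_MAX;` or a comment like `/* above any int32_t err, so the first candidate always initializes optim */` would state the intent. The comparison against `min_err` happens in `get_fcb_param`, which is outside this hunk. It should be checked that `err` is not widened or accumulated there in a way that can reach the sentinel.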

commit e86132d237b3777cdf47b3a73d55a78621bd8dce
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 12:49:49 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:53 2025 +0100

    avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
    
    Fixes: use of uninitialized memory
    Fixes: 
427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689
    Fixes: 
445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632
    
    the multi vlc code will otherwise return uninitialized data. Now one can 
argue that this data should
    not be used, but on errors this data can remain ...
    
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit d8ffec5bf9a2803f55cc0822a97b7815f24bee83)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index f46ecbb55e..7209724dc2 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -527,7 +527,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI 
*multi, int nb_bits, int
     if (ret < 0)
         return ret;
 
-    multi->table = av_malloc(sizeof(*multi->table) << nb_bits);
+    multi->table = av_mallocz(sizeof(*multi->table) << nb_bits);
     if (!multi->table)
         goto fail;
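Review bot: The allocation size is still computed as `sizeof(*multi->table) << nb_bits` with no visible bound on `nb_bits`, so the shift can overflow `size_t` before `av_mallocz` sees it. `av_calloc((size_t)1 << nb_bits, sizeof(*multi->table))` zeroes the table as well and adds the multiplication overflow check. The shift width itself still needs a range check if callers do not already guarantee one. The function starts and ends outside this hunk.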
 

commit ceae7a83532260170b110f954d8ae4d53e0f004a
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 24 20:29:23 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    avformat/rtpenc_h264_hevc: Check space for nal_length_size in 
ff_rtp_send_h264_hevc()
    
    Fixes: memcpy with negative size
    Fixes: momo_trip-poc/input
    
    Reported-by: Momoko Shiraishi <[email protected]>
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 4d222dca75..38d508fe8f 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -196,6 +196,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const 
uint8_t *buf1, int size)
             r1 = ff_nal_mp4_find_startcode(r, end, s->nal_length_size);
             if (!r1)
                 r1 = end;
+            // Check that the last is not truncated
+            if (r1 - r < s->nal_length_size)
+                break;
             r += s->nal_length_size;
         } else {
             while (!*(r++));
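Review bot: The new truncation check leaves the loop with a bare `break`, so a malformed trailing NAL is dropped without any trace. Since `ff_rtp_send_h264_hevc` returns void, a warning is the only way an operator learns the input was cut short. Something like `av_log(s1, AV_LOG_WARNING, "Truncated NAL length field, dropping remaining data\n");` before the `break` would do. Writing the comparison as `r1 - r < (ptrdiff_t)s->nal_length_size` would also make clear that the test is meant to be signed; the declaration of `nal_length_size` is not in the hunk.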

commit 19877054e340e2babb7ef0d00e81c12bfeb19391
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:32:45 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
    
    Found-by: colod colod <[email protected]>
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libswscale/output.c b/libswscale/output.c
index 2172e4b53b..1ddbee9b2b 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -965,7 +965,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t 
*lumFilter,
         int A = 0xffff;
 
         for (j = 0; j < lumFilterSize; j++)
-            Y += lumSrc[j][i] * lumFilter[j];
+            Y += lumSrc[j][i] * (unsigned)lumFilter[j];
 
         Y >>= 15;
         Y += (1<<3) + 0x8000;
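Review bot: The `(unsigned)` cast on `lumFilter[j]` makes the multiply-accumulate wrap instead of overflowing, but the sum is then converted back to what is presumably a signed accumulator. That conversion is implementation-defined for out-of-range values and silently yields a wrapped sample. A comment such as `/* unsigned arithmetic: wraparound on extreme coefficients is intended, signed overflow would be UB */` would record that this is deliberate. The same applies to the alpha accumulation in the second hunk of this commit. `yuv2ya16_X_c_template` starts and ends outside both hunks.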
@@ -974,7 +974,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t 
*lumFilter,
         if (hasAlpha) {
             A = -0x40000000 + (1<<14);
             for (j = 0; j < lumFilterSize; j++)
-                A += alpSrc[j][i] * lumFilter[j];
+                A += alpSrc[j][i] * (unsigned)lumFilter[j];
 
             A >>= 15;
             A += 0x8000;

commit a6ac0c6841c5205393513961ad9cdc3a8ba17b35
Author:     James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:31:10 2025 -0300
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays 
value in HEVCSEITDRDI
    
    Fixes: 
439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
    Fixes: out of array access
    
    Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
    Signed-off-by: James Almer <[email protected]>
    (cherry picked from commit d448d6d1a0a4cdc76499c137742fdd8b30b9e7de)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index e11a33773c..1af6ca2716 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -152,6 +152,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, 
GetBitContext *gb)
 
 static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, 
GetBitContext *gb)
 {
+    unsigned num_ref_displays;
+
     s->prec_ref_display_width = get_ue_golomb(gb);
     if (s->prec_ref_display_width > 31)
         return AVERROR_INVALIDDATA;
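Review bot: `prec_ref_display_width` is still written into `s` before its range check in the context lines of this hunk, so a rejected SEI can leave an out-of-range value in the struct. The check on `prec_ref_viewing_dist` in the next hunk suggests the same pattern there. The commit moves only `num_ref_displays` to a local; the same shape would fit here: `unsigned prec = get_ue_golomb(gb);`, `if (prec > 31) return AVERROR_INVALIDDATA;`, `s->prec_ref_display_width = prec;`. Whether any consumer reads these fields after a failed parse is not visible here, and the function body continues beyond both hunks.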
@@ -161,10 +163,10 @@ static int 
decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         if (s->prec_ref_viewing_dist > 31)
             return AVERROR_INVALIDDATA;
     }
-    s->num_ref_displays = get_ue_golomb(gb);
-    if (s->num_ref_displays > 31)
+    num_ref_displays = get_ue_golomb(gb);
+    if (num_ref_displays > 31)
         return AVERROR_INVALIDDATA;
-    s->num_ref_displays += 1;
+    s->num_ref_displays = num_ref_displays + 1;
 
     for (int i = 0; i < s->num_ref_displays; i++) {
         int length;

commit 638cafa70b18581f4bc482ac2cf57b55d3a311d5
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    avcodec/exr: Check that DWA has 3 channels
    
    The implementation hardcodes access to 3 channels, so we need to check that
    Fixes: out of array access
    Fixes: BIGSLEEP-445394503-crash.exr
    
    Found-by: Google Big Sleep
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 40b6cd70d9..c90d12b618 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1000,6 +1000,11 @@ static int dwa_uncompress(const EXRContext *s, const 
uint8_t *src, int compresse
     if (version != 2)
         return AVERROR_INVALIDDATA;
 
+    if (s->nb_channels < 3) {
+        avpriv_request_sample(s->avctx, "Gray DWA");
+        return AVERROR_PATCHWELCOME;
+    }
+
     lo_usize = AV_RL64(src + 8);
     lo_size = AV_RL64(src + 16);
     ac_size = AV_RL64(src + 24);
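Review bot: The new guard rejects every channel count below three, but the sample request says only "Gray DWA", so a two-channel file would be logged under the wrong description. Nothing at the check says why three is the limit either. I would add `/* the DWA code below indexes three channels unconditionally */` above the `if` and word the message for the actual condition, e.g. `"DWA with fewer than 3 channels"`. dwa_uncompress begins and ends outside the hunk, so the channel accesses themselves are not visible here.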

commit 3934ab4ee2a2390cf0778c6e64014d0af8659a51
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    avcodec/exr: check ac_size
    
    Fixes: out of array read
    Fixes: dwa_uncompress.py.crash.exr
    
    The code will read from the ac data even if ac_size is 0, thus that case
    is not implemented and we ask for a sample and error out cleanly
    
    Found-by: Google Big Sleep
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index cfff8f9114..40b6cd70d9 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1016,6 +1016,11 @@ static int dwa_uncompress(const EXRContext *s, const 
uint8_t *src, int compresse
     )
         return AVERROR_INVALIDDATA;
 
+    if (ac_size <= 0) {
+        avpriv_request_sample(s->avctx, "Zero ac_size");
+        return AVERROR_INVALIDDATA;
+    }
+
     if ((uint64_t)rle_raw_size > INT_MAX) {
         avpriv_request_sample(s->avctx, "Too big rle_raw_size");
         return AVERROR_INVALIDDATA;
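Review bot: The new `ac_size <= 0` branch calls avpriv_request_sample() but returns AVERROR_INVALIDDATA, while the commit description calls the case unimplemented and the three-channel check added to the same function on this page returns AVERROR_PATCHWELCOME after its sample request. If a zero-length AC section is legal in the format, `return AVERROR_PATCHWELCOME;` would tell callers the file is unsupported rather than corrupt; the existing `rle_raw_size` check just below uses the same INVALIDDATA pairing, so this may be a local convention. The message says "Zero" although the condition also covers negative values; a comment such as `/* the AC reader below consumes data even when ac_size is 0 */` would record why the check exists. The start of dwa_uncompress and the preceding size condition are outside the hunk.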

commit b40c6910255085f661c6ed53b9abd3efb8698c53
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:52 2025 +0100

    avcodec/exr: Round dc_w/h up
    
    Without rounding them up there are too few dc coeffs for the blocks.
    We do not know if this way of handling odd dimensions is correct, as we have
    no such DWA sample.
    thus we ask the user for a sample if she encounters such a file
    
    Fixes: out of array access
    Fixes: BIGSLEEP-445392027-crash.exr
    
    Found-by: Google Big Sleep
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 20b2cfdc7e..cfff8f9114 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -987,8 +987,8 @@ static int dwa_uncompress(const EXRContext *s, const 
uint8_t *src, int compresse
     int64_t version, lo_usize, lo_size;
     int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
     int64_t ac_count, dc_count, ac_compression;
-    const int dc_w = td->xsize >> 3;
-    const int dc_h = td->ysize >> 3;
+    const int dc_w = (td->xsize + 7) >> 3;
+    const int dc_h = (td->ysize + 7) >> 3;
     GetByteContext gb, agb;
     int skip, ret;
     int have_rle = 0;
@@ -1021,6 +1021,10 @@ static int dwa_uncompress(const EXRContext *s, const 
uint8_t *src, int compresse
         return AVERROR_INVALIDDATA;
     }
 
+    if (td->xsize % 8 || td->ysize % 8) {
+        avpriv_request_sample(s->avctx, "odd dimensions DWA");
+    }
+
     bytestream2_init(&gb, src + 88, compressed_size - 88);
     skip = bytestream2_get_le16(&gb);
     if (skip < 2)
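Review bot: The new `td->xsize % 8 || td->ysize % 8` branch only logs a sample request and then continues decoding, on a path the commit description says has not been checked against any real file. Since the rounding in the first hunk exists to stop an out-of-array access, I would either state that continuing is deliberate, e.g. `/* untested: dc_w/dc_h are rounded up so every 8x8 block has a DC coefficient */`, or return AVERROR_PATCHWELCOME until a sample confirms the layout. The message "odd dimensions" is also narrower than the test, which fires for any size that is not a multiple of 8. The buffers sized from `dc_w` and `dc_h` are outside both hunks, so their agreement with the rounded values cannot be confirmed from here.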

commit d94cce9ee060c0799c0d74d747b11ca657426943
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 11 20:12:55 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:51 2025 +0100

    avcodec/mjpegdec: Explain buf_size/width/height check
    
    Suggested-by: Ramiro
    
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 9438184ae5..94fc0377f0 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
     av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
     if (av_image_check_size(width, height, 0, s->avctx) < 0)
         return AVERROR_INVALIDDATA;
+
+    // A valid frame requires at least 1 bit for DC + 1 bit for AC for each 
8x8 block.
     if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 
4LL)
         return AVERROR_INVALIDDATA;
 

commit 26115ca03dd65e7e1b83e274293590f163320f86
Author:     Andreas Rheinhardt <[email protected]>
AuthorDate: Fri Jul 11 22:58:26 2025 +0200
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Wed Nov 19 12:45:43 2025 +0100

    avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
    
    Otherwise it might be > buf_ptr in which case ffio_get_checksum()
    could segfault (s->buf_ptr - s->checksum_ptr would be negative
    which would be converted to something very big when converted
    to unsigned for the update_checksum callback).
    
    Fixes ticket #11233.
    
    Reported-by: Du4t
    Signed-off-by: Andreas Rheinhardt <[email protected]>
    (cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
    Signed-off-by: Michael Niedermayer <[email protected]>

diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 6a74c1ce68..9041280e77 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -308,7 +308,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int 
whence)
         ctx->seek_count++;
         if (!s->write_flag)
             s->buf_end = s->buffer;
-        s->buf_ptr = s->buf_ptr_max = s->buffer;
+        s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
         s->pos = offset;
     }
     s->eof_reached = 0;
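Review bot: Resetting `checksum_ptr` together with `buf_ptr` drops any bytes between the old `checksum_ptr` and the old `buf_ptr` without folding them into the checksum, and nothing on the line says this is intended. A short comment would record the invariant the fix relies on, e.g. `/* keep checksum_ptr <= buf_ptr; ffio_get_checksum() passes their difference as an unsigned length */`. The other branches of avio_seek that move `buf_ptr` are outside this hunk, so it is not visible whether any of them can still place it below `checksum_ptr`.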

-----------------------------------------------------------------------

Summary of changes:
 libavcodec/exr.c                  | 57 +++++++++++++++++++++++++++++++--------
 libavcodec/g723_1.h               |  2 +-
 libavcodec/g723_1enc.c            |  2 +-
 libavcodec/hevc/sei.c             |  8 +++---
 libavcodec/mediacodecdec_common.c |  6 +++++
 libavcodec/mjpegdec.c             |  2 ++
 libavcodec/osq.c                  |  2 +-
 libavcodec/utvideodec.c           |  2 +-
 libavcodec/vlc.c                  |  2 +-
 libavfilter/vf_drawtext.c         |  2 +-
 libavformat/aviobuf.c             |  2 +-
 libavformat/http.c                |  2 +-
 libavformat/rtmpproto.c           | 28 +++++++++++++++++--
 libavformat/rtpdec_rfc4175.c      | 28 ++++++++++++++-----
 libavformat/rtpenc_h264_hevc.c    |  3 +++
 libavformat/sctp.c                |  3 +++
 libswscale/output.c               |  4 +--
 17 files changed, 122 insertions(+), 33 deletions(-)


hooks/post-receive
-- 
