The branch, release/6.1 has been updated
from e835b06f2d888d6072116ee3c446020e1c1128bc (commit)
- Log -----------------------------------------------------------------
commit 275ddd00386b37f1ef097732b2dd6073d220bfe8
Author: Zhao Zhili <[email protected]>
AuthorDate: Fri Nov 14 17:23:22 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avutil/common: cast GET_BYTE/GET_16BIT returned value
In case GET_BYTE/GET_16BIT return a signed value.
(cherry picked from commit 0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavutil/common.h b/libavutil/common.h
index de2140a678..48f36d6854 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -468,13 +468,13 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* to prevent undefined results.
*/
#define GET_UTF8(val, GET_BYTE, ERROR)\
- val= (GET_BYTE);\
+ val= (uint8_t)(GET_BYTE);\
{\
uint32_t top = (val & 128) >> 1;\
if ((val & 0xc0) == 0x80 || val >= 0xFE)\
{ERROR}\
while (val & top) {\
- unsigned int tmp = (GET_BYTE) - 128;\
+ unsigned int tmp = (uint8_t)(GET_BYTE) - 128;\
if(tmp>>6)\
{ERROR}\
val= (val<<6) + tmp;\
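Review bot: the new `(uint8_t)` casts at `val= (uint8_t)(GET_BYTE);` and `unsigned int tmp = (uint8_t)(GET_BYTE) - 128;` are explained only in the commit message; the macro's own doc comment (the block ending in `to prevent undefined results.` just above) should state that GET_BYTE may now evaluate to a plain `char`, because on signed-char targets a lead byte such as 0xC3 used to sign-extend into `val`, trip the `val >= 0xFE` test and take the `{ERROR}` path. A second comment is worth adding on the `tmp` line: for a continuation byte below 0x80 the subtraction wraps `tmp` to a large unsigned value, so `tmp>>6` is non-zero and the byte is still rejected, which is intended but not obvious from the cast.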
@@ -493,11 +493,11 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* typically a goto statement.
*/
#define GET_UTF16(val, GET_16BIT, ERROR)\
- val = (GET_16BIT);\
+ val = (uint16_t)(GET_16BIT);\
{\
unsigned int hi = val - 0xD800;\
if (hi < 0x800) {\
- val = (GET_16BIT) - 0xDC00;\
+ val = (uint16_t)(GET_16BIT) - 0xDC00;\
if (val > 0x3FFU || hi > 0x3FFU)\
{ERROR}\
val += (hi<<10) + 0x10000;\
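Review bot: `(uint16_t)(GET_16BIT)` silently truncates whatever GET_16BIT yields to 16 bits, so a caller whose GET_16BIT expression can return a negative sentinel (for example -1 at end of input) now decodes 0xFFFF as an ordinary BMP code unit, where before it produced 0xFFFFFFFF that a caller could recognise as out of range; the doc comment above (ending in `typically a goto statement.`) should say that GET_16BIT must yield a real code unit and that end-of-input has to be handled by the caller, not by this macro.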
commit 05e10ce5ac75eb2a0cbecc0ee477d7e1b6f7edcf
Author: Zhao Zhili <[email protected]>
AuthorDate: Fri Nov 14 16:53:07 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avfilter/vf_drawtext: fix call GET_UTF8 with invalid argument
For GET_UTF8(val, GET_BYTE, ERROR), val has type uint32_t, so
GET_BYTE must return an unsigned integer; otherwise sign
extension happened due to val= (GET_BYTE), and GET_UTF8 went to
the error path.
This bug incidentally cancelled the bug where hb_buffer_add_utf8
was being called with an incorrect argument, allowing drawtext to
function correctly on x86 and macOS ARM, which define char as
signed. However, on Linux and Android ARM environments, because
char is unsigned by default, GET_UTF8 now returns the correct
result, which unexpectedly revealed issue #20906.
(cherry picked from commit a5cc0e5c9e752f98e38c2a95a0893faeb1f78fa9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index d748f2cfc4..817fb161d3 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -1669,7 +1669,7 @@ static int measure_text(AVFilterContext *ctx, TextMetrics
*metrics)
{
DrawTextContext *s = ctx->priv;
char *text = s->expanded_text.str;
- char *textdup = NULL, *start = NULL;
+ char *textdup = NULL;
int width64 = 0, w64 = 0;
int cur_min_y64 = 0, first_max_y64 = -32000;
int first_min_x64 = 32000, last_max_x64 = -32000;
@@ -1679,7 +1679,7 @@ static int measure_text(AVFilterContext *ctx, TextMetrics
*metrics)
Glyph *glyph = NULL;
int i, tab_idx = 0, last_tab_idx = 0, line_offset = 0;
- char* p;
+ uint8_t *start, *p;
int ret = 0;
// Count the lines and the tab characters
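Review bot: `start` and `p` become `uint8_t *` while `text` (`char *text = s->expanded_text.str;` in the previous hunk) and `textdup` stay `char *`, so every assignment of `text`/`textdup` into `start`/`p` and the `shape_text_hb(s, hb, start, ...)` call now need matching types or explicit casts, or the build gains -Wpointer-sign warnings; those sites are not in the hunk, so please confirm they were adjusted. A one-line comment next to `uint8_t *start, *p;` saying that GET_UTF8 requires unsigned bytes would explain why these two are declared apart from the `char *` block.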
commit cf6842fd8a04029b9b7b112d6bf383e203cef6a3
Author: Zhao Zhili <[email protected]>
AuthorDate: Fri Nov 14 16:23:10 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avfilter/vf_drawtext: fix incorrect text length
From the doc of HarfBuzz, what hb_buffer_add_utf8 needs is the
number of bytes, not Unicode character:
hb_buffer_add_utf8(buf, text, strlen(text), 0, strlen(text));
Fix issue #20906.
(cherry picked from commit 9bc3c572eaaab559a7258c392528e7a1cad2a9b7)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index 56dafc3168..d748f2cfc4 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -1670,7 +1670,6 @@ static int measure_text(AVFilterContext *ctx, TextMetrics
*metrics)
DrawTextContext *s = ctx->priv;
char *text = s->expanded_text.str;
char *textdup = NULL, *start = NULL;
- int num_chars = 0;
int width64 = 0, w64 = 0;
int cur_min_y64 = 0, first_max_y64 = -32000;
int first_min_x64 = 32000, last_max_x64 = -32000;
@@ -1733,7 +1732,7 @@ continue_on_failed2:
TextLine *cur_line = &s->lines[line_count];
HarfbuzzData *hb = &cur_line->hb_data;
cur_line->cluster_offset = line_offset;
- ret = shape_text_hb(s, hb, start, num_chars);
+ ret = shape_text_hb(s, hb, start, p - start);
if (ret != 0) {
goto done;
}
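Review bot: `p - start` is a `ptrdiff_t` passed where the `int` `num_chars` used to go; if shape_text_hb's length parameter is `int`, an explicit cast (or a named `int line_bytes = p - start;`) keeps this warning-free and makes the intent from the commit message, a byte count rather than a character count, visible at the call.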
@@ -1791,14 +1790,12 @@ continue_on_failed2:
if (w64 > width64) {
width64 = w64;
}
- num_chars = -1;
start = p;
++line_count;
line_offset = i + 1;
}
if (code == 0) break;
- ++num_chars;
}
metrics->line_height64 = s->face->size->metrics.height;
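Review bot: the removed `num_chars = -1;` followed by `++num_chars` meant the old count excluded the line-separator character consumed at the end of each line; now that `start = p;` is the only per-line bookkeeping, please confirm that `p` at the point of the shape_text_hb call in the previous hunk points at the separator rather than past it, otherwise the separator byte becomes part of the shaped run and the cluster offsets shift by one per line.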
commit 7327a9ab190a59ea5169c69fbc16bb9d5d6c9c8f
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 1 01:29:32 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avfilter/vf_drawtext: Account for bbox text separator
Fixes: out of array access
no test case
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index c5477cbff1..56dafc3168 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -938,7 +938,7 @@ static av_cold int init(AVFilterContext *ctx)
av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use
text_source only\n");
av_free(s->text);
}
- s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+ s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
(AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
if (!s->text)
return AVERROR(ENOMEM);
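Review bot: the `+ 1` in `(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) * (AV_NUM_DETECTION_BBOX_CLASSIFY + 1)` encodes the per-label separator appended by the code that fills `s->text`, which is not in this hunk; a comment at the allocation tying the extra byte to that separator (and the final `+ 1` to the terminating entry) keeps the size in sync when the writer changes. Both factors are compile-time constants, so the multiplication cannot overflow, but `av_calloc` would express the intent as a count of fixed-size slots.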
commit d2b053fb88c4fef3f7051d6ba48064ae8e96261b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 23:22:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 9281abd239..82ea7ced28 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -456,7 +456,7 @@ static void restore_median_planar_il(UtvideoContext *c,
uint8_t *src, ptrdiff_t
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride2];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need
align 16) */
B = bsrc[i - stride2];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
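Review bot: `A = B = bsrc[0];` fixes the width == 1 case because the loop `for (i = 1; i < FFMIN(width, 16); i++)` that normally sets `B = bsrc[i - stride2];` never runs; for width > 1 the value is overwritten on the first iteration, so the double assignment reads as accidental. A short comment (`B is only kept when width == 1`) would stop someone from simplifying it back to `A = bsrc[0];`.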
commit 90b8d6d0b3deabf0dd1c58c9eb4504e49a8fbf26
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Jul 13 01:34:17 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:02 2025 +0100
avcodec/osq: Fix 32bit sample overflow
Fixes: signed integer overflow: 2147483565 + 128 cannot be represented in type 'int'
Fixes: 428055715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6358069900804096
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 08816b93760f43433a07e980fa9eeab4135de78c)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index 4824c021bc..3872dcef2e 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -389,7 +389,7 @@ static int osq_decode_block(AVCodecContext *avctx, AVFrame
*frame)
int32_t *src = s->decode_buffer[ch] + OFFSET;
for (int n = 0; n < nb_samples; n++)
- dst[n] = av_clip_uint8(src[n] + 0x80);
+ dst[n] = av_clip_uint8(src[n] + 0x80ll);
}
break;
case AV_SAMPLE_FMT_S16P:
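Review bot: `src[n] + 0x80ll` moves the addition to 64-bit so the reported `2147483565 + 128` no longer overflows, but the sum is narrowed back to av_clip_uint8's `int` parameter at the call, so a sum above INT_MAX wraps negative and clips to 0 instead of saturating to 255. If saturation is the intent, clip before the offset is added, e.g. `av_clip_int8(src[n]) + 0x80`, which lands in 0..255 without any 64-bit arithmetic.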
commit d6e3e6f8fb06f375acdf1ff69f365d33a751a18b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 918c04f3e2..208ea8eb7b 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
@@ -172,33 +173,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s,
AVStream *stream,
}
static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
- PayloadContext *data, const char *line)
+ PayloadContext *data_arg, const char *line)
{
const char *p;
if (st_index < 0)
return 0;
+ av_assert0(!data_arg->sampling);
+
if (av_strstart(line, "fmtp:", &p)) {
AVStream *stream = s->streams[st_index];
+ PayloadContext data0 = *data_arg, *data = &data0;
int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
+ if (!data->sampling || !data->depth || !data->width || !data->height)
+ ret = AVERROR(EINVAL);
+
if (ret < 0)
- return ret;
+ goto fail;
ret = av_image_check_size(data->width, data->height, 0, s);
if (ret < 0)
- return ret;
-
- if (!data->sampling || !data->depth || !data->width || !data->height)
- return AVERROR(EINVAL);
+ goto fail;
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
ret = rfc4175_parse_format(stream, data);
av_freep(&data->sampling);
-
+ if (ret >= 0)
+ *data_arg = *data;
+fail:
+ av_freep(&data->sampling);
return ret;
}
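Review bot: the `av_freep(&data->sampling);` kept right after `ret = rfc4175_parse_format(stream, data);` is now redundant with the one under `fail:` (av_freep nulls the pointer, so the second call is a no-op); dropping it leaves a single ownership point. Also, `ret = AVERROR(EINVAL);` on the missing-field test runs even when ff_parse_fmtp already failed, replacing its more specific error code; `if (ret >= 0 && (...))` preserves it. The `av_assert0(!data_arg->sampling)` depends on the success path never leaving `sampling` set; here `*data_arg = *data;` is copied only after `sampling` was freed, so the invariant holds, but a comment stating that would help the next reader.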
commit faaf5d724e63b3a2c989b753aaf4472bd0ac9867
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 017f1e162a..918c04f3e2 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
#include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
#include "libavutil/parseutils.h"
@@ -185,6 +186,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int
st_index,
if (ret < 0)
return ret;
+ ret = av_image_check_size(data->width, data->height, 0, s);
+ if (ret < 0)
+ return ret;
if (!data->sampling || !data->depth || !data->width || !data->height)
return AVERROR(EINVAL);
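Review bot: av_image_check_size already rejects zero or negative dimensions, so the `!data->width || !data->height` part of the test that follows becomes unreachable; keep only `!data->sampling || !data->depth` there, or place the size check after it so the order of the two error paths stays obvious.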
@@ -295,6 +299,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
if (data->interlaced)
line = 2 * line + field;
+ if (line >= data->height)
+ return AVERROR_INVALIDDATA;
+
/* prevent ill-formed packets to write after buffer's end */
copy_offset = (line * data->width + offset) * data->pgroup /
data->xinc;
if (copy_offset + length > data->frame_size || !data->frame)
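Review bot: `line >= data->height` together with the av_image_check_size bound from the previous hunk is what keeps `(line * data->width + offset) * data->pgroup / data->xinc` from overflowing before the `copy_offset + length > data->frame_size` comparison; that dependency deserves a comment, because the frame_size test alone does not protect against a wrapped `copy_offset`. No check of `offset` against `data->width` is visible here either, so the multiplication still relies on the caller's range of `offset`.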
commit 8c4368718d3411c44ef296472be56626312621a3
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 83abe499f8..017f1e162a 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -127,7 +127,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
data->width = atoi(value);
else if (!strncmp(attr, "height", 6))
data->height = atoi(value);
- else if (!strncmp(attr, "sampling", 8))
+ else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
data->sampling = av_strdup(value);
else if (!strncmp(attr, "depth", 5))
data->depth = atoi(value);
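Review bot: `data->sampling == NULL && ...` closes the leak by keeping the first `sampling=` value, but a repeated attribute is now ignored silently rather than reported; an `av_log` at warning level would make bad SDP visible. The `av_strdup(value)` return is also unchecked in the visible lines, so an allocation failure is indistinguishable from the attribute being absent and only surfaces later as the generic `!data->sampling` EINVAL.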
commit 690795d871402144b163b179d29030870b27573b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 17:32:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/http.c b/libavformat/http.c
index c0fe7c36d9..032f820068 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1788,7 +1788,7 @@ static int store_icy(URLContext *h, int size)
ret = http_read_stream_all(h, data, len);
if (ret < 0)
return ret;
- data[len + 1] = 0;
+ data[len] = 0;
if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
return ret;
update_metadata(h, data);
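Review bot: `data[len] = 0;` is only safe if the buffer was allocated with `len + 1` bytes; the allocation is not in this hunk, so add a comment or `av_assert0` at the write documenting that size relationship, otherwise the next refactor of the allocation reintroduces the off-by-one.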
commit 4629eb333433bbd99b5fa69709e4ce51adfbc824
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 44fa4a67a0..211bc7284d 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -174,7 +174,7 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
#define M(chr) (1<<chr - 'A')
- int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+ int has_channel; ///< combination of flags representing the channel codes
A-Z
GetByteContext gb;
const uint8_t *buf;
commit 122ac706fffd8c7c00357289390fe15b40b08f0c
Author: veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:01 2025 +0100
avcodec/exr: use tile dimensions in pxr24 UINT case
Update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->xdelta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 6c58f8fe39..44fa4a67a0 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -742,12 +742,12 @@ static int pxr24_uncompress(const EXRContext *s, const
uint8_t *src,
break;
case EXR_UINT:
ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |
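Review bot: switching the four plane pointers and the loop bound from `s->xdelta` to `td->xsize` makes `in` advance by exactly `4 * td->xsize` bytes per tile row; no check that `in + 4 * td->xsize` stays inside the uncompressed buffer is visible in this hunk, so if that bound is enforced above the switch a short comment there should tie it to this layout, and if it is not, one is needed. The other type cases of the same switch should use the `td->xsize` stride too, for consistency with this fix.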
commit d501380d80c7562672b83e286f9963774bfdd4e1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:20:36 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:00 2025 +0100
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile, as depending on the order
of channels it can be set or reset.
No testcase
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e06041c7c0..6c58f8fe39 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -173,6 +173,9 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
+#define M(chr) (1<<chr - 'A')
+ int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+
GetByteContext gb;
const uint8_t *buf;
int buf_size;
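Review bot: `#define M(chr) (1<<chr - 'A')` relies on `-` binding tighter than `<<`, which is correct, but the unparenthesised argument means `M(ch + 1)` expands to `1<<ch + 1 - 'A'`; write it as `(1 << ((chr) - 'A'))`. A single-letter macro name in a header-level struct is also easy to collide with; a more specific name such as `EXR_CHANNEL_MASK` would be safer given that the macro is used again in decode_header.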
@@ -1594,6 +1597,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->is_tile = 0;
s->is_multipart = 0;
s->is_luma = 0;
+ s->has_channel = 0;
s->current_part = 0;
if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1697,23 +1701,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
}
if (layer_match) { /* only search channel if the layer match
is valid */
+ if (strlen(ch_gb.buffer) == 1) {
+ int ch_chr = av_toupper(*ch_gb.buffer);
+ if (ch_chr >= 'A' && ch_chr <= 'Z')
+ s->has_channel |= M(ch_chr);
+ av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+ }
+
if (!av_strcasecmp(ch_gb.buffer, "R") ||
!av_strcasecmp(ch_gb.buffer, "X") ||
!av_strcasecmp(ch_gb.buffer, "U")) {
channel_index = 0;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "G") ||
!av_strcasecmp(ch_gb.buffer, "V")) {
channel_index = 1;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
channel_index = 1;
- s->is_luma = 1;
} else if (!av_strcasecmp(ch_gb.buffer, "B") ||
!av_strcasecmp(ch_gb.buffer, "Z") ||
!av_strcasecmp(ch_gb.buffer, "W")) {
channel_index = 2;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "A")) {
channel_index = 3;
} else {
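Review bot: `strlen(ch_gb.buffer) == 1` assumes `ch_gb.buffer` is NUL-terminated, consistent with the av_strcasecmp calls around it; single-character names outside `A`..`Z` after av_toupper (digits, for instance) leave `has_channel` untouched and end up in the "Uncommon channel combination" path of the later hunk, which is fine but worth a comment. The `av_log(..., AV_LOG_DEBUG, "%c\n", ch_chr)` prints only the letter; logging the raw channel name with `%s` would make the debug output self-explanatory.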
@@ -1789,6 +1796,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->current_channel_offset += 4;
}
}
+ if (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') ) & ~s->has_channel) &&
+ !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X')
+ M('Z')) & s->has_channel)) {
+ s->is_luma = 1;
+ } else {
+ avpriv_request_sample(s->avctx, "Uncommon channel
combination");
+ ret = AVERROR(AVERROR_PATCHWELCOME);
+ goto fail;
+ }
/* Check if all channels are set with an offset or if the channels
* are causing an overflow */
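Review bot: `ret = AVERROR(AVERROR_PATCHWELCOME);` double-wraps the error: AVERROR_PATCHWELCOME is already a negative AVERROR code, and on platforms where `AVERROR(e)` is `(-(e))` this turns `ret` positive, so the `goto fail` may be treated as success by the caller; use `ret = AVERROR_PATCHWELCOME;` as the other `avpriv_request_sample` sites in exr.c do. The `M('R') + M('G') + M('B')` unions work because the bits are distinct, but `|` states that directly. Note also that the first three branches assign `s->is_luma = 0`, which decode_header already set to 0 in the earlier hunk, so only the fourth branch changes state.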
commit 1e20df44a45020017b1fdd0e86f61f3193166643
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:08:45 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:00 2025 +0100
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 9d9e90097e..f39ba7ebe0 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf,
int size)
}
if (s->max_streams) {
+ if (size < 2)
+ return AVERROR(EINVAL);
+
/*StreamId is introduced as a 2byte code into the stream*/
struct sctp_sndrcvinfo info = { 0 };
info.sinfo_stream = AV_RB16(buf);
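Review bot: `if (size < 2) return AVERROR(EINVAL);` guards the `AV_RB16(buf)` read, but the send that follows (not in the hunk) must then use `buf + 2` and `size - 2`; please confirm it does. A one-byte write from the caller in stream mode is a caller bug rather than a bad option, so an `av_log` at error level alongside the EINVAL would make that failure diagnosable.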
commit 4fd92ec49dfdfc79cb7a3b52c2185a273c2f1847
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:00 2025 +0100
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 6e31b2492d..eb13d3de8d 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -162,6 +162,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket
*pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -326,7 +333,16 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH
+ + strlen(rt->auth_params) +
strlen(rt->flashver)
+ + zstrlen(rt->enhanced_codecs)/5*7
+ + zstrlen(rt->swfurl)
+ + zstrlen(rt->swfverify)
+ + zstrlen(rt->tcurl)
+ + zstrlen(rt->auth_params)
+ + zstrlen(rt->pageurl)
+ + zstrlen(rt->conn)*3
+ )) < 0)
return ret;
p = pkt.data;
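Review bot: `rt->auth_params` is counted twice (`strlen(rt->auth_params)` and later `zstrlen(rt->auth_params)`), and the first of those uses plain `strlen` while every other optional field goes through `zstrlen`; if `auth_params` can be NULL the first call crashes before the size bound matters, so either drop the first term or make it `zstrlen` too. The `/5*7` on `enhanced_codecs` and the `*3` on `conn` are expansion ratios that need a comment giving the per-item AMF encoding they are derived from; an over-estimate is safe, an under-estimate is exactly the out-of-array access this commit fixes, and nothing at the call site ties the ratios to the encoder.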
@@ -1899,7 +1915,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE
+ + strlen(status) + strlen(description)
+ + zstrlen(details))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}
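Review bot: `strlen(status) + strlen(description)` is unguarded while `details` gets `zstrlen`, which is correct only if the first two are never NULL; a comment or `av_assert0` stating that contract at the top of write_status would document it, since this is the same pattern that needed `zstrlen` for the other fields.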
commit 14ea8d0de13a7e3ed9a901c34dd5cafe8a140d47
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:00 2025 +0100
avformat/rtmpproto: Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 0292fa10e1..6e31b2492d 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2832,6 +2832,12 @@ reconnect:
"FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
}
}
+ if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+ || strlen(rt->tcurl ) > TCURL_MAX_LENGTH
+ ) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
rt->receive_report_size = 1048576;
rt->bytes_read = 0;
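Review bot: the new length test returns a bare `AVERROR(EINVAL)` with no log line, so a user whose `flashver`/`tcurl` value exceeds `FLASHVER_MAX_LENGTH`/`TCURL_MAX_LENGTH` only sees a generic invalid-argument failure; add an `av_log(s, AV_LOG_ERROR, ...)` naming the option and the limit. The check also runs after the default `"FMLE/3.0 (compatible; %s)"` flashver is built from LIBAVFORMAT_IDENT, so the generated default is bounded by the same limit; a comment noting that it fits would avoid a surprise if the ident string grows.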
commit f8b9ce5688e0078e06b9b12d8fd67e7ded43f4e0
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Oct 7 01:58:34 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:57:00 2025 +0100
avcodec/g723_1enc: Make min_err 64bit
This is intended to fix the case described in
https://lists.ffmpeg.org/archives/list/[email protected]/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
where FCBParam optim is used uninitialized.
A min_err of 1<<30 allows the struct to never be initialized, as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible.
Untested, as I do not have the testcase.
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
* Optimized fixed codebook excitation parameters
*/
typedef struct FCBParam {
- int min_err;
+ int64_t min_err;
int amp_index;
int grid_index;
int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index be80153130..d686c4befa 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1013,7 +1013,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t
*impulse_resp,
int pulse_cnt = pulses[index];
int i;
- optim.min_err = 1 << 30;
+ optim.min_err = 1LL << 31;
get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
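Review bot: `optim.min_err = 1LL << 31;` is one above INT32_MAX, so every `int32_t` err now compares below the initial value and `optim` is always filled in; any `int` temporaries or comparisons that read `min_err` elsewhere in g723_1enc.c should be audited for the widened type from the previous hunk. A comment at this line recording why `1 << 30` was insufficient (err can exceed it, per the commit message) keeps that reasoning next to the constant.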
commit beec7084e4cc353acf6e208ee714990090f546be
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 12:49:49 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
avcodec/vlc: Clear val8/16 in vlc_multi_gen() by av_mallocz()
Fixes: use of uninitialized memory
Fixes: 427814450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_DEC_fuzzer-646512196065689
Fixes: 445961558/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5515158672965632
The multi vlc code will otherwise return uninitialized data. Now one can
argue that this data should not be used, but on errors this data can remain ...
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d8ffec5bf9a2803f55cc0822a97b7815f24bee83)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/vlc.c b/libavcodec/vlc.c
index 79eb8142e1..ecfaaf3c66 100644
--- a/libavcodec/vlc.c
+++ b/libavcodec/vlc.c
@@ -456,7 +456,7 @@ int ff_vlc_init_multi_from_lengths(VLC *vlc, VLC_MULTI
*multi, int nb_bits, int
if (ret < 0)
return ret;
- multi->table = av_malloc(sizeof(*multi->table) << nb_bits);
+ multi->table = av_mallocz(sizeof(*multi->table) << nb_bits);
if (!multi->table)
goto fail;
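Review bot: `av_mallocz` zeroes `sizeof(*multi->table) << nb_bits` bytes on every init; if ff_vlc_init_multi_from_lengths runs per frame (as the MagicYUV and UtVideo fuzz cases suggest it can), this is on a hot path, and the narrower fix is to initialise the `val8`/`val16` slots the generator leaves unset. If the zeroing stays, a comment naming which fields were previously left uninitialised would explain why the allocation is not plain `av_malloc`.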
commit 2b37613678913bb22a3d8806ac06486c61bbd871
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 24 20:29:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 0c88fc2a23..470430478b 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -195,6 +195,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const
uint8_t *buf1, int size)
r1 = ff_avc_mp4_find_startcode(r, end, s->nal_length_size);
if (!r1)
r1 = end;
+ // Check that the last is not truncated
+ if (r1 - r < s->nal_length_size)
+ break;
r += s->nal_length_size;
} else {
while (!*(r++));
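Review bot: `if (r1 - r < s->nal_length_size) break;` silently drops a truncated trailing length field; logging once at AV_LOG_WARNING would make malformed input visible to the user. The comment `// Check that the last is not truncated` should say what "the last" is, i.e. the last NAL length field. `r1 - r` is a ptrdiff_t compared against `s->nal_length_size`, which is fine since both are non-negative here.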
commit 49b052c467bf58f203736391a87824a89d7781af
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:32:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/output.c b/libswscale/output.c
index 586b2e81eb..4cf9a6d77a 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -965,7 +965,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
int A = 0xffff;
for (j = 0; j < lumFilterSize; j++)
- Y += lumSrc[j][i] * lumFilter[j];
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
Y >>= 15;
Y += (1<<3) + 0x8000;
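Review bot: `lumSrc[j][i] * (unsigned)lumFilter[j]` makes the multiply-accumulate wrap instead of being undefined, matching the pattern used elsewhere in swscale; a brief comment saying the cast exists for defined overflow (and that `Y >>= 15` below relies on the wrapped value being shifted arithmetically) would keep it from being removed as a spurious cast. The same comment applies to the alpha loop in the next hunk.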
@@ -974,7 +974,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
if (hasAlpha) {
A = -0x40000000 + (1<<14);
for (j = 0; j < lumFilterSize; j++)
- A += alpSrc[j][i] * lumFilter[j];
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 15;
A += 0x8000;
commit 50b3fa8dbe9758cceef6585a67e2cf805a01e3dd
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index a00d27b576..e06041c7c0 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -999,6 +999,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
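Review bot: `s->nb_channels < 3` rejects gray DWA, which is what the hardcoded three-channel access needs, but files with more than three channels (RGBA, for example) still pass; confirm that the hardcoded accesses only touch the first three and that the extra channels are handled or rejected elsewhere, and say so in a comment next to the check so the `< 3` is not later "tightened" to `!= 3` or loosened without that context.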
commit 39d89c391792d163d873e0a6881a6e86880dd6af
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 9a703fdae4..a00d27b576 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1015,6 +1015,11 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
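Review bot: Returning `AVERROR_INVALIDDATA` directly after `avpriv_request_sample()` is inconsistent with the neighbouring checks in this series, which pair a sample request with `AVERROR_PATCHWELCOME`; the message describes zero `ac_size` as an unimplemented case rather than corrupt data, so `AVERROR_PATCHWELCOME` would match the stated intent. The `<= 0` form is right, since `ac_size` is an `int64_t` read with `AV_RL64()` and can be negative.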
commit f8d1079f973bc6f5b647b3fccdbcd224a273f68a
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:59 2025 +0100
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
Thus we ask the user for a sample if she encounters such a file.
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 8862d1274c..9a703fdae4 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -986,8 +986,8 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
@@ -1020,6 +1020,10 @@ static int dwa_uncompress(const EXRContext *s, const
uint8_t *src, int compresse
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
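Review bot: The `td->xsize % 8 || td->ysize % 8` branch requests a sample but then falls through and keeps decoding, unlike the `nb_channels` check in this series which returns `AVERROR_PATCHWELCOME`; the message says this handling is unverified, so either add a comment stating that continuing is deliberate (memory-safe thanks to the rounded-up `dc_w`/`dc_h`, output possibly wrong) or return here so an unverified path is not silently emitted as output.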
commit 4dad371236bbe24628b70384c4b72f7c566f7403
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 11 20:12:55 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 7b3528c429..8a5d74a4fe 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
if (av_image_check_size(width, height, 0, s->avctx) < 0)
return AVERROR_INVALIDDATA;
+
+ // A valid frame requires at least 1 bit for DC + 1 bit for AC for each
8x8 block.
if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size *
4LL)
return AVERROR_INVALIDDATA;
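Review bot: The new comment should carry the arithmetic it justifies: 2 bits per 8x8 block means at most `buf_size * 8 / 2 = buf_size * 4` blocks, which is where the `4LL` comes from. It is also worth noting that `(width + 7) / 8 * ((height + 7) / 8)` counts the blocks of a single plane, so for multi-component scans the real block count is higher and the bound only ever under-estimates the minimum size (it never rejects a valid frame).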
commit aa4daa33f9871f9915f79ba15c9d92fbb1d33693
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Tue Mar 12 23:23:17 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 7a089ed8e049e3bfcb22de1250b86f2106060857)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index e3d8373665..7948063209 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1700,7 +1700,7 @@ static int check_stream_max_drift(AVFormatContext *s)
int *idx = av_calloc(s->nb_streams, sizeof(*idx));
if (!idx)
return AVERROR(ENOMEM);
- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
int64_t max_dts = INT64_MIN / 2;
int64_t min_dts = INT64_MAX / 2;
int64_t max_buffer = 0;
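Review bot: The reason the suffix matters deserves a comment: the increment `pos = min_pos + 1ULL` is still evaluated once after the body has set `min_pos` to `INT64_MAX`, before the `min_pos != INT64_MAX` test ends the loop, so with `1LU` on a platform where `unsigned long` is 32-bit the addition is performed in signed 64-bit and overflows; `1ULL` forces unsigned 64-bit arithmetic, where the wrap is defined and the result is discarded anyway. Alternatively, update `pos` inside the body so the terminating iteration never computes it.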
commit e3b8e3e071cecdb6f6a688452f0dcc7a7d6d2afe
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Mon Mar 25 16:54:25 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
fftools/ffmpeg_mux_init: Fix double-free on error
MATCH_PER_STREAM_OPT iterates over all options of a given
OptionDef and tests whether they apply to the current stream;
if so, they are set to ost->apad, otherwise, the code errors
out. If no error happens, ost->apad is av_strdup'ed in order
to take ownership of this pointer.
But this means that setting it originally was premature,
as it leads to double-frees when an error happens later on.
This can simply be reproduced with
ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -
This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
Fix this by using a temporary variable instead of directly
setting ost->apad. Also only strdup the string if it actually
is != NULL.
Reviewed-by: Marth64 <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c
index ef0eea09c8..697ca9e4be 100644
--- a/fftools/ffmpeg_mux_init.c
+++ b/fftools/ffmpeg_mux_init.c
@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const
OptionsContext *o,
int channels = 0;
char *layout = NULL;
char *sample_fmt = NULL;
+ const char *apad = NULL;
MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
if (channels) {
@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const
OptionsContext *o,
MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc,
st);
- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
- ost->apad = av_strdup(ost->apad);
+ MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
+ if (apad) {
+ ost->apad = av_strdup(apad);
+ if (!ost->apad)
+ return AVERROR(ENOMEM);
+ }
#if FFMPEG_OPT_MAP_CHANNEL
/* check for channel mapping for this audio stream */
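Review bot: With `ost->apad` now assigned only after a successful `av_strdup()`, the OOM case becomes an explicit `AVERROR(ENOMEM)` where before it silently left a NULL; please confirm the caller's error path frees the partially initialised `ost` (and its other already duplicated strings) when `new_stream_audio()` returns here, otherwise the double-free is traded for a leak.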
commit 8e96472d7c16b14a0ee1521f213f42472f8665f4
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Fri Jul 11 22:58:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 2899c75521..32757f0514 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -355,7 +355,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
whence)
ctx->seek_count++;
if (!s->write_flag)
s->buf_end = s->buffer;
- s->buf_ptr = s->buf_ptr_max = s->buffer;
+ s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
s->pos = offset;
}
s->eof_reached = 0;
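Review bot: This resets `checksum_ptr` on the buffer-flush path only; since the message says `ffio_get_checksum()` computes `s->buf_ptr - s->checksum_ptr` and hands it to the callback as an unsigned length, an `av_assert0(s->buf_ptr >= s->checksum_ptr)` (or equivalent) in that function would turn any remaining path that moves `buf_ptr` backwards past `checksum_ptr` into a loud failure instead of a huge read.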
commit 2cbf12cbb95e0d35e802ce6d2b6a9a083e14b334
Author: Andrey Semashev <[email protected]>
AuthorDate: Tue Sep 2 01:07:05 2025 +0300
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
avcodec/librsvgdec: fix compilation with librsvg 2.50.3
This fixes compilation with librsvg 2.50.3: error: viewport undeclared
This was a regression since commit 86ed68420d3b60439d0b7767c53d0fdc1deb7277.
Fixes #10722.
Reviewed-by: Leo Izen <[email protected]>
(cherry picked from commit 9ee7796c540ce9cec3fdff0dd246de842228707b)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/librsvgdec.c b/libavcodec/librsvgdec.c
index c328fbc774..f0566eb5d8 100644
--- a/libavcodec/librsvgdec.c
+++ b/libavcodec/librsvgdec.c
@@ -90,8 +90,6 @@ static int librsvg_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
goto end;
avctx->pix_fmt = AV_PIX_FMT_RGB32;
- viewport.width = dimensions.width;
- viewport.height = dimensions.height;
ret = ff_get_buffer(avctx, frame, 0);
if (ret < 0)
@@ -116,6 +114,8 @@ static int librsvg_decode_frame(AVCodecContext *avctx,
AVFrame *frame,
cairo_restore(crender);
#if LIBRSVG_MAJOR_VERSION > 2 || LIBRSVG_MAJOR_VERSION == 2 &&
LIBRSVG_MINOR_VERSION >= 52
+ viewport.width = dimensions.width;
+ viewport.height = dimensions.height;
gret = rsvg_handle_render_document(handle, crender, &viewport, &error);
#else
cairo_scale(crender, dimensions.width / (double)unscaled_dimensions.width,
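Review bot: Moving the `viewport` assignments under the `LIBRSVG_MINOR_VERSION >= 52` guard puts them where `rsvg_handle_render_document()` consumes them; the declaration of `viewport` (not visible in this hunk) should sit under the same guard, otherwise builds against older librsvg trade the undeclared-identifier error for an unused-variable warning.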
commit 40a705516a511b7a3428cc016007ba8fa7173d2a
Author: Lynne <[email protected]>
AuthorDate: Sat Feb 8 04:35:31 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:58 2025 +0100
aacenc_tns: clamp filter direction energy measurement
The issue is that:
float en[2];
...
tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
for (g = 0; g < tns->n_filt[w]; g++) {
tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
When using the AAC Main profile, n_filt = 3, and slant is by
default 2 (normal long frames), g can go above 1.
en is the evolution of energy in the frequency domain for every
band at the given window. E.g. whether the energy is concentrated
at the top of each band, or the bottom.
For 2-pole filters, it's straightforward.
For 3-pole filters, we need more than 2 measurements.
This commit properly implements support for 3-pole filters, by measuring
the band energy across three areas.
Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
n_filt == 3.
Fixes https://trac.ffmpeg.org/ticket/11418
(cherry picked from commit ed09aa28ae3b4509f00a24a9ebdeb084ee00736a)
(cherry picked from commit f98f142da571653436596ccad2d09c7e39bfd4fb)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
index 8dc6dfcf62..d2d087d587 100644
--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 :
2;
const int sfb_len = sfb_end - sfb_start;
const int coef_len = sce->ics.swb_offset[sfb_end] -
sce->ics.swb_offset[sfb_start];
+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
if (coef_len <= 0 || sfb_len <= 0) {
sce->tns.present = 0;
@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
}
for (w = 0; w < sce->ics.num_windows; w++) {
- float en[2] = {0.0f, 0.0f};
- int oc_start = 0, os_start = 0;
+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+ int oc_start = 0;
int coef_start = sce->ics.swb_offset[sfb_start];
- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
- FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
- if (g > sfb_start + (sfb_len/2))
- en[1] += band->energy;
- else
- en[0] += band->energy;
+ if (n_filt == 2) {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2))
+ en[1] += band->energy; /* End */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[2] = en[0];
+ } else {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+ en[2] += band->energy; /* End */
+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+ en[1] += band->energy; /* Middle */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[3] = en[0];
}
/* LPC */
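Review bot: `en[n_filt] = en[0]` (the `en[2] = en[0]` and `en[3] = en[0]` lines) is a wraparound sentinel so that the later `en[g] < en[g + 1]` comparison for the last filter compares the end region against the start region; that is not obvious from the code and deserves a comment at those lines. Also, the three-way split's thresholds `sfb_len/2 + sfb_len/4` and `sfb_len/2 - sfb_len/4` give the middle region about half the bands and the outer two a quarter each rather than thirds, so state whether that weighting is intended.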
@@ -198,15 +213,14 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain
> TNS_GAIN_THRESHOLD_HIGH)
continue;
- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+ tns->n_filt[w] = n_filt;
for (g = 0; g < tns->n_filt[w]; g++) {
- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
- tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] :
order - oc_start;
- tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] :
sfb_len - os_start;
+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+ tns->order[w][g] = order/tns->n_filt[w];
+ tns->length[w][g] = sfb_len/tns->n_filt[w];
quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g],
tns->coef[w][g],
tns->order[w][g], c_bits);
oc_start += tns->order[w][g];
- os_start += tns->length[w][g];
}
count++;
}
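Review bot: `tns->order[w][g] = order/tns->n_filt[w]` and `tns->length[w][g] = sfb_len/tns->n_filt[w]` drop the remainder, so when `order` or `sfb_len` is not divisible by `n_filt` the last few coefficients and bands belong to no filter (the removed `order - oc_start` / `sfb_len - os_start` branches were unreachable anyway, since `g < tns->n_filt[w]` always holds inside the loop); if that truncation is acceptable, a comment saying so would help, otherwise give the last filter the remainder.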
commit c8d0bb8966fadd0a725bbf7ab78a290e3ae9a216
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Aug 19 03:12:37 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:57 2025 +0100
avcodec/dxv: Check coded_height, to avoid invalid av_clip()
Fixes: assertion failure
Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 0b53d0b909..838ec7d21f 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -1147,6 +1147,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame
*frame,
ctx->tex_rat = 1;
break;
}
+ if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+ return AVERROR_INVALIDDATA;
ctx->slice_count = av_clip(avctx->thread_count, 1,
avctx->coded_height /
FFMAX(ctx->texture_block_h,
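Review bot: The guard `avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1` protects the `av_clip()` whose upper bound is `avctx->coded_height / FFMAX(ctx->texture_block_h, ...)`, but the relation between the constant `TEXTURE_BLOCK_H` used here and the per-format `ctx->texture_block_h` used in the clip is not visible; a comment stating that this is the largest divisor the clip can see, so the upper bound is at least 1 and `av_clip()`'s `amin <= amax` precondition holds, would tie the two together.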
commit 647b235ec1878247f9cd796b20a64fcda377560a
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 13 13:11:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:57 2025 +0100
avcodec/aac/aacdec: don't allow ff_aac_output_configure() allocating a new frame if it has no frame
Fixes: null pointer dereference
Fixes: crash_test.mp4
Found-by: Intel PSIRT
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 954399f86b..eaa2e973cc 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -454,6 +454,9 @@ static int output_configure(AACContext *ac,
uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }};
uint8_t type_counts[TYPE_END] = { 0 };
+ if (get_new_frame && !ac->frame)
+ return AVERROR_INVALIDDATA;
+
if (ac->oc[1].layout_map != layout_map) {
memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0]));
ac->oc[1].layout_map_tags = tags;
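Review bot: Returning `AVERROR_INVALIDDATA` here is silent; a missing `ac->frame` while `get_new_frame` is set looks like a decoder state inconsistency rather than ordinary bad input, so an `av_log(..., AV_LOG_ERROR, ...)` beside the return would make the rejected sample diagnosable in the field.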
commit 23a68e89e0a58461b26c5a721f1bfeb3ad2764d9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Aug 18 17:20:49 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:57 2025 +0100
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0243cf89b137b093b02a5c61a76e28cec1d69ae9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 0c10632993..a80f15f33a 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -91,7 +91,7 @@ static int64_t read_ts(const char *p, int64_t *start)
if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
- *start = (mm * 60 + ss) * AV_TIME_BASE;
+ *start = llrint((mm * 60 + ss) * AV_TIME_BASE);
if (prefix[1] == '-') {
*start = - *start;
}
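Review bot: `llrint()` changes the conversion from truncation toward zero to round-to-nearest (and makes the x86-32 result independent of x87 excess precision), so the stored timestamp can now differ by one unit from before for inputs whose product is not exactly representable; that is presumably the intent behind the FATE fix, but it should be stated in the message. Also check that `<math.h>` is included in this file.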
commit 9df90b6a6ab7a90ed9f00170fc191bd3c49d6f12
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 17 15:31:48 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:57 2025 +0100
avcodec/sanm: Check w,h,left,top
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 134fbfd1dcb59441e38d870ddd231772f4e8e127)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index b70daab7ac..7868ea112c 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -973,6 +973,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
}
bytestream2_skip(&ctx->gb, 4);
+ if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) >
ctx->avctx->height) {
+ avpriv_request_sample(ctx->avctx, "overly large frame\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
switch (codec) {
case 1:
case 3:
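Review bot: Negative `left`/`top` are clamped to zero by `FFMAX()` before the comparison, so a frame with `w <= width` but a negative `left` still passes; the message says one class of consumers uses left/top, so please confirm those consumers clip the negative side themselves, or reject negative offsets here too. Style: the sample-request string `"overly large frame\n"` carries a trailing newline unlike the other `avpriv_request_sample()` calls in this series.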
commit 20877cb73200d9829266e16fa1f5e6af0a33a528
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 15 17:55:05 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:57 2025 +0100
avcodec/utvideodec: Clear plane_start array
in pack mode the array is passed into decode_plane() without being
initialized or used
Fixes: use of uninitialized memory
Fixes: 438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5464037027807232
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 2a22972db3b390d82dedbdbb5f44cc09a43912b5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index a5e28bde8a..9281abd239 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -584,7 +584,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame
*frame,
int buf_size = avpkt->size;
UtvideoContext *c = avctx->priv_data;
int i, j;
- const uint8_t *plane_start[5];
+ const uint8_t *plane_start[5] = {NULL};
int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
int ret;
GetByteContext gb;
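Review bot: The `{NULL}` initialiser makes the pack-mode read of `plane_start` defined, but if `decode_plane()` ever dereferences one of these entries in that mode the uninitialised read becomes a NULL dereference; a comment at the declaration stating that pack mode never uses the array keeps the intent clear for the next reader.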
commit eda70e88cf3c7f9a714b524f3e4e44c7f897ac8b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 13 00:59:20 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Fri Nov 21 20:56:56 2025 +0100
fftools/ffmpeg_mux_init: Use 64bit for score computation in map_auto_video()
Fixes: signed integer overflow: 10 * 1952737655 cannot be represented in type 'int'
Fixes: PoC_avi_demux
Found-by: 2ourc3 (Salim LARGO)
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit cdbb5f1b93352f9e7eceb1562ad283a78b546091)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c
index 63a25a350f..ef0eea09c8 100644
--- a/fftools/ffmpeg_mux_init.c
+++ b/fftools/ffmpeg_mux_init.c
@@ -1467,7 +1467,7 @@ static int map_auto_video(Muxer *mux, const
OptionsContext *o)
{
AVFormatContext *oc = mux->fc;
InputStream *best_ist = NULL;
- int best_score = 0;
+ int64_t best_score = 0;
int qcr;
/* video: highest resolution */
@@ -1478,16 +1478,16 @@ static int map_auto_video(Muxer *mux, const
OptionsContext *o)
for (int j = 0; j < nb_input_files; j++) {
InputFile *ifile = input_files[j];
InputStream *file_best_ist = NULL;
- int file_best_score = 0;
+ int64_t file_best_score = 0;
for (int i = 0; i < ifile->nb_streams; i++) {
InputStream *ist = ifile->streams[i];
- int score;
+ int64_t score;
if (ist->user_set_discard == AVDISCARD_ALL ||
ist->st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO)
continue;
- score = ist->st->codecpar->width * ist->st->codecpar->height
+ score = ist->st->codecpar->width *
(int64_t)ist->st->codecpar->height
+ 100000000 * !!(ist->st->event_flags &
AVSTREAM_EVENT_FLAG_NEW_PACKETS)
+ 5000000*!!(ist->st->disposition &
AV_DISPOSITION_DEFAULT);
if((qcr!=MKTAG('A', 'P', 'I', 'C')) && (ist->st->disposition &
AV_DISPOSITION_ATTACHED_PIC))
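Review bot: The cast `width * (int64_t)height` fixes the product the type change targets, but the `10 * 1952737655` overflow quoted in the message is not among the lines shown; it presumably comes from the attached-picture branch that begins at the last context line, so please check that branch (and the comparisons against `file_best_score`/`best_score`) now operates on the `int64_t` score rather than an intermediate `int`.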
-----------------------------------------------------------------------
Summary of changes:
fftools/ffmpeg_mux_init.c | 17 ++++++++-----
libavcodec/aacdec_template.c | 3 +++
libavcodec/aacenc_tns.c | 40 +++++++++++++++++++----------
libavcodec/dxv.c | 2 ++
libavcodec/exr.c | 57 ++++++++++++++++++++++++++++++++++--------
libavcodec/g723_1.h | 2 +-
libavcodec/g723_1enc.c | 2 +-
libavcodec/librsvgdec.c | 4 +--
libavcodec/mjpegdec.c | 2 ++
libavcodec/osq.c | 2 +-
libavcodec/sanm.c | 5 ++++
libavcodec/utvideodec.c | 4 +--
libavcodec/vlc.c | 2 +-
libavfilter/vf_drawtext.c | 11 +++-----
libavformat/avidec.c | 2 +-
libavformat/aviobuf.c | 2 +-
libavformat/http.c | 2 +-
libavformat/lrcdec.c | 2 +-
libavformat/rtmpproto.c | 28 +++++++++++++++++++--
libavformat/rtpdec_rfc4175.c | 28 +++++++++++++++------
libavformat/rtpenc_h264_hevc.c | 3 +++
libavformat/sctp.c | 3 +++
libavutil/common.h | 8 +++---
libswscale/output.c | 4 +--
24 files changed, 171 insertions(+), 64 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]