The branch, release/5.1 has been updated
from 27267cd5600b09bb5c1a70b8c9751f8ab80a192f (commit)
- Log -----------------------------------------------------------------
commit fb52923679d5f713dda140006e317d89a992eca5
Author: Zhao Zhili <[email protected]>
AuthorDate: Fri Nov 14 17:23:22 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:19 2025 +0100
avutil/common: cast GET_BYTE/GET_16BIT returned value
In case GET_BYTE/GET_16BIT returns a signed value.
(cherry picked from commit 0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavutil/common.h b/libavutil/common.h
index fd1404be6c..1f316fec4d 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -467,13 +467,13 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* to prevent undefined results.
*/
#define GET_UTF8(val, GET_BYTE, ERROR)\
- val= (GET_BYTE);\
+ val= (uint8_t)(GET_BYTE);\
{\
uint32_t top = (val & 128) >> 1;\
if ((val & 0xc0) == 0x80 || val >= 0xFE)\
{ERROR}\
while (val & top) {\
- unsigned int tmp = (GET_BYTE) - 128;\
+ unsigned int tmp = (uint8_t)(GET_BYTE) - 128;\
if(tmp>>6)\
{ERROR}\
val= (val<<6) + tmp;\
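Review bot: the doc comment above GET_UTF8 should state that GET_BYTE is now truncated to 8 bits by the (uint8_t) cast, on the lead byte and on every continuation byte. An expression that yields a value outside 0..255 (an int sentinel, for example) is reduced modulo 256 before the validity tests run, so callers have to detect end of input themselves rather than rely on the macro rejecting an out-of-range value.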
@@ -492,11 +492,11 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* typically a goto statement.
*/
#define GET_UTF16(val, GET_16BIT, ERROR)\
- val = (GET_16BIT);\
+ val = (uint16_t)(GET_16BIT);\
{\
unsigned int hi = val - 0xD800;\
if (hi < 0x800) {\
- val = (GET_16BIT) - 0xDC00;\
+ val = (uint16_t)(GET_16BIT) - 0xDC00;\
if (val > 0x3FFU || hi > 0x3FFU)\
{ERROR}\
val += (hi<<10) + 0x10000;\
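Review bot: in the low-surrogate line, (uint16_t)(GET_16BIT) - 0xDC00 is evaluated in int after promotion, so a second unit below 0xDC00 gives a negative intermediate. When val is a signed type, rejecting it depends on val > 0x3FFU being compared as unsigned; a short comment saying so, or doing the subtraction on an unsigned value, would keep a later edit from dropping the U suffix and losing the check.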
commit 2cb9bb481e4d2957fc8d8c981d86e62c714de451
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 1 01:29:32 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:19 2025 +0100
avfilter/vf_drawtext: Account for bbox text separator
Fixes: out of array access
no test case
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ad956ff076ea808e5d64c9ac17c1bfc1ba7d0cc0)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/vf_drawtext.c b/libavfilter/vf_drawtext.c
index feb6898848..e85f5c03f2 100644
--- a/libavfilter/vf_drawtext.c
+++ b/libavfilter/vf_drawtext.c
@@ -759,7 +759,7 @@ static av_cold int init(AVFilterContext *ctx)
av_log(ctx, AV_LOG_WARNING, "Multiple texts provided, will use
text_source only\n");
av_free(s->text);
}
- s->text = av_mallocz(AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE *
+ s->text = av_mallocz((AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE + 1) *
(AV_NUM_DETECTION_BBOX_CLASSIFY + 1));
if (!s->text)
return AVERROR(ENOMEM);
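Review bot: the + 1 added to AV_DETECTION_BBOX_LABEL_NAME_MAX_SIZE has no comment, and nothing at the allocation says it is the per-label separator. A one-line comment stating what each factor covers (label bytes plus separator, times AV_NUM_DETECTION_BBOX_CLASSIFY + 1 labels) and where the terminating NUL fits would let the size be checked against the code that fills s->text, which is outside this hunk.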
commit 4f88deb6cb3e1108f31fff180533c9b5f8331ebb
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 23:22:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:19 2025 +0100
avcodec/utvideodec: Set B for the width= 1 case in
restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes:
439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 12c92d29b2..aa54785e0a 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -436,7 +436,7 @@ static void restore_median_planar_il(UtvideoContext *c,
uint8_t *src, ptrdiff_t
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride2];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need
align 16) */
B = bsrc[i - stride2];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
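Review bot: A = B = bsrc[0] needs a comment, because B is reassigned as the first statement of the scalar loop and the initial value only matters when width is 1 and the loop body never runs (the case named in the subject). Without that note the extra assignment looks redundant and is easy to remove again.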
commit 3491fc6b8d8a12589e8afe44968d5680dde9b6a7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:19 2025 +0100
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 918c04f3e2..208ea8eb7b 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
@@ -172,33 +173,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s,
AVStream *stream,
}
static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
- PayloadContext *data, const char *line)
+ PayloadContext *data_arg, const char *line)
{
const char *p;
if (st_index < 0)
return 0;
+ av_assert0(!data_arg->sampling);
+
if (av_strstart(line, "fmtp:", &p)) {
AVStream *stream = s->streams[st_index];
+ PayloadContext data0 = *data_arg, *data = &data0;
int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
+ if (!data->sampling || !data->depth || !data->width || !data->height)
+ ret = AVERROR(EINVAL);
+
if (ret < 0)
- return ret;
+ goto fail;
ret = av_image_check_size(data->width, data->height, 0, s);
if (ret < 0)
- return ret;
-
- if (!data->sampling || !data->depth || !data->width || !data->height)
- return AVERROR(EINVAL);
+ goto fail;
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
ret = rfc4175_parse_format(stream, data);
av_freep(&data->sampling);
-
+ if (ret >= 0)
+ *data_arg = *data;
+fail:
+ av_freep(&data->sampling);
return ret;
}
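Review bot: the field check moved up to just after ff_parse_fmtp() assigns ret = AVERROR(EINVAL) without looking at ret first, so a negative ret from ff_parse_fmtp() is overwritten whenever a field is also missing and the original error code is lost; adding ret >= 0 to the condition would keep it. The av_freep(&data->sampling) left after rfc4175_parse_format() is also redundant now that the success path falls through to the same call under the fail label.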
commit da520e2da91f286ca6743111de99c0206c1716be
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:19 2025 +0100
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 017f1e162a..918c04f3e2 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
#include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
#include "libavutil/parseutils.h"
@@ -185,6 +186,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int
st_index,
if (ret < 0)
return ret;
+ ret = av_image_check_size(data->width, data->height, 0, s);
+ if (ret < 0)
+ return ret;
if (!data->sampling || !data->depth || !data->width || !data->height)
return AVERROR(EINVAL);
@@ -295,6 +299,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
if (data->interlaced)
line = 2 * line + field;
+ if (line >= data->height)
+ return AVERROR_INVALIDDATA;
+
/* prevent ill-formed packets to write after buffer's end */
copy_offset = (line * data->width + offset) * data->pgroup /
data->xinc;
if (copy_offset + length > data->frame_size || !data->frame)
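Review bot: the new test bounds line against data->height, but offset in the copy_offset expression just below is not compared with data->width anywhere in the lines shown. If no earlier check exists, add one next to this one so that line * data->width + offset stays inside a single row, and, if these fields are plain int, do the multiplication in a 64-bit type before the division.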
commit 04986e8f5005f75dbdfae368b716819a47a4754f
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:18 2025 +0100
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 83abe499f8..017f1e162a 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -127,7 +127,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
data->width = atoi(value);
else if (!strncmp(attr, "height", 6))
data->height = atoi(value);
- else if (!strncmp(attr, "sampling", 8))
+ else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
data->sampling = av_strdup(value);
else if (!strncmp(attr, "depth", 5))
data->depth = atoi(value);
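Review bot: with data->sampling == NULL folded into the else-if condition, a repeated sampling attribute is not handled here at all; it falls through to the depth test and the branches after it, and the first value is silently kept. If a repeated attribute should count as malformed SDP, give sampling its own branch that reports it. The av_strdup() result is also unchecked in the lines shown.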
commit 1d515916f6dce5e3793ed761156c62f4445a558d
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 17:32:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:18 2025 +0100
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/http.c b/libavformat/http.c
index c5c48c7900..dde91b91e2 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1787,7 +1787,7 @@ static int store_icy(URLContext *h, int size)
ret = http_read_stream_all(h, data, len);
if (ret < 0)
return ret;
- data[len + 1] = 0;
+ data[len] = 0;
if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
return ret;
update_metadata(h, data);
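Review bot: data[len] = 0 is in bounds only if data holds at least len + 1 bytes, and both the declaration of data and the limit applied to len are outside this hunk. Tying the two together where len is validated (for example comparing len against sizeof(data) - 1, if data is an array) would make the terminator write checkable in one place.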
commit 62b4acd62170eaa87ca5310840177b4df8ad8774
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:18 2025 +0100
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 66baf163de..dd8270bea7 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -174,7 +174,7 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
#define M(chr) (1<<chr - 'A')
- int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+ int has_channel; ///< combination of flags representing the channel codes
A-Z
GetByteContext gb;
const uint8_t *buf;
commit 595774182f61b471b0966f8ffc359874117f4e4a
Author: veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:18 2025 +0100
avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize which lead to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 46fc27fe59..66baf163de 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -742,12 +742,12 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t
*src,
break;
case EXR_UINT:
ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |
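Review bot: with this change the EXR_UINT case consumes 4 * td->xsize bytes of in per row, and the hunk does not show the expected-size computation that the uncompressed buffer is validated against. Please confirm that computation also counts UINT channels with td->xsize; otherwise the four plane pointers can still run past the data.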
commit cdf9a16125d804eab4abb313c9a37d7a4ad1c587
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:20:36 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:18 2025 +0100
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as depending on the order
of channels it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 48ca48625e..46fc27fe59 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -173,6 +173,9 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
+#define M(chr) (1<<chr - 'A')
+ int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+
GetByteContext gb;
const uint8_t *buf;
int buf_size;
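Review bot: the macro M(chr) uses its argument unparenthesized, (1<<chr - 'A'), so it only works because - binds tighter than << and it breaks for an argument containing a lower-precedence operator. Writing it as (1 << ((chr) - 'A')) is safer. Since it is defined in the middle of the struct, the one-letter name also stays visible for the rest of the file; a longer name or an #undef after the last use would avoid clashes.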
@@ -1608,6 +1611,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->is_tile = 0;
s->is_multipart = 0;
s->is_luma = 0;
+ s->has_channel = 0;
s->current_part = 0;
if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1711,23 +1715,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
}
if (layer_match) { /* only search channel if the layer match
is valid */
+ if (strlen(ch_gb.buffer) == 1) {
+ int ch_chr = av_toupper(*ch_gb.buffer);
+ if (ch_chr >= 'A' && ch_chr <= 'Z')
+ s->has_channel |= M(ch_chr);
+ av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+ }
+
if (!av_strcasecmp(ch_gb.buffer, "R") ||
!av_strcasecmp(ch_gb.buffer, "X") ||
!av_strcasecmp(ch_gb.buffer, "U")) {
channel_index = 0;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "G") ||
!av_strcasecmp(ch_gb.buffer, "V")) {
channel_index = 1;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
channel_index = 1;
- s->is_luma = 1;
} else if (!av_strcasecmp(ch_gb.buffer, "B") ||
!av_strcasecmp(ch_gb.buffer, "Z") ||
!av_strcasecmp(ch_gb.buffer, "W")) {
channel_index = 2;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "A")) {
channel_index = 3;
} else {
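Review bot: the av_log() call sits outside the A to Z range check, so every single-character channel name is printed with %c, including bytes that are not letters, and the log line carries no context. Move it into the body of if (ch_chr >= 'A' && ch_chr <= 'Z') with braces and give it a label, or drop it.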
@@ -1803,6 +1810,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->current_channel_offset += 4;
}
}
+ if (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') ) & ~s->has_channel) &&
+ !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X')
+ M('Z')) & s->has_channel)) {
+ s->is_luma = 1;
+ } else {
+ avpriv_request_sample(s->avctx, "Uncommon channel
combination");
+ ret = AVERROR(AVERROR_PATCHWELCOME);
+ goto fail;
+ }
/* Check if all channels are set with an offset or if the channels
* are causing an overflow */
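Review bot: ret = AVERROR(AVERROR_PATCHWELCOME) in the final else wraps a value that is already an FFmpeg error code; the other exr.c changes in this push return AVERROR_PATCHWELCOME directly. Where AVERROR() negates its argument this produces a positive ret, which the fail path may not treat as an error. Assign AVERROR_PATCHWELCOME without the wrapper.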
commit 4ffc69b99c41f3b12363b0e1fd794dc6b7a21843
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:08:45 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index 9d9e90097e..f39ba7ebe0 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf,
int size)
}
if (s->max_streams) {
+ if (size < 2)
+ return AVERROR(EINVAL);
+
/*StreamId is introduced as a 2byte code into the stream*/
struct sctp_sndrcvinfo info = { 0 };
info.sinfo_stream = AV_RB16(buf);
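Review bot: the new size check is placed ahead of the declaration of struct sctp_sndrcvinfo info, which leaves a declaration after a statement inside the block. Moving the check below the declaration (info is only zero-initialized there) keeps the block declaration-first and changes nothing else. The existing comment about the 2 byte StreamId could then sit directly above the check, since that read is what size < 2 protects.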
commit 222ef19414dd6cb38911cf364b029d6713a6fb8b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 26eb53aa77..66d2864156 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -161,6 +161,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket
*pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -325,7 +332,15 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH
+ + strlen(rt->auth_params) +
strlen(rt->flashver)
+ + zstrlen(rt->swfurl)
+ + zstrlen(rt->swfverify)
+ + zstrlen(rt->tcurl)
+ + zstrlen(rt->auth_params)
+ + zstrlen(rt->pageurl)
+ + zstrlen(rt->conn)*3
+ )) < 0)
return ret;
p = pkt.data;
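Review bot: rt->auth_params is counted twice in the size expression, once with plain strlen() and once with zstrlen(). If it can be NULL, which the zstrlen() call implies, the strlen(rt->auth_params) term dereferences NULL regardless of the guarded one; drop the strlen() term and keep the zstrlen() one. The multiplier in zstrlen(rt->conn)*3 also needs a comment saying what expansion it covers.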
@@ -1866,7 +1881,9 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE
+ + strlen(status) + strlen(description)
+ + zstrlen(details))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}
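Review bot: status and description are measured with plain strlen() while details goes through zstrlen(), so the call assumes the first two are never NULL. If every caller passes non-NULL strings, say so in a comment above the function; otherwise use zstrlen() for all three.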
commit 79200bd288b2c300153bc429e7e1991d780dcc48
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index dae9f1496b..26eb53aa77 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2799,6 +2799,12 @@ reconnect:
"FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
}
}
+ if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+ || strlen(rt->tcurl ) > TCURL_MAX_LENGTH
+ ) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
rt->receive_report_size = 1048576;
rt->bytes_read = 0;
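Review bot: the comparisons use >, so a flashver or tcurl of exactly FLASHVER_MAX_LENGTH or TCURL_MAX_LENGTH characters is accepted. Whether that is correct depends on whether those constants leave room for the terminator where the strings are later written, which this hunk does not show; if they are raw buffer sizes the test should be >=. The failure path also returns EINVAL with no av_log(), so the user gets no hint which option was too long.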
commit 033c6d3630850f4becfce0429b05d41e33dad353
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Oct 7 01:58:34 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
avcodec/g723_1enc: Make min_err 64bit
This is intending to fix the case described in
https://lists.ffmpeg.org/archives/list/[email protected]/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
Where FCBParam optim is used uninitialized
a min_err of 1<<30, allows the struct to be never initialized as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible
Untested, as I do not have the testcase
Signed-off-by: Michael Niedermayer <[email protected]>i
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
* Optimized fixed codebook excitation parameters
*/
typedef struct FCBParam {
- int min_err;
+ int64_t min_err;
int amp_index;
int grid_index;
int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index e8fb8429c1..a8066dfc4c 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1015,7 +1015,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t
*impulse_resp,
int pulse_cnt = pulses[index];
int i;
- optim.min_err = 1 << 30;
+ optim.min_err = 1LL << 31;
get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
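Review bot: 1LL << 31 is a magic value whose only requirement, per the commit message, is to be larger than any int32_t err. Writing it as INT64_MAX, or adding a comment that it must exceed INT32_MAX, makes that requirement visible at the assignment and keeps it tied to the int64_t type given to min_err in g723_1.h.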
commit b75fcac83c9444884d919b8673591315ec43eb83
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 24 20:29:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
avformat/rtpenc_h264_hevc: Check space for nal_length_size in
ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 0c88fc2a23..470430478b 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -195,6 +195,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const
uint8_t *buf1, int size)
r1 = ff_avc_mp4_find_startcode(r, end, s->nal_length_size);
if (!r1)
r1 = end;
+ // Check that the last is not truncated
+ if (r1 - r < s->nal_length_size)
+ break;
r += s->nal_length_size;
} else {
while (!*(r++));
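Review bot: the break drops a truncated trailing NAL without any message, so the sender emits a shorter access unit and nothing records why. An av_log() at warning level before the break would make this diagnosable, and the comment would be clearer as "Check that the last NAL length field is not truncated".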
commit ac4caa33bae5841649c61d4f8a0608dfa59c4fa1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:32:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:17 2025 +0100
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/output.c b/libswscale/output.c
index a6abd8c11e..65c9a1a484 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -943,7 +943,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
int A = 0xffff;
for (j = 0; j < lumFilterSize; j++)
- Y += lumSrc[j][i] * lumFilter[j];
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
Y >>= 15;
Y += (1<<3) + 0x8000;
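Review bot: the (unsigned) cast on lumFilter[j] needs a comment, since nothing at the line says it is there to make the product wrap in unsigned arithmetic instead of overflowing a signed int; the same pattern is repeated for the alpha accumulation in the next hunk. A short note on the first use, mentioning that the accumulator is still shifted by Y >>= 15 afterwards, would stop the cast from being cleaned up as a stray one.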
@@ -952,7 +952,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
if (hasAlpha) {
A = -0x40000000 + (1<<14);
for (j = 0; j < lumFilterSize; j++)
- A += alpSrc[j][i] * lumFilter[j];
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 15;
A += 0x8000;
commit f39917c627cd72e08c9885837a711aebe0849f42
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:16 2025 +0100
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index a90ed0f8ec..48ca48625e 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1008,6 +1008,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
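Review bot: the sample request says "Gray DWA" but the condition s->nb_channels < 3 also covers two-channel files, so the message can misreport what was rejected. Wording such as "DWA with fewer than 3 channels" matches the test.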
commit 8c369b07962f256aaa14d7800fadb64f6bca8557
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:16 2025 +0100
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index b34cd3523d..a90ed0f8ec 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1024,6 +1024,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
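Review bot: the test is ac_size <= 0 while the message says "Zero ac_size", so a negative 64-bit value read from the header is reported as zero. The commit message also describes this as an unimplemented case, yet the return after avpriv_request_sample() is AVERROR_INVALIDDATA; either return AVERROR_PATCHWELCOME as the nb_channels check in dwa_uncompress() does, or split the negative case off as invalid data with its own message.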
commit b738592e28ad74f25a3350f093ff07abb9befeac
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:16 2025 +0100
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index c2210fea51..b34cd3523d 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -995,8 +995,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
@@ -1029,6 +1029,10 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
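Review bot: the condition td->xsize % 8 || td->ysize % 8 fires for any size that is not a multiple of 8, which "odd dimensions DWA" does not describe. The block also only logs and then continues decoding, so it repeats for every tile of such a file; reword the message (for example "DWA with dimensions not a multiple of 8") and add a comment that continuing is intentional.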
commit e03c34b5c4df4b699862a7fba1b81a2db67019e5
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 11 20:12:55 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:16 2025 +0100
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 997c4bb4bc..8ebdfbe23b 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -343,6 +343,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
if (av_image_check_size(width, height, 0, s->avctx) < 0)
return AVERROR_INVALIDDATA;
+
+ // A valid frame requires at least 1 bit for DC + 1 bit for AC for each
8x8 block.
if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size *
4LL)
return AVERROR_INVALIDDATA;
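Review bot: the new comment gives the premise (1 bit for DC plus 1 bit for AC per 8x8 block) but not the step to the constant in the test. Adding that 2 bits per block against 8 bits per byte is where s->buf_size * 4LL comes from would let a reader verify the inequality without redoing the arithmetic.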
commit b7263cc4d434d10a557491bd5f05e8478ec0a497
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Tue Mar 12 23:23:17 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:16 2025 +0100
avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 7a089ed8e049e3bfcb22de1250b86f2106060857)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 1cd1edf24c..73938c640c 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1699,7 +1699,7 @@ static int check_stream_max_drift(AVFormatContext *s)
int *idx = av_calloc(s->nb_streams, sizeof(*idx));
if (!idx)
return AVERROR(ENOMEM);
- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
int64_t max_dts = INT64_MIN / 2;
int64_t min_dts = INT64_MAX / 2;
int64_t max_buffer = 0;
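Review bot: min_pos + 1ULL relies on the addition being done in unsigned long long, so that the increment evaluated with min_pos == INT64_MAX, just before the loop condition ends the loop, does not overflow a signed type. That intent is invisible at the line; a brief comment, or restructuring so the increment is skipped once min_pos is INT64_MAX, would keep the suffix from being simplified away.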
commit 371692641ede92506f67fd55b74603fd088e3595
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Mon Mar 25 16:54:25 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
fftools/ffmpeg_mux_init: Fix double-free on error
MATCH_PER_STREAM_OPT iterates over all options of a given
OptionDef and tests whether they apply to the current stream;
if so, they are set to ost->apad, otherwise, the code errors
out. If no error happens, ost->apad is av_strdup'ed in order
to take ownership of this pointer.
But this means that setting it originally was premature,
as it leads to double-frees when an error happens later on.
This can simply be reproduced with
ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -
This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
Fix this by using a temporary variable instead of directly
setting ost->apad. Also only strdup the string if it actually
is != NULL.
Reviewed-by: Marth64 <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5)
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8a1ccbd5dd76fb12ad75528038a9f7f50fee330d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c
index 0969b12e7f..65b4cc3cd8 100644
--- a/fftools/ffmpeg_opt.c
+++ b/fftools/ffmpeg_opt.c
@@ -2054,6 +2054,7 @@ static OutputStream *new_audio_stream(OptionsContext *o,
AVFormatContext *oc, in
int channels = 0;
char *layout = NULL;
char *sample_fmt = NULL;
+ const char *apad = NULL;
MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
if (channels) {
@@ -2091,8 +2092,12 @@ static OutputStream *new_audio_stream(OptionsContext *o,
AVFormatContext *oc, in
MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc,
st);
- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
- ost->apad = av_strdup(ost->apad);
+ MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
+ if (apad) {
+ ost->apad = av_strdup(apad);
+ if (!ost->apad)
+ exit_program(1);
+ }
ost->avfilter = get_ost_filters(o, oc, ost);
if (!ost->avfilter)
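Review bot: in the new `if (apad)` block, the `av_strdup()` failure path calls `exit_program(1)` without logging anything, so an out-of-memory exit at this point cannot be told apart from any other failure. A fatal-level log message before the exit would fix that. A short comment would also help here, saying that `ost->apad` must stay NULL until the duplicate exists: that ordering is the whole fix, because the option string is not owned by `ost` and must not be reachable through it on an error path.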
commit f40982e07aa84a29aa5975a00859ecd351954395
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Fri Jul 11 22:58:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index b20b1a611a..17950ceef3 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -337,7 +337,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
whence)
ctx->seek_count++;
if (!s->write_flag)
s->buf_end = s->buffer;
- s->buf_ptr = s->buf_ptr_max = s->buffer;
+ s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
s->pos = offset;
}
s->eof_reached = 0;
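Review bot: resetting `s->checksum_ptr` together with `s->buf_ptr` drops the bytes between the old `checksum_ptr` and the old `buf_ptr` from the running checksum, since `update_checksum` is not called on them before the reset. If a checksum spanning a seek is not meant to be supported, say so in a comment at this line; otherwise flush the pending range first. The invariant `checksum_ptr <= buf_ptr` that this change restores is also worth asserting where `s->buf_ptr - s->checksum_ptr` is computed, so a future violation fails loudly instead of becoming a huge unsigned length.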
commit 6023611ca735f448f87e49d1a110875dc8b454c5
Author: Lynne <[email protected]>
AuthorDate: Sat Feb 8 04:35:31 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
aacenc_tns: clamp filter direction energy measurement
The issue is that:
float en[2];
...
tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
for (g = 0; g < tns->n_filt[w]; g++) {
tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
When using the AAC Main profile, n_filt = 3, and slant is by
default 2 (normal long frames), g can go above 1.
en is the evolution of energy in the frequency domain for every
band at the given window. E.g. whether the energy is concentrated
at the top of each band, or the bottom.
For 2-pole filters, it's straightforward.
For 3-pole filters, we need more than 2 measurements.
This commit properly implements support for 3-pole filters, by measuring
the band energy across three areas.
Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
n_filt == 3.
Fixes https://trac.ffmpeg.org/ticket/11418
(cherry picked from commit ed09aa28ae3b4509f00a24a9ebdeb084ee00736a)
(cherry picked from commit f98f142da571653436596ccad2d09c7e39bfd4fb)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
index 2ffe1f8de8..f56226c0c7 100644
--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
@@ -173,6 +173,7 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 :
2;
const int sfb_len = sfb_end - sfb_start;
const int coef_len = sce->ics.swb_offset[sfb_end] -
sce->ics.swb_offset[sfb_start];
+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
if (coef_len <= 0 || sfb_len <= 0) {
sce->tns.present = 0;
@@ -180,16 +181,30 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
}
for (w = 0; w < sce->ics.num_windows; w++) {
- float en[2] = {0.0f, 0.0f};
- int oc_start = 0, os_start = 0;
+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+ int oc_start = 0;
int coef_start = sce->ics.swb_offset[sfb_start];
- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
- FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
- if (g > sfb_start + (sfb_len/2))
- en[1] += band->energy;
- else
- en[0] += band->energy;
+ if (n_filt == 2) {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2))
+ en[1] += band->energy; /* End */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[2] = en[0];
+ } else {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+ en[2] += band->energy; /* End */
+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+ en[1] += band->energy; /* Middle */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[3] = en[0];
}
/* LPC */
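Review bot: the `if (n_filt == 2)` / `else` split sends `n_filt == 1` (the `is8` case) through the three-area branch. With a single filter the direction test reads `en[0]` and `en[1]`, which in that branch are the start and middle areas rather than the two halves the old code compared, so direction decisions for that case change. If that is not intended, test `n_filt == 3` for the three-way split and let 1 and 2 share the two-way one. The wrap-around copies `en[2] = en[0]` and `en[3] = en[0]` also need a comment, since they exist only so that `en[g + 1]` is valid for the last filter.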
@@ -199,15 +214,14 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain
> TNS_GAIN_THRESHOLD_HIGH)
continue;
- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+ tns->n_filt[w] = n_filt;
for (g = 0; g < tns->n_filt[w]; g++) {
- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
- tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] :
order - oc_start;
- tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] :
sfb_len - os_start;
+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+ tns->order[w][g] = order/tns->n_filt[w];
+ tns->length[w][g] = sfb_len/tns->n_filt[w];
quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g],
tns->coef[w][g],
tns->order[w][g], c_bits);
oc_start += tns->order[w][g];
- os_start += tns->length[w][g];
}
count++;
}
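Review bot: `order/tns->n_filt[w]` and `sfb_len/tns->n_filt[w]` truncate, so when `order` or `sfb_len` is not a multiple of `n_filt` the remainder is assigned to no filter. The removed ternaries look as if they were meant to hand that remainder to the last filter, but their condition `g < tns->n_filt[w]` was always true inside this loop, so dropping them keeps the behaviour and only makes the truncation visible. Either state in a comment that the remainder is intentionally left uncovered, or restore the intent with a `g < tns->n_filt[w] - 1` condition.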
commit 5122db9ab2d9db01cf73c7650097e444c15369e1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Aug 19 03:12:37 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
avcodec/dxv: Check coded_height, to avoid invalid av_clip()
Fixes: assertion failure
Fixes:
438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 40788c5a69..1d6914ac1c 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -1147,6 +1147,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame
*frame,
ctx->tex_rat = 1;
break;
}
+ if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+ return AVERROR_INVALIDDATA;
ctx->slice_count = av_clip(avctx->thread_count, 1,
avctx->coded_height /
FFMAX(ctx->texture_block_h,
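Review bot: the new guard divides by the constant `TEXTURE_BLOCK_H`, while the `av_clip()` upper bound directly below divides by `FFMAX(ctx->texture_block_h, ...)`, so the check and the value it protects come from two different expressions. Computing the upper bound once into a local, returning `AVERROR_INVALIDDATA` when it is below 1, and passing that same local to `av_clip()` would keep the two from drifting apart. A short comment that `av_clip()` requires its lower bound not to exceed its upper bound would explain why the check exists.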
commit 983f80867829c1e9332eb39c13e92ccfa2139892
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 13 13:11:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new
frame if it has no frame
Fixes: null pointer dereference
Fixes: crash_test.mp4
Found-by: Intel PSIRT
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 7e02f8f8a8..7cf844443a 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -540,6 +540,9 @@ static int output_configure(AACContext *ac,
uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }};
uint8_t type_counts[TYPE_END] = { 0 };
+ if (get_new_frame && !ac->frame)
+ return AVERROR_INVALIDDATA;
+
if (ac->oc[1].layout_map != layout_map) {
memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0]));
ac->oc[1].layout_map_tags = tags;
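Review bot: the early `return AVERROR_INVALIDDATA` for `get_new_frame && !ac->frame` is silent and undocumented. Nothing in this function shows when `ac->frame` can be NULL while a caller asks for a new frame, so a one-line comment naming that situation and a log message at the return would make the resulting decode failure diagnosable. The placement before `ac->oc[1]` is modified is right; please also confirm that callers propagate this return value rather than carrying on.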
commit 900eb11fdfe8d1e35dd5a92af09475ebd09a3891
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Aug 18 17:20:49 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:15 2025 +0100
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0243cf89b137b093b02a5c61a76e28cec1d69ae9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 4a7fd80c68..0b3432e3dc 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -91,7 +91,7 @@ static int64_t read_ts(const char *p, int64_t *start)
if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
- *start = (mm * 60 + ss) * AV_TIME_BASE;
+ *start = llrint((mm * 60 + ss) * AV_TIME_BASE);
if (prefix[1] == '-') {
*start = - *start;
}
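Review bot: `llrint()` on `(mm * 60 + ss) * AV_TIME_BASE` has no range check in front of it. Only `ss` is bounded in the visible condition; if `mm` comes straight from the parsed timestamp, a large value gives a product outside the `int64_t` range, for which `llrint()` has no defined result. Consider rejecting out-of-range `mm` in the same `if` that validates `ss`. The change also switches the conversion from truncation to rounding, which the commit message should mention, since its subject names only the x86-32 test.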
commit b9f228429d6a21c47437cb31bce4c22fb8b57dfb
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 17 15:31:48 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:14 2025 +0100
avcodec/sanm: Check w,h,left,top
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes:
439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 134fbfd1dcb59441e38d870ddd231772f4e8e127)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index 7f094c8bbf..4b9f1dc506 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -975,6 +975,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
}
bytestream2_skip(&ctx->gb, 4);
+ if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) >
ctx->avctx->height) {
+ avpriv_request_sample(ctx->avctx, "overly large frame\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
switch (codec) {
case 1:
case 3:
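Review bot: the new bounds check clamps negative `left`/`top` to 0 with `FFMAX(..., 0)`, so a negative offset always passes as long as `w`/`h` fit, and the check does not reject negative `w` or `h` either. It therefore still relies on every codec case below handling those values itself; if any of them does not, add the lower-bound tests to this same condition. A minor point: the string passed to `avpriv_request_sample()` ends in `\n`, but that function appends its own text to the message, so the newline should go.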
commit c1a08abfdf6f6675c148870da1044c9a03a308cb
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 15 17:55:05 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 23 04:32:14 2025 +0100
avcodec/utvideodec: Clear plane_start array
in pack mode the array is passed into decode_plane() without being
initialized or used
Fixes: use of uninitialized memory
Fixes:
438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5464037027807232
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 2a22972db3b390d82dedbdbb5f44cc09a43912b5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 29e9ef1e68..12c92d29b2 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -564,7 +564,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame
*frame,
int buf_size = avpkt->size;
UtvideoContext *c = avctx->priv_data;
int i, j;
- const uint8_t *plane_start[5];
+ const uint8_t *plane_start[5] = {NULL};
int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
int ret;
GetByteContext gb;
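Review bot: initialising `plane_start` to `{NULL}` removes the uninitialised read but leaves the contract unstated. The commit message says pack mode passes the array into `decode_plane()` without using it; a comment at this declaration saying that the entries are only filled in outside pack mode, and that a NULL entry must never be dereferenced, would stop a later change to the pack path from turning this into a NULL dereference.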
-----------------------------------------------------------------------
Summary of changes:
fftools/ffmpeg_opt.c | 9 +++++--
libavcodec/aacdec_template.c | 3 +++
libavcodec/aacenc_tns.c | 40 +++++++++++++++++++----------
libavcodec/dxv.c | 2 ++
libavcodec/exr.c | 57 ++++++++++++++++++++++++++++++++++--------
libavcodec/g723_1.h | 2 +-
libavcodec/g723_1enc.c | 2 +-
libavcodec/mjpegdec.c | 2 ++
libavcodec/sanm.c | 5 ++++
libavcodec/utvideodec.c | 4 +--
libavfilter/vf_drawtext.c | 2 +-
libavformat/avidec.c | 2 +-
libavformat/aviobuf.c | 2 +-
libavformat/http.c | 2 +-
libavformat/lrcdec.c | 2 +-
libavformat/rtmpproto.c | 27 ++++++++++++++++++--
libavformat/rtpdec_rfc4175.c | 28 +++++++++++++++------
libavformat/rtpenc_h264_hevc.c | 3 +++
libavformat/sctp.c | 3 +++
libavutil/common.h | 8 +++---
libswscale/output.c | 4 +--
21 files changed, 159 insertions(+), 50 deletions(-)