The branch, release/4.4 has been updated
via f63a934407e11ddd48d146d30921dee225a0da05 (commit)
via 468e425a23d8ea149f15503ec3a9adbd890b3357 (commit)
via 56ff5db7d759b3b33344709b214e68e55a775e10 (commit)
via ace015bd43b8e2d73c28e2da2c99f4519296b3ec (commit)
via d81116742b1f5962979d710bb26011e3f8eedae7 (commit)
via 2eecc2c6e776fb7d1b7f4c8b2c4ead46b6a41065 (commit)
via 96fcd37fd03441dbe0187afe1d4f7dd55e146249 (commit)
via 0fcf3321f7df99fd806d0a50acfc665a2fabe0c8 (commit)
via 96a27bebf5f035d4b3565e03eb1c0fdad1e9b5a4 (commit)
via b2f5dd780d97a04bc52948aa42fe18c529c5e3b1 (commit)
via 3a850b1e0f51bcd8ef141be1764652af2661b526 (commit)
via a40b8f4ee38373f9ee2b182c8d561832ed49f264 (commit)
via 8ff2d9606555c0c62f698d54be27080dcf90ceb7 (commit)
via 25d9db13cae96d57b7888560a4d750de95cc26ef (commit)
via 8d174ecd1047dbd5504b0ce5f9aa1a85fc491ff8 (commit)
via 1c4bbca9326817e549d449726ec7a9348d348589 (commit)
via 26e3ed6080daffd2cbb14167cb060e94dc15998a (commit)
via 447d98b07235c04437e7d3836fc97195a503fe3d (commit)
via c20c66499812b85ab3876e746a5474376b6000b1 (commit)
via a1a5ab07ee6f04c563e56c576136a500c4ab8a7c (commit)
via 0cf474451d51d984ae574754a0ce993faac97526 (commit)
via 3798f1b2311946183551ba30e945abda4bf52100 (commit)
via c3069227bc1c0ad4acfb9c1c802c1d2f0b077c8a (commit)
via 21fe514152a22cc5653fd95f065320adfcf076e9 (commit)
via ab45118cc7a78e82f623deaba18e4b4c65973914 (commit)
via c9323a8efc144285d85c7602ad87787024b9ea2e (commit)
via 9d304b823c9a1e01abf0c6b4f715424840a78f5e (commit)
via b39f58aa95a22487402aedcf02f277e1fd30dba0 (commit)
via 91aca4595550bd99e025bcaea9aa01deaf1cce0f (commit)
via 24531f73d22eaaa072fcc5d19a525fa8e3553a9b (commit)
via 2a5e5b9cde94cd48545b613271c3affacd806e60 (commit)
via 72973c98b622067f2fe23d53a09703d6b3c46939 (commit)
via cf9ac939ce8fdcfeba0876772e5d06b9a12b1152 (commit)
via 32a9aae14cd0b6ae3ed56bf11f07e2a6e1e3d9a6 (commit)
via 6103d73dce4fac75f7113244efc7f6a1f24777ae (commit)
via 39f4a60035085e7b1465fa7159d3ef03114dfe27 (commit)
via 2838a74097cd0e6df76a4f2e6bf86cacbcad4a39 (commit)
via bfd4b415be8b5cb2ace7676bc266f0d690a38575 (commit)
via a1b6585b74e0ca64b4aefd0e5fe4d357a559fc88 (commit)
via 85eda6ff84a027543e4d1712a261a26a63188667 (commit)
via eb80096cbe8b11105f7be0eb99233667e8836c1a (commit)
via de97cc3892f9655e292af8d7d235f2c1eb77b3b7 (commit)
via f86359ec440f3462df0e7cf10cc9e95d959167d8 (commit)
via 713e086aff3a83eb357c69a4909cac379d4b37dc (commit)
via 013d39a06cddaa177ed7d0ec8df5d0dfb69e0a9d (commit)
via dc9780ac6850ddf839f1ac6cb7cfcf4d70e38a15 (commit)
via c1a253b002c83f276ad9407b2257c3e7c1b5e3f7 (commit)
via 5bcb05cc16846edfc54cd20cff0ff4aa187d0aec (commit)
via 972d098319ededd2ea94c5103b2d347faa0e2118 (commit)
via 902c725b2cfce8126c8f397e8a7a794ab1cd932e (commit)
via 8c03e1112beef9e251b46c14fe7b1baa1225a12f (commit)
via 74f0280dca9f8e9b4b3b2f627f440ba5c59f7406 (commit)
via 4ee4b85123b50a6c57d6bc6c63dc0617e78a75e0 (commit)
via 78dfb98f7d670b7a25bd00db4965151eabced39c (commit)
via bd715593734bc7fc92b478e3b3d9a9104e9451ff (commit)
via 4c41f132f411aae967a990d94a0dd47f91aa355c (commit)
via 50a56ba2ee9984d124a93afdb4f3a5d13bb5617d (commit)
via 12a3bca16f317e52d79ac0eaa3217dd5986638db (commit)
via 736acc71a70a7c04f0d2afa0c277fb012fb0a5b6 (commit)
via da19447883a39d0469f75e4cd1d064c184d5e992 (commit)
via 8c3bc258e34993d3dcc52ff1c1b2fa725f63891f (commit)
via fcf31af212cf98bf886ca359ab3334b29c358474 (commit)
via e3d695473d95fe8e23df6a5dadb1a802854471da (commit)
via 5339f20be22d4290876fcfd6b2afb2c35f1f0593 (commit)
via 75d6f80fd210bbcb6a7979f58f06e9323097ba2e (commit)
via da9ef71013d7b975795a8778f806f1d470c83373 (commit)
via 916ede06b72a422bbda8b9be254e430139af13de (commit)
via 2bb6fa7c44588c25428aec81a423fec8a3e02fb9 (commit)
via 99bd8a74073603482d7bf64acd54617a908ae36f (commit)
via 3f59e8d1fb8d7b9b6c878ddbb17ee21b64af196f (commit)
via 4d6a7843f1e95a6680a629c11f6187a5d36b1385 (commit)
via 777f7e87bc1b80d0754be6cdae7d343045ba69b0 (commit)
via c6ea1492addb855ef77416492235d50097c3fb45 (commit)
via 40ef0b1ee1f38cbb7438ac84683a2094e14f2b09 (commit)
via 88a2c540579d6bfd6579346265eadc2797b43dd5 (commit)
via e3e479d077044175dca0376739eeafde49610573 (commit)
via 4ebd7e4a0888f404fa5f85ff8651d33390916c04 (commit)
via 9e3bb8346c9811d4f9036dd123dd2dad2b58c5ec (commit)
from 1a9521eae3fa2d3348a39567b26431d81eb10c65 (commit)
- Log -----------------------------------------------------------------
commit f63a934407e11ddd48d146d30921dee225a0da05
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Dec 1 02:13:20 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Mon Dec 1 02:13:20 2025 +0100
update for 4.4.7
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/Changelog b/Changelog
index dbe2432a79..b58968dbfa 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,86 @@
Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
+version 4.4.7:
+ avutil/common: cast GET_BYTE/GET_16BIT returned value
+ avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
+ avformat/rtpdec_rfc4175: Only change PayloadContext on success
+ avformat/rtpdec_rfc4175: Check dimensions
+ avformat/rtpdec_rfc4175: Fix memleak of sampling
+ avformat/http: Fix off by 1 error
+ avcodec/exr: spelling
+ avcodec/exr: use tile dimensions in pxr24 UINT case
+ avcodec/exr: Simple check for available channels
+ avformat/sctp: Check size in sctp_write()
+ avformat/rtmpproto: consider command line argument lengths
+ avformat/rtmpproto_ Check tcurl and flashver length
+ avcodec/g723_1enc: Make min_err 64bit
+ avformat/rtpenc_h264_hevc: Check space for nal_length_size in
ff_rtp_send_h264_hevc()
+ swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
+ avcodec/exr: Check that DWA has 3 channels
+ avcodec/exr: check ac_size
+ avcodec/exr: Round dc_w/h up
+ avcodec/mjpegdec: Explain buf_size/width/height check
+ fftools/ffmpeg_mux_init: Fix double-free on error
+ avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
+ avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
+ aacenc_tns: clamp filter direction energy measurement
+ avcodec/dxv: Check coded_height, to avoid invalid av_clip()
+ avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new
frame if it has no frame
+ avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
+ avcodec/sanm: Check w,h,left,top
+ avcodec/utvideodec: Clear plane_start array
+ avcodec/dxv: Check that we initialize op_data
+ avcodec/exr: Check for pixel type consistency in DWA
+ avcodec/g726: init missing sample rate
+ avformat/lrcdec: limit input timestamp range to avoid overflows
+ avcodec/scpr3: Clear clr
+ avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
+ avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
+ avfilter/avf_showcqt: fix unbounded index when copying to fft_data
+ avcodec/aacsbr_template: Check ilb
+ avcodec/utvideodec: Set B for the width= 1 case
+ avcodec/ffv1: Clear state on alloc
+ avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
+ avcodec/jpeg2000dec: move cdef default check into get_siz()
+ avcodec/exr: Check rle_raw_data and surroundings
+ avcodec/exr: Dont access outside xsize/ysize
+ examples: Add check and replace av_free() to avoid potential memory errors
+ libavcodec/tests/snowenc: Add av_free() to avoid memory leak
+ avcodec/mpc8: init avctx->sample_rate
+ avformat/hls: add cmfv/cmfa exceptions
+ avformat/lrcdec: support arbitrary precision timestamp
+ avcodec/ffv1dec: Disable frame threading due to race condition
+ libavcodec/tests/motion: Add check for avcodec_alloc_context3()
+ avcodec/tests/avpacket: Add av_free() to avoid memory leak
+ examples: Add av_freep to avoid potential memory leak
+ avcodec/tests/avpacket: Add av_packet_free() to avoid memory leak
+ avcodec/fits: Clear naxis
+ avcodec/vqavideo; Check bytestream2_get_buffer() reading next_codebook_buffer
+ avcodec/lzf: Check for input space
+ avcodec/imc: Clear padding of buf16
+ avcodec/cri: Check bytestream2_get_buffer() for end
+ avcodec/cri: Factor read_len out
+ avformat/dashdec: Allocate space for appended "/"
+ avformat/mxg: clear AV_INPUT_BUFFER_PADDING_SIZE
+ avformat/mov: make sure file_checksum is fully initialized
+ avformat/asfdec_f: Check amount of value read
+ avformat/concatdec: Clip duration in one more case in
get_best_effort_duration()
+ avcodec/ffv1dec: Check k in get_vlc_symbol()
+ avcodec/cfhd: Check idwt_buf size before allocation
+ avcodec/ivi: Check luma/chroma mb_size
+ avcodec/motion_est: don't add offsets to NULL pointers
+ swscale/swscale_unscaled: don't add offsets to NULL pointers
+ avcodec/psd: Move frame allocation after RLE processing
+ avcodec/smacker: Move buffer allocation to later
+ avcodec/opus: don't materialize buf pointer from null
+ avformat/iff: Check nb_channels == 0 in CHNL
+ avcodec/mss2dsp: use FF_PTR_ADD to add offsets to a pointer
+ avformat/hls: check return value of new_init_section()
+ avcodec/rkmppdec: Fix double-free on error
+ avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+ avcodec/x86/pngdsp: add missing emms at the end of add_png_paeth_prediction
+
version 4.4.6:
avcodec/takdec: Check remaining space for first predictors
avcodec/svq3: Check there are bits left before decompression
diff --git a/RELEASE b/RELEASE
index b98ff4c483..c966188e11 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-4.4.6
+4.4.7
diff --git a/doc/Doxyfile b/doc/Doxyfile
index 5193355163..94fa4e82d2 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg
# could be handy for archiving the generated documentation or if some version
# control system is used.
-PROJECT_NUMBER = 4.4.6
+PROJECT_NUMBER = 4.4.7
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
commit 468e425a23d8ea149f15503ec3a9adbd890b3357
Author: Zhao Zhili <[email protected]>
AuthorDate: Fri Nov 14 17:23:22 2025 +0800
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avutil/common: cast GET_BYTE/GET_16BIT returned value
In case GET_BYTE/GET_16BIT return a signed value.
(cherry picked from commit 0ae8df5f2ceea82337a2456ef16f930faf160189)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavutil/common.h b/libavutil/common.h
index aee353d399..16e52e33b0 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -497,13 +497,13 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* to prevent undefined results.
*/
#define GET_UTF8(val, GET_BYTE, ERROR)\
- val= (GET_BYTE);\
+ val= (uint8_t)(GET_BYTE);\
{\
uint32_t top = (val & 128) >> 1;\
if ((val & 0xc0) == 0x80 || val >= 0xFE)\
{ERROR}\
while (val & top) {\
- unsigned int tmp = (GET_BYTE) - 128;\
+ unsigned int tmp = (uint8_t)(GET_BYTE) - 128;\
if(tmp>>6)\
{ERROR}\
val= (val<<6) + tmp;\
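Review bot: the two `(uint8_t)` casts fix more than the initial assignment. Without them a GET_BYTE expression of type `char` (signed on most targets) evaluates to a negative value for every lead or continuation byte >= 0x80; depending on the type of `val`, either the `val >= 0xFE` test fires for a valid lead byte, or `(GET_BYTE) - 128` in the loop yields a huge unsigned `tmp` that fails the `tmp>>6` test, so every valid multi-byte sequence read through a `char *` was reported as an error. The doc comment above the macro currently only warns about undefined results; it should now say that a signed GET_BYTE expression is acceptable, so callers stop adding their own casts.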
@@ -522,11 +522,11 @@ static av_always_inline av_const int av_parity_c(uint32_t
v)
* typically a goto statement.
*/
#define GET_UTF16(val, GET_16BIT, ERROR)\
- val = (GET_16BIT);\
+ val = (uint16_t)(GET_16BIT);\
{\
unsigned int hi = val - 0xD800;\
if (hi < 0x800) {\
- val = (GET_16BIT) - 0xDC00;\
+ val = (uint16_t)(GET_16BIT) - 0xDC00;\
if (val > 0x3FFU || hi > 0x3FFU)\
{ERROR}\
val += (hi<<10) + 0x10000;\
commit 56ff5db7d759b3b33344709b214e68e55a775e10
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 23:22:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avcodec/utvideodec: Set B for the width= 1 case in restore_median_planar_il()
Fixes: use of uninitialized memory
Fixes: 439878388/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5635866203848704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 59db32b433ea9e7766ec7fac994860ed15d7ed7d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 65ae623d3f..0c7af440a8 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -436,7 +436,7 @@ static void restore_median_planar_il(UtvideoContext *c,
uint8_t *src, ptrdiff_t
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride2];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need
align 16) */
B = bsrc[i - stride2];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
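Review bot: a short comment on the `A = B = bsrc[0];` line would help. With width == 1 the loop `for (i = 1; i < FFMIN(width, 16); i++)` does not execute, so B was never assigned on this line and the code after the loop read whatever the variable held (the uninitialized read named in the commit message). The reason bsrc[0] is the intended seed, rather than bsrc[-stride2] which C was just loaded from, is not visible from the hunk and should be recorded next to the assignment; the companion entry "avcodec/utvideodec: Set B for the width= 1 case" in the Changelog suggests the non-interlaced variant has the same shape, so the two comments can match.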
commit ace015bd43b8e2d73c28e2da2c99f4519296b3ec
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:27:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avformat/rtpdec_rfc4175: Only change PayloadContext on success
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c03e49dd1d8ee2dd21c24002dfac95644c830498)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 978ec5c8c2..4683d93a64 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -23,6 +23,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
+#include "libavutil/avassert.h"
#include "libavutil/avstring.h"
#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
@@ -91,33 +92,39 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
}
static int rfc4175_parse_sdp_line(AVFormatContext *s, int st_index,
- PayloadContext *data, const char *line)
+ PayloadContext *data_arg, const char *line)
{
const char *p;
if (st_index < 0)
return 0;
+ av_assert0(!data_arg->sampling);
+
if (av_strstart(line, "fmtp:", &p)) {
AVStream *stream = s->streams[st_index];
+ PayloadContext data0 = *data_arg, *data = &data0;
int ret = ff_parse_fmtp(s, stream, data, p, rfc4175_parse_fmtp);
+ if (!data->sampling || !data->depth || !data->width || !data->height)
+ ret = AVERROR(EINVAL);
+
if (ret < 0)
- return ret;
+ goto fail;
ret = av_image_check_size(data->width, data->height, 0, s);
if (ret < 0)
- return ret;
-
- if (!data->sampling || !data->depth || !data->width || !data->height)
- return -1;
+ goto fail;
stream->codecpar->width = data->width;
stream->codecpar->height = data->height;
ret = rfc4175_parse_format(stream, data);
av_freep(&data->sampling);
-
+ if (ret >= 0)
+ *data_arg = *data;
+fail:
+ av_freep(&data->sampling);
return ret;
}
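Review bot: the `av_freep(&data->sampling);` immediately after `rfc4175_parse_format(stream, data)` is now redundant: control reaches the identical `av_freep(&data->sampling);` under `fail:` on every path, and since av_freep() nulls the pointer the second call is harmless but misleading. Keep only the one under `fail:`. Also worth a one-line comment on `av_assert0(!data_arg->sampling);`: it states that the caller's PayloadContext never owns a sampling string between calls, which is what makes the `data0` copy-in/copy-out safe, but as written it is an abort on an internal invariant and the next reader has to reconstruct why it holds.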
commit d81116742b1f5962979d710bb26011e3f8eedae7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:28:49 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avformat/rtpdec_rfc4175: Check dimensions
Fixes: out of array access
Fixes: zeropath/int_overflow_in_rtpdec_rfc4175
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d4e0d5ed48aa9c0e11b9ddeea8c2d14632314089)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index 47580d0b24..978ec5c8c2 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -24,6 +24,7 @@
#include "avio_internal.h"
#include "rtpdec_formats.h"
#include "libavutil/avstring.h"
+#include "libavutil/imgutils.h"
#include "libavutil/pixdesc.h"
struct PayloadContext {
@@ -104,6 +105,9 @@ static int rfc4175_parse_sdp_line(AVFormatContext *s, int
st_index,
if (ret < 0)
return ret;
+ ret = av_image_check_size(data->width, data->height, 0, s);
+ if (ret < 0)
+ return ret;
if (!data->sampling || !data->depth || !data->width || !data->height)
return -1;
@@ -205,6 +209,9 @@ static int rfc4175_handle_packet(AVFormatContext *ctx,
PayloadContext *data,
if (length > payload_len)
length = payload_len;
+ if (line >= data->height)
+ return AVERROR_INVALIDDATA;
+
/* prevent ill-formed packets to write after buffer's end */
copy_offset = (line * data->width + offset) * data->pgroup /
data->xinc;
if (copy_offset + length > data->frame_size)
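Review bot: the `line >= data->height` check in the second hunk, together with av_image_check_size() in the first, bounds `line * data->width`, but `offset` (taken from the packet, not in this hunk) still enters `(line * data->width + offset) * data->pgroup` before the existing `copy_offset + length > data->frame_size` comparison; unless offset is already limited to the line width elsewhere, the multiplication by pgroup can wrap before that comparison is reached. Either add `offset < data->width` here or compute copy_offset in a 64-bit type and compare that.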
commit 2eecc2c6e776fb7d1b7f4c8b2c4ead46b6a41065
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 16:17:27 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avformat/rtpdec_rfc4175: Fix memleak of sampling
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit af3dee313223c722c34e8231cd6859188928a6e3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpdec_rfc4175.c b/libavformat/rtpdec_rfc4175.c
index e9c62c1389..47580d0b24 100644
--- a/libavformat/rtpdec_rfc4175.c
+++ b/libavformat/rtpdec_rfc4175.c
@@ -81,7 +81,7 @@ static int rfc4175_parse_fmtp(AVFormatContext *s, AVStream
*stream,
data->width = atoi(value);
else if (!strncmp(attr, "height", 6))
data->height = atoi(value);
- else if (!strncmp(attr, "sampling", 8))
+ else if (data->sampling == NULL && !strncmp(attr, "sampling", 8))
data->sampling = av_strdup(value);
else if (!strncmp(attr, "depth", 5))
data->depth = atoi(value);
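Review bot: with `data->sampling == NULL &&` added, a repeated `sampling=` attribute is silently ignored and the first value wins, whereas `width`, `height` and `depth` in the same chain let the last occurrence overwrite. If the asymmetry is intended it deserves a comment; otherwise an `av_freep(&data->sampling)` before the `av_strdup(value)` fixes the leak while keeping last-wins semantics. The av_strdup() result is still unchecked on this line; the later `!data->sampling` test turns an allocation failure into a generic parse error instead of AVERROR(ENOMEM).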
commit 96fcd37fd03441dbe0187afe1d4f7dd55e146249
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 17:32:56 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:26 2025 +0100
avformat/http: Fix off by 1 error
Fixes: out of array access
Fixes: zeropath/off-by-one-one-byte
Found-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit b518c027a0cb8d89c586fe241cc99b1c20bc0f50)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/http.c b/libavformat/http.c
index fb2d9306bd..b8921f25d2 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -1665,7 +1665,7 @@ static int store_icy(URLContext *h, int size)
ret = http_read_stream_all(h, data, len);
if (ret < 0)
return ret;
- data[len + 1] = 0;
+ data[len] = 0;
if ((ret = av_opt_set(s, "icy_metadata_packet", data, 0)) < 0)
return ret;
update_metadata(h, data);
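Review bot: `data[len] = 0;` is correct only if `data` was allocated with at least `len + 1` bytes; the allocation sits above this hunk and is not visible here. A comment at the allocation (or an `av_assert0` on the buffer size) tying the extra byte to this terminator would keep the off-by-one from creeping back when either line is next touched.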
commit 0fcf3321f7df99fd806d0a50acfc665a2fabe0c8
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Nov 8 01:17:46 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:25 2025 +0100
avcodec/exr: spelling
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d80f8f36513ebff05c537adbe756e36036f80074)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 12b1a927e9..cf5af2f36a 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -173,7 +173,7 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
#define M(chr) (1<<chr - 'A')
- int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+ int has_channel; ///< combination of flags representing the channel codes
A-Z
GetByteContext gb;
const uint8_t *buf;
commit 96a27bebf5f035d4b3565e03eb1c0fdad1e9b5a4
Author: veygax <[email protected]>
AuthorDate: Sun Nov 2 02:35:40 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:25 2025 +0100
avcodec/exr: use tile dimensions in pxr24 UINT case
update the switch statement for EXR_UINT in pxr24_uncompress to
correctly use the tile width td->xsize instead of using the full window
width s->xdelta. s->delta is larger than td->xsize, which led to two
buffer overflows when interacting with the ptr variable in the same
switch statement.
Fixes: out of bounds read and write
Found-by: veygax's insomnia network (INSOMNIA-1)
Signed-off-by: veygax <[email protected]>
(cherry picked from commit 162f75b5e6798b385bb3eadd8280eff52d03cf29)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index dd73ece558..12b1a927e9 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -741,12 +741,12 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t
*src,
break;
case EXR_UINT:
ptr[0] = in;
- ptr[1] = ptr[0] + s->xdelta;
- ptr[2] = ptr[1] + s->xdelta;
- ptr[3] = ptr[2] + s->xdelta;
- in = ptr[3] + s->xdelta;
+ ptr[1] = ptr[0] + td->xsize;
+ ptr[2] = ptr[1] + td->xsize;
+ ptr[3] = ptr[2] + td->xsize;
+ in = ptr[3] + td->xsize;
- for (j = 0; j < s->xdelta; ++j) {
+ for (j = 0; j < td->xsize; ++j) {
uint32_t diff = ((uint32_t)*(ptr[0]++) << 24) |
(*(ptr[1]++) << 16) |
(*(ptr[2]++) << 8 ) |
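Review bot: the commit message refers to `s->delta`, but the field replaced in this hunk is `s->xdelta`; worth correcting before the message is archived. The sibling cases of this switch (above the `break;` that opens the hunk) are not shown; please confirm they already step by `td->xsize`, so the `ptr[]`/`in` arithmetic is consistent across pixel types and the overflow fixed here cannot recur in a neighbouring case.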
commit b2f5dd780d97a04bc52948aa42fe18c529c5e3b1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:20:36 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:25 2025 +0100
avcodec/exr: Simple check for available channels
The existing is_luma check is fragile as, depending on the order
of channels, it can be set or reset
No testcase
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 6e8cf0377fee75de9ad2cc87385ab3e8f2c87143)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index fc1d150e4d..dd73ece558 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -172,6 +172,9 @@ typedef struct EXRContext {
int is_luma;/* 1 if there is an Y plane */
+#define M(chr) (1<<chr - 'A')
+ int has_channel; ///< combinatin of flags representing the channel codes
A-Z
+
GetByteContext gb;
const uint8_t *buf;
int buf_size;
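Review bot: `#define M(chr) (1<<chr - 'A')` relies on `-` binding tighter than `<<`; that is correct, but it reads like a precedence bug and breaks for any non-trivial argument. `(1 << ((chr) - 'A'))` says what is meant. Also "combinatin" in the new comment (the spelling commit later in this push fixes it, so it could have been squashed here).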
@@ -1604,6 +1607,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->is_tile = 0;
s->is_multipart = 0;
s->is_luma = 0;
+ s->has_channel = 0;
s->current_part = 0;
if (bytestream2_get_bytes_left(gb) < 10) {
@@ -1707,23 +1711,26 @@ static int decode_header(EXRContext *s, AVFrame *frame)
}
if (layer_match) { /* only search channel if the layer match
is valid */
+ if (strlen(ch_gb.buffer) == 1) {
+ int ch_chr = av_toupper(*ch_gb.buffer);
+ if (ch_chr >= 'A' && ch_chr <= 'Z')
+ s->has_channel |= M(ch_chr);
+ av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);
+ }
+
if (!av_strcasecmp(ch_gb.buffer, "R") ||
!av_strcasecmp(ch_gb.buffer, "X") ||
!av_strcasecmp(ch_gb.buffer, "U")) {
channel_index = 0;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "G") ||
!av_strcasecmp(ch_gb.buffer, "V")) {
channel_index = 1;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "Y")) {
channel_index = 1;
- s->is_luma = 1;
} else if (!av_strcasecmp(ch_gb.buffer, "B") ||
!av_strcasecmp(ch_gb.buffer, "Z") ||
!av_strcasecmp(ch_gb.buffer, "W")) {
channel_index = 2;
- s->is_luma = 0;
} else if (!av_strcasecmp(ch_gb.buffer, "A")) {
channel_index = 3;
} else {
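Review bot: `av_log(s->avctx, AV_LOG_DEBUG, "%c\n", ch_chr);` emits a bare letter per channel, which is impossible to attribute in a debug log; prefix it ("channel %c\n") or drop it. The `strlen(ch_gb.buffer) == 1` test also assumes the channel name in `ch_gb.buffer` is NUL-terminated inside the header buffer; that is established by the code above the hunk that parsed the name, but since `ch_gb` is a GetByteContext over untrusted file data a comment stating the guarantee would help the next reader.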
@@ -1799,6 +1806,20 @@ static int decode_header(EXRContext *s, AVFrame *frame)
s->current_channel_offset += 4;
}
}
+ if (!((M('R') + M('G') + M('B')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('X') + M('Y') + M('Z')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') + M('U') + M('V')) & ~s->has_channel)) {
+ s->is_luma = 0;
+ } else if (!((M('Y') ) & ~s->has_channel) &&
+ !((M('R') + M('G') + M('B') + M('U') + M('V') + M('X')
+ M('Z')) & s->has_channel)) {
+ s->is_luma = 1;
+ } else {
+ avpriv_request_sample(s->avctx, "Uncommon channel
combination");
+ ret = AVERROR(AVERROR_PATCHWELCOME);
+ goto fail;
+ }
/* Check if all channels are set with an offset or if the channels
* are causing an overflow */
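Review bot: `ret = AVERROR(AVERROR_PATCHWELCOME);` double-negates: AVERROR(e) expands to `-(e)` and AVERROR_PATCHWELCOME is already a negative FFERRTAG value, so ret becomes positive and the `goto fail` path returns a non-negative value that a caller testing `ret < 0` treats as success. It should be `ret = AVERROR_PATCHWELCOME;`, which is what the DWA channel-count hunk later in this push does (`return AVERROR_PATCHWELCOME;`). Minor: the masks are combined with `+`; `|` is the conventional spelling and does not depend on the M() values being distinct bits.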
commit 3a850b1e0f51bcd8ef141be1764652af2661b526
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 31 23:08:45 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:25 2025 +0100
avformat/sctp: Check size in sctp_write()
Fixes: out of array access
No testcase
Found-by: Joshua Rogers <[email protected]> with ZeroPath
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5b98cea4bff2cbbb251b621a2b6c3ab76f814efa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/sctp.c b/libavformat/sctp.c
index be0cb47865..aa500d5ea3 100644
--- a/libavformat/sctp.c
+++ b/libavformat/sctp.c
@@ -334,6 +334,9 @@ static int sctp_write(URLContext *h, const uint8_t *buf,
int size)
}
if (s->max_streams) {
+ if (size < 2)
+ return AVERROR(EINVAL);
+
/*StreamId is introduced as a 2byte code into the stream*/
struct sctp_sndrcvinfo info = { 0 };
info.sinfo_stream = AV_RB16(buf);
commit a40b8f4ee38373f9ee2b182c8d561832ed49f264
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:20:41 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:25 2025 +0100
avformat/rtmpproto: consider command line argument lengths
Fixes: out of array access
Fixes: zeropath/rtmp-2025-10
Found-by: Joshua Rogers <[email protected]>
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 83e0298de217a7108ee703806d6380e554007972)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 5e6531f93f..7db1d26142 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -157,6 +157,13 @@ static int handle_chunk_size(URLContext *s, RTMPPacket
*pkt);
static int handle_window_ack_size(URLContext *s, RTMPPacket *pkt);
static int handle_set_peer_bw(URLContext *s, RTMPPacket *pkt);
+static size_t zstrlen(const char *c)
+{
+ if(c)
+ return strlen(c);
+ return 0;
+}
+
static int add_tracked_method(RTMPContext *rt, const char *name, int id)
{
int err;
@@ -321,7 +328,15 @@ static int gen_connect(URLContext *s, RTMPContext *rt)
int ret;
if ((ret = ff_rtmp_packet_create(&pkt, RTMP_SYSTEM_CHANNEL, RTMP_PT_INVOKE,
- 0, 4096 + APP_MAX_LENGTH)) < 0)
+ 0, 4096 + APP_MAX_LENGTH
+ + strlen(rt->auth_params) +
strlen(rt->flashver)
+ + zstrlen(rt->swfurl)
+ + zstrlen(rt->swfverify)
+ + zstrlen(rt->tcurl)
+ + zstrlen(rt->auth_params)
+ + zstrlen(rt->pageurl)
+ + zstrlen(rt->conn)*3
+ )) < 0)
return ret;
p = pkt.data;
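Review bot: `rt->auth_params` is counted twice, once unconditionally as `strlen(rt->auth_params)` and again as `zstrlen(rt->auth_params)`; if auth_params can be NULL the first call dereferences it before zstrlen() ever runs, and if it cannot, the second term is redundant. Keep one. `strlen(rt->flashver)` being unguarded is consistent with the FMLE/3.0 default filled in during open (see the flashver/tcurl length commit in this push). The `zstrlen(rt->conn)*3` factor is unexplained; a comment stating why a conn string can expand threefold when encoded into the packet would make the bound auditable. Style: `if(c)` in zstrlen() wants a space after `if`.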
@@ -1865,7 +1880,8 @@ static int write_status(URLContext *s, RTMPPacket *pkt,
if ((ret = ff_rtmp_packet_create(&spkt, RTMP_SYSTEM_CHANNEL,
RTMP_PT_INVOKE, 0,
- RTMP_PKTDATA_DEFAULT_SIZE)) < 0) {
+ RTMP_PKTDATA_DEFAULT_SIZE
+ + strlen(status))) < 0) {
av_log(s, AV_LOG_ERROR, "Unable to create response packet\n");
return ret;
}
commit 8ff2d9606555c0c62f698d54be27080dcf90ceb7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Oct 30 23:05:57 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
avformat/rtmpproto_ Check tcurl and flashver length
Fixes: out of array accesses
Reviewed-by: Joshua Rogers <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit a64e037429f20873ec48f6c82aa145ab448e1399)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtmpproto.c b/libavformat/rtmpproto.c
index 5b5cff63f8..5e6531f93f 100644
--- a/libavformat/rtmpproto.c
+++ b/libavformat/rtmpproto.c
@@ -2796,6 +2796,12 @@ reconnect:
"FMLE/3.0 (compatible; %s)", LIBAVFORMAT_IDENT);
}
}
+ if ( strlen(rt->flashver) > FLASHVER_MAX_LENGTH
+ || strlen(rt->tcurl ) > TCURL_MAX_LENGTH
+ ) {
+ ret = AVERROR(EINVAL);
+ goto fail;
+ }
rt->receive_report_size = 1048576;
rt->bytes_read = 0;
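Review bot: `strlen(rt->tcurl)` is called unconditionally here, while the gen_connect sizing in the companion commit wraps the same field in zstrlen() because it may be NULL. If tcurl is always populated by the time this check runs (the code above the hunk is not shown), the zstrlen() there is redundant; if it is not, this line dereferences NULL. Whichever holds, make the two sites agree. Returning AVERROR(EINVAL) without an av_log() also leaves the user with no hint which option exceeded its limit.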
commit 25d9db13cae96d57b7888560a4d750de95cc26ef
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Oct 7 01:58:34 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
avcodec/g723_1enc: Make min_err 64bit
This is intended to fix the case described in
https://lists.ffmpeg.org/archives/list/[email protected]/thread/AAZ7GJPPUJI5SCVTDGJ6QL7UUEP56WOM/
where FCBParam optim is used uninitialized.
A min_err of 1<<30 allows the struct to be never initialized, as all
err (which is int32_t) can be larger than min_err. By increasing min_err
above the int32_t range this is no longer possible.
Untested, as I do not have the testcase
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 909af3a571da830cc70a34f0c3946379bd12dfbe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 521f220b2a..f3cd32e37d 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -108,7 +108,7 @@ typedef struct HFParam {
* Optimized fixed codebook excitation parameters
*/
typedef struct FCBParam {
- int min_err;
+ int64_t min_err;
int amp_index;
int grid_index;
int dirac_train;
diff --git a/libavcodec/g723_1enc.c b/libavcodec/g723_1enc.c
index 11b0c7f71e..c9d6871b32 100644
--- a/libavcodec/g723_1enc.c
+++ b/libavcodec/g723_1enc.c
@@ -1019,7 +1019,7 @@ static void fcb_search(G723_1_ChannelContext *p, int16_t
*impulse_resp,
int pulse_cnt = pulses[index];
int i;
- optim.min_err = 1 << 30;
+ optim.min_err = 1LL << 31;
get_fcb_param(&optim, impulse_resp, buf, pulse_cnt, SUBFRAME_LEN);
if (p->pitch_lag[index >> 1] < SUBFRAME_LEN - 2) {
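Review bot: `1LL << 31` is INT32_MAX + 1, so every int32_t err now compares below min_err and the first candidate in get_fcb_param() is guaranteed to populate optim, which is the intent stated in the commit message. If `optim` is declared without an initializer (the declaration is above the hunk), `FCBParam optim = { .min_err = 1LL << 31 };` or a memset would make the fix independent of the threshold trick and also cover any path that compares nothing. The field change in g723_1.h also affects every other assignment to or comparison with `min_err`; a grep for its users is worth a look before merging.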
commit 8d174ecd1047dbd5504b0ce5f9aa1a85fc491ff8
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Oct 24 20:29:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
avformat/rtpenc_h264_hevc: Check space for nal_length_size in ff_rtp_send_h264_hevc()
Fixes: memcpy with negative size
Fixes: momo_trip-poc/input
Reported-by: Momoko Shiraishi <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d03483bd265b68db00c9b90f6f48dcf61c5c300d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/rtpenc_h264_hevc.c b/libavformat/rtpenc_h264_hevc.c
index 0c88fc2a23..470430478b 100644
--- a/libavformat/rtpenc_h264_hevc.c
+++ b/libavformat/rtpenc_h264_hevc.c
@@ -195,6 +195,9 @@ void ff_rtp_send_h264_hevc(AVFormatContext *s1, const
uint8_t *buf1, int size)
r1 = ff_avc_mp4_find_startcode(r, end, s->nal_length_size);
if (!r1)
r1 = end;
+ // Check that the last is not truncated
+ if (r1 - r < s->nal_length_size)
+ break;
r += s->nal_length_size;
} else {
while (!*(r++));
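Review bot: the new guard silently drops a truncated trailing NAL length prefix; an `av_log(s1, AV_LOG_WARNING, ...)` would tell the user the input was malformed instead of hiding it. The comment `Check that the last is not truncated` should say what "the last" is (the final NAL length field before `end`). `r1 - r` is a ptrdiff_t compared against the int `nal_length_size`; that is fine here, but naming the intent in the comment saves the reader from checking the types.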
commit 1c4bbca9326817e549d449726ec7a9348d348589
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Oct 13 14:32:45 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/output.c b/libswscale/output.c
index be22279229..49af3818b9 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -911,7 +911,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
int A = 0xffff;
for (j = 0; j < lumFilterSize; j++)
- Y += lumSrc[j][i] * lumFilter[j];
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
Y >>= 15;
Y += (1<<3) + 0x8000;
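Review bot: the `(unsigned)` cast makes the accumulation wrap instead of being signed-overflow UB, which is the usual swscale idiom, but it does not change what extreme inputs produce: `Y >>= 15` afterwards operates on the wrapped value, which is acceptable only because the result is clipped later. A one-line comment that the cast exists for defined overflow would stop a future reader from "fixing" it back. The `A` accumulation in the next hunk is the same case.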
@@ -920,7 +920,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t
*lumFilter,
if (hasAlpha) {
A = -0x40000000 + (1<<14);
for (j = 0; j < lumFilterSize; j++)
- A += alpSrc[j][i] * lumFilter[j];
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
A >>= 15;
A += 0x8000;
commit 26e3ed6080daffd2cbb14167cb060e94dc15998a
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Sep 19 00:18:30 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
avcodec/exr: Check that DWA has 3 channels
The implementation hardcodes access to 3 channels, so we need to check that
Fixes: out of array access
Fixes: BIGSLEEP-445394503-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 7896cc67c13037abba8941e39a74c56d26b775a7)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 85c925fb66..fc1d150e4d 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1007,6 +1007,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
if (version != 2)
return AVERROR_INVALIDDATA;
+ if (s->nb_channels < 3) {
+ avpriv_request_sample(s->avctx, "Gray DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+
lo_usize = AV_RL64(src + 8);
lo_size = AV_RL64(src + 16);
ac_size = AV_RL64(src + 24);
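Review bot: the new check rejects fewer than 3 channels but still lets files with more than 3 reach the code that, per the commit message, hardcodes access to 3 channels; if the extra channels (e.g. alpha) are handled by a separate path, a comment next to `if (s->nb_channels < 3)` saying so would make the bound intentional rather than accidental. Returning AVERROR_PATCHWELCOME with a sample request is the right choice here, since a single-channel DWA file is unsupported input rather than corrupt data.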
commit 447d98b07235c04437e7d3836fc97195a503fe3d
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 17:32:46 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:24 2025 +0100
avcodec/exr: check ac_size
Fixes: out of array read
Fixes: dwa_uncompress.py.crash.exr
The code will read from the ac data even if ac_size is 0, thus that case
is not implemented and we ask for a sample and error out cleanly
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8e078826da6f2a1dffa25162121b43b272f5e5fa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index d277eb7858..85c925fb66 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1023,6 +1023,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
)
return AVERROR_INVALIDDATA;
+ if (ac_size <= 0) {
+ avpriv_request_sample(s->avctx, "Zero ac_size");
+ return AVERROR_INVALIDDATA;
+ }
+
if ((uint64_t)rle_raw_size > INT_MAX) {
avpriv_request_sample(s->avctx, "Too big rle_raw_size");
return AVERROR_INVALIDDATA;
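Review bot: `if (ac_size <= 0)` also catches negative values, but the request message says "Zero ac_size", and the return value is AVERROR_INVALIDDATA while the commit message says the case "is not implemented and we ask for a sample"; the sibling DWA checks in this series return AVERROR_PATCHWELCOME for not-implemented cases. Either use `ac_size == 0` with PATCHWELCOME (unsupported but well-formed) or keep INVALIDDATA and drop the sample request, so the log message and the error code tell the same story.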
commit c20c66499812b85ab3876e746a5474376b6000b1
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 18 21:28:04 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
avcodec/exr: Round dc_w/h up
Without rounding them up there are too few dc coeffs for the blocks.
We do not know if this way of handling odd dimensions is correct, as we have
no such DWA sample.
Thus we ask the user for a sample if she encounters such a file
Fixes: out of array access
Fixes: BIGSLEEP-445392027-crash.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c911e0001115bbda904ad103b12c27b9a3c0c265)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index bbf1cd9984..d277eb7858 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -994,8 +994,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
int64_t version, lo_usize, lo_size;
int64_t ac_size, dc_size, rle_usize, rle_csize, rle_raw_size;
int64_t ac_count, dc_count, ac_compression;
- const int dc_w = td->xsize >> 3;
- const int dc_h = td->ysize >> 3;
+ const int dc_w = (td->xsize + 7) >> 3;
+ const int dc_h = (td->ysize + 7) >> 3;
GetByteContext gb, agb;
int skip, ret;
int have_rle = 0;
@@ -1028,6 +1028,10 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
return AVERROR_INVALIDDATA;
}
+ if (td->xsize % 8 || td->ysize % 8) {
+ avpriv_request_sample(s->avctx, "odd dimensions DWA");
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
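Review bot: the `if (td->xsize % 8 || td->ysize % 8)` block only logs via avpriv_request_sample() and then continues; because dwa_uncompress() is called with a per-tile `td`, a single file with such dimensions will emit the request once per tile rather than once per file. Consider a flag in the context to log it once, and add a comment that decoding proceeds with the rounded-up dc_w/dc_h from the first hunk on the assumption that this is how partial blocks are laid out, since the commit message says that has not been verified against a real sample.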
commit a1a5ab07ee6f04c563e56c576136a500c4ab8a7c
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Sep 11 20:12:55 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
avcodec/mjpegdec: Explain buf_size/width/height check
Suggested-by: Ramiro
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 61b6877637041a1f817ad9811c839b0feae2b8af)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 03597ba3e2..be7c64894c 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -338,6 +338,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
if (av_image_check_size(width, height, 0, s->avctx) < 0)
return AVERROR_INVALIDDATA;
+
+ // A valid frame requires at least 1 bit for DC + 1 bit for AC for each
8x8 block.
if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size *
4LL)
return AVERROR_INVALIDDATA;
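Review bot: the new comment states the premise (1 DC bit + 1 AC bit per 8x8 block) but not how it yields the `* 4LL` in the condition; spelling it out, e.g. `// ... so at most 8 bits / 2 bits = 4 blocks per byte of input`, connects the comment to the arithmetic. It is also worth noting that the block count is computed from the frame dimensions only, so the bound is deliberately conservative for multi-component frames.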
commit 0cf474451d51d984ae574754a0ce993faac97526
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Mon Mar 25 16:54:25 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
fftools/ffmpeg_mux_init: Fix double-free on error
MATCH_PER_STREAM_OPT iterates over all options of a given
OptionDef and tests whether they apply to the current stream;
if so, they are set to ost->apad, otherwise, the code errors
out. If no error happens, ost->apad is av_strdup'ed in order
to take ownership of this pointer.
But this means that setting it originally was premature,
as it leads to double-frees when an error happens later on.
This can simply be reproduced with
ffmpeg -filter_complex anullsrc -apad bar -apad:n baz -f null -
This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
Fix this by using a temporary variable instead of directly
setting ost->apad. Also only strdup the string if it actually
is != NULL.
Reviewed-by: Marth64 <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5)
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8a1ccbd5dd76fb12ad75528038a9f7f50fee330d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c
index 807e783422..feaf4faebb 100644
--- a/fftools/ffmpeg_opt.c
+++ b/fftools/ffmpeg_opt.c
@@ -1916,6 +1916,7 @@ static OutputStream *new_audio_stream(OptionsContext *o,
AVFormatContext *oc, in
if (!ost->stream_copy) {
char *sample_fmt = NULL;
+ const char *apad = NULL;
MATCH_PER_STREAM_OPT(audio_channels, i, audio_enc->channels, oc, st);
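Review bot: the commit subject names fftools/ffmpeg_mux_init, but on this branch the fix lands in fftools/ffmpeg_opt.c (new_audio_stream), as the file header shows; a backport note in the message, or a subject adjusted for 4.4, would save people grepping for a file that does not exist here.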
@@ -1928,8 +1929,12 @@ static OutputStream *new_audio_stream(OptionsContext *o,
AVFormatContext *oc, in
MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc,
st);
- MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
- ost->apad = av_strdup(ost->apad);
+ MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
+ if (apad) {
+ ost->apad = av_strdup(apad);
+ if (!ost->apad)
+ exit_program(1);
+ }
ost->avfilter = get_ost_filters(o, oc, ost);
if (!ost->avfilter)
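Review bot: the `if (apad)` guard plus `exit_program(1)` on a failed av_strdup() is stricter than the code it replaces, which would have silently continued with `ost->apad == NULL` on allocation failure; that matches how other allocation failures in 4.4's fftools are handled, so fine, but since `apad` is a `const char *` that does not own its string, a comment that `ost->apad` must hold its own copy (which is what made the original premature assignment a double free) would document why the temporary exists.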
commit 3798f1b2311946183551ba30e945abda4bf52100
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Tue Mar 12 23:23:17 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
avformat/avidec: Fix integer overflow iff ULONG_MAX < INT64_MAX
Affects many FATE-tests, see
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Reviewed-by: James Almer <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 7a089ed8e049e3bfcb22de1250b86f2106060857)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 7da14d07f6..3b72f93265 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -1694,7 +1694,7 @@ static int check_stream_max_drift(AVFormatContext *s)
int *idx = av_mallocz_array(s->nb_streams, sizeof(*idx));
if (!idx)
return AVERROR(ENOMEM);
- for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
+ for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
int64_t max_dts = INT64_MIN / 2;
int64_t min_dts = INT64_MAX / 2;
int64_t max_buffer = 0;
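Review bot: `min_pos + 1ULL` is evaluated as unsigned long long and then stored into `pos` (int64_t); this is fine because the loop condition `min_pos != INT64_MAX` guarantees the increment never reaches 2^63, but that is the only thing preventing an out-of-range conversion, so a brief comment tying the `1ULL` to the loop condition (and to the ULONG_MAX < INT64_MAX platforms from the commit message) would keep someone from "simplifying" it back to `1LU`.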
commit c3069227bc1c0ad4acfb9c1c802c1d2f0b077c8a
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Fri Jul 11 22:58:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
avformat/aviobuf: Keep checksum_ptr consistent in avio_seek()
Otherwise it might be > buf_ptr in which case ffio_get_checksum()
could segfault (s->buf_ptr - s->checksum_ptr would be negative
which would be converted to something very big when converted
to unsigned for the update_checksum callback).
Fixes ticket #11233.
Reported-by: Du4t
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 987c955cd7e972d9940284fa6ae7187ac858ebb1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c
index 1fb30644ff..3b963a6152 100644
--- a/libavformat/aviobuf.c
+++ b/libavformat/aviobuf.c
@@ -327,7 +327,7 @@ int64_t avio_seek(AVIOContext *s, int64_t offset, int
whence)
s->seek_count ++;
if (!s->write_flag)
s->buf_end = s->buffer;
- s->buf_ptr = s->buf_ptr_max = s->buffer;
+ s->checksum_ptr = s->buf_ptr = s->buf_ptr_max = s->buffer;
s->pos = offset;
}
s->eof_reached = 0;
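Review bot: resetting `s->checksum_ptr` to `s->buffer` here discards any bytes between the old checksum_ptr and buf_ptr that have not yet been fed to update_checksum; it removes the negative-length call the commit describes, but a caller that seeks while a checksum is in progress now gets a checksum that silently skips those bytes. If the intent is that a seek invalidates the running checksum, a comment saying so at this line would help; otherwise flush the pending range through update_checksum before the reset.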
commit 21fe514152a22cc5653fd95f065320adfcf076e9
Author: Lynne <[email protected]>
AuthorDate: Sat Feb 8 04:35:31 2025 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:23 2025 +0100
aacenc_tns: clamp filter direction energy measurement
The issue is that:
float en[2];
...
tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
for (g = 0; g < tns->n_filt[w]; g++) {
tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
When using the AAC Main profile, n_filt = 3, and slant is by
default 2 (normal long frames), g can go above 1.
en is the evolution of energy in the frequency domain for every
band at the given window. E.g. whether the energy is concentrated
at the top of each band, or the bottom.
For 2-pole filters, it's straightforward.
For 3-pole filters, we need more than 2 measurements.
This commit properly implements support for 3-pole filters, by measuring
the band energy across three areas.
Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
n_filt == 3.
Fixes https://trac.ffmpeg.org/ticket/11418
(cherry picked from commit ed09aa28ae3b4509f00a24a9ebdeb084ee00736a)
(cherry picked from commit f98f142da571653436596ccad2d09c7e39bfd4fb)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
index 2ffe1f8de8..f56226c0c7 100644
--- a/libavcodec/aacenc_tns.c
+++ b/libavcodec/aacenc_tns.c
@@ -173,6 +173,7 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 :
2;
const int sfb_len = sfb_end - sfb_start;
const int coef_len = sce->ics.swb_offset[sfb_end] -
sce->ics.swb_offset[sfb_start];
+ const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
if (coef_len <= 0 || sfb_len <= 0) {
sce->tns.present = 0;
@@ -180,16 +181,30 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
}
for (w = 0; w < sce->ics.num_windows; w++) {
- float en[2] = {0.0f, 0.0f};
- int oc_start = 0, os_start = 0;
+ float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
+ int oc_start = 0;
int coef_start = sce->ics.swb_offset[sfb_start];
- for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
- FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
- if (g > sfb_start + (sfb_len/2))
- en[1] += band->energy;
- else
- en[0] += band->energy;
+ if (n_filt == 2) {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2))
+ en[1] += band->energy; /* End */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[2] = en[0];
+ } else {
+ for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
+ FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
+ if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
+ en[2] += band->energy; /* End */
+ else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
+ en[1] += band->energy; /* Middle */
+ else
+ en[0] += band->energy; /* Start */
+ }
+ en[3] = en[0];
}
/* LPC */
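Review bot: the `else` branch is taken for `n_filt == 1` (the `is8` case) as well as for `n_filt == 3`, so short windows now split the band into quarter/half/quarter and the direction test later compares `en[0]` (first quarter) against `en[1]` (middle half), whereas the removed code compared the two halves. If that change for 8-short windows is intended it deserves a sentence in the commit message; if not, `if (n_filt <= 2)` would keep the two-way split for `n_filt == 1` and preserve the old behaviour.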
@@ -199,15 +214,14 @@ void ff_aac_search_for_tns(AACEncContext *s,
SingleChannelElement *sce)
if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain
> TNS_GAIN_THRESHOLD_HIGH)
continue;
- tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
+ tns->n_filt[w] = n_filt;
for (g = 0; g < tns->n_filt[w]; g++) {
- tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
- tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] :
order - oc_start;
- tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] :
sfb_len - os_start;
+ tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
+ tns->order[w][g] = order/tns->n_filt[w];
+ tns->length[w][g] = sfb_len/tns->n_filt[w];
quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g],
tns->coef[w][g],
tns->order[w][g], c_bits);
oc_start += tns->order[w][g];
- os_start += tns->length[w][g];
}
count++;
}
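Review bot: `order/tns->n_filt[w]` and `sfb_len/tns->n_filt[w]` use integer division, so when `order` or `sfb_len` is not a multiple of `n_filt` the remainder coefficients and bands are not assigned to any filter. The removed ternaries never reached their `else` arm (`g < tns->n_filt[w]` always holds inside the loop), so this is not a regression, but now that the dead `os_start` bookkeeping is gone a short comment that the remainder is intentionally dropped would stop the next reader from re-adding it.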
commit ab45118cc7a78e82f623deaba18e4b4c65973914
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Aug 19 03:12:37 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:22 2025 +0100
avcodec/dxv: Check coded_height, to avoid invalid av_clip()
Fixes: assertion failure
Fixes:
438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 2540ff67a8..e7d04ff957 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -1148,6 +1148,8 @@ static int dxv_decode(AVCodecContext *avctx, void *data,
ctx->tex_rat = 1;
break;
}
+ if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1)
+ return AVERROR_INVALIDDATA;
ctx->slice_count = av_clip(avctx->thread_count, 1,
avctx->coded_height /
FFMAX(ctx->texture_block_h,
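Review bot: the guard `avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1` is phrased in terms of a fixed `2 * TEXTURE_BLOCK_H`, while the av_clip() it protects derives its upper bound from `avctx->coded_height / FFMAX(ctx->texture_block_h, ...)`; the two expressions only agree if that `FFMAX(...)` can never exceed `2 * TEXTURE_BLOCK_H`. Computing the clip bound into a local first and checking `if (max_slices < 1)` would tie the check to the value it actually protects and keep the assertion-failure fix robust to future changes of the block sizes.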
commit c9323a8efc144285d85c7602ad87787024b9ea2e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 13 13:11:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:22 2025 +0100
avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new
frame if it has no frame
Fixes: null pointer dereference
Fixes: crash_test.mp4
Found-by: Intel PSIRT
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c
index 3d7f3257db..e18317f79a 100644
--- a/libavcodec/aacdec_template.c
+++ b/libavcodec/aacdec_template.c
@@ -539,6 +539,9 @@ static int output_configure(AACContext *ac,
uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }};
uint8_t type_counts[TYPE_END] = { 0 };
+ if (get_new_frame && !ac->frame)
+ return AVERROR_INVALIDDATA;
+
if (ac->oc[1].layout_map != layout_map) {
memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0]));
ac->oc[1].layout_map_tags = tags;
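Review bot: the early return is placed before the layout_map copy, so a failing call leaves `ac->oc[1]` untouched, which is the right ordering. It returns AVERROR_INVALIDDATA without any log line, though; an av_log at error or debug level, or a comment describing which call path arrives here with `get_new_frame` set and `ac->frame == NULL`, would make the failure diagnosable.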
commit 9d304b823c9a1e01abf0c6b4f715424840a78f5e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Aug 18 17:20:49 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:22 2025 +0100
avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0243cf89b137b093b02a5c61a76e28cec1d69ae9)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 7c273b7e1a..915b9ad36d 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -91,7 +91,7 @@ static int64_t read_ts(const char *p, int64_t *start)
if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
- *start = (mm * 60 + ss) * AV_TIME_BASE;
+ *start = llrint((mm * 60 + ss) * AV_TIME_BASE);
if (prefix[1] == '-') {
*start = - *start;
}
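Review bot: replacing the implicit double-to-int64 conversion (truncation toward zero) with llrint() changes rounding on every platform, not just x86-32, e.g. a product ending in .7 now rounds up instead of down; the FATE reference evidently accepts that, but the commit message only mentions the x86-32 failure, so one sentence noting the intentional rounding change would be worth adding. Note also that `mm * 60` is still computed in 32-bit unsigned arithmetic before the conversion to double (see the other lrcdec change in this log, cf9ac939), so llrint() does not address wraparound of that sub-expression.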
commit b39f58aa95a22487402aedcf02f277e1fd30dba0
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 17 15:31:48 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:22 2025 +0100
avcodec/sanm: Check w,h,left,top
The setup code for w,h,left,top is complex, the code using it also falls in
at least 2 different classes, one using left/top the other not.
To ensure no out of array access happens we add this clear check.
Fixes: out of array access
Fixes:
439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 134fbfd1dcb59441e38d870ddd231772f4e8e127)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c
index d0000ebd0c..fedb194874 100644
--- a/libavcodec/sanm.c
+++ b/libavcodec/sanm.c
@@ -974,6 +974,11 @@ static int process_frame_obj(SANMVideoContext *ctx)
}
bytestream2_skip(&ctx->gb, 4);
+ if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) >
ctx->avctx->height) {
+ avpriv_request_sample(ctx->avctx, "overly large frame\n");
+ return AVERROR_PATCHWELCOME;
+ }
+
switch (codec) {
case 1:
case 3:
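Review bot: the string passed to avpriv_request_sample() ends in `\n` ("overly large frame\n"), but avpriv_request_sample() embeds its argument in a longer sentence and supplies its own newline, so this prints a line break in the middle of the message; drop the `\n`. Separately, the check clamps negative `left`/`top` to 0 via FFMAX, which means a negative offset is accepted as long as `w`/`h` fit the frame; the commit message says the code using these values falls into two classes, so a comment stating why negative offsets are safe for both classes (or rejecting them) would make the bound reviewable.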
commit 91aca4595550bd99e025bcaea9aa01deaf1cce0f
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 15 17:55:05 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:22 2025 +0100
avcodec/utvideodec: Clear plane_start array
in pack mode the array is passed into decode_plane() without being
initialized or used
Fixes: use of uninitialized memory
Fixes:
438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5464037027807232
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 2a22972db3b390d82dedbdbb5f44cc09a43912b5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index c3eb83b47b..65ae623d3f 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -564,7 +564,7 @@ static int decode_frame(AVCodecContext *avctx, void *data,
int *got_frame,
int buf_size = avpkt->size;
UtvideoContext *c = avctx->priv_data;
int i, j;
- const uint8_t *plane_start[5];
+ const uint8_t *plane_start[5] = {NULL};
int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size;
int ret;
GetByteContext gb;
commit 24531f73d22eaaa072fcc5d19a525fa8e3553a9b
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 8 12:25:55 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avcodec/dxv: Check that we initialize op_data
Fixes:
431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5339599339847680
Fixes: use of uninitialized memory
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 6a8c41dcacbba011e553fbf35518577321d1aadb)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c
index 69263cd30d..2540ff67a8 100644
--- a/libavcodec/dxv.c
+++ b/libavcodec/dxv.c
@@ -474,7 +474,9 @@ static int dxv_decompress_opcodes(GetByteContext *gb, void
*dstp, size_t op_size
if ((flag & 3) == 0) {
bytestream2_skip(gb, 1);
- bytestream2_get_buffer(gb, dstp, op_size);
+ int read_size = bytestream2_get_buffer(gb, dstp, op_size);
+ if (read_size != op_size)
+ return AVERROR_INVALIDDATA;
} else if ((flag & 3) == 1) {
bytestream2_skip(gb, 1);
memset(dstp, bytestream2_get_byte(gb), op_size);
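Review bot: bytestream2_get_buffer() takes and returns `unsigned int`, and `op_size` is a `size_t` parameter, so `int read_size` introduces a signed/unsigned mismatch in `read_size != op_size`; declare it `unsigned` (or compare against `(unsigned)op_size` after bounding it) so the comparison is exact. The declaration also appears after a statement (`bytestream2_skip(gb, 1);`); that is valid C99 but check it matches the declaration style used elsewhere in this file on the 4.4 branch.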
commit 2a5e5b9cde94cd48545b613271c3affacd806e60
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Aug 9 14:05:19 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avcodec/exr: Check for pixel type consistency in DWA
Fixes: out of array access
Fixes: BIGSLEEP-436511754/testcase.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0469d68acb52081ca8385b844b9650398242be0f)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 7e4e0a3261..bbf1cd9984 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -2075,6 +2075,16 @@ static int decode_frame(AVCodecContext *avctx, void
*data,
for (int i = 0; i < 4; i++)
s->channel_offsets[i] *= 2;
}
+ if (s->compression == EXR_DWAA ||
+ s->compression == EXR_DWAB) {
+ for (int i = 0; i<s->nb_channels; i++) {
+ EXRChannel *channel = &s->channels[i];
+ if (channel->pixel_type != s->pixel_type) {
+ avpriv_request_sample(s->avctx, "mixed pixel type DWA");
+ return AVERROR_PATCHWELCOME;
+ }
+ }
+ }
switch (s->pixel_type) {
case EXR_FLOAT:
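Review bot: style only: `i<s->nb_channels` is missing the spaces around `<` used everywhere else in this file. The check itself is in the right place (before the `switch (s->pixel_type)` that picks the output format), and PATCHWELCOME with a sample request is appropriate since per-channel pixel types are legal EXR rather than corrupt input.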
commit 72973c98b622067f2fe23d53a09703d6b3c46939
Author: Kacper Michajłow <[email protected]>
AuthorDate: Sat Aug 9 17:09:57 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avcodec/g726: init missing sample rate
Fixes:
416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-5695764455292928
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <[email protected]>
(cherry picked from commit c2f7dae70d27a8f5ca1e3fa43d96ff5c8bf032fa)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/g726.c b/libavcodec/g726.c
index 71f5791416..88eab834d2 100644
--- a/libavcodec/g726.c
+++ b/libavcodec/g726.c
@@ -458,6 +458,8 @@ static av_cold int g726_decode_init(AVCodecContext *avctx)
g726_reset(c);
avctx->sample_fmt = AV_SAMPLE_FMT_S16;
+ if (!avctx->sample_rate)
+ avctx->sample_rate = 8000;
return 0;
}
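Review bot: defaulting `avctx->sample_rate` to 8000 silently when the container supplied none fixes the fuzzer case, but 8000 Hz is an assumption about the input; an av_log at AV_LOG_WARNING (or at least a comment that 8 kHz is the nominal G.726 rate) next to the assignment would tell users why their output has that rate.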
commit cf9ac939ce8fdcfeba0876772e5d06b9a12b1152
Author: Kacper Michajłow <[email protected]>
AuthorDate: Sat Aug 9 16:49:17 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avformat/lrcdec: limit input timestamp range to avoid overflows
Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <[email protected]>
(cherry picked from commit c74bc74398e7a1e235fdf51d0dd2dfb942626c82)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index 6273d88ae7..7c273b7e1a 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,7 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm;
+ uint32_t mm;
double ss;
char prefix[3];
@@ -87,8 +87,8 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
- if (ret != 3 || prefix[0] != '[') {
+ int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) {
return 0;
}
*start = (mm * 60 + ss) * AV_TIME_BASE;
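Review bot: two gaps in `ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60`. First, `%lf` accepts "nan", and NaN fails both `ss < 0` and `ss > 60`, so it passes the check and reaches the double-to-int64 conversion on the last line, which is undefined for NaN; write the range test as `!(ss >= 0 && ss <= 60)` so NaN is rejected. Second, `mm * 60` is still evaluated as 32-bit unsigned and wraps for `mm > 71582788` before being converted to double; the result no longer overflows int64_t, which is what the commit targets, but the timestamp is silently wrong, so an explicit upper bound on `mm` (or `mm * 60.0`) would be cleaner.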
commit 32a9aae14cd0b6ae3ed56bf11f07e2a6e1e3d9a6
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 8 23:19:03 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avcodec/scpr3: Clear clr
clr is passed into decode_run_p(); it's not used when not set
but this possibly triggers msan (it doesnt locally)
Fixes?: use of uninitialized memory
Fixes?:
436997807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-6253316466606080
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 354226037646d44701f0f2a84749fb2ea303f043)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c
index 85524feafe..7e0c066bfa 100644
--- a/libavcodec/scpr3.c
+++ b/libavcodec/scpr3.c
@@ -1168,7 +1168,7 @@ static int decompress_p3(AVCodecContext *avctx,
}
} else {
int run, bx = x * 16 + sx1, by = y * 16 + sy1;
- uint32_t clr, ptype = 0, r, g, b;
+ uint32_t clr = 0, ptype = 0, r, g, b;
if (bx >= avctx->width)
return AVERROR_INVALIDDATA;
commit 6103d73dce4fac75f7113244efc7f6a1f24777ae
Author: Michael Niedermayer <[email protected]>
AuthorDate: Fri Aug 8 15:03:56 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:21 2025 +0100
avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector()
Fixes: use of uninitialized memory
Fixes:
42538134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 9686fdd729a9caeeac0dc84dca2a65e4c9e5460b)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c
index 1aa6dddac8..87e7e82c82 100644
--- a/libavcodec/ilbcdec.c
+++ b/libavcodec/ilbcdec.c
@@ -670,6 +670,7 @@ static void get_codebook(int16_t * cbvec, /* (o)
Constructed codebook vector *
/* get vector */
memcpy(cbvec, mem + lMem - k, cbveclen * 2);
} else if (index < base_size) {
+ memset(cbvec, 0, cbveclen * 2);
/* Calculate lag */
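Review bot: `cbveclen * 2` hardcodes `sizeof(int16_t)` in the new memset (and again in the second hunk); `cbveclen * sizeof(*cbvec)` matches the existing memcpy's intent without the magic number and survives a type change. Also, since both branches that construct `cbvec` now clear it first, a comment on which entries of the vector are otherwise left unwritten would explain why a full clear is needed rather than a fix at the writer.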
@@ -696,6 +697,7 @@ static void get_codebook(int16_t * cbvec, /* (o)
Constructed codebook vector *
filter_mafq12(&mem[memIndTest + 4], cbvec, (int16_t *)
kCbFiltersRev, CB_FILTERLEN, cbveclen);
} else {
+ memset(cbvec, 0, cbveclen * 2);
/* interpolated vectors */
/* Stuff zeros outside memory buffer */
memIndTest = lMem - cbveclen - CB_FILTERLEN;
commit 39f4a60035085e7b1465fa7159d3ef03114dfe27
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Aug 9 11:38:07 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:20 2025 +0100
avcodec/jpeg2000dec: Make sure the 4 extra bytes allocated are initialized
Fixes: use of uninitialized memory
Fixes:
429130590/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_DEC_fuzzer-5736930522497024
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d6fe3786cd8c06437756d407f727ff01cf1774ff)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 8663bdb4c9..2fe35530a6 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1291,6 +1291,7 @@ static int jpeg2000_decode_packet(Jpeg2000DecoderContext
*s, Jpeg2000Tile *tile,
bytestream2_get_bufferu(&s->g, cblk->data + cblk->length,
cblk->lengthinc[cwsno]);
cblk->length += cblk->lengthinc[cwsno];
+ memset(cblk->data + cblk->length, 0, 4);
cblk->lengthinc[cwsno] = 0;
if (cblk->nb_terminationsinc) {
cblk->nb_terminationsinc--;
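Review bot: `memset(cblk->data + cblk->length, 0, 4)` depends on the allocation of `cblk->data` always having 4 bytes of slack beyond the maximum `cblk->length`, as the commit title says; that invariant is established elsewhere, so either an av_assert1 on the available size or a comment pointing at the allocation site would keep this from turning into an overflow if the slack is ever reduced.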
commit 2838a74097cd0e6df76a4f2e6bf86cacbcad4a39
Author: Muhammad Faiz <[email protected]>
AuthorDate: Thu Jul 3 20:47:58 2025 +0700
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:20 2025 +0100
avfilter/avf_showcqt: fix unbounded index when copying to fft_data
When timeclamp and/or fps are low, j can be negative.
Fix Ticket11640
(cherry picked from commit 35ea45835484b90490e7d1704ef99ccb7b775578)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavfilter/avf_showcqt.c b/libavfilter/avf_showcqt.c
index dba1f089ee..88681ec9b0 100644
--- a/libavfilter/avf_showcqt.c
+++ b/libavfilter/avf_showcqt.c
@@ -1513,7 +1513,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame
*insamples)
i = insamples->nb_samples - remaining;
j = s->fft_len/2 + s->remaining_fill_max - s->remaining_fill;
if (remaining >= s->remaining_fill) {
- for (m = 0; m < s->remaining_fill; m++) {
+ for (m = FFMAX(0, -j); m < s->remaining_fill; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
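Review bot: starting the loop at `m = FFMAX(0, -j)` avoids the negative index, but for negative `j` the samples `audio_data[2*(i+m)]` with `m < -j` are silently dropped rather than written anywhere; the commit message says `j` goes negative when timeclamp/fps are low, which suggests the underlying issue is in how `remaining_fill_max`/`remaining_fill` are derived. If dropping those samples is acceptable, a comment saying so at the loop would help; otherwise clamp the parameters at init so `j` cannot be negative.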
@@ -1547,7 +1547,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame
*insamples)
s->fft_data[m] = s->fft_data[m+step];
s->remaining_fill = step;
} else {
- for (m = 0; m < remaining; m++) {
+ for (m = FFMAX(0, -j); m < remaining; m++) {
s->fft_data[j+m].re = audio_data[2*(i+m)];
s->fft_data[j+m].im = audio_data[2*(i+m)+1];
}
commit bfd4b415be8b5cb2ace7676bc266f0d690a38575
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun May 11 00:58:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:20 2025 +0100
avcodec/aacsbr_template: Check ilb
Fixes: index 50 out of bounds for type 'INTFLOAT [40][2]'
Fixes:
401661737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-4866055713652736
Someone knowing AAC well should review this, there is likely a nicer fix
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 01a1b99fc2ccdf713abfa5203e36fbf5816e1b5f)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/aacsbr_template.c b/libavcodec/aacsbr_template.c
index 04ab2f1e36..9c65119344 100644
--- a/libavcodec/aacsbr_template.c
+++ b/libavcodec/aacsbr_template.c
@@ -1430,6 +1430,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48],
INTFLOAT X_high[64][40][2]
int ilb = ch_data->t_env[e] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
+ if (ilb >= 40)
+ return;
+
for (m = 0; m < sbr->m[1]; m++) {
AAC_FLOAT sum = sbr->dsp.sum_square(X_high[m+kx1] + ilb, iub -
ilb);
#if USE_FIXED
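Review bot: only `ilb` is bounded; `iub` (computed on the line just above from `t_env[e + 1]`) is passed as the length `iub - ilb` into sum_square() over `X_high[m+kx1] + ilb`, and with `X_high` declared `[64][40][2]` the sum also needs `iub <= 40`. If `t_env` is validated elsewhere to be non-decreasing with a bounded last entry, a comment stating that here would justify the one-sided check; otherwise add `|| iub > 40`. Also note that `return` abandons the remaining envelopes for this channel, leaving `e_curr` partially filled, which is what the commit message's request for a nicer fix alludes to.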
@@ -1448,6 +1451,9 @@ static void sbr_env_estimate(AAC_FLOAT (*e_curr)[48],
INTFLOAT X_high[64][40][2]
int iub = ch_data->t_env[e + 1] * 2 + ENVELOPE_ADJUSTMENT_OFFSET;
const uint16_t *table = ch_data->bs_freq_res[e + 1] ?
sbr->f_tablehigh : sbr->f_tablelow;
+ if (ilb >= 40)
+ return;
+
for (p = 0; p < sbr->n[ch_data->bs_freq_res[e + 1]]; p++) {
#if USE_FIXED
SoftFloat sum = FLOAT_0;
commit a1b6585b74e0ca64b4aefd0e5fe4d357a559fc88
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 13:09:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:20 2025 +0100
avcodec/utvideodec: Set B for the width= 1 case
Fixes: use of uninitialized memory
Fixes:
428034093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-6195630160805888
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 032dfe8584c4675f3253ebb5e333e834f55f7562)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 1b10b3bd06..c3eb83b47b 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -381,7 +381,7 @@ static void restore_median_planar(UtvideoContext *c,
uint8_t *src, ptrdiff_t str
// second line - first element has top prediction, the rest uses median
C = bsrc[-stride];
bsrc[0] += C;
- A = bsrc[0];
+ A = B = bsrc[0];
for (i = 1; i < FFMIN(width, 16); i++) { /* scalar loop (DSP need
align 16) */
B = bsrc[i - stride];
bsrc[i] += mid_pred(A, B, (uint8_t)(A + B - C));
commit 85eda6ff84a027543e4d1712a261a26a63188667
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 13:36:06 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:20 2025 +0100
avcodec/ffv1: Clear state on alloc
Fixes: use of uninitialized memory
Fixes:
428969823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-5909681623334912
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 70fc46d185663dbea0995bf868d66b58b388119e)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 56a8fb847e..4796916300 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -74,7 +74,7 @@ av_cold int ff_ffv1_init_slice_state(FFV1Context *f,
FFV1Context *fs)
if (fs->ac != AC_GOLOMB_RICE) {
if (!p->state)
- p->state = av_malloc_array(p->context_count, CONTEXT_SIZE *
+ p->state = av_calloc(p->context_count, CONTEXT_SIZE *
sizeof(uint8_t));
if (!p->state)
return AVERROR(ENOMEM);
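Review bot: zeroing only happens on the first allocation because the `if (!p->state)` guard keeps an existing buffer; if the slice state can be re-initialised for a new frame or after a header change, stale contents survive, so a comment here should point at whatever resets `p->state` on reuse (or the reset should be made unconditional). Minor: `CONTEXT_SIZE * sizeof(uint8_t)` multiplies by 1 and can simply be `CONTEXT_SIZE`.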
commit eb80096cbe8b11105f7be0eb99233667e8836c1a
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Aug 5 23:42:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
avcodec/jpeg2000dec: implement cdef remapping during pixel format matching
Fixes: out of array access
Fixes: poc.jp2
Found-by: Andy Nguyen <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 01a292c7e36545ddeb3c7f79cd02e2611cd37d73)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 197dc86965..8663bdb4c9 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -357,6 +357,14 @@ static int get_siz(Jpeg2000DecoderContext *s)
}
// after here we no longer have to consider negative cdef
+ int cdef_used = 0;
+ for (i = 0; i < s->ncomponents; i++)
+ cdef_used |= 1<<s->cdef[i];
+
+ // Check that the channels we have are what we expect for the number of
components
+ if (cdef_used != ((int[]){0,2,3,14,15})[s->ncomponents])
+ return AVERROR_INVALIDDATA;
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
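Review bot: `cdef_used |= 1<<s->cdef[i];` and the lookup `((int[]){0,2,3,14,15})[s->ncomponents]` both depend on invariants that are not visible here, namely `0 <= s->cdef[i] < 31` and `s->ncomponents <= 4`; assert them or state them in the comment, since an out-of-range cdef makes the shift undefined and a fifth component reads past the compound literal. The expected masks do match the defaults installed earlier (cdef = i + 1 with the last channel 0 for even ncomponents gives 2, 3, 14, 15), and the equality test also rejects duplicate cdef entries; both points belong in the comment.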
@@ -369,7 +377,9 @@ static int get_siz(Jpeg2000DecoderContext *s)
av_log(s->avctx, AV_LOG_ERROR, "Invalid sample separation
%d/%d\n", s->cdx[i], s->cdy[i]);
return AVERROR_INVALIDDATA;
}
- log2_chroma_wh |= s->cdy[i] >> 1 << i * 4 | s->cdx[i] >> 1 << i * 4 +
2;
+ int i_remapped = s->cdef[i] ? s->cdef[i]-1 : (s->ncomponents-1);
+
+ log2_chroma_wh |= s->cdy[i] >> 1 << i_remapped * 4 | s->cdx[i] >> 1 <<
i_remapped * 4 + 2;
}
s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x,
s->tile_width);
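Review bot: only `log2_chroma_wh` is built with `i_remapped`; `s->cdx[i]`, `s->cdy[i]` and `s->cbps[i]` stay indexed by stream order, so the pixel-format matcher must consume nothing else that is component-order sensitive, and a comment saying so would help. The expression `s->cdx[i] >> 1 << i_remapped * 4 + 2` relies on `+` binding tighter than `<<`; now that the shift amount is computed, parentheses around `(i_remapped * 4 + 2)` would make the intent obvious.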
commit de97cc3892f9655e292af8d7d235f2c1eb77b3b7
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Aug 5 23:18:47 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
avcodec/jpeg2000dec: move cdef default check into get_siz()
This way cdef is at its final value earlier
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 104d6846c1be0cb757dc95d5801a416f4d7c687d)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 9b3654dbc6..197dc86965 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -346,6 +346,17 @@ static int get_siz(Jpeg2000DecoderContext *s)
return AVERROR_INVALIDDATA;
}
+ for (i = 0; i < s->ncomponents; i++) {
+ if (s->cdef[i] < 0) {
+ for (i = 0; i < s->ncomponents; i++) {
+ s->cdef[i] = i + 1;
+ }
+ if ((s->ncomponents & 1) == 0)
+ s->cdef[s->ncomponents-1] = 0;
+ }
+ }
+ // after here we no longer have to consider negative cdef
+
for (i = 0; i < s->ncomponents; i++) { // Ssiz_i XRsiz_i, YRsiz_i
uint8_t x = bytestream2_get_byteu(&s->g);
s->cbps[i] = (x & 0x7f) + 1;
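Review bot: the inner `for (i = 0; ...)` reuses the outer loop variable, so the outer loop only terminates because the inner one leaves `i == s->ncomponents`; this works but reads like a bug. A `break` after the inner loop (or a separate index) would state the intent that the defaults are installed once as soon as any cdef is negative.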
commit f86359ec440f3462df0e7cf10cc9e95d959167d8
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 10:08:14 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
avcodec/exr: Check rle_raw_data and surroundings
Fixes: out of array read
Fixes: BIGSLEEP-436510153/dwa_uncompress_read.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 0d9c003d76383e82b57b6d5aa33776709d0cda2c)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 93528084a6..7e4e0a3261 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -998,6 +998,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
const int dc_h = td->ysize >> 3;
GetByteContext gb, agb;
int skip, ret;
+ int have_rle = 0;
if (compressed_size <= 88)
return AVERROR_INVALIDDATA;
@@ -1022,6 +1023,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
)
return AVERROR_INVALIDDATA;
+ if ((uint64_t)rle_raw_size > INT_MAX) {
+ avpriv_request_sample(s->avctx, "Too big rle_raw_size");
+ return AVERROR_INVALIDDATA;
+ }
+
bytestream2_init(&gb, src + 88, compressed_size - 88);
skip = bytestream2_get_le16(&gb);
if (skip < 2)
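Review bot: the cast in `(uint64_t)rle_raw_size > INT_MAX` also rejects negative values, which is needed because `rle_raw_size / 2` is later used as a pointer offset; either say so in a comment or write it as `rle_raw_size < 0 || rle_raw_size > INT_MAX` so the reader does not have to work it out.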
@@ -1092,6 +1098,9 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
if (rle_raw_size > 0 && rle_csize > 0 && rle_usize > 0) {
unsigned long dest_len = rle_usize;
+ if (2LL * td->xsize * td->ysize > rle_raw_size)
+ return AVERROR_INVALIDDATA;
+
av_fast_padded_malloc(&td->rle_data, &td->rle_size, rle_usize);
if (!td->rle_data)
return AVERROR(ENOMEM);
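Review bot: `2LL * td->xsize * td->ysize > rle_raw_size` bounds the two per-row reads of the alpha loop (`y * td->xsize` and `y * td->xsize + rle_raw_size / 2`) if each row consumes xsize bytes from both halves, but the buffer allocated in this block is `td->rle_data` sized `rle_usize`, not `td->rle_raw_data`; the reviewer needs to see, outside this hunk, that rle_raw_data is allocated to at least rle_raw_size bytes, otherwise the check compares against a size the buffer may not have.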
@@ -1108,6 +1117,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
if (ret < 0)
return ret;
bytestream2_skip(&gb, rle_csize);
+
+ have_rle = 1;
}
bytestream2_init(&agb, td->ac_data, ac_count * 2);
@@ -1168,7 +1179,7 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
if (s->nb_channels < 4)
return 0;
- for (int y = 0; y < td->ysize && td->rle_raw_data; y++) {
+ for (int y = 0; y < td->ysize && have_rle; y++) {
uint32_t *ao = ((uint32_t *)td->uncompressed_data) + y * td->xsize *
s->nb_channels;
uint8_t *ai0 = td->rle_raw_data + y * td->xsize;
uint8_t *ai1 = td->rle_raw_data + y * td->xsize + rle_raw_size / 2;
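Review bot: switching the loop condition from `td->rle_raw_data` to `have_rle` is the real fix: av_fast_padded_malloc() keeps buffers across calls, so a non-NULL pointer only says that some earlier block had RLE alpha, not this one, and the stale buffer was then read with the current block's sizes. A one-line comment on `have_rle` stating that the pointer is not a per-block flag would stop the next refactor from reintroducing the pattern.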
commit 713e086aff3a83eb357c69a4909cac379d4b37dc
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Aug 6 10:35:15 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
avcodec/exr: Don't access outside xsize/ysize
Fixes: out of array access
Fixes: BIGSLEEP-436510316/dwa_uncompress_write.exr
Found-by: Google Big Sleep
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit f45da79b2c336c5f8f3e563d72b8a22fecdcde0c)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index e3585e85fa..93528084a6 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1114,6 +1114,9 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
for (int y = 0; y < td->ysize; y += 8) {
for (int x = 0; x < td->xsize; x += 8) {
+ int bw = FFMIN(8, td->xsize - x);
+ int bh = FFMIN(8, td->ysize - y);
+
memset(td->block, 0, sizeof(td->block));
for (int j = 0; j < 3; j++) {
@@ -1143,8 +1146,8 @@ static int dwa_uncompress(EXRContext *s, const uint8_t
*src, int compressed_size
float *ub = td->block[1];
float *vb = td->block[2];
- for (int yy = 0; yy < 8; yy++) {
- for (int xx = 0; xx < 8; xx++) {
+ for (int yy = 0; yy < bh; yy++) {
+ for (int xx = 0; xx < bw; xx++) {
const int idx = xx + yy * 8;
convert(yb[idx], ub[idx], vb[idx], &bo[xx], &go[xx],
&ro[xx]);
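Review bot: clamping the output loops to `bw`/`bh` fixes the write side, and `idx = xx + yy * 8` correctly keeps the 8-wide block stride; a short comment should say so, because a clamped `xx` next to an unclamped `8` looks inconsistent at first read. The row advance of `bo`/`go`/`ro` between `yy` iterations is outside the hunk and should be checked to still use the image stride for the partial last row.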
commit 013d39a06cddaa177ed7d0ec8df5d0dfb69e0a9d
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Wed Aug 6 14:54:22 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
examples: Add check and replace av_free() to avoid potential memory errors
Add check for the return value of av_packet_alloc() to avoid potential NULL
pointer dereference.
Moreover, replace redundant av_free() with fprintf().
Fixes: 9a38184a14 ("examples/decode_audio: allocate the packet dynamically")
Signed-off-by: Jiasheng Jiang <[email protected]>
Reviewed-by: Nicolas George <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c64cff64a22a59c0c02281ee9fd9d89963d14d16)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/doc/examples/decode_audio.c b/doc/examples/decode_audio.c
index 6c2a8ed550..36fc3668e2 100644
--- a/doc/examples/decode_audio.c
+++ b/doc/examples/decode_audio.c
@@ -127,6 +127,10 @@ int main(int argc, char **argv)
outfilename = argv[2];
pkt = av_packet_alloc();
+ if (!pkt) {
+ fprintf(stderr, "Could not allocate AVPacket\n");
+ exit(1); /* or proper cleanup and returning */
+ }
/* find the MPEG audio decoder */
codec = avcodec_find_decoder(AV_CODEC_ID_MP2);
@@ -160,7 +164,7 @@ int main(int argc, char **argv)
}
outfile = fopen(outfilename, "wb");
if (!outfile) {
- av_free(c);
+ fprintf(stderr, "Could not open %s\n", outfilename);
exit(1);
}
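Review bot: if `c` is the codec context this example opens with avcodec_alloc_context3(), `av_free(c)` was the wrong deallocator anyway (avcodec_free_context()), so dropping it is right; but both new error paths now `exit(1)` with `pkt` (and the context) still allocated, and only the first hunk flags that with `/* or proper cleanup and returning */`. Since these examples get copied into real programs, either add the same comment here or free what has already been acquired before exiting.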
commit dc9780ac6850ddf839f1ac6cb7cfcf4d70e38a15
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Sun Aug 3 23:31:27 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:19 2025 +0100
libavcodec/tests/snowenc: Add av_free() to avoid memory leak
Add av_free() to free s.temp_dwt_buffer and s.temp_idwt_buffer at the end
of the function to avoid memory leak.
Fixes: 5d48e4eafa ("Merge commit
'a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 446cfbfb7446208bd1592bbc0ac18ac744543563)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/tests/snowenc.c b/libavcodec/tests/snowenc.c
index 65699158ca..c90933be3b 100644
--- a/libavcodec/tests/snowenc.c
+++ b/libavcodec/tests/snowenc.c
@@ -44,7 +44,8 @@ int main(void){
if (!s.temp_dwt_buffer || !s.temp_idwt_buffer) {
fprintf(stderr, "Failed to allocate memory\n");
- return 1;
+ ret = 1;
+ goto end;
}
av_lfg_init(&prng, 1);
@@ -155,5 +156,9 @@ int main(void){
}
}
+
+end:
+ av_free(s.temp_dwt_buffer);
+ av_free(s.temp_idwt_buffer);
return ret;
}
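Review bot: `goto end` on the allocation failure leaves `ret = 1` and then frees both buffers, which is fine since av_free(NULL) is a no-op for the one that failed; confirm that `ret` is initialised to 0 on the success path before `end:` is reached, as only the failure assignment is visible here.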
commit c1a253b002c83f276ad9407b2257c3e7c1b5e3f7
Author: Kacper Michajłow <[email protected]>
AuthorDate: Wed Aug 6 19:49:11 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
avcodec/mpc8: init avctx->sample_rate
Fixes frame validation.
Fixes:
416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC8_fuzzer-5765557242888192
Found-by: OSS-Fuzz
Signed-off-by: Kacper Michajłow <[email protected]>
(cherry picked from commit 09cb2d41d1862c2f9b3b66311ede28527d703700)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index e9919aea62..5c5a26f315 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -154,7 +154,13 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
init_get_bits(&gb, avctx->extradata, 16);
- skip_bits(&gb, 3);//sample rate
+ uint8_t sample_rate_idx = get_bits(&gb, 3);
+ static const int sample_rates[] = { 44100, 48000, 37800, 32000 };
+ if (sample_rate_idx >= FF_ARRAY_ELEMS(sample_rates)) {
+ av_log(avctx, AV_LOG_ERROR, "invalid sample rate index (%u)\n",
sample_rate_idx);
+ return AVERROR_INVALIDDATA;
+ }
+ avctx->sample_rate = sample_rates[sample_rate_idx];
c->maxbands = get_bits(&gb, 5) + 1;
if (c->maxbands >= BANDS) {
av_log(avctx,AV_LOG_ERROR, "maxbands %d too high\n", c->maxbands);
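Review bot: the 3-bit field yields indices 0..7 and the table has 4 entries, so the `>= FF_ARRAY_ELEMS(sample_rates)` check is required and correct; a comment that the remaining indices carry no defined rate explains why this is an error rather than a default. Minor: get_bits() returns unsigned int, so an `int sample_rate_idx` printed with `%d` avoids passing a promoted uint8_t to `%u`, and a file-scope `static const` table is the usual placement.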
commit 5bcb05cc16846edfc54cd20cff0ff4aa187d0aec
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Aug 2 18:55:26 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
avformat/hls: add cmfv/cmfa exceptions
Fixes: Ticket11526
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit f3c3a6ecfb230c56a8ff9d219d79d5981b2aa4f3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/hls.c b/libavformat/hls.c
index fdec350a4d..f98504df2c 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -735,8 +735,8 @@ static int test_segment(AVFormatContext *s, const
AVInputFormat *in_fmt, struct
+ 2*(ff_match_url_ext(seg->url, in_fmt->extensions) > 0);
// Youtube uses aac files with .ts extension
if(av_match_name("mp4", in_fmt->name) || av_match_name("aac",
in_fmt->name)) {
- matchF |= av_match_ext( seg->url,
"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts")
- + 2*(ff_match_url_ext(seg->url,
"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts") > 0);
+ matchF |= av_match_ext( seg->url,
"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa")
+ + 2*(ff_match_url_ext(seg->url,
"ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts,cmfv,cmfa") > 0);
}
} else if (!strcmp(in_fmt->name, "mpegts")) {
const char *str = "ts,m2t,m2ts,mts,mpg,m4s,mpeg,mpegts"
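Review bot: the extension list is now spelled out twice in this branch and a third time, without cmfv/cmfa, in the mpegts branch at `const char *str = ...`; hoist it into one `static const char` so the call sites cannot drift, and say in a comment why CMAF segments (.cmfv/.cmfa) are handled like the aac/mp4-in-.ts case.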
commit 972d098319ededd2ea94c5103b2d347faa0e2118
Author: Kacper Michajłow <[email protected]>
AuthorDate: Wed Jul 23 20:04:53 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
avformat/lrcdec: support arbitrary precision timestamp
Apparently files with milliseconds exist in the wild. And since it costs
nothing to support an arbitrary number of digits, extend the format to support
that.
Depending on the number of digits, the time base of the fractional part
changes. Most LRCs use 2 digits and a centiseconds base, but subs with 3
digits and milliseconds exist too.
Set the internal time base to AV_TIME_BASE, which in practice allows
holding microseconds with 6 digits. Totally artificial, but who knows, maybe
someone wants that.
Fixes: #11677
Signed-off-by: Kacper Michajłow <[email protected]>
(cherry picked from commit bc3cc0a6af44adc63caf4e5097fcfebd7a7475b4)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c
index ca23a60f84..6273d88ae7 100644
--- a/libavformat/lrcdec.c
+++ b/libavformat/lrcdec.c
@@ -77,7 +77,9 @@ static int64_t count_ts(const char *p)
static int64_t read_ts(const char *p, int64_t *start)
{
int64_t offset = 0;
- uint64_t mm, ss, cs;
+ uint64_t mm;
+ double ss;
+ char prefix[3];
while(p[offset] == ' ' || p[offset] == '\t') {
offset++;
@@ -85,14 +87,14 @@ static int64_t read_ts(const char *p, int64_t *start)
if(p[offset] != '[') {
return 0;
}
- if(sscanf(p, "[-%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) == 3) {
- /* Just in case negative pts, players may drop it but we won't. */
- *start = -(int64_t) (mm*60000 + ss*1000 + cs*10);
- } else if(sscanf(p, "[%"SCNu64":%"SCNu64".%"SCNu64"]", &mm, &ss, &cs) ==
3) {
- *start = mm*60000 + ss*1000 + cs*10;
- } else {
+ int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss);
+ if (ret != 3 || prefix[0] != '[') {
return 0;
}
+ *start = (mm * 60 + ss) * AV_TIME_BASE;
+ if (prefix[1] == '-') {
+ *start = - *start;
+ }
do {
offset++;
} while(p[offset] && p[offset-1] != ']');
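Review bot: `%lf` accepts `inf`, `nan`, exponents and hex floats, and `(mm * 60 + ss) * AV_TIME_BASE` is then converted from double to int64_t; for a non-finite or huge `ss` that conversion is undefined behaviour, which the old integer parser could not reach. Reject `!isfinite(ss) || ss < 0` (arguably also `ss >= 60`) before the multiply, or clamp with av_clipd() to the int64 range. The scanset `%2[[-]` also accepts `[[` as the prefix, so `[[12:34]` now parses; checking `prefix[1] == 0 || prefix[1] == '-'` keeps the old strictness. Pre-existing: the whitespace skip computes `offset` but sscanf() still starts at `p`.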
@@ -163,7 +165,7 @@ static int lrc_read_header(AVFormatContext *s)
if(!st) {
return AVERROR(ENOMEM);
}
- avpriv_set_pts_info(st, 64, 1, 1000);
+ avpriv_set_pts_info(st, 64, 1, AV_TIME_BASE);
lrc->ts_offset = 0;
st->codecpar->codec_type = AVMEDIA_TYPE_SUBTITLE;
st->codecpar->codec_id = AV_CODEC_ID_TEXT;
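Review bot: changing the stream time base from 1/1000 to 1/AV_TIME_BASE is visible to API users (st->time_base and every packet pts change scale) and on a release branch is a behaviour change rather than a pure bug fix; the message should justify the backport. Everything else in this demuxer that does timestamp arithmetic (`lrc->ts_offset` just below, and whatever count_ts() feeds) must now be in the same unit, and the lrc FATE references need regenerating.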
commit 902c725b2cfce8126c8f397e8a7a794ab1cd932e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Aug 4 21:08:47 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
avcodec/ffv1dec: Disable frame threading due to race condition
Slice threading remains available!
The race condition fix is in 8d5efc218245c3f0559f48837b3e63e2932525e0
and bcf08c11710cab5db8eb3d0774e1a93e322fb821
Backport of these is welcome
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index eb2f29989a..8fb1509f16 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -1091,6 +1091,6 @@ AVCodec ff_ffv1_decoder = {
.decode = decode_frame,
.update_thread_context = ONLY_IF_THREADS_ENABLED(update_thread_context),
.capabilities = AV_CODEC_CAP_DR1 /*| AV_CODEC_CAP_DRAW_HORIZ_BAND*/ |
- AV_CODEC_CAP_FRAME_THREADS | AV_CODEC_CAP_SLICE_THREADS,
- .caps_internal = FF_CODEC_CAP_INIT_CLEANUP |
FF_CODEC_CAP_ALLOCATE_PROGRESS,
+ AV_CODEC_CAP_SLICE_THREADS,
+ .caps_internal = FF_CODEC_CAP_INIT_CLEANUP,
};
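Review bot: dropping AV_CODEC_CAP_FRAME_THREADS together with FF_CODEC_CAP_ALLOCATE_PROGRESS is consistent, but `.update_thread_context` is left wired up for a capability the decoder no longer advertises; either drop it too or comment that it is kept to ease re-enabling once the two commits named in the message are backported. Users passing `-threads N` to ffv1 now silently fall back to slice threading, which deserves a Changelog line for the release.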
commit 8c03e1112beef9e251b46c14fe7b1baa1225a12f
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Sun Aug 3 20:32:23 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
libavcodec/tests/motion: Add check for avcodec_alloc_context3()
Add check for the return value of avcodec_alloc_context3() to avoid
potential NULL pointer dereference.
Fixes: 5d48e4eafa ("Merge commit
'a6a750c7ef240b72ce01e9653343a0ddf247d196'")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 55d234b4330d1588eb127cf2283a442ee341f2c2)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/tests/motion.c b/libavcodec/tests/motion.c
index d89f9408c2..321e03d4f6 100644
--- a/libavcodec/tests/motion.c
+++ b/libavcodec/tests/motion.c
@@ -127,6 +127,10 @@ int main(int argc, char **argv)
printf("ffmpeg motion test\n");
ctx = avcodec_alloc_context3(NULL);
+ if (!ctx) {
+ return 1;
+ }
+
ctx->flags |= AV_CODEC_FLAG_BITEXACT;
av_force_cpu_flags(0);
memset(&cctx, 0, sizeof(cctx));
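Review bot: the early `return 1` on avcodec_alloc_context3() failure prints nothing, unlike the other allocation checks in this series (`fprintf(stderr, "Failed to allocate memory\n")`); a message makes a failing test explain itself.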
commit 74f0280dca9f8e9b4b3b2f627f440ba5c59f7406
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Sun Aug 3 19:14:38 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:18 2025 +0100
avcodec/tests/avpacket: Add av_free() to avoid memory leak
Add av_free() to free extra_data if av_packet_add_side_data() fails.
Fixes: da3c69a5a9 ("Added test for libavcodec/avpacket.c")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 008679ec162d1769afd706af5b1ce7a593f13f2b)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/tests/avpacket.c b/libavcodec/tests/avpacket.c
index 8b209f52f7..1d7cc8c450 100644
--- a/libavcodec/tests/avpacket.c
+++ b/libavcodec/tests/avpacket.c
@@ -50,6 +50,7 @@ static int setup_side_data_entry(AVPacket* avpkt)
ret = av_packet_add_side_data(avpkt, AV_PKT_DATA_NEW_EXTRADATA,
extra_data, bytes);
if(ret < 0){
+ av_free(extra_data);
fprintf(stderr,
"Error occurred in av_packet_add_side_data: %s\n",
av_err2str(ret));
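Review bot: av_packet_add_side_data() takes ownership of `extra_data` only on success, so freeing it on the failure path is correct; one comment line stating that would keep the next reader from removing the free as a suspected double free.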
commit 4ee4b85123b50a6c57d6bc6c63dc0617e78a75e0
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Sat Aug 2 23:28:48 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:17 2025 +0100
examples: Add av_freep to avoid potential memory leak
Add av_freep() to free avio_ctx_buffer if avio_alloc_context fails
to avoid potential memory leak.
Fixes: 5fc4dea39c ("examples: add avio_reading.c example")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 9ca58424ded24e931fed329174c28244b67d5670)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/doc/examples/avio_reading.c b/doc/examples/avio_reading.c
index 36ee02afa5..0840e77f2e 100644
--- a/doc/examples/avio_reading.c
+++ b/doc/examples/avio_reading.c
@@ -96,6 +96,7 @@ int main(int argc, char *argv[])
avio_ctx = avio_alloc_context(avio_ctx_buffer, avio_ctx_buffer_size,
0, &bd, &read_packet, NULL, NULL);
if (!avio_ctx) {
+ av_freep(&avio_ctx_buffer);
ret = AVERROR(ENOMEM);
goto end;
}
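Review bot: freeing `avio_ctx_buffer` here is needed because the cleanup at `end:` presumably reaches the buffer through `avio_ctx->buffer`, which is NULL on this path; if `end:` also touches `avio_ctx_buffer` directly, av_freep()'s NULLing keeps that safe, but a comment stating which of the two owns the buffer once avio_alloc_context() succeeds would help people copying the example.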
commit 78dfb98f7d670b7a25bd00db4965151eabced39c
Author: Jiasheng Jiang <[email protected]>
AuthorDate: Sun Aug 3 20:09:38 2025 +0000
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:17 2025 +0100
avcodec/tests/avpacket: Add av_packet_free() to avoid memory leak
Add av_packet_free() to free avpkt_clone and avpkt in the error paths to
avoid potential memory leak.
Fixes: da3c69a5a9 ("Added test for libavcodec/avpacket.c")
Signed-off-by: Jiasheng Jiang <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ab040e25657436e88a62624b3751a583dfe4e123)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/tests/avpacket.c b/libavcodec/tests/avpacket.c
index 7a70ade4c3..8b209f52f7 100644
--- a/libavcodec/tests/avpacket.c
+++ b/libavcodec/tests/avpacket.c
@@ -100,11 +100,14 @@ int main(void)
if(!avpkt_clone) {
av_log(NULL, AV_LOG_ERROR,"av_packet_clone failed to clone
AVPacket\n");
+ av_packet_free(&avpkt);
return 1;
}
/*test av_grow_packet*/
if(av_grow_packet(avpkt_clone, 20) < 0){
av_log(NULL, AV_LOG_ERROR, "av_grow_packet failed\n");
+ av_packet_free(&avpkt_clone);
+ av_packet_free(&avpkt);
return 1;
}
if(av_grow_packet(avpkt_clone, INT_MAX) == 0){
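Review bot: each error path now repeats the frees, and the next check (`av_grow_packet(avpkt_clone, INT_MAX) == 0`) lies outside the hunk; a single `fail:` label that frees `avpkt_clone` and `avpkt` (both NULL-safe) with `goto fail` from every path is less error-prone than per-path cleanup and also covers the paths this patch did not visit.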
commit bd715593734bc7fc92b478e3b3d9a9104e9451ff
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 01:47:54 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:17 2025 +0100
avcodec/fits: Clear naxis
Fixes: Use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_DEC_fuzzer-5602250833854464
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 1687daa93c131f929495c7ab0509d2e5c98b40f5)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/fits.c b/libavcodec/fits.c
index 97fa7abe80..c14856c27e 100644
--- a/libavcodec/fits.c
+++ b/libavcodec/fits.c
@@ -27,6 +27,8 @@ int avpriv_fits_header_init(FITSHeader *header,
FITSHeaderState state)
{
header->state = state;
header->naxis_index = 0;
+ header->naxis = 0;
+ memset(header->naxisn, 0, sizeof(header->naxisn));
header->blank_found = 0;
header->pcount = 0;
header->gcount = 1;
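Review bot: `memset(header->naxisn, 0, sizeof(header->naxisn))` is only correct if `naxisn` is an inline array in FITSHeader (sizeof of a pointer member would clear 8 bytes); given that this init function resets field by field and has now missed some, `memset(header, 0, sizeof(*header))` followed by the non-zero defaults (`state`, `gcount = 1`) is simpler and cannot miss the next field that gets added.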
commit 4c41f132f411aae967a990d94a0dd47f91aa355c
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 14:52:36 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:17 2025 +0100
avcodec/vqavideo: Check bytestream2_get_buffer() reading
next_codebook_buffer
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6235973619351552
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 44864dbbb9b87d13d8f4ec92fb8536be0f9dbbc4)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index d0e1927444..4fae3449f8 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -551,8 +551,9 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
}
/* accumulate partial codebook */
- bytestream2_get_buffer(&s->gb,
&s->next_codebook_buffer[s->next_codebook_buffer_index],
- chunk_size);
+ if (chunk_size != bytestream2_get_buffer(&s->gb,
&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size))
+ return AVERROR_INVALIDDATA;
s->next_codebook_buffer_index += chunk_size;
s->partial_countdown--;
@@ -580,8 +581,9 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
}
/* accumulate partial codebook */
- bytestream2_get_buffer(&s->gb,
&s->next_codebook_buffer[s->next_codebook_buffer_index],
- chunk_size);
+ if (chunk_size != bytestream2_get_buffer(&s->gb,
&s->next_codebook_buffer[s->next_codebook_buffer_index],
+ chunk_size))
+ return AVERROR_INVALIDDATA;
s->next_codebook_buffer_index += chunk_size;
s->partial_countdown--;
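Review bot: the two hunks are byte-for-byte identical; the partial-codebook accumulation belongs in a small helper (or a `bytestream2_get_bytes_left(&s->gb) < chunk_size` check ahead of the read) so the next fix does not have to be applied twice. The early return leaves `next_codebook_buffer_index` and `partial_countdown` untouched, which is right since nothing was consumed. `chunk_size` is compared with the unsigned return of bytestream2_get_buffer(), which is fine only if chunk_size is already known to be non-negative and to fit the destination buffer; that must be checked before this point and is not visible here.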
commit 50a56ba2ee9984d124a93afdb4f3a5d13bb5617d
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 08:33:40 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:17 2025 +0100
avcodec/lzf: Check for input space
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-5597015691296768
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 610d368d9bc3f1b7073a0b33e352f8bd7db24c7e)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c
index 1e3c86c88c..94b369dd59 100644
--- a/libavcodec/lzf.c
+++ b/libavcodec/lzf.c
@@ -56,7 +56,10 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf,
int64_t *size)
p = *buf + len;
}
- bytestream2_get_buffer(gb, p, s);
+ int s2 = bytestream2_get_buffer(gb, p, s);
+ if (s2 != s)
+ return AVERROR_INVALIDDATA;
+
p += s;
len += s;
} else {
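Review bot: on the short read the function returns with `*buf` possibly already grown by the realloc above (`p = *buf + len;`) and `*size` not updated; that is fine as long as the caller still frees `*buf` on error, so the contract (caller owns `*buf` in every case) should be stated in the function comment. `int s2` is compared with `s` while bytestream2_get_buffer() returns unsigned int; keep `s` non-negative, as it is a length parsed from the stream, or compare as `(unsigned)s`.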
commit 12a3bca16f317e52d79ac0eaa3217dd5986638db
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 14:39:53 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avcodec/imc: Clear padding of buf16
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IAC_fuzzer-6685890556788736
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 715df4b1ff398758ca1b8a82c3d16940bc63fc56)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index 51e7c1b2e1..7630776c11 100644
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -1031,6 +1031,8 @@ static int imc_decode_frame(AVCodecContext *avctx, void
*data,
LOCAL_ALIGNED_16(uint16_t, buf16, [(IMC_BLOCK_SIZE +
AV_INPUT_BUFFER_PADDING_SIZE) / 2]);
+ memset(buf16 + IMC_BLOCK_SIZE/2, 0, AV_INPUT_BUFFER_PADDING_SIZE);
+
q->avctx = avctx;
if (buf_size < IMC_BLOCK_SIZE * avctx->channels) {
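Review bot: `buf16 + IMC_BLOCK_SIZE/2` is element arithmetic on a uint16_t pointer while the length is in bytes, so the memset lands on byte offset IMC_BLOCK_SIZE and covers exactly the padding only because IMC_BLOCK_SIZE and AV_INPUT_BUFFER_PADDING_SIZE are even; a comment spelling out the unit mismatch, or zeroing the whole buffer with its declared element count, avoids a future off-by-half.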
commit 736acc71a70a7c04f0d2afa0c277fb012fb0a5b6
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 14:34:59 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avcodec/cri: Check bytestream2_get_buffer() for end
Fixes: use of uninitialized memory
Fixes:
423673969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CRI_fuzzer-5910856640823296
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ea3851bebf91a96b11d16be2b36bf88111e30e36)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/cri.c b/libavcodec/cri.c
index f6e8a4455d..3059336932 100644
--- a/libavcodec/cri.c
+++ b/libavcodec/cri.c
@@ -224,7 +224,8 @@ static int cri_decode_frame(AVCodecContext *avctx, void
*data,
break;
case 102:;
int read_len = FFMIN(length, sizeof(codec_name) - 1);
- bytestream2_get_buffer(gb, codec_name, read_len))
+ if (read_len != bytestream2_get_buffer(gb, codec_name, read_len))
+ return AVERROR_INVALIDDATA;
length -= read_len;
if (strncmp(codec_name, "cintel_craw", read_len))
return AVERROR_INVALIDDATA;
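Review bot: `strncmp(codec_name, "cintel_craw", read_len)` passes whenever the first `read_len` bytes match, so with `length` below 11 a truncated prefix such as "cintel" is accepted; require `read_len == strlen("cintel_craw")` before the compare if the field is meant to be exact. The added short-read check itself is right, and it also removes the stray `)` left by the previous commit.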
commit da19447883a39d0469f75e4cd1d064c184d5e992
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Aug 3 14:34:25 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avcodec/cri: Factor read_len out
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit d9bf3c141bb96dd285477278400b8349e9f964b0)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/cri.c b/libavcodec/cri.c
index d2d80b6f1c..f6e8a4455d 100644
--- a/libavcodec/cri.c
+++ b/libavcodec/cri.c
@@ -222,10 +222,11 @@ static int cri_decode_frame(AVCodecContext *avctx, void
*data,
if (bytestream2_get_le32(gb) != 0)
return AVERROR_INVALIDDATA;
break;
- case 102:
- bytestream2_get_buffer(gb, codec_name, FFMIN(length,
sizeof(codec_name) - 1));
- length -= FFMIN(length, sizeof(codec_name) - 1);
- if (strncmp(codec_name, "cintel_craw", FFMIN(length,
sizeof(codec_name) - 1)))
+ case 102:;
+ int read_len = FFMIN(length, sizeof(codec_name) - 1);
+ bytestream2_get_buffer(gb, codec_name, read_len))
+ length -= read_len;
+ if (strncmp(codec_name, "cintel_craw", read_len))
return AVERROR_INVALIDDATA;
compressed = 1;
goto skip;
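Review bot: `bytestream2_get_buffer(gb, codec_name, read_len))` has no semicolon and an unbalanced `)`, so this commit does not compile on its own; the following commit (736acc71) replaces the line, but bisecting through this point breaks. Squash the two. The message also undersells the change: the old code compared with `FFMIN(length, ...)` after `length` had already been reduced, the new code compares `read_len` bytes, so this is a behaviour change and not only a refactor.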
commit 8c3bc258e34993d3dcc52ff1c1b2fa725f63891f
Author: Michael Niedermayer <[email protected]>
AuthorDate: Mon Jul 28 23:41:56 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avformat/dashdec: Allocate space for appended "/"
Fixes: writing 1 byte over the end of the array
Fixes: BIGSLEEP-433502298/test.xml
Found-by: Google Big Sleep
A prettier solution is welcome!
A testcase exists only for the baseurl case
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit ce0a655f85c1144d19a4acad59afbb92e4997e30)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/dashdec.c b/libavformat/dashdec.c
index c9871aaf9a..1126fdd987 100644
--- a/libavformat/dashdec.c
+++ b/libavformat/dashdec.c
@@ -730,7 +730,7 @@ static int resolve_content_path(AVFormatContext *s, const
char *url, int *max_ur
}
tmp_max_url_size = aligned(tmp_max_url_size);
- text = av_mallocz(tmp_max_url_size);
+ text = av_mallocz(tmp_max_url_size + 1);
if (!text) {
updated = AVERROR(ENOMEM);
goto end;
@@ -742,7 +742,7 @@ static int resolve_content_path(AVFormatContext *s, const
char *url, int *max_ur
}
av_free(text);
- path = av_mallocz(tmp_max_url_size);
+ path = av_mallocz(tmp_max_url_size + 2);
tmp_str = av_mallocz(tmp_max_url_size);
if (!tmp_str || !path) {
updated = AVERROR(ENOMEM);
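Review bot: `path` gets `+ 2`, `text` in the previous hunk `+ 1`, and `tmp_str` nothing, with no comment on which appended characters each slack covers; the message already asks for something prettier, so at least compute one size (`tmp_max_url_size + 2`, enough for the appended "/" and the terminator) and use it for all three, or define the slack as a named constant next to the code that appends.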
@@ -764,6 +764,15 @@ static int resolve_content_path(AVFormatContext *s, const
char *url, int *max_ur
node = baseurl_nodes[rootId];
baseurl = xmlNodeGetContent(node);
+ if (baseurl) {
+ size_t len = xmlStrlen(baseurl)+2;
+ char *tmp = xmlRealloc(baseurl, len);
+ if (!tmp) {
+ updated = AVERROR(ENOMEM);
+ goto end;
+ }
+ baseurl = tmp;
+ }
root_url = (av_strcasecmp(baseurl, "")) ? baseurl : path;
if (node) {
xmlNodeSetContent(node, root_url);
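Review bot: if xmlRealloc() fails, `baseurl` still points at the buffer returned by xmlNodeGetContent(), so the `goto end` only avoids a leak if `end:` xmlFree()s `baseurl` (not visible here); please confirm. `xmlStrlen(baseurl)+2` leaves one byte for the appended "/" and one for the terminator, and realloc does not zero the new bytes, which is only safe because the string stays NUL-terminated and the append writes its own terminator; say so in a comment. Minor: `char *tmp` should have baseurl's own type (`xmlChar *` if that is what it is) to avoid a sign mismatch on the assignment.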
commit fcf31af212cf98bf886ca359ab3334b29c358474
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jul 24 01:05:40 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avformat/mxg: clear AV_INPUT_BUFFER_PADDING_SIZE
Fixes: use of uninitialized memory
Fixes:
427532813/clusterfuzz-testcase-minimized-ffmpeg_dem_MXG_fuzzer-5661938917113856
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 1b12e919cfe3bf69038225794330d14575fb78d0)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/mxg.c b/libavformat/mxg.c
index fe5879ecf0..6f9a4446d5 100644
--- a/libavformat/mxg.c
+++ b/libavformat/mxg.c
@@ -126,6 +126,8 @@ static int mxg_update_cache(AVFormatContext *s, unsigned
int cache_size)
mxg->cache_size += ret;
+ memset(mxg->buffer_ptr + mxg->cache_size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
+
return ret;
}
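Review bot: this memset writes AV_INPUT_BUFFER_PADDING_SIZE bytes past `buffer_ptr + cache_size`, which is only valid if the cache buffer is allocated with that much slack beyond its usable size (the allocation is not in this hunk); confirm it and note the requirement at the allocation site, otherwise this turns an uninitialised read into an out-of-bounds write.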
commit e3d695473d95fe8e23df6a5dadb1a802854471da
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Jul 23 13:16:33 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:16 2025 +0100
avformat/mov: make sure file_checksum is fully initialized
Fixes: use of uninitialized memory
Fixes:
394990189/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6431722199908352
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8b16e1ddd9c0bc4ca90447d481186216cfdce0fe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/mov.c b/libavformat/mov.c
index b03a8f8295..414e7fa7c0 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1018,7 +1018,9 @@ static int mov_read_adrm(MOVContext *c, AVIOContext *pb,
MOVAtom atom)
avio_read(pb, output, 8); // go to offset 8, absolute position 0x251
avio_read(pb, input, DRM_BLOB_SIZE);
avio_read(pb, output, 4); // go to offset 4, absolute position 0x28d
- avio_read(pb, file_checksum, 20);
+ ret = ffio_read_size(pb, file_checksum, 20);
+ if (ret < 0)
+ goto fail;
av_log(c->fc, AV_LOG_INFO, "[aax] file checksum == "); // required by
external tools
for (i = 0; i < 20; i++)
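Review bot: only the file_checksum read is converted to ffio_read_size, while the three avio_read calls directly above it (output for 8 bytes, input for DRM_BLOB_SIZE, output for 4 bytes) stay unchecked, so on a truncated stream `input` can be consumed uninitialized in the same way the commit message describes for file_checksum. Suggest applying the same `ret = ffio_read_size(...); if (ret < 0) goto fail;` pattern to those reads, and confirming that `ret` and the `fail` label exist in mov_read_adrm, since neither is visible in the hunk.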
commit 5339f20be22d4290876fcfd6b2afb2c35f1f0593
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Jul 23 01:57:54 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avformat/asfdec_f: Check amount of value read
Fixes: use of uninitialized memory
Fixes: 403675492/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-4754281823797248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fa197924a66d83106c5d4dadb8610a1c526afd67)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c
index f0b1639b21..0c451274a9 100644
--- a/libavformat/asfdec_f.c
+++ b/libavformat/asfdec_f.c
@@ -340,8 +340,10 @@ static void get_tag(AVFormatContext *s, const char *key,
int type, int len, int
case ASF_UNICODE:
avio_get_str16le(s->pb, len, value, 2 * len + 1);
break;
- case -1: // ASCI
- avio_read(s->pb, value, len);
+ case -1:; // ASCII
+ int ret = ffio_read_size(s->pb, value, len);
+ if (ret < 0)
+ goto finish;
value[len]=0;
break;
case ASF_BYTE_ARRAY:
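Review bot: the `goto finish` on a short read skips `value[len]=0`, so whatever runs at `finish:` must not treat `value` as a NUL-terminated string; if it only frees the buffer that is fine, but a comment would make that explicit. Style: `case -1:;` (an empty statement so that the `int ret` declaration can follow the label) is unusual in this file; declaring `ret` with the other locals of get_tag, or wrapping the case body in braces, reads more clearly.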
commit 75d6f80fd210bbcb6a7979f58f06e9323097ba2e
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sun Jul 13 03:10:27 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avformat/concatdec: Clip duration in one more case in get_best_effort_duration()
Fixes: signed integer overflow: 40000 - -9223372036854770000 cannot be represented in type 'long'
Fixes: 427262541/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-4831506940100608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 8cdb47e47a7a53a3c635a71bf712d79119eb86b4)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c
index d45e52d7c6..069b5fe2aa 100644
--- a/libavformat/concatdec.c
+++ b/libavformat/concatdec.c
@@ -319,7 +319,7 @@ static int64_t get_best_effort_duration(ConcatFile *file,
AVFormatContext *avf)
if (file->outpoint != AV_NOPTS_VALUE)
return av_sat_sub64(file->outpoint, file->file_inpoint);
if (avf->duration > 0)
- return avf->duration - (file->file_inpoint - file->file_start_time);
+ return av_sat_sub64(avf->duration, file->file_inpoint -
file->file_start_time);
if (file->next_dts != AV_NOPTS_VALUE)
return file->next_dts - file->file_inpoint;
return AV_NOPTS_VALUE;
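Review bot: the `avf->duration` branch now saturates, but its inner term `file->file_inpoint - file->file_start_time` is still a plain subtraction, and the `file->next_dts - file->file_inpoint` return two lines below is unchanged; if either operand can carry the extreme values the fuzzer produced (the report shows -9223372036854770000), the same signed overflow remains reachable there. Consider `av_sat_sub64` for those as well, as the outpoint branch already does.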
commit da9ef71013d7b975795a8778f806f1d470c83373
Author: Michael Niedermayer <[email protected]>
AuthorDate: Wed Jul 16 00:01:07 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avcodec/ffv1dec: Check k in get_vlc_symbol()
The true problem happens in several previous get_vlc_symbol()
but checking that is more expensive (involving FFABS())
here it's just a simple check between 2 variables we have.
Fixes: Assertion log >= k failed at libavcodec/golomb.h:406
Fixes: 429296194/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFV1_DEC_fuzzer-4691594622337024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 051e0d7744dbb45f680bbfa72bfead947b11ef2f)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 0be1c94bb2..eb2f29989a 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -78,6 +78,11 @@ static inline int get_vlc_symbol(GetBitContext *gb, VlcState
*const state,
k++;
i += i;
}
+ if (k > bits) {
+ ff_dlog(NULL, "k-overflow bias:%d error:%d drift:%d count:%d k:%d",
+ state->bias, state->error_sum, state->drift, state->count, k);
+ k = bits;
+ }
v = get_sr_golomb(gb, k, 12, bits);
ff_dlog(NULL, "v:%d bias:%d error:%d drift:%d count:%d k:%d",
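Review bot: clamping `k = bits` continues decoding with a value that the commit message itself attributes to corrupted state from earlier get_vlc_symbol() calls, so the slice output is wrong but no error is reported; unless the slice is already flagged as damaged elsewhere, returning an error or marking the slice's error state would be preferable to a silent clamp that only a debug log records. If the clamp is kept, a comment saying why decoding proceeds would help.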
commit 916ede06b72a422bbda8b9be254e430139af13de
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Jul 15 22:19:24 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avcodec/cfhd: Check idwt_buf size before allocation
Fixes: OOM
Fixes: 428760799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_DEC_fuzzer-5685176435015680
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 2d72bf6fe0793c3f069ba181a0e733dcc9f28180)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index b61d1e7222..39dd2d7bf2 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -274,6 +274,9 @@ static int alloc_buffers(AVCodecContext *avctx)
int height = (i || bayer) ? s->coded_height >> chroma_y_shift :
s->coded_height;
ptrdiff_t stride = (FFALIGN(width / 8, 8) + 64) * 8;
+ if ((ret = av_image_check_size2(stride, height, avctx->max_pixels,
s->coded_format, 0, avctx)) < 0)
+ return ret;
+
if (chroma_y_shift && !bayer)
height = FFALIGN(height / 8, 2) * 8;
s->plane[i].width = width;
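Review bot: av_image_check_size2 runs before the `height = FFALIGN(height / 8, 2) * 8` adjustment for chroma planes, so the limit is checked against the unaligned height while the allocation that follows presumably uses the aligned (possibly larger) one; moving the check below that adjustment, or checking the final stride/height actually handed to the allocator, closes the gap. Also confirm `ret` is declared in alloc_buffers, since it is not visible in the hunk.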
commit 2bb6fa7c44588c25428aec81a423fec8a3e02fb9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Tue Jul 15 23:28:09 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avcodec/ivi: Check luma/chroma mb_size
Fixes: shift exponent -1 is negative
Fixes: 429011224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO5_fuzzer-5031059358285824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit c0f1c3e18579c249cc729bc6033c034f6a6f7426)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ivi.c b/libavcodec/ivi.c
index a5074e9980..30cfc5955e 100644
--- a/libavcodec/ivi.c
+++ b/libavcodec/ivi.c
@@ -991,9 +991,11 @@ static int decode_band(IVI45DecContext *ctx,
for (t = 0; t < band->num_tiles; t++) {
tile = &band->tiles[t];
- if (tile->mb_size != band->mb_size) {
- av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d\n",
- band->mb_size, tile->mb_size);
+ if (tile->mb_size != band->mb_size ||
+ ctx->planes[0].bands[0].mb_size < band->mb_size
+ ) {
+ av_log(avctx, AV_LOG_ERROR, "MB sizes mismatch: %d vs. %d vs.
%d\n",
+ band->mb_size, tile->mb_size,
ctx->planes[0].bands[0].mb_size);
return AVERROR_INVALIDDATA;
}
tile->is_empty = get_bits1(&ctx->gb);
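Review bot: the combined condition now reports two distinct problems (tile/band mismatch, and a band whose mb_size exceeds that of the luma band planes[0].bands[0]) under the single "MB sizes mismatch" message, which makes log triage harder; either split the checks or name the luma band in the message. A short comment stating why `ctx->planes[0].bands[0].mb_size < band->mb_size` is invalid (it is what produced the negative shift exponent) would also help the next reader.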
commit 99bd8a74073603482d7bf64acd54617a908ae36f
Author: James Almer <[email protected]>
AuthorDate: Sun Jul 13 20:01:26 2025 -0300
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:15 2025 +0100
avcodec/motion_est: don't add offsets to NULL pointers
Fixes: libavcodec/motion_est.c:94:31: runtime error: applying zero offset to null pointer
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit 585a8d53576f19a14394d7728ed2831e1bee8dbf)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index 26da3e3a2f..9b7d5e5aee 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -88,12 +88,12 @@ static inline void init_ref(MotionEstContext *c, uint8_t
*src[3], uint8_t *ref[3
};
int i;
for(i=0; i<3; i++){
- c->src[0][i]= src [i] + offset[i];
- c->ref[0][i]= ref [i] + offset[i];
+ c->src[0][i]= src[i] ? FF_PTR_ADD(src[i], offset[i]) : NULL;
+ c->ref[0][i]= ref[i] ? FF_PTR_ADD(ref[i], offset[i]) : NULL;
}
if(ref_index){
for(i=0; i<3; i++){
- c->ref[ref_index][i]= ref2[i] + offset[i];
+ c->ref[ref_index][i]= ref2[i] ? FF_PTR_ADD(ref2[i], offset[i]) :
NULL;
}
}
}
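Review bot: the `src[i] ? FF_PTR_ADD(src[i], offset[i]) : NULL` form guards two different cases, a NULL base pointer and a zero offset (the latter being what FF_PTR_ADD handles), but the mss2dsp change in this same push uses bare FF_PTR_ADD without the NULL guard; a one-line comment in init_ref explaining why both guards are needed here, or a shared helper used by both sites, would keep them from diverging.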
commit 3f59e8d1fb8d7b9b6c878ddbb17ee21b64af196f
Author: James Almer <[email protected]>
AuthorDate: Sun Jul 13 19:50:57 2025 -0300
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:14 2025 +0100
swscale/swscale_unscaled: don't add offsets to NULL pointers
Fixes: libswscale/swscale_unscaled.c:916:20: runtime error: applying zero offset to null pointer
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit af9b43455a972841154b194057a79ee8b606e727)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libswscale/swscale_unscaled.c b/libswscale/swscale_unscaled.c
index c4dd8a4d83..b405bcdff8 100644
--- a/libswscale/swscale_unscaled.c
+++ b/libswscale/swscale_unscaled.c
@@ -729,7 +729,7 @@ static int Rgb16ToPlanarRgb16Wrapper(SwsContext *c, const
uint8_t *src[],
return srcSliceH;
}
- for(i=0; i<4; i++) {
+ for (i = 0; i < 4 && dst[i]; i++) {
dst2013[i] += stride2013[i] * srcSliceY / 2;
dst1023[i] += stride1023[i] * srcSliceY / 2;
}
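Review bot: `i < 4 && dst[i]` stops at the first NULL plane, so any non-NULL plane after a NULL one is left un-offset; if the plane layout guarantees that NULL planes are always trailing, a comment saying so justifies the early stop, otherwise `if (!dst[i]) continue;` inside the loop is the safer form.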
commit 4d6a7843f1e95a6680a629c11f6187a5d36b1385
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jun 19 23:02:25 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:14 2025 +0100
avcodec/psd: Move frame allocation after RLE processing
Fixes: Timeout
Fixes: 410609448/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PSD_fuzzer-6267226128973824
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 67559760c6636b9c1643e4870bfe8c98244803d1)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/psd.c b/libavcodec/psd.c
index ae7ad4e559..e421ac82f8 100644
--- a/libavcodec/psd.c
+++ b/libavcodec/psd.c
@@ -418,9 +418,6 @@ static int decode_frame(AVCodecContext *avctx, void *data,
s->uncompressed_size = s->line_size * s->height * s->channel_count;
- if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
- return ret;
-
/* decode picture if need */
if (s->compression == PSD_RLE) {
s->tmp = av_malloc(s->uncompressed_size);
@@ -443,6 +440,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
ptr_data = s->gb.buffer;
}
+ if ((ret = ff_get_buffer(avctx, picture, 0)) < 0)
+ return ret;
+
/* Store data */
if ((avctx->pix_fmt == AV_PIX_FMT_YA8)||(avctx->pix_fmt ==
AV_PIX_FMT_YA16BE)){/* Interleaved */
ptr = picture->data[0];
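Review bot: with ff_get_buffer moved below the RLE block, a failed ff_get_buffer now returns after `s->tmp = av_malloc(s->uncompressed_size)` has run; unless s->tmp is released in the decoder's close function or on every return from decode_frame, this `return ret` leaks it (before the move, the allocation failure happened before the malloc). Worth confirming and, if needed, freeing s->tmp before returning.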
commit 777f7e87bc1b80d0754be6cdae7d343045ba69b0
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jul 3 03:01:11 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:14 2025 +0100
avcodec/smacker: Move buffer allocation to later
Reduces allocations on random input
Fixes: 421650030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKAUD_fuzzer-6144441767493632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 9899c8c00bb7674fe3cf5c8483b522c6c78e1248)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 8db33c9275..a2e61b9603 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -639,10 +639,6 @@ static int smka_decode_frame(AVCodecContext *avctx, void
*data,
"The buffer does not contain an integer number of samples\n");
return AVERROR_INVALIDDATA;
}
- if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
- return ret;
- samples = (int16_t *)frame->data[0];
- samples8 = frame->data[0];
// Initialize
for(i = 0; i < (1 << (bits + stereo)); i++) {
@@ -664,6 +660,12 @@ static int smka_decode_frame(AVCodecContext *avctx, void
*data,
} else
values[i] = h.entries[0].value;
}
+
+ if ((ret = ff_get_buffer(avctx, frame, 0)) < 0)
+ return ret;
+ samples = (int16_t *)frame->data[0];
+ samples8 = frame->data[0];
+
/* this codec relies on wraparound instead of clipping audio */
if(bits) { //decode 16-bit data
for(i = stereo; i >= 0; i--)
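Review bot: `samples` and `samples8` are now assigned only after the table-initialization loop, so confirm nothing between the removed initialization in the previous hunk and the new one reads them (that would be a use-before-init the compiler may not flag for the `frame->data[0]` aliases); the error returns inside that loop are now correctly taken without a frame allocated, which matches the intent of reducing allocations on random input.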
commit c6ea1492addb855ef77416492235d50097c3fb45
Author: Kacper Michajłow <[email protected]>
AuthorDate: Thu Jul 3 23:08:23 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:14 2025 +0100
avcodec/opus: don't materialize buf pointer from null
Fixes: avcodec/opus/dec.c: runtime error: applying non-zero offset 10 to null pointer
Signed-off-by: Kacper Michajłow <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 3b6ec5abb5fb3cffdfcd25f834c43e53cab2cabe)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/opusdec.c b/libavcodec/opusdec.c
index f0d7ed62a1..b2a8a16e4d 100644
--- a/libavcodec/opusdec.c
+++ b/libavcodec/opusdec.c
@@ -522,6 +522,9 @@ static int opus_decode_packet(AVCodecContext *avctx, void
*data,
s->decoded_samples = ret;
decoded_samples = FFMIN(decoded_samples, ret);
+ if (!buf)
+ continue;
+
buf += s->packet.packet_size;
buf_size -= s->packet.packet_size;
}
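Review bot: `if (!buf) continue;` also skips the `buf_size -= s->packet.packet_size` update, so if `buf` can be NULL while `buf_size` is non-zero the loop carries a stale size into the next iteration; if NULL only occurs when no input remains (flush), a comment stating that, or `break` in place of `continue`, would make the intent explicit.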
commit 40ef0b1ee1f38cbb7438ac84683a2094e14f2b09
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat Jun 21 02:01:22 2025 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:14 2025 +0100
avformat/iff: Check nb_channels == 0 in CHNL
Fixes: division by 0
Fixes: 418396712/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6104388018176000
Fixes: 418478219/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4569544410857472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <[email protected]>
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit 5b1301004bdade13e3fee22081459e339ddd2637)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/iff.c b/libavformat/iff.c
index 4a46b4b393..46a990aa0e 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -277,7 +277,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st,
uint64_t eof)
if (size < 2)
return AVERROR_INVALIDDATA;
st->codecpar->channels = avio_rb16(pb);
- if (size < 2 + st->codecpar->channels * 4)
+ if (size < 2 + st->codecpar->channels * 4 ||
!st->codecpar->channels )
return AVERROR_INVALIDDATA;
st->codecpar->channel_layout = 0;
if (st->codecpar->channels > FF_ARRAY_ELEMS(dsd_layout)) {
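Review bot: the zero-channel test `!st->codecpar->channels` is the cheaper and more readable condition and belongs first in the `||`, and the space before the closing `)` does not match the surrounding style; suggest `if (!st->codecpar->channels || size < 2 + st->codecpar->channels * 4)`.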
commit 88a2c540579d6bfd6579346265eadc2797b43dd5
Author: James Almer <[email protected]>
AuthorDate: Sun Jun 22 10:51:06 2025 -0300
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:13 2025 +0100
avcodec/mss2dsp: use FF_PTR_ADD to add offsets to a pointer
Fixes: libavcodec/mss2dsp.c:59:14: runtime error: applying zero offset to null pointer
Tested-by: Kacper Michajlow <[email protected]>
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit b1172b8cc615a884d4051517d7356d5842939bb6)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/mss2dsp.c b/libavcodec/mss2dsp.c
index cc39dd637f..ace92ef9c7 100644
--- a/libavcodec/mss2dsp.c
+++ b/libavcodec/mss2dsp.c
@@ -56,7 +56,7 @@ static av_always_inline void mss2_blit_wmv9_template(uint8_t
*dst,
}
}
}
- mask += mask_stride;
+ mask = FF_PTR_ADD(mask, mask_stride);
dst += dst_stride;
srcy += srcy_stride;
srcu += srcuv_stride * (r & 1);
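Review bot: FF_PTR_ADD only avoids adding a zero offset, so if `mask` can itself be NULL with a non-zero mask_stride the arithmetic is still undefined, whereas the motion_est change in this same push guards the base pointer explicitly; either add a comment stating that mask_stride is zero whenever mask is NULL, or use the same `mask ? FF_PTR_ADD(mask, mask_stride) : NULL` form for consistency.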
commit e3e479d077044175dca0376739eeafde49610573
Author: Marton Balint <[email protected]>
AuthorDate: Sat Apr 10 11:59:00 2021 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:13 2025 +0100
avformat/hls: check return value of new_init_section()
Fixes part of ticket #8931.
Signed-off-by: Marton Balint <[email protected]>
(cherry picked from commit 28c83584e8f3cd747c1476a74cc2841d3d1fa7f3)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavformat/hls.c b/libavformat/hls.c
index d22d06c5ae..fdec350a4d 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -895,6 +895,10 @@ static int parse_playlist(HLSContext *c, const char *url,
ff_parse_key_value(ptr, (ff_parse_key_val_cb)
handle_init_section_args,
&info);
cur_init_section = new_init_section(pls, &info, url);
+ if (!cur_init_section) {
+ ret = AVERROR(ENOMEM);
+ goto fail;
+ }
cur_init_section->key_type = key_type;
if (has_iv) {
memcpy(cur_init_section->iv, iv, sizeof(iv));
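Review bot: the NULL return is mapped to AVERROR(ENOMEM), which is only accurate if new_init_section fails solely on allocation; if it can also return NULL for a malformed URI or a missing attribute, an input problem gets reported as out-of-memory. Worth checking and, if so, letting new_init_section return an error code (or using AVERROR_INVALIDDATA here).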
commit 4ebd7e4a0888f404fa5f85ff8651d33390916c04
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Sun Sep 24 13:15:48 2023 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:13 2025 +0100
avcodec/rkmppdec: Fix double-free on error
After having created the AVBuffer that is put into frame->buf[0],
ownership of several objects (namely an AVDRMFrameDescriptor,
an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
has passed to the AVBuffer and therefore to the frame.
Yet it has nevertheless been freed manually on error
afterwards, which would lead to a double-free as soon
as the AVFrame is unreferenced.
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 4513300989502090c4fd6560544dce399a8cd53c)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
index a60962dc86..19eff72387 100644
--- a/libavcodec/rkmppdec.c
+++ b/libavcodec/rkmppdec.c
@@ -460,8 +460,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx,
AVFrame *frame)
frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
if (!frame->hw_frames_ctx) {
- ret = AVERROR(ENOMEM);
- goto fail;
+ av_frame_unref(frame);
+ return AVERROR(ENOMEM);
}
return 0;
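Review bot: replacing `goto fail` with `av_frame_unref(frame); return AVERROR(ENOMEM);` is correct given the ownership transfer the commit message describes, but a comment above the av_frame_unref noting that frame->buf[0] now owns the descriptor, the MppFrame and the buffer refs would stop a future reader from "fixing" this back to the fail label, which is exactly the double-free being removed.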
commit 9e3bb8346c9811d4f9036dd123dd2dad2b58c5ec
Author: Andreas Rheinhardt <[email protected]>
AuthorDate: Wed Mar 13 02:10:26 2024 +0100
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Nov 30 21:38:13 2025 +0100
avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
belong together and the former allows the range 0..6,
so the latter needs to support 0..3. But it has only three
elements. Add another one.
The value for the last element has been guesstimated
from subpel_filters in libavcodec/vp8dsp.c.
This is also intended to fix FATE-failures with UBSan here:
https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
Tested-by: Sean McGovern <[email protected]>
Signed-off-by: Andreas Rheinhardt <[email protected]>
(cherry picked from commit 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667)
Signed-off-by: Michael Niedermayer <[email protected]>
diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
index 64ee703dc7..b8978cb041 100644
--- a/libavcodec/ppc/vp8dsp_altivec.c
+++ b/libavcodec/ppc/vp8dsp_altivec.c
@@ -49,11 +49,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
// for 6tap filters, these are the outer two taps
// The zeros mask off pixels 4-7 when filtering 0-3
// and vice-versa
-static const vec_s8 h_subpel_filters_outer[3] =
+static const vec_s8 h_subpel_filters_outer[4] =
{
REPT4(0, 0, 2, 1),
REPT4(0, 0, 3, 3),
REPT4(0, 0, 1, 2),
+ REPT4(0, 0, 0, 0),
};
#define LOAD_H_SUBPEL_FILTER(i) \
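Review bot: the new fourth entry is reached only for i == 6 (i / 2 == 3), and the commit message admits its value is a guess from subpel_filters; a comment on the `REPT4(0, 0, 0, 0)` line explaining the derivation (that the last inner filter has no outer taps, if that is what libavcodec/vp8dsp.c shows) would document it, and a static assertion tying the 4 outer entries to the 7 inner ones would catch the next mismatch at compile time.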
-----------------------------------------------------------------------
Summary of changes:
Changelog | 80 +++++++++++++++++++++++++++++++++++++
RELEASE | 2 +-
doc/Doxyfile | 2 +-
doc/examples/avio_reading.c | 1 +
doc/examples/decode_audio.c | 6 ++-
fftools/ffmpeg_opt.c | 9 ++++-
libavcodec/aacdec_template.c | 3 ++
libavcodec/aacenc_tns.c | 40 +++++++++++++------
libavcodec/aacsbr_template.c | 6 +++
libavcodec/cfhd.c | 3 ++
libavcodec/cri.c | 10 +++--
libavcodec/dxv.c | 6 ++-
libavcodec/exr.c | 87 ++++++++++++++++++++++++++++++++++-------
libavcodec/ffv1.c | 2 +-
libavcodec/ffv1dec.c | 9 ++++-
libavcodec/fits.c | 2 +
libavcodec/g723_1.h | 2 +-
libavcodec/g723_1enc.c | 2 +-
libavcodec/g726.c | 2 +
libavcodec/ilbcdec.c | 2 +
libavcodec/imc.c | 2 +
libavcodec/ivi.c | 8 ++--
libavcodec/jpeg2000dec.c | 24 +++++++++++-
libavcodec/lzf.c | 5 ++-
libavcodec/mjpegdec.c | 2 +
libavcodec/motion_est.c | 6 +--
libavcodec/mpc8.c | 8 +++-
libavcodec/mss2dsp.c | 2 +-
libavcodec/opusdec.c | 3 ++
libavcodec/ppc/vp8dsp_altivec.c | 3 +-
libavcodec/psd.c | 6 +--
libavcodec/rkmppdec.c | 4 +-
libavcodec/sanm.c | 5 +++
libavcodec/scpr3.c | 2 +-
libavcodec/smacker.c | 10 +++--
libavcodec/tests/avpacket.c | 4 ++
libavcodec/tests/motion.c | 4 ++
libavcodec/tests/snowenc.c | 7 +++-
libavcodec/utvideodec.c | 6 +--
libavcodec/vqavideo.c | 10 +++--
libavfilter/avf_showcqt.c | 4 +-
libavformat/asfdec_f.c | 6 ++-
libavformat/avidec.c | 2 +-
libavformat/aviobuf.c | 2 +-
libavformat/concatdec.c | 2 +-
libavformat/dashdec.c | 13 +++++-
libavformat/hls.c | 8 +++-
libavformat/http.c | 2 +-
libavformat/iff.c | 2 +-
libavformat/lrcdec.c | 18 +++++----
libavformat/mov.c | 4 +-
libavformat/mxg.c | 2 +
libavformat/rtmpproto.c | 26 +++++++++++-
libavformat/rtpdec_rfc4175.c | 28 +++++++++----
libavformat/rtpenc_h264_hevc.c | 3 ++
libavformat/sctp.c | 3 ++
libavutil/common.h | 8 ++--
libswscale/output.c | 4 +-
libswscale/swscale_unscaled.c | 2 +-
59 files changed, 427 insertions(+), 109 deletions(-)
hooks/post-receive
--
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]