[FFmpeg-cvslog] ffbuild: Avoid using the --preprocessor argument to windres

2021-06-18 Thread Martin Storsjö
ffmpeg | branch: master | Martin Storsjö  | Sat May 15 
00:42:38 2021 +0300| [f9626d1065c43f1d51afe66bdf988b9f33729440] | committer: 
Martin Storsjö

ffbuild: Avoid using the --preprocessor argument to windres

Instead use --preprocessor-arg; in binutils 2.36, the --preprocessor
flag was changed so that it no longer accepts a string containing
multiple arguments, but the whole --preprocessor argument is
treated as the path to the preprocessor executable (where the path
can contain spaces).

It's currently unclear whether this behaviour will stay or if it
is going to be reverted in the future, see discussion at [1]. Just
to be safe, avoid using the --preprocessor argument. Don't redeclare
the full preprocessing command, but just add the $(CC_DEPFLAGS) options.

Based on a patch by Kyle Schwartz.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=27594

Signed-off-by: Martin Storsjö 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f9626d1065c43f1d51afe66bdf988b9f33729440
---

 configure  | 1 -
 ffbuild/common.mak | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/configure b/configure
index 6bfd98b384..87c8e85fe6 100755
--- a/configure
+++ b/configure
@@ -7535,7 +7535,6 @@ LD_LIB=$LD_LIB
 LD_PATH=$LD_PATH
 DLLTOOL=$dlltool
 WINDRES=$windres
-DEPWINDRES=$dep_cc
 DOXYGEN=$doxygen
 LDFLAGS=$LDFLAGS
 LDEXEFLAGS=$LDEXEFLAGS
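
Review bot: Dropping `DEPWINDRES=$dep_cc` from the generated config is only safe if nothing else still expands `$(DEPWINDRES)`. The one use visible in this patch is the line removed from `ffbuild/common.mak`, so a grep over the remaining makefiles before merging would confirm no rule is left expanding an empty variable.
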
diff --git a/ffbuild/common.mak b/ffbuild/common.mak
index 32f5b997b5..5d8f3dfc1f 100644
--- a/ffbuild/common.mak
+++ b/ffbuild/common.mak
@@ -90,7 +90,7 @@ COMPILE_MSA = $(call COMPILE,CC,MSAFLAGS)
-$(if $(ASMSTRIPFLAGS), $(STRIP) $(ASMSTRIPFLAGS) $@)
 
 %.o: %.rc
-   $(WINDRES) $(IFLAGS) --preprocessor "$(DEPWINDRES) -E -xc-header 
-DRC_INVOKED $(CC_DEPFLAGS)" -o $@ $<
+   $(WINDRES) $(IFLAGS) $(foreach ARG,$(CC_DEPFLAGS),--preprocessor-arg 
"$(ARG)") -o $@ $<
 
 %.i: %.c
$(CC) $(CCFLAGS) $(CC_E) $<
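
Review bot: In the `%.o: %.rc` rule the new command no longer names a preprocessor at all, so windres falls back to its built-in default instead of `$(DEPWINDRES)` (previously set from `$dep_cc`), and the explicit `-E -xc-header -DRC_INVOKED` is gone with it. For cross builds where the windres default and `$dep_cc` are different compilers this is a behaviour change; the commit message should state that the default command is relied on, and a one-line comment above the rule would keep someone from reintroducing `--preprocessor`.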

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".


[FFmpeg-cvslog] lavfi/dnn_backend_openvino.c: Fix Memory Leak for RequestItem

2021-06-18 Thread Shubhanshu Saxena
ffmpeg | branch: master | Shubhanshu Saxena  | Mon 
Jun 14 23:44:16 2021 +0530| [2df963b5fa6784ac6f1413c9b1706c20da66e8df] | 
committer: Guo Yejun

lavfi/dnn_backend_openvino.c: Fix Memory Leak for RequestItem

Fix memory leak for RequestItem upon error while pushing to the
request_queue in the completion callback.

Signed-off-by: Shubhanshu Saxena 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2df963b5fa6784ac6f1413c9b1706c20da66e8df
---

 libavfilter/dnn/dnn_backend_openvino.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavfilter/dnn/dnn_backend_openvino.c 
b/libavfilter/dnn/dnn_backend_openvino.c
index 709a772a4d..702c4fb9ee 100644
--- a/libavfilter/dnn/dnn_backend_openvino.c
+++ b/libavfilter/dnn/dnn_backend_openvino.c
@@ -293,6 +293,8 @@ static void infer_completion_callback(void *args)
 
 request->inference_count = 0;
 if (ff_safe_queue_push_back(requestq, request) < 0) {
+ie_infer_request_free(&request->infer_request);
+av_freep(&request);
 av_log(ctx, AV_LOG_ERROR, "Failed to push back request_queue.\n");
 return;
 }
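
Review bot: The two added frees run inside `infer_completion_callback()`, the completion callback of the very `request->infer_request` being released. Please confirm that `ie_infer_request_free()` may be called from within that request's own callback, and note it in a comment. Also consider moving the `av_log()` call before the frees so the error path reads log, release, return.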



[FFmpeg-cvslog] avformat/tta: Check for EOF in index reading loop

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Tue 
May  4 18:34:44 2021 +0200| [b72d657b73b2aa4a2a2f72f613199e6080ad48c0] | 
committer: Michael Niedermayer

avformat/tta: Check for EOF in index reading loop

Fixes: OOM
Fixes: 
33585/clusterfuzz-testcase-minimized-ffmpeg_dem_TTA_fuzzer-4564665830080512

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b72d657b73b2aa4a2a2f72f613199e6080ad48c0
---

 libavformat/tta.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/tta.c b/libavformat/tta.c
index 7a95675794..e1f9cf27d8 100644
--- a/libavformat/tta.c
+++ b/libavformat/tta.c
@@ -119,6 +119,8 @@ static int tta_read_header(AVFormatContext *s)
 for (i = 0; i < c->totalframes; i++) {
 uint32_t size = avio_rl32(s->pb);
 int r;
+if (avio_feof(s->pb))
+return AVERROR_INVALIDDATA;
 if ((r = av_add_index_entry(st, framepos, i * (int64_t)c->frame_size, 
size, 0,
 AVINDEX_KEYFRAME)) < 0)
 return r;
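
Review bot: The new `avio_feof(s->pb)` branch in the index loop returns `AVERROR_INVALIDDATA` without any message, so a truncated file fails with no hint about which frame index was short. An `av_log(s, AV_LOG_ERROR, ...)` that includes `i` and `c->totalframes` before the return would make these reports diagnosable.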



[FFmpeg-cvslog] Update missed irc links

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Thu 
Jun 17 18:37:01 2021 +0200| [c067d20177613e9cf74bcbd2a26e729ef7ababdb] | 
committer: Michael Niedermayer

Update missed irc links

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c067d20177613e9cf74bcbd2a26e729ef7ababdb
---

 configure   | 2 +-
 doc/writing_filters.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 87c8e85fe6..dbe66bbc4c 100755
--- a/configure
+++ b/configure
@@ -534,7 +534,7 @@ die(){
 
 If you think configure made a mistake, make sure you are using the latest
 version from Git.  If the latest version fails, report the problem to the
-ffmpeg-u...@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
+ffmpeg-u...@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat.
 EOF
 if disabled logging; then
 cat 

[FFmpeg-cvslog] avcodec/iff: Only write palette to plane 1 if it's PAL8

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Tue 
May  4 22:52:41 2021 +0200| [216eb60b853e9a230c1238ab7d1c63d3fa892d34] | 
committer: Michael Niedermayer

avcodec/iff: Only write palette to plane 1 if it's PAL8

Fixes: null pointer passed as argument 1, which is declared to never be null
Fixes: 
33791/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5107575256383488.fuzz

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=216eb60b853e9a230c1238ab7d1c63d3fa892d34
---

 libavcodec/iff.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index b5f04e7e16..6a4c466b44 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1847,7 +1847,8 @@ static int decode_frame(AVCodecContext *avctx,
 buf += s->planesize;
 }
 }
-memcpy(frame->data[1], s->pal, 256 * 4);
+if (avctx->pix_fmt == AV_PIX_FMT_PAL8)
+memcpy(frame->data[1], s->pal, 256 * 4);
 } else if (s->ham) {
 int i, count = 1 << s->ham;
 
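
Review bot: The guard on the `memcpy()` tests `avctx->pix_fmt == AV_PIX_FMT_PAL8` rather than the pointer that was reported as null, so it depends on `frame->data[1]` always being allocated for PAL8 frames. A short comment stating that invariant would help, since the next reader sees a pixel-format test protecting a pointer dereference.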



[FFmpeg-cvslog] avutil/tx: avoid negative left shifts

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Tue 
May  4 18:22:40 2021 +0200| [85b883429fb1a8c1be2e39fee510315a92b6cd02] | 
committer: Michael Niedermayer

avutil/tx: avoid negative left shifts

Fixes: left shift of negative value -1
Fixes: 
33736/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SIREN_fuzzer-6657785795313664

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=85b883429fb1a8c1be2e39fee510315a92b6cd02
---

 libavutil/tx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavutil/tx.c b/libavutil/tx.c
index 8da04e99ca..25adb6b37e 100644
--- a/libavutil/tx.c
+++ b/libavutil/tx.c
@@ -97,9 +97,9 @@ static inline int split_radix_permutation(int i, int m, int 
inverse)
 if (m <= 1)
 return i & 1;
 if (!(i & m))
-return (split_radix_permutation(i, m, inverse) << 1);
+return split_radix_permutation(i, m, inverse) * 2;
 m >>= 1;
-return (split_radix_permutation(i, m, inverse) << 2) + 1 - 2*(!(i & m) ^ 
inverse);
+return split_radix_permutation(i, m, inverse) * 4 + 1 - 2*(!(i & m) ^ 
inverse);
 }
 
 int ff_tx_gen_ptwo_revtab(AVTXContext *s, int invert_lookup)
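
Review bot: Both returns in `split_radix_permutation()` now use `* 2` and `* 4` where a shift is the obvious idiom, and nothing in the code says why. A one-line comment that the recursive result can be negative (the `+ 1 - 2*(...)` term can yield -1) would stop a later cleanup from turning these back into `<<`.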



[FFmpeg-cvslog] avformat/dxa: Check fps to be within the supported range more precisely

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sat 
Apr 24 13:08:24 2021 +0200| [6ea494befcb5d944ce8275e6f59de1a24c25ffb6] | 
committer: Michael Niedermayer

avformat/dxa: Check fps to be within the supported range more precisely

Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 
'int'); cast to an unsigned type to negate this value to itself
Fixes: assertion failure
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-6744985740378112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ea494befcb5d944ce8275e6f59de1a24c25ffb6
---

 libavformat/dxa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/dxa.c b/libavformat/dxa.c
index 9e5d163db7..16fbb08156 100644
--- a/libavformat/dxa.c
+++ b/libavformat/dxa.c
@@ -79,7 +79,7 @@ static int dxa_read_header(AVFormatContext *s)
 if(fps > 0){
 den = 1000;
 num = fps;
-}else if (fps < 0){
+}else if (fps < 0 && fps > INT_MIN){
 den = 10;
 num = -fps;
 }else{
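
Review bot: With `fps > INT_MIN` added to the `else if`, an input of exactly `INT_MIN` now drops into the final `else` branch and is handled the same way as `fps == 0`. If that value is simply invalid, an explicit `return AVERROR_INVALIDDATA` would be clearer than silently taking the default branch; if the fallback is intended, a comment should say so.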



[FFmpeg-cvslog] avformat/iff: Use 64bit in duration computation

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sat 
Apr 24 15:41:16 2021 +0200| [93d964689c3b2bae26e6e3f502c1ffc4c2e46989] | 
committer: Michael Niedermayer

avformat/iff: Use 64bit in duration computation

Fixes: signed integer overflow: 588 * 16719904 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6748331936186368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93d964689c3b2bae26e6e3f502c1ffc4c2e46989
---

 libavformat/iff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/iff.c b/libavformat/iff.c
index 74d96988a7..078406b7e3 100644
--- a/libavformat/iff.c
+++ b/libavformat/iff.c
@@ -384,7 +384,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt)
 avio_skip(pb, 1);
 pkt->flags |= AV_PKT_FLAG_KEY;
 pkt->stream_index = 0;
-pkt->duration = 588 * s->streams[0]->codecpar->sample_rate / 44100;
+pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 
44100;
 pkt->pos = chunk_pos;
 
 chunk_pos = avio_tell(pb);
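
Review bot: The `588LL` on the `pkt->duration` line removes the 32-bit overflow but still trusts `sample_rate` as read from the file. If it is not range-checked where it is parsed, a zero or negative rate gives a zero or negative packet duration here, so a check at the point where `sample_rate` is set would be the more complete fix.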



[FFmpeg-cvslog] avformat/mccdec: Fix overflows in num/den

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sat 
Apr 24 16:37:34 2021 +0200| [ff05326081922059314b8927cf9bbc9c7e73458f] | 
committer: Michael Niedermayer

avformat/mccdec: Fix overflows in num/den

Fixes: signed integer overflow: 6365816 * 1000 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MCC_fuzzer-6737934184218624

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff05326081922059314b8927cf9bbc9c7e73458f
---

 libavformat/mccdec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavformat/mccdec.c b/libavformat/mccdec.c
index a096ac6e93..10ed7c0dc1 100644
--- a/libavformat/mccdec.c
+++ b/libavformat/mccdec.c
@@ -127,8 +127,7 @@ static int mcc_read_header(AVFormatContext *s)
 num = strtol(rate_str, &df, 10);
 den = 1;
 if (df && !av_strncasecmp(df, "DF", 2)) {
-num *= 1000;
-den  = 1001;
+av_reduce(&num, &den, num * 1000LL, 1001, INT_MAX);
 }
 }
 
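
Review bot: The return value of `av_reduce()` in the "DF" branch is ignored. It reports whether the reduction was exact, so when `num * 1000LL` does not fit and the result is clamped by `INT_MAX`, the code proceeds with an approximated rate without any notice. Since `num` comes straight from `strtol()`, rejecting out-of-range or non-positive values before this point would be safer than approximating them.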



[FFmpeg-cvslog] avformat/msf: Check that channels doesn't overflow during extradata construction

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 19:54:19 2021 +0200| [a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9] | 
committer: Michael Niedermayer

avformat/msf: Check that channels doesn't overflow during extradata construction

Fixes: signed integer overflow: 2048 * 1122336 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MSF_fuzzer-6726959600107520

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a1a277926b49dad60d9e78c6c7a8c6b5d0d6d7c9
---

 libavformat/msf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/msf.c b/libavformat/msf.c
index 43a7f7b616..7d8add387c 100644
--- a/libavformat/msf.c
+++ b/libavformat/msf.c
@@ -70,6 +70,8 @@ static int msf_read_header(AVFormatContext *s)
 case 4:
 case 5:
 case 6: st->codecpar->block_align = (codec == 4 ? 96 : codec == 5 ? 152 : 
192) * st->codecpar->channels;
+if (st->codecpar->channels > UINT16_MAX / 2048)
+return AVERROR_INVALIDDATA;
 ret = ff_alloc_extradata(st->codecpar, 14);
 if (ret < 0)
 return ret;
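
Review bot: The new `channels > UINT16_MAX / 2048` check sits after the `block_align` assignment on the `case 6:` line, which has already multiplied by `st->codecpar->channels`. Moving the check above that assignment would cover both multiplications. The `2048` would also read better as a named constant or with a comment tying it to the extradata field it protects.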



[FFmpeg-cvslog] avformat/mpc8: Check for position overflow in mpc8_handle_chunk()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sat 
Apr 24 17:42:19 2021 +0200| [8ef25d118246bf443900033fb3588dba628d11b0] | 
committer: Michael Niedermayer

avformat/mpc8: Check for position overflow in mpc8_handle_chunk()

Fixes: signed integer overflow: 15 + 9223372036854775796 cannot be represented 
in type 'long'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6723520756318208
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-6739833034768384

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8ef25d118246bf443900033fb3588dba628d11b0
---

 libavformat/mpc8.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 5498ce940d..df5d345f85 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -205,8 +205,11 @@ static void mpc8_handle_chunk(AVFormatContext *s, int tag, 
int64_t chunk_pos, in
 
 switch(tag){
 case TAG_SEEKTBLOFF:
-pos = avio_tell(pb) + size;
+pos = avio_tell(pb);
 off = ffio_read_varlen(pb);
+if (pos > INT64_MAX - size || off < 0 || off > INT64_MAX - chunk_pos)
+return;
+pos += size;
 mpc8_parse_seektable(s, chunk_pos + off);
 avio_seek(pb, pos, SEEK_SET);
 break;
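
Review bot: The guards `pos > INT64_MAX - size` and `off > INT64_MAX - chunk_pos` are only overflow-free when `size` and `chunk_pos` are non-negative; a negative value makes the subtraction itself overflow. Please check their sign as well, or confirm the callers guarantee it. Note also that the early `return` skips `avio_seek(pb, pos, SEEK_SET)`, leaving the stream wherever `ffio_read_varlen()` stopped.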



[FFmpeg-cvslog] avformat/nutdec: Check tmp_size

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 20:01:03 2021 +0200| [1ca00b5e44f21840b608e238fa135a1aab6e576b] | 
committer: Michael Niedermayer

avformat/nutdec: Check tmp_size

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6739990530883584

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1ca00b5e44f21840b608e238fa135a1aab6e576b
---

 libavformat/nutdec.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index e709257135..fc5a6a1542 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -286,6 +286,11 @@ static int decode_main_header(NUTContext *nut)
 ret = AVERROR_INVALIDDATA;
 goto fail;
 }
+if (tmp_size < 0 || tmp_size > INT_MAX - count) {
+av_log(s, AV_LOG_ERROR, "illegal size\n");
+ret = AVERROR_INVALIDDATA;
+goto fail;
+}
 
 for (j = 0; j < count; j++, i++) {
 if (i == 'N') {
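
Review bot: `tmp_size > INT_MAX - count` in the added check is only well defined when `count` is non-negative, which the visible context does not show; if the preceding check does not already guarantee that, add `count < 0` here. The "illegal size" message would be more useful with the offending `tmp_size` and `count` values included.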



[FFmpeg-cvslog] avformat/subtitles: Check pts difference before use

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 19:49:14 2021 +0200| [e7a990164f67108e99ec5adb8b2d636cd4147715] | 
committer: Michael Niedermayer

avformat/subtitles: Check pts difference before use

Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented 
in type 'long'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_MPL2_fuzzer-6747053545881600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e7a990164f67108e99ec5adb8b2d636cd4147715
---

 libavformat/subtitles.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/subtitles.c b/libavformat/subtitles.c
index 05c07cd852..6368ec74f9 100644
--- a/libavformat/subtitles.c
+++ b/libavformat/subtitles.c
@@ -206,7 +206,7 @@ void ff_subtitles_queue_finalize(void *log_ctx, 
FFDemuxSubtitlesQueue *q)
   q->sort == SUB_SORT_TS_POS ? cmp_pkt_sub_ts_pos
  : cmp_pkt_sub_pos_ts);
 for (i = 0; i < q->nb_subs; i++)
-if (q->subs[i]->duration < 0 && i < q->nb_subs - 1)
+if (q->subs[i]->duration < 0 && i < q->nb_subs - 1 && q->subs[i + 
1]->pts - (uint64_t)q->subs[i]->pts <= INT64_MAX)
 q->subs[i]->duration = q->subs[i + 1]->pts - q->subs[i]->pts;
 
 if (!q->keep_duplicates)
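
Review bot: The added unsigned test `q->subs[i + 1]->pts - (uint64_t)q->subs[i]->pts <= INT64_MAX` still passes when the next pts is far below the current one (for example INT64_MIN following INT64_MAX wraps to 1), and the unchanged assignment below then performs the same subtraction in signed arithmetic. With `SUB_SORT_TS_POS` not being the only sort order, pts ordering is not guaranteed here, so add `q->subs[i + 1]->pts >= q->subs[i]->pts` to the condition. Splitting the condition over several lines would also help readability.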



[FFmpeg-cvslog] avformat/pp_bnk: Use 64bit in bitrate computation

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 20:12:13 2021 +0200| [88fc295838b3cf16b43c0bbea5766fe92b18dd17] | 
committer: Michael Niedermayer

avformat/pp_bnk: Use 64bit in bitrate computation

Fixes: signed integer overflow: 1207959552 * 4 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_PP_BNK_fuzzer-6747301169201152

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=88fc295838b3cf16b43c0bbea5766fe92b18dd17
---

 libavformat/pp_bnk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/pp_bnk.c b/libavformat/pp_bnk.c
index 9455a575b7..18961e301a 100644
--- a/libavformat/pp_bnk.c
+++ b/libavformat/pp_bnk.c
@@ -223,7 +223,7 @@ static int pp_bnk_read_header(AVFormatContext *s)
 par->bits_per_coded_sample  = 4;
 par->bits_per_raw_sample= 16;
 par->block_align= 1;
-par->bit_rate   = par->sample_rate * 
par->bits_per_coded_sample * par->channels;
+par->bit_rate   = par->sample_rate * 
(int64_t)par->bits_per_coded_sample * par->channels;
 
 avpriv_set_pts_info(st, 64, 1, par->sample_rate);
 st->start_time  = 0;
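
Review bot: The `(int64_t)` cast is applied to `par->bits_per_coded_sample`, which is the constant 4 assigned three lines above, while the value that actually comes from the file is `par->sample_rate`. The arithmetic is correct either way, but casting `par->sample_rate` would make it obvious which operand motivates the widening.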



[FFmpeg-cvslog] avformat/qcp: Avoid negative nb_rates

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 20:16:38 2021 +0200| [1b865cc703d29cb307e1fa628aa02940d54eb42a] | 
committer: Michael Niedermayer

avformat/qcp: Avoid negative nb_rates

Fixes: signed integer overflow: 2 * -1725947872 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_QCP_fuzzer-6726807632084992

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b865cc703d29cb307e1fa628aa02940d54eb42a
---

 libavformat/qcp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/qcp.c b/libavformat/qcp.c
index 206ee8bdce..7e0d9b9b8c 100644
--- a/libavformat/qcp.c
+++ b/libavformat/qcp.c
@@ -93,7 +93,8 @@ static int qcp_read_header(AVFormatContext *s)
 QCPContext*c  = s->priv_data;
 AVStream  *st = avformat_new_stream(s, NULL);
 uint8_t   buf[16];
-int   i, nb_rates;
+int   i;
+unsigned  nb_rates;
 
 if (!st)
 return AVERROR(ENOMEM);
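
Review bot: Declaring `nb_rates` as `unsigned` turns the reported signed overflow into defined wrap-around, but it does not bound the value, and `i` stays `int`, so any `i < nb_rates` comparison becomes a mixed signed/unsigned one. An explicit upper-bound check where `nb_rates` is read from the file would address the root cause rather than only the sanitizer report.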



[FFmpeg-cvslog] avformat/realtextdec: Check the pts difference before using it for the duration computation

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Sun 
Apr 25 20:45:10 2021 +0200| [fe12aa689003db9b07a6e1b837031dcc57a71435] | 
committer: Michael Niedermayer

avformat/realtextdec: Check the pts difference before using it for the duration 
computation

Fixes: signed integer overflow: 540420 - -9223372031709351616 cannot be 
represented in type 'long'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_REALTEXT_fuzzer-6737340551790592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe12aa689003db9b07a6e1b837031dcc57a71435
---

 libavformat/realtextdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/realtextdec.c b/libavformat/realtextdec.c
index 22fc58bc99..3a8d1c 100644
--- a/libavformat/realtextdec.c
+++ b/libavformat/realtextdec.c
@@ -111,10 +111,11 @@ static int realtext_read_header(AVFormatContext *s)
 if (!merge) {
 const char *begin = ff_smil_get_attr_ptr(buf.str, "begin");
 const char *end   = ff_smil_get_attr_ptr(buf.str, "end");
+int64_t endi = end ? read_ts(end) : 0;
 
 sub->pos  = pos;
 sub->pts  = begin ? read_ts(begin) : 0;
-sub->duration = end ? (read_ts(end) - sub->pts) : duration;
+sub->duration = (end && endi > sub->pts && endi - 
(uint64_t)sub->pts <= INT64_MAX) ? endi - sub->pts : duration;
 }
 }
 av_bprint_clear(&buf);
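
Review bot: The strict `endi > sub->pts` in the new `sub->duration` expression changes behaviour for `end == begin`: that case used to yield a duration of 0 and now falls back to `duration`. If that is intended, mention it in the commit message; otherwise use `>=`. The condition is also long enough that a small helper or a temporary for the difference would make it easier to audit.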



[FFmpeg-cvslog] avformat/rmdec: Check old_format len for overflow

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Mon 
Apr 26 22:35:37 2021 +0200| [06d174e289eb185f03a34a738965f0042f39c038] | 
committer: Michael Niedermayer

avformat/rmdec: Check old_format len for overflow

Maybe such large values could be disallowed earlier and closer to where
they are set.

Fixes: signed integer overflow: 538976288 * 8224 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-6704350354341888

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=06d174e289eb185f03a34a738965f0042f39c038
---

 libavformat/rmdec.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 68b5c3b75a..ce27bd2299 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -1012,8 +1012,8 @@ static int rm_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 {
 RMDemuxContext *rm = s->priv_data;
 AVStream *st = NULL; // init to silence compiler warning
-int i, len, res, seq = 1;
-int64_t timestamp, pos;
+int i, res, seq = 1;
+int64_t timestamp, pos, len;
 int flags;
 
 for (;;) {
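
Review bot: Widening `len` to `int64_t` in the declaration affects every later use of `len` in `rm_read_packet()`, not only the product guarded in the next hunk. Any call that takes it as an `int` length now relies on an implicit narrowing, so either audit those call sites or keep `len` as `int` and use a separate 64-bit temporary for the multiplication.
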
@@ -1032,7 +1032,9 @@ static int rm_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 ast = st->priv_data;
 timestamp = AV_NOPTS_VALUE;
 len = !ast->audio_framesize ? RAW_PACKET_SIZE :
-ast->coded_framesize * ast->sub_packet_h / 2;
+ast->coded_framesize * (int64_t)ast->sub_packet_h / 2;
+if (len > INT_MAX)
+return AVERROR_INVALIDDATA;
 flags = (seq++ == 1) ? 2 : 0;
 pos = avio_tell(s->pb);
 } else {
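
Review bot: The new `len > INT_MAX` test rejects only the large positive case. If `ast->coded_framesize` or `ast->sub_packet_h` can be negative, the product is negative and passes through, so `len < 0` should be rejected here too. As the commit message itself suggests, validating these two fields where they are parsed would be the cleaner place.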



[FFmpeg-cvslog] avcodec/exr: increase vlc depth

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Apr 11 21:17:50 2021 +0200| [48be6b27e7e09a9ff5c3b7788e8e74e027a8ce78] | 
committer: Michael Niedermayer

avcodec/exr: increase vlc depth

Fixes: shift exponent -4 is negative
Fixes: 
32265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-465133454137753

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3344079d3065c99563c65277be89ec694a7ca818)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=48be6b27e7e09a9ff5c3b7788e8e74e027a8ce78
---

 libavcodec/exr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 65e5203c31..49c4774145 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -418,7 +418,7 @@ static int huf_decode(VLC *vlc, GetByteContext *gb, int 
nbits, int run_sym,
 
 init_get_bits(&gbit, gb->buffer, nbits);
 while (get_bits_left(&gbit) > 0 && oe < no) {
-uint16_t x = get_vlc2(&gbit, vlc->table, 12, 2);
+uint16_t x = get_vlc2(&gbit, vlc->table, 12, 3);
 
 if (x == run_sym) {
 int run = get_bits(&gbit, 8);
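
Review bot: The depth argument of `get_vlc2()` in `huf_decode()` goes from the literal 2 to the literal 3 with no statement of how it relates to the 12-bit table size and the longest code the table can contain. Deriving it from a named constant, or adding a comment with the maximum code length, would let a reader verify that 3 is sufficient rather than just larger.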



[FFmpeg-cvslog] avcodec/dpx: Check bits_per_color earlier

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Apr 11 21:04:12 2021 +0200| [b3f458f89f48ce48add6406609036d46695288d6] | 
committer: Michael Niedermayer

avcodec/dpx: Check bits_per_color earlier

Fixes: shift exponent 251 is too large for 32-bit type 'int'
Fixes: 
32147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5519111675314176

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c093eb30311b7148a4da1c7555498187c8cdf0db)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b3f458f89f48ce48add6406609036d46695288d6
---

 libavcodec/dpx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index 5372e3d586..b02996f04c 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -242,6 +242,9 @@ static int decode_frame(AVCodecContext *avctx,
 return AVERROR_PATCHWELCOME;
 }
 
+if (bits_per_color > 32)
+return AVERROR_INVALIDDATA;
+
 buf += 820;
 avctx->sample_aspect_ratio.num = read32(&buf, endian);
 avctx->sample_aspect_ratio.den = read32(&buf, endian);
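
Review bot: The added `bits_per_color > 32` check returns `AVERROR_INVALIDDATA` silently and only bounds the value from above. An `av_log()` naming the rejected value would match the neighbouring error paths, and if `bits_per_color` can be zero or negative at this point, that case deserves the same early rejection.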



[FFmpeg-cvslog] avformat/mvi: Check audio_data_size to be non negative

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Apr 10 22:55:00 2021 +0200| [b2a94f59374e74c3300b45c8ab34f1dd7cb9643d] | 
committer: Michael Niedermayer

avformat/mvi: Check audio_data_size to be non negative

Fixes: left shift of negative value -224
Fixes: 
32144/clusterfuzz-testcase-minimized-ffmpeg_dem_MVI_fuzzer-4971479323246592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7e241a1b73bcca768f48ff1851e9e9f3f0752000)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b2a94f59374e74c3300b45c8ab34f1dd7cb9643d
---

 libavformat/mvi.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index cfdbe5d273..d005001f5a 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -32,7 +32,6 @@
 
 typedef struct MviDemuxContext {
 unsigned int (*get_int)(AVIOContext *);
-uint32_t audio_data_size;
 uint64_t audio_size_counter;
 uint64_t audio_frame_size;
 int audio_size_left;
@@ -46,6 +45,7 @@ static int read_header(AVFormatContext *s)
 AVStream *ast, *vst;
 unsigned int version, frames_count, msecs_per_frame, player_version;
 int ret;
+int audio_data_size;
 
 ast = avformat_new_stream(s, NULL);
 if (!ast)
@@ -67,13 +67,13 @@ static int read_header(AVFormatContext *s)
 vst->codecpar->height   = avio_rl16(pb);
 avio_r8(pb);
 ast->codecpar->sample_rate  = avio_rl16(pb);
-mvi->audio_data_size = avio_rl32(pb);
+audio_data_size = avio_rl32(pb);
 avio_r8(pb);
 player_version   = avio_rl32(pb);
 avio_rl16(pb);
 avio_r8(pb);
 
-if (frames_count == 0 || mvi->audio_data_size == 0)
+if (frames_count == 0 || audio_data_size <= 0)
 return AVERROR_INVALIDDATA;
 
 if (version != 7 || player_version > 213) {
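
Review bot: `audio_data_size = avio_rl32(pb)` stores an unsigned 32-bit read into an `int`, so the `audio_data_size <= 0` test depends on values above `INT_MAX` converting to negative numbers. Keeping the value unsigned and testing `== 0 || > INT_MAX` would express the same limit without leaning on the conversion.
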
@@ -96,16 +96,16 @@ static int read_header(AVFormatContext *s)
 
 mvi->get_int = (vst->codecpar->width * (int64_t)vst->codecpar->height < (1 
<< 16)) ? avio_rl16 : avio_rl24;
 
-mvi->audio_frame_size   = ((uint64_t)mvi->audio_data_size << 
MVI_FRAC_BITS) / frames_count;
+mvi->audio_frame_size   = ((uint64_t)audio_data_size << MVI_FRAC_BITS) / 
frames_count;
 if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
 av_log(s, AV_LOG_ERROR,
-   "Invalid audio_data_size (%"PRIu32") or frames_count (%u)\n",
-   mvi->audio_data_size, frames_count);
+   "Invalid audio_data_size (%d) or frames_count (%u)\n",
+   audio_data_size, frames_count);
 return AVERROR_INVALIDDATA;
 }
 
 mvi->audio_size_counter = (ast->codecpar->sample_rate * 830 / 
mvi->audio_frame_size - 1) * mvi->audio_frame_size;
-mvi->audio_size_left= mvi->audio_data_size;
+mvi->audio_size_left= audio_data_size;
 
 return 0;
 }



[FFmpeg-cvslog] avformat/cafdec: Check channels

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Apr  9 22:46:13 2021 +0200| [3d2af8afefad5c84d53117a99af6964e7d8f4db8] | 
committer: Michael Niedermayer

avformat/cafdec: Check channels

Fixes: signed integer overflow: -1184429040541376544 * 32 cannot be represented 
in type 'long'
Fixes: 
31788/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6236746338664448

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 641c1db22bb27752b925293ad93f68843baa43bf)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d2af8afefad5c84d53117a99af6964e7d8f4db8
---

 libavformat/cafdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 76bc4a4655..7f09a27977 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -79,7 +79,7 @@ static int read_desc_chunk(AVFormatContext *s)
 st->codecpar->channels= avio_rb32(pb);
 st->codecpar->bits_per_coded_sample = avio_rb32(pb);
 
-if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0)
+if (caf->bytes_per_packet < 0 || caf->frames_per_packet < 0 || 
st->codecpar->channels < 0)
 return AVERROR_INVALIDDATA;
 
 /* calculate bit rate for constant size packets */
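Review bot: the added `st->codecpar->channels < 0` test only rejects negative counts; zero and very large positive values read by `avio_rb32(pb)` still reach the bit-rate calculation that follows. Since the reported overflow is a multiplication, please confirm the remaining range cannot overflow it, or add an upper bound here as well.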



[FFmpeg-cvslog] avcodec/rv10: Execute whole size check earlier for rv20

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Apr 10 18:43:50 2021 +0200| [f4c5abe2d011f645d12226ec660bf70d94c73e4f] | 
committer: Michael Niedermayer

avcodec/rv10: Execute whole size check earlier for rv20

Fixes: Timeout
Fixes: 
31380/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5230899257016320

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f8556b632f4b29e54067ecba6f71ceb8af3806e4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4c5abe2d011f645d12226ec660bf70d94c73e4f
---

 libavcodec/rv10.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index bd70689cab..9c3a48c251 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -154,7 +154,7 @@ static int rv10_decode_picture_header(MpegEncContext *s)
 return mb_count;
 }
 
-static int rv20_decode_picture_header(RVDecContext *rv)
+static int rv20_decode_picture_header(RVDecContext *rv, int whole_size)
 {
 MpegEncContext *s = &rv->m;
 int seq, mb_pos, i, ret;
@@ -232,6 +232,10 @@ static int rv20_decode_picture_header(RVDecContext *rv)
"attempting to change resolution to %dx%d\n", new_w, new_h);
 if (av_image_check_size(new_w, new_h, 0, s->avctx) < 0)
 return AVERROR_INVALIDDATA;
+
+if (whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8)
+return AVERROR_INVALIDDATA;
+
 ff_mpv_common_end(s);
 
 // attempt to keep aspect during typical resolution switches
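Review bot: in the added `whole_size < (new_w + 15)/16 * ((new_h + 15)/16) / 8` test the divisor 8 is unexplained. The expression is the macroblock count divided by 8, i.e. a minimum of one bit per macroblock; a one-line comment saying so, and naming the later check that this one runs ahead of, would keep the two from drifting apart.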
@@ -447,7 +451,7 @@ static int rv10_decode_packet(AVCodecContext *avctx, const 
uint8_t *buf,
 if (s->codec_id == AV_CODEC_ID_RV10)
 mb_count = rv10_decode_picture_header(s);
 else
-mb_count = rv20_decode_picture_header(rv);
+mb_count = rv20_decode_picture_header(rv, whole_size);
 if (mb_count < 0) {
 if (mb_count != ERROR_SKIP_FRAME)
 av_log(s->avctx, AV_LOG_ERROR, "HEADER ERROR\n");



[FFmpeg-cvslog] avcodec/utils: Check ima wav duration for overflow

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Apr 10 20:32:55 2021 +0200| [246b3d58a956d090b1438b005701608927aca681] | 
committer: Michael Niedermayer

avcodec/utils: Check ima wav duration for overflow

Fixes: signed integer overflow: 44331634 * 65 cannot be represented in type 
'int'
Fixes: 
32120/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-5760221223583744

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f40e9b13554d88cbdd6cd2b4a3da2cbea9590f5d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=246b3d58a956d090b1438b005701608927aca681
---

 libavcodec/utils.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 896b99dc3f..6cd8b9629a 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -773,11 +773,15 @@ static int get_audio_frame_duration(enum AVCodecID id, 
int sr, int ch, int ba,
 if (ba > 0) {
 /* calc from frame_bytes, channels, and block_align */
 int blocks = frame_bytes / ba;
+int64_t tmp;
 switch (id) {
 case AV_CODEC_ID_ADPCM_IMA_WAV:
 if (bps < 2 || bps > 5)
 return 0;
-return blocks * (1 + (ba - 4 * ch) / (bps * ch) * 8);
+tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8);
+if (tmp != (int)tmp)
+return 0;
+return tmp;
 case AV_CODEC_ID_ADPCM_IMA_DK3:
 return blocks * (((ba - 16) * 2 / 3 * 4) / ch);
 case AV_CODEC_ID_ADPCM_IMA_DK4:
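Review bot: in `tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8);` only the outer sum and product are widened; `4 * ch`, `bps * ch` and the quotient's trailing `* 8` are still evaluated in the operands' own type (ba and ch are int), so that `* 8` can overflow before the `1LL +` is applied. Casting the first operand of the inner subexpression to int64_t would let the `tmp != (int)tmp` range test cover the whole computation.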



[FFmpeg-cvslog] avformat/wtvdec: Improve size overflow checks in parse_chunks()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 20:23:41 2021 +0200| [c1d3a0638afbb73e5f79faf19618691cd70fb0ab] | 
committer: Michael Niedermayer

avformat/wtvdec: Improve size overflow checks in parse_chunks()

Fixes: signed integer overflow: 32 + 2147483647 cannot be represented in type 
'int
Fixes: 
32967/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5132856218222592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f8ec1da8ac8e3daf2403e744f166ea9557b2d333)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1d3a0638afbb73e5f79faf19618691cd70fb0ab
---

 libavformat/wtvdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c
index 4b3b7fb407..876256676c 100644
--- a/libavformat/wtvdec.c
+++ b/libavformat/wtvdec.c
@@ -817,7 +817,7 @@ static int parse_chunks(AVFormatContext *s, int mode, 
int64_t seekts, int *len_p
 avio_skip(pb, 12);
 ff_get_guid(pb, &formattype);
 size = avio_rl32(pb);
-if (size < 0 || size > INT_MAX - 92)
+if (size < 0 || size > INT_MAX - 92 - consumed)
 return AVERROR_INVALIDDATA;
 parse_media_type(s, 0, sid, mediatype, subtype, formattype, 
size);
 consumed += 92 + size;
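Review bot: the constant 92 now appears in both `size > INT_MAX - 92 - consumed` and `consumed += 92 + size`, and the next hunk repeats the pattern with 76. The check is only correct while the two literals match, so a named constant per chunk type, or a small helper that validates and then advances `consumed`, would be safer. The subtraction also assumes `consumed` is never negative; a comment or assert would document that.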
@@ -833,7 +833,7 @@ static int parse_chunks(AVFormatContext *s, int mode, 
int64_t seekts, int *len_p
 avio_skip(pb, 12);
 ff_get_guid(pb, &formattype);
 size = avio_rl32(pb);
-if (size < 0 || size > INT_MAX - 76)
+if (size < 0 || size > INT_MAX - 76 - consumed)
 return AVERROR_INVALIDDATA;
 parse_media_type(s, s->streams[stream_index], sid, mediatype, 
subtype, formattype, size);
 consumed += 76 + size;



[FFmpeg-cvslog] avformat/mov: check for pts overflow in mov_read_sidx()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Apr 15 18:43:25 2021 +0200| [26369e6ca993796ab054270a1bb685583e7c7eb9] | 
committer: Michael Niedermayer

avformat/mov: check for pts overflow in mov_read_sidx()

Fixes: signed integer overflow: 9223372036846336888 + 4278255871 cannot be 
represented in type 'long'
Fixes: 
32782/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6059216516284416

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ee53bb2399d8f387ac93a18ba0600ca7b04ac634)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26369e6ca993796ab054270a1bb685583e7c7eb9
---

 libavformat/mov.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 38a70589be..cd56df5b29 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5124,7 +5124,9 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 if (frag_stream_info)
 frag_stream_info->sidx_pts = timestamp;
 
-if (av_sat_add64(offset, size) != offset + size)
+if (av_sat_add64(offset, size) != offset + size ||
+av_sat_add64(pts, duration) != pts + (uint64_t)duration
+)
 return AVERROR_INVALIDDATA;
 offset += size;
 pts += duration;
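Review bot: the new operand `pts + (uint64_t)duration` is computed unsigned to avoid a signed overflow, but the unchanged `offset + size` on the line above still detects overflow by performing the addition being tested, which is the same hazard if those operands are signed. It would be worth giving both the same treatment, or using a pre-check such as `pts > INT64_MAX - duration` (for non-negative duration), which needs no mixed signed/unsigned comparison. The closing `)` on its own line would also read better on the previous line.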



[FFmpeg-cvslog] avformat/mxfdec: Fix file position addition

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Feb  1 19:59:55 2021 +0100| [f0d9b5899ae4c4f6bd58a1cd662e89d4b10a9619] | 
committer: Michael Niedermayer

avformat/mxfdec: Fix file position addition

Fixes: signed integer overflow: 9223372036854775805 + 4 cannot be represented 
in type 'long'
Fixes: 
29927/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5579985228267520

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f7c3484b2659063043100e8194d5790d2aa1a73c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0d9b5899ae4c4f6bd58a1cd662e89d4b10a9619
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 1f372affcb..840484b37e 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -2903,7 +2903,7 @@ static int mxf_read_local_tags(MXFContext *mxf, KLVPacket 
*klv, MXFMetadataReadF
 meta = NULL;
 ctx  = mxf;
 }
-while (avio_tell(pb) + 4 < klv_end && !avio_feof(pb)) {
+while (avio_tell(pb) + 4ULL < klv_end && !avio_feof(pb)) {
 int ret;
 int tag = avio_rb16(pb);
 int size = avio_rb16(pb); /* KLV specified by 0x53 */
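Review bot: `avio_tell(pb) + 4ULL < klv_end` moves the whole comparison to unsigned 64-bit, so a signed `klv_end` is converted too, and a negative `avio_tell()` error return or a negative `klv_end` now compares as a very large value. If `klv_end` is known to be at least 4, `avio_tell(pb) < klv_end - 4` keeps the comparison signed and needs no suffix; otherwise a comment stating the assumption would help.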



[FFmpeg-cvslog] avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Apr 15 20:08:22 2021 +0200| [7f0353bc550f63825f38b68d5451a9721ad053b1] | 
committer: Michael Niedermayer

avcodec/faxcompr: Check remaining bits on error in decode_group3_1d_line()

Fixes: Timeout
Fixes: 
32886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4779761466474496

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7b3881f0da6da00cb6b5b123328e2fbfca936c47)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7f0353bc550f63825f38b68d5451a9721ad053b1
---

 libavcodec/faxcompr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 3dd64cf730..7bf11d80ca 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -227,7 +227,7 @@ static int decode_group3_1d_line(AVCodecContext *avctx, 
GetBitContext *gb,
 run   = 0;
 mode  = !mode;
 } else if ((int)t == -1) {
-if (show_bits(gb, 12) == 15) {
+if (get_bits_left(gb) > 12 && show_bits(gb, 12) == 15) {
 int ret;
 skip_bits(gb, 12);
 ret = decode_uncompressed(avctx, gb, &pix_left, &runs, runend, 
&mode);
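Review bot: `get_bits_left(gb) > 12` rejects the case where exactly 12 bits remain, although `show_bits(gb, 12)` needs only 12. If the strict inequality is intentional because `decode_uncompressed()` must have data left after the 12-bit code is skipped, a comment should say so; otherwise this should be `>= 12`.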



[FFmpeg-cvslog] avformat/id3v2: Check end for overflow in id3v2_parse()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 20:23:44 2021 +0200| [6f83f6de0446e02f66c0d2a5f7cd950797d26681] | 
committer: Michael Niedermayer

avformat/id3v2: Check end for overflow in id3v2_parse()

Fixes: signed integer overflow: 9223372036840103978 + 67637280 cannot be 
represented in type 'long'
Fixes: 
33341/clusterfuzz-testcase-minimized-ffmpeg_dem_DSF_fuzzer-6408154041679872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit efdb56450418933965dc6e27f0b1625d25e44a8c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f83f6de0446e02f66c0d2a5f7cd950797d26681
---

 libavformat/id3v2.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index f33b7ba93a..1377cef4b8 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -816,7 +816,7 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary 
**metadata,
 int isv34, unsync;
 unsigned tlen;
 char tag[5];
-int64_t next, end = avio_tell(pb) + len;
+int64_t next, end = avio_tell(pb);
 int taghdrlen;
 const char *reason = NULL;
 AVIOContext pb_local;
@@ -828,6 +828,10 @@ static void id3v2_parse(AVIOContext *pb, AVDictionary 
**metadata,
 av_unused int uncompressed_buffer_size = 0;
 const char *comm_frame;
 
+if (end > INT64_MAX - len - 10)
+return;
+end += len;
+
 av_log(s, AV_LOG_DEBUG, "id3v2 ver:%d flags:%02X len:%d\n", version, 
flags, len);
 
 switch (version) {
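Review bot: the added `if (end > INT64_MAX - len - 10) return;` leaves silently, and the 10 is unexplained. A `reason` string is already declared in this function, so setting it (or logging) before returning would make rejected tags diagnosable, and a comment or named constant should say what the 10 bytes account for. The check also does not cover a negative `end` from a failed `avio_tell()`.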



[FFmpeg-cvslog] avformat/asfdec_o: Use ff_get_extradata()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Apr 23 17:16:20 2021 +0200| [2d177dba88aa23d384efd6cf206759aed6553db1] | 
committer: Michael Niedermayer

avformat/asfdec_o: Use ff_get_extradata()

Fixes: OOM
Fixes: 
27240/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-5937469859823616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 098314e1e5142aa2b53dc5371a9d01eb09ddd30f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d177dba88aa23d384efd6cf206759aed6553db1
---

 libavformat/asfdec_o.c | 21 ++---
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c
index 7c08565180..f98ffc76fa 100644
--- a/libavformat/asfdec_o.c
+++ b/libavformat/asfdec_o.c
@@ -685,7 +685,7 @@ static int asf_read_properties(AVFormatContext *s, const 
GUIDParseTable *g)
 return 0;
 }
 
-static int parse_video_info(AVIOContext *pb, AVStream *st)
+static int parse_video_info(AVFormatContext *avfmt, AVIOContext *pb, AVStream 
*st)
 {
 uint16_t size_asf; // ASF-specific Format Data size
 uint32_t size_bmp; // BMP_HEADER-specific Format Data size
@@ -700,19 +700,10 @@ static int parse_video_info(AVIOContext *pb, AVStream *st)
 st->codecpar->codec_id  = ff_codec_get_id(ff_codec_bmp_tags, tag);
 size_bmp = FFMAX(size_asf, size_bmp);
 
-if (size_bmp > BMP_HEADER_SIZE &&
-size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
-int ret;
-st->codecpar->extradata_size  = size_bmp - BMP_HEADER_SIZE;
-if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size 
+
-   AV_INPUT_BUFFER_PADDING_SIZE))) 
{
-st->codecpar->extradata_size = 0;
-return AVERROR(ENOMEM);
-}
-memset(st->codecpar->extradata + st->codecpar->extradata_size , 0,
-   AV_INPUT_BUFFER_PADDING_SIZE);
-if ((ret = avio_read(pb, st->codecpar->extradata,
- st->codecpar->extradata_size)) < 0)
+if (size_bmp > BMP_HEADER_SIZE) {
+int ret = ff_get_extradata(avfmt, st->codecpar, pb, size_bmp - 
BMP_HEADER_SIZE);
+
+if (ret < 0)
 return ret;
 }
 return 0;
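Review bot: the removed code bounded `size_bmp` explicitly with `size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE`; the replacement passes the unsigned difference `size_bmp - BMP_HEADER_SIZE` straight to `ff_get_extradata()`. Please confirm, and note in the commit message, that the helper rejects oversized values and values that become negative once converted to its size parameter, since that upper bound is no longer visible at this call site.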
@@ -795,7 +786,7 @@ static int asf_read_stream_properties(AVFormatContext *s, 
const GUIDParseTable *
 break;
 case AVMEDIA_TYPE_VIDEO:
 asf_st->type = AVMEDIA_TYPE_VIDEO;
-if ((ret = parse_video_info(pb, st)) < 0)
+if ((ret = parse_video_info(s, pb, st)) < 0)
 return ret;
 break;
 default:



[FFmpeg-cvslog] avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun May  2 15:49:55 2021 +0200| [1abd61e006d81503dba61f75c725723e2ebc98f8] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Set alpha plane in PAL8 so image is not 100% transparent

Fixes: tickets/3933/128.jls

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 011006874cb46325b6bc83234f81879ff421c05f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1abd61e006d81503dba61f75c725723e2ebc98f8
---

 libavcodec/jpeglsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 69980eaa49..c4ffa81f7d 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -122,7 +122,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 s->avctx->pix_fmt = AV_PIX_FMT_PAL8;
 for (i=s->palette_index; i<=maxtab; i++) {
 uint8_t k = i << shift;
-pal[k] = 0;
+pal[k] = wt < 4 ? 0xFF00 : 0;
 for (j=0; jgb, 8) << (8*(wt-j-1));
 }



[FFmpeg-cvslog] avcodec/utils: treat PAL8 for jpegs similar to other colorspaces

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Apr 29 21:21:27 2021 +0200| [82de510a59f80fa9b1f8d0150856ff32e1c55778] | 
committer: Michael Niedermayer

avcodec/utils: treat PAL8 for jpegs similar to other colorspaces

Fixes: out of array access
Fixes: 
33713/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5778775641030656
Fixes: 
33717/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-4960397238075392
Fixes: 
33718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-5314270096130048.fuzz
Fixes: 
33719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5352721864589312
Fixes: 
33721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5938892055379968

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f0ce023ddb8863d16ab650fcc0731851a55db084)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=82de510a59f80fa9b1f8d0150856ff32e1c55778
---

 libavcodec/utils.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 6cd8b9629a..d678355d3c 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -272,6 +272,16 @@ void avcodec_align_dimensions2(AVCodecContext *s, int 
*width, int *height,
 w_align = 8;
 h_align = 8;
 }
+if (s->codec_id == AV_CODEC_ID_MJPEG   ||
+s->codec_id == AV_CODEC_ID_MJPEGB  ||
+s->codec_id == AV_CODEC_ID_LJPEG   ||
+s->codec_id == AV_CODEC_ID_SMVJPEG ||
+s->codec_id == AV_CODEC_ID_AMV ||
+s->codec_id == AV_CODEC_ID_SP5X||
+s->codec_id == AV_CODEC_ID_JPEGLS) {
+w_align =   8;
+h_align = 2*8;
+}
 break;
 case AV_PIX_FMT_BGR24:
 if ((s->codec_id == AV_CODEC_ID_MSZH) ||
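Review bot: the added codec list sets `h_align = 2*8` with no comment on why the JPEG family needs twice the height alignment of the `8` assigned just above it. A one-line rationale would help, and because the list is hard-coded, a JPEG-based decoder missing from it silently keeps the smaller alignment; consider sharing the list with the other pixel-format cases that give these codecs the same treatment.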



[FFmpeg-cvslog] avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and decode_group3_2d_line()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Apr 28 16:58:50 2021 +0200| [89d8eae0c618b156361d27200f4629becbdabb1e] | 
committer: Michael Niedermayer

avcodec/faxcompr: Check for end of bitstream in decode_group3_1d_line() and 
decode_group3_2d_line()

Fixes: infinite loop
Fixes: 
33674/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4816457818046464

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 08d2df41538b583932c1a6772e3c8978a2334107)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89d8eae0c618b156361d27200f4629becbdabb1e
---

 libavcodec/faxcompr.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 7bf11d80ca..d44de2485d 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -209,6 +209,8 @@ static int decode_group3_1d_line(AVCodecContext *avctx, 
GetBitContext *gb,
 unsigned int run = 0;
 unsigned int t;
 for (;;) {
+if (get_bits_left(gb) <= 0)
+return AVERROR_INVALIDDATA;
 t= get_vlc2(gb, ccitt_vlc[mode].table, 9, 2);
 run += t;
 if (t < 64) {
@@ -254,7 +256,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, 
GetBitContext *gb,
 unsigned int offs = 0, run = 0;
 
 while (offs < width) {
-int cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
+int cmode;
+if (get_bits_left(gb) <= 0)
+return AVERROR_INVALIDDATA;
+cmode = get_vlc2(gb, ccitt_group3_2d_vlc.table, 9, 1);
 if (cmode == -1) {
 av_log(avctx, AV_LOG_ERROR, "Incorrect mode VLC\n");
 return AVERROR_INVALIDDATA;
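Review bot: the new `get_bits_left(gb) <= 0` exit in the 2D loop returns AVERROR_INVALIDDATA without a message, while the `cmode == -1` failure immediately below logs "Incorrect mode VLC". The same applies to the check added in decode_group3_1d_line(). Logging the truncation would keep the two failure modes distinguishable when triaging a bad file.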



[FFmpeg-cvslog] avformat/mvdec: Check sample rate in parse_audio_var()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Apr 28 16:44:13 2021 +0200| [5f0c0883c25f398ef23cfbbe82bdd13bb3e3c799] | 
committer: Michael Niedermayer

avformat/mvdec: Check sample rate in parse_audio_var()

Fixes: signed integer overflow: -63542400238284 * 16 cannot be represented 
in type 'long'
Fixes: 
33612/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5704741108711424

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0ff60249a57cba00ab679ca6190a802cc0c7b9c7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f0c0883c25f398ef23cfbbe82bdd13bb3e3c799
---

 libavformat/mvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mvdec.c b/libavformat/mvdec.c
index 045c66ac3c..b833abfa19 100644
--- a/libavformat/mvdec.c
+++ b/libavformat/mvdec.c
@@ -157,6 +157,8 @@ static int parse_audio_var(AVFormatContext *avctx, AVStream 
*st,
 return set_channels(avctx, st, var_read_int(pb, size));
 } else if (!strcmp(name, "SAMPLE_RATE")) {
 st->codecpar->sample_rate = var_read_int(pb, size);
+if (st->codecpar->sample_rate <= 0)
+return AVERROR_INVALIDDATA;
 avpriv_set_pts_info(st, 33, 1, st->codecpar->sample_rate);
 } else if (!strcmp(name, "SAMPLE_WIDTH")) {
 uint64_t bpc = var_read_int(pb, size) * (uint64_t)8;
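Review bot: `st->codecpar->sample_rate` is assigned from `var_read_int(pb, size)` before the new `<= 0` test, so the invalid value stays in the stream parameters after the function returns AVERROR_INVALIDDATA. Reading into a local, validating it, and only then storing it avoids leaving a non-positive sample rate behind for any caller that continues after the error.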



[FFmpeg-cvslog] avcodec/alsdec: Fix decoding error with mono audio files

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri May  7 10:02:01 2021 +0900| [0dc1c85644d82934e3ebe5153d40a99350dfa0fe] | 
committer: Michael Niedermayer

avcodec/alsdec: Fix decoding error with mono audio files

highest_decoded_channel is modified to serve as meant.

Reported-by: Noboru Harada 

Regression since: a11aa5f3ed7ee4d2385a7b725d43f6070d790b4c
Fixes: Sin48k16bit1ch.mp4
Reviewed-by: Thilo Borgmann 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f7987ce966aaad841d584988e00454c685bff36f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0dc1c85644d82934e3ebe5153d40a99350dfa0fe
---

 libavcodec/alsdec.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index a8c3433fa8..e736905a76 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -1632,7 +1632,7 @@ static int read_frame_data(ALSDecContext *ctx, unsigned 
int ra_frame)
 AVCodecContext *avctx= ctx->avctx;
 GetBitContext *gb = &ctx->gb;
 unsigned int div_blocks[32];///< block sizes.
-unsigned int c;
+int c;
 unsigned int js_blocks[2];
 uint32_t bs_info = 0;
 int ret;
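Review bot: `c` changes from `unsigned int` to `int` here without explanation; the commit message only mentions highest_decoded_channel. If the reason is that `c` is stored into or compared with that field now that it uses -1 as its "nothing decoded" value, please say so, and check that any comparisons of `c` against unsigned values in read_frame_data() do not become signed/unsigned mismatches.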
@@ -1810,14 +1810,17 @@ static int decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame_ptr,
 else
 ctx->cur_frame_length = sconf->frame_length;
 
-ctx->highest_decoded_channel = 0;
+ctx->highest_decoded_channel = -1;
 // decode the frame data
 if ((invalid_frame = read_frame_data(ctx, ra_frame)) < 0)
 av_log(ctx->avctx, AV_LOG_WARNING,
"Reading frame data failed. Skipping RA unit.\n");
 
-if (ctx->highest_decoded_channel == 0)
+if (ctx->highest_decoded_channel == -1) {
+av_log(ctx->avctx, AV_LOG_WARNING,
+   "No channel data decoded.\n");
 return AVERROR_INVALIDDATA;
+}
 
 ctx->frame_id++;
 



[FFmpeg-cvslog] avformat/utils: Use 64bit earlier in r_frame_rate check

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 12 22:33:06 2021 +0200| [ba1cc675eb2ca7d6298eb5f73376cd675edd7b1d] | 
committer: Michael Niedermayer

avformat/utils: Use 64bit earlier in r_frame_rate check

Fixes: signed integer overflow: 1406796319 * 2 cannot be represented in type 
'int'
Fixes: 
32777/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5632576913014784

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 578633fc1ac8c02a36a706bd71f775550412d1e1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ba1cc675eb2ca7d6298eb5f73376cd675edd7b1d
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 1384b56771..f341346200 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4059,7 +4059,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 
 if (!st->r_frame_rate.num) {
 if (avctx->time_base.den * (int64_t) st->time_base.num
-<= avctx->time_base.num * avctx->ticks_per_frame * 
(uint64_t) st->time_base.den) {
+<= avctx->time_base.num * (uint64_t)avctx->ticks_per_frame 
* st->time_base.den) {
 av_reduce(&st->r_frame_rate.num, &st->r_frame_rate.den,
   avctx->time_base.den, 
(int64_t)avctx->time_base.num * avctx->ticks_per_frame, INT_MAX);
 } else {
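Review bot: after moving the cast, the left side of the `<=` is still widened with `(int64_t)` while the right side uses `(uint64_t)`, so the comparison itself is done unsigned and a negative time base component would compare as a huge value. The av_reduce() call just below widens the same product with `(int64_t)`; using one signedness on both sides of the test would be more consistent.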



[FFmpeg-cvslog] avformat/mov: Limit nb_chapter_tracks to input size

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 13:30:17 2021 +0200| [409c33e5f882c7b9013ff7f4e1d1cdd831c65095] | 
committer: Michael Niedermayer

avformat/mov: Limit nb_chapter_tracks to input size

Fixes: Timeout (15k loop iterations instead of 400m)
Fixes: 
31368/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6601583174483968

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 299a56c9006b2eb8807c3e3efefb91a78fe6b3b2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=409c33e5f882c7b9013ff7f4e1d1cdd831c65095
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index cd56df5b29..e6c2dca0ba 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4700,6 +4700,8 @@ static int mov_read_chap(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 for (i = 0; i < num && !pb->eof_reached; i++)
 c->chapter_tracks[i] = avio_rb32(pb);
 
+c->nb_chapter_tracks = i;
+
 return 0;
 }
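Review bot: `c->nb_chapter_tracks = i;` counts every completed iteration, but the loop tests `pb->eof_reached` only before each read, so the `avio_rb32(pb)` call that runs into end of input is still counted and its value stored. If that trailing entry matters, check `eof_reached` after the read; a short comment that the count is being clamped to what was actually read would also help.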
 



[FFmpeg-cvslog] avformat/mov: Ignore duplicate CoLL

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 13:37:26 2021 +0200| [6f7a7b5ffbde6202854a444cbc55302faa7ec1cc] | 
committer: Michael Niedermayer

avformat/mov: Ignore duplicate CoLL

Fixes: memleak
Fixes: 
32146/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5377612845285376

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9548dc74d8db2bc002e1195dbd076f621f5c3ea1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f7a7b5ffbde6202854a444cbc55302faa7ec1cc
---

 libavformat/mov.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index e6c2dca0ba..6c5caa7d04 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5516,6 +5516,11 @@ static int mov_read_coll(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 avio_skip(pb, 3); /* flags */
 
+if (sc->coll){
+av_log(c->fc, AV_LOG_WARNING, "Ignoring duplicate COLL\n");
+return 0;
+}
+
 sc->coll = av_content_light_metadata_alloc(&sc->coll_size);
 if (!sc->coll)
 return AVERROR(ENOMEM);
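Review bot: the duplicate test sits after `avio_skip(pb, 3)`, so part of the box is consumed before it is ignored; if nothing above depends on it, `if (sc->coll)` could move to the top of the function to make the early exit clearer. Minor style: `if (sc->coll){` lacks the space before the brace, and the log text says COLL while the commit subject spells the box CoLL.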



[FFmpeg-cvslog] avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 15:50:43 2021 +0200| [3f81371bd43322a6e411d9e66a9bd1f49d4440ce] | 
committer: Michael Niedermayer

avcodec/vc1: Check remaining bits in ff_vc1_parse_frame_header()

Fixes: Timeout
Fixes: 
33156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3_fuzzer-6259655027326976

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 38c47615880357314ba30727a85bf7b00989706a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f81371bd43322a6e411d9e66a9bd1f49d4440ce
---

 libavcodec/vc1.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index cd9975d8cf..ab5e3008e0 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -672,6 +672,8 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* 
gb)
 if (v->s.pict_type == AV_PICTURE_TYPE_P)
 v->rnd ^= 1;
 
+if (get_bits_left(gb) < 5)
+return AVERROR_INVALIDDATA;
 /* Quantizer stuff */
 pqindex = get_bits(gb, 5);
 if (!pqindex)
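
Review bot: The new check sits after `v->rnd ^= 1;`, so a truncated P-frame header toggles the rounding state and then fails, leaving the context changed by a frame that was rejected. Moving the `get_bits_left(gb) < 5` test above the `pict_type` branch would keep the error path free of side effects. The literal 5 is tied to `get_bits(gb, 5)` on the next line; a short comment saying so would help if the read width ever changes.
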
@@ -764,6 +766,9 @@ int ff_vc1_parse_frame_header(VC1Context *v, GetBitContext* 
gb)
 av_log(v->s.avctx, AV_LOG_DEBUG, "MB Skip plane encoding: "
"Imode: %i, Invert: %i\n", status>>1, status&1);
 
+if (get_bits_left(gb) < 4)
+return AVERROR_INVALIDDATA;
+
 /* Hopefully this is correct for P-frames */
 v->s.mv_table_index = get_bits(gb, 2); //but using ff_vc1_ tables
 v->cbptab = get_bits(gb, 2);

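Review bot: The threshold 4 covers only the two 2-bit reads that follow (`mv_table_index` and `cbptab`), so this works as an early exit for exhausted input rather than as a bound on everything read afterwards. Say that in a comment, otherwise the constant looks like a complete length check and will silently go stale when fields are added below.
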


[FFmpeg-cvslog] avcodec/clearvideo: Check for 0 tile_shift

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 19 16:46:08 2021 +0200| [a6bd1bdd12e95d7a3aa2fbcd57494f0d7b1f6dcb] | 
committer: Michael Niedermayer

avcodec/clearvideo: Check for 0 tile_shift

Fixes: shift exponent -1 is negative
Fixes: 
33401/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CLEARVIDEO_fuzzer-5908683596890112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 63e75e09aef5836330a2786f0a9229ed82239e6b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a6bd1bdd12e95d7a3aa2fbcd57494f0d7b1f6dcb
---

 libavcodec/clearvideo.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/clearvideo.c b/libavcodec/clearvideo.c
index 79ba88857c..b3ccb51334 100644
--- a/libavcodec/clearvideo.c
+++ b/libavcodec/clearvideo.c
@@ -722,8 +722,8 @@ static av_cold int clv_decode_init(AVCodecContext *avctx)
 }
 
 c->tile_shift = av_log2(c->tile_size);
-if (1U << c->tile_shift != c->tile_size) {
-av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2.\n", 
c->tile_size);
+if (1U << c->tile_shift != c->tile_size || c->tile_shift < 1) {
+av_log(avctx, AV_LOG_ERROR, "Tile size: %d, is not power of 2 > 1\n", 
c->tile_size);
 return AVERROR_INVALIDDATA;
 }
 

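Review bot: The added `c->tile_shift < 1` term rejects a tile size of 1, but nothing in this function shows why; per the commit message the failure was a shift by -1, so the constraint presumably comes from code elsewhere that shifts by `tile_shift - 1`. A comment naming that dependency next to the check would stop it from being simplified away later. The reworded message also lost its trailing period, unlike the line it replaces.
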


[FFmpeg-cvslog] avformat/avio: Check av_opt_copy() for failure

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu May 20 21:16:52 2021 +0200| [5d3c96cf11768a127857161e2504c9f60ef4f97d] | 
committer: Michael Niedermayer

avformat/avio: Check av_opt_copy() for failure

Fixes: CID1477416 Unchecked return value

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f8611ae1efc47fbe1aff140c89bee4fd1d62d3e1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d3c96cf11768a127857161e2504c9f60ef4f97d
---

 libavformat/avio.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/avio.c b/libavformat/avio.c
index 8011482e76..cd9b5d9e7f 100644
--- a/libavformat/avio.c
+++ b/libavformat/avio.c
@@ -316,8 +316,11 @@ int ffurl_open_whitelist(URLContext **puc, const char 
*filename, int flags,
 int ret = ffurl_alloc(puc, filename, flags, int_cb);
 if (ret < 0)
 return ret;
-if (parent)
-av_opt_copy(*puc, parent);
+if (parent) {
+ret = av_opt_copy(*puc, parent);
+if (ret < 0)
+goto fail;
+}
 if (options &&
 (ret = av_opt_set_dict(*puc, options)) < 0)
 goto fail;

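Review bot: The surrounding code already uses the compact form `(ret = av_opt_set_dict(*puc, options)) < 0` directly below, so writing the new check as `if (parent && (ret = av_opt_copy(*puc, parent)) < 0) goto fail;` would match it and avoid the extra block. It is worth confirming in the same pass that the `fail` label releases `*puc`, since this adds another path into it right after `ffurl_alloc()`.
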


[FFmpeg-cvslog] avformat/fifo: check for flushed packets and timeshift

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun May 16 21:18:09 2021 +0200| [567eacd42ebbc0e9b9164e2783cbda390806f800] | 
committer: Michael Niedermayer

avformat/fifo: check for flushed packets and timeshift

Fixes: CID1464151 Dereference after null check

Reviewed-by: Marton Balint 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3e44bd068fc19baeaab3295fce8379c68e4b2b2a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=567eacd42ebbc0e9b9164e2783cbda390806f800
---

 libavformat/fifo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/fifo.c b/libavformat/fifo.c
index 17748e94ce..a1dca1bc16 100644
--- a/libavformat/fifo.c
+++ b/libavformat/fifo.c
@@ -593,7 +593,7 @@ static int fifo_write_packet(AVFormatContext *avf, AVPacket 
*pkt)
 goto fail;
 }
 
-if (fifo->timeshift && pkt->dts != AV_NOPTS_VALUE)
+if (fifo->timeshift && pkt && pkt->dts != AV_NOPTS_VALUE)
 atomic_fetch_add_explicit(&fifo->queue_duration, next_duration(avf, 
pkt, &fifo->last_sent_dts), memory_order_relaxed);
 
 return ret;

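Review bot: `pkt &&` is added to this condition without any explanation in the code; the subject line implies that a NULL `pkt` is the flush case. Add a comment to that effect here, and check that the rest of `fifo_write_packet()` above this point treats `pkt` the same way, since Coverity reported this as a dereference after an earlier null check.
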


[FFmpeg-cvslog] avcodec/exr: x/ymax cannot be INT_MAX

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Apr 20 20:24:21 2021 +0200| [fa38dfc0efaea2fde7002216f62441769bc85ce3] | 
committer: Michael Niedermayer

avcodec/exr: x/ymax cannot be INT_MAX

The code uses x/ymax + 1 so the maximum is INT_MAX-1

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
33158/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5545462457303040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 48342aa0750f83006582d1598b5f22297f6dbf83)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa38dfc0efaea2fde7002216f62441769bc85ce3
---

 libavcodec/exr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 49c4774145..59403fd1f5 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1795,6 +1795,7 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 ymax   = bytestream2_get_le32(gb);
 
 if (xmin > xmax || ymin > ymax ||
+ymax == INT_MAX || xmax == INT_MAX ||
 (unsigned)xmax - xmin >= INT_MAX ||
 (unsigned)ymax - ymin >= INT_MAX) {
 ret = AVERROR_INVALIDDATA;

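Review bot: The new `ymax == INT_MAX || xmax == INT_MAX` test guards an addition that is not in this hunk (the commit message says the code uses x/ymax + 1), so the condition now mixes ordering, limit and span checks with no hint of what each one protects. A comment on the added line saying that xmax + 1 and ymax + 1 are computed later would document it. Listing `xmax` before `ymax` would also match the order used in the other terms.
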


[FFmpeg-cvslog] avformat/moflex: Remove unneeded format variable

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu May 20 18:25:47 2021 +0200| [95224c3ffb228bd904ac38e280a06043bbff4d2f] | 
committer: Michael Niedermayer

avformat/moflex: Remove unneeded format variable

Fixes: CID1477423 Uninitialized scalar variable

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 36a3a5050a06ed98e34a94caac7f4daf764cf55c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=95224c3ffb228bd904ac38e280a06043bbff4d2f
---

 libavformat/moflex.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libavformat/moflex.c b/libavformat/moflex.c
index 41335ada78..0706f88e64 100644
--- a/libavformat/moflex.c
+++ b/libavformat/moflex.c
@@ -172,7 +172,6 @@ static int moflex_read_sync(AVFormatContext *s)
 unsigned type, ssize, codec_id = 0;
 unsigned codec_type, width = 0, height = 0, sample_rate = 0, channels 
= 0;
 int stream_index = -1;
-int format;
 AVRational fps;
 
 read_var_byte(s, &type);
@@ -213,7 +212,6 @@ static int moflex_read_sync(AVFormatContext *s)
 fps.den = avio_rb16(pb);
 width = avio_rb16(pb);
 height = avio_rb16(pb);
-format = AV_PIX_FMT_YUV420P;
 avio_skip(pb, type == 3 ? 3 : 2);
 break;
 case 4:
@@ -235,7 +233,6 @@ static int moflex_read_sync(AVFormatContext *s)
 st->codecpar->height = height;
 st->codecpar->sample_rate= sample_rate;
 st->codecpar->channels   = channels;
-st->codecpar->format = format;
 st->priv_data= av_packet_alloc();
 if (!st->priv_data)
 return AVERROR(ENOMEM);

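Review bot: With the last hunk, `st->codecpar->format` is no longer assigned at all, where before it received `AV_PIX_FMT_YUV420P` in the video case and an uninitialized value for every other stream type. That removes the Coverity finding, but the commit message should say why the field can be left at its default, because the patch changes what video streams advertise and not only the uninitialized path.
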


[FFmpeg-cvslog] avcodec/exr: More strictly check dc_count

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue May 25 19:29:18 2021 +0200| [43bdf562c3f69261d742dd35dfe5147fb3c007d0] | 
committer: Michael Niedermayer

avcodec/exr: More strictly check dc_count

Fixes: out of array access
Fixes: exr/deneme

Found-by: Burak Çarıkçı 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 26d3c81bc5ef2f8c3f09d45eaeacfb4b1139a777)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=43bdf562c3f69261d742dd35dfe5147fb3c007d0
---

 libavcodec/exr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 59403fd1f5..83e8a58e27 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1059,11 +1059,11 @@ static int dwa_uncompress(EXRContext *s, const uint8_t 
*src, int compressed_size
 bytestream2_skip(&gb, ac_size);
 }
 
-if (dc_size > 0) {
+{
 unsigned long dest_len = dc_count * 2LL;
 GetByteContext agb = gb;
 
-if (dc_count > (6LL * td->xsize * td->ysize + 63) / 64)
+if (dc_count != dc_w * dc_h * 3)
 return AVERROR_INVALIDDATA;
 
 av_fast_padded_malloc(&td->dc_data, &td->dc_size, FFALIGN(dest_len, 
64) * 2);

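Review bot: In `dc_count != dc_w * dc_h * 3` the right-hand side is multiplied in whatever type `dc_w` and `dc_h` have, while the line above widens deliberately with `dc_count * 2LL` and the removed check used `6LL`; if those are plain ints derived from the image size, the product can overflow before the comparison. Writing it as `dc_w * (int64_t)dc_h * 3` keeps the exact-match check sound. Dropping `if (dc_size > 0)` also leaves a bare `{` block that now runs for a zero `dc_size`; either unindent the block or note that the zero case is meant to fall into the `dc_count` check.
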


[FFmpeg-cvslog] avcodec/aacenc: Avoid 0 lambda

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri May 28 21:37:26 2021 +0200| [05cca35df9df1fcbcd41a9fac77ab2fb70a6b9c7] | 
committer: Michael Niedermayer

avcodec/aacenc: Avoid 0 lambda

Fixes: Ticket8003
Fixes: CVE-2020-20453

Signed-off-by: Michael Niedermayer 
(cherry picked from commit a7a7f32c8ad0179a1a85d0a8cff35924e6d90be8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=05cca35df9df1fcbcd41a9fac77ab2fb70a6b9c7
---

 libavcodec/aacenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index 070a2e706a..041f242092 100644
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -28,6 +28,7 @@
  *  TODOs:
  * add sane pulse detection
  ***/
+#include 
 
 #include "libavutil/libm.h"
 #include "libavutil/float_dsp.h"
@@ -852,7 +853,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket 
*avpkt,
 /* Not so fast though */
 ratio = sqrtf(ratio);
 }
-s->lambda = FFMIN(s->lambda * ratio, 65536.f);
+s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f);
 
 /* Keep iterating if we must reduce and lambda is in the sky */
 if (ratio > 0.9f && ratio < 1.1f) {

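Review bot: `FLT_MIN` keeps `s->lambda` from reaching 0, but it is the smallest normalized float, so anything that later divides by lambda can still overflow to infinity; the floor should be chosen from what the rate-control code tolerates and explained in a comment. It is also worth checking what happens when `s->lambda * ratio` is NaN, since the old `FFMIN` and the new `av_clipf` may not treat it the same way.
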


[FFmpeg-cvslog] avcodec/aacpsy: Avoid floating point division by 0 of norm_fac

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri May 28 20:18:25 2021 +0200| [5828700d5c70aaec1f10c417975123c76262bd98] | 
committer: Michael Niedermayer

avcodec/aacpsy: Avoid floating point division by 0 of norm_fac

Fixes: Ticket7995
Fixes: CVE-2020-20446

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 223b5e8ac9f6461bb13ed365419ec485c5b2b002)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5828700d5c70aaec1f10c417975123c76262bd98
---

 libavcodec/aacpsy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c
index fca692cb15..bd444fecdc 100644
--- a/libavcodec/aacpsy.c
+++ b/libavcodec/aacpsy.c
@@ -794,7 +794,7 @@ static void psy_3gpp_analyze_channel(FFPsyContext *ctx, int 
channel,
 
 if (pe < 1.15f * desired_pe) {
 /* 6.6.1.3.6 "Final threshold modification by linearization" */
-norm_fac = 1.0f / norm_fac;
+norm_fac = norm_fac ? 1.0f / norm_fac : 0;
 for (w = 0; w < wi->num_windows*16; w += 16) {
 for (g = 0; g < num_bands; g++) {
 AacPsyBand *band = &pch->band[w+g];

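Review bot: When `norm_fac` is 0 the assignment now yields 0 and the loop below still runs, so the linearization step is applied with a zero factor rather than skipped; confirm that this is the intended result and not just a way to avoid the division. The fallback is written as the int literal `0` in a float expression; `0.0f` would match `1.0f` on the same line.
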


[FFmpeg-cvslog] avcodec/lpc: Avoid floating point division by 0

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri May 28 20:31:19 2021 +0200| [7fbea837fd8584536ba3f4d73e639d84ae6359a1] | 
committer: Michael Niedermayer

avcodec/lpc: Avoid floating point division by 0

Fixes: Ticket7996
Fixes: CVE-2020-20445

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 38d18fb57863bb9c54e68ae44aa780c5c282a184)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7fbea837fd8584536ba3f4d73e639d84ae6359a1
---

 libavcodec/lpc.c | 2 +-
 libavcodec/lpc.h | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/lpc.c b/libavcodec/lpc.c
index 1d1d04fd80..3ed61563ee 100644
--- a/libavcodec/lpc.c
+++ b/libavcodec/lpc.c
@@ -189,7 +189,7 @@ double ff_lpc_calc_ref_coefs_f(LPCContext *s, const float 
*samples, int len,
 compute_ref_coefs(autoc, order, ref, error);
 for (i = 0; i < order; i++)
 avg_err = (avg_err + error[i])/2.0f;
-return signal/avg_err;
+return avg_err ? signal/avg_err : NAN;
 }
 
 /**
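
Review bot: Returning `NAN` changes what callers of `ff_lpc_calc_ref_coefs_f()` can receive: every ordered comparison against the result is false when `avg_err` is 0, so a caller that thresholds this value silently takes whichever branch the false case selects. The function's documentation should state that NaN is a possible return value, and the callers should be checked for it.
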
diff --git a/libavcodec/lpc.h b/libavcodec/lpc.h
index 88ca247f87..52170fd623 100644
--- a/libavcodec/lpc.h
+++ b/libavcodec/lpc.h
@@ -143,7 +143,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, 
int max_order,
 gen0[i] = gen1[i] = autoc[i + 1];
 
 err= autoc[0];
-ref[0] = -gen1[0] / err;
+ref[0] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
 err   +=  gen1[0] * ref[0];
 if (error)
 error[0] = err;
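
Review bot: `(USE_FIXED || err) ? err : 1` only substitutes 1 in the floating-point build; when `USE_FIXED` is set the divisor is always `err`, so a zero `err` there still divides by zero, and for an integer `LPC_TYPE` that is the more serious of the two cases. If zero cannot occur in fixed point, say why in a comment; otherwise drop the `USE_FIXED ||` term.
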
@@ -152,7 +152,7 @@ static inline void compute_ref_coefs(const LPC_TYPE *autoc, 
int max_order,
 gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j];
 gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j];
 }
-ref[i] = -gen1[0] / err;
+ref[i] = -gen1[0] / ((USE_FIXED || err) ? err : 1);
 err   +=  gen1[0] * ref[i];
 if (error)
 error[i] = err;

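Review bot: This is the same guarded divisor as in the previous hunk, repeated verbatim; a small local macro or a temporary for the divisor would keep `ref[0]` and `ref[i]` from drifting apart. Substituting 1 also makes `ref[i]` equal to `-gen1[0]` when `err` is 0, an arbitrary value that the following `err += gen1[0] * ref[i]` feeds back into the recursion, so the choice of 1 needs a word of justification.
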


[FFmpeg-cvslog] avformat/movenc: Check pal_size before use

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat May 29 09:22:27 2021 +0200| [5f9f6894970b1c3e4157e695b9d1d7cd08f04be2] | 
committer: Michael Niedermayer

avformat/movenc: Check pal_size before use

Fixes: assertion failure
Fixes: out of array read
Fixes: Ticket8190
Fixes: CVE-2020-22015

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4c1afa292520329eecd1cc7631bc59a8cca95c46)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f9f6894970b1c3e4157e695b9d1d7cd08f04be2
---

 libavformat/movenc.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index bd1e795a65..2cd5773dc5 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -2177,11 +2177,13 @@ static int mov_write_video_tag(AVFormatContext *s, 
AVIOContext *pb, MOVMuxContex
 avio_wb16(pb, 0x18); /* Reserved */
 
 if (track->mode == MODE_MOV && track->par->format == AV_PIX_FMT_PAL8) {
-int pal_size = 1 << track->par->bits_per_coded_sample;
-int i;
+int pal_size, i;
 avio_wb16(pb, 0); /* Color table ID */
 avio_wb32(pb, 0); /* Color table seed */
 avio_wb16(pb, 0x8000);/* Color table flags */
+if (track->par->bits_per_coded_sample < 0 || 
track->par->bits_per_coded_sample > 8)
+return AVERROR(EINVAL);
+pal_size = 1 << track->par->bits_per_coded_sample;
 avio_wb16(pb, pal_size - 1);  /* Color table size (zero-relative) */
 for (i = 0; i < pal_size; i++) {
 uint32_t rgb = track->palette[i];

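Review bot: The range check on `bits_per_coded_sample` runs after the three `avio_wb16`/`avio_wb32` calls for the color table header, so the `AVERROR(EINVAL)` path returns with part of the tag already written to `pb`. Validate before the first write, directly after the declarations. The upper bound 8 is also a bare literal; tying it to the number of entries in `track->palette` would make clear that it is what keeps `track->palette[i]` in range.
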


[FFmpeg-cvslog] avfilter/vf_vmafmotion: Check dimensions

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat May 29 09:58:31 2021 +0200| [cea03683b93c1569b33611d71233235933b3cbce] | 
committer: Michael Niedermayer

avfilter/vf_vmafmotion: Check dimensions

Fixes: out of array access
Fixes: Ticket8241
Fixes: Ticket8246
Fixes: CVE-2020-22019
Fixes: CVE-2020-22033

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 82ad1b76751bcfad5005440db48c46a4de5d6f02)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cea03683b93c1569b33611d71233235933b3cbce
---

 libavfilter/vf_vmafmotion.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavfilter/vf_vmafmotion.c b/libavfilter/vf_vmafmotion.c
index 88d0b35095..0730147e7d 100644
--- a/libavfilter/vf_vmafmotion.c
+++ b/libavfilter/vf_vmafmotion.c
@@ -238,6 +238,9 @@ int ff_vmafmotion_init(VMAFMotionData *s,
 int i;
 const AVPixFmtDescriptor *desc = av_pix_fmt_desc_get(fmt);
 
+if (w < 3 || h < 3)
+return AVERROR(EINVAL);
+
 s->width = w;
 s->height = h;
 s->stride = FFALIGN(w * sizeof(uint16_t), 32);

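Review bot: The minimum of 3 in `w < 3 || h < 3` is a bare literal with no indication of where it comes from; name it or add a comment linking it to whatever in the filtering code requires it, so the bound is updated if that code changes. The function also returns `AVERROR(EINVAL)` without any message, so callers of `ff_vmafmotion_init()` have to report the rejected dimensions themselves.
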


[FFmpeg-cvslog] avfilter/vf_yadif: Fix handling of tiny images

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat May 29 11:17:35 2021 +0200| [6e2b18a895ca3d3df9682bbb313d3d1eaf2d7d1f] | 
committer: Michael Niedermayer

avfilter/vf_yadif: Fix handling of tiny images

Fixes: out of array access
Fixes: Ticket8240
Fixes: CVE-2020-22021

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7971f62120a55c141ec437aa3f0bacc1c1a3526b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6e2b18a895ca3d3df9682bbb313d3d1eaf2d7d1f
---

 libavfilter/vf_yadif.c | 32 ++--
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/libavfilter/vf_yadif.c b/libavfilter/vf_yadif.c
index 43dea67add..06fd24ecfa 100644
--- a/libavfilter/vf_yadif.c
+++ b/libavfilter/vf_yadif.c
@@ -123,20 +123,22 @@ static void filter_edges(void *dst1, void *prev1, void 
*cur1, void *next1,
 uint8_t *next2 = parity ? cur  : next;
 
 const int edge = MAX_ALIGN - 1;
+int offset = FFMAX(w - edge, 3);
 
 /* Only edge pixels need to be processed here.  A constant value of false
  * for is_not_edge should let the compiler ignore the whole branch. */
-FILTER(0, 3, 0)
+FILTER(0, FFMIN(3, w), 0)
 
-dst  = (uint8_t*)dst1  + w - edge;
-prev = (uint8_t*)prev1 + w - edge;
-cur  = (uint8_t*)cur1  + w - edge;
-next = (uint8_t*)next1 + w - edge;
+dst  = (uint8_t*)dst1  + offset;
+prev = (uint8_t*)prev1 + offset;
+cur  = (uint8_t*)cur1  + offset;
+next = (uint8_t*)next1 + offset;
 prev2 = (uint8_t*)(parity ? prev : cur);
 next2 = (uint8_t*)(parity ? cur  : next);
 
-FILTER(w - edge, w - 3, 1)
-FILTER(w - 3, w, 0)
+FILTER(offset, w - 3, 1)
+offset = FFMAX(offset, w - 3);
+FILTER(offset, w, 0)
 }
 
 
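Review bot: For `w < 3`, `offset = FFMAX(w - edge, 3)` is larger than `w`, so `dst1 + offset` and the three other pointers are formed beyond the end of the row. Both later `FILTER` ranges are empty in that case, so nothing is dereferenced, but this is only safe as long as the buffers extend past the row; returning right after `FILTER(0, FFMIN(3, w), 0)` when `w <= 3` would avoid forming those pointers and make the tiny-image path obvious.
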
@@ -170,21 +172,23 @@ static void filter_edges_16bit(void *dst1, void *prev1, 
void *cur1, void *next1,
 uint16_t *next2 = parity ? cur  : next;
 
 const int edge = MAX_ALIGN / 2 - 1;
+int offset = FFMAX(w - edge, 3);
 
 mrefs /= 2;
 prefs /= 2;
 
-FILTER(0, 3, 0)
+FILTER(0,  FFMIN(3, w), 0)
 
-dst   = (uint16_t*)dst1  + w - edge;
-prev  = (uint16_t*)prev1 + w - edge;
-cur   = (uint16_t*)cur1  + w - edge;
-next  = (uint16_t*)next1 + w - edge;
+dst   = (uint16_t*)dst1  + offset;
+prev  = (uint16_t*)prev1 + offset;
+cur   = (uint16_t*)cur1  + offset;
+next  = (uint16_t*)next1 + offset;
 prev2 = (uint16_t*)(parity ? prev : cur);
 next2 = (uint16_t*)(parity ? cur  : next);
 
-FILTER(w - edge, w - 3, 1)
-FILTER(w - 3, w, 0)
+FILTER(offset, w - 3, 1)
+offset = FFMAX(offset, w - 3);
+FILTER(offset, w, 0)
 }
 
 static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, int 
nb_jobs)

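Review bot: The 16-bit path repeats the clamping from `filter_edges()` line for line, so any later correction has to be made twice; a shared helper or macro for the offset computation would prevent the two from diverging. There is also a stray double space in `FILTER(0,  FFMIN(3, w), 0)`.
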


[FFmpeg-cvslog] avcodec/aacenc: Use FLT_EPSILON for lambda minimum

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Jun  1 10:07:05 2021 +0200| [2b70d3941f7a25562c95f522b1c16d388b2cbb27] | 
committer: Michael Niedermayer

avcodec/aacenc: Use FLT_EPSILON for lambda minimum

(cherry picked from commit 4b89cf7aa49191c7f8a5ae6e9cf6cfc79ff4ee5e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b70d3941f7a25562c95f522b1c16d388b2cbb27
---

 libavcodec/aacenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index 041f242092..a31da877fb 100644
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -853,7 +853,7 @@ static int aac_encode_frame(AVCodecContext *avctx, AVPacket 
*avpkt,
 /* Not so fast though */
 ratio = sqrtf(ratio);
 }
-s->lambda = av_clipf(s->lambda * ratio, FLT_MIN, 65536.f);
+s->lambda = av_clipf(s->lambda * ratio, FLT_EPSILON, 65536.f);
 
 /* Keep iterating if we must reduce and lambda is in the sky */
 if (ratio > 0.9f && ratio < 1.1f) {

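Review bot: The commit message gives no reason for replacing `FLT_MIN` with `FLT_EPSILON`. `FLT_EPSILON` is the gap between 1.0f and the next representable float, not a natural lower limit for a quantizer scale, so the choice needs a sentence of justification, ideally as a named constant with a comment next to the `av_clipf` call.
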


[FFmpeg-cvslog] avcodec/aacenc: Do not divide by lambda_count if it is 0

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat May 29 17:49:22 2021 +0200| [27727d56bfee30b3a9e74e8c9a7a498823c17cfe] | 
committer: Michael Niedermayer

avcodec/aacenc: Do not divide by lambda_count if it is 0

Avoids Floating point division by 0

Fixes: Ticket8011

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c520b986915a3fdf3a20f6ce0ad5833eccfb7a91)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27727d56bfee30b3a9e74e8c9a7a498823c17cfe
---

 libavcodec/aacenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacenc.c b/libavcodec/aacenc.c
index a31da877fb..be5e8e2108 100644
--- a/libavcodec/aacenc.c
+++ b/libavcodec/aacenc.c
@@ -898,7 +898,7 @@ static av_cold int aac_encode_end(AVCodecContext *avctx)
 {
 AACEncContext *s = avctx->priv_data;
 
-av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_sum / 
s->lambda_count);
+av_log(avctx, AV_LOG_INFO, "Qavg: %.3f\n", s->lambda_count ? s->lambda_sum 
/ s->lambda_count : NAN);
 
 ff_mdct_end(&s->mdct1024);
 ff_mdct_end(&s->mdct128);

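Review bot: With `s->lambda_count` at 0 this now prints "Qavg: nan" at `AV_LOG_INFO`, which tells the user nothing; skipping the log line when no frame was encoded would be cleaner than formatting a NaN.
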


[FFmpeg-cvslog] avcodec/aacpsy: Check bandwidth

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat May 29 17:50:27 2021 +0200| [159403fc9f2d80e822b9728040b57dfc3271c1df] | 
committer: Michael Niedermayer

avcodec/aacpsy: Check bandwidth

Fixes: Ticket8011

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 36dead4bc28ca8aab13c61661f28c68bdefa5e9d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=159403fc9f2d80e822b9728040b57dfc3271c1df
---

 libavcodec/aacpsy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/aacpsy.c b/libavcodec/aacpsy.c
index bd444fecdc..76458783ce 100644
--- a/libavcodec/aacpsy.c
+++ b/libavcodec/aacpsy.c
@@ -308,6 +308,9 @@ static av_cold int psy_3gpp_init(FFPsyContext *ctx) {
 const int bandwidth= ctx->cutoff ? ctx->cutoff : 
AAC_CUTOFF(ctx->avctx);
 const float num_bark   = calc_bark((float)bandwidth);
 
+if (bandwidth <= 0)
+return AVERROR(EINVAL);
+
 ctx->model_priv_data = av_mallocz(sizeof(AacPsyContext));
 if (!ctx->model_priv_data)
 return AVERROR(ENOMEM);

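Review bot: The `bandwidth <= 0` test comes after the initializer `num_bark = calc_bark((float)bandwidth)`, so the invalid value has already been passed to `calc_bark()` by the time it is rejected. Declare `num_bark` without the initializer and assign it after the check, so that the function never computes on a bandwidth it is about to refuse.
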


[FFmpeg-cvslog] avformat/rpl: Use 64bit in bitrate computation and check it

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Apr 26 22:43:51 2021 +0200| [5664263561ecd8e2781432bdf99322c7fa195b00] | 
committer: Michael Niedermayer

avformat/rpl: Use 64bit in bitrate computation and check it

Fixes: signed integer overflow: 6 * 4 cannot be represented in type 
'int'
Fixes: 
29102/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-6726188921913344

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 29b244ffc15abe2c24d2145f63048e8b3bdaa303)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5664263561ecd8e2781432bdf99322c7fa195b00
---

 libavformat/rpl.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index 0f00c03a52..940794606c 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -207,8 +207,10 @@ static int rpl_read_header(AVFormatContext *s)
 ast->codecpar->bits_per_coded_sample = 4;
 
 ast->codecpar->bit_rate = ast->codecpar->sample_rate *
-  ast->codecpar->bits_per_coded_sample *
-  ast->codecpar->channels;
+  (int64_t)ast->codecpar->channels;
+if (ast->codecpar->bit_rate > INT64_MAX / 
ast->codecpar->bits_per_coded_sample)
+return AVERROR_INVALIDDATA;
+ast->codecpar->bit_rate *= ast->codecpar->bits_per_coded_sample;
 
 ast->codecpar->codec_id = AV_CODEC_ID_NONE;
 switch (audio_format) {

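Review bot: The guard `bit_rate > INT64_MAX / bits_per_coded_sample` assumes a positive divisor and a non-negative product: a `bits_per_coded_sample` of 0 divides by zero, and a negative `sample_rate` or `channels` passes the test. The context shows `bits_per_coded_sample` being set to 4 just above, but not under which condition, so state the accepted range explicitly, for example by rejecting non-positive values of all three fields before multiplying.
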


[FFmpeg-cvslog] avcodec/svq1enc: Do not print debug RD value before it has been computed

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun May 30 18:09:37 2021 +0200| [478c5d838b456508a3b470d9a8aa1b799c71a445] | 
committer: Michael Niedermayer

avcodec/svq1enc: Do not print debug RD value before it has been computed

Avoids floating point division by 0

Fixes: Ticket8191

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c297f7e57a223da9f0d350e30456d60c8c87f902)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=478c5d838b456508a3b470d9a8aa1b799c71a445
---

 libavcodec/svq1enc.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/svq1enc.c b/libavcodec/svq1enc.c
index 4fac0c26e5..1b5da03245 100644
--- a/libavcodec/svq1enc.c
+++ b/libavcodec/svq1enc.c
@@ -487,9 +487,10 @@ static av_cold int svq1_encode_end(AVCodecContext *avctx)
 SVQ1EncContext *const s = avctx->priv_data;
 int i;
 
-av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
-   s->rd_total / (double)(avctx->width * avctx->height *
-  avctx->frame_number));
+if (avctx->frame_number)
+av_log(avctx, AV_LOG_DEBUG, "RD: %f\n",
+   s->rd_total / (double)(avctx->width * avctx->height *
+  avctx->frame_number));
 
 s->m.mb_type = NULL;
 ff_mpv_common_end(&s->m);

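Review bot: The new `if (avctx->frame_number)` removes the zero divisor, but `avctx->width * avctx->height * avctx->frame_number` is still multiplied as int and only then cast to double, so the product can overflow on a long encode. Cast the first operand instead: `(double)avctx->width * avctx->height * avctx->frame_number`.
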


[FFmpeg-cvslog] avcodec/vc2enc: Check for non negative slice bounds

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon May 31 21:40:17 2021 +0200| [350bedf7e2892a1201fdfac8260040d8ec4d4c6c] | 
committer: Michael Niedermayer

avcodec/vc2enc: Check for non negative slice bounds

Fixes: invalid shifts
Fixes: Ticket 8221

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f7862e82686b347eb6a9e64fa7ccdf25d5a76b4b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=350bedf7e2892a1201fdfac8260040d8ec4d4c6c
---

 libavcodec/vc2enc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vc2enc.c b/libavcodec/vc2enc.c
index 7bd2e4c2ab..295cc21dfa 100644
--- a/libavcodec/vc2enc.c
+++ b/libavcodec/vc2enc.c
@@ -982,6 +982,8 @@ static av_cold int vc2_encode_frame(AVCodecContext *avctx, 
AVPacket *avpkt,
 }
 
 s->slice_min_bytes = s->slice_max_bytes - 
s->slice_max_bytes*(s->tolerance/100.0f);
+if (s->slice_min_bytes < 0)
+return AVERROR(EINVAL);
 
 ret = encode_frame(s, avpkt, frame, aux_data, header_size, s->interlaced);
 if (ret)

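Review bot: `slice_min_bytes` goes negative when `s->tolerance` exceeds 100 (or when `s->slice_max_bytes` is itself negative), yet the check runs inside `vc2_encode_frame()` on every frame. If the tolerance is a setting fixed before encoding starts, rejecting an out-of-range value once at init would report the problem earlier and with a message; as written the encoder returns `AVERROR(EINVAL)` silently.
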


[FFmpeg-cvslog] avcodec/mpegvideo_enc: Reset stuffing bits if they are not supported

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun May 30 18:51:09 2021 +0200| [78b71acab71842317b462786aa26767de9f777f3] | 
committer: Michael Niedermayer

avcodec/mpegvideo_enc: Reset stuffing bits if they are not supported

Fixes: Assertion failure
Fixes: Ticket8202

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 996797f8ed06e6ccb5287e18a5de88b2b0db31ec)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78b71acab71842317b462786aa26767de9f777f3
---

 libavcodec/mpegvideo_enc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
index eb13d57d2b..69eabc08fe 100644
--- a/libavcodec/mpegvideo_enc.c
+++ b/libavcodec/mpegvideo_enc.c
@@ -2016,6 +2016,7 @@ FF_ENABLE_DEPRECATION_WARNINGS
 break;
 default:
 av_log(avctx, AV_LOG_ERROR, "vbv buffer overflow\n");
+s->stuffing_bits = 0;
 }
 flush_put_bits(&s->pb);
 s->frame_bits  = put_bits_count(&s->pb);
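Review bot: The added `s->stuffing_bits = 0;` in the `default:` branch has no comment, and the only text next to it is the "vbv buffer overflow" log message, which does not say why the counter is cleared. A one-line comment stating that this branch covers codecs that cannot emit stuffing, so the bits must not be counted afterwards, would keep the assignment from being removed as apparent leftover code.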



[FFmpeg-cvslog] avcodec/dpx: fix off by 1 in bits_per_color check

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun May 16 19:44:40 2021 +0200| [f91056a25a7db47e55ae3815c52932eac32803d6] | 
committer: Michael Niedermayer

avcodec/dpx: fix off by 1 in bits_per_color check

Fixes: CID1476303 Bad bit shift operation
Fixes: 34871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-6331163028357120

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ca9025f374e4c4632a8a1be623304b78ba6435f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f91056a25a7db47e55ae3815c52932eac32803d6
---

 libavcodec/dpx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c
index b02996f04c..915d94077e 100644
--- a/libavcodec/dpx.c
+++ b/libavcodec/dpx.c
@@ -242,7 +242,7 @@ static int decode_frame(AVCodecContext *avctx,
 return AVERROR_PATCHWELCOME;
 }
 
-if (bits_per_color > 32)
+if (bits_per_color > 31)
 return AVERROR_INVALIDDATA;
 
 buf += 820;
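Review bot: The bound in `if (bits_per_color > 31)` is a bare number, and its reason (the shifts by `bits_per_color` further down in decode_frame, touched by the second hunk) is not visible at the check. A short comment tying 31 to the shift width would help. Since this now rejects a depth of exactly 32 for the whole frame, please confirm that no 32-bit sample layout handled elsewhere in decode_frame is lost; if one is, guarding only the shift expression would be the narrower fix.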
@@ -319,7 +319,7 @@ static int decode_frame(AVCodecContext *avctx,
 minCV = av_int2float(i);
 maxCV = av_int2float(j);
 if (bits_per_color >= 1 &&
-minCV == 0.0f && maxCV == ((1= 8 &&
minCV == (1  <<(bits_per_color - 4)) &&



[FFmpeg-cvslog] avformat/rpl: Check for EOF and zero framesize

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Jun  3 22:46:05 2021 +0200| [57f68127da4f270967f67975e4e22e2ee36169f3] | 
committer: Michael Niedermayer

avformat/rpl: Check for EOF and zero framesize

Fixes: Infinite loop
Fixes: 34751/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5439330800762880
Fixes: 34774/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5851571660390400

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a0a4a527c3b0819368d9b148542bb7663f39df79)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=57f68127da4f270967f67975e4e22e2ee36169f3
---

 libavformat/rpl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index 940794606c..c474b76c45 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -336,7 +336,7 @@ static int rpl_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 
 avio_skip(pb, 4); /* flags */
 frame_size = avio_rl32(pb);
-if (avio_seek(pb, -8, SEEK_CUR) < 0)
+if (avio_feof(pb) || avio_seek(pb, -8, SEEK_CUR) < 0 || !frame_size)
 return AVERROR(EIO);
 
 ret = av_get_packet(pb, pkt, frame_size);
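Review bot: The combined condition returns AVERROR(EIO) for three different situations: end of file, a failed seek, and `frame_size == 0`. End of input would normally be reported as AVERROR_EOF and a zero frame size as AVERROR_INVALIDDATA, so that callers can tell a truncated file from a corrupt entry. Splitting the test into separate `if` statements with their own return codes would do that without changing the loop-termination fix.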



[FFmpeg-cvslog] avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Jun  5 19:54:45 2021 +0200| [42ae2836527e04e2fbab884cf971987a154b897f] | 
committer: Michael Niedermayer

avfilter/vf_ciescope: Fix undefined behavior in rgb_to_xy() with black

Fixes: floating point division by 0
Fixes: undefined behavior in handling NaN
Fixes: Ticket 8268

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3d500e62f6206ad11308b18976246366aed8c1a5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42ae2836527e04e2fbab884cf971987a154b897f
---

 libavfilter/vf_ciescope.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_ciescope.c b/libavfilter/vf_ciescope.c
index 719e66ad0f..2ddec3d06b 100644
--- a/libavfilter/vf_ciescope.c
+++ b/libavfilter/vf_ciescope.c
@@ -849,7 +849,8 @@ rgb_to_xy(double rc,
 *z = m[2][0] * rc + m[2][1] * gc + m[2][2] * bc;
 
 sum = *x + *y + *z;
-
+if (sum == 0)
+sum = 1;
 *x = *x / sum;
 *y = *y / sum;
 }
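Review bot: The guard `if (sum == 0) sum = 1;` silently maps an all-zero input to x = y = 0, and nothing in the function says that this is the intended chromaticity for black. A comment stating that choice would document it for whoever reads the plot code next. The exact comparison also covers only a sum of exactly zero; if `rc`, `gc` or `bc` can arrive as NaN, `sum` is NaN and the two divisions still propagate it.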



[FFmpeg-cvslog] avfilter/vf_dctdnoiz: Check threads

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Jun  5 20:00:38 2021 +0200| [79b69b5f4c7f4577972d1dd3accd736b48c91969] | 
committer: Michael Niedermayer

avfilter/vf_dctdnoiz: Check threads

Fixes: floating point division by 0
Fixes: Ticket 8269

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4a3917c02c428b11128ac3d4a01b780ea44aa53c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79b69b5f4c7f4577972d1dd3accd736b48c91969
---

 libavfilter/vf_dctdnoiz.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavfilter/vf_dctdnoiz.c b/libavfilter/vf_dctdnoiz.c
index a89f2631c8..2019a5b456 100644
--- a/libavfilter/vf_dctdnoiz.c
+++ b/libavfilter/vf_dctdnoiz.c
@@ -564,6 +564,9 @@ static int config_input(AVFilterLink *inlink)
inlink->h - s->pr_height);
 
 max_slice_h = s->pr_height / ((s->bsize - 1) * 2);
+if (max_slice_h == 0)
+return AVERROR(EINVAL);
+
 s->nb_threads = FFMIN3(MAX_THREADS, ff_filter_get_nb_threads(ctx), 
max_slice_h);
 av_log(ctx, AV_LOG_DEBUG, "threads: [max=%d hmax=%d user=%d] => %d\n",
MAX_THREADS, max_slice_h, ff_filter_get_nb_threads(ctx), 
s->nb_threads);
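Review bot: The new `if (max_slice_h == 0) return AVERROR(EINVAL);` fails without an av_log, so the user is not told that the padded height is too small for the chosen block size. An AV_LOG_ERROR message printing `s->pr_height` and `s->bsize` would fix that. The divisor `(s->bsize - 1) * 2` on the line above is itself zero when `bsize` is 1, so please confirm the option range excludes that value or check it here as well.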



[FFmpeg-cvslog] avformat/mov: Check for duplicate mdcv

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Jun  8 18:14:21 2021 +0200| [7af1a73711040b31f567a104dcb7d6c7b17abec7] | 
committer: Michael Niedermayer

avformat/mov: Check for duplicate mdcv

Fixes: memleak
Fixes: 34932/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5456227658235904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f54d85cee64b98bca5d2bee703f2a266ea75dce7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7af1a73711040b31f567a104dcb7d6c7b17abec7
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6c5caa7d04..d6427b3574 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5468,7 +5468,7 @@ static int mov_read_mdcv(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 
 sc = c->fc->streams[c->fc->nb_streams - 1]->priv_data;
 
-if (atom.size < 24) {
+if (atom.size < 24 || sc->mastering) {
 av_log(c->fc, AV_LOG_ERROR, "Invalid Mastering Display Color Volume 
box\n");
 return AVERROR_INVALIDDATA;
 }
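Review bot: Folding `sc->mastering` into the size check makes a duplicate mdcv box log "Invalid Mastering Display Color Volume box", which misdescribes the problem. A separate branch with its own message, for example one that says the box is a duplicate, would make logs from fuzzing and from real files easier to triage. It is also worth deciding whether a second box should abort with AVERROR_INVALIDDATA or be skipped with a warning, given that `sc->mastering` already holds the first one.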



[FFmpeg-cvslog] avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Jun  8 20:10:56 2021 +0200| [93ef1742117b914da8426c66a3cadb545568ce67] | 
committer: Michael Niedermayer

avcodec/ttadata: Add sentinel at the end of ff_tta_shift_1

Fixes: out of array access
Fixes: 34933/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5629322560929792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dbbcfbcc4e4f0e91f814f2e13ced7b6d99069518)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93ef1742117b914da8426c66a3cadb545568ce67
---

 libavcodec/ttadata.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/ttadata.c b/libavcodec/ttadata.c
index bf793a4cc8..aa9f418a7d 100644
--- a/libavcodec/ttadata.c
+++ b/libavcodec/ttadata.c
@@ -30,7 +30,8 @@ const uint32_t ff_tta_shift_1[] = {
 0x0100, 0x0200, 0x0400, 0x0800,
 0x1000, 0x2000, 0x4000, 0x8000,
 0x8000, 0x8000, 0x8000, 0x8000,
-0x8000, 0x8000, 0x8000, 0x8000
+0x8000, 0x8000, 0x8000, 0x8000,
+0x
 };
 
 const uint32_t * const ff_tta_shift_16 = ff_tta_shift_1 + 4;
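Review bot: The extra entry appended to `ff_tta_shift_1[]` carries no comment, so nothing in the table says it is a sentinel or which index reaches it. A trailing comment on that entry would stop it being removed later as an apparent typo. Because `ff_tta_shift_16` is defined as `ff_tta_shift_1 + 4`, the comment should also say whether the sentinel exists for accesses through that alias; bounding the index at the lookup site would remove the dependence on table length altogether.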



[FFmpeg-cvslog] avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Apr 28 16:50:13 2021 +0200| [a21c64199cddbea0356c98afa756fcf158634fd8] | 
committer: Michael Niedermayer

avcodec/utils: do "calc from frame_bytes, channels, and block_align" in 64bit

Fixes: signed integer overflow: 104962766 * 32 cannot be represented in type 'int'
Fixes: 33614/clusterfuzz-testcase-minimized-ffmpeg_dem_RSD_fuzzer-6252129036664832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3447979d08d701581a65f7275425cb1a59302319)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a21c64199cddbea0356c98afa756fcf158634fd8
---

 libavcodec/utils.c | 26 +-
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index d678355d3c..3f69c9c114 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -783,25 +783,33 @@ static int get_audio_frame_duration(enum AVCodecID id, 
int sr, int ch, int ba,
 if (ba > 0) {
 /* calc from frame_bytes, channels, and block_align */
 int blocks = frame_bytes / ba;
-int64_t tmp;
+int64_t tmp = 0;
 switch (id) {
 case AV_CODEC_ID_ADPCM_IMA_WAV:
 if (bps < 2 || bps > 5)
 return 0;
 tmp = blocks * (1LL + (ba - 4 * ch) / (bps * ch) * 8);
-if (tmp != (int)tmp)
-return 0;
-return tmp;
+break;
 case AV_CODEC_ID_ADPCM_IMA_DK3:
-return blocks * (((ba - 16) * 2 / 3 * 4) / ch);
+tmp = blocks * (((ba - 16LL) * 2 / 3 * 4) / ch);
+break;
 case AV_CODEC_ID_ADPCM_IMA_DK4:
-return blocks * (1 + (ba - 4 * ch) * 2 / ch);
+tmp = blocks * (1 + (ba - 4LL * ch) * 2 / ch);
+break;
 case AV_CODEC_ID_ADPCM_IMA_RAD:
-return blocks * ((ba - 4 * ch) * 2 / ch);
+tmp = blocks * ((ba - 4LL * ch) * 2 / ch);
+break;
 case AV_CODEC_ID_ADPCM_MS:
-return blocks * (2 + (ba - 7 * ch) * 2LL / ch);
+tmp = blocks * (2 + (ba - 7LL * ch) * 2LL / ch);
+break;
 case AV_CODEC_ID_ADPCM_MTAF:
-return blocks * (ba - 16) * 2 / ch;
+tmp = blocks * (ba - 16LL) * 2 / ch;
+break;
+}
+if (tmp) {
+if (tmp != (int)tmp)
+return 0;
+return tmp;
 }
 }
 
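Review bot: The post-switch `if (tmp)` uses 0 as the "no codec matched" marker, which changes behaviour for a matched codec whose formula evaluates to 0: the old `return blocks * ...` returned 0 immediately, while the new code leaves the `if (ba > 0)` block and carries on. If that is not intended, track the match with a separate flag or return from a small helper instead of overloading `tmp`. A negative `tmp` also passes both `if (tmp)` and `tmp != (int)tmp`, so an explicit `tmp < 0` rejection may be wanted for hostile `ba` and `ch` values.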



[FFmpeg-cvslog] avformat/utils: check dts/duration to be representable before using them

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Apr 18 22:39:30 2021 +0200| [71b264c8fa70821330df9c71f238d5aa1eef5a7d] | 
committer: Michael Niedermayer

avformat/utils: check dts/duration to be representable before using them

Fixes: signed integer overflow: 6854513951393103890 + 3427256975738527712 cannot be represented in type 'long'
Fixes: 32936/clusterfuzz-testcase-minimized-ffmpeg_dem_R3D_fuzzer-5236914752978944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bf4e7ec8257fd24a12327c7fa14e322028250be4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=71b264c8fa70821330df9c71f238d5aa1eef5a7d
---

 libavformat/utils.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index f341346200..5a70478a57 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1208,7 +1208,9 @@ static void update_initial_durations(AVFormatContext *s, 
AVStream *st,
 (pktl->pkt.dts == AV_NOPTS_VALUE ||
  pktl->pkt.dts == st->first_dts ||
  pktl->pkt.dts == RELATIVE_TS_BASE) &&
-!pktl->pkt.duration) {
+!pktl->pkt.duration &&
+av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration
+) {
 pktl->pkt.dts = cur_dts;
 if (!st->internal->avctx->has_b_frames)
 pktl->pkt.pts = cur_dts;
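Review bot: The added condition `av_sat_add64(cur_dts, duration) == cur_dts + (uint64_t)duration` is hard to read as an overflow test: it compares a saturating signed sum with an unsigned wrapping sum and depends on the implicit conversions agreeing only when nothing overflowed. A one-line comment, or a small helper named for what it checks, would make the intent clear. The `) {` left on its own line should also be folded back into the condition.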



[FFmpeg-cvslog] avformat/utils: Avoid overflow in codec_info_duration computation for subtitles

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Jun  9 21:10:32 2021 +0200| [4afa465eb33263dec1d0ef6e75ff931242447d66] | 
committer: Michael Niedermayer

avformat/utils: Avoid overflow in codec_info_duration computation for subtitles

Fixes: signed integer overflow: 9223126845747118112 - -2594073385365397472 cannot be represented in type 'long'
Fixes: 34936/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6739888002170880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ffe4851e2359e17c4406ab05e2e31fc7ef68de95)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4afa465eb33263dec1d0ef6e75ff931242447d66
---

 libavformat/utils.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 5a70478a57..20a597a60a 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3915,7 +3915,9 @@ FF_ENABLE_DEPRECATION_WARNINGS
 break;
 }
 if (pkt->duration) {
-if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE && pkt->pts != 
AV_NOPTS_VALUE && st->start_time != AV_NOPTS_VALUE && pkt->pts >= 
st->start_time) {
+if (avctx->codec_type == AVMEDIA_TYPE_SUBTITLE && pkt->pts != 
AV_NOPTS_VALUE && st->start_time != AV_NOPTS_VALUE && pkt->pts >= st->start_time
+&& (uint64_t)pkt->pts - st->start_time < INT64_MAX
+) {
 st->internal->info->codec_info_duration = FFMIN(pkt->pts - 
st->start_time, st->internal->info->codec_info_duration + pkt->duration);
 } else
 st->internal->info->codec_info_duration += pkt->duration;
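Review bot: When the new `(uint64_t)pkt->pts - st->start_time < INT64_MAX` test fails, control falls to the `else` branch, where `codec_info_duration += pkt->duration` is still an unchecked signed addition. Input hostile enough to trip the first test can reasonably be expected to stress that sum too, so it deserves the same care. Minor: the comparison excludes a difference of exactly INT64_MAX, which is representable, so `<=` would be the exact bound.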



[FFmpeg-cvslog] avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Jun  9 21:20:04 2021 +0200| [d91f3644ce3b32adcc31b2f559b6c82f1d5b567e] | 
committer: Michael Niedermayer

avcodec/faxcompr: Check if bits are available before reading in cmode == 9 || cmode == 10

Fixes: Timeout
Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7d8421e3d5bc1300687a65384baccbcb3874b7ac)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d91f3644ce3b32adcc31b2f559b6c82f1d5b567e
---

 libavcodec/faxcompr.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index d44de2485d..45e0c482d7 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -304,7 +304,10 @@ static int decode_group3_2d_line(AVCodecContext *avctx, 
GetBitContext *gb,
 mode = !mode;
 }
 } else if (cmode == 9 || cmode == 10) {
-int xxx = get_bits(gb, 3);
+int xxx;
+if (get_bits_left(gb) < 3)
+return AVERROR_INVALIDDATA;
+xxx = get_bits(gb, 3);
 if (cmode == 9 && xxx == 7) {
 int ret;
 int pix_left = width - offs;



[FFmpeg-cvslog] avcodec/faxcompr: Check available bits in decode_uncompressed()

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Jun  9 21:25:58 2021 +0200| [29d3e924a666c5837bd3cce48631da66e5ddbc50] | 
committer: Michael Niedermayer

avcodec/faxcompr: Check available bits in decode_uncompressed()

Fixes: Timeout
Fixes: 34950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5686764151898112
Fixes: 34966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4587409334468608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ff56c139e07a4de2803b974b6595f6b71fbf53bd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29d3e924a666c5837bd3cce48631da66e5ddbc50
---

 libavcodec/faxcompr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/faxcompr.c b/libavcodec/faxcompr.c
index 45e0c482d7..44c1f6f6b9 100644
--- a/libavcodec/faxcompr.c
+++ b/libavcodec/faxcompr.c
@@ -144,6 +144,8 @@ static int decode_uncompressed(AVCodecContext *avctx, 
GetBitContext *gb,
 return AVERROR_INVALIDDATA;
 }
 cwi = 10 - av_log2(cwi);
+if (get_bits_left(gb) < cwi + 1)
+return AVERROR_INVALIDDATA;
 skip_bits(gb, cwi + 1);
 if (cwi > 5) {
 newmode = get_bits1(gb);
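Review bot: The new `get_bits_left(gb) < cwi + 1` check covers the `skip_bits(gb, cwi + 1)` that follows but not the `get_bits1(gb)` taken when `cwi > 5`, which consumes one more bit. Checking for `cwi + 1 + (cwi > 5)` bits, or testing `get_bits_left(gb)` again before the `get_bits1` call, would cover the whole read.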



[FFmpeg-cvslog] avformat/rpl: The associative law doesn't hold for signed integers in C

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Jun 10 20:35:43 2021 +0200| [c5df87e259717b9bb72dd8a72dbf7539f454d281] | 
committer: Michael Niedermayer

avformat/rpl: The associative law doesn't hold for signed integers in C

Add () to avoid undefined behavior
Fixes: signed integer overflow: 9223372036854775790 + 57 cannot be represented in type 'long'
Fixes: 34983/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-5765822923538432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 480f11bdd713c15e4964093be7ef0adf5b619cc1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5df87e259717b9bb72dd8a72dbf7539f454d281
---

 libavformat/rpl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/rpl.c b/libavformat/rpl.c
index c474b76c45..ad3659e936 100644
--- a/libavformat/rpl.c
+++ b/libavformat/rpl.c
@@ -103,7 +103,7 @@ static AVRational read_fps(const char* line, int* error)
 // Truncate any numerator too large to fit into an int64_t
 if (num > (INT64_MAX - 9) / 10 || den > INT64_MAX / 10)
 break;
-num  = 10 * num + *line - '0';
+num  = 10 * num + (*line - '0');
 den *= 10;
 }
 if (!num)
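Review bot: The parentheses in `10 * num + (*line - '0')` are what keep the sum inside the bound set by the `num > (INT64_MAX - 9) / 10` test two lines up, but nothing in the code says so and they look redundant. A short comment on that line would stop a later cleanup from removing them and bringing back the overflow quoted in the commit message.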



[FFmpeg-cvslog] Update missed irc links

2021-06-18 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Jun 17 18:37:01 2021 +0200| [91aa49218e9f62af5eb028848218ad61fb6c87c7] | 
committer: Michael Niedermayer

Update missed irc links

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c067d20177613e9cf74bcbd2a26e729ef7ababdb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=91aa49218e9f62af5eb028848218ad61fb6c87c7
---

 RELEASE_NOTES   | 2 +-
 configure   | 2 +-
 doc/writing_filters.txt | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 67339dca85..312ec6f219 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -11,5 +11,5 @@
 
We hope you will like this release as much as we enjoyed working on it, and
as usual, if you have any questions about it, or any FFmpeg related topic,
-   feel free to join us on the #ffmpeg IRC channel (on irc.freenode.net) or ask
+   feel free to join us on the #ffmpeg IRC channel (on irc.libera.chat) or ask
on the mailing-lists.
diff --git a/configure b/configure
index 98113c95fd..658db349f4 100755
--- a/configure
+++ b/configure
@@ -536,7 +536,7 @@ die(){
 
 If you think configure made a mistake, make sure you are using the latest
 version from Git.  If the latest version fails, report the problem to the
-ffmpeg-u...@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
+ffmpeg-u...@ffmpeg.org mailing list or IRC #ffmpeg on irc.libera.chat.
 EOF
 if disabled logging; then
 cat 

[FFmpeg-cvslog] doc/mailing-list-faq.texi: remove remaining references to Freenode

2021-06-18 Thread James Almer
ffmpeg | branch: master | James Almer  | Fri Jun 18 19:21:11 
2021 -0300| [73b29807c7ca7470c0c79f9d275e2808b088d4fb] | committer: James Almer

doc/mailing-list-faq.texi: remove remaining references to Freenode

Signed-off-by: James Almer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=73b29807c7ca7470c0c79f9d275e2808b088d4fb
---

 doc/mailing-list-faq.texi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/mailing-list-faq.texi b/doc/mailing-list-faq.texi
index 439d783956..534ef3f802 100644
--- a/doc/mailing-list-faq.texi
+++ b/doc/mailing-list-faq.texi
@@ -116,7 +116,7 @@ or is abusive towards others).
 @section How long does it take for my message in the moderation queue to be 
approved?
 
 The queue is not checked on a regular basis. You can ask on the
-@t{#ffmpeg-devel} IRC channel on Freenode for someone to approve your message.
+@t{#ffmpeg-devel} IRC channel on Libera Chat for someone to approve your 
message.
 
 @anchor{How do I delete my message in the moderation queue?}
 @section How do I delete my message in the moderation queue?
@@ -155,7 +155,7 @@ Perform a site search using your favorite search engine. 
Example:
 
 @section Is there an alternative to the mailing list?
 
-You can ask for help in the official @t{#ffmpeg} IRC channel on Freenode.
+You can ask for help in the official @t{#ffmpeg} IRC channel on Libera Chat.
 
 Some users prefer the third-party @url{http://www.ffmpeg-archive.org/, Nabble}
 interface which presents the mailing lists in a typical forum layout.



[FFmpeg-cvslog] avcodec/ccaption_dec: Make real-time latency configurable

2021-06-18 Thread Pavel Koshevoy
ffmpeg | branch: master | Pavel Koshevoy  | Fri Jun 18 
19:20:03 2021 -0600| [b51c2c48c1fbb4f1ae6f07a1b9c5561a99d39063] | committer: 
Pavel Koshevoy

avcodec/ccaption_dec: Make real-time latency configurable

Un-hardcode the 200ms minimum latency between emitting subtitle events
so that those that wish to receive a subtitle event for every screen
change could do so.

The problem with delaying realtime output by any amount is that it is
unknown when the next byte pair that would trigger output will happen.
It may be within 200ms, or it may be several seconds later -- that's
not realtime at all.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b51c2c48c1fbb4f1ae6f07a1b9c5561a99d39063
---

 libavcodec/ccaption_dec.c | 4 +++-
 libavcodec/version.h  | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ccaption_dec.c b/libavcodec/ccaption_dec.c
index de05d037a8..27c61527f6 100644
--- a/libavcodec/ccaption_dec.c
+++ b/libavcodec/ccaption_dec.c
@@ -238,6 +238,7 @@ struct Screen {
 typedef struct CCaptionSubContext {
 AVClass *class;
 int real_time;
+int real_time_latency_msec;
 int data_field;
 struct Screen screen[2];
 int active_screen;
@@ -906,7 +907,7 @@ static int decode(AVCodecContext *avctx, void *data, int 
*got_sub, AVPacket *avp
 }
 
 if (ctx->real_time && ctx->screen_touched &&
-sub->pts > ctx->last_real_time + av_rescale_q(200, ms_tb, 
AV_TIME_BASE_Q)) {
+sub->pts >= ctx->last_real_time + 
av_rescale_q(ctx->real_time_latency_msec, ms_tb, AV_TIME_BASE_Q)) {
 ctx->last_real_time = sub->pts;
 ctx->screen_touched = 0;
 
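Review bot: Besides replacing the constant 200 with `ctx->real_time_latency_msec`, the condition changes `>` to `>=`, which the commit message does not mention. That alters the default behaviour at exactly 200 ms and is presumably needed so that a latency of 0 emits on every screen change. A sentence in the commit message or a comment at the comparison should say so.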
@@ -927,6 +928,7 @@ static int decode(AVCodecContext *avctx, void *data, int 
*got_sub, AVPacket *avp
 #define SD AV_OPT_FLAG_SUBTITLE_PARAM | AV_OPT_FLAG_DECODING_PARAM
 static const AVOption options[] = {
 { "real_time", "emit subtitle events as they are decoded for real-time 
display", OFFSET(real_time), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, SD },
+{ "real_time_latency_msec", "minimum elapsed time between emitting 
real-time subtitle events", OFFSET(real_time_latency_msec), AV_OPT_TYPE_INT, { 
.i64 = 200 }, 0, 500, SD },
 { "data_field", "select data field", OFFSET(data_field), AV_OPT_TYPE_INT, 
{ .i64 = -1 }, -1, 1, SD, "data_field" },
 { "auto",   "pick first one that appears", 0, AV_OPT_TYPE_CONST, { .i64 
=-1 }, 0, 0, SD, "data_field" },
 { "first",  NULL, 0, AV_OPT_TYPE_CONST, { .i64 = 0 }, 0, 0, SD, 
"data_field" },
diff --git a/libavcodec/version.h b/libavcodec/version.h
index 5b1e9e77f3..4518f697e2 100644
--- a/libavcodec/version.h
+++ b/libavcodec/version.h
@@ -29,7 +29,7 @@
 
 #define LIBAVCODEC_VERSION_MAJOR  59
 #define LIBAVCODEC_VERSION_MINOR   1
-#define LIBAVCODEC_VERSION_MICRO 101
+#define LIBAVCODEC_VERSION_MICRO 102
 
 #define LIBAVCODEC_VERSION_INT  AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \
LIBAVCODEC_VERSION_MINOR, \
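Review bot: The bump of `LIBAVCODEC_VERSION_MICRO` is the only change accompanying the new `real_time_latency_msec` option; the diffstat lists no file under doc/, so the option is not described in the decoder documentation. Please add an entry next to `real_time` that states the unit, the default of 200 and the 0 to 500 range, and explains why 500 is the upper limit.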
