[FFmpeg-cvslog] fftools/cmdutils: Add function to report error before exit
ffmpeg | branch: master | Andreas Rheinhardt | Sat Aug 27 14:52:13 2022 +0200| [e157b21a9081e3c4e8e22a4ae764dfbf0cc5b5b3] | committer: Andreas Rheinhardt fftools/cmdutils: Add function to report error before exit This is designed to improve and unify error handling for allocation failures for the many (often small) allocations that we have in the fftools. These typically either don't return an error message or an error message that is not really helpful to the user and can be replaced by a generic error message without loss of information. Reviewed-by: James Almer Signed-off-by: Andreas Rheinhardt > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e157b21a9081e3c4e8e22a4ae764dfbf0cc5b5b3 --- fftools/cmdutils.c | 6 ++ fftools/cmdutils.h | 11 +++ 2 files changed, 17 insertions(+) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index 18e768b386..da3d391694 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -90,6 +90,12 @@ void register_exit(void (*cb)(int ret)) program_exit = cb; } +void report_and_exit(int ret) +{ +av_log(NULL, AV_LOG_FATAL, "%s\n", av_err2str(ret)); +exit_program(AVUNERROR(ret)); +} + void exit_program(int ret) { if (program_exit) diff --git a/fftools/cmdutils.h b/fftools/cmdutils.h index d87e162ccd..4496221983 100644 --- a/fftools/cmdutils.h +++ b/fftools/cmdutils.h 
@@ -54,6 +54,17 @@ extern int hide_banner; */ void register_exit(void (*cb)(int ret)); +/** + * Reports an error corresponding to the provided + * AVERROR code and calls exit_program() with the + * corresponding POSIX error code. + * @note ret must be an AVERROR-value of a POSIX error code + * (i.e. AVERROR(EFOO) and not AVERROR_FOO). + * library functions can return both, so call this only + * with AVERROR(EFOO) of your own. + */ +void report_and_exit(int ret) av_noreturn; + /** * Wraps exit with a program-specific cleanup routine. */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
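Review bot: The `@note` on report_and_exit() states a precondition that the definition added in cmdutils.c does not enforce, since it passes `AVUNERROR(ret)` straight to exit_program(). A caller that forwards a library return value (an AVERROR_FOO tag, or 0) would exit with a status unrelated to the failure. Exit statuses are commonly truncated to 8 bits, and `ret == 0` would report success to the calling shell. Consider guarding the definition, for example `av_assert0(ret < 0);` if avassert.h is available there, or falling back to `exit_program(1)` when the value is not a plain errno code.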
[FFmpeg-cvslog] fftools: Use report_error_then_exit_program() for allocation failures
ffmpeg | branch: master | Andreas Rheinhardt | Sat Aug 27 15:41:16 2022 +0200| [601faaed92de2fb036463b647d5b26cb7c649002] | committer: Andreas Rheinhardt fftools: Use report_error_then_exit_program() for allocation failures Signed-off-by: Andreas Rheinhardt > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=601faaed92de2fb036463b647d5b26cb7c649002 --- fftools/cmdutils.c | 21 +-- fftools/ffmpeg.c| 25 +++--- fftools/ffmpeg_filter.c | 10 +++ fftools/ffmpeg_opt.c| 70 +++-- fftools/ffprobe.c | 6 ++--- fftools/opt_common.c| 6 ++--- 6 files changed, 52 insertions(+), 86 deletions(-) diff --git a/fftools/cmdutils.c b/fftools/cmdutils.c index da3d391694..f911c52be2 100644 --- a/fftools/cmdutils.c +++ b/fftools/cmdutils.c @@ -656,7 +656,7 @@ static void init_parse_context(OptionParseContext *octx, octx->nb_groups = nb_groups; octx->groups= av_calloc(octx->nb_groups, sizeof(*octx->groups)); if (!octx->groups) -exit_program(1); +report_and_exit(AVERROR(ENOMEM)); for (i = 0; i < octx->nb_groups; i++) octx->groups[i].group_def = &groups[i]; @@ -964,11 +964,8 @@ AVDictionary **setup_find_stream_info_opts(AVFormatContext *s, if (!s->nb_streams) return NULL; opts = av_calloc(s->nb_streams, sizeof(*opts)); -if (!opts) { -av_log(NULL, AV_LOG_ERROR, - "Could not alloc memory for stream options.\n"); -exit_program(1); -} +if (!opts) +report_and_exit(AVERROR(ENOMEM)); for (i = 0; i < s->nb_streams; i++) opts[i] = filter_codec_opts(codec_opts, s->streams[i]->codecpar->codec_id, s, s->streams[i], NULL); @@ -983,10 +980,8 @@ void *grow_array(void *array, int elem_size, int *size, int new_size) } if (*size < new_size) { uint8_t *tmp = av_realloc_array(array, new_size, elem_size); -if (!tmp) { -av_log(NULL, AV_LOG_ERROR, "Could not alloc buffer.\n"); -exit_program(1); -} +if (!tmp) +report_and_exit(AVERROR(ENOMEM)); memset(tmp + *size*elem_size, 0, (new_size-*size) * elem_size); *size = new_size; return tmp; 
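Review bot: In init_parse_context(), and likewise in setup_find_stream_info_opts() and grow_array() below, the process exit status changes from the fixed `1` of `exit_program(1)` to the value report_and_exit() derives from ENOMEM, which is a platform-dependent errno number. The commit message does not mention this, and wrappers or monitoring that test for exit status 1 would see a different code. If the change is intended, one sentence in the commit message or the tools' documentation would make it explicit. All three functions start and end outside their hunks.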
@@ -999,10 +994,8 @@ void *allocate_array_elem(void *ptr, size_t elem_size, int *nb_elems) void *new_elem; if (!(new_elem = av_mallocz(elem_size)) || -av_dynarray_add_nofree(ptr, nb_elems, new_elem) < 0) { -av_log(NULL, AV_LOG_ERROR, "Could not alloc buffer.\n"); -exit_program(1); -} +av_dynarray_add_nofree(ptr, nb_elems, new_elem) < 0) +report_and_exit(AVERROR(ENOMEM)); return new_elem; } diff --git a/fftools/ffmpeg.c b/fftools/ffmpeg.c index fbabbe6ea2..0e1477299d 100644 --- a/fftools/ffmpeg.c +++ b/fftools/ffmpeg.c @@ -1096,10 +1096,8 @@ static void do_subtitle_out(OutputFile *of, return; ret = av_new_packet(pkt, subtitle_out_max_size); -if (ret < 0) { -av_log(NULL, AV_LOG_FATAL, "Failed to allocate subtitle encode buffer\n"); -exit_program(1); -} +if (ret < 0) +report_and_exit(AVERROR(ENOMEM)); sub->pts = pts; // start_display_time is required to be 0 @@ -2349,7 +2347,7 @@ static int transcode_subtitles(InputStream *ist, AVPacket *pkt, int *got_output, if (!ist->sub2video.sub_queue) ist->sub2video.sub_queue = av_fifo_alloc2(8, sizeof(AVSubtitle), AV_FIFO_FLAG_AUTO_GROW); if (!ist->sub2video.sub_queue) -exit_program(1); +report_and_exit(AVERROR(ENOMEM)); ret = av_fifo_write(ist->sub2video.sub_queue, &subtitle, 1); if (ret < 0) @@ -2883,7 +2881,7 @@ static void set_encoder_id(OutputFile *of, OutputStream *ost) encoder_string_len = sizeof(LIBAVCODEC_IDENT) + strlen(cname) + 2; encoder_string = av_mallocz(encoder_string_len); if (!encoder_string) -exit_program(1); +report_and_exit(AVERROR(ENOMEM)); if (!of->bitexact && !ost->bitexact) av_strlcpy(encoder_string, LIBAVCODEC_IDENT " ", encoder_string_len); @@ -2906,10 +2904,8 @@ static void parse_forced_key_frames(char *kf, OutputStream *ost, n++; size = n; pts = av_malloc_array(size, sizeof(*pts)); -if (!pts) { -av_log(NULL, AV_LOG_FATAL, "Could not allocate forced key frames array.\n"); -exit_program(1); -} +if (!pts) +report_and_exit(AVERROR(ENOMEM)); p = kf; for (i = 0; i < n; i++) { 
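Review bot: In the do_subtitle_out() hunk the return value of av_new_packet() is tested and then discarded, so AVERROR(ENOMEM) is reported whatever the cause. av_new_packet() can also reject an invalid size, so an out-of-range `subtitle_out_max_size` would be logged as an out-of-memory condition. A short comment such as `/* ret is AVERROR(ENOMEM) or AVERROR(EINVAL); both are reported as ENOMEM */`, or an explicit branch on `ret == AVERROR(EINVAL)`, would record the decision. The function begins and ends outside the hunk.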
@@ -2928,11 +2924,8 @@ static void parse_forced_key_frames(char *kf, OutputStream *ost, if (nb_ch > INT_MAX - size || !(pts = av_realloc_f(pts, size += nb_ch - 1, - sizeof(*pts { -av_log(NULL, AV_LOG_FATAL, - "Could not alloca
[FFmpeg-cvslog] fftools/ffmpeg_opt: Check creation of new program
ffmpeg | branch: master | Andreas Rheinhardt | Thu Aug 25 23:11:02 2022 +0200| [90aa2a88f98473810bbbf6514a8327ae8ea9208a] | committer: Andreas Rheinhardt fftools/ffmpeg_opt: Check creation of new program Fixes Coverity issue #1512413. Signed-off-by: Andreas Rheinhardt > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90aa2a88f98473810bbbf6514a8327ae8ea9208a --- fftools/ffmpeg_opt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c index c8d3ec3ea6..5febe319e4 100644 --- a/fftools/ffmpeg_opt.c +++ b/fftools/ffmpeg_opt.c @@ -2759,6 +2759,8 @@ static void of_add_programs(AVFormatContext *oc, const OptionsContext *o) } program = av_new_program(oc, progid); +if (!program) +report_and_exit(AVERROR(ENOMEM)); p = o->program[i].u.str; while(*p) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Apr 11 22:40:59 2022 +0200| [5e821d91436ee47daa674fe58130a4b73c77a719] | committer: Michael Niedermayer avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d74078270198b97fdda258840f0d501a3ffcc693) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5e821d91436ee47daa674fe58130a4b73c77a719 --- libavfilter/video.c | 8 +++- libavfilter/video.h | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/video.c b/libavfilter/video.c index 7ef04144e4..6e5b7fcb14 100644 --- a/libavfilter/video.c +++ b/libavfilter/video.c @@ -24,6 +24,7 @@ #include #include "libavutil/buffer.h" +#include "libavutil/cpu.h" #include "libavutil/hwcontext.h" #include "libavutil/imgutils.h" @@ -40,7 +41,7 @@ AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h) return ff_get_video_buffer(link->dst->outputs[0], w, h); } -AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align) { AVFrame *frame = NULL; int pool_width = 0; @@ -95,6 +96,11 @@ AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) return frame; } +AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h) +{ +return ff_default_get_video_buffer2(link, w, h, av_cpu_max_align()); +} + AVFrame *ff_get_video_buffer(AVFilterLink *link, int w, int h) { AVFrame *ret = NULL; diff --git a/libavfilter/video.h b/libavfilter/video.h index f448e4ada4..f37bab9d03 100644 --- a/libavfilter/video.h +++ b/libavfilter/video.h 
@@ -24,6 +24,7 @@ #include "avfilter.h" AVFrame *ff_default_get_video_buffer(AVFilterLink *link, int w, int h); +AVFrame *ff_default_get_video_buffer2(AVFilterLink *link, int w, int h, int align); AVFrame *ff_null_get_video_buffer(AVFilterLink *link, int w, int h); /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
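Review bot: The new prototype `ff_default_get_video_buffer2()` in video.h is added without a doc comment, so the meaning and valid range of `align` are left to the reader. The only value visible in this commit is `av_cpu_max_align()`, passed by the wrapper in video.c. Whether the body validates `align` (positive, power of two) cannot be seen because it lies outside the hunks. I would add a comment above the declaration along the lines of `/** Like ff_default_get_video_buffer(), but with an explicit buffer alignment in bytes. */` and state the accepted values there.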
[FFmpeg-cvslog] avformat/genh: Check sample rate
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Apr 11 22:00:52 2022 +0200| [0af520417b56baa7974cb91bddd8ded069a3198b] | committer: Michael Niedermayer avformat/genh: Check sample rate Fixes: signed integer overflow: -2515507630940093440 * 4 cannot be represented in type 'long' Fixes: 46318/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5009637474172928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit a3d790f1977ed6c326eb93bb61757297a7905dcc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0af520417b56baa7974cb91bddd8ded069a3198b --- libavformat/genh.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/genh.c b/libavformat/genh.c index f9b222d8cd..eae23e59f2 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -68,6 +68,9 @@ static int genh_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; st->codecpar->block_align = align * st->codecpar->channels; st->codecpar->sample_rate = avio_rl32(s->pb); +if (st->codecpar->sample_rate < 0) +return AVERROR_INVALIDDATA; + avio_skip(s->pb, 4); st->duration = avio_rl32(s->pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
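Review bot: The added check rejects only negative rates, so a `sample_rate` of 0 read from the file is still accepted. Whether the rest of genh_read_header() tolerates a zero rate, for example when the time base is set, lies outside the hunk. If it does not, the guard should read `if (st->codecpar->sample_rate <= 0)`.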
[FFmpeg-cvslog] avformat/demux: Use unsigned to check duration vs duration_text
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Apr 11 21:52:55 2022 +0200| [14d8814edca862895fbf64187c32f2ac61afde90] | committer: Michael Niedermayer avformat/demux: Use unsigned to check duration vs duration_text Fixes: signed integer overflow: 9223371898743775808 - -13811100 cannot be represented in type 'long' Fixes: 46245/clusterfuzz-testcase-minimized-ffmpeg_dem_OGG_fuzzer-5075129786302464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 6007d5688c8b0efe5bb8489cca3a0e32b2001263) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14d8814edca862895fbf64187c32f2ac61afde90 --- libavformat/demux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/demux.c b/libavformat/demux.c index f895f0ba85..0aba11e70b 100644 --- a/libavformat/demux.c +++ b/libavformat/demux.c @@ -1586,7 +1586,7 @@ static void update_stream_timings(AVFormatContext *ic) else if (end_time < end_time_text) av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream endtime %f\n", end_time_text / (float)AV_TIME_BASE); - if (duration == INT64_MIN || (duration < duration_text && duration_text - duration < AV_TIME_BASE)) + if (duration == INT64_MIN || (duration < duration_text && (uint64_t)duration_text - duration < AV_TIME_BASE)) duration = duration_text; else if (duration < duration_text) av_log(ic, AV_LOG_VERBOSE, "Ignoring outlier non primary stream duration %f\n", duration_text / (float)AV_TIME_BASE); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
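Review bot: The `(uint64_t)` cast in `(uint64_t)duration_text - duration < AV_TIME_BASE` is correct only because the preceding `duration < duration_text` guarantees a non-negative difference, and that dependency is easy to lose in a later edit. A one-line comment above the condition would record it, e.g. `/* duration < duration_text holds here, so the unsigned difference cannot wrap */`. update_stream_timings() starts and ends outside the hunk.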
[FFmpeg-cvslog] avfilter/vsrc_mandelbrot: Check for malloc failure
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Apr 21 22:45:12 2022 +0200| [e509fa78c1e8d310a81fd8fb16d48db853407d9c] | committer: Michael Niedermayer avfilter/vsrc_mandelbrot: Check for malloc failure Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit fbd22504c4148d2a01ccfe38df26c144f56db76b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e509fa78c1e8d310a81fd8fb16d48db853407d9c --- libavfilter/vsrc_mandelbrot.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vsrc_mandelbrot.c b/libavfilter/vsrc_mandelbrot.c index 83e39f1d13..0484b4dab4 100644 --- a/libavfilter/vsrc_mandelbrot.c +++ b/libavfilter/vsrc_mandelbrot.c @@ -134,6 +134,9 @@ static av_cold int init(AVFilterContext *ctx) s-> next_cache= av_malloc_array(s->cache_allocated, sizeof(*s-> next_cache)); s-> zyklus= av_malloc_array(s->maxiter + 16, sizeof(*s->zyklus)); +if (!s->point_cache || !s->next_cache || !s->zyklus) +return AVERROR(ENOMEM); + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Apr 11 13:49:05 2022 +0200| [6a32a608dc277c4c90fecdd13af65e10fc6ac4c4] | committer: Michael Niedermayer avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements Fixes: issues with non trivial linesize Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d353909e773ba8a8201fa13d6c35251351dd567a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6a32a608dc277c4c90fecdd13af65e10fc6ac4c4 --- libavfilter/vf_frei0r.c | 22 -- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/libavfilter/vf_frei0r.c b/libavfilter/vf_frei0r.c index 9cd0098e73..f11ae6e55c 100644 --- a/libavfilter/vf_frei0r.c +++ b/libavfilter/vf_frei0r.c @@ -353,14 +353,20 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) { Frei0rContext *s = inlink->dst->priv; AVFilterLink *outlink = inlink->dst->outputs[0]; -AVFrame *out; +AVFrame *out = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); +if (!out) +goto fail; -out = ff_get_video_buffer(outlink, outlink->w, outlink->h); -if (!out) { +av_frame_copy_props(out, in); + +if (in->linesize[0] != out->linesize[0]) { +AVFrame *in2 = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); +if (!in2) +goto fail; +av_frame_copy(in2, in); av_frame_free(&in); -return AVERROR(ENOMEM); +in = in2; } -av_frame_copy_props(out, in); s->update(s->instance, in->pts * av_q2d(inlink->time_base) * 1000, (const uint32_t *)in->data[0], @@ -369,6 +375,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in) av_frame_free(&in); return ff_filter_frame(outlink, out); +fail: +av_frame_free(&in); +av_frame_free(&out); +return AVERROR(ENOMEM); } static int process_command(AVFilterContext *ctx, const char *cmd, const char *args, 
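Review bot: In filter_frame(), when `in->linesize[0] != out->linesize[0]` the input is replaced by `in2`, but only pixel data is copied into it, so the `in->pts` read by the following `s->update(...)` call comes from a frame whose properties were never set. The timestamp handed to the plugin on that path is therefore probably AV_NOPTS_VALUE rather than the frame's real pts. Adding `av_frame_copy_props(in2, in);` before `av_frame_free(&in);`, or using `out->pts` in the update call, would fix it. The return value of `av_frame_copy(in2, in)` is also ignored, so after a failed copy the plugin would process a pool buffer that was never filled; checking it and taking the `fail:` path (after freeing `in2`) would close that gap.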
@@ -465,7 +475,7 @@ static int source_config_props(AVFilterLink *outlink) static int source_request_frame(AVFilterLink *outlink) { Frei0rContext *s = outlink->src->priv; -AVFrame *frame = ff_get_video_buffer(outlink, outlink->w, outlink->h); +AVFrame *frame = ff_default_get_video_buffer2(outlink, outlink->w, outlink->h, 16); if (!frame) return AVERROR(ENOMEM); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avfilter/vf_libplacebo: Match AV_OPT_TYPE_FLOAT to dbl
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue May 3 22:17:39 2022 +0200| [0327a29c9301e610e7c0ce75b159957d6b2ced60] | committer: Michael Niedermayer avfilter/vf_libplacebo: Match AV_OPT_TYPE_FLOAT to dbl Reviewed-by: "myp...@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit 0a3e121798081f40a377951a8c2a847a629ec7e7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0327a29c9301e610e7c0ce75b159957d6b2ced60 --- libavfilter/vf_libplacebo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavfilter/vf_libplacebo.c b/libavfilter/vf_libplacebo.c index 31ae28ac38..a8fa341e48 100644 --- a/libavfilter/vf_libplacebo.c +++ b/libavfilter/vf_libplacebo.c @@ -652,7 +652,7 @@ static const AVOption libplacebo_options[] = { /* Performance/quality tradeoff options */ { "skip_aa", "Skip anti-aliasing", OFFSET(skip_aa), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 0, DYNAMIC }, -{ "polar_cutoff", "Polar LUT cutoff", OFFSET(polar_cutoff), AV_OPT_TYPE_FLOAT, {.i64 = 0}, 0.0, 1.0, DYNAMIC }, +{ "polar_cutoff", "Polar LUT cutoff", OFFSET(polar_cutoff), AV_OPT_TYPE_FLOAT, {.dbl = 0}, 0.0, 1.0, DYNAMIC }, { "disable_linear", "Disable linear scaling", OFFSET(disable_linear), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC }, { "disable_builtin", "Disable built-in scalers", OFFSET(disable_builtin), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC }, { "force_icc_lut", "Force the use of a full ICC 3DLUT for color mapping", OFFSET(force_icc_lut), AV_OPT_TYPE_BOOL, {.i64 = 0}, 0, 1, DYNAMIC }, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/libzmq: Improve r redundancy in occured
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue May 3 22:21:32 2022 +0200| [b00df63465c47ddefc8fe06a833d7d22b64f3186] | committer: Michael Niedermayer avformat/libzmq: Improve r redundancy in occured Reviewed-by: "myp...@gmail.com" (cherry picked from commit e06b1ba7d79ac15f23fb08947949dcfec8bfb408) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b00df63465c47ddefc8fe06a833d7d22b64f3186 --- libavformat/libzmq.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/libzmq.c b/libavformat/libzmq.c index 1b0d8638db..04c72ac601 100644 --- a/libavformat/libzmq.c +++ b/libavformat/libzmq.c @@ -51,7 +51,7 @@ static int zmq_proto_wait(URLContext *h, void *socket, int write) zmq_pollitem_t items = { .socket = socket, .fd = 0, .events = ev, .revents = 0 }; ret = zmq_poll(&items, 1, POLLING_TIME); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_poll(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_poll(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return items.revents & ev ? 0 : AVERROR(EAGAIN); @@ -90,7 +90,7 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) s->context = zmq_ctx_new(); if (!s->context) { /*errno not set on failure during zmq_ctx_new()*/ -av_log(h, AV_LOG_ERROR, "Error occured during zmq_ctx_new()\n"); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_ctx_new()\n"); return AVERROR_EXTERNAL; } 
@@ -100,13 +100,13 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) if (h->flags & AVIO_FLAG_WRITE) { s->socket = zmq_socket(s->context, ZMQ_PUB); if (!s->socket) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_bind(s->socket, uri); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_bind(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_bind(): %s\n", ZMQ_STRERROR); goto fail_close; } } @@ -115,19 +115,19 @@ static int zmq_proto_open(URLContext *h, const char *uri, int flags) if (h->flags & AVIO_FLAG_READ) { s->socket = zmq_socket(s->context, ZMQ_SUB); if (!s->socket) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_socket(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_socket(): %s\n", ZMQ_STRERROR); goto fail_term; } ret = zmq_setsockopt(s->socket, ZMQ_SUBSCRIBE, "", 0); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_setsockopt(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_setsockopt(): %s\n", ZMQ_STRERROR); goto fail_close; } ret = zmq_connect(s->socket, uri); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_connect(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_connect(): %s\n", ZMQ_STRERROR); goto fail_close; } } @@ -150,7 +150,7 @@ static int zmq_proto_write(URLContext *h, const unsigned char *buf, int size) return ret; ret = zmq_send(s->socket, buf, size, 0); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_send(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_send(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } return ret; /*number of bytes sent*/ 
@@ -166,7 +166,7 @@ static int zmq_proto_read(URLContext *h, unsigned char *buf, int size) return ret; ret = zmq_recv(s->socket, buf, size, 0); if (ret == -1) { -av_log(h, AV_LOG_ERROR, "Error occured during zmq_recv(): %s\n", ZMQ_STRERROR); +av_log(h, AV_LOG_ERROR, "Error occurred during zmq_recv(): %s\n", ZMQ_STRERROR); return AVERROR_EXTERNAL; } if (ret > size) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/act: Check ff_get_wav_header() for failure
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun May 15 22:55:12 2022 +0200| [b9bda06ea5bca8745b9ef471fd80c21be8f498b5] | committer: Michael Niedermayer avformat/act: Check ff_get_wav_header() for failure Fixes: missing error check Fixes: CID717495 Signed-off-by: Michael Niedermayer (cherry picked from commit 5982da87e3464e7df529a169352748560d70ba80) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9bda06ea5bca8745b9ef471fd80c21be8f498b5 --- libavformat/act.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/act.c b/libavformat/act.c index a369157647..62c9a56e0b 100644 --- a/libavformat/act.c +++ b/libavformat/act.c @@ -67,6 +67,7 @@ static int read_header(AVFormatContext *s) AVIOContext *pb = s->pb; int size; AVStream* st; +int ret; int min,sec,msec; @@ -76,7 +77,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 16); size=avio_rl32(pb); -ff_get_wav_header(s, pb, st->codecpar, size, 0); +ret = ff_get_wav_header(s, pb, st->codecpar, size, 0); +if (ret < 0) +return ret; /* 8000Hz (Fine-rec) file format has 10 bytes long ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/texturedspenc: Fix indexing in color distribution determination
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jan 2 00:28:33 2017 +0100| [bfb365e851ac97fc6881044a87ecabad2383b7fc] | committer: Michael Niedermayer avcodec/texturedspenc: Fix indexing in color distribution determination Fixes CID1396405 MSE and PSNR is slightly improved, and some noticable corruptions disappear as well. Signed-off-by: Michael Niedermayer Signed-off-by: Marton Balint (cherry picked from commit ade36d61de8ea5a5acb30a05a0cbcda069127143) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bfb365e851ac97fc6881044a87ecabad2383b7fc --- libavcodec/texturedspenc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/texturedspenc.c b/libavcodec/texturedspenc.c index 3d68e0cf39..5ce72cbd1e 100644 --- a/libavcodec/texturedspenc.c +++ b/libavcodec/texturedspenc.c @@ -255,11 +255,11 @@ static void optimize_colors(const uint8_t *block, ptrdiff_t stride, muv = minv = maxv = bp[0]; for (y = 0; y < 4; y++) { -for (x = 4; x < 4; x += 4) { +for (x = 0; x < 4; x++) { muv += bp[x * 4 + y * stride]; -if (bp[x] < minv) +if (bp[x * 4 + y * stride] < minv) minv = bp[x * 4 + y * stride]; -else if (bp[x] > maxv) +else if (bp[x * 4 + y * stride] > maxv) maxv = bp[x * 4 + y * stride]; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
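Review bot: `muv` is still seeded with `bp[0]` by the context line `muv = minv = maxv = bp[0];`, and the corrected loop now starts at `x = 0, y = 0`, so the first texel is added twice. If `muv` is later averaged over the 16 texels of the block (that use lies outside the hunk), the mean is biased towards that texel. Seeding the accumulator separately, `muv = 0; minv = maxv = bp[0];`, would keep the min/max logic and sum each texel once.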
[FFmpeg-cvslog] avcodec/libxavs2: Improve r redundancy in occured
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue May 3 22:22:00 2022 +0200| [0cbe98cbbef6390596f30fee8d75cc95ac4c4ddf] | committer: Michael Niedermayer avcodec/libxavs2: Improve r redundancy in occured Reviewed-by: "myp...@gmail.com" Signed-off-by: Michael Niedermayer (cherry picked from commit f3b7ba21ba49b32b4476a8c7c5a9bcdad15e3943) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0cbe98cbbef6390596f30fee8d75cc95ac4c4ddf --- libavcodec/libxavs2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/libxavs2.c b/libavcodec/libxavs2.c index 9c5a576e90..a998191bdf 100644 --- a/libavcodec/libxavs2.c +++ b/libavcodec/libxavs2.c @@ -206,7 +206,7 @@ static int xavs2_encode_frame(AVCodecContext *avctx, AVPacket *pkt, ret = cae->api->encoder_encode(cae->encoder, &pic, &cae->packet); if (ret) { -av_log(avctx, AV_LOG_ERROR, "Encoding error occured.\n"); +av_log(avctx, AV_LOG_ERROR, "Encoding error occurred.\n"); return AVERROR_EXTERNAL; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/asfdec_f: Check packet_frag_timestamp
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Mar 20 23:13:16 2022 +0100| [6a60c92be02aa602f15e678ac1b500b216756c85] | committer: Michael Niedermayer avformat/asfdec_f: Check packet_frag_timestamp Fixes: signed integer overflow: -9223372036854775808 - 4607 cannot be represented in type 'long' Fixes: 45685/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5280102802391040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ffc877215056e8f0feb1ff23ba7dc4c19277b94b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6a60c92be02aa602f15e678ac1b500b216756c85 --- libavformat/asfdec_f.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index a8f36ed286..b45118e5d1 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -1216,10 +1216,12 @@ static int asf_parse_packet(AVFormatContext *s, AVIOContext *pb, AVPacket *pkt) if ((ret = av_new_packet(&asf_st->pkt, asf_st->packet_obj_size)) < 0) return ret; asf_st->seq = asf->packet_seq; -if (asf->ts_is_pts) { -asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; -} else -asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; +if (asf->packet_frag_timestamp != AV_NOPTS_VALUE) { +if (asf->ts_is_pts) { +asf_st->pkt.pts = asf->packet_frag_timestamp - asf->hdr.preroll; +} else +asf_st->pkt.dts = asf->packet_frag_timestamp - asf->hdr.preroll; +} asf_st->pkt.stream_index = asf->stream_index; asf_st->pkt.pos = asf_st->packet_pos = asf->packet_pos; asf_st->pkt_clean= 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/bfi: Check offsets better
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Mar 20 23:24:40 2022 +0100| [25d7f2eed5bfdf6499d674474353011dc4e1029b] | committer: Michael Niedermayer avformat/bfi: Check offsets better Fixes: signed integer overflow: -2145378272 - 538976288 cannot be represented in type 'int' Fixes: 45690/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5015496544616448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 35dc93ab44a57d78956414624c4e011414220e98) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25d7f2eed5bfdf6499d674474353011dc4e1029b --- libavformat/bfi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/bfi.c b/libavformat/bfi.c index 69000118fa..f658143cfc 100644 --- a/libavformat/bfi.c +++ b/libavformat/bfi.c @@ -140,12 +140,12 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt) audio_offset= avio_rl32(pb); avio_rl32(pb); video_offset= avio_rl32(pb); -audio_size = video_offset - audio_offset; -bfi->video_size = chunk_size - video_offset; -if (audio_size < 0 || bfi->video_size < 0) { +if (audio_offset < 0 || video_offset < audio_offset || chunk_size < video_offset) { av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n"); return AVERROR_INVALIDDATA; } +audio_size = video_offset - audio_offset; +bfi->video_size = chunk_size - video_offset; //Tossing an audio packet at the audio decoder. ret = av_get_packet(pb, pkt, audio_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/aviobuf: Check buf_size in ffio_ensure_seekback()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Mar 20 23:32:53 2022 +0100| [540ad9ddbde53401e44f7d127bd919ddbabffe66] | committer: Michael Niedermayer avformat/aviobuf: Check buf_size in ffio_ensure_seekback() buffer_size is an int Fixes: signed integer overflow: 9223372036854775754 + 32767 cannot be represented in type 'long' Fixes: 45691/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5263458831040512 Signed-off-by: Michael Niedermayer (cherry picked from commit c4b130e876fe9ac5875a2f2480e96de4fdac7760) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=540ad9ddbde53401e44f7d127bd919ddbabffe66 --- libavformat/aviobuf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aviobuf.c b/libavformat/aviobuf.c index 29d4bd7510..33bc3c2e20 100644 --- a/libavformat/aviobuf.c +++ b/libavformat/aviobuf.c @@ -1062,6 +1062,9 @@ int ffio_ensure_seekback(AVIOContext *s, int64_t buf_size) if (buf_size <= s->buf_end - s->buf_ptr) return 0; +if (buf_size > INT_MAX - max_buffer_size) +return AVERROR(EINVAL); + buf_size += max_buffer_size - 1; if (buf_size + s->buf_ptr - s->buffer <= s->buffer_size || s->seekable || !s->read_packet) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/ape: more bits in size for less overflows
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sat Apr 2 22:18:49 2022 +0200| [39f15f66638bee5e81c84a817ea599506835df3a] | committer: Michael Niedermayer avformat/ape: more bits in size for less overflows Fixes: signed integer overflow: 2147483647 + 3 cannot be represented in type 'int' Fixes: 46184/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-4678059519770624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e5f6707a7b91664491041526ef3cce7412258b89) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=39f15f66638bee5e81c84a817ea599506835df3a --- libavformat/ape.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/ape.c b/libavformat/ape.c index b1222d9ce0..3f43055d9f 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -42,8 +42,8 @@ typedef struct APEFrame { int64_t pos; +int64_t size; int nblocks; -int size; int skip; int64_t pts; } APEFrame; @@ -128,7 +128,7 @@ static void ape_dumpinfo(AVFormatContext * s, APEContext * ape_ctx) av_log(s, AV_LOG_DEBUG, "\nFrames\n\n"); for (i = 0; i < ape_ctx->totalframes; i++) -av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8d (%d samples)\n", i, +av_log(s, AV_LOG_DEBUG, "%8d %8"PRId64" %8"PRId64" (%d samples)\n", i, ape_ctx->frames[i].pos, ape_ctx->frames[i].size, ape_ctx->frames[i].nblocks); @@ -146,7 +146,8 @@ static int ape_read_header(AVFormatContext * s) AVStream *st; uint32_t tag; int i, ret; -int total_blocks, final_size = 0; +int total_blocks; +int64_t final_size = 0; int64_t pts, file_size; /* Skip any leading junk such as id3v2 tags */ 
@@ -387,7 +388,7 @@ static int ape_read_packet(AVFormatContext * s, AVPacket * pkt) if (ape->frames[ape->currentframe].size <= 0 || ape->frames[ape->currentframe].size > INT_MAX - extra_size) { -av_log(s, AV_LOG_ERROR, "invalid packet size: %d\n", +av_log(s, AV_LOG_ERROR, "invalid packet size: %8"PRId64"\n", ape->frames[ape->currentframe].size); ape->currentframe++; return AVERROR(EIO); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
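Review bot: The field width in the new format string, `%8"PRId64"`, looks carried over from the column layout in ape_dumpinfo() and pads the value with spaces in a one-line error message. `"invalid packet size: %"PRId64"\n"` would print the rejected size without the padding. The rest of ape_read_packet() is outside the hunk.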
[FFmpeg-cvslog] avformat/aaxdec: Check for overlaping segments
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Mar 23 00:57:34 2022 +0100| [9db37b02ed3894d6d10b43f00906dfc94d793c73] | committer: Michael Niedermayer avformat/aaxdec: Check for overlaping segments Fixes: Timeout Fixes: 45875/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-6121689903136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c16a0ed2422a86e0f3286f59281d119c4d8d159a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9db37b02ed3894d6d10b43f00906dfc94d793c73 --- libavformat/aaxdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index b08ee036ed..9b1c7933ae 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -251,6 +251,10 @@ static int aax_read_header(AVFormatContext *s) size = avio_rb32(pb); a->segments[r].start = start + a->data_offset; a->segments[r].end = a->segments[r].start + size; +if (r && +a->segments[r].start < a->segments[r-1].end && +a->segments[r].end > a->segments[r-1].start) +return AVERROR_INVALIDDATA; } else return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
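Review bot: The added overlap test in aax_read_header() compares segment `r` only with segment `r-1`, so a segment that overlaps an earlier, non-adjacent one still passes. If segments are expected in ascending file order (not visible here), requiring that directly is simpler and complete: `if (r && a->segments[r].start < a->segments[r-1].end) return AVERROR_INVALIDDATA;`. If out-of-order segments are legal, the check needs to cover every earlier segment instead. The loop and the function continue outside the hunk.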
[FFmpeg-cvslog] avformat/aiffdec: avoid integer overflow in get_meta()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Mar 23 01:08:56 2022 +0100| [a9ccfc12100e127979ed019d4a92703666dd1e68] | committer: Michael Niedermayer avformat/aiffdec: avoid integer overflow in get_meta() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 45891/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-6159183893889024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a02de21278ec3bea1d2c62665f2629d5a62210f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9ccfc12100e127979ed019d4a92703666dd1e68 --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 7afadeb085..7f1f2c88f8 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -72,7 +72,7 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) /* Metadata string read */ static void get_meta(AVFormatContext *s, const char *key, int size) { -uint8_t *str = av_malloc(size+1); +uint8_t *str = av_malloc(size+1U); if (str) { int res = avio_read(s->pb, str, size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
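Review bot: The `1U` in `av_malloc(size+1U)` matters but is easy to overlook. It makes the addition unsigned so `size == INT_MAX` no longer overflows, but a negative `size` is then converted to unsigned as well instead of being rejected. A comment such as `/* +1U: unsigned add, size may be INT_MAX */` would protect the suffix. If get_meta() can be reached with a negative size (its callers are outside the hunk), an explicit `if (size < 0) return;` before the allocation would make the accepted range obvious. The body of get_meta() continues past the hunk.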
[FFmpeg-cvslog] avformat/hls: Limit start_seq_no to one bit less
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jun 16 23:02:11 2022 +0200| [40ed3f6e8434bff12835133a14475eb3ed2fd140] | committer: Michael Niedermayer avformat/hls: Limit start_seq_no to one bit less This avoids overflow checks on additions with 32bit numbers Fixes: signed integer overflow: 9223372036854775806 + 2 cannot be represented in type 'long' Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-474777073544 Fixes: 48065/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5372410355908608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ee01425459aaafe36acc7743b3f9f28a01821b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=40ed3f6e8434bff12835133a14475eb3ed2fd140 --- libavformat/hls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 53be0f591c..53d30d97ad 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -833,10 +833,10 @@ static int parse_playlist(HLSContext *c, const char *url, if (ret < 0) goto fail; seq_no = strtoull(ptr, NULL, 10); -if (seq_no > INT64_MAX) { +if (seq_no > INT64_MAX/2) { av_log(c->ctx, AV_LOG_DEBUG, "MEDIA-SEQUENCE higher than " -"INT64_MAX, mask out the highest bit\n"); -seq_no &= INT64_MAX; +"INT64_MAX/2, mask out the highest bit\n"); +seq_no &= INT64_MAX/2; } pls->start_seq_no = seq_no; } else if (av_strstart(line, "#EXT-X-PLAYLIST-TYPE:", &ptr)) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
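Review bot: The debug message in parse_playlist() still says "mask out the highest bit", but `seq_no &= INT64_MAX/2` now clears the top two bits of the 64-bit value, so the text no longer matches the code; `"INT64_MAX/2, mask out the two highest bits\n"` would. The reason for the halved limit is only in the commit message, and a comment like `/* one bit of headroom so start_seq_no plus a 32-bit count cannot overflow */` belongs next to the check. Separately, `strtoull(ptr, NULL, 10)` is called without an end pointer, so a non-numeric MEDIA-SEQUENCE value is accepted as 0; that predates this commit. The function extends beyond the hunk.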
[FFmpeg-cvslog] avcodec/cdgraphics: limit scrolling to the line
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jun 9 22:36:00 2022 +0200| [ccf14bcbe47b5c42ec51c931441bf48be092e056] | committer: Michael Niedermayer avcodec/cdgraphics: limit scrolling to the line Fixes: out of array access Fixes: 47877/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDGRAPHICS_fuzzer-5690504626438144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b7e30a13d4e4557b87f977b76a6bb5e3cbe5ac78) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ccf14bcbe47b5c42ec51c931441bf48be092e056 --- libavcodec/cdgraphics.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c index a83babdf1e..dad689c696 100644 --- a/libavcodec/cdgraphics.c +++ b/libavcodec/cdgraphics.c @@ -239,7 +239,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data, for (y = FFMAX(0, vinc); y < FFMIN(CDG_FULL_HEIGHT + vinc, CDG_FULL_HEIGHT); y++) memcpy(out + FFMAX(0, hinc) + stride * y, in + FFMAX(0, hinc) - hinc + (y - vinc) * stride, - FFMIN(stride + hinc, stride)); + FFABS(stride) - FFABS(hinc)); if (vinc > 0) cdg_fill_wrapper(0, 0, out, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
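Review bot: The new memcpy length in cdg_scroll(), `FFABS(stride) - FFABS(hinc)`, goes negative if `|hinc|` ever exceeds `|stride|`, and a negative int passed as the size argument becomes a very large size_t. The bounds on `hinc` are set outside the hunk (presumably a small scroll offset), so this may be unreachable, but nothing at the call documents it. A comment such as `/* copy only the part of the line that stays inside the frame; relies on |hinc| < |stride| */` would state the invariant the fix depends on. The function starts and ends outside the hunk.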
[FFmpeg-cvslog] avcodec/jpeglsdec: fix end check for xfrm
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jun 9 21:13:59 2022 +0200| [bc24cf32f37cefe275d399824d5f802f7bc9ba73] | committer: Michael Niedermayer avcodec/jpeglsdec: fix end check for xfrm Fixes: out of array access Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6a82412bf33108111eb3f63076fd5a51349ae114) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bc24cf32f37cefe275d399824d5f802f7bc9ba73 --- libavcodec/jpeglsdec.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index bae8ea89fa..7dc0cf14b7 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -485,19 +485,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: -for (x = off; x < w; x += 3) { +for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: -for (x = off; x < w; x += 3) { +for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: -for (x = off; x < w; x += 3) { +for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; 
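Review bot: With `x + 2 < w` the loops in ff_jpegls_decode_picture() stop before a trailing partial triple, so when `w - off` is not a multiple of 3 the last one or two samples of the row are left untransformed without any diagnostic. Whether that can happen depends on how `w` and `off` are computed above the hunk. If it cannot, a comment should say so; if it can, the stream is arguably invalid and worth a warning. The same bound is repeated in cases 1, 2 and 3 here and in case 4 in the next hunk, and `/* each iteration touches src[x] .. src[x + 2] */` once above the switch would explain it. The function extends beyond both hunks.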
@@ -505,7 +505,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: -for (x = off; x < w; x += 3) { +for (x = off; x + 2 < w; x += 3) { int r= src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g= src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b= src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/matroskadec: avoid integer overflows in SAR computation
ffmpeg | branch: release/5.0 | Michael Niedermayer | Fri Apr 1 12:46:08 2022 +0200| [dccf8c591a5bdee82ceb2ea84a9d4b47525c72b5] | committer: Michael Niedermayer avformat/matroskadec: avoid integer overflows in SAR computation This ignores >64bit Alternatively we could support that if it occurs in reality Fixes: negation of -9223372036854775808 Fixes: integer overflows Fixes: 46072/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5029840966778880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e6cad01122c6dea0435d042d68a56045a214492d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dccf8c591a5bdee82ceb2ea84a9d4b47525c72b5 --- libavformat/matroskadec.c | 13 - 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 4fd4bb94b4..f9dbc8ce5d 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -2851,11 +2851,14 @@ static int matroska_parse_tracks(AVFormatContext *s) mkv_stereo_mode_display_mul(track->video.stereo_mode, &display_width_mul, &display_height_mul); if (track->video.display_unit < MATROSKA_VIDEO_DISPLAYUNIT_UNKNOWN) { -av_reduce(&st->sample_aspect_ratio.num, - &st->sample_aspect_ratio.den, - st->codecpar->height * track->video.display_width * display_width_mul, - st->codecpar->width * track->video.display_height * display_height_mul, - INT_MAX); +if (track->video.display_width && track->video.display_height && +st->codecpar->height < INT64_MAX / track->video.display_width / display_width_mul && +st->codecpar->width < INT64_MAX / track->video.display_height / display_height_mul) +av_reduce(&st->sample_aspect_ratio.num, + &st->sample_aspect_ratio.den, + st->codecpar->height * track->video.display_width * display_width_mul, + st->codecpar->width * track->video.display_height * display_height_mul, + INT_MAX); } if (st->codecpar->codec_id != AV_CODEC_ID_HEVC) sti->need_parsing = AVSTREAM_PARSE_HEADERS; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
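Review bot: When the new guard in matroska_parse_tracks() fails, the sample aspect ratio is left untouched and nothing is logged, so a file with overflowing display dimensions is handled with a silently different aspect ratio. An `else` branch with `av_log(s, AV_LOG_WARNING, "Ignoring display dimensions that overflow the aspect ratio computation\n");` would make that visible. The guard also divides by `display_width_mul` and `display_height_mul`, which are checked nowhere in the hunk. They are filled in by mkv_stereo_mode_display_mul() and are presumably never zero, but that is worth confirming. The multi-line `if` body would also read more safely with braces.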
[FFmpeg-cvslog] avformat/aiffdec: cleanup size handling for extreem cases
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Mar 23 14:30:42 2022 +0100| [9764ec67b25b14c9a44f89e220a820949f637ece] | committer: Michael Niedermayer avformat/aiffdec: cleanup size handling for extreem cases Signed-off-by: Michael Niedermayer (cherry picked from commit c6f1e48b86471b1cc91c468e78a065075ed409bd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9764ec67b25b14c9a44f89e220a820949f637ece --- libavformat/aiffdec.c | 29 - 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 7f1f2c88f8..321e07a36b 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -53,9 +53,9 @@ static enum AVCodecID aiff_codec_get_id(int bps) } /* returns the size of the found tag */ -static int get_tag(AVIOContext *pb, uint32_t * tag) +static int64_t get_tag(AVIOContext *pb, uint32_t * tag) { -int size; +int64_t size; if (avio_feof(pb)) return AVERROR(EIO); @@ -63,16 +63,16 @@ static int get_tag(AVIOContext *pb, uint32_t * tag) *tag = avio_rl32(pb); size = avio_rb32(pb); -if (size < 0) -size = 0x7fff; - return size; } /* Metadata string read */ -static void get_meta(AVFormatContext *s, const char *key, int size) +static void get_meta(AVFormatContext *s, const char *key, int64_t size) { -uint8_t *str = av_malloc(size+1U); +uint8_t *str = NULL; + +if (size < SIZE_MAX) +str = av_malloc(size+1); if (str) { int res = avio_read(s->pb, str, size); @@ -89,7 +89,7 @@ static void get_meta(AVFormatContext *s, const char *key, int size) } /* Returns the number of sound data frames or negative on error */ -static int get_aiff_header(AVFormatContext *s, int size, +static int get_aiff_header(AVFormatContext *s, int64_t size, unsigned version) { AVIOContext *pb= s->pb; 
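Review bot: In get_meta(), `if (size < SIZE_MAX)` compares an int64_t with a size_t, so the outcome depends on the platform's integer conversion rules. The value is then passed to avio_read(), which takes an `int` size and whose result is stored in `int res`. Bounding the request by what the read can actually return is clearer and platform-independent: `if (size >= 0 && size < INT_MAX) str = av_malloc(size + 1);`. get_tag() in the same hunk now returns the raw 32-bit chunk size as int64_t, so every caller has to tolerate sizes up to 0xFFFFFFFF, and only some of them are visible here. get_meta() continues outside the hunk.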
@@ -100,9 +100,6 @@ static int get_aiff_header(AVFormatContext *s, int size, int sample_rate; unsigned int num_frames; -if (size == INT_MAX) -return AVERROR_INVALIDDATA; - if (size & 1) size++; par->codec_type = AVMEDIA_TYPE_AUDIO; @@ -213,7 +210,8 @@ static int aiff_probe(const AVProbeData *p) /* aiff input */ static int aiff_read_header(AVFormatContext *s) { -int ret, size, filesize; +int ret; +int64_t filesize, size; int64_t offset = 0, position; uint32_t tag; unsigned version = AIFF_C_VERSION1; @@ -224,7 +222,7 @@ static int aiff_read_header(AVFormatContext *s) /* check FORM header */ filesize = get_tag(pb, &tag); -if (filesize < 0 || tag != MKTAG('F', 'O', 'R', 'M')) +if (filesize < 4 || tag != MKTAG('F', 'O', 'R', 'M')) return AVERROR_INVALIDDATA; /* AIFF data type */ @@ -251,10 +249,7 @@ static int aiff_read_header(AVFormatContext *s) if (size < 0) return size; -if (size >= 0x7fff - 8) -filesize = 0; -else -filesize -= size + 8; +filesize -= size + 8; switch (tag) { case MKTAG('C', 'O', 'M', 'M'): /* Common chunk */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/aasc: Fix indention
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sat Jun 18 20:54:36 2022 +0200| [ab936ed53e1c8e57a26b90ed07dfa438f086] | committer: Michael Niedermayer avcodec/aasc: Fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit af2ed09220fe82e0aa479d1b93be6aadc4930efc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ab936ed53e1c8e57a26b90ed07dfa438f086 --- libavcodec/aasc.c | 34 +- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index 2177aa8f56..79612ce815 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c 
@@ -104,26 +104,26 @@ static int aasc_decode_frame(AVCodecContext *avctx, ff_msrle_decode(avctx, s->frame, 8, &s->gb); break; case MKTAG('A', 'A', 'S', 'C'): -switch (compr) { -case 0: -stride = (avctx->width * psize + psize) & ~psize; -if (buf_size < stride * avctx->height) +switch (compr) { +case 0: +stride = (avctx->width * psize + psize) & ~psize; +if (buf_size < stride * avctx->height) +return AVERROR_INVALIDDATA; +for (i = avctx->height - 1; i >= 0; i--) { +memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); +buf += stride; +buf_size -= stride; +} +break; +case 1: +bytestream2_init(&s->gb, buf, buf_size); +ff_msrle_decode(avctx, s->frame, 8, &s->gb); +break; +default: +av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); return AVERROR_INVALIDDATA; -for (i = avctx->height - 1; i >= 0; i--) { -memcpy(s->frame->data[0] + i * s->frame->linesize[0], buf, avctx->width * psize); -buf += stride; -buf_size -= stride; } break; -case 1: -bytestream2_init(&s->gb, buf, buf_size); -ff_msrle_decode(avctx, s->frame, 8, &s->gb); -break; -default: -av_log(avctx, AV_LOG_ERROR, "Unknown compression type %d\n", compr); -return AVERROR_INVALIDDATA; -} -break; default: av_log(avctx, AV_LOG_ERROR, "Unknown FourCC: %X\n", avctx->codec_tag); return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/cinedec: Check size and pos more
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jun 27 21:13:11 2022 +0200| [abbf22ac637133a69c920db5b316c1888e340e18] | committer: Michael Niedermayer avformat/cinedec: Check size and pos more Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long' Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 884a108121d027ee4aa7d5a70247565cf0105afa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=abbf22ac637133a69c920db5b316c1888e340e18 --- libavformat/cinedec.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libavformat/cinedec.c b/libavformat/cinedec.c index f4779b2676..e8d9657ee1 100644 --- a/libavformat/cinedec.c +++ b/libavformat/cinedec.c @@ -273,10 +273,11 @@ static int cine_read_header(AVFormatContext *avctx) /* parse image offsets */ avio_seek(pb, offImageOffsets, SEEK_SET); for (i = 0; i < st->duration; i++) { -if (avio_feof(pb)) +int64_t pos = avio_rl64(pb); +if (avio_feof(pb) || pos < 0) return AVERROR_INVALIDDATA; -av_add_index_entry(st, avio_rl64(pb), i, 0, 0, AVINDEX_KEYFRAME); +av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME); } return 0; @@ -302,10 +303,10 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) return AVERROR_INVALIDDATA; avio_skip(pb, n - 8); size = avio_rl32(pb); -if (avio_feof(pb)) +if (avio_feof(pb) || size < 0) return AVERROR_INVALIDDATA; -if (cine->maxsize && sti->index_entries[cine->pts].pos + size + n > cine->maxsize) +if (cine->maxsize && (uint64_t)sti->index_entries[cine->pts].pos + size + n > cine->maxsize) size = cine->maxsize - sti->index_entries[cine->pts].pos - n; ret = av_get_packet(pb, pkt, size); 
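Review bot: The return value of `av_add_index_entry()` in cine_read_header() is still ignored, so a failure while building the index is not reported, and cine_read_packet() may later read `sti->index_entries[cine->pts]` as if the entry existed. Checking it, e.g. `if (av_add_index_entry(st, pos, i, 0, 0, AVINDEX_KEYFRAME) < 0) return AVERROR(ENOMEM);`, closes that gap. The loop count `st->duration` is set outside the hunk, so how large it can get is not visible here.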
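Review bot: In cine_read_packet(), the clamp `size = cine->maxsize - sti->index_entries[cine->pts].pos - n;` can produce zero or a negative value when the index position already lies at or beyond `maxsize`, and the result goes straight into `av_get_packet()`. The added `size < 0` test runs before the clamp, so it does not cover this; repeating it afterwards, `if (size < 0) return AVERROR_INVALIDDATA;`, would. The `(uint64_t)` cast makes the sum wrap instead of overflowing, which also means the comparison with `cine->maxsize` may be done unsigned. The type of `maxsize` is declared outside the hunk.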
@@ -313,7 +314,7 @@ static int cine_read_packet(AVFormatContext *avctx, AVPacket *pkt) return ret; if (ret != size) -cine->maxsize = sti->index_entries[cine->pts].pos + n + ret; +cine->maxsize = (uint64_t)sti->index_entries[cine->pts].pos + n + ret; pkt->pts = cine->pts++; pkt->stream_index = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/alacdsp: Make intermediates unsigned
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Apr 28 23:34:53 2022 +0200| [b03a42587f1e4daa1b58f8e12682e248813956de] | committer: Michael Niedermayer avcodec/alacdsp: Make intermediates unsigned Fixes: signed integer overflow: -14914387 + -2147418648 cannot be represented in type 'int' Fixes: 46464/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-474307197311385 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8709f4c10a216cb3e11564bc392841e832f8e3b1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b03a42587f1e4daa1b58f8e12682e248813956de --- libavcodec/alacdsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 8718d1b6b1..b3c1c424f3 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -29,12 +29,12 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, int i; for (i = 0; i < nb_samples; i++) { -int32_t a, b; +uint32_t a, b; a = buffer[0][i]; b = buffer[1][i]; -a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; +a -= (int)(b * decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
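Review bot: Dropping the explicit `(unsigned)` cast in decorrelate_stereo() leaves the multiplication unsigned only because `b` is now `uint32_t`, which is easy to undo by accident. A comment on the declaration, e.g. `uint32_t a, b; /* unsigned: the decorrelation relies on wraparound */`, would record that. The expression still converts a possibly out-of-range unsigned product to `int` and right-shifts a possibly negative value, both implementation-defined in C, as the old line did. The loop body continues outside the hunk.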
[FFmpeg-cvslog] avcodec/qdrw: adjust max colors to array size
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Jul 3 00:43:21 2022 +0200| [0ba8bf701144a480e1ffe03881db255f6b129400] | committer: Michael Niedermayer avcodec/qdrw: adjust max colors to array size Fixes: out of array access Fixes: 48429/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDRAW_fuzzer-4608329791438848 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit cd847f86d31f87f0f7733ca6ab7a2c022a1398bd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0ba8bf701144a480e1ffe03881db255f6b129400 --- libavcodec/qdrw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/qdrw.c b/libavcodec/qdrw.c index fcc1de0c62..3721ba25ee 100644 --- a/libavcodec/qdrw.c +++ b/libavcodec/qdrw.c @@ -369,7 +369,7 @@ static int decode_frame(AVCodecContext *avctx, bytestream2_skip(&gbc, 18); colors = bytestream2_get_be16(&gbc); -if (colors < 0 || colors > 256) { +if (colors < 0 || colors > 255) { av_log(avctx, AV_LOG_ERROR, "Error color count - %i(0x%X)\n", colors, colors); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
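Review bot: The new limit `colors > 255` in decode_frame() is a bare literal tied to an array size that is not visible in the hunk, so the next reader cannot tell why 256 is rejected. If `colors` is the highest palette index rather than a count (the code that consumes it is outside the hunk), say so with `/* colors is the last palette index; the palette has 256 entries */`, or derive the bound from the array itself. `colors < 0` also looks unreachable if `colors` is an int holding the result of `bytestream2_get_be16()`; its declaration is above the hunk.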
[FFmpeg-cvslog] avformat/sctp: close socket on errors
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon May 23 01:23:22 2022 +0200| [47dc801ec0d54923bbdda5d919cd22e9000d8484] | committer: Michael Niedermayer avformat/sctp: close socket on errors This is untested as i have no testcase Fixes: CID1302709 Signed-off-by: Michael Niedermayer (cherry picked from commit c9a2996544187f67e533bc24f4cf773e50d2362b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=47dc801ec0d54923bbdda5d919cd22e9000d8484 --- libavformat/sctp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/sctp.c b/libavformat/sctp.c index 9a80e9b015..be0cb47865 100644 --- a/libavformat/sctp.c +++ b/libavformat/sctp.c @@ -282,6 +282,8 @@ fail: goto restart; } fail1: +if (fd >= 0) +closesocket(fd); ret = AVERROR(EIO); freeaddrinfo(ai); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
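Review bot: The added `if (fd >= 0) closesocket(fd);` at `fail1` is only correct if `fd` is initialised to a negative value and never holds an already-closed descriptor on any path that jumps here. The declaration and the earlier error paths are outside the hunk, and the commit message says the change is untested, so both conditions should be verified by reading the whole function. An uninitialised `fd` would be an indeterminate read, and a stale one would close the same descriptor twice. Resetting `fd = -1` after any earlier close would make this cleanup safe by construction.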
[FFmpeg-cvslog] avcodec/ffv1dec_template: fix indention
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jul 4 17:19:02 2022 +0200| [ae8aabe3989480caa1f9e256225f1a512d98ef2c] | committer: Michael Niedermayer avcodec/ffv1dec_template: fix indention Signed-off-by: Michael Niedermayer (cherry picked from commit eee7364c90699f50a36aaada38c52ccc0d6bf501) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ae8aabe3989480caa1f9e256225f1a512d98ef2c --- libavcodec/ffv1dec_template.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/ffv1dec_template.c b/libavcodec/ffv1dec_template.c index 0b1d176ba1..9b1d65e825 100644 --- a/libavcodec/ffv1dec_template.c +++ b/libavcodec/ffv1dec_template.c @@ -93,11 +93,11 @@ static av_always_inline int RENAME(decode_line)(FFV1Context *s, int w, run_count--; } } else { -while (run_count > 1 && w-x > 1) { -sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); -x++; -run_count--; -} +while (run_count > 1 && w-x > 1) { +sample[1][x] = RENAME(predict)(sample[1] + x, sample[0] + x); +x++; +run_count--; +} } run_count--; if (run_count < 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/wnv1: Check for width =1
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Jul 3 02:31:47 2022 +0200| [048f3714c2ea2472e8cdd21b9e80ec4b5036c812] | committer: Michael Niedermayer avcodec/wnv1: Check for width =1 The decoder only outputs pixels for width >1 images, fail early Fixes: Timeout Fixes: 48298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WNV1_fuzzer-6198626319204352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d98d5a436aa70d3cef8f914c0467ef2fb2dd1dfc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=048f3714c2ea2472e8cdd21b9e80ec4b5036c812 --- libavcodec/wnv1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c index 5d6c91d2d2..8fd5a732a5 100644 --- a/libavcodec/wnv1.c +++ b/libavcodec/wnv1.c @@ -126,6 +126,9 @@ static av_cold int decode_init(AVCodecContext *avctx) { static AVOnce init_static_once = AV_ONCE_INIT; +if (avctx->width <= 1) +return AVERROR_INVALIDDATA; + avctx->pix_fmt = AV_PIX_FMT_YUV422P; ff_thread_once(&init_static_once, wnv1_init_static); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
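Review bot: decode_init() now rejects `avctx->width <= 1` without logging anything, so the caller sees only a generic open failure. A message before the return, e.g. `av_log(avctx, AV_LOG_ERROR, "Unsupported width %d\n", avctx->width);`, would tell the user why. The check also runs once at init, so it does not cover a width that changes afterwards; whether that can happen for this codec is not visible here.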
[FFmpeg-cvslog] avcodec/qpeldsp: copy less for the mc0x cases
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Jun 26 00:59:15 2022 +0200| [dac6f854a9b34e04023e58a976fa50ce89756def] | committer: Michael Niedermayer avcodec/qpeldsp: copy less for the mc0x cases Fixes: out of array access Fixes: 47936/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5745039940124672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e690d4edf581c42dbd907c0fafe53fba86a00812) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dac6f854a9b34e04023e58a976fa50ce89756def --- libavcodec/qpeldsp.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/qpeldsp.c b/libavcodec/qpeldsp.c index 6e52b33657..d99b8fd0ba 100644 --- a/libavcodec/qpeldsp.c +++ b/libavcodec/qpeldsp.c @@ -198,7 +198,7 @@ static void OPNAME ## qpel8_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ -copy_block9(full, src, 16, stride, 9);\ +copy_block8(full, src, 16, stride, 9);\ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full, half, stride, 16, 8, 8);\ } \ @@ -208,7 +208,7 @@ static void OPNAME ## qpel8_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[16 * 9]; \ \ -copy_block9(full, src, 16, stride, 9);\ +copy_block8(full, src, 16, stride, 9);\ OPNAME ## mpeg4_qpel8_v_lowpass(dst, full, stride, 16); \ } \ \ @@ -218,7 +218,7 @@ static void OPNAME ## qpel8_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[16 * 9]; \ uint8_t half[64]; \ \ -copy_block9(full, src, 16, stride, 9);\ +copy_block8(full, src, 16, stride, 9);\ put ## RND ## mpeg4_qpel8_v_lowpass(half, full, 8, 16); \ OPNAME ## pixels8_l2_8(dst, full + 16, half, stride, 16, 8, 8); \ } \ 
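Review bot: After switching to `copy_block8(full, src, 16, stride, 9)`, columns 8 to 15 of each 16-byte row in `full[16 * 9]` are presumably never written. These mc01/mc02/mc03 functions are then correct only as long as the vertical low-pass and `pixels8_l2_8` read eight columns per row. A comment above the copy, e.g. `/* vertical filter only: 9 rows, 8 columns */`, would state that and explain why these cases differ from any that still use copy_block9. The same applies to the `copy_block16` changes in the qpel16 hunks that follow. The macro body extends beyond the hunks.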
@@ -458,7 +458,7 @@ static void OPNAME ## qpel16_mc01_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17];\ uint8_t half[256];\ \ -copy_block17(full, src, 24, stride, 17); \ +copy_block16(full, src, 24, stride, 17); \ put ## RND ## mpeg4_qpel16_v_lowpass(half, full, 16, 24); \ OPNAME ## pixels16_l2_8(dst, full, half, stride, 24, 16, 16); \ } \ @@ -468,7 +468,7 @@ static void OPNAME ## qpel16_mc02_c(uint8_t *dst, const uint8_t *src, \ { \ uint8_t full[24 * 17];\ \ -copy_block17(full, src, 24, stride, 17); \ +copy_block16(full, src, 24, stride, 17); \ OPNAME ## mpeg4_qpel16_v_lowpass(dst, full, stride, 24); \ } \ \ @@ -478,7 +478,7 @@ static void OPNAME ## qpel16_mc03_c(uint8_t *dst, const uint8_t *src, \ uint8_t full[24 * 17];\ uint8_t half[256];\
[FFmpeg-cvslog] avcodec/hevcdsp_template: stay within tables in sao_band_filter()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jun 9 22:21:55 2022 +0200| [c03f09f6f4a6abd4d85e460763d0d6ffdef45b0e] | committer: Michael Niedermayer avcodec/hevcdsp_template: stay within tables in sao_band_filter() Fixes: out of array read Fixes: 47875/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5719393113341952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9c5250a5612d4b32d79108de0c03945b2017963e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c03f09f6f4a6abd4d85e460763d0d6ffdef45b0e --- libavcodec/hevcdsp_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdsp_template.c b/libavcodec/hevcdsp_template.c index 56cd9e605d..61425975cd 100644 --- a/libavcodec/hevcdsp_template.c +++ b/libavcodec/hevcdsp_template.c @@ -313,7 +313,7 @@ static void FUNC(sao_band_filter)(uint8_t *_dst, uint8_t *_src, offset_table[(k + sao_left_class) & 31] = sao_offset_val[k + 1]; for (y = 0; y < height; y++) { for (x = 0; x < width; x++) -dst[x] = av_clip_pixel(src[x] + offset_table[src[x] >> shift]); +dst[x] = av_clip_pixel(src[x] + offset_table[(src[x] >> shift) & 31]); dst += stride_dst; src += stride_src; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
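Review bot: The added `& 31` in sao_band_filter() keeps the offset_table read in range, but it also hides that `src[x] >> shift` produced an index above 31, which suggests a sample outside the nominal range reached this filter. A one-line comment, `/* mask is a bounds guard: out-of-range samples must not index past the table */`, would record that the mask is defensive and not part of the band computation. Where the oversized sample comes from is outside the hunk, so whether it should also be rejected earlier cannot be judged from here.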
[FFmpeg-cvslog] avcodec/ffv1dec: Limit golomb rice coded slices to width 8M
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Jul 3 13:31:19 2022 +0200| [89685f280a6b256f798788a7b463daeddf8bf631] | committer: Michael Niedermayer avcodec/ffv1dec: Limit golomb rice coded slices to width 8M This limit is possibly not reachable due to other restrictions on buffers but the decoder run table is too small beyond this, so explicitly check for it. Signed-off-by: Michael Niedermayer (cherry picked from commit b4431399ec1e10afff458cf1ffae2a75987d725a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89685f280a6b256f798788a7b463daeddf8bf631 --- libavcodec/ffv1dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c index 810b2e18f0..9c2cb37f63 100644 --- a/libavcodec/ffv1dec.c +++ b/libavcodec/ffv1dec.c @@ -185,6 +185,9 @@ static int decode_slice_header(const FFV1Context *f, FFV1Context *fs) || (unsigned)fs->slice_y + (uint64_t)fs->slice_height > f->height) return -1; +if (fs->ac == AC_GOLOMB_RICE && fs->slice_width >= (1<<23)) +return AVERROR_INVALIDDATA; + for (i = 0; i < f->plane_count; i++) { PlaneContext * const p = &fs->plane[i]; int idx = get_symbol(c, state, 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
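Review bot: The new limit in decode_slice_header() is written as a bare `(1<<23)` and returns AVERROR_INVALIDDATA, while the bounds check directly above it still returns `-1`. A named constant defined next to the run table it protects, for example `#define MAX_GOLOMB_RICE_SLICE_WIDTH (1 << 23)`, with a comment linking the two, would keep the limit and the table size from drifting apart. Using the same error code for both rejections would also make the function's failure paths consistent.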
[FFmpeg-cvslog] avformat/aaxdec: Check for empty segments
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jun 27 10:29:25 2022 +0200| [024b94bab3e8960d60025cf155d16cad96dc5ba2] | committer: Michael Niedermayer avformat/aaxdec: Check for empty segments Fixes: Timeout Fixes: 48154/clusterfuzz-testcase-minimized-ffmpeg_dem_AAX_fuzzer-5149094353436672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db31b3ea861c280e7fae282d06957ebd0d37c2d2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=024b94bab3e8960d60025cf155d16cad96dc5ba2 --- libavformat/aaxdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aaxdec.c b/libavformat/aaxdec.c index 9b1c7933ae..09fe8ebdf7 100644 --- a/libavformat/aaxdec.c +++ b/libavformat/aaxdec.c @@ -249,6 +249,8 @@ static int aax_read_header(AVFormatContext *s) start = avio_rb32(pb); size = avio_rb32(pb); +if (!size) +return AVERROR_INVALIDDATA; a->segments[r].start = start + a->data_offset; a->segments[r].end = a->segments[r].start + size; if (r && ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
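Review bot: The zero-size rejection in aax_read_header() returns directly from inside the segment loop, and nothing in the hunk shows whether the segments array written just below is released on this path. If the demuxer relies on its close callback after a failed header read this is fine, but it is worth confirming because the function starts and ends outside the hunk. A short comment such as `/* empty segment: nothing to read, treat as invalid */` would also explain the check.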
[FFmpeg-cvslog] avformat/iff: simplify duration calculation
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jul 4 23:32:40 2022 +0200| [b5fc01adbe66147767bab98533c9b8bcd784484f] | committer: Michael Niedermayer avformat/iff: simplify duration calculation Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long' Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0740641e932551342cc1737d981e950ecffa3b63) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b5fc01adbe66147767bab98533c9b8bcd784484f --- libavformat/iff.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index 078406b7e3..3ab68ffb35 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -384,7 +384,7 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) avio_skip(pb, 1); pkt->flags |= AV_PKT_FLAG_KEY; pkt->stream_index = 0; -pkt->duration = 588LL * s->streams[0]->codecpar->sample_rate / 44100; +pkt->duration = s->streams[0]->codecpar->sample_rate / 75; pkt->pos = chunk_pos; chunk_pos = avio_tell(pb); @@ -397,7 +397,8 @@ static int read_dst_frame(AVFormatContext *s, AVPacket *pkt) case ID_FRTE: if (data_size < 4) return AVERROR_INVALIDDATA; -s->streams[0]->duration = avio_rb32(pb) * 588LL * s->streams[0]->codecpar->sample_rate / 44100; +s->streams[0]->duration = avio_rb32(pb) * (uint64_t)s->streams[0]->codecpar->sample_rate / 75; + break; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
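Review bot: The constant `75` that replaces `588LL * ... / 44100` in read_dst_frame() is unexplained, although it is simply 44100 / 588. A comment such as `/* 75 == 44100 / 588 */` on the first use would make the equivalence checkable at a glance. In the ID_FRTE case the `(uint64_t)` cast assumes sample_rate is non-negative, which is validated, if at all, outside the hunk. The hunk also adds a stray blank line before `break;`.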
[FFmpeg-cvslog] avfilter/vf_signature: Fix integer overflow in filter_frame()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed May 18 02:10:52 2022 +0200| [e028020213cdfd2d37934fa12e11c586040aca4e] | committer: Michael Niedermayer avfilter/vf_signature: Fix integer overflow in filter_frame() Fixes: CID1403233 The second of the 2 changes may be unneeded but will help coverity Signed-off-by: Michael Niedermayer (cherry picked from commit dd6040675ec18d19429f882caea6bb306ed6677a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e028020213cdfd2d37934fa12e11c586040aca4e --- libavfilter/vf_signature.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 4ca57ebf1d..66149dcc01 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -219,7 +219,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) dw1 = inlink->w / 32; if (inlink->w % 32) dw2 = dw1 + 1; -denom = (sc->divide) ? dh1 * dh2 * dw1 * dw2 : 1; +denom = (sc->divide) ? dh1 * (int64_t)dh2 * dw1 * dw2 : 1; for (i = 0; i < 32; i++) { rowcount = 0; @@ -245,7 +245,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *picref) } } -denom = (sc->divide) ? 1 : dh1 * dh2 * dw1 * dw2; +denom = (sc->divide) ? 1 : dh1 * (int64_t)dh2 * dw1 * dw2; for (i = 0; i < ELEMENT_COUNT; i++) { const ElemCat* elemcat = elements[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
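Review bot: The widened product `dh1 * (int64_t)dh2 * dw1 * dw2` is now spelled out twice in filter_frame(), once per hunk, with only the ternary arms swapped. Assuming the four factors are not modified between the two uses, computing it once, e.g. `const int64_t block_area = dh1 * (int64_t)dh2 * dw1 * dw2;`, and writing `denom = sc->divide ? block_area : 1;` here and the mirrored form later would keep the cast in one place. The declaration of `denom` is outside the hunk; if it is narrower than 64 bits the cast alone does not help.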
[FFmpeg-cvslog] avcodec/tiff: Check pixel format types for dng
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jun 30 00:52:20 2022 +0200| [5bf38f660c70d8726a9a4aef72ec8f8da256319c] | committer: Michael Niedermayer avcodec/tiff: Check pixel format types for dng Fixes: out of array access Fixes: 48271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6149705769287680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75f3d1b82261f31c6bbcee8046cec6792194355a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bf38f660c70d8726a9a4aef72ec8f8da256319c --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index fd85d104dc..7190f48310 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -759,6 +759,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid if (s->is_bayer) { av_assert0(width == (s->bpp * s->width + 7) >> 3); } +av_assert0(!(s->is_bayer && is_yuv)); if (p->format == AV_PIX_FMT_GRAY12) { av_fast_padded_malloc(&s->yuv_line, &s->yuv_line_size, width); if (s->yuv_line == NULL) { @@ -842,6 +843,8 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n"); return AVERROR_PATCHWELCOME; } +if (!s->is_bayer) +return AVERROR_PATCHWELCOME; if ((ret = dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, s->height)) < 0) return ret; return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
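Review bot: The added `av_assert0(!(s->is_bayer && is_yuv));` in tiff_unpack_strip() aborts the process when it fails, which is a poor outcome if the combination can still be produced by file contents. Nothing visible in this hunk shows that every route into the function excludes bayer together with YUV. Unless validation outside the hunk guarantees it, returning an error is the safer form: `if (s->is_bayer && is_yuv) return AVERROR_INVALIDDATA;`.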
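Review bot: The new `if (!s->is_bayer) return AVERROR_PATCHWELCOME;` in the second hunk is silent, whereas the rejection just above it logs "More than one DNG JPEG strips unsupported". Adding `av_log(s->avctx, AV_LOG_ERROR, "Non-bayer DNG JPEG strips unsupported\n");` before the return would keep the two unsupported-input paths consistent and tell the user which restriction was hit.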
[FFmpeg-cvslog] avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon May 2 00:51:12 2022 +0200| [1fbd6f8d05f11a171265c51579107f45d33b4b4a] | committer: Michael Niedermayer avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() Fixes: signed integer overflow: 2147483645 + 16 cannot be represented in type 'int' Fixes: 46993/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4759025234870272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1537f40516d625fc5fa57db4fdfb737312fbc500) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1fbd6f8d05f11a171265c51579107f45d33b4b4a --- libavcodec/sbrdsp_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index 43fcc90ae5..0d34a2a710 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -114,8 +114,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) { int i; for (i = 0; i < 32; i++) { -v[ i] = ( src[63 - 2*i] + 0x10) >> 5; -v[63 - i] = (-src[63 - 2*i - 1] + 0x10) >> 5; +v[ i] = (int)(0x10U + src[63 - 2*i]) >> 5; +v[63 - i] = (int)(0x10U - src[63 - 2*i - 1]) >> 5; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
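Review bot: The rewritten lines in sbr_qmf_deint_neg_c() depend on unsigned wrap-around followed by an `(int)` conversion and a right shift of a possibly negative value, and none of that is stated. A comment above the loop, `/* add in unsigned to avoid signed overflow; the result is meant to wrap */`, would stop a later reader from simplifying the casts away. The conversion and the shift are implementation-defined rather than undefined, so the code relies on the behaviour of the supported compilers.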
[FFmpeg-cvslog] tools/target_dec_fuzzer: Adjust threshold for MMVIDEO
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue Jul 19 00:25:45 2022 +0200| [a158789f0dccf9a4784c5772d88dc1c780985b68] | committer: Michael Niedermayer tools/target_dec_fuzzer: Adjust threshold for MMVIDEO Fixes: Timeout Fixes: 49003/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MMVIDEO_fuzzer-5550368423018496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 3592b05c84958e2723cc026e7649df508de1a9c4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a158789f0dccf9a4784c5772d88dc1c780985b68 --- tools/target_dec_fuzzer.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/target_dec_fuzzer.c b/tools/target_dec_fuzzer.c index 13766d22b9..b89eb64729 100644 --- a/tools/target_dec_fuzzer.c +++ b/tools/target_dec_fuzzer.c @@ -181,6 +181,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { case AV_CODEC_ID_LAGARITH:maxpixels /= 1024; break; case AV_CODEC_ID_VORBIS: maxsamples /= 1024; break; case AV_CODEC_ID_LSCR:maxpixels /= 16;break; +case AV_CODEC_ID_MMVIDEO: maxpixels /= 256; break; case AV_CODEC_ID_MOTIONPIXELS:maxpixels /= 256; break; case AV_CODEC_ID_MP4ALS: maxsamples /= 65536; break; case AV_CODEC_ID_MSA1:maxpixels /= 16384; break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/exr: Check x/ysize
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jul 18 22:46:45 2022 +0200| [aeaa86aacd6804cf142bbdee280bf089f5c3971b] | committer: Michael Niedermayer avcodec/exr: Check x/ysize Fixes: OOM Fixes: 48911/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6352002510094336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 614a4d1476c6e3561ebab3977cb43b2b4b6406fd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aeaa86aacd6804cf142bbdee280bf089f5c3971b --- libavcodec/exr.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index ded9d85000..85b0cab36b 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1240,7 +1240,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->tile_attr.ySize, s->ydelta - tile_y * s->tile_attr.ySize); td->xsize = FFMIN(s->tile_attr.xSize, s->xdelta - tile_x * s->tile_attr.xSize); -if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) +if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX || +av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ 
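Review bot: The two-part size condition is now duplicated verbatim in both branches of decode_block(), here for tiles and in the next hunk for scan lines. A small static helper that takes the context and the per-thread data and returns 0 or AVERROR_INVALIDDATA would keep the line-size and pixel-count checks together, so a future limit is not added to only one branch. The call also passes `s->avctx` although the function receives `avctx`; if they are the same object, using the parameter would read more consistently.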
@@ -1264,7 +1265,8 @@ static int decode_block(AVCodecContext *avctx, void *tdata, td->ysize = FFMIN(s->scan_lines_per_block, s->ymax - line + 1); /* s->ydelta - line ?? */ td->xsize = s->xdelta; -if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX) +if (td->xsize * (uint64_t)s->current_channel_offset > INT_MAX || +av_image_check_size2(td->xsize, td->ysize, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; td->channel_line_size = td->xsize * s->current_channel_offset;/* uncompress size of one line */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/h264dec: Skip late SEI
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Apr 27 22:16:51 2022 +0200| [fe026fd0cba152cad783fe5b370b2dd5101fb2c9] | committer: Michael Niedermayer avcodec/h264dec: Skip late SEI Fixes: Race condition Fixes: clusterfuzz-testcase-minimized-mediasource_MP2T_AVC_pipeline_integration_fuzzer-6282675434094592 Found-by: google ClusterFuzz Tested-by: Dan Sanders Signed-off-by: Michael Niedermayer (cherry picked from commit f7dd408d64013ae177c1f8d0e04418e5075db5bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe026fd0cba152cad783fe5b370b2dd5101fb2c9 --- libavcodec/h264dec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index 6a5bf51f5d..62c4f40517 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -680,6 +680,10 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size) avpriv_request_sample(avctx, "data partitioning"); break; case H264_NAL_SEI: +if (h->setup_finished) { +avpriv_request_sample(avctx, "Late SEI"); +break; +} ret = ff_h264_sei_decode(&h->sei, &nal->gb, &h->ps, avctx); h->has_recovery_point = h->has_recovery_point || h->sei.recovery_point.recovery_frame_cnt != -1; if (avctx->debug & FF_DEBUG_GREEN_MD) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
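Review bot: The new `h->setup_finished` guard in the H264_NAL_SEI case has no comment saying why SEI data is dropped at that point. The commit message names a race condition, so something like `/* after setup has finished, h->sei must no longer be modified from here */` would document the constraint; the exact sharing is not visible in the hunk and the wording should be confirmed against the threading code. avpriv_request_sample() is used for the report; if late SEI turns out to be common in damaged streams, a plain warning may fit better.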
[FFmpeg-cvslog] avformat/rtsp: break on unknown protocols
ffmpeg | branch: release/5.0 | Michael Niedermayer | Fri May 20 00:50:33 2022 +0200| [273a3c5b8224d5a5e138033ad9bcffbb15b5c631] | committer: Michael Niedermayer avformat/rtsp: break on unknown protocols This function needs more cleanup and it lacks error handling Fixes: use of uninitialized memory Fixes: CID700776 Signed-off-by: Michael Niedermayer (cherry picked from commit 73c0fd27c5c53c42e5060fb3a0c1fc5708b6f670) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=273a3c5b8224d5a5e138033ad9bcffbb15b5c631 --- libavformat/rtsp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rtsp.c b/libavformat/rtsp.c index 70c18941ca..970c7b75dc 100644 --- a/libavformat/rtsp.c +++ b/libavformat/rtsp.c @@ -946,6 +946,8 @@ static void rtsp_parse_transport(AVFormatContext *s, ";,", &p); } th->transport = RTSP_TRANSPORT_RAW; +} else { +break; } if (!av_strcasecmp(lower_transport, "TCP")) th->lower_transport = RTSP_LOWER_TRANSPORT_TCP; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
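Review bot: The added `else { break; }` in rtsp_parse_transport() leaves the parsing loop on an unknown protocol without any message, and the function returns void, so the caller cannot tell that parsing stopped early. An `av_log(s, AV_LOG_WARNING, "Unknown transport protocol\n");` before the `break` would at least make the skipped entry visible. The loop and the handling of the partially filled `th` entry are outside the hunk, so it is worth confirming that the entry being parsed is not counted as valid afterwards.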
[FFmpeg-cvslog] avformat/asfdec_f: Use 64bit for packet start time
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue Jul 19 00:32:18 2022 +0200| [04dabb241ba63c11b2863d237162985a797624d3] | committer: Michael Niedermayer avformat/asfdec_f: Use 64bit for packet start time Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int' Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ed78486fcb065b5b459f14d4b1c3242f6d21ec7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=04dabb241ba63c11b2863d237162985a797624d3 --- libavformat/asfdec_f.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/asfdec_f.c b/libavformat/asfdec_f.c index b45118e5d1..2166e11649 100644 --- a/libavformat/asfdec_f.c +++ b/libavformat/asfdec_f.c @@ -103,7 +103,7 @@ typedef struct ASFContext { int ts_is_pts; int packet_multi_size; int packet_time_delta; -int packet_time_start; +int64_t packet_time_start; int64_t packet_pos; int stream_index; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
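Review bot: Widening `packet_time_start` to `int64_t` in ASFContext changes the type seen by every use of the field, and none of those uses are in this hunk. Any format string that prints it with `%d` and any assignment of it into an `int` should be checked, with log calls switched to `"%"PRId64` where needed. A brief field comment such as `/* 64 bit: additions to this value overflowed int */` would record why it differs from the neighbouring `int` fields.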
[FFmpeg-cvslog] avcodec/lagarith: Check dst/src in zero run code
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue Jul 12 20:43:20 2022 +0200| [f22b7e65c5fb45ab598505200733d3b3fce799fc] | committer: Michael Niedermayer avcodec/lagarith: Check dst/src in zero run code Fixes: out of array access Fixes: 48799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4764457825337344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 9450f759748d02d1d284d2e4afd741cb0fe0c04a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f22b7e65c5fb45ab598505200733d3b3fce799fc --- libavcodec/lagarith.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 7220648bc4..ca4ab5cc53 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -409,6 +409,9 @@ output_zeros: if (zero_run) { zero_run = 0; i += esc_count; +if (i > end - dst || +i >= src_end - src) +return AVERROR_INVALIDDATA; memcpy(dst, src, i); dst += i; l->zeros_rem = lag_calc_zero_run(src[i]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
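Review bot: The two comparisons in the new bounds check use different operators, `i > end - dst` but `i >= src_end - src`, and the reason is easy to miss. The source side needs one byte more because `src[i]` is read right after the memcpy(), so a comment such as `/* src needs i bytes for the copy plus src[i] for the next zero run */` would make that explicit. The declaration of `i` is outside the hunk; if it is signed and could ever be negative, it would pass both comparisons and reach memcpy(), which is worth ruling out.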
[FFmpeg-cvslog] avformat/nutdec: Check get_packetheader() in mainheader
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Jul 6 23:54:49 2022 +0200| [c39b1d310afb6633a8af7c70c3976b44383bcb72] | committer: Michael Niedermayer avformat/nutdec: Check get_packetheader() in mainheader Fixes; Timeout Fixes: 48794/clusterfuzz-testcase-minimized-ffmpeg_dem_NUT_fuzzer-6524604713140224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5de084aa63b79586bc445e6a7fea837688b3941) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c39b1d310afb6633a8af7c70c3976b44383bcb72 --- libavformat/nutdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c index 0a8a700acf..c6b9db5cb3 100644 --- a/libavformat/nutdec.c +++ b/libavformat/nutdec.c @@ -199,6 +199,8 @@ static int decode_main_header(NUTContext *nut) int tmp_stream, tmp_mul, tmp_pts, tmp_size, tmp_res, tmp_head_idx; length = get_packetheader(nut, bc, 1, MAIN_STARTCODE); +if (length == (uint64_t)-1) +return AVERROR_INVALIDDATA; end = length + avio_tell(bc); nut->version = ffio_read_varlen(bc); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
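Review bot: The added check in decode_main_header() catches only the `(uint64_t)-1` value, so any other large `length` still reaches `end = length + avio_tell(bc);` on the next line. Whether that sum can wrap depends on the types of `length` and `end`, which are declared outside the hunk. If get_packetheader() can return other oversized values, an explicit upper bound would be the more complete guard.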
[FFmpeg-cvslog] avformat/flvdec: Check for EOF in index reading
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Jun 20 01:36:29 2022 +0200| [904cb851cef3345d7d9d6434a6fa3998c6802f08] | committer: Michael Niedermayer avformat/flvdec: Check for EOF in index reading Fixes: Timeout Fixes: 47992/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-6020443879899136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ceff5d7b74cd9ae6055957979d27d289c70a9e1b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=904cb851cef3345d7d9d6434a6fa3998c6802f08 --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index b9e36b3ff1..42992d3fb3 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -463,6 +463,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m goto invalid; if (current_array == × && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) goto invalid; +if (avio_feof(ioc)) +goto invalid; current_array[0][i] = d; } if (times && filepositions) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/tiff: Check tile_length and tile_width
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Jul 21 23:27:59 2022 +0200| [447c1942ced390eaf04267cfa2c41e38c5c2e686] | committer: Michael Niedermayer avcodec/tiff: Check tile_length and tile_width Fixes: Division by 0 Fixes: 49235/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5495613847896064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 76112c2b4167bb3c40503b3334c8b38fd707a8d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=447c1942ced390eaf04267cfa2c41e38c5c2e686 --- libavcodec/tiff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7190f48310..34aab924d3 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -963,6 +963,9 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, int pos_x = 0, pos_y = 0; int ret; +if (s->tile_width <= 0 || s->tile_length <= 0) +return AVERROR_INVALIDDATA; + has_width_leftover = (s->width % s->tile_width != 0); has_height_leftover = (s->height % s->tile_length != 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
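Review bot: The `s->tile_width <= 0 || s->tile_length <= 0` check guards the two modulo operations in dng_decode_tiles(), but it validates the fields at the point of use rather than where they are set. Any other code that divides by these fields would need its own check; rejecting non-positive values when the tile tags are parsed would cover all users at once. The parsing code is not part of this hunk, so this is a point to verify, not a confirmed gap.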
[FFmpeg-cvslog] avcodec/mss4: Check image size with av_image_check_size2()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Jul 3 00:34:08 2022 +0200| [b821f224fbc509b9b665af36bfa631cf18cd97c1] | committer: Michael Niedermayer avcodec/mss4: Check image size with av_image_check_size2() Fixes: Timeout Fixes: 48418/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-4834851466903552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4e145f1dcdcbe19e8f8e98940dab04e9332a8b5b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b821f224fbc509b9b665af36bfa631cf18cd97c1 --- libavcodec/mss4.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/mss4.c b/libavcodec/mss4.c index 216df2852d..51d11f328d 100644 --- a/libavcodec/mss4.c +++ b/libavcodec/mss4.c @@ -26,6 +26,7 @@ */ #include "libavutil/thread.h" +#include "libavutil/imgutils.h" #include "avcodec.h" #include "bytestream.h" @@ -476,6 +477,9 @@ static int mss4_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, width, height); return AVERROR_INVALIDDATA; } +if (av_image_check_size2(width, height, avctx->max_pixels, AV_PIX_FMT_NONE, 0, avctx) < 0) +return AVERROR_INVALIDDATA; + if (quality < 1 || quality > 100) { av_log(avctx, AV_LOG_ERROR, "Invalid quality setting %d\n", quality); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] MAINTAINERS: Add ED25519 key for signing my commits in the future
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue Aug 9 21:53:32 2022 +0200| [e9e4d219117e700de231c1468745f675bcc18db7] | committer: Michael Niedermayer MAINTAINERS: Add ED25519 key for signing my commits in the future Signed-off-by: Michael Niedermayer (cherry picked from commit 05225180bea208dfd81efac327e429711a963697) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9e4d219117e700de231c1468745f675bcc18db7 --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index c065e94498..fcd68d8035 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -618,6 +618,7 @@ Jean Delvare 7CA6 9F44 60F1 BDC4 1FD2 C858 A552 6B9B B3CD 4E6A Loren Merritt ABD9 08F4 C920 3F65 D8BE 35D7 1540 DAA7 060F 56DE Lynne FE50 139C 6805 72CA FD52 1F8D A2FE A5F0 3F03 4464 Michael Niedermayer 9FF2 128B 147E F673 0BAD F133 611E C787 040B 0FAB + DD1E C9E8 DE08 5C62 9B3E 1846 B18E 8928 B394 8D64 Nicolas George24CE 01CE 9ACC 5CEB 74D8 8D9D B063 D997 36E5 4C93 Nikolay Aleksandrov 8978 1D8C FB71 588E 4B27 EAA8 C4F0 B5FC E011 13B1 Panagiotis Issaris6571 13A3 33D9 3726 F728 AA98 F643 B12E ECF3 E029 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/hevc_filter: copy_CTB() only within width&height
ffmpeg | branch: release/5.0 | Michael Niedermayer | Fri Jul 22 00:51:32 2022 +0200| [c2cb656667617ad9591a590fb1c01e0934b3aadd] | committer: Michael Niedermayer avcodec/hevc_filter: copy_CTB() only within width&height Fixes: out of array access Fixes: 49271/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5424984922652672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 009ef35d384c3df22d8a8be7416dc9d532e91c52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2cb656667617ad9591a590fb1c01e0934b3aadd --- libavcodec/hevc_filter.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_filter.c b/libavcodec/hevc_filter.c index 3c45b5a39e..c5d9f58bd3 100644 --- a/libavcodec/hevc_filter.c +++ b/libavcodec/hevc_filter.c @@ -142,11 +142,22 @@ static void copy_CTB(uint8_t *dst, const uint8_t *src, int width, int height, if (((intptr_t)dst | (intptr_t)src | stride_dst | stride_src) & 15) { for (i = 0; i < height; i++) { -for (j = 0; j < width; j+=8) +for (j = 0; j < width - 7; j+=8) AV_COPY64U(dst+j, src+j); dst += stride_dst; src += stride_src; } +if (width&7) { +dst += ((width>>3)<<3) - stride_dst * height; +src += ((width>>3)<<3) - stride_src * height; +width &= 7; +for (i = 0; i < height; i++) { +for (j = 0; j < width; j++) +dst[j] = src[j]; +dst += stride_dst; +src += stride_src; +} +} } else { for (i = 0; i < height; i++) { for (j = 0; j < width; j+=16) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
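Review bot: The tail handling added to the unaligned branch of copy_CTB() rewinds `dst` and `src` by `stride * height` and then walks the rows a second time, which is harder to verify than the copy it protects. Finishing each row inside the first loop with `for (; j < width; j++) dst[j] = src[j];` right after the AV_COPY64U loop yields the same bytes without the pointer arithmetic. The aligned branch visible at the end of the hunk still steps `j` by 16 up to `width`, so it presumably copies past `width` when that is not a multiple of 16; whether the buffers guarantee that padding is outside the hunk.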
[FFmpeg-cvslog] avcodec/mjpegdec: bayer and rct are incompatible
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sat Aug 13 22:47:31 2022 +0200| [7ce588047b2798668fc7d4367e632a0fae910ae0] | committer: Michael Niedermayer avcodec/mjpegdec: bayer and rct are incompatible Fixes: out of array read Fixes: 49434/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5208501080686592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a44f5a521227adc7be2f78b411f56da1a4d98704) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ce588047b2798668fc7d4367e632a0fae910ae0 --- libavcodec/mjpegdec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index a735d2337d..c4e8a598eb 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1088,6 +1088,10 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return AVERROR_INVALIDDATA; if (s->v_max != 1 || s->h_max != 1 || !s->lossless) return AVERROR_INVALIDDATA; +if (s->bayer) { +if (s->rct || s->pegasus_rct) +return AVERROR_INVALIDDATA; +} s->restart_count = s->restart_interval; @@ -1938,6 +1942,8 @@ static int mjpeg_decode_app(MJpegDecodeContext *s) } len -= 9; +if (s->bayer) +goto out; if (s->got_picture) if (rgb != s->rgb || pegasus_rct != s->pegasus_rct) { av_log(s->avctx, AV_LOG_WARNING, "Mismatching LJIF tag\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
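Review bot: The nested `if (s->bayer) { if (s->rct || s->pegasus_rct) ... }` in ljpeg_decode_rgb_scan() can be a single condition, `if (s->bayer && (s->rct || s->pegasus_rct)) return AVERROR_INVALIDDATA;`, matching the one-line checks just above it. In the second hunk, `if (s->bayer) goto out;` in mjpeg_decode_app() skips the LJIF tag handling without explanation. A comment such as `/* bayer streams must not take rgb/rct settings from this tag */` would help, with the wording confirmed against the code between the hunk and the `out` label.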
[FFmpeg-cvslog] avcodec/mpegaudiodec_template: use unsigned shift in handle_crc()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Aug 14 23:30:22 2022 +0200| [a90844d4435edb630945bbe3e7d5bffdf9adef81] | committer: Michael Niedermayer avcodec/mpegaudiodec_template: use unsigned shift in handle_crc() Fixes: left shift of 192 by 24 places cannot be represented in type 'int' Fixes: 49577/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP1FLOAT_fuzzer-5205996678545408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7086491fa0eca4ad647b5c9fae6d07344cc44ec0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a90844d4435edb630945bbe3e7d5bffdf9adef81 --- libavcodec/mpegaudiodec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudiodec_template.c b/libavcodec/mpegaudiodec_template.c index bbb6ff1120..8e214aa8cf 100644 --- a/libavcodec/mpegaudiodec_template.c +++ b/libavcodec/mpegaudiodec_template.c @@ -372,7 +372,7 @@ static int handle_crc(MPADecodeContext *s, int sec_len) crc_val = av_crc(crc_tab, crc_val, &buf[6], sec_byte_len); AV_WB32(tmp_buf, -((buf[6 + sec_byte_len] & (0xFF00 >> sec_rem_bits)) << 24) + +((buf[6 + sec_byte_len] & (0xFF00U >> sec_rem_bits)) << 24) + ((s->crc << 16) >> sec_rem_bits)); crc_val = av_crc(crc_tab, crc_val, tmp_buf, 3); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
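Review bot: Only the first operand of the AV_WB32() expression in handle_crc() was made unsigned; the second, `(s->crc << 16) >> sec_rem_bits`, still shifts in whatever type `s->crc` has. If that field is a signed int holding a 16-bit CRC, values with the top bit set overflow in the same way the commit message describes. The declaration is outside the hunk; if it is signed, `((unsigned)s->crc << 16) >> sec_rem_bits` would close the gap. That change also makes the right shift a logical one, which is presumably what is intended.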
[FFmpeg-cvslog] avformat/subviewerdec: Make read_ts() more flexible
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Mar 22 00:54:58 2020 +0100| [50698086ee05848957ab46cfe2d2ead9013b52dd] | committer: Michael Niedermayer avformat/subviewerdec: Make read_ts() more flexible Fixes: signed integer overflow: -1948269928 * 10 cannot be represented in type 'int' Fixes: 49451/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6344614822412288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 58a8e739ef93f8b42f8139e73227508256929d20) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=50698086ee05848957ab46cfe2d2ead9013b52dd --- libavformat/subviewerdec.c | 36 +--- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/libavformat/subviewerdec.c b/libavformat/subviewerdec.c index bcd103bd86..11b4911e9a 100644 --- a/libavformat/subviewerdec.c +++ b/libavformat/subviewerdec.c 
@@ -51,26 +51,32 @@ static int subviewer_probe(const AVProbeData *p) return 0; } +static int get_multiplier(int e) { +switch (e) { +case 1 : return 100; +case 2 : return 10; +case 3 : return 1; +default : return -1; +} +} + static int read_ts(const char *s, int64_t *start, int *duration) { int64_t end; int hh1, mm1, ss1, ms1; int hh2, mm2, ss2, ms2; -int multiplier = 1; - -if (sscanf(s, "%u:%u:%u.%2u,%u:%u:%u.%2u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { -multiplier = 10; -} else if (sscanf(s, "%u:%u:%u.%1u,%u:%u:%u.%1u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { -multiplier = 100; -} -if (sscanf(s, "%u:%u:%u.%u,%u:%u:%u.%u", - &hh1, &mm1, &ss1, &ms1, &hh2, &mm2, &ss2, &ms2) == 8) { -ms1 = FFMIN(ms1, 999); -ms2 = FFMIN(ms2, 999); -end= (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier; -*start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier; +int multiplier1, multiplier2; +int ms1p1, ms1p2, ms2p1, ms2p2; + +if (sscanf(s, "%u:%u:%u.%n%u%n,%u:%u:%u.%n%u%n", + &hh1, &mm1, &ss1, &ms1p1, &ms1, &ms1p2, &hh2, &mm2, &ss2, &ms2p1, &ms2, &ms2p2) == 8) { +multiplier1 = get_multiplier(ms1p2 - ms1p1); +multiplier2 = get_multiplier(ms2p2 - ms2p1); +if (multiplier1 <= 0 ||multiplier2 <= 0) +return -1; + +end= (hh2*3600LL + mm2*60LL + ss2) * 1000LL + ms2 * multiplier2; +*start = (hh1*3600LL + mm1*60LL + ss1) * 1000LL + ms1 * multiplier1; *duration = end - *start; return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
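Review bot: The value passed to `get_multiplier()` is a character count, not a digit count: `%u` skips leading white space and accepts a sign, so in `read_ts()` the difference `ms1p2 - ms1p1` (and `ms2p2 - ms2p1`) includes those characters, and a field such as `. 5` is scaled as if it had two digits. Rejecting a fraction that does not start with a digit closes this, e.g. `if (!av_isdigit(s[ms1p1]) || !av_isdigit(s[ms2p1])) return -1;` right after the `sscanf()` succeeds (assuming `libavutil/avstring.h` is available in this file). Fractions longer than three digits, which the removed code clamped to 999, now make `read_ts()` return -1. A one-line comment on `get_multiplier()` saying that `e` is the number of fractional digits and that other lengths are rejected would document that.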
[FFmpeg-cvslog] avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel
ffmpeg | branch: release/5.0 | Michael Niedermayer | Sun Aug 14 23:39:56 2022 +0200| [d246af82c28bdb66064ca7d9c1d22baf2e8467c4] | committer: Michael Niedermayer avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel This is somewhat redundant with the is_decoded check. Maybe there is a nicer solution Fixes: Null pointer dereference Fixes: 49584/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5297367351427072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b51e1992289383aa9f083c88e153e34b6412c89) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d246af82c28bdb66064ca7d9c1d22baf2e8467c4 --- libavcodec/hevcdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 8d7a4f7147..82f0cc88fe 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -3499,7 +3499,7 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, } } else { /* verify the SEI checksum */ -if (avctx->err_recognition & AV_EF_CRCCHECK && s->is_decoded && +if (avctx->err_recognition & AV_EF_CRCCHECK && s->ref && s->is_decoded && s->sei.picture_hash.is_md5) { ret = verify_md5(s, s->ref->frame); if (ret < 0 && avctx->err_recognition & AV_EF_EXPLODE) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
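Review bot: The added `s->ref` test in the SEI checksum branch of `hevc_decode_frame()` has no comment, and the commit message itself calls it somewhat redundant with `is_decoded`, so a later clean-up could remove it again. A short comment above the condition would record why it is needed, for example `/* s->ref may be NULL even with is_decoded set; the call below reads s->ref->frame */`. The condition also mixes `&` and `&&` without parentheses; `(avctx->err_recognition & AV_EF_CRCCHECK) && s->ref && ...` is easier to read correctly. The function body continues outside the hunk.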
[FFmpeg-cvslog] avcodec/h263dec: Sanity check against minimal I/P frame size
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Aug 15 00:02:37 2022 +0200| [408c0c43d7c201a586f76040f2ffcfb28a71d9f1] | committer: Michael Niedermayer avcodec/h263dec: Sanity check against minimal I/P frame size Fixes: Timeout Fixes: 49718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-4874987894341632 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ca4ff9c21cb77e024fa4ff5889826a8bee4d0e0a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=408c0c43d7c201a586f76040f2ffcfb28a71d9f1 --- libavcodec/h263dec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 2682a7f43a..2d1752d76e 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -551,6 +551,8 @@ retry: avctx->has_b_frames = !s->low_delay; if (CONFIG_MPEG4_DECODER && avctx->codec_id == AV_CODEC_ID_MPEG4) { +if (s->pict_type != AV_PICTURE_TYPE_B && s->mb_num/2 > get_bits_left(&s->gb)) +return AVERROR_INVALIDDATA; if (ff_mpeg4_workaround_bugs(avctx) == 1) goto retry; if (s->studio_profile != (s->idsp.idct == NULL)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
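Review bot: The new size check in the MPEG-4 branch uses the unexplained ratio `s->mb_num/2`: it rejects an I or P picture when fewer bits remain than half the macroblock count. A comment stating the assumed lower bound would help whoever has to tune it, e.g. `/* assume a non-B picture needs at least about one bit per two macroblocks */`. The check sits after the `retry:` label, so it is evaluated again on every retry; that looks harmless, but the enclosing function is only partly visible here.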
[FFmpeg-cvslog] avformat/avidec: Prevent entity expansion attacks
ffmpeg | branch: release/5.0 | Michael Niedermayer | Thu Aug 18 00:22:41 2022 +0200| [74f855fed2675384a17be497211445d7639e98ce] | committer: Michael Niedermayer avformat/avidec: Prevent entity expansion attacks Fixes: Timeout Fixes no testcase, this is the same idea as similar attacks against XML parsers Signed-off-by: Michael Niedermayer (cherry picked from commit f3e823c2aa04d4f5571a5e04c27a244890704c8d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74f855fed2675384a17be497211445d7639e98ce --- libavformat/avidec.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 8584b4a882..c1f3294637 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -79,6 +79,8 @@ typedef struct AVIContext { int stream_index; DVDemuxContext *dv_demux; int odml_depth; +int64_t odml_read; +int64_t odml_max_pos; int use_odml; #define MAX_ODML_DEPTH 1000 int64_t dts_max; @@ -197,7 +199,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) st = s->streams[stream_id]; ast = st->priv_data; -if (index_sub_type) +if (index_sub_type || entries_in_use < 0) return AVERROR_INVALIDDATA; avio_rl32(pb); @@ -218,11 +220,18 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } for (i = 0; i < entries_in_use; i++) { +avi->odml_max_pos = FFMAX(avi->odml_max_pos, avio_tell(pb)); + +// If we read more than there are bytes then we must have been reading something twice +if (avi->odml_read > avi->odml_max_pos) +return AVERROR_INVALIDDATA; + if (index_type) { int64_t pos = avio_rl32(pb) + base - 8; int len = avio_rl32(pb); int key = len >= 0; len &= 0x7FFF; +avi->odml_read += 8; av_log(s, AV_LOG_TRACE, "pos:%"PRId64", len:%X\n", pos, len); 
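Review bot: The two counters added to `AVIContext`, `odml_read` and `odml_max_pos`, carry the whole defence but are declared without a comment, and the amounts added in `read_odml_index()` (`+= 8` here, `+= 16` in the `@@ -241` hunk) are bare numbers that must stay equal to the bytes each branch reads. Comments on the fields would make the invariant explicit, e.g. `int64_t odml_read; // bytes of index entries parsed so far` and `int64_t odml_max_pos; // highest file offset at which an entry was parsed`. The limit is tested at the top of each loop iteration, before the entry is counted, so the entry that crosses it is still processed; that looks acceptable but deserves a word in the existing comment. `read_odml_index()` starts and ends outside these hunks.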
@@ -241,6 +250,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) int64_t offset, pos; int duration; int ret; +avi->odml_read += 16; offset = avio_rl64(pb); avio_rl32(pb); /* size */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] libavcodec/8bps: Check that line lengths fit within the buffer
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Aug 22 22:10:09 2022 +0200| [a221a3bfafb152a9514e185376332b898f20b1c0] | committer: Michael Niedermayer libavcodec/8bps: Check that line lengths fit within the buffer Fixes: Timeout Fixes: undefined pointer arithmetic Fixes: 50330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5436287485607936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2316d5ec1a95b13ff9a0ce80409fa367a041966d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a221a3bfafb152a9514e185376332b898f20b1c0 --- libavcodec/8bps.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 6865b9b12e..a84999b455 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -71,6 +71,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, unsigned char *planemap = c->planemap; int ret; +if (buf_size < planes * height *2) +return AVERROR_INVALIDDATA; + if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
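Review bot: The new guard in `decode_frame()` multiplies by a bare `2` whose meaning is given only in the commit title. A comment such as `/* the packet starts with one 16-bit line length per row and plane */` would tie the constant to the data layout (assuming that layout; the parsing code is outside the hunk). The product `planes * height *2` is presumably evaluated in `int`, so it relies on `height` having been bounded earlier; `planes * (int64_t)height * 2` removes that dependency. The spacing of `*2` also differs from the rest of the expression.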
[FFmpeg-cvslog] doc/git-howto.texi: Document commit signing
ffmpeg | branch: release/5.0 | Michael Niedermayer | Tue Aug 9 21:49:04 2022 +0200| [3c293ad92ccb2d9e22f25cef54152d02c258690d] | committer: Michael Niedermayer doc/git-howto.texi: Document commit signing Signed-off-by: Michael Niedermayer (cherry picked from commit ced0dc807eb67516b341d68f04ce5a87b02820de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c293ad92ccb2d9e22f25cef54152d02c258690d --- doc/git-howto.texi | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/doc/git-howto.texi b/doc/git-howto.texi index 874afabbbc..5bb39bb986 100644 --- a/doc/git-howto.texi +++ b/doc/git-howto.texi @@ -187,11 +187,18 @@ to make sure you don't have untracked files or deletions. git add [-i|-p|-A] @end example -Make sure you have told Git your name and email address +Make sure you have told Git your name, email address and GPG key @example git config --global user.name "My Name" git config --global user.email my@@email.invalid +git config --global user.signingkey ABCDEF0123245 +@end example + +Enable signing all commits or use -S + +@example +git config --global commit.gpgsign true @end example Use @option{--global} to set the global configuration for all your Git checkouts. 
@@ -423,6 +430,19 @@ git checkout -b svn_23456 $SHA1 where @var{$SHA1} is the commit hash from the @command{git log} output. +@chapter gpg key generation + +If you have no gpg key yet, we recommend that you create a ed25519 based key as it +is small, fast and secure. Especially it results in small signatures in git. + +@example +gpg --default-new-key-algo "ed25519/cert,sign+cv25519/encr" --quick-generate-key "human@@server.com" +@end example + +When generating a key, make sure the email specified matches the email used in git as some sites like +github consider mismatches a reason to declare such commits unverified. After generating a key you +can add it to the MAINTAINER file and upload it to a keyserver. + @chapter Pre-push checklist Once you have a set of commits that you feel are ready for pushing, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Aug 22 21:29:55 2022 +0200| [9e92d14dbf6ae9bbfe48dc8769fa8b30fd63bc59] | committer: Michael Niedermayer avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() This would avoid regeting the frame on lzss errors Signed-off-by: Michael Niedermayer (cherry picked from commit 628fb97efb0b6202e56fab89670406261bf86d85) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9e92d14dbf6ae9bbfe48dc8769fa8b30fd63bc59 --- libavcodec/midivid.c | 13 ++--- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/libavcodec/midivid.c b/libavcodec/midivid.c index 4a3ba33f11..e05fb4d4c6 100644 --- a/libavcodec/midivid.c +++ b/libavcodec/midivid.c @@ -202,12 +202,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, bytestream2_skip(gb, 8); uncompressed = bytestream2_get_le32(gb); -if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) -return ret; - -if (uncompressed) { -ret = decode_mvdv(s, avctx, frame); -} else { +if (!uncompressed) { av_fast_padded_malloc(&s->uncompressed, &s->uncompressed_size, 16LL * (avpkt->size - 12)); if (!s->uncompressed) return AVERROR(ENOMEM); @@ -216,9 +211,13 @@ static int decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; bytestream2_init(gb, s->uncompressed, ret); -ret = decode_mvdv(s, avctx, frame); } +if ((ret = ff_reget_buffer(avctx, s->frame, 0)) < 0) +return ret; + +ret = decode_mvdv(s, avctx, frame); + if (ret < 0) return ret; key = ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
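Review bot: After this change the order of decompression and `ff_reget_buffer()` in `decode_frame()` matters, but nothing in the code says so. A comment above the moved call would keep a later refactor from swapping them back, e.g. `/* decompress first so that a damaged packet fails before the frame is re-acquired */`. The function is only partly visible in these two hunks.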
[FFmpeg-cvslog] libavformat/iff: Check for overflow in body_end calculation
ffmpeg | branch: release/5.0 | Michael Niedermayer | Mon Aug 22 20:31:32 2022 +0200| [b24407a9bac37ef4d672f368211d3b855d5e4d46] | committer: Michael Niedermayer libavformat/iff: Check for overflow in body_end calculation Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long' Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bcb46903040e5a5199281f4ad0a1fdaf750ebc37) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b24407a9bac37ef4d672f368211d3b855d5e4d46 --- libavformat/iff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/iff.c b/libavformat/iff.c index 3ab68ffb35..43c8e89eb9 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -501,6 +501,9 @@ static int iff_read_header(AVFormatContext *s) case ID_DST: case ID_MDAT: iff->body_pos = avio_tell(pb); +if (iff->body_pos < 0 || iff->body_pos + data_size > INT64_MAX) +return AVERROR_INVALIDDATA; + iff->body_end = iff->body_pos + data_size; iff->body_size = data_size; if (chunk_id == ID_DST) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
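Review bot: The second half of the new test in `iff_read_header()`, `iff->body_pos + data_size > INT64_MAX`, performs the very addition it is meant to guard. If `data_size` is a signed 64-bit value, the sum overflows before the comparison and the comparison can never be true; if it is unsigned, the sum can wrap to a small value and pass. Comparing against the remaining headroom avoids both: `if (iff->body_pos < 0 || data_size > INT64_MAX - iff->body_pos)`. The declaration of `data_size` is outside the hunk, so which of the two cases applies could not be confirmed here.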
[FFmpeg-cvslog] avformat/asfdec_o: limit recursion depth in asf_read_unknown()
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Aug 31 01:21:38 2022 +0200| [9b4f9233c3b9c577dc00364e7dab215bed15c173] | committer: Michael Niedermayer avformat/asfdec_o: limit recursion depth in asf_read_unknown() The threshold of 5 is arbitrary, both smaller and larger should work fine Fixes: Stack overflow Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f1a368169ef9d945dc4b4764f5c60ba9bbc9134) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b4f9233c3b9c577dc00364e7dab215bed15c173 --- libavformat/asfdec_o.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index fb614d42de..74f283fa51 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -109,6 +109,7 @@ typedef struct ASFContext { int64_t data_offset; int64_t first_packet_offset; // packet offset int64_t unknown_offset; // for top level header objects or subobjects without specified behavior +int in_asf_read_unknown; // ASF file must not contain more than 128 streams according to the specification ASFStream *asf_st[ASF_MAX_STREAMS]; @@ -173,7 +174,7 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) uint64_t size = avio_rl64(pb); int ret; -if (size > INT64_MAX) +if (size > INT64_MAX || asf->in_asf_read_unknown > 5) return AVERROR_INVALIDDATA; if (asf->is_header) 
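Review bot: The depth limit in `asf_read_unknown()` is the literal `5` inside the condition `asf->in_asf_read_unknown > 5`, and the new field is named like a flag although it is used as a counter. A named constant next to the field, e.g. `#define ASF_MAX_UNKNOWN_DEPTH 5`, with the test written `asf->in_asf_read_unknown > ASF_MAX_UNKNOWN_DEPTH`, would match the `ASF_MAX_STREAMS` style already used in the struct and give the arbitrary threshold one place to change. A comment on the field, `int in_asf_read_unknown; // current nesting depth of asf_read_unknown()`, would cover the naming. The increment and decrement in the `@@ -182` hunk bracket only the `detect_unknown_subobject()` call, with no early return between them, so the counter stays balanced.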
@@ -182,8 +183,11 @@ static int asf_read_unknown(AVFormatContext *s, const GUIDParseTable *g) if (!g->is_subobject) { if (!(ret = strcmp(g->name, "Header Extension"))) avio_skip(pb, 22); // skip reserved fields and Data Size -if ((ret = detect_unknown_subobject(s, asf->unknown_offset, -asf->unknown_size)) < 0) +asf->in_asf_read_unknown ++; +ret = detect_unknown_subobject(s, asf->unknown_offset, +asf->unknown_size); +asf->in_asf_read_unknown --; +if (ret < 0) return ret; } else { if (size < 24) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] Update for 5.0.2
ffmpeg | branch: release/5.0 | Michael Niedermayer | Wed Aug 31 21:38:41 2022 +0200| [491bf78721c25fe56ab65a21842e89f5ca501506] | committer: Michael Niedermayer Update for 5.0.2 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=491bf78721c25fe56ab65a21842e89f5ca501506 --- Changelog| 69 RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 71 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 5a32cf0d5c..f88b70590b 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,75 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 5.0.2: +- avformat/asfdec_o: limit recursion depth in asf_read_unknown() +- doc/git-howto.texi: Document commit signing +- libavcodec/8bps: Check that line lengths fit within the buffer +- avcodec/midivid: Perform lzss_uncompress() before ff_reget_buffer() +- libavformat/iff: Check for overflow in body_end calculation +- avformat/avidec: Prevent entity expansion attacks +- avcodec/h263dec: Sanity check against minimal I/P frame size +- avcodec/hevcdec: Check s->ref in the md5 path similar to hwaccel +- avcodec/mpegaudiodec_template: use unsigned shift in handle_crc() +- avformat/subviewerdec: Make read_ts() more flexible +- avcodec/mjpegdec: bayer and rct are incompatible +- MAINTAINERS: Add ED25519 key for signing my commits in the future +- avcodec/hevc_filter: copy_CTB() only within width&height +- avcodec/tiff: Check tile_length and tile_width +- avcodec/mss4: Check image size with av_image_check_size2() +- avformat/flvdec: Check for EOF in index reading +- avformat/nutdec: Check get_packetheader() in mainheader +- avformat/asfdec_f: Use 64bit for packet start time +- avcodec/exr: Check x/ysize +- tools/target_dec_fuzzer: Adjust threshold for MMVIDEO +- avcodec/lagarith: Check dst/src in zero run code +- avcodec/h264dec: Skip late SEI +- avcodec/sbrdsp_fixed: Fix integer overflows in sbr_qmf_deint_neg_c() +- avfilter/vf_signature: Fix integer overflow in filter_frame() +- avformat/rtsp: break on unknown protocols +- avcodec/hevcdsp_template: stay within tables in sao_band_filter() +- avcodec/tiff: Check pixel format types for dng +- avcodec/qpeldsp: copy less for the mc0x cases +- avformat/aaxdec: Check for empty segments +- avcodec/ffv1dec: Limit golomb rice coded slices to width 8M +- avformat/iff: simplify duration calculation +- avcodec/wnv1: Check for width =1 +- avcodec/ffv1dec_template: fix indention +- 
avformat/sctp: close socket on errors +- avformat/cinedec: Check size and pos more +- avcodec/aasc: Fix indention +- avcodec/qdrw: adjust max colors to array size +- avcodec/alacdsp: Make intermediates unsigned +- avformat/aiffdec: cleanup size handling for extreem cases +- avformat/matroskadec: avoid integer overflows in SAR computation +- avcodec/jpeglsdec: fix end check for xfrm +- avcodec/cdgraphics: limit scrolling to the line +- avformat/hls: Limit start_seq_no to one bit less +- avformat/aiffdec: avoid integer overflow in get_meta() +- avformat/aaxdec: Check for overlaping segments +- avformat/ape: more bits in size for less overflows +- avformat/aviobuf: Check buf_size in ffio_ensure_seekback() +- avformat/bfi: Check offsets better +- avformat/asfdec_f: Check packet_frag_timestamp +- avcodec/texturedspenc: Fix indexing in color distribution determination +- avformat/act: Check ff_get_wav_header() for failure +- avcodec/libxavs2: Improve r redundancy in occured +- avformat/libzmq: Improve r redundancy in occured +- avfilter/vf_libplacebo: Match AV_OPT_TYPE_FLOAT to dbl +- avfilter/vsrc_mandelbrot: Check for malloc failure +- avfilter/vf_frei0r: Copy to frame allocated according to frei0r requirements +- avfilter/video: Add ff_default_get_video_buffer2() to set specific alignment +- avformat/genh: Check sample rate +- avformat/demux: Use unsigned to check duration vs duration_text +- avutil/hwcontext_d3d11va: fix texture_infos writes on non-fixed-size pools +- avcodec/cuviddec: fix null pointer dereference +- avcodec/cuviddec: fix AV1 decoding error +- configure: extend SDL check to accept all 2.x versions +- lavf/tls_mbedtls: add support for mbedtls version 3 +- fate: update reference files after the recent dash manifest muxer changes +- avformat/webmdashenc: fix on-demand profile string +- avcodec/libdav1d: don't depend on the event flags API to init sequence params the first time + version 5.0.1: - avcodec/exr: Avoid signed overflow in displayWindow - 
avcodec/diracdec: avoid signed integer overflow in global mv diff --git a/RELEASE b/RELEASE index 6b244dcd69..a1ef0cae18 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -5.0.1 +5.0.2 diff --git a/doc/Doxyfile b/doc/Doxyfile index 620bc31785..79463813eb 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile @@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated d
[FFmpeg-cvslog] lavc/tiff: Support multi-component files without RowsPerStrip tag.
ffmpeg | branch: master | Carl Eugen Hoyos | Wed Aug 31 19:37:19 2022 +0200| [ff6044b921ffb59964a126faef5106a391a819eb] | committer: Carl Eugen Hoyos lavc/tiff: Support multi-component files without RowsPerStrip tag. Fixes ticket #9514. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff6044b921ffb59964a126faef5106a391a819eb --- libavcodec/tiff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index b0595b56c0..109392ad44 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -1367,7 +1367,7 @@ static int tiff_decode_tag(TiffContext *s, AVFrame *frame) } else s->strippos = off; s->strips = count; -if (s->strips == 1) +if (s->strips == s->bppcount) s->rps = s->height; s->sot = type; break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
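Review bot: Replacing `s->strips == 1` with `s->strips == s->bppcount` in `tiff_decode_tag()` drops the old case for files with more than one component: a multi-component image stored in a single strip without RowsPerStrip no longer gets `s->rps = s->height` here. If nothing else supplies that default, keeping both cases would be safer: `if (s->strips == 1 || s->strips == s->bppcount)`. The comparison also depends on `s->bppcount` already holding its final value when this tag is parsed, which the hunk does not show. The surrounding `switch` continues outside the hunk.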