[FFmpeg-cvslog] avcodec/h2645_sei: validate Mastering Display Colour Volume SEI values
ffmpeg | branch: master | Kacper Michajłow | Sat Apr 13 17:21:08 2024 +0200| [1c45104f74e59beb25ce7451c98527f7a3c518f6] | committer: Niklas Haas avcodec/h2645_sei: validate Mastering Display Colour Volume SEI values As we can read in ST 2086: Values outside the specified ranges of luminance and chromaticity values are not reserved by SMPTE, and can be used for purposes outside the scope of this standard. This is further acknowledged by ITU-T H.264 and ITU-T H.265. Which says that values out of range are unknown or unspecified or specified by other means not specified in this Specification. Signed-off-by: Kacper Michajłow Signed-off-by: Niklas Haas > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c45104f74e59beb25ce7451c98527f7a3c518f6 --- libavcodec/h2645_sei.c | 55 +++--- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/libavcodec/h2645_sei.c b/libavcodec/h2645_sei.c index 933975f076..96a22e7cf6 100644 --- a/libavcodec/h2645_sei.c +++ b/libavcodec/h2645_sei.c 
@@ -587,38 +587,61 @@ static int h2645_sei_to_side_data(AVCodecContext *avctx, H2645SEI *sei, return ret; if (metadata) { +metadata->has_luminance = 1; +metadata->has_primaries = 1; + for (i = 0; i < 3; i++) { const int j = mapping[i]; metadata->display_primaries[i][0].num = sei->mastering_display.display_primaries[j][0]; metadata->display_primaries[i][0].den = chroma_den; +metadata->has_primaries &= sei->mastering_display.display_primaries[j][0] >= 5 && + sei->mastering_display.display_primaries[j][0] <= 37000; + metadata->display_primaries[i][1].num = sei->mastering_display.display_primaries[j][1]; metadata->display_primaries[i][1].den = chroma_den; +metadata->has_primaries &= sei->mastering_display.display_primaries[j][1] >= 5 && + sei->mastering_display.display_primaries[j][1] <= 42000; } metadata->white_point[0].num = sei->mastering_display.white_point[0]; metadata->white_point[0].den = chroma_den; +metadata->has_primaries &= sei->mastering_display.white_point[0] >= 5 && + sei->mastering_display.white_point[0] <= 37000; + metadata->white_point[1].num = sei->mastering_display.white_point[1]; metadata->white_point[1].den = chroma_den; +metadata->has_primaries &= sei->mastering_display.white_point[1] >= 5 && + sei->mastering_display.white_point[1] <= 42000; metadata->max_luminance.num = sei->mastering_display.max_luminance; metadata->max_luminance.den = luma_den; +metadata->has_luminance &= sei->mastering_display.max_luminance >= 5 && + sei->mastering_display.max_luminance <= 1; + metadata->min_luminance.num = sei->mastering_display.min_luminance; metadata->min_luminance.den = luma_den; -metadata->has_luminance = 1; -metadata->has_primaries = 1; - -av_log(avctx, AV_LOG_DEBUG, "Mastering Display Metadata:\n"); -av_log(avctx, AV_LOG_DEBUG, - "r(%5.4f,%5.4f) g(%5.4f,%5.4f) b(%5.4f %5.4f) wp(%5.4f, %5.4f)\n", - av_q2d(metadata->display_primaries[0][0]), - av_q2d(metadata->display_primaries[0][1]), - av_q2d(metadata->display_primaries[1][0]), - 
av_q2d(metadata->display_primaries[1][1]), - av_q2d(metadata->display_primaries[2][0]), - av_q2d(metadata->display_primaries[2][1]), - av_q2d(metadata->white_point[0]), av_q2d(metadata->white_point[1])); -av_log(avctx, AV_LOG_DEBUG, - "min_luminance=%f, max_luminance=%f\n", - av_q2d(metadata->min_luminance), av_q2d(metadata->max_luminance)); +metadata->has_luminance &= sei->mastering_display.min_luminance >= 1 && + sei->mastering_display.min_luminance <= 5 && + sei->mastering_display.min_luminance < + sei->mastering_display.max_luminance; + +if (metadata->has_luminance || metadata->has_primaries) +av_log(avctx, AV_LOG_DEBUG, "Mastering Display Metadata:\n"); +if (metadata->has_primaries) { +av_log(avctx, AV_LOG_DEBUG, + "r(%5.4f,%5.4f) g(%5.4f,%5.4f) b(%5.4f %5.4f) wp(%5.4f, %5.4f)\n", + av_q2d(metadata->display_primaries[0][0]), + av_q2d(metadata->display_primaries[0][1]), +
[FFmpeg-cvslog] avcodec/nvenc: Multi NVENC Split Frame Encoding in HEVC and AV1
ffmpeg | branch: master | Diego Felix de Souza | Fri Apr 12 20:08:12 2024 +| [1f265aa91d6ce11fbf499ee867eae13bc7117e9d] | committer: Timo Rothenpieler avcodec/nvenc: Multi NVENC Split Frame Encoding in HEVC and AV1 When Split frame encoding is enabled, each input frame is partitioned into horizontal strips which are encoded independently and simultaneously by separate NVENCs, usually resulting in increased encoding speed compared to single NVENC encoding. Signed-off-by: Diego Felix de Souza Signed-off-by: Timo Rothenpieler > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f265aa91d6ce11fbf499ee867eae13bc7117e9d --- libavcodec/nvenc.c | 9 + libavcodec/nvenc.h | 2 ++ libavcodec/nvenc_av1.c | 8 libavcodec/nvenc_hevc.c | 8 libavcodec/version.h| 2 +- 5 files changed, 28 insertions(+), 1 deletion(-) diff --git a/libavcodec/nvenc.c b/libavcodec/nvenc.c index b6c5ed3e6b..794174a53f 100644 --- a/libavcodec/nvenc.c +++ b/libavcodec/nvenc.c @@ -1696,6 +1696,15 @@ FF_ENABLE_DEPRECATION_WARNINGS if (ctx->weighted_pred == 1) ctx->init_encode_params.enableWeightedPrediction = 1; +#ifdef NVENC_HAVE_SPLIT_FRAME_ENCODING +ctx->init_encode_params.splitEncodeMode = ctx->split_encode_mode; + +if (ctx->split_encode_mode != NV_ENC_SPLIT_DISABLE_MODE) { +if (avctx->codec->id == AV_CODEC_ID_HEVC && ctx->weighted_pred == 1) +av_log(avctx, AV_LOG_WARNING, "Split encoding not supported with weighted prediction enabled.\n"); +} +#endif + if (ctx->bluray_compat) { ctx->aud = 1; ctx->dpb_size = FFMIN(FFMAX(avctx->refs, 0), 6); diff --git a/libavcodec/nvenc.h b/libavcodec/nvenc.h index 85ecaf1b5f..09de00badc 100644 --- a/libavcodec/nvenc.h +++ b/libavcodec/nvenc.h @@ -81,6 +81,7 @@ typedef void ID3D11Device; // SDK 12.1 compile time feature checks #if NVENCAPI_CHECK_VERSION(12, 1) #define NVENC_NO_DEPRECATED_RC +#define NVENC_HAVE_SPLIT_FRAME_ENCODING #endif // SDK 12.2 compile time feature checks 
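Review bot: The HEVC weighted-prediction conflict in the added `#ifdef NVENC_HAVE_SPLIT_FRAME_ENCODING` block is only logged; `splitEncodeMode` has already been copied from `ctx->split_encode_mode`, so initialisation continues with a combination the warning itself calls unsupported. Either fail with `return AVERROR(EINVAL);` or set `ctx->init_encode_params.splitEncodeMode = NV_ENC_SPLIT_DISABLE_MODE;` there, and have the message say which of the two happened. Because the option tables default to `NV_ENC_SPLIT_AUTO_MODE`, the condition `!= NV_ENC_SPLIT_DISABLE_MODE` is also true for users who never touched the option, so the warning will appear for every HEVC encode with weighted prediction. The enclosing function starts and ends outside the hunk.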
@@ -280,6 +281,7 @@ typedef struct NvencContext int tf_level; int lookahead_level; int unidir_b; +int split_encode_mode; } NvencContext; int ff_nvenc_encode_init(AVCodecContext *avctx); diff --git a/libavcodec/nvenc_av1.c b/libavcodec/nvenc_av1.c index d37ee07bff..a9e065e3b9 100644 --- a/libavcodec/nvenc_av1.c +++ b/libavcodec/nvenc_av1.c @@ -157,6 +157,14 @@ static const AVOption options[] = { { "1","", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_LOOKAHEAD_LEVEL_1 }, 0, 0, VE, .unit = "lookahead_level" }, { "2","", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_LOOKAHEAD_LEVEL_2 }, 0, 0, VE, .unit = "lookahead_level" }, { "3","", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_LOOKAHEAD_LEVEL_3 }, 0, 0, VE, .unit = "lookahead_level" }, +#endif +#ifdef NVENC_HAVE_SPLIT_FRAME_ENCODING +{ "split_encode_mode", "Specifies the split encoding mode", OFFSET(split_encode_mode), AV_OPT_TYPE_INT, { .i64 = NV_ENC_SPLIT_AUTO_MODE }, 0, NV_ENC_SPLIT_DISABLE_MODE, VE, .unit = "split_encode_mode" }, +{ "disabled", "Disabled for all configurations", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_SPLIT_DISABLE_MODE }, 0, 0, VE, .unit = "split_encode_mode" }, +{ "auto", "Enabled or disabled depending on the preset and tuning info",0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_SPLIT_AUTO_MODE }, 0, 0, VE, .unit = "split_encode_mode" }, +{ "forced","Enabled with number of horizontal strips selected by the driver",0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_SPLIT_AUTO_FORCED_MODE }, 0, 0, VE, .unit = "split_encode_mode" }, +{ "2", "Enabled with number of horizontal strips forced to 2 when number of NVENCs > 1", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_SPLIT_TWO_FORCED_MODE }, 0, 0, VE, .unit = "split_encode_mode" }, +{ "3", "Enabled with number of horizontal strips forced to 3 when number of NVENCs > 2", 0, AV_OPT_TYPE_CONST, { .i64 = NV_ENC_SPLIT_THREE_FORCED_MODE }, 0, 0, VE, .unit = "split_encode_mode" }, #endif { NULL } }; diff --git a/libavcodec/nvenc_hevc.c b/libavcodec/nvenc_hevc.c index bd8b6153f3..b949cb1bd7 100644 
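Review bot: `split_encode_mode` is declared as `AV_OPT_TYPE_INT` with the range `0` to `NV_ENC_SPLIT_DISABLE_MODE`, so every integer in that range is accepted, not just the five named constants. If the SDK enum is not contiguous (I believe `NV_ENC_SPLIT_DISABLE_MODE` lies well above the forced modes; confirm against the header), a value that is not a defined mode is passed unchecked into `init_encode_params.splitEncodeMode`. A check at init time that the value is one of the named modes, returning `AVERROR(EINVAL)` otherwise, would close the gap. The option table added to nvenc_hevc.c starts the same way and needs the same treatment.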
--- a/libavcodec/nvenc_hevc.c +++ b/libavcodec/nvenc_hevc.c @@ -216,6 +216,14 @@ static const AVOption options[] = { #endif #ifdef NVENC_HAVE_UNIDIR_B { "unidir_b", "Enable use of unidirectional B-Frames.", OFFSET(unidir_b), AV_OPT_TYPE_BOOL, { .i64 = 0 }, 0, 1, VE }, +#endif +#ifdef NVENC_HAVE_SPLIT_FRAME_ENCODING +{ "split_encode_mode", "Specifies the split encoding mode", OFFSET(split_encode_mode), AV_OPT_TYPE_INT, { .i64 = NV_ENC_SPLIT_AUTO_MODE }, 0, NV_ENC_SPLIT_DISABLE_MODE, VE, .un
[FFmpeg-cvslog] libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr.
ffmpeg | branch: release/6.1 | Romain Beauxis | Mon Jan 1 09:52:50 2024 -0600| [adfa69aaa9977aeb884b4c021c9f562f72f0e4ba] | committer: Michael Niedermayer libavformat/hlsenc.c: Populate OTI using AAC profile in write_codec_attr. This patch populates the third entry for HLS codec attribute using the AAC profile. The HLS specifications[1] require this value to be the Object Type ID as referred to in table 1.3 of ISO/IEC 14496-3:2009[2]. The numerical constants in the code refer to these OTIs minus one, as documented in commit 372597e[3], confirmed by comparing the values in the code with the values in the table mentioned above. Links: 1: https://datatracker.ietf.org/doc/html/rfc6381#section-3.3 2: https://csclub.uwaterloo.ca/~ehashman/ISO14496-3-2009.pdf 3: https://github.com/FFmpeg/FFmpeg/commit/372597e5381c097455a7b73849254d56083eb056 Changes in this version: - Default value set to "mp4a.40.2" when profile is unknown for backward compatibility. Signed-off-by: Steven Liu (cherry picked from commit 797f0b27c175022d896e46db4ac2873e3e0a70af) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=adfa69aaa9977aeb884b4c021c9f562f72f0e4ba --- libavformat/hlsenc.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/hlsenc.c b/libavformat/hlsenc.c index 4ef84c05c1..0b89a7f508 100644 --- a/libavformat/hlsenc.c +++ b/libavformat/hlsenc.c 
@@ -418,8 +418,11 @@ static void write_codec_attr(AVStream *st, VariantStream *vs) } else if (st->codecpar->codec_id == AV_CODEC_ID_MP3) { snprintf(attr, sizeof(attr), "mp4a.40.34"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AAC) { -/* TODO : For HE-AAC, HE-AACv2, the last digit needs to be set to 5 and 29 respectively */ -snprintf(attr, sizeof(attr), "mp4a.40.2"); +if (st->codecpar->profile != AV_PROFILE_UNKNOWN) +snprintf(attr, sizeof(attr), "mp4a.40.%d", st->codecpar->profile+1); +else +// This is for backward compatibility with the previous implementation. +snprintf(attr, sizeof(attr), "mp4a.40.2"); } else if (st->codecpar->codec_id == AV_CODEC_ID_AC3) { snprintf(attr, sizeof(attr), "ac-3"); } else if (st->codecpar->codec_id == AV_CODEC_ID_EAC3) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
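Review bot: `st->codecpar->profile+1` is written into the attribute for every profile other than `AV_PROFILE_UNKNOWN`, but not every AAC profile constant is an Object Type ID minus one. The MPEG-2 AAC profiles (`AV_PROFILE_MPEG2_AAC_LOW`, `AV_PROFILE_MPEG2_AAC_HE`) lie outside the OTI table, so such a stream would advertise a codec string that players may reject. Bounding the value, for example `if (st->codecpar->profile >= 0 && st->codecpar->profile < AV_PROFILE_MPEG2_AAC_LOW)`, and keeping `mp4a.40.2` as the fallback for everything else would avoid emitting an invalid attribute. The if/else chain of write_codec_attr continues outside the hunk.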
[FFmpeg-cvslog] avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Jan 31 02:37:57 2024 +0100| [e97660783143347daeadd700731f1da309a4e554] | committer: Michael Niedermayer avutil/rational: Document what is to be expected from av_d2q() of doubles representing rational numbers Signed-off-by: Michael Niedermayer (cherry picked from commit f465badb062c8023bc245f4878e7a6a082afc416) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e97660783143347daeadd700731f1da309a4e554 --- libavutil/rational.h | 4 1 file changed, 4 insertions(+) diff --git a/libavutil/rational.h b/libavutil/rational.h index 8cbfc8e066..849f47f38d 100644 --- a/libavutil/rational.h +++ b/libavutil/rational.h @@ -168,6 +168,10 @@ static av_always_inline AVRational av_inv_q(AVRational q) * In case of infinity, the returned value is expressed as `{1, 0}` or * `{-1, 0}` depending on the sign. * + * In general rational numbers with |num| <= 1<<26 && |den| <= 1<<26 + * can be recovered exactly from their double representation. + * (no exceptions were found within 1B random ones) + * * @param d `double` to convert * @param max Maximum allowed numerator and denominator * @return `d` in AVRational form ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/mpegvideo_enc: Use ptrdiff_t for stride
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Dec 30 03:09:52 2023 +0100| [16bef72c508637bd9cf7eb4b7342270567ec9312] | committer: Michael Niedermayer avcodec/mpegvideo_enc: Use ptrdiff_t for stride Signed-off-by: Michael Niedermayer (cherry picked from commit e063c1d079086150580ed7a9ad076da122e27f76) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=16bef72c508637bd9cf7eb4b7342270567ec9312 --- libavcodec/mpegvideo_enc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c index e460ca407c..c20e364cac 100644 --- a/libavcodec/mpegvideo_enc.c +++ b/libavcodec/mpegvideo_enc.c @@ -1194,8 +1194,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg) } for (int i = 0; i < 3; i++) { -int src_stride = pic_arg->linesize[i]; -int dst_stride = i ? s->uvlinesize : s->linesize; +ptrdiff_t src_stride = pic_arg->linesize[i]; +ptrdiff_t dst_stride = i ? s->uvlinesize : s->linesize; int h_shift = i ? s->chroma_x_shift : 0; int v_shift = i ? s->chroma_y_shift : 0; int w = s->width >> h_shift; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
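Review bot: Only the two stride locals are widened to `ptrdiff_t`; `h_shift`, `v_shift` and `w` in the same loop stay `int`, and neither the code nor the commit message says which expression needed the wider type. If the intent is that row offsets such as stride times row are computed in pointer width (the uses are below the hunk, so this is inferred), a comment like `/* ptrdiff_t so that stride * row is not evaluated in int */` would keep a later cleanup from narrowing them again. The loop body continues outside the hunk.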
[FFmpeg-cvslog] avcodec/indeo3: Round dimensions up in allocate_frame_buffers()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Feb 3 20:11:56 2024 +0100| [7dbea8ef0b2c958b8b27defc1055a0d703b463f3] | committer: Michael Niedermayer avcodec/indeo3: Round dimensions up in allocate_frame_buffers() Fixes: Ticket6581 Signed-off-by: Michael Niedermayer (cherry picked from commit 3be80ce299d0073118ae42f5d99c14f912751d93) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7dbea8ef0b2c958b8b27defc1055a0d703b463f3 --- libavcodec/indeo3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c index 5f1014f0d4..7bb0235bdb 100644 --- a/libavcodec/indeo3.c +++ b/libavcodec/indeo3.c @@ -171,6 +171,9 @@ static av_cold int allocate_frame_buffers(Indeo3DecodeContext *ctx, int luma_size, chroma_size; ptrdiff_t luma_pitch, chroma_pitch; +luma_width = FFALIGN(luma_width , 2); +luma_height = FFALIGN(luma_height, 2); + if (luma_width < 16 || luma_width > 640 || luma_height < 16 || luma_height > 480 || luma_width & 1 || luma_height & 1) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
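Review bot: After the two `FFALIGN(..., 2)` lines, the `luma_width & 1 || luma_height & 1` terms in the check that follows can never be true, so odd dimensions are now rounded up instead of rejected and that part of the condition is dead. Either drop the two terms or add a comment such as `/* odd sizes are rounded up; buffers are allocated for the even size */` so the remaining range check reads correctly. It is also worth confirming how callers compare sizes: if the caller tests the stream's unrounded size against a value this function stores (not visible here), an odd-sized stream could trigger a reallocation on every frame. The function body continues outside the hunk.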
[FFmpeg-cvslog] avfilter/signature_lookup: dont leave uncleared pointers in sll_free()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Feb 5 12:10:41 2024 +0100| [c5dcf99399aa4b02dcdd846771217c413b51b046] | committer: Michael Niedermayer avfilter/signature_lookup: dont leave uncleared pointers in sll_free() Signed-off-by: Michael Niedermayer (cherry picked from commit 6c504829514333439d15deb5717567fb4bdbbee0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5dcf99399aa4b02dcdd846771217c413b51b046 --- libavfilter/signature_lookup.c | 22 +++--- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 86dd0c6675..3c7006c9d6 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -37,6 +37,16 @@ #define STATUS_END_REACHED 1 #define STATUS_BEGIN_REACHED 2 +static void sll_free(MatchingInfo **sll) +{ +while (*sll) { +MatchingInfo *tmp = *sll; +*sll = tmp->next; +tmp->next = NULL; +av_free(tmp); +} +} + static void fill_l1distlut(uint8_t lut[]) { int i, j, tmp_i, tmp_j,count; @@ -520,16 +530,6 @@ static MatchingInfo evaluate_parameters(AVFilterContext *ctx, SignatureContext * return bestmatch; } -static void sll_free(MatchingInfo *sll) -{ -void *tmp; -while (sll) { -tmp = sll; -sll = sll->next; -av_freep(&tmp); -} -} - static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc, StreamContext *first, StreamContext *second, int mode) { CoarseSignature *cs, *cs2; 
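Review bot: In the new `sll_free()`, `tmp->next = NULL;` directly before `av_free(tmp);` stores into memory that is about to be released; a compiler may drop the store, and it does not protect any other pointer that still refers to the node. What callers can rely on is that `*sll` is NULL when the loop ends, which deserves a doc comment, e.g. `/* Frees the whole list and leaves *sll == NULL. */`. The function dereferences `sll` unconditionally, so the comment should also state that `sll` itself must not be NULL.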
@@ -572,7 +572,7 @@ static MatchingInfo lookup_signatures(AVFilterContext *ctx, SignatureContext *sc "ratio %f, offset %d, score %d, %d frames matching\n", bestmatch.first->index, bestmatch.second->index, bestmatch.framerateratio, bestmatch.offset, bestmatch.score, bestmatch.matchframes); -sll_free(infos); +sll_free(&infos); } } while (find_next_coarsecandidate(sc, second->coarsesiglist, &cs, &cs2, 0) && !bestmatch.whole); return bestmatch; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Feb 5 12:40:30 2024 +0100| [fdc5b25f19fae6615cc9d7139175c0de58115185] | committer: Michael Niedermayer avfilter/signature_lookup: Do not dereference NULL pointers after malloc failure Fixes: CID 1403229 Dereference after null check Signed-off-by: Michael Niedermayer (cherry picked from commit 98ae1ad7cf16bd10a4fa79f676439edc4da7cba6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fdc5b25f19fae6615cc9d7139175c0de58115185 --- libavfilter/signature_lookup.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavfilter/signature_lookup.c b/libavfilter/signature_lookup.c index 3c7006c9d6..ad012ecced 100644 --- a/libavfilter/signature_lookup.c +++ b/libavfilter/signature_lookup.c @@ -299,6 +299,11 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont if (!c->next) av_log(ctx, AV_LOG_FATAL, "Could not allocate memory"); c = c->next; + +} +if (!c) { +sll_free(&cands); +goto error; } c->framerateratio = (i+1.0) / 30; c->score = hspace[i][j].score; @@ -315,6 +320,7 @@ static MatchingInfo* get_matching_parameters(AVFilterContext *ctx, SignatureCont } } } +error: for (i = 0; i < MAX_FRAMERATE; i++) { av_freep(&hspace[i]); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
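Review bot: On allocation failure the new path frees the list and jumps to `error:`, so the function appears to return an empty list (the return statement is outside the hunk), and the caller cannot tell out-of-memory from a search that found no candidates. With a `MatchingInfo*` return type this may be unavoidable without an interface change, but it should be stated where it happens, e.g. `/* also reached on ENOMEM: cands is NULL here */` at the label. Whether the first-node allocation earlier in the same block is covered by the new `if (!c)` test depends on lines above the hunk and should be checked.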
[FFmpeg-cvslog] avformat/concatdec: Check in and outpoints to be to produce a positive representable duration
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sun Feb 25 23:11:40 2024 +0100| [13f0a85c2ca0eba278b2153ff4f27ad5f232b7a2] | committer: Michael Niedermayer avformat/concatdec: Check in and outpoints to be to produce a positive representable duration Fixes: signed integer overflow: -9300 - 922337203683900 cannot be represented in type 'long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b2d7cbc378fa276d62fd676c037b9df59fc319a0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=13f0a85c2ca0eba278b2153ff4f27ad5f232b7a2 --- libavformat/concatdec.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index ffa8ade25b..7abe03c26d 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -638,6 +638,12 @@ static int concat_parse_script(AVFormatContext *avf) } } +if (file->inpoint != AV_NOPTS_VALUE && file->outpoint != AV_NOPTS_VALUE) { +if (file->inpoint > file->outpoint || +file->outpoint - (uint64_t)file->inpoint > INT64_MAX) +ret = AVERROR_INVALIDDATA; +} + fail: for (arg = 0; arg < MAX_ARGS; arg++) av_freep(&arg_str[arg]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
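Review bot: The new range check sits directly before `fail:`, after the closing braces of what looks like the directive loop, so it is evaluated once for whatever `file` points to at that moment. If `file` is the most recently parsed entry (the loop is outside the hunk), earlier entries of a multi-file script can still carry an `inpoint`/`outpoint` pair that is reversed or whose difference is not representable. Running the same test each time an entry is completed, or over all entries once parsing is done, would cover them.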
[FFmpeg-cvslog] libswscale/utils: Fix bayer to yuvj
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Feb 20 03:32:38 2024 +0100| [abd835bec748c0a39fa47bab75c14250e537a7cf] | committer: Michael Niedermayer libswscale/utils: Fix bayer to yuvj Fixes: out of array access. Earlier code assumes that a unscaled bayer to yuvj420 converter exists but the later code then skips yuvj420 Signed-off-by: Michael Niedermayer (cherry picked from commit e9cc9e492f987ce23ce8c514258a17952dd20401) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=abd835bec748c0a39fa47bab75c14250e537a7cf --- libswscale/utils.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index e6eab0c4c1..d78a6d50ff 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1730,7 +1730,8 @@ static av_cold int sws_init_single_context(SwsContext *c, SwsFilter *srcFilter, /* unscaled special cases */ if (unscaled && !usesHFilter && !usesVFilter && (c->srcRange == c->dstRange || isAnyRGB(dstFormat) || - isFloat(srcFormat) || isFloat(dstFormat))){ + isFloat(srcFormat) || isFloat(dstFormat) || isBayer(srcFormat))){ + ff_get_unscaled_swscale(c); if (c->convert_unscaled) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
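Review bot: Adding `isBayer(srcFormat)` makes every unscaled Bayer source try `ff_get_unscaled_swscale()`, but the next line still tests `if (c->convert_unscaled)`, so a Bayer input for which no unscaled converter is found falls through to the code after this block exactly as before. The commit message attributes the out-of-array access to that later code; if it cannot handle Bayer input at all (not visible here), an explicit rejection after the block would be a safer backstop than relying on a converter always existing. A comment on the new term, e.g. `/* Bayer is only handled by the unscaled converters */`, would also explain why the range test is bypassed. The function continues outside the hunk.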
[FFmpeg-cvslog] swscale/utils: Allocate more dithererror
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Feb 17 01:04:13 2024 +0100| [ce355905622f8ea78979d43575faedf6e89282d3] | committer: Michael Niedermayer swscale/utils: Allocate more dithererror Fixes: out of array read Signed-off-by: Michael Niedermayer (cherry picked from commit 18f26f8a2f8dc3b9ec3ac3ab8e03fce15cc8c88d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce355905622f8ea78979d43575faedf6e89282d3 --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswscale/utils.c b/libswscale/utils.c index e1ad685972..e6eab0c4c1 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -1891,7 +1891,7 @@ static av_cold int sws_init_single_context(SwsContext *c, SwsFilter *srcFilter, } for (i = 0; i < 4; i++) -if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 2)) +if (!FF_ALLOCZ_TYPED_ARRAY(c->dither_error[i], c->dstW + 3)) goto nomem; c->needAlpha = (CONFIG_SWSCALE_ALPHA && isALPHA(c->srcFormat) && isALPHA(c->dstFormat)) ? 1 : 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
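Review bot: The allocation grows from `c->dstW + 2` to `c->dstW + 3` with no indication of which access needs the third extra element. The size is a bare constant here and the indexing lives in the dither code elsewhere, so the two can drift apart again and reintroduce the out-of-array read. A comment naming the reader, e.g. `/* +3: error diffusion reads up to index dstW + 2 */` (if that is the highest index; confirm against the consumer), or a shared macro for the padding would make the invariant checkable.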
[FFmpeg-cvslog] avcodec/proresenc_kostya: Remove bug similarity text
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Feb 28 19:38:41 2024 +0100| [24367ad563800f5edcaa229e3cf00081102dfab6] | committer: Michael Niedermayer avcodec/proresenc_kostya: Remove bug similarity text According to kostya, it is not based on Wassermans encoder CC: Kostya Shishkov CC: Anatoliy Wasserman Signed-off-by: Michael Niedermayer (cherry picked from commit e0e30e07a1755c4f7829f64d35dc07e399c02c6e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=24367ad563800f5edcaa229e3cf00081102dfab6 --- libavcodec/proresenc_kostya.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libavcodec/proresenc_kostya.c b/libavcodec/proresenc_kostya.c index 52fe5639b1..0bee01e157 100644 --- a/libavcodec/proresenc_kostya.c +++ b/libavcodec/proresenc_kostya.c @@ -3,9 +3,6 @@ * * Copyright (c) 2012 Konstantin Shishkov * - * This encoder appears to be based on Anatoliy Wassermans considering - * similarities in the bugs. - * * This file is part of FFmpeg. * * FFmpeg is free software; you can redistribute it and/or ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] swscale/swscale: Check srcSliceH for bayer
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Feb 17 01:34:25 2024 +0100| [b88210ba04fc7a050fbc45c0cd84fae328e8dd50] | committer: Michael Niedermayer swscale/swscale: Check srcSliceH for bayer Fixes: Assertion srcSliceH > 1 failed at libswscale/swscale_unscaled.c:1359 Signed-off-by: Michael Niedermayer (cherry picked from commit 64098d0cd8ab1d27f78a335ca684f00a419b2160) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b88210ba04fc7a050fbc45c0cd84fae328e8dd50 --- libswscale/swscale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libswscale/swscale.c b/libswscale/swscale.c index 90e5b299ab..fe0e74f871 100644 --- a/libswscale/swscale.c +++ b/libswscale/swscale.c @@ -904,7 +904,8 @@ static int scale_internal(SwsContext *c, if ((srcSliceY & (macro_height_src - 1)) || ((srcSliceH & (macro_height_src - 1)) && srcSliceY + srcSliceH != c->srcH) || -srcSliceY + srcSliceH > c->srcH) { +srcSliceY + srcSliceH > c->srcH || +(isBayer(c->srcFormat) && srcSliceH <= 1)) { av_log(c, AV_LOG_ERROR, "Slice parameters %d, %d are invalid\n", srcSliceY, srcSliceH); return AVERROR(EINVAL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
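Review bot: The added `isBayer(c->srcFormat) && srcSliceH <= 1` term rejects one-row slices for every Bayer source, including a final slice, which the alignment test two lines above explicitly exempts through `srcSliceY + srcSliceH != c->srcH`. The error printed is still the generic `Slice parameters %d, %d are invalid`, so a caller whose last Bayer slice is a single row gets no hint about the new rule. A comment such as `/* the Bayer converters need at least two rows per slice */` would document the requirement next to the check. scale_internal continues outside the hunk.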
[FFmpeg-cvslog] avcodec/8bps: Consider width in the minimal size check
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sun Feb 25 22:06:48 2024 +0100| [ae0e91150cc3158f89a10fcd8baaf8b5c3f46d43] | committer: Michael Niedermayer avcodec/8bps: Consider width in the minimal size check Fixes: Timeout Fixes: 64479/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EIGHTBPS_fuzzer-5434435386081280 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5db09574dfd40d3e15db9336a34398405a1c601b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ae0e91150cc3158f89a10fcd8baaf8b5c3f46d43 --- libavcodec/8bps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/8bps.c b/libavcodec/8bps.c index 0becaa9320..a7ef3e085e 100644 --- a/libavcodec/8bps.c +++ b/libavcodec/8bps.c @@ -61,7 +61,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, unsigned int planes = c->planes; int ret; -if (buf_size < planes * height * 2) +if (buf_size < planes * height * (2 + 2*((avctx->width+128)/129))) return AVERROR_INVALIDDATA; if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
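Review bot: The new minimum-size expression introduces the constants `128` and `129` without explanation, and the whole product is evaluated in `unsigned int` (`planes` is unsigned) before it is compared with `buf_size`. A comment stating the assumption, e.g. `/* per line: 2-byte length plus at least 2 bytes per 129 output pixels */` (my reading of the formula; confirm against the format), would let a reader check it. It is also worth confirming that `avctx->width` and `height` are bounded before this point so the product cannot wrap and let a short packet through. decode_frame continues outside the hunk.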
[FFmpeg-cvslog] avcodec/cbs_h266_syntax_template: Check tile_y
ffmpeg | branch: release/6.1 | Michael Niedermayer | Thu Mar 21 02:15:16 2024 +0100| [a2ceca5cf6d402ec9d79d415dba116cad8677555] | committer: Michael Niedermayer avcodec/cbs_h266_syntax_template: Check tile_y Fixes: out of array access Fixes: 67021/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4883576579489792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57f252b2d10c3dbb422f5ddc4e8625bf56e27a9c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2ceca5cf6d402ec9d79d415dba116cad8677555 --- libavcodec/cbs_h266_syntax_template.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 2c9988341b..439d863b8f 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2072,6 +2072,8 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, tile_x = tile_idx % current->num_tile_columns; tile_y = tile_idx / current->num_tile_columns; +if (tile_y >= current->num_tile_rows) +return AVERROR_INVALIDDATA; ctu_x = 0, ctu_y = 0; for (j = 0; j < tile_x; j++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
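Review bot: The new `tile_y >= current->num_tile_rows` check returns `AVERROR_INVALIDDATA` without a log line, so a rejected PPS gives no indication of which value was out of range. A message before the return, for example `av_log(ctx->log_ctx, AV_LOG_ERROR, "Tile index out of range.\n");`, would make such streams diagnosable. The two context lines above compute `%` and `/` by `current->num_tile_columns`; that it is non-zero here is assumed from code outside the hunk and should be confirmed.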
[FFmpeg-cvslog] avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Feb 27 22:27:03 2024 +0100| [d2f57db3ab12479c60d98828c3634868e68b7259] | committer: Michael Niedermayer avcodec/vorbisdec: Check remaining data in vorbis_residue_decode_internal() Fixes: timeout Fixes: 66326/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-629529186304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dc89cf804a811c0d25f4649a99f7fab4b5b416fa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d2f57db3ab12479c60d98828c3634868e68b7259 --- libavcodec/vorbisdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index faeaeadde7..bf26b13b83 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1468,6 +1468,9 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc, unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); vorbis_codebook codebook = vc->codebooks[vqbook]; +if (get_bits_left(gb) <= 0) +return AVERROR_INVALIDDATA; + if (vr_type == 0) { voffs = voffset+j*vlen; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/wady: Check >0 samplerate and channels 1 || 2.
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 19 23:24:11 2024 +0100| [8464563b80f0d28e1e10e5b9de177ac37fa715f6] | committer: Michael Niedermayer avformat/wady: Check >0 samplerate and channels 1 || 2. The WADY decoder only supports mono and stereo This fixes a probetest failure Signed-off-by: Michael Niedermayer (cherry picked from commit 6f9e90ab0bede36cc960a099e8f19998345e7164) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8464563b80f0d28e1e10e5b9de177ac37fa715f6 --- libavformat/wady.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/wady.c b/libavformat/wady.c index bd9b64f514..ce9c0237d7 100644 --- a/libavformat/wady.c +++ b/libavformat/wady.c @@ -32,7 +32,8 @@ static int wady_probe(const AVProbeData *p) return 0; if (p->buf[4] != 0 || p->buf[5] == 0 || AV_RL16(p->buf+6) == 0 || -AV_RL32(p->buf+8) == 0) +AV_RL16(p->buf+6) > 2 || +(int32_t)AV_RL32(p->buf+8) <= 0) return 0; return AVPROBE_SCORE_MAX / 3 * 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/mov: Check sample_count and auxiliary_info_default_size to be 0
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Mar 20 02:06:34 2024 +0100| [b171edca3c990fc2858f028bc01ffd828e762b2f] | committer: Michael Niedermayer avformat/mov: Check sample_count and auxiliary_info_default_size to be 0 This combination causes 0 size arrays to be allocated and to leak later Fixes: memleak Fixes: 64342/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4520993686945792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3c43299e9e642e73b31be7ac7c49700949946e13) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b171edca3c990fc2858f028bc01ffd828e762b2f --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 55bafaa26a..20b6ef3dac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6754,6 +6754,9 @@ static int mov_read_saiz(MOVContext *c, AVIOContext *pb, MOVAtom atom) sample_count = avio_rb32(pb); if (encryption_index->auxiliary_info_default_size == 0) { +if (sample_count == 0) +return AVERROR_INVALIDDATA; + encryption_index->auxiliary_info_sizes = av_malloc(sample_count); if (!encryption_index->auxiliary_info_sizes) return AVERROR(ENOMEM); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
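Review bot: `sample_count` still goes from `avio_rb32(pb)` straight into `av_malloc(sample_count)` with only the zero case rejected, so a small file can request an allocation of up to the 32-bit maximum before any of that data is known to exist. Unless a bound is applied outside the hunk, compare the count with the bytes left in the atom before allocating, along the lines of `if (sample_count > atom.size) return AVERROR_INVALIDDATA;`. The exact remaining-size expression depends on what `mov_read_saiz` has already consumed, which is not visible here.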
[FFmpeg-cvslog] avformat/dxa: Adjust order of operations around block align
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Sep 30 00:51:29 2023 +0200| [521347ee0bffd3603d3251b391e487cb3d7625d8] | committer: Michael Niedermayer avformat/dxa: Adjust order of operations around block align Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=521347ee0bffd3603d3251b391e487cb3d7625d8 --- libavformat/dxa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/dxa.c b/libavformat/dxa.c index 474b85270a..b4d9d00529 100644 --- a/libavformat/dxa.c +++ b/libavformat/dxa.c @@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s) if(ast->codecpar->block_align) { if (c->bpc > INT_MAX - ast->codecpar->block_align + 1) return AVERROR_INVALIDDATA; -c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; +c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; } c->bytes_left = fsize; c->wavpos = avio_tell(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
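Review bot: The fix depends entirely on evaluation order, and nothing in the code says so. `c->bpc - 1 + block_align` stays in range only because the guard above limits `c->bpc` to `INT_MAX - block_align + 1`. A later tidy-up that restores the more familiar `bpc + align - 1` form would bring the signed overflow back, so I would add `/* subtract before adding: bpc + block_align can exceed INT_MAX for values the check above allows */`. Whether `c->bpc` can be zero or negative at this point is decided outside the hunk.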
[FFmpeg-cvslog] avcodec/vmixdec: Check shift before use
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Mar 20 03:30:56 2024 +0100| [e2a58916b1bde8de18c8216d4d7f9d49e01ae612] | committer: Michael Niedermayer avcodec/vmixdec: Check shift before use Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int' Fixes: 65909/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-519459745831321 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70b26b693e9e06bcd9fe83ee5063ee40e32ce02f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2a58916b1bde8de18c8216d4d7f9d49e01ae612 --- libavcodec/vmixdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vmixdec.c b/libavcodec/vmixdec.c index d6b6e3557f..ab283d13db 100644 --- a/libavcodec/vmixdec.c +++ b/libavcodec/vmixdec.c @@ -235,6 +235,9 @@ static int decode_frame(AVCodecContext *avctx, else if (offset != 3) return AVERROR_INVALIDDATA; +if (s->lshift > 31) +return AVERROR_INVALIDDATA; + q = quality[FFMIN(avpkt->data[offset - 2], FF_ARRAY_ELEMS(quality)-1)]; for (int n = 0; n < 64; n++) s->factors[n] = quant[n] * q; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
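Review bot: The bound `31` is a bare number and `s->lshift` is not used anywhere in this hunk, so the reader cannot tell which shift it protects. According to the commit message it is the shift of a 32-bit `unsigned int`; a comment such as `/* lshift is a shift count for a 32-bit value */` would keep the limit in step with that type if the shifted operand ever changes. If `lshift` is a signed field, a negative value would also pass this test; its declaration and assignment are outside the hunk.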
[FFmpeg-cvslog] avformat/id3v2: read_uslt() check for the amount read
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Mar 20 03:51:05 2024 +0100| [19ea7b0409a56e37ab478695f6953433b2e9b827] | committer: Michael Niedermayer avformat/id3v2: read_uslt() check for the amount read Fixes: timeout Fixes: 66783/clusterfuzz-testcase-minimized-ffmpeg_dem_GENH_fuzzer-5356884892647424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c0f4abe2aa0117a10fb651f2c1c030d4cd516081) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=19ea7b0409a56e37ab478695f6953433b2e9b827 --- libavformat/id3v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c index d83716dcf4..e0a7e3f3ea 100644 --- a/libavformat/id3v2.c +++ b/libavformat/id3v2.c @@ -370,7 +370,7 @@ static void read_uslt(AVFormatContext *s, AVIOContext *pb, int taglen, int encoding; int ok = 0; -if (taglen < 1) +if (taglen < 4) goto error; encoding = avio_r8(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
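Review bot: The new minimum of `4` is unexplained, and the commit title speaks of checking the amount read while the change only tightens the `taglen` pre-check. Presumably the four bytes are the one-byte encoding read on the next line plus a three-byte language code read after the hunk; if so, say it with `/* 1 byte encoding + 3 bytes language */`. Whether the later reads in `read_uslt` test their own return values cannot be seen here, so short reads on truncated input may still need handling there.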
[FFmpeg-cvslog] avformat/cafdec: dont seek beyond 64bit
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Sep 30 00:38:17 2023 +0200| [d66b1af8df7902a3b6226f13410112d9ff27bfc4] | committer: Michael Niedermayer avformat/cafdec: dont seek beyond 64bit Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d66b1af8df7902a3b6226f13410112d9ff27bfc4 --- libavformat/cafdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index f5ba0f4108..e92e3279fc 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) } } -if (avio_tell(pb) - ccount > size) { +if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { av_log(s, AV_LOG_ERROR, "error reading packet table\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
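Review bot: `INT64_MAX - ccount` is itself undefined when `ccount` is negative, and nothing in the hunk rules that out. `ccount` appears to be a stream position taken earlier in `read_pakt_chunk` (outside the hunk); if it comes from `avio_tell()`, a failed tell yields a negative error code. The companion fix for the data chunk in the same file tests `caf->data_start < 0` before the same kind of subtraction, and doing likewise here keeps the two consistent: `if (ccount < 0 || size > INT64_MAX - ccount || avio_tell(pb) - ccount > size) {`.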
[FFmpeg-cvslog] avformat/iff: Saturate avio_tell() + 12
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Sep 30 00:56:06 2023 +0200| [9459a4503609cf9eb8aaea4ccc53a8a55dd0a6a4] | committer: Michael Niedermayer avformat/iff: Saturate avio_tell() + 12 Fixes: signed integer overflow: 9223372036854775796 + 12 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4898373660704768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b8e754525ca3d3fd835f7360e11f29b02b39cd62) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9459a4503609cf9eb8aaea4ccc53a8a55dd0a6a4 --- libavformat/iff.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/iff.c b/libavformat/iff.c index b8e8bffe03..5bff0e9b6c 100644 --- a/libavformat/iff.c +++ b/libavformat/iff.c @@ -217,7 +217,7 @@ static int parse_dsd_diin(AVFormatContext *s, AVStream *st, uint64_t eof) { AVIOContext *pb = s->pb; -while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { +while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); @@ -254,7 +254,7 @@ static int parse_dsd_prop(AVFormatContext *s, AVStream *st, uint64_t eof) int dsd_layout[6]; ID3v2ExtraMeta *id3v2_extra_meta; -while (avio_tell(pb) + 12 <= eof && !avio_feof(pb)) { +while (av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) { uint32_t tag = avio_rl32(pb); uint64_t size = avio_rb64(pb); uint64_t orig_pos = avio_tell(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
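Review bot: `av_sat_add64()` returns a signed `int64_t` that is then compared with the `uint64_t eof`, so the comparison is carried out in unsigned arithmetic without that being visible. A negative `avio_tell()` result is not handled explicitly either: after adding 12 it is either a small positive number that passes the test or, converted to unsigned, a very large one. Writing the conversion out, `while ((uint64_t)av_sat_add64(avio_tell(pb), 12) <= eof && !avio_feof(pb)) {`, keeps the behaviour and documents it; the same line is changed in `parse_dsd_prop` in the second hunk. When `eof` is at or above `INT64_MAX` the saturated sum still satisfies the condition, so termination then rests on `avio_feof()` alone.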
[FFmpeg-cvslog] avformat/cafdec: Check that data chunk end fits within 64bit
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Sep 30 00:45:33 2023 +0200| [356251d750358f1d2431a99ab31980e496d0cd70] | committer: Michael Niedermayer avformat/cafdec: Check that data chunk end fits within 64bit Fixes: signed integer overflow: 64 + 9223372036854775803 cannot be represented in type 'long long' Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6536881135550464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b792e4d4c772b7b5ef8ea32be187a871000e50c2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=356251d750358f1d2431a99ab31980e496d0cd70 --- libavformat/cafdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e92e3279fc..7a0b754697 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -343,6 +343,9 @@ static int read_header(AVFormatContext *s) avio_skip(pb, 4); /* edit count */ caf->data_start = avio_tell(pb); caf->data_size = size < 0 ? -1 : size - 4; +if (caf->data_start < 0 || caf->data_size > INT64_MAX - caf->data_start) +return AVERROR_INVALIDDATA; + if (caf->data_size > 0 && (pb->seekable & AVIO_SEEKABLE_NORMAL)) avio_skip(pb, caf->data_size); found_data = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
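Review bot: The added check covers the sum of `data_start` and `data_size` but not the assignment on the line above it. For `size` from 0 to 3, `size - 4` is negative: 3 collides with the `-1` "unknown" marker and 0..2 give values that are neither a length nor the marker. Unless `size` is validated before this case (outside the hunk), rejecting it here is one line, `if (size >= 0 && size < 4) return AVERROR_INVALIDDATA;`. Separately, `data_start < 0` means `avio_tell()` failed, so returning `caf->data_start` would preserve the real error code instead of reporting invalid data.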
[FFmpeg-cvslog] avcodec/hcadec: do not set hfr_group_count to invalid values
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 01:46:02 2024 +0100| [30fe9d3511a6025719c477cb7f3a3143593a03ef] | committer: Michael Niedermayer avcodec/hcadec: do not set hfr_group_count to invalid values Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit addb85ea39300c36010ffb6dc0d28b2ea62b4805) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30fe9d3511a6025719c477cb7f3a3143593a03ef --- libavcodec/hcadec.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 026b998341..8c8c235f7b 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c @@ -212,6 +212,7 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata, int8_t r[16] = { 0 }; unsigned b, chunk; int version, ret; +unsigned hfr_group_count; init_flush(avctx); 
@@ -336,11 +337,12 @@ static int init_hca(AVCodecContext *avctx, const uint8_t *extradata, if (c->total_band_count < c->base_band_count) return AVERROR_INVALIDDATA; -c->hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), +hfr_group_count = ceil2(c->total_band_count - (c->base_band_count + c->stereo_band_count), c->bands_per_hfr_group); -if (c->base_band_count + c->stereo_band_count + (unsigned long)c->hfr_group_count > 128ULL) +if (c->base_band_count + c->stereo_band_count + (uint64_t)hfr_group_count > 128ULL) return AVERROR_INVALIDDATA; +c->hfr_group_count = hfr_group_count; for (int i = 0; i < avctx->ch_layout.nb_channels; i++) { c->ch[i].chan_type = r[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
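Review bot: Validating into a local before storing is applied to `hfr_group_count` only. The neighbouring check `c->total_band_count < c->base_band_count` shows that the other band counts are already written to the context when `init_hca` returns `AVERROR_INVALIDDATA`. If later code uses those fields as bounds after a failed init, it has the same exposure the commit message describes (out of array write), so either stage all of them in locals or add a comment at the assignment saying why this field alone must not hold an unvalidated value. It is also worth confirming outside the hunk that the subtraction passed to `ceil2()` cannot go negative, since the visible guard compares against `base_band_count` alone and not `base_band_count + stereo_band_count`.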
[FFmpeg-cvslog] avcodec/hcadec: do not allow code to continue after failed init
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 01:46:02 2024 +0100| [aa4cf7a584dd326eb404f3ade4050bc67130e6e0] | committer: Michael Niedermayer avcodec/hcadec: do not allow code to continue after failed init Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HCA_fuzzer-6247136417087488 Fixes: out of array write Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 48eeb198a55852ccb4b57cb73c4658767252614e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa4cf7a584dd326eb404f3ade4050bc67130e6e0 --- libavcodec/hcadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/hcadec.c b/libavcodec/hcadec.c index 8c8c235f7b..88146c7cdd 100644 --- a/libavcodec/hcadec.c +++ b/libavcodec/hcadec.c @@ -538,8 +538,10 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, return AVERROR_INVALIDDATA; } else if (AV_RB16(avpkt->data + 6) <= avpkt->size) { ret = init_hca(avctx, avpkt->data, AV_RB16(avpkt->data + 6)); -if (ret < 0) +if (ret < 0) { +c->crc_table = NULL; // signal that init has not finished return ret; +} offset = AV_RB16(avpkt->data + 6); if (offset == avpkt->size) return avpkt->size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
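Review bot: Clearing `c->crc_table` in this one caller makes a pointer double as the "init finished" flag, and the test that reads it is not in the hunk. Any other path that calls `init_hca` and mishandles a failure would leave the context looking initialised, so the reset is safer inside `init_hca` itself (clear on entry, set only on the success path) or as a dedicated boolean field. If the pointer stays as the flag, the comment should name the place that checks it rather than only saying `// signal that init has not finished`. `decode_frame` starts and ends outside the hunk.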
[FFmpeg-cvslog] avformat/jacosubdec: clarify code
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Oct 10 19:52:33 2023 +0200| [f0c08506f5f253e3233460a8b84988c8a20369ce] | committer: Michael Niedermayer avformat/jacosubdec: clarify code add comments, rename variables and indent things differently Signed-off-by: Michael Niedermayer (cherry picked from commit e83e8d443b5b86aabf17d1cfb7fba9abf15e24fd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f0c08506f5f253e3233460a8b84988c8a20369ce --- libavformat/jacosubdec.c | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index c6e5b4aa6d..60fe72d5d7 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -127,28 +127,28 @@ shift_and_ret: static int get_shift(unsigned timeres, const char *buf) { int sign = 1; -int a = 0, b = 0, c = 0, d = 0; +int h = 0, m = 0, s = 0, d = 0; int64_t ret; #define SSEP "%*1[.:]" -int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &a, &b, &c, &d); +int n = sscanf(buf, "%d"SSEP"%d"SSEP"%d"SSEP"%d", &h, &m, &s, &d); #undef SSEP -if (a == INT_MIN) +if (h == INT_MIN) return 0; -if (*buf == '-' || a < 0) { +if (*buf == '-' || h < 0) { sign = -1; -a = FFABS(a); +h = FFABS(h); } ret = 0; switch (n) { -case 1: a = 0; -case 2:c = b; b = a; a = 0; -case 3: d = c; c = b; b = a; a = 0; +case 1:h = 0; //clear all in case of a single parameter +case 2: s = m; m = h; h = 0;//shift into second subsecondd +case 3: d = s; s = m; m = h; h = 0; //shift into minute second subsecond } -ret = (int64_t)a*3600 + (int64_t)b*60 + c; +ret = (int64_t)h*3600 + (int64_t)m*60 + s; if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) return 0; ret = sign * (ret * timeres + d); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
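Review bot: The three `case` labels rely on fall-through, and the new comments describe the end state of each entry point without saying so; read in isolation, `case 2` shows `s = m; m = h;` labelled as "second subsecond". Mark the fall-through explicitly with `/* fall through */` after cases 1 and 2, and fix the typo `subsecondd` in the `case 2` comment. Note also that `m`, `s` and `d` come from `sscanf` with `%d` without range checks; only `h == INT_MIN` is rejected before `FFABS(h)`.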
[FFmpeg-cvslog] avcodec/osq: avoid several signed integer overflows
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Dec 26 00:33:02 2023 +0100| [21ff582aecc32c8126c90621712134ead631c4dd] | committer: Michael Niedermayer avcodec/osq: avoid several signed integer overflows Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b54c9a9c8f44a9272dc0ee3c9f11ce54cba74008) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21ff582aecc32c8126c90621712134ead631c4dd --- libavcodec/osq.c | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/osq.c b/libavcodec/osq.c index f47213bf0c..650cfcd98c 100644 --- a/libavcodec/osq.c +++ b/libavcodec/osq.c @@ -221,8 +221,8 @@ static int osq_channel_parameters(AVCodecContext *avctx, int ch) #define C (-3) #define D (-4) #define E (-5) -#define P2 ((dst[A] + dst[A]) - dst[B]) -#define P3 ((dst[A] - dst[B]) * 3 + dst[C]) +#define P2 (((unsigned)dst[A] + dst[A]) - dst[B]) +#define P3 (((unsigned)dst[A] - dst[B]) * 3 + dst[C]) static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int downsample) { @@ -272,10 +272,10 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int case 0: break; case 1: -dst[n] += dst[A]; +dst[n] += (unsigned)dst[A]; break; case 2: -dst[n] += dst[A] + p; +dst[n] += (unsigned)dst[A] + p; break; case 3: dst[n] += P2; 
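Review bot: `P2` and `P3` now evaluate to `unsigned`, which silently changes the meaning of any division written on top of them. The later hunk has to wrap each use in `(int)(...)` before `/ 2` or `/ 3` to keep signed division. That contract is not stated at the definition, so the next predictor added to the `switch` can get it wrong without any compiler warning. I would add above the macros `/* evaluated in unsigned arithmetic to avoid signed overflow; cast to int before dividing */`.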
@@ -290,28 +290,28 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int dst[n] += P3 + p; break; case 7: -dst[n] += (P2 + P3) / 2 + p; +dst[n] += (int)(P2 + P3) / 2 + (unsigned)p; break; case 8: -dst[n] += (P2 + P3) / 2; +dst[n] += (int)(P2 + P3) / 2; break; case 9: -dst[n] += (P2 * 2 + P3) / 3 + p; +dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p; break; case 10: -dst[n] += (P2 + P3 * 2) / 3 + p; +dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p; break; case 11: -dst[n] += (dst[A] + dst[B]) / 2; +dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2; break; case 12: -dst[n] += dst[B]; +dst[n] += (unsigned)dst[B]; break; case 13: -dst[n] += (dst[D] + dst[B]) / 2; +dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2; break; case 14: -dst[n] += (P2 + dst[A]) / 2 + p; +dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p; break; default: return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
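Review bot: In `case 13` the cast is applied after the addition, `(int)(unsigned)(dst[D] + dst[B]) / 2`, so `dst[D] + dst[B]` is still computed as a signed sum and can overflow exactly as before the change. `case 11` two entries above has the intended form; this line should read `dst[n] += (int)((unsigned)dst[D] + dst[B]) / 2;`. `case 14` has the opposite slip, a redundant `(unsigned)` on `P2`, which is harmless because `P2` is already unsigned. `do_decode` starts and ends outside the hunk.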
[FFmpeg-cvslog] avcodec/truemotion1: Height not being a multiple of 4 is unsupported
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 02:52:04 2024 +0100| [4cbc9bb2c9622f082c07829822fdc4d91e65a65c] | committer: Michael Niedermayer avcodec/truemotion1: Height not being a multiple of 4 is unsupported mb_change_bits is given space based on height >> 2, while more data is read Fixes: out of array access Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION1_fuzzer-5201925062590464.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ebdcf9849905fdd67dcd3ab93e55e47ded35fda2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4cbc9bb2c9622f082c07829822fdc4d91e65a65c --- libavcodec/truemotion1.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/truemotion1.c b/libavcodec/truemotion1.c index 6b0ee22569..784576d01b 100644 --- a/libavcodec/truemotion1.c +++ b/libavcodec/truemotion1.c @@ -408,6 +408,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s) return AVERROR_PATCHWELCOME; } +if (s->h & 3) { +avpriv_request_sample(s->avctx, "Frame with height not being a multiple of 4"); +return AVERROR_PATCHWELCOME; +} + if (s->w != s->avctx->width || s->h != s->avctx->height || new_pix_fmt != s->avctx->pix_fmt) { av_frame_unref(s->frame); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
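Review bot: The reason for rejecting `s->h & 3` exists only in the commit message, which says `mb_change_bits` is given space based on `height >> 2` while more data is read. Without that next to the check it looks like an arbitrary format restriction that someone may relax to support more files. Add `/* mb_change_bits is sized for h >> 2; other heights read past it */`. It is also worth confirming, outside the hunk, that the buffer is sized from the same height value that is tested here.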
[FFmpeg-cvslog] avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Dec 26 03:51:23 2023 +0100| [435f172b5d507b2c447a63a732e63cb16e1752a5] | committer: Michael Niedermayer avformat/concatdec: clip outpoint - inpoint overflow in get_best_effort_duration() An alternative would be to limit all time/duration fields to below 64bit Fixes: signed integer overflow: -9300 - 922337203683900 cannot be represented in type 'long long' Fixes: 64546/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-5110813828186112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd733b2be472cea766c62984237533b239e9a93d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=435f172b5d507b2c447a63a732e63cb16e1752a5 --- libavformat/concatdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 7abe03c26d..2e0f22f4df 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -323,7 +323,7 @@ static int64_t get_best_effort_duration(ConcatFile *file, AVFormatContext *avf) if (file->user_duration != AV_NOPTS_VALUE) return file->user_duration; if (file->outpoint != AV_NOPTS_VALUE) -return file->outpoint - file->file_inpoint; +return av_sat_sub64(file->outpoint, file->file_inpoint); if (avf->duration > 0) return avf->duration - (file->file_inpoint - file->file_start_time); if (file->next_dts != AV_NOPTS_VALUE) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
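Review bot: Only the `outpoint` branch is saturated; the next branch in the same function, `avf->duration - (file->file_inpoint - file->file_start_time)`, performs two more unchecked `int64_t` subtractions. If `file_inpoint` can reach the extremes that triggered this report, that line overflows in the same way and could be written `return av_sat_sub64(avf->duration, av_sat_sub64(file->file_inpoint, file->file_start_time));`. A saturated result is also a plausible-looking duration, so callers that add it to a running total need their own bound. The rest of `get_best_effort_duration` is outside the hunk.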
[FFmpeg-cvslog] avcodec/rtv1: fix undefined FFALIGN
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 02:30:57 2024 +0100| [9a5f191bfb49f66cbe2f5f4b178b2144960028cc] | committer: Michael Niedermayer avcodec/rtv1: fix undefined FFALIGN Fixes: signed integer overflow: 2147483647 + 4 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RTV1_fuzzer-6324303861514240 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d188a867302fd745b5980a90a0b5cad9016c477c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a5f191bfb49f66cbe2f5f4b178b2144960028cc --- libavcodec/rtv1.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/rtv1.c b/libavcodec/rtv1.c index 06afe9e873..807c8a3466 100644 --- a/libavcodec/rtv1.c +++ b/libavcodec/rtv1.c @@ -113,6 +113,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, width = bytestream2_get_le32(&gb); height = bytestream2_get_le32(&gb); +if (width > INT_MAX-4U || height > INT_MAX-4U) +return AVERROR_INVALIDDATA; ret = ff_set_dimensions(avctx, FFALIGN(width, 4), FFALIGN(height, 4)); if (ret < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
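Review bot: The bound check rejects negative inputs only through an implicit conversion: comparing against `INT_MAX-4U` promotes `width` and `height` to `unsigned`, so a value with the top bit set is treated as too large. That is correct if the variables are `int`, as the sanitizer message suggests (their declarations are outside the hunk), but it breaks quietly if someone rewrites the constant as `INT_MAX - 4`. A comment such as `/* unsigned compare: also rejects negative values before FFALIGN adds to them */`, or an explicit `width < 0 ||` term, would make the intent durable.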
[FFmpeg-cvslog] avcodec/wavarc: avoid signed integer overflow in AC code
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 03:14:08 2024 +0100| [e7093154883e7cfc017b4ab71625ed0ca4aab3be] | committer: Michael Niedermayer avcodec/wavarc: avoid signed integer overflow in AC code Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-659847401740697 Fixes: signed integer overflow: 65312 * 34078 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1eb8cbd09c5f22d7ba9e0d443712a6ab80648637) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e7093154883e7cfc017b4ab71625ed0ca4aab3be --- libavcodec/wavarc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index 99cbaf0109..aa1af6330b 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -414,7 +414,7 @@ static int ac_init(AVCodecContext *avctx, static uint16_t ac_get_prob(WavArcContext *s) { -return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * s->freq_range) / +return ((s->freq_range - 1) + (s->ac_value - s->ac_low) * (unsigned)s->freq_range) / ((s->ac_high - s->ac_low) + 1U); } @@ -439,8 +439,8 @@ static int ac_normalize(AVCodecContext *avctx, WavArcContext *s, GetBitContext * goto fail; range = (s->ac_high - s->ac_low) + 1; -s->ac_high = (range * s->range_high) / s->freq_range + s->ac_low - 1; -s->ac_low += (range * s->range_low) / s->freq_range; +s->ac_high = (range * (unsigned)s->range_high) / s->freq_range + s->ac_low - 1; +s->ac_low += (range * (unsigned)s->range_low) / s->freq_range; if (s->ac_high < s->ac_low) goto fail; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
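Review bot: The `(unsigned)` casts remove the undefined behaviour, but the products are arithmetically right only while they fit in 32 bits, and nothing in the hunk states or checks that. The field types are declared outside the hunk; if the coder state can be wider than 16 bits, the unsigned product wraps and `ac_get_prob` returns a truncated `uint16_t` without any error. If 16-bit operands are the invariant, state it in a comment on `ac_get_prob`; otherwise use a 64-bit intermediate. Both changed lines in `ac_normalize` also divide by `s->freq_range`, whose non-zero guarantee is not visible here.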
[FFmpeg-cvslog] avcodec/wavarc: Avoid signed integer overflow in sample
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 03:10:14 2024 +0100| [9062d898490d09d93fd9677c269e6aef19af6d08] | committer: Michael Niedermayer avcodec/wavarc: Avoid signed integer overflow in sample Fixes: signed integer overflow: -2147483648 + -25122315 cannot be represented in type 'int' Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6199806972198912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6009dd07bd2bde72f2e01723678c1994ecef035e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9062d898490d09d93fd9677c269e6aef19af6d08 --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c index 09ed4d473a..99cbaf0109 100644 --- a/libavcodec/wavarc.c +++ b/libavcodec/wavarc.c @@ -374,7 +374,7 @@ static int decode_2slp(AVCodecContext *avctx, for (int o = 0; o < order; o++) sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1]; -samples[n + 70] = get_srice(gb, k) + (sum >> 4); +samples[n + 70] = get_srice(gb, k) + (unsigned)(sum >> 4); } finished = 1; break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/jacosubdec: Use 64bit for abs
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:21:28 2024 +0100| [6cc785c255adb35c46890e271094134529d7947f] | committer: Michael Niedermayer avformat/jacosubdec: Use 64bit for abs Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5401294942371840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 746203af3116288b1dd4442e46a5724ba759e831) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6cc785c255adb35c46890e271094134529d7947f --- libavformat/jacosubdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/jacosubdec.c b/libavformat/jacosubdec.c index 60fe72d5d7..e22bbd788c 100644 --- a/libavformat/jacosubdec.c +++ b/libavformat/jacosubdec.c @@ -149,7 +149,7 @@ static int get_shift(unsigned timeres, const char *buf) } ret = (int64_t)h*3600 + (int64_t)m*60 + s; -if (FFABS(ret) > (INT64_MAX - FFABS(d)) / timeres) +if (FFABS(ret) > (INT64_MAX - FFABS((int64_t)d)) / timeres) return 0; ret = sign * (ret * timeres + d); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/mov: use 64bit for intermediate for rounding
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:27:39 2024 +0100| [db7a80c3ca7b5abede367e49ff3e21eb20caa2d2] | committer: Michael Niedermayer avformat/mov: use 64bit for intermediate for rounding Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f01a89c5a378cb7b55a0bcb5763cfb1da83b81f1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=db7a80c3ca7b5abede367e49ff3e21eb20caa2d2 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 20b6ef3dac..d5ec35c99c 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8366,7 +8366,7 @@ static int mov_read_timecode_track(AVFormatContext *s, AVStream *st) /* 60 fps content have tmcd_nb_frames set to 30 but tc_rate set to 60, so * we multiply the frame number with the quotient. * See tickets #9492, #9710. */ -rounded_tc_rate = (tc_rate.num + tc_rate.den / 2) / tc_rate.den; +rounded_tc_rate = (tc_rate.num + tc_rate.den / 2LL) / tc_rate.den; /* Work around files where tmcd_nb_frames is rounded down from frame rate * instead of up. See ticket #5978. */ if (tmcd_nb_frames == tc_rate.num / tc_rate.den && ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
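Review bot: Widening through the literal `2LL` is easy to miss and easy to undo: the expression becomes 64-bit only because `tc_rate.den / 2LL` is, which a reader scanning for casts will not see. Putting the conversion on the first operand says the same thing openly, `rounded_tc_rate = ((int64_t)tc_rate.num + tc_rate.den / 2) / tc_rate.den;`. The identical idiom is introduced in `fps_from_frame_rate` in libavutil/timecode.c by the companion commit, where the same rewrite applies. A zero or negative `tc_rate.den` is not excluded within this hunk; `mov_read_timecode_track` starts outside it.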
[FFmpeg-cvslog] avformat/concatdec: Check user_duration sum
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:16:39 2024 +0100| [0a64d77be93c243bdd93e2c02d74c3cd725067f9] | committer: Michael Niedermayer avformat/concatdec: Check user_duration sum Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CONCAT_fuzzer-6434245599690752 Fixes: signed integer overflow: 922337202677300 + 2233700 cannot be represented in type 'long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 007486058c2eb7a7518450a2ddb4fa98845887a3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a64d77be93c243bdd93e2c02d74c3cd725067f9 --- libavformat/concatdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/concatdec.c b/libavformat/concatdec.c index 2e0f22f4df..11c7f75fc0 100644 --- a/libavformat/concatdec.c +++ b/libavformat/concatdec.c @@ -679,6 +679,8 @@ static int concat_read_header(AVFormatContext *avf) cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint; } cat->files[i].duration = cat->files[i].user_duration; +if (time + (uint64_t)cat->files[i].user_duration > INT64_MAX) +return AVERROR_INVALIDDATA; time += cat->files[i].user_duration; } if (i == cat->nb_files) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
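Review bot: The context line directly above the new check, `cat->files[i].user_duration = cat->files[i].outpoint - cat->files[i].inpoint;`, is the same kind of unchecked `int64_t` subtraction that the earlier concatdec fix replaced with `av_sat_sub64()` in `get_best_effort_duration`. It can overflow before the added test runs, and a negative result passes the test whenever its magnitude is no larger than `time`, because the `(uint64_t)` cast wraps. I would compute it as `av_sat_sub64(cat->files[i].outpoint, cat->files[i].inpoint)` and reject `user_duration < 0` explicitly. `concat_read_header` begins and ends outside the hunk, so whether the early `return` skips any cleanup cannot be judged from here.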
[FFmpeg-cvslog] avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:27:39 2024 +0100| [7af16852cbf118d6dd563e864e91969c9f94a69e] | committer: Michael Niedermayer avformat/timecode: use 64bit for intermediate for rounding in fps_from_frame_rate() Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4802790784303104 Fixes: signed integer overflow: 1768972133 + 968491058 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3d8d778a68531b406455f8090d81216ef374ab75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7af16852cbf118d6dd563e864e91969c9f94a69e --- libavutil/timecode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/timecode.c b/libavutil/timecode.c index b93f05b4b8..bd879bd3cc 100644 --- a/libavutil/timecode.c +++ b/libavutil/timecode.c @@ -210,7 +210,7 @@ static int fps_from_frame_rate(AVRational rate) { if (!rate.den || !rate.num) return -1; -return (rate.num + rate.den/2) / rate.den; +return (rate.num + rate.den/2LL) / rate.den; } int av_timecode_check_frame_rate(AVRational rate) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/rpl: Use 64bit for total_audio_size and check it
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:36:40 2024 +0100| [4a618246cd849a73aef0f44ee59e19ec38d8b8ce] | committer: Michael Niedermayer avformat/rpl: Use 64bit for total_audio_size and check it Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_RPL_fuzzer-4677434693517312 Fixes: signed integer overflow: 556 * 8 cannot be represented in type 'long long' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 878625812f164fbb733f442965235656d9eaccc8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a618246cd849a73aef0f44ee59e19ec38d8b8ce --- libavformat/rpl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/rpl.c b/libavformat/rpl.c index eae0da891b..427738bbdb 100644 --- a/libavformat/rpl.c +++ b/libavformat/rpl.c @@ -117,7 +117,7 @@ static int rpl_read_header(AVFormatContext *s) AVIOContext *pb = s->pb; RPLContext *rpl = s->priv_data; AVStream *vst = NULL, *ast = NULL; -int total_audio_size; +int64_t total_audio_size; int error = 0; const char *endptr; char audio_type[RPL_LINE_LENGTH]; @@ -302,6 +302,8 @@ static int rpl_read_header(AVFormatContext *s) if (ast) av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0); +if (total_audio_size/8 + (uint64_t)audio_size >= INT64_MAX/8) +return AVERROR_INVALIDDATA; total_audio_size += audio_size * 8; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
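Review bot: The new guard in rpl_read_header() runs after `av_add_index_entry(ast, offset + video_size, total_audio_size, audio_size, audio_size * 8, 0);`, so `audio_size * 8` and `offset + video_size` are still evaluated on unvalidated values before the check can reject them. Moving the test above the `if (ast)` call closes that gap. The declaration of audio_size is outside the hunk; if it is narrower than 64 bits, the last line also needs widening, `total_audio_size += audio_size * INT64_C(8);`.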
[FFmpeg-cvslog] avformat/sbgdec: Check for negative duration
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:39:49 2024 +0100| [d492fc3e5ea49078b847d1f9f7b55fc597bf6232] | committer: Michael Niedermayer avformat/sbgdec: Check for negative duration Fixes: signed integer overflow: 9223372036854775807 - -800 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d492fc3e5ea49078b847d1f9f7b55fc597bf6232 --- libavformat/sbgdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c index b2662ea418..281fe6272e 100644 --- a/libavformat/sbgdec.c +++ b/libavformat/sbgdec.c @@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p) case 'L': FORWARD_ERROR(parse_optarg(p, opt, &oarg)); r = str_to_time(oarg.s, &p->scs.opt_duration); -if (oarg.e != oarg.s + r) { +if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) { snprintf(p->err_msg, sizeof(p->err_msg), "syntax error for option -L"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
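Review bot: A negative duration now falls into the branch that reports `"syntax error for option -L"`, which misdescribes a value that parsed correctly but is out of range. Testing `p->scs.opt_duration < 0` separately after the syntax check, with its own message such as `"negative duration for option -L"`, keeps the diagnostic accurate for whoever debugs a rejected script. The enclosing switch in parse_options() continues outside the hunk.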
[FFmpeg-cvslog] avformat/wavdec: sanity check channels and bps before using them for block_align
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:45:09 2024 +0100| [6d92f9a85eb17435f7a6fcdfa19dee2d82ceedb4] | committer: Michael Niedermayer avformat/wavdec: sanity check channels and bps before using them for block_align Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4704044498944000 Fixes: signed integer overflow: 520464 * 8224 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 75317ec4420d9853526291e8aa18f3ea17321525) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d92f9a85eb17435f7a6fcdfa19dee2d82ceedb4 --- libavformat/wavdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index 0c6629b157..a4afbc11fd 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -34,6 +34,7 @@ #include "libavutil/log.h" #include "libavutil/mathematics.h" #include "libavutil/opt.h" +#include "libavcodec/internal.h" #include "avformat.h" #include "avio.h" #include "avio_internal.h" @@ -899,7 +900,9 @@ static int w64_read_header(AVFormatContext *s) if (ret < 0) return ret; avio_skip(pb, FFALIGN(size, INT64_C(8)) - size); -if (st->codecpar->block_align) { +if (st->codecpar->block_align && +st->codecpar->ch_layout.nb_channels < FF_SANE_NB_CHANNELS && +st->codecpar->bits_per_coded_sample < 128) { int block_align = st->codecpar->block_align; block_align = FFMAX(block_align, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
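Review bot: The bound `st->codecpar->bits_per_coded_sample < 128` in w64_read_header() is a bare magic number. Both new comparisons are upper bounds only, so they do not exclude zero or negative values if the earlier header parsing lets those through (not visible here). A short comment such as `/* bound the operands of the block_align computation below */` would record why the limits exist. Including `libavcodec/internal.h` in a demuxer just for FF_SANE_NB_CHANNELS also couples libavformat to a private libavcodec header. The block that computes block_align continues past the end of the hunk.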
[FFmpeg-cvslog] avformat/westwood_vqa: Fix 2g packets
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 01:00:13 2024 +0100| [243359fc78f099fe177dde004f2ee96c8f2edee8] | committer: Michael Niedermayer avformat/westwood_vqa: Fix 2g packets Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=243359fc78f099fe177dde004f2ee96c8f2edee8 --- libavformat/westwood_vqa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c index 03b2d9e03c..024f5d3652 100644 --- a/libavformat/westwood_vqa.c +++ b/libavformat/westwood_vqa.c @@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s, break; case SND2_TAG: /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ -pkt->duration = (chunk_size * 2) / wsvqa->channels; +pkt->duration = (chunk_size * 2LL) / wsvqa->channels; break; } break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avfilter/vf_signature: Dont crash on no frames
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Feb 12 19:40:07 2024 +0100| [5bb9d8affe128f071083695c88a58ddf5ce4fddf] | committer: Michael Niedermayer avfilter/vf_signature: Dont crash on no frames Signed-off-by: Michael Niedermayer (cherry picked from commit 3d5f03bbc8bba2929cc09b07d2731ae5d392e772) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5bb9d8affe128f071083695c88a58ddf5ce4fddf --- libavfilter/vf_signature.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 4896e8f2c1..53ed413a4c 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -384,6 +384,9 @@ static int xml_export(AVFilterContext *ctx, StreamContext *sc, const char* filen FILE* f; unsigned int pot3[5] = { 3*3*3*3, 3*3*3, 3*3, 3, 1 }; +if (!sc->coarseend->last) +return AVERROR(EINVAL); // No frames ? + f = avpriv_fopen_utf8(filename, "w"); if (!f) { int err = AVERROR(EINVAL); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
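Review bot: The early return added to xml_export() fails silently: the caller gets EINVAL with no log line, and the comment `// No frames ?` records a guess rather than the condition. Adding `av_log(ctx, AV_LOG_ERROR, "No frames to export\n");` before the return makes the failure diagnosable. The check also dereferences `sc->coarseend` unconditionally; whether that pointer can be NULL at this point is decided outside the hunk.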
[FFmpeg-cvslog] avformat/matroskadec: Check timescale
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:57:33 2024 +0100| [41f91568568b339195ba328ab8c649197dc4933c] | committer: Michael Niedermayer avformat/matroskadec: Check timescale Fixes: 3.82046e+18 is outside the range of representable values of type 'unsigned int' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6381436594421760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e849eb23432e45d0a1fda3901bb84eff0ce91282) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41f91568568b339195ba328ab8c649197dc4933c --- libavformat/matroskadec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 8f000f86be..57d2038635 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3186,6 +3186,10 @@ static int matroska_parse_tracks(AVFormatContext *s) track->time_scale); track->time_scale = 1.0; } + +if (matroska->time_scale * track->time_scale > UINT_MAX) +return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, matroska->time_scale * track->time_scale, 1000 * 1000 * 1000);/* 64 bit pts in ns */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
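Review bot: The new test `matroska->time_scale * track->time_scale > UINT_MAX` is false for NaN, so a NaN product would pass it and still reach the conversion in avpriv_set_pts_info(). The context line `track->time_scale = 1.0;` shows the track scale is floating point; whether a NaN can arrive from the file depends on parsing outside the hunk. Writing the check in the accepting form rejects NaN as well: `if (!(matroska->time_scale * track->time_scale <= UINT_MAX)) return AVERROR_INVALIDDATA;`.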
[FFmpeg-cvslog] avcodec/jpeg2000htdec: Check magp before using it in a shift
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Mar 20 03:27:13 2024 +0100| [78e54e1361b8e0548770b1549377f275e5429b09] | committer: Michael Niedermayer avcodec/jpeg2000htdec: Check magp before using it in a shift Fixes: shift exponent -1 is negative Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 19ad05e9e0f045b13de8de7300ca3bd34ea8ca53) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78e54e1361b8e0548770b1549377f275e5429b09 --- libavcodec/jpeg2000dec.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 691cfbd891..bedc9bc73e 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1887,7 +1887,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk, } } -static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) +static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) { Jpeg2000T1Context t1; @@ -1912,6 +1912,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile int nb_precincts, precno; Jpeg2000Band *band = rlevel->band + bandno; int cblkno = 0, bandpos; +/* See Rec. ITU-T T.800, Equation E-2 */ +int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; bandpos = bandno + (reslevelno > 0); 
@@ -1919,6 +1921,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile band->coord[1][0] == band->coord[1][1]) continue; +if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) { +avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31"); +return AVERROR_PATCHWELCOME; +} + nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; /* Loop on precincts */ for (precno = 0; precno < nb_precincts; precno++) { @@ -1929,8 +1936,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) { int x, y, ret; -/* See Rec. ITU-T T.800, Equation E-2 */ -int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; Jpeg2000Cblk *cblk = prec->cblk + cblkno; @@ -1970,6 +1975,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data); } /*end comp */ +return 0; } #define WRITE_FRAME(D, PIXEL) \ @@ -2046,7 +2052,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td, AVFrame *picture = td; Jpeg2000Tile *tile = s->tile + jobnr; -tile_codeblocks(s, tile); +int ret = tile_codeblocks(s, tile); +if (ret < 0) +return ret; /* inverse MCT transformation */ if (tile->codsty[0].mct) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
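Review bot: The new guard in tile_codeblocks() bounds magp only from above. magp is `quantsty->expn[subbandno] + quantsty->nguardbits - 1`, which is -1 when both terms are zero. Whether that can occur, and how magp is used as a shift count, is decided outside these hunks, so a lower bound may be needed too, e.g. `magp < 0 || magp >= 31`. The check is also limited to code blocks with JPEG2000_CTSY_HTJ2K_F, so the non-HT path should be confirmed not to shift by an unchecked magp.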
[FFmpeg-cvslog] avformat/wavdec: satuarte next_tag_ofs, data_end
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Mar 26 00:50:36 2024 +0100| [a42a5e692dcb32f503433194c306fe29ba337388] | committer: Michael Niedermayer avformat/wavdec: satuarte next_tag_ofs, data_end Fixes: signed integer overflow: 5053074104798691550 + 5053074104259715104 cannot be represented in type 'long' Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6515315309936640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 61dca9e150b723a160d4a570885f3e5326c3d276) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a42a5e692dcb32f503433194c306fe29ba337388 --- libavformat/wavdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/wavdec.c b/libavformat/wavdec.c index a4afbc11fd..4639f849b5 100644 --- a/libavformat/wavdec.c +++ b/libavformat/wavdec.c @@ -445,7 +445,7 @@ static int wav_read_header(AVFormatContext *s) } if (rf64 || bw64) { -next_tag_ofs = wav->data_end = avio_tell(pb) + data_size; +next_tag_ofs = wav->data_end = av_sat_add64(avio_tell(pb), data_size); } else if (size != 0x) { data_size= size; next_tag_ofs = wav->data_end = size ? next_tag_ofs : INT64_MAX; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
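Review bot: `av_sat_add64(avio_tell(pb), data_size)` clamps silently, and the clamp value INT64_MAX is the same one the next branch uses for an unknown size (`size ? next_tag_ofs : INT64_MAX`). If that coupling is intended, a comment such as `/* saturates to INT64_MAX, handled like an unknown data size */` would make it explicit. avio_tell() can return a negative error code, which goes into the sum unchecked here. wav_read_header() continues outside the hunk.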
[FFmpeg-cvslog] avformat/mxfdec: Check first case of offset_temp computation for overflow
ffmpeg | branch: release/6.1 | Michael Niedermayer | Fri Mar 29 03:35:18 2024 +0100| [38261d8cbd65f971e9047a5880976cea86f3a4de] | committer: Michael Niedermayer avformat/mxfdec: Check first case of offset_temp computation for overflow This is kind of ugly Fixes: signed integer overflow: 255 * 1157565362826411919 cannot be represented in type 'long' Fixes: 67313/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6250434245230592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6ed6f6e8dffcf777c336869f56002da588e2de8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38261d8cbd65f971e9047a5880976cea86f3a4de --- libavformat/mxfdec.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index b7b9207a5b..283b0616ed 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1900,9 +1900,13 @@ static int mxf_edit_unit_absolute_offset(MXFContext *mxf, MXFIndexTable *index_t if (edit_unit < s->index_start_position + s->index_duration) { int64_t index = edit_unit - s->index_start_position; -if (s->edit_unit_byte_count) +if (s->edit_unit_byte_count) { +if (index > INT64_MAX / s->edit_unit_byte_count || +s->edit_unit_byte_count * index > INT64_MAX - offset_temp) +return AVERROR_INVALIDDATA; + offset_temp += s->edit_unit_byte_count * index; -else { +} else { if (s->nb_index_entries == 2 * s->index_duration + 1) index *= 2; /* Avid index */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
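Review bot: Both new comparisons in mxf_edit_unit_absolute_offset() assume non-negative operands. `index > INT64_MAX / s->edit_unit_byte_count` does not catch a negative `index`, and `INT64_MAX - offset_temp` itself overflows if offset_temp is negative. The visible condition bounds edit_unit only from above, so whether `edit_unit - s->index_start_position` can be negative or overflow depends on checks outside the hunk. If it can, extend the guard with `index < 0 ||`.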
[FFmpeg-cvslog] avformat/mxfdec: Make edit_unit_byte_count unsigned
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Apr 1 18:29:46 2024 +0200| [27d48ddd8f20d8c0c469d0ecaebbd321e48b9143] | committer: Michael Niedermayer avformat/mxfdec: Make edit_unit_byte_count unsigned Suggested-by: Marton Balint Signed-off-by: Michael Niedermayer (cherry picked from commit f30fe5e8d002e15f07eaacf720c5654097cb62df) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27d48ddd8f20d8c0c469d0ecaebbd321e48b9143 --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 283b0616ed..89fb49180c 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -248,7 +248,7 @@ typedef struct MXFFFV1SubDescriptor { typedef struct MXFIndexTableSegment { MXFMetadataSet meta; -int edit_unit_byte_count; +unsigned edit_unit_byte_count; int index_sid; int body_sid; AVRational index_edit_rate; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/jpeg2000htdec: warn about non zero roi shift
ffmpeg | branch: release/6.1 | Michael Niedermayer | Fri Mar 29 02:51:29 2024 +0100| [ab84c37d63f31383bf3c4db537be954a7bf5b6d8] | committer: Michael Niedermayer avcodec/jpeg2000htdec: warn about non zero roi shift Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 7b7eea8e63f761a0d0611d15c24170e40c62402c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ab84c37d63f31383bf3c4db537be954a7bf5b6d8 --- libavcodec/jpeg2000htdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000htdec.c b/libavcodec/jpeg2000htdec.c index 6b9898d3ff..4f0b10b429 100644 --- a/libavcodec/jpeg2000htdec.c +++ b/libavcodec/jpeg2000htdec.c @@ -1198,6 +1198,9 @@ ff_jpeg2000_decode_htj2k(const Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *c av_assert0(width * height <= 4096); av_assert0(width * height > 0); +if (roi_shift) +avpriv_report_missing_feature(s->avctx, "ROI shift"); + memset(t1->data, 0, t1->stride * height * sizeof(*t1->data)); memset(t1->flags, 0, t1->stride * (height + 2) * sizeof(*t1->flags)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
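Review bot: `avpriv_report_missing_feature(s->avctx, "ROI shift");` only logs, and decoding then continues with a roi_shift this function does not implement, so the output for such a block is presumably wrong rather than refused. If ff_jpeg2000_decode_htj2k() runs once per code block, which the `width * height <= 4096` assertion suggests, a stream with many blocks also repeats the message for each one. If the return type allows it (the signature is cut in the hunk header), returning `AVERROR_PATCHWELCOME` after the report would address both.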
[FFmpeg-cvslog] avformat/aiffdec: Check for previously set channels
ffmpeg | branch: release/6.1 | Michael Niedermayer | Fri Mar 22 23:07:01 2024 +0100| [93d6513bbece6d632e711289cc04212ebb80601b] | committer: Michael Niedermayer avformat/aiffdec: Check for previously set channels Fixes: out of array access (av_channel_layout_copy()) Fixes: 67087/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4920720268263424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 23b29f72eeb2ff6f2176ee74b9abe78aec4cd1f4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93d6513bbece6d632e711289cc04212ebb80601b --- libavformat/aiffdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index 5314d159ef..5b38c65cd6 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -106,6 +106,8 @@ static int get_aiff_header(AVFormatContext *s, int64_t size, size++; par->codec_type = AVMEDIA_TYPE_AUDIO; channels = avio_rb16(pb); +if (par->ch_layout.nb_channels && par->ch_layout.nb_channels != channels) +return AVERROR_INVALIDDATA; par->ch_layout.nb_channels = channels; num_frames = avio_rb32(pb); par->bits_per_coded_sample = avio_rb16(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/movenc: Check that cts fits in 32bit
ffmpeg | branch: release/6.1 | Michael Niedermayer | Sat Mar 30 19:51:43 2024 +0100| [56999f9353c0980e76d771f2988cdc41ff40cb26] | committer: Michael Niedermayer avformat/movenc: Check that cts fits in 32bit Fixes: Assertion av_rescale_rnd(start_dts, mov->movie_timescale, track->timescale, AV_ROUND_DOWN) <= 0 failed at libavformat/movenc.c:3694 Fixes: poc2 Found-by: Wang Dawei and Zhou Geng, from Zhongguancun Laboratory Signed-off-by: Michael Niedermayer (cherry picked from commit d88c284c18bf6cd3dd24a7c86b5e496dd3037405) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56999f9353c0980e76d771f2988cdc41ff40cb26 --- libavformat/movenc.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index e39f1ac987..6604b019b4 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -6102,6 +6102,12 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) if (ret < 0) return ret; +if (pkt->pts != AV_NOPTS_VALUE && +(uint64_t)pkt->dts - pkt->pts != (int32_t)((uint64_t)pkt->dts - pkt->pts)) { +av_log(s, AV_LOG_WARNING, "pts/dts pair unsupported\n"); +return AVERROR_PATCHWELCOME; +} + if (mov->flags & FF_MOV_FLAG_FRAGMENT || mov->mode == MODE_AVIF) { int ret; if (mov->moov_written || mov->flags & FF_MOV_FLAG_EMPTY_MOOV) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
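Review bot: The range test in ff_mov_write_packet() is applied to `dts - pts`, while the commit title speaks of cts, which is normally `pts - dts`. The two ranges differ at the edge, so `pts - dts == 2147483648` passes this check although it does not fit in a signed 32-bit field. If the value written later is `pts - dts`, test that expression instead: `(uint64_t)pkt->pts - pkt->dts != (int32_t)((uint64_t)pkt->pts - pkt->dts)`. The guard also skips only `pkt->pts == AV_NOPTS_VALUE`, so a packet whose dts is AV_NOPTS_VALUE still goes through the subtraction. The failure is logged at AV_LOG_WARNING although the call returns an error.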
[FFmpeg-cvslog] avcodec/apedec: Use NABS to avoid undefined negation
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Apr 1 22:11:54 2024 +0200| [72b27f4f70fc81e9ee28dab325d2d203dfa231e5] | committer: Michael Niedermayer avcodec/apedec: Use NABS to avoid undefined negation Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself Fixes: 67738/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5444313212321792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1887ff250cfd1e69c08bca21cc53e30a39e26818) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=72b27f4f70fc81e9ee28dab325d2d203dfa231e5 --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index d31c067152..4f4fd54833 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1286,7 +1286,7 @@ static void predictor_decode_stereo_3950(APEContext *ctx, int count) int32_t left = a1 - (unsigned)(a0 / 2); int32_t right = left + (unsigned)a0; -if (FFMAX(FFABS(left), FFABS(right)) > (1<<23)) { +if (FFMIN(FFNABS(left), FFNABS(right)) < -(1<<23)) { ctx->interim_mode = !interim_mode; av_log(ctx->avctx, AV_LOG_VERBOSE, "Interim mode: %d\n", ctx->interim_mode); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
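Review bot: The rewritten condition in predictor_decode_stereo_3950() reads backwards compared with the old one, and nothing next to it says why. A comment above it, `/* FFNABS, not FFABS: negating INT32_MIN is undefined */`, keeps a later cleanup from reverting it to the overflowing form. The loop body continues outside the hunk.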
[FFmpeg-cvslog] avformat/mpegts: Reset local nb_prg on add_program() failure
ffmpeg | branch: release/6.1 | Michael Niedermayer | Tue Feb 27 02:07:28 2024 +0100| [2da196b39a16e2c7244d61c04d9a123e1cb5a78e] | committer: Michael Niedermayer avformat/mpegts: Reset local nb_prg on add_program() failure add_program() will deallocate the whole array on failure so we must clear nb_prgs Fixes: null pointer dereference Fixes: crash-35a3b39ddcc5babeeb005b7399a3a1217c8781bc Found-by: Catena cyber Signed-off-by: Michael Niedermayer (cherry picked from commit cb9752d897de17212a7a3ce54ad3e16b377b22c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2da196b39a16e2c7244d61c04d9a123e1cb5a78e --- libavformat/mpegts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 9babe68126..e70fe90f06 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -2604,7 +2604,8 @@ static void pat_cb(MpegTSFilter *filter, const uint8_t *section, int section_len FFSWAP(struct Program, ts->prg[nb_prg], ts->prg[prg_idx]); if (prg_idx >= nb_prg) nb_prg++; -} +} else +nb_prg = 0; } } ts->nb_prg = nb_prg; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
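Review bot: The new `} else nb_prg = 0;` hangs an unbraced statement off a braced `if`, and the reason for the reset exists only in the commit message. Writing it as `} else { nb_prg = 0; /* add_program() freed ts->prg */ }` keeps the invariant next to the code. After the reset, the loop in pat_cb() appears to keep iterating over the remaining PAT entries; whether continuing or breaking out is intended is not visible from the hunk.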
[FFmpeg-cvslog] avcodec/exr: Check for remaining bits in huf_unpack_enc_table()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Apr 1 02:15:07 2024 +0200| [e85ea8baaa6681a4181cf81703ee726317a5878a] | committer: Michael Niedermayer avcodec/exr: Check for remaining bits in huf_unpack_enc_table() Fixes: Timeout Fixes: 67645/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6308760977997824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 589fa8a027f3b1707d78d7c45335acc498a5e887) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e85ea8baaa6681a4181cf81703ee726317a5878a --- libavcodec/exr.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b30d3b7404..9f8a015a45 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -334,7 +334,10 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { -uint64_t l = freq[im] = get_bits(&gbit, 6); +uint64_t l; +if (get_bits_left(&gbit) < 6) +return AVERROR_INVALIDDATA; +l = freq[im] = get_bits(&gbit, 6); if (l == LONG_ZEROCODE_RUN) { int zerun = get_bits(&gbit, 8) + SHORTEST_LONG_RUN; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
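Review bot: The added `get_bits_left(&gbit) < 6` test covers only the 6-bit read. The `get_bits(&gbit, 8)` in the LONG_ZEROCODE_RUN branch shown in the context line is still taken without checking that 8 bits remain. Unless a check follows outside the hunk, guard that read the same way: `if (get_bits_left(&gbit) < 8) return AVERROR_INVALIDDATA;`. The loop body in huf_unpack_enc_table() continues past the end of the hunk.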
[FFmpeg-cvslog] avcodec/exr: Dont use 64bits to hold 6bits
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Apr 1 02:18:57 2024 +0200| [58475c6988cc51c3c49814aa60c90d37046b0aae] | committer: Michael Niedermayer avcodec/exr: Dont use 64bits to hold 6bits Signed-off-by: Michael Niedermayer (cherry picked from commit e3984de6ffd6068efcfb5c576f1ec788211608fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=58475c6988cc51c3c49814aa60c90d37046b0aae --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 9f8a015a45..207d687a4b 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -334,7 +334,7 @@ static int huf_unpack_enc_table(GetByteContext *gb, return ret; for (; im <= iM; im++) { -uint64_t l; +int l; if (get_bits_left(&gbit) < 6) return AVERROR_INVALIDDATA; l = freq[im] = get_bits(&gbit, 6); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr()
ffmpeg | branch: release/6.1 | Michael Niedermayer | Mon Apr 1 22:56:02 2024 +0200| [7c8c94279c6fbc107eb4091c3cc96365c59115e6] | committer: Michael Niedermayer avformat/isom: Uninit layout in ff_mp4_read_dec_config_descr() Fixes: memleak Fixes: 67442/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5068813261406208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer Signed-off-by: James Almer (cherry picked from commit d157725cf726adc29385d264eaf79ae430b1f3e5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7c8c94279c6fbc107eb4091c3cc96365c59115e6 --- libavformat/isom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/isom.c b/libavformat/isom.c index 6d019881e5..954ba1ec4f 100644 --- a/libavformat/isom.c +++ b/libavformat/isom.c @@ -358,6 +358,7 @@ int ff_mp4_read_dec_config_descr(AVFormatContext *fc, AVStream *st, AVIOContext st->codecpar->extradata_size, 1, fc); if (ret < 0) return ret; +av_channel_layout_uninit(&st->codecpar->ch_layout); st->codecpar->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; st->codecpar->ch_layout.nb_channels = cfg.channels; if (cfg.object_type == 29 && cfg.sampling_index < 3) // old mp3on4 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] doc/developer: (security) researchers should be credited
ffmpeg | branch: release/6.1 | Michael Niedermayer | Wed Apr 3 02:13:05 2024 +0200| [b38902646c83a9bf656928765dc18d6d066e0653] | committer: Michael Niedermayer doc/developer: (security) researchers should be credited Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 5a5422196d0283918a1aa996a81bd51522f34fda) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b38902646c83a9bf656928765dc18d6d066e0653 --- doc/developer.texi | 4 1 file changed, 4 insertions(+) diff --git a/doc/developer.texi b/doc/developer.texi index 26dc5b9749..a55599d4fa 100644 --- a/doc/developer.texi +++ b/doc/developer.texi @@ -396,6 +396,10 @@ If you apply a patch, send an answer to ffmpeg-devel (or wherever you got the patch from) saying that you applied the patch. +@subheading Credit any researchers +If a commit/patch fixes an issues found by some researcher, always credit the +researcher in the commit message for finding/reporting the issue. + @subheading Always wait long enough before pushing changes Do NOT commit to code actively maintained by others without permission. Send a patch to ffmpeg-devel. If no one answers within a reasonable ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/mxfdec: Check index_edit_rate
ffmpeg | branch: release/6.1 | Michael Niedermayer | Thu Apr 4 00:38:20 2024 +0200| [eb480d18722e4602935e93f75295efed3b76840b] | committer: Michael Niedermayer avformat/mxfdec: Check index_edit_rate Fixes: Assertion b >=0 failed at libavutil/mathematics.c:62 Fixes: 67811/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5108429687422976 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ed49391961999f028e0bc55767d0eef6eeb15e49) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb480d18722e4602935e93f75295efed3b76840b --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 89fb49180c..f5215b0163 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1266,6 +1266,9 @@ static int mxf_read_index_table_segment(void *arg, AVIOContext *pb, int tag, int case 0x3F0B: segment->index_edit_rate.num = avio_rb32(pb); segment->index_edit_rate.den = avio_rb32(pb); +if (segment->index_edit_rate.num <= 0 || +segment->index_edit_rate.den <= 0) +return AVERROR_INVALIDDATA; av_log(NULL, AV_LOG_TRACE, "IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
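Review bot: The new `return AVERROR_INVALIDDATA;` in the `0x3F0B` case sits before the existing `AV_LOG_TRACE` line, so a rejected IndexEditRate is never logged and a malformed file fails with no hint of which field was bad. Bracing the `if` and adding `av_log(NULL, AV_LOG_ERROR, "Invalid IndexEditRate %d/%d\n", segment->index_edit_rate.num, segment->index_edit_rate.den);` before the return would make triage of such inputs straightforward. The `<= 0` test itself looks right for both zero and values that do not fit a signed int after `avio_rb32()`. mxf_read_index_table_segment continues outside the hunk, so whether the caller releases the partially filled segment on this error path cannot be confirmed from here.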
[FFmpeg-cvslog] avcodec/wavarc: fix signed integer overflow in block type 6/19
ffmpeg | branch: release/6.1 | Michael Niedermayer | Thu Apr 4 00:15:27 2024 +0200| [b94d2dd59a217ab224a3a54d4f9d5e362eb284eb] | committer: Michael Niedermayer avcodec/wavarc: fix signed integer overflow in block type 6/19 Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int' Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28c7094b25b689185155a6833caf2747b94774a4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b94d2dd59a217ab224a3a54d4f9d5e362eb284eb --- libavcodec/wavarc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index aa1af6330b..e121f1bc61 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx,
 for (int o = 0; o < order; o++)
 sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
-samples[n + 70] += ac_out[n] + (sum >> 4);
+samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);
 }
 for (int n = 0; n < 70; n++)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
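Review bot: The cast in `samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);` has no comment, and its placement matters. Casting after the shift keeps the shift on `sum` as it was (assuming `sum` is a signed type; its declaration is outside the hunk) while forcing both additions into wrapping unsigned arithmetic. A one-line comment such as `/* cast after the shift: additions wrap, the shift of sum is unchanged */` would stop a later cleanup from moving or dropping it. The loop belongs to decode_5elp, which starts and ends outside the hunk, so whether other accumulations on decoded samples there need the same treatment cannot be judged from here.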
[FFmpeg-cvslog] fate/subtitles: Ignore line endings for sub-scc test
ffmpeg | branch: release/6.1 | Andreas Rheinhardt | Tue Feb 13 14:20:55 2024 +0100| [fce939153240a4952ecbb41e131347bcdcbda565] | committer: Michael Niedermayer fate/subtitles: Ignore line endings for sub-scc test Since 7bf1b9b35769b37684dd2f18a54f01d852a540c8, the test produces ordinary \n, yet this is not what the reference file used for the most time, leading to test failures. Reviewed-by: Martin Storsjö Signed-off-by: Andreas Rheinhardt (cherry picked from commit 99d33cc661fbd04e8657831b818042b11f1862a2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fce939153240a4952ecbb41e131347bcdcbda565 --- tests/fate/subtitles.mak | 1 + 1 file changed, 1 insertion(+)
diff --git a/tests/fate/subtitles.mak b/tests/fate/subtitles.mak
index 59595b9cc1..d5895bc914 100644
--- a/tests/fate/subtitles.mak
+++ b/tests/fate/subtitles.mak
@@ -114,6 +114,7 @@ fate-sub-charenc: CMD = fmtstdout ass -sub_charenc cp1251 -i $(TARGET_SAMPLES)/s
 FATE_SUBTITLES-$(call DEMDEC, SCC, CCAPTION) += fate-sub-scc
 fate-sub-scc: CMD = fmtstdout ass -ss 57 -i $(TARGET_SAMPLES)/sub/witch.scc
+fate-sub-scc: CMP = diff
 FATE_SUBTITLES-$(call DEMMUX, SCC, SCC) += fate-sub-scc-remux
 fate-sub-scc-remux: CMD = fmtstdout scc -i $(TARGET_SAMPLES)/sub/witch.scc -ss 4:00 -map 0 -c copy
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] swscale/utils: Fix xInc overflow
ffmpeg | branch: release/6.1 | Michael Niedermayer | Thu Apr 4 00:31:40 2024 +0200| [610da8475f838230c40e7c1f94fd103e961684a8] | committer: Michael Niedermayer swscale/utils: Fix xInc overflow Fixes: signed integer overflow: 2 * 1073741824 cannot be represented in type 'int' Fixes: 67802/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-6249515855183872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1a9eda65d027e0167f7363e0514f71311ac5d8d1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=610da8475f838230c40e7c1f94fd103e961684a8 --- libswscale/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libswscale/utils.c b/libswscale/utils.c
index d78a6d50ff..d50b437a62 100644
--- a/libswscale/utils.c
+++ b/libswscale/utils.c
@@ -564,7 +564,7 @@ static av_cold int initFilter(int16_t **outFilter, int32_t **filterPos,
 filter[i * filterSize + j] = coeff;
 xx++;
 }
-xDstInSrc += 2 * xInc;
+xDstInSrc += 2LL * xInc;
 }
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
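Review bot: The `2LL` literal in `xDstInSrc += 2LL * xInc;` is the entire fix, yet nothing on the line says why the multiply must be 64-bit. The commit message reports `2 * 1073741824` overflowing int, so a comment such as `/* 64-bit multiply: xInc can reach 1 << 30, so 2 * xInc overflows int */` would record the bound that motivated it. The value was reached through the SWS fuzzer, so `xInc` is presumably derived from caller-supplied dimensions. initFilter continues outside the hunk, and any other int arithmetic on `xInc` there is worth checking in the same pass.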