[FFmpeg-cvslog] Tag n2.8.15 : FFmpeg 2.8.15 release
[ffmpeg] [branch: refs/tags/n2.8.15] Tag:7158ecf7abf6880ad3711e72a635c608461e3ef2 > http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=7158ecf7abf6880ad3711e72a635c608461e3ef2 Tagger: Michael Niedermayer Date: Mon Jul 16 12:59:25 2018 +0200 FFmpeg 2.8.15 release ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] [ffmpeg-web] branch master updated. 1a6a3f4 web/download: add 2.8.15
The branch, master has been updated via 1a6a3f48d2e0dc7a7bba9f9b1fe995b8d006b0f8 (commit) from cad0c11dd6447fb729a33df08053a5f806ce52a6 (commit) - Log - commit 1a6a3f48d2e0dc7a7bba9f9b1fe995b8d006b0f8 Author: Michael Niedermayer AuthorDate: Mon Jul 16 13:15:27 2018 +0200 Commit: Michael Niedermayer CommitDate: Mon Jul 16 13:15:27 2018 +0200 web/download: add 2.8.15 diff --git a/src/download b/src/download index 2444a70..bcb7f68 100644 --- a/src/download +++ b/src/download @@ -462,10 +462,10 @@ libpostproc54. 0.100 - FFmpeg 2.8.14 "Feynman" + FFmpeg 2.8.15 "Feynman" -2.8.14 was released on 2018-02-18. It is the latest stable FFmpeg release +2.8.15 was released on 2018-07-16. It is the latest stable FFmpeg release from the 2.8 release branch, which was cut from master on 2015-09-05. Amongst lots of other changes, it includes all changes from ffmpeg-mt, libav master of 2015-08-28, libav 11 as of 2015-08-28. @@ -485,19 +485,19 @@ libpostproc53. 3.100 - Download xz tarball - PGP signature + Download xz tarball + PGP signature - Download bzip2 tarball - PGP signature + Download bzip2 tarball + PGP signature - Download gzip tarball - PGP signature + Download gzip tarball + PGP signature - https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n2.8.14";>Changelog + https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n2.8.15";>Changelog https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/2.8:/RELEASE_NOTES";>Release Notes --- Summary of changes: src/download | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) hooks/post-receive -- ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
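Review bot: in the second hunk the six tarball and PGP-signature lines read identically on both sides because their link targets are not reproduced in this listing, so that part of the change cannot be reviewed from here; confirm that each new href points at the 2.8.15 tarball and its matching signature file. The only target visible is the Changelog link, which correctly moves from the n2.8.14 to the n2.8.15 tag, while the Release Notes link stays on refs/heads/release/2.8, a moving branch head rather than the tagged release.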
[FFmpeg-cvslog] avformat/mov: only set handler_name from mdia->hdlr
ffmpeg | branch: master | Gyan Doshi | Sat Jul 14 14:17:51 2018 +0530| [8aa6d9a8d37b365c8989d11e0d1b0e8aee493ece] | committer: Gyan Doshi avformat/mov: only set handler_name from mdia->hdlr 6 FATE references updated. Fixes #7104 > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8aa6d9a8d37b365c8989d11e0d1b0e8aee493ece --- libavformat/mov.c | 3 ++- tests/ref/fate/copy-trac236 | 4 ++-- tests/ref/fate/hapqa-extract-nosnappy-to-hapalphaonly-mov | 2 +- tests/ref/fate/hapqa-extract-nosnappy-to-hapq-mov | 2 +- tests/ref/fate/mov-zombie | 2 +- tests/ref/fate/rgb24-mkv | 4 ++-- tests/ref/lavf-fate/mov_qtrle_mace6 | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index bdd6f64108..eda3fff6d5 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -765,7 +765,8 @@ static int mov_read_hdlr(MOVContext *c, AVIOContext *pb, MOVAtom atom) title_str[title_size] = 0; if (title_str[0]) { int off = (!c->isom && title_str[0] == title_size - 1); -av_dict_set(&st->metadata, "handler_name", title_str + off, 0); +// flag added so as to not set stream handler name if already set from mdia->hdlr +av_dict_set(&st->metadata, "handler_name", title_str + off, AV_DICT_DONT_OVERWRITE); } av_freep(&title_str); } diff --git a/tests/ref/fate/copy-trac236 b/tests/ref/fate/copy-trac236 index 6470c05a05..2ac05e63e6 100644 --- a/tests/ref/fate/copy-trac236 +++ b/tests/ref/fate/copy-trac236 @@ -1,5 +1,5 @@ -8b57d14c14bb4cdaca660d161e08eb8f *tests/data/fate/copy-trac236.mov -630861 tests/data/fate/copy-trac236.mov +959a4d78c6c11936e361fc3101a013eb *tests/data/fate/copy-trac236.mov +630860 tests/data/fate/copy-trac236.mov #tb 0: 100/2997 #media_type 0: video #codec_id 0: rawvideo diff --git a/tests/ref/fate/hapqa-extract-nosnappy-to-hapalphaonly-mov b/tests/ref/fate/hapqa-extract-nosnappy-to-hapalphaonly-mov index f5ecdd4311..cde9f2ff9e 100644 --- a/tests/ref/fate/hapqa-extract-nosnappy-to-hapalphaonly-mov 
+++ b/tests/ref/fate/hapqa-extract-nosnappy-to-hapalphaonly-mov @@ -68,6 +68,6 @@ DISPOSITION:clean_effects=0 DISPOSITION:attached_pic=0 DISPOSITION:timed_thumbnails=0 TAG:language=eng -TAG:handler_name=DataHandler +TAG:handler_name=Module de gestion video TAG:encoder=HAPAlpha Only [/STREAM] diff --git a/tests/ref/fate/hapqa-extract-nosnappy-to-hapq-mov b/tests/ref/fate/hapqa-extract-nosnappy-to-hapq-mov index c3a0a599fd..dd85e68d9e 100644 --- a/tests/ref/fate/hapqa-extract-nosnappy-to-hapq-mov +++ b/tests/ref/fate/hapqa-extract-nosnappy-to-hapq-mov @@ -68,6 +68,6 @@ DISPOSITION:clean_effects=0 DISPOSITION:attached_pic=0 DISPOSITION:timed_thumbnails=0 TAG:language=eng -TAG:handler_name=DataHandler +TAG:handler_name=Module de gestion video TAG:encoder=HAPQ [/STREAM] diff --git a/tests/ref/fate/mov-zombie b/tests/ref/fate/mov-zombie index fef2adc354..f45fa59637 100644 --- a/tests/ref/fate/mov-zombie +++ b/tests/ref/fate/mov-zombie 
@@ -129,5 +129,5 @@ packet|codec_type=video|stream_index=0|pts=188623|pts_time=2.095811|dts=188622|d frame|media_type=video|stream_index=0|key_frame=0|pkt_pts=188623|pkt_pts_time=2.095811|pkt_dts=188622|pkt_dts_time=2.095800|best_effort_timestamp=188623|best_effort_timestamp_time=2.095811|pkt_duration=3003|pkt_duration_time=0.033367|pkt_pos=100846|pkt_size=974|width=160|height=240|pix_fmt=yuv420p|sample_aspect_ratio=2:1|pict_type=B|coded_picture_number=64|display_picture_number=0|interlaced_frame=0|top_field_first=0|repeat_pict=0|color_range=tv|color_space=smpte170m|color_primaries=smpte170m|color_transfer=bt709|chroma_location=topleft packet|codec_type=video|stream_index=0|pts=197632|pts_time=2.195911|dts=191625|dts_time=2.129167|duration=3003|duration_time=0.033367|convergence_duration=N/A|convergence_duration_time=N/A|size=580|pos=101820|flags=__ frame|media_type=video|stream_index=0|key_frame=0|pkt_pts=191626|pkt_pts_time=2.129178|pkt_dts=N/A|pkt_dts_time=N/A|best_effort_timestamp=191626|best_effort_timestamp_time=2.129178|pkt_duration=3003|pkt_duration_time=0.033367|pkt_pos=99180|pkt_size=1666|width=160|height=240|pix_fmt=yuv420p|sample_aspect_ratio=2:1|pict_type=P|coded_picture_number=63|display_picture_number=0|interlaced_frame=0|top_field_first=0|repeat_pict=0|color_range=tv|color_space=smpte170m|color_primaries=smpte170m|color_transfer=bt709|chroma_location=topleft -stream|index=0|codec_name=h264|profile=77|codec_type=video|codec_time_base=212521/12744000|codec_tag_string=avc1|codec_tag=0x31637661|width=160|height=240|coded_width=160|coded_height=240|has_b_frames=1|sample_aspect_ratio=2:1|display_aspect_ratio=4:3|pix_fmt=yuv420p|level=12|color_range=tv|color_space=smpte170m|color_transfer=bt709|color_primaries=smpte170m|chroma_location=topleft|field_orde
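Review bot: the new comment in the mov.c hunk ("not set stream handler name if already set from mdia->hdlr") describes an intent the code does not check: AV_DICT_DONT_OVERWRITE keeps whichever hdlr atom was parsed first, so the behaviour matches the commit title only if the mdia hdlr is always reached before any other hdlr for the same stream (the minf one, for example). Reword the comment to "first hdlr wins (mdia precedes minf)" or guard on the parent atom explicitly. The FATE updates show the effect: handler_name now reads "Module de gestion video" instead of "DataHandler", and the copy-trac236 output changes size by one byte (630861 to 630860).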
[FFmpeg-cvslog] avcodec/h264_parser: Reduce needed history for parsing mb index
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jun 22 21:45:59 2018 +0200| [10e5302db413dc1ae5fd5e49597bd2356b02b1d1] | committer: Michael Niedermayer avcodec/h264_parser: Reduce needed history for parsing mb index This fixes a bug/regression with very small packets Fixes: output_file Regression since: 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2 Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit d25c945247979a88fac6bb3b7a26370262b96ef1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=10e5302db413dc1ae5fd5e49597bd2356b02b1d1 --- libavcodec/h264_parser.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 1a9840a62c..5f9a9c46ef 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -121,20 +121,23 @@ static int h264_find_frame_end(H264ParseContext *p, const uint8_t *buf, } state = 7; } else { +unsigned int mb, last_mb = p->parse_last_mb; +GetBitContext gb; p->parse_history[p->parse_history_count++] = buf[i]; -if (p->parse_history_count > 5) { -unsigned int mb, last_mb = p->parse_last_mb; -GetBitContext gb; -init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); -p->parse_history_count = 0; -mb= get_ue_golomb_long(&gb); +init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); +mb= get_ue_golomb_long(&gb); +if (get_bits_left(&gb) > 0 || p->parse_history_count > 5) { p->parse_last_mb = mb; if (pc->frame_start_found) { -if (mb <= last_mb) +if (mb <= last_mb) { +i -= p->parse_history_count - 1; +p->parse_history_count = 0; goto found; +} } else pc->frame_start_found = 1; +p->parse_history_count = 0; state = 7; } } 
@@ -149,7 +152,7 @@ found: pc->frame_start_found = 0; if (p->is_avc) return next_avc; -return i - (state & 5) - 5 * (state > 7); +return i - (state & 5); } static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
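Review bot: the new condition `if (get_bits_left(&gb) > 0 || p->parse_history_count > 5)` in the first hunk needs a comment, because it does two jobs at once: a complete Exp-Golomb code leaves bits over, so the mb index becomes decodable from fewer than six bytes (the regression with very small packets named in the message), while the `> 5` fallback preserves the old bound on how much history accumulates before the count is reset. Note that `mb` is now computed from a possibly incomplete history before that test, so its value must only be trusted inside the branch, which the code does but does not say.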
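Review bot: the second hunk's return change, `i - (state & 5)` in place of `i - (state & 5) - 5 * (state > 7)`, is only correct together with the `i -= p->parse_history_count - 1;` rewind added in the first hunk (the index now already points at the start of the consumed history instead of a fixed five bytes past it); the commit message should say so, since the two hunks cannot be backported separately without shifting the reported frame end.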
[FFmpeg-cvslog] avcodec/magicyuv: Check bits left in flags&1 branch
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sat Jun 23 23:37:10 2018 +0200| [84280dc7cfa4d512061d6a5c6574a289b59eaf00] | committer: Michael Niedermayer avcodec/magicyuv: Check bits left in flags&1 branch Fixes: Timeout Fixes: 8690/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MAGICYUV_fuzzer-6542020913922048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 7719b8ccc790b6e1325af0afe2b65e2334a7173c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=84280dc7cfa4d512061d6a5c6574a289b59eaf00 --- libavcodec/magicyuv.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/magicyuv.c b/libavcodec/magicyuv.c index 9c6e1ba1b1..1a129c2619 100644 --- a/libavcodec/magicyuv.c +++ b/libavcodec/magicyuv.c @@ -240,6 +240,8 @@ static int magy_decode_slice10(AVCodecContext *avctx, void *tdata, dst = (uint16_t *)p->data[i] + j * sheight * stride; if (flags & 1) { +if (get_bits_left(&gb) < bps * width * height) +return AVERROR_INVALIDDATA; for (k = 0; k < height; k++) { for (x = 0; x < width; x++) dst[x] = get_bits(&gb, bps); @@ -368,6 +370,8 @@ static int magy_decode_slice(AVCodecContext *avctx, void *tdata, dst = p->data[i] + j * sheight * stride; if (flags & 1) { +if (get_bits_left(&gb) < 8* width * height) +return AVERROR_INVALIDDATA; for (k = 0; k < height; k++) { for (x = 0; x < width; x++) dst[x] = get_bits(&gb, 8); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
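Review bot: in both hunks the required-bit count (`bps * width * height` and `8* width * height`) is computed in int; if the slice dimensions are already bounded that is fine, but writing the product with a 64-bit factor (`bps * (int64_t)width * height`) would make the check self-sufficient, the way the `23LL` and `14LL` bounds elsewhere in this batch are. Minor: the spacing in `8* width` is inconsistent with `bps * width` in the first hunk.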
[FFmpeg-cvslog] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Jun 21 22:48:54 2018 +0200| [2c404cc11a02d8b4368080fe3268f652fb2d998b] | committer: Michael Niedermayer avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2c404cc11a02d8b4368080fe3268f652fb2d998b --- libavcodec/mjpegdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index d1dca84d36..00cfdd7151 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1055,6 +1055,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; +if (get_bits_left(&s->gb) < 1) { +av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); +return AVERROR_INVALIDDATA; +} + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
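Review bot: the new `get_bits_left(&s->gb) < 1` test at the top of the mb_x loop only detects that the reader is completely exhausted, so it bounds the loop (the timeout) but does not check that a full macroblock's worth of bits remains; that is fine for the stated purpose, and a one-line comment saying so would stop the next reader from mistaking it for a per-read bounds check. The message "bitstream end in rgb_scan" could name the function (ljpeg_decode_rgb_scan) to match the commit title.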
[FFmpeg-cvslog] avcodec/dpx: Check elements in 12bps planar path
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 16:12:39 2018 +0200| [841e1399e6d0db35fb4d1f75c87a6f467323d64d] | committer: Michael Niedermayer avcodec/dpx: Check elements in 12bps planar path Fixes: null pointer dereference Fixes: 8946/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DPX_fuzzer-5078915222601728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Carl Eugen Hoyos Signed-off-by: Michael Niedermayer (cherry picked from commit 75a2db552423295b509546f3b0f8b2b46d3424b1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=841e1399e6d0db35fb4d1f75c87a6f467323d64d --- libavcodec/dpx.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/dpx.c b/libavcodec/dpx.c index 026fb10e90..720a9b8506 100644 --- a/libavcodec/dpx.c +++ b/libavcodec/dpx.c @@ -408,12 +408,14 @@ static int decode_frame(AVCodecContext *avctx, if (elements == 4) *dst[3]++ = read16(&buf, endian) >> 4; } else { -*dst[2]++ = read12in32(&buf, &rgbBuffer, - &n_datum, endian); +if (elements >= 3) +*dst[2]++ = read12in32(&buf, &rgbBuffer, + &n_datum, endian); *dst[0]++ = read12in32(&buf, &rgbBuffer, &n_datum, endian); -*dst[1]++ = read12in32(&buf, &rgbBuffer, - &n_datum, endian); +if (elements >= 2) +*dst[1]++ = read12in32(&buf, &rgbBuffer, + &n_datum, endian); if (elements == 4) *dst[3]++ = read12in32(&buf, &rgbBuffer, &n_datum, endian); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
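Review bot: the 12-bit planar path now guards `dst[2]` with `elements >= 3` and `dst[1]` with `elements >= 2`, matching the existing `elements == 4` guard on `dst[3]`, but the same element-count test is now repeated on every read; a short comment stating which element counts this path accepts (1 to 4) and, better, rejecting unsupported counts once at header parse time would remove the null `dst[]` pointers instead of guarding each dereference. The read order (dst[2], dst[0], dst[1], dst[3]) is unchanged, so a 2-element image now reads dst[0] then dst[1] and skips the dst[2] read that previously dereferenced a null pointer.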
[FFmpeg-cvslog] avcodec/escape124: Fix spelling errors in comment
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 13:00:28 2018 +0200| [9f76f0fab80cfff92d2d94cb4a8e981a8181f7d4] | committer: Michael Niedermayer avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f76f0fab80cfff92d2d94cb4a8e981a8181f7d4 --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 14f9396332..cffd3e12b1 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -222,8 +222,8 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. // Check if the amount we will read minimally is available on input. -// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 -// represent a lower bound of the space needed for skiped superblocks. Non +// The 64 represent the immediately next 2 frame_* elements read, the 23/4320 +// represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/escape124: Check buf_size against num_superblocks
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Jun 24 19:23:02 2018 +0200| [d00548f2c1500466f786bc31260f66f6f68025f1] | committer: Michael Niedermayer avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d00548f2c1500466f786bc31260f66f6f68025f1 --- libavcodec/escape124.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index eb051eba54..14f9396332 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. -if (get_bits_left(&gb) < 64) +// Check if the amount we will read minimally is available on input. +// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 +// represent a lower bound of the space needed for skiped superblocks. Non +// skipped SBs need more space. +if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
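Review bot: the new lower bound `64 + s->num_superblocks * 23LL / 4320` needs a derivation in the comment: the 64 is explained (the next two frame_* reads), but where 23 bits per 4320 superblocks comes from is not, and nobody can re-check the bound later without it. The comment also has two typos (immedeatly, skiped), which a follow-up commit in this batch corrects. Style: the failure path still returns -1 while the rest of this batch returns AVERROR_INVALIDDATA; since the line is being touched anyway, switch it.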
[FFmpeg-cvslog] avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 16:51:51 2018 +0200| [20c5fb972101fa25dedaf35a9c0ce2bf02fa6b52] | committer: Michael Niedermayer avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id Fixes: out of array access Fixes: ffmpeg_bof_1.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit ed22dc22216f74c75ee7901f82649e1ff725ba50) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20c5fb972101fa25dedaf35a9c0ce2bf02fa6b52 --- libavformat/movenc.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 44f468d19f..3d2905648b 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -433,6 +433,12 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) info->ec3_done = 1; goto concatenate; } +} else { +if (hdr->substreamid != 0) { +avpriv_request_sample(mov->fc, "Multiple non EAC3 independent substreams"); +ret = AVERROR_PATCHWELCOME; +goto end; +} } /* fill the info needed for the "dec3" atom */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
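Review bot: the new else branch rejects any non-independent frame whose `hdr->substreamid` is not 0 with AVERROR_PATCHWELCOME before the code that fills the dec3 atom, which mirrors the existing independent-substream handling just above it, but the request text "Multiple non EAC3 independent substreams" reads ambiguously; "dependent substreams with substreamid != 0" would say what was actually seen. The logging context here is already `mov->fc`, which the other movenc commits in this batch move the remaining call sites to.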
[FFmpeg-cvslog] avformat/movenc: Use mov->fc consistently for av_log()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 23:41:52 2018 +0200| [d3536ce8393d03f90ab9355a5b32693b00c23f3a] | committer: Michael Niedermayer avformat/movenc: Use mov->fc consistently for av_log() Signed-off-by: Michael Niedermayer (cherry picked from commit 872ea3dfe565098570ad213a6f1eb00a805aec5d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3536ce8393d03f90ab9355a5b32693b00c23f3a --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 4ee423caa8..efddaaf720 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -397,7 +397,7 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) if (avpriv_ac3_parse_header(&hdr, pkt->data, pkt->size) < 0) { /* drop the packets until we see a good one */ if (!track->entry) { -av_log(mov, AV_LOG_WARNING, "Dropping invalid packet from start of the stream\n"); +av_log(mov->fc, AV_LOG_WARNING, "Dropping invalid packet from start of the stream\n"); ret = 0; } else ret = AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
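Review bot: this change carries no Fixes: line and the title says "consistently", so it is a consistency change rather than a crash fix; the open question is whether other `av_log(mov,` call sites remain in movenc.c, in which case one sweep of the file would be preferable to fixing them one report at a time. Backporters should not confuse it with the sibling commit in this batch that replaces `avpriv_request_sample(track->par, ...)`, which is a genuine out-of-array read.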
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check read profile before setting it
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 19:37:09 2018 +0200| [679d749eaba9e5a8b8a9ea22500ab559f5be8940] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check read profile before setting it Fixes: null pointer dereference Fixes: ffmpeg_crash_7.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 2aa9047486dbff12d9e040f917e5f799ed2fd78b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=679d749eaba9e5a8b8a9ea22500ab559f5be8940 --- libavcodec/mpeg4videodec.c | 23 +++ 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d0ebaac6e8..54a8496244 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1980,15 +1980,15 @@ static int mpeg4_decode_gop_header(MpegEncContext *s, GetBitContext *gb) return 0; } -static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb) +static int mpeg4_decode_profile_level(MpegEncContext *s, GetBitContext *gb, int *profile, int *level) { -s->avctx->profile = get_bits(gb, 4); -s->avctx->level = get_bits(gb, 4); +*profile = get_bits(gb, 4); +*level = get_bits(gb, 4); // for Simple profile, level 0 -if (s->avctx->profile == 0 && s->avctx->level == 8) { -s->avctx->level = 0; +if (*profile == 0 && *level == 8) { +*level = 0; } return 0; 
@@ -3211,13 +3211,19 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) } else if (startcode == GOP_STARTCODE) { mpeg4_decode_gop_header(s, gb); } else if (startcode == VOS_STARTCODE) { -mpeg4_decode_profile_level(s, gb); -if (s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO && -(s->avctx->level > 0 && s->avctx->level < 9)) { +int profile, level; +mpeg4_decode_profile_level(s, gb, &profile, &level); +if (profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO && +(level > 0 && level < 9)) { s->studio_profile = 1; next_start_code_studio(gb); extension_and_user_data(s, gb, 0); +} else if (s->studio_profile) { +avpriv_request_sample(s->avctx, "Mixes studio and non studio profile\n"); +return AVERROR_PATCHWELCOME; } +s->avctx->profile = profile; +s->avctx->level = level; } else if (startcode == VISUAL_OBJ_STARTCODE) { if (s->studio_profile) { if ((ret = decode_studiovisualobject(ctx, gb)) < 0) @@ -3238,6 +3244,7 @@ end: s->avctx->has_b_frames = !s->low_delay; if (s->studio_profile) { +av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO); if (!s->avctx->bits_per_raw_sample) { av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
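Review bot: `mpeg4_decode_profile_level` in the first hunk still returns int, but its only return is 0 and the call site in the second hunk ignores the value; either make it void or return a meaningful error, so the signature does not suggest a check that is never made.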
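Review bot: in the second hunk a VOS header carrying FF_PROFILE_MPEG4_SIMPLE_STUDIO with a level outside 1..8 takes neither branch (studio_profile stays 0) yet still stores that profile into `s->avctx->profile`, so avctx->profile == SIMPLE_STUDIO no longer implies studio_profile. The av_assert0 added in the third hunk asserts the converse, which holds here, but it ties an internal flag to avctx->profile, a field that the next mpeg4videodec commit in this batch (5fd1dce3) says is also written from outside the decoder; an assertion on caller-writable state is a crash waiting for an input, and that follow-up indeed cites "assertion failure". Prefer testing only studio_profile.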
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jul 2 18:40:08 2018 +0200| [2b13c136c4c6a743c92c773fdfaa1ef3945c86bf] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b13c136c4c6a743c92c773fdfaa1ef3945c86bf --- libavcodec/jpeg2000dec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 08c190c9f4..652b7a5437 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -343,7 +343,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); -if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { +// There must be at least a SOT and SOD per tile, their minimum size is 14 +if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || +s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) +) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
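Review bot: the second operand of the new `||`, `s->numXtiles * s->numYtiles * 14LL`, multiplies the two int tile counts first and only then widens to long long; it is overflow-safe only because the first operand has already bounded numXtiles * numYtiles to INT_MAX/sizeof(*s->tile) and `||` short-circuits. Writing it as `14LL * s->numXtiles * s->numYtiles` would make the check safe on its own and survive a later reordering of the conditions. The comment "at least a SOT and SOD per tile, their minimum size is 14" is exactly the kind of derivation the other bounds in this batch are missing.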
[FFmpeg-cvslog] avcodec/ac3_parser: Check init_get_bits8() for failure
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 16:59:13 2018 +0200| [0003ace83b18f68c981c8ad401bee75315edf9f5] | committer: Michael Niedermayer avcodec/ac3_parser: Check init_get_bits8() for failure Fixes: null pointer dereference Fixes: ffmpeg_crash_6.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 00e8181bd97c834fe60751b0c511d4bb97875f78) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0003ace83b18f68c981c8ad401bee75315edf9f5 --- libavcodec/ac3_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/ac3_parser.c b/libavcodec/ac3_parser.c index f4618bf215..1e203ae6ac 100644 --- a/libavcodec/ac3_parser.c +++ b/libavcodec/ac3_parser.c @@ -162,7 +162,9 @@ int avpriv_ac3_parse_header(AC3HeaderInfo **phdr, const uint8_t *buf, return AVERROR(ENOMEM); hdr = *phdr; -init_get_bits8(&gb, buf, size); +err = init_get_bits8(&gb, buf, size); +if (err < 0) +return AVERROR_INVALIDDATA; err = ff_ac3_parse_header(&gb, hdr); if (err < 0) return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
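Review bot: mapping the init_get_bits8() failure to AVERROR_INVALIDDATA instead of propagating `err` matches the ff_ac3_parse_header path right below it, so callers see one error code for both; on this early return `*phdr` has already been allocated (the ENOMEM check above), which is the same ownership as the existing failure path, so no new leak is introduced. A one-line comment on why init_get_bits8 can fail here (a NULL buffer or an out-of-range size from the caller) would help the next reader.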
[FFmpeg-cvslog] avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 17:27:50 2018 +0200| [76105382244e79d072e7b993c7caf584151b0694] | committer: Michael Niedermayer avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample Fixes: out of array read Fixes: ffmpeg_crash_8.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 95556e27e2c1d56d9e18f5db34d6f756f3011148) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76105382244e79d072e7b993c7caf584151b0694 --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 3d2905648b..4ee423caa8 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -425,7 +425,7 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) if (hdr->substreamid == info->num_ind_sub + 1) { //info->num_ind_sub++; -avpriv_request_sample(track->par, "Multiple independent substreams"); +avpriv_request_sample(mov->fc, "Multiple independent substreams"); ret = AVERROR_PATCHWELCOME; goto end; } else if (hdr->substreamid < info->num_ind_sub || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
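Review bot: `track->par` is an AVCodecParameters, which carries no AVClass, so handing it to avpriv_request_sample as the logging context makes the logger read whatever sits at the start of that struct as a class pointer (the "out of array read" in the message); `mov->fc` is the right context. The sibling commit in this batch makes the same substitution for av_log(mov, ...), so a grep of movenc.c for any other non-AVClass logging contexts is warranted before this is considered closed.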
[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in ff_eval_refl()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Thu Jun 21 23:08:32 2018 +0200| [bf3e331b7633ca9cc28e8b90db357221d0481abc] | committer: Michael Niedermayer avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bf3e331b7633ca9cc28e8b90db357221d0481abc --- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c077b7b327..cf8127c236 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x100 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV -int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); +int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif -bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; +bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
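Review bot: the `(int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12` rewrite makes the multiplication wrap in unsigned arithmetic instead of being undefined, then shifts the int-cast result, which relies on arithmetic right shift of negative values (an assumption FFmpeg already makes). Since the point is that a wrapped product is acceptable here, say why in a comment: the result feeds bp1, and `bp1[i]` is range-checked immediately below with `(unsigned) bp1[i] + 0x1000 > 0x1fff`, so an overflowed value is rejected rather than used. The CONFIG_FTRAPV variant was updated in step, which is easy to miss when backporting.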
[FFmpeg-cvslog] avcodec/ac3dec: Check channel_map index
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jun 27 15:56:18 2018 +0200| [1361e4abb81f28ac73cc41ae6bf94c045bbb7eee] | committer: Michael Niedermayer avcodec/ac3dec: Check channel_map index Fixes: out of array read Fixes: 8924/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EAC3_fuzzer-5851861780267008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 00f98d23b1462afb97116b947334db3754516207) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1361e4abb81f28ac73cc41ae6bf94c045bbb7eee --- libavcodec/ac3dec.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/ac3dec.c b/libavcodec/ac3dec.c index dfa025cbcc..ea7e052f8b 100644 --- a/libavcodec/ac3dec.c +++ b/libavcodec/ac3dec.c @@ -1690,6 +1690,7 @@ dependent_frame: if (s->frame_type == EAC3_FRAME_TYPE_DEPENDENT) { uint64_t ich_layout = avpriv_ac3_channel_layout_tab[s->prev_output_mode & ~AC3_OUTPUT_LFEON]; +int channel_map_size = ff_ac3_channels_tab[s->output_mode & ~AC3_OUTPUT_LFEON] + s->lfe_on; uint64_t channel_layout; int extend = 0; @@ -1718,6 +1719,9 @@ dependent_frame: custom_channel_map_locations[ch][1]); if (index < 0) return AVERROR_INVALIDDATA; +if (extend >= channel_map_size) +return AVERROR_INVALIDDATA; + extended_channel_map[index] = offset + channel_map[extend++]; } else { int i; @@ -1728,6 +1732,9 @@ dependent_frame: 1LL << i); if (index < 0) return AVERROR_INVALIDDATA; +if (extend >= channel_map_size) +return AVERROR_INVALIDDATA; + extended_channel_map[index] = offset + channel_map[extend++]; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
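Review bot: the two `if (extend >= channel_map_size) return AVERROR_INVALIDDATA;` insertions are identical and both guard the same `channel_map[extend++]` read, so the bound could sit once before the shared assignment; more importantly, `channel_map_size` is derived from `s->output_mode` while `ich_layout` a few lines above is derived from `s->prev_output_mode`. If those can differ for a dependent frame, the bound and the layout being indexed disagree; confirm that output_mode is the mode channel_map was built for, and record that in a comment.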
[FFmpeg-cvslog] avcodec/shorten: Fix undefined addition in shorten_decode_frame()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jul 2 19:11:46 2018 +0200| [de0a1d01baae5fe40b3d6c0b3357f49654968f13] | committer: Michael Niedermayer avcodec/shorten: Fix undefined addition in shorten_decode_frame() Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int' Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=de0a1d01baae5fe40b3d6c0b3357f49654968f13 --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 79656e7757..0f491090fd 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -682,7 +682,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, else { int32_t sum = (s->version < 2) ? 0 : s->nmean / 2; for (i = 0; i < s->nmean; i++) -sum += s->offset[channel][i]; +sum += (unsigned)s->offset[channel][i]; coffset = sum / s->nmean; if (s->version >= 2) coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
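Review bot: `sum += (unsigned)s->offset[channel][i]` makes the accumulation wrap instead of overflow, which removes the undefined behaviour but leaves `coffset = sum / s->nmean` computed from a wrapped value; that is acceptable for a corrupt stream as long as coffset is never used as an index, and nmean must be known non-zero at this point. While touching this block, parenthesise `coffset >> s->bitshift - 1 >> 1` in the trailing context line: it parses as `(coffset >> (s->bitshift - 1)) >> 1`, which is not obvious at a glance.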
[FFmpeg-cvslog] avcodec/mpeg4videodec: Remove use of FF_PROFILE_MPEG4_SIMPLE_STUDIO as indicator of studio profile
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 00:27:04 2018 +0200| [5fd1dce39a70340b9fd508154e48985902602e25] | committer: Michael Niedermayer avcodec/mpeg4videodec: Remove use of FF_PROFILE_MPEG4_SIMPLE_STUDIO as indicator of studio profile The profile field is changed by code inside and outside the decoder, it's not a reliable indicator of the internal codec state. Maintaining its consistency with studio_profile is messy. It's easier to just avoid it and use only studio_profile Fixes: assertion failure Fixes: ffmpeg_crash_9.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit bd27a9364ca274ca97f1df6d984e88a0700fb235) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5fd1dce39a70340b9fd508154e48985902602e25 --- libavcodec/error_resilience.c | 3 +-- libavcodec/h263dec.c | 6 -- libavcodec/mpeg4videodec.c| 1 - 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 339042e206..1abae53f41 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -814,8 +814,7 @@ static int er_supported(ERContext *s) { if(s->avctx->hwaccel && s->avctx->hwaccel->decode_slice || !s->cur_pic.f || - s->cur_pic.field_picture || - s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO + s->cur_pic.field_picture ) return 0; return 1; diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 5b6f834d5a..a2326ac1ab 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -47,9 +47,10 @@ static enum AVPixelFormat h263_get_format(AVCodecContext *avctx) { +MpegEncContext *s = avctx->priv_data; /* MPEG-4 Studio Profile only, not supported by hardware */ if (avctx->bits_per_raw_sample > 8) { -av_assert1(avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO); +av_assert1(s->studio_profile); return avctx->pix_fmt; } 
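Review bot: in the h263_get_format() hunk the new `MpegEncContext *s = avctx->priv_data;` is referenced only inside `av_assert1(s->studio_profile);`, so a build with assertions compiled out leaves `s` unused and triggers an unused-variable warning; mark it `av_unused` or use the assert level that is always compiled. The er_supported() hunk drops the only profile-based exclusion from error resilience, which is fine given the message's reasoning, but it means the ERContext now relies entirely on callers skipping it for studio-profile streams.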
@@ -669,7 +670,8 @@ retry: av_assert1(s->bitstream_buffer_size == 0); frame_end: -ff_er_frame_end(&s->er); +if (!s->studio_profile) +ff_er_frame_end(&s->er); if (avctx->hwaccel) { ret = avctx->hwaccel->end_frame(avctx); diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 54a8496244..2df525e03a 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -3244,7 +3244,6 @@ end: s->avctx->has_b_frames = !s->low_delay; if (s->studio_profile) { -av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO); if (!s->avctx->bits_per_raw_sample) { av_log(s->avctx, AV_LOG_ERROR, "Missing VOL header\n"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
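Review bot: with the profile test removed from er_supported(), the `if (!s->studio_profile)` guard around `ff_er_frame_end(&s->er);` in h263dec.c is now the only thing keeping error concealment away from studio-profile frames; any other entry into the ERContext for this decoder (ff_er_add_slice or another ff_er_frame_end call) needs the same guard, and the diff shows none, so it is worth confirming there are no others. The removed `av_assert0(s->avctx->profile == FF_PROFILE_MPEG4_SIMPLE_STUDIO);` in mpeg4videodec.c was the assertion the crash file tripped, and nothing replaces it, which matches the message's intent of not trusting the profile field at all.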
[FFmpeg-cvslog] avcodec/indeo4: Check for end of bitstream in decode_mb_info()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jul 2 01:26:44 2018 +0200| [3bf80c7b223ed06b32e215fd743fbe2eb5d61459] | committer: Michael Niedermayer avcodec/indeo4: Check for end of bitstream in decode_mb_info() Fixes: Timeout Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3bf80c7b223ed06b32e215fd743fbe2eb5d61459 --- libavcodec/indeo4.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 7dff9db877..15ad6f8afc 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -492,6 +492,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band, mb->b_mv_x = mb->b_mv_y = 0; +if (get_bits_left(&ctx->gb) < 1) { +av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n"); +return AVERROR_INVALIDDATA; +} + if (get_bits1(&ctx->gb)) { if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) { av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
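Review bot: `if (get_bits_left(&ctx->gb) < 1)` only covers the first `get_bits1(&ctx->gb)` read; the reads inside the branches that follow (after the empty-macroblock test) still run past the end of the buffer and depend on the bit reader's zero padding, which is what made the loop spin in the first place. That is enough to break the reported timeout, but one `get_bits_left` check against the macroblock header's maximum size, or a check after the last read in decode_mb_info(), would close the remaining over-reads rather than just the first one.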
[FFmpeg-cvslog] avcodec/shorten: Fix undefined integer overflow
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jul 2 19:08:54 2018 +0200| [c4b23793d4fe679168ffba993ef1469491521233] | committer: Michael Niedermayer avcodec/shorten: Fix undefined integer overflow Fixes: signed integer overflow: 8454144 * 256 cannot be represented in type 'int' Fixes: 8788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5728205041303552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70832333bba3b915040f415548518e136b44280e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c4b23793d4fe679168ffba993ef1469491521233 --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 18a12d0b97..79656e7757 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) -buffer[i] *= 1 << s->bitshift; +buffer[i] *= 1U << s->bitshift; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
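Review bot: `1U << s->bitshift` is itself undefined once `s->bitshift` reaches 32, and the visible code only tests `s->bitshift != 0`; unless bitshift is range-checked where it is parsed from the stream, this swaps the multiplication overflow for a shift overflow. The product is also converted back into the signed `int32_t buffer[i]`, which is implementation-defined rather than undefined, so a comment that the wrap-around is intended would help the next reader.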
[FFmpeg-cvslog] avcodec/cscd: Check output buffer size for lzo.
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jun 22 01:18:20 2018 +0200| [21732c1adc3d9ea1f0fb98166189a1ec558fd728] | committer: Michael Niedermayer avcodec/cscd: Check output buffer size for lzo. Fixes: Timeout Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=21732c1adc3d9ea1f0fb98166189a1ec558fd728 --- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 35c4ee08c3..5eb511a565 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; -if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen)) { +if (av_lzo1x_decode(c->decomp_buf, &outlen, &buf[2], &inlen) || outlen) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
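Review bot: if av_lzo1x_decode() reports the remaining output space in `outlen` (its pass-by-pointer use suggests that), the added `|| outlen` rejects any frame whose decompressed size is not exactly `c->decomp_size`, which is a stricter contract than before and should be said in a comment; the unchanged log line "error during lzo decompression" will then misreport a short-but-valid decode as a decompression failure. Splitting the condition and logging "decompressed size mismatch" with the leftover `outlen` for the second case would make the rejected cases distinguishable.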
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Mon Jul 2 18:57:05 2018 +0200| [e21e5c95c1ceeaf7ca2dd818fd334074ff0148f8] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e21e5c95c1ceeaf7ca2dd818fd334074ff0148f8 --- libavcodec/jpeg2000dec.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 652b7a5437..78db783616 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1251,10 +1251,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists 
@@ -1322,10 +1322,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
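Review bot: widening to `1LL` in all four lines only moves the limit: a `rlevel->log2_prec_height + reducedresno` (or the width variant) of 64 or more is still an undefined shift, and nothing in these hunks bounds the sum. Since the reported exponent was 47, the cause is an unvalidated log2_prec_* value; rejecting out-of-range values when the coding-style marker is parsed, or adding `if (rlevel->log2_prec_height + reducedresno >= 63) return AVERROR_INVALIDDATA;` here, would fix the cause rather than enlarge the type. The `yc %` and `xc %` operations also become 64-bit for every precinct, which is harmless but worth knowing in a hot loop.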
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check for bitstream end in read_quant_matrix_ext()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 22:48:32 2018 +0200| [4439d6aa6956453f6f5479020ee71baebbec4287] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check for bitstream end in read_quant_matrix_ext() Fixes: out of array read Fixes: asff-crash-0e53d0dc491dfdd507530b66562812fbd4c36678 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4439d6aa6956453f6f5479020ee71baebbec4287 --- libavcodec/mpeg4videodec.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 2df525e03a..24c280df46 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2867,11 +2867,13 @@ static int decode_vop_header(Mpeg4DecContext *ctx, GetBitContext *gb) return 0; } -static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) +static int read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) { int i, j, v; if (get_bits1(gb)) { +if (get_bits_left(gb) < 64*8) +return AVERROR_INVALIDDATA; /* intra_quantiser_matrix */ for (i = 0; i < 64; i++) { v = get_bits(gb, 8); @@ -2882,6 +2884,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) } if (get_bits1(gb)) { +if (get_bits_left(gb) < 64*8) +return AVERROR_INVALIDDATA; /* non_intra_quantiser_matrix */ for (i = 0; i < 64; i++) { get_bits(gb, 8); @@ -2889,6 +2893,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) } if (get_bits1(gb)) { +if (get_bits_left(gb) < 64*8) +return AVERROR_INVALIDDATA; /* chroma_intra_quantiser_matrix */ for (i = 0; i < 64; i++) { v = get_bits(gb, 8); 
@@ -2898,6 +2904,8 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) } if (get_bits1(gb)) { +if (get_bits_left(gb) < 64*8) +return AVERROR_INVALIDDATA; /* chroma_non_intra_quantiser_matrix */ for (i = 0; i < 64; i++) { get_bits(gb, 8); @@ -2905,6 +2913,7 @@ static void read_quant_matrix_ext(MpegEncContext *s, GetBitContext *gb) } next_start_code_studio(gb); +return 0; } static void extension_and_user_data(MpegEncContext *s, GetBitContext *gb, int id) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
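Review bot: read_quant_matrix_ext() now returns `AVERROR_INVALIDDATA`, but the diff only touches this function (10 insertions, 1 deletion), so its caller still treats it as void and ignores the result; the early return stops the over-read, yet header parsing continues with a partially filled matrix. The caller should propagate the return value. The same three-line `if (get_bits_left(gb) < 64*8) return AVERROR_INVALIDDATA;` check is also pasted four times; one helper that reads a 64-entry matrix with the bound check inside would be easier to keep correct.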
[FFmpeg-cvslog] avformat/mxfdec: Fix av_log context
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 20:38:06 2018 +0200| [a28ab09e2a2ac3fcc61e77ff5d702d9157eb37bc] | committer: Michael Niedermayer avformat/mxfdec: Fix av_log context Fixes: out of array access Fixes: mxf-crash-1c2e59bf07a34675bfb3ada5e1ec22fa9f38f923 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a28ab09e2a2ac3fcc61e77ff5d702d9157eb37bc --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 7a4262..c78e272a7e 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -2085,7 +2085,7 @@ static int mxf_parse_structural_metadata(MXFContext *mxf) MXFEssenceContainerData *essence_data; if (!(essence_data = mxf_resolve_strong_ref(mxf, &mxf->essence_container_data_refs[k], EssenceContainerData))) { -av_log(mxf, AV_LOG_TRACE, "could not resolve essence container data strong ref\n"); +av_log(mxf->fc, AV_LOG_TRACE, "could not resolve essence container data strong ref\n"); continue; } if (!memcmp(component->source_package_ul, essence_data->package_ul, sizeof(UID)) && !memcmp(component->source_package_uid, essence_data->package_uid, sizeof(UID))) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
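Review bot: `av_log(mxf, ...)` hands av_log an MXFContext, which does not start with an `AVClass *`, so the logger dereferences whatever pointer happens to be first in the struct, which is the out-of-array access the message reports; `mxf->fc` is the correct AVFormatContext. This hunk fixes one call site but the mistake is easy to repeat, so a grep of the file for other `av_log(mxf,` uses is warranted, and giving MXFContext an AVClass as its first member would make a wrong context harmless in future.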
[FFmpeg-cvslog] avformat/mms: Add missing chunksize check
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 20:33:04 2018 +0200| [6d992a51c75aafba6e21bff95cddae9d717bc7e3] | committer: Michael Niedermayer avformat/mms: Add missing chunksize check Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch 1st hunk by Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d992a51c75aafba6e21bff95cddae9d717bc7e3 --- libavformat/mms.c | 44 ++-- 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/libavformat/mms.c b/libavformat/mms.c index 17fa76a8d4..768fda6525 100644 --- a/libavformat/mms.c +++ b/libavformat/mms.c 
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) { -flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); -stream_id = flags & 0x7F; -//The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, -//we can calculate the packet size by stream_num. -//Please see function send_stream_selection_request(). -if (mms->stream_num < MMS_MAX_STREAMS && -46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { -mms->streams = av_fast_realloc(mms->streams, - &mms->nb_streams_allocated, - (mms->stream_num + 1) * sizeof(MMSStream)); -if (!mms->streams) -return AVERROR(ENOMEM); -mms->streams[mms->stream_num].id = stream_id; -mms->stream_num++; -} else { -av_log(NULL, AV_LOG_ERROR, - "Corrupt stream (too many A/V streams)\n"); -return AVERROR_INVALIDDATA; +if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) { +flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24); +stream_id = flags & 0x7F; +//The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size, +//we can calculate the packet size by stream_num. +//Please see function send_stream_selection_request(). +if (mms->stream_num < MMS_MAX_STREAMS && +46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) { +mms->streams = av_fast_realloc(mms->streams, + &mms->nb_streams_allocated, + (mms->stream_num + 1) * sizeof(MMSStream)); +if (!mms->streams) +return AVERROR(ENOMEM); +mms->streams[mms->stream_num].id = stream_id; +mms->stream_num++; +} else { +av_log(NULL, AV_LOG_ERROR, + "Corrupt stream (too many A/V streams)\n"); +return AVERROR_INVALIDDATA; +} } } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) { if (end - p >= 88) { 
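Review bot: when `end - p >= (sizeof(ff_asf_guid) * 3 + 26)` is false the stream header is skipped silently and the loop proceeds to `p += chunksize`; a truncated stream header is corrupt input, so returning AVERROR_INVALIDDATA, or at least logging as the "Corrupt stream (too many A/V streams)" branch does, would be consistent. Note too that the comparison is a signed `end - p` against an unsigned `sizeof` expression, so the left side is converted to unsigned; that is safe only while `p` can never pass `end`, which is what the chunksize check in the next hunk is there to guarantee.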
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms) } } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) { chunksize = 46; // see references [2] section 3.4. This should be set 46. +if (chunksize > end - p) { +av_log(NULL, AV_LOG_ERROR, +"Corrupt stream (header chunksize %"PRId64" is invalid)\n", +chunksize); +return AVERROR_INVALIDDATA; +} } p += chunksize; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
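Review bot: the `if (chunksize > end - p)` check is added only inside the `ff_asf_head1_guid` branch, while the `p += chunksize;` that it protects runs for every branch; any other branch that takes chunksize from the stream without its own bound needs the same test. Hoisting this check to immediately before `p += chunksize;` would cover all branches with a single test and is where a reader would expect to find it.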
[FFmpeg-cvslog] avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 21:37:46 2018 +0200| [37f505cc853f592d93b6285c8a91eece2e5b8b07] | committer: Michael Niedermayer avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata() Fixes: use after free() Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit a7e032a277452366771951e29fd0bf2bd5c029f0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37f505cc853f592d93b6285c8a91eece2e5b8b07 --- libavformat/rmdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index ac61723c66..0216003e88 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -522,7 +522,7 @@ static int rm_read_multi(AVFormatContext *s, AVIOContext *pb, size2 = avio_rb32(pb); ret = ff_rm_read_mdpr_codecdata(s, s->pb, st2, st2->priv_data, -size2, mime); +size2, NULL); if (ret < 0) return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
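Review bot: passing `NULL` instead of `mime` sidesteps the use-after-free, but the multi-stream path now gives ff_rm_read_mdpr_codecdata() no mime type where it previously had one; if that argument affects codec selection, substreams inside a multi header may be identified differently after this change. The message does not say what frees `mime`; if it is a buffer owned by this function or by a previous iteration, copying the string before the loop would fix the lifetime without changing behaviour.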
[FFmpeg-cvslog] avformat/movenc: Check input sample count
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 6 22:23:25 2018 +0200| [0981dfee7d413ec6f30f00ddb109e3959c05bebd] | committer: Michael Niedermayer avformat/movenc: Check input sample count Fixes: division by 0 Fixes: fpe_movenc.c_199_1.wav Fixes: fpe_movenc.c_199_2.wav Fixes: fpe_movenc.c_199_3.wav Fixes: fpe_movenc.c_199_4.wav Fixes: fpe_movenc.c_199_5.wav Fixes: fpe_movenc.c_199_6.wav Fixes: fpe_movenc.c_199_7.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0981dfee7d413ec6f30f00ddb109e3959c05bebd --- libavformat/movenc.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index efddaaf720..ef76c6a5a5 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -5215,6 +5215,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt) else samples_in_chunk = 1; +if (samples_in_chunk < 1) { +av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n"); +return AVERROR_PATCHWELCOME; +} + /* copy extradata if it exists */ if (trk->vos_len == 0 && par->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) && ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
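Review bot: a packet with no samples is malformed input rather than an unimplemented feature, so `AVERROR_INVALIDDATA` fits better than `AVERROR_PATCHWELCOME`, and "fatal error" in the message duplicates what AV_LOG_ERROR already conveys. The check sits after `samples_in_chunk` has been assigned in every branch, so it does cover the division the message refers to, and `< 1` also catches a negative count, which is the right test.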
[FFmpeg-cvslog] swresample/arm: rename labels to fix xcode build error
ffmpeg | branch: release/4.0 | Rahul Chaudhry | Fri Apr 27 13:49:52 2018 -0700| [5db47b3983ef23c1676ddcd7a88c22b5f38b0230] | committer: Michael Niedermayer swresample/arm: rename labels to fix xcode build error Signed-off-by: Michael Niedermayer (cherry picked from commit e84212b78e00df17799e01be1e153a073eb8f689) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5db47b3983ef23c1676ddcd7a88c22b5f38b0230 --- libswresample/arm/audio_convert_neon.S | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 7729514701..085d50aafa 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,7 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 -_swri_oldapi_conv_flt_to_s16_neon: +.L_swri_oldapi_conv_flt_to_s16_neon: subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32q8, q0, #31 @@ -67,7 +67,7 @@ _swri_oldapi_conv_flt_to_s16_neon: endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 -_swri_oldapi_conv_fltp_to_s16_2ch_neon: +.L_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! @@ -135,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] -blt _swri_oldapi_conv_flt_to_s16_neon -beq _swri_oldapi_conv_fltp_to_s16_2ch_neon +blt .L_swri_oldapi_conv_flt_to_s16_neon +beq .L_swri_oldapi_conv_fltp_to_s16_2ch_neon push{r4-r8, lr} cmp r3, #4 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
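Review bot: switching the secondary labels to `.L_...` makes them assembler-local, so they no longer collide with the underscore-prefixed symbol that `function ..., export=1` itself emits on targets where C symbols carry a leading underscore, which is the xcode failure the message describes; a one-line comment next to the first `.L_` label saying that a plain `_name:` label must not be added here would stop it being reintroduced. The `blt`/`beq` targets are updated to match both definitions, and nothing else references the old names in the diff.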
[FFmpeg-cvslog] avformat/asfdec_o: Check size_bmp more fully
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 21:01:23 2018 +0200| [a21703ca5d42e91b3a218e755020e90ef3af2eae] | committer: Michael Niedermayer avformat/asfdec_o: Check size_bmp more fully Fixes: integer overflow and out of array access Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a21703ca5d42e91b3a218e755020e90ef3af2eae --- libavformat/asfdec_o.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/asfdec_o.c b/libavformat/asfdec_o.c index 5122e33c78..b4b2698368 100644 --- a/libavformat/asfdec_o.c +++ b/libavformat/asfdec_o.c @@ -706,7 +706,8 @@ static int parse_video_info(AVIOContext *pb, AVStream *st) st->codecpar->codec_id = ff_codec_get_id(ff_codec_bmp_tags, tag); size_bmp = FFMAX(size_asf, size_bmp); -if (size_bmp > BMP_HEADER_SIZE) { +if (size_bmp > BMP_HEADER_SIZE && +size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { int ret; st->codecpar->extradata_size = size_bmp - BMP_HEADER_SIZE; if (!(st->codecpar->extradata = av_malloc(st->codecpar->extradata_size + ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
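Review bot: the new `size_bmp < INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` bound stops `extradata_size + AV_INPUT_BUFFER_PADDING_SIZE` from overflowing, but a size that fails it is silently treated as "no extradata" and parsing continues; a BITMAPINFOHEADER claiming near INT_MAX bytes is corrupt, so an av_log and AVERROR_INVALIDDATA would be more useful to users and to fuzzers. If the number of bytes remaining in the header is known at this point, bounding size_bmp by that instead would also reject large-but-legal values before av_malloc is asked for them.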
[FFmpeg-cvslog] avformat/mov: Eliminate variable buf_size from mov_estimate_video_delay()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jul 11 02:17:56 2018 +0200| [052edeec55fdcc977f1e3e7d89c9b616ae461a82] | committer: Michael Niedermayer avformat/mov: Eliminate variable buf_size from mov_estimate_video_delay() Reviewed-by: Derek Buitenhuis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 3ce4034308a3726395a2c1b18a3dff3554e0b619) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=052edeec55fdcc977f1e3e7d89c9b616ae461a82 --- libavformat/mov.c | 19 --- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 1df6b3781f..b01d533eb4 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3299,25 +3299,22 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { int ctts_sample = 0; int64_t pts_buf[MAX_REORDER_DELAY + 1]; // Circular buffer to sort pts. int buf_start = 0; -int buf_size = 0; int j, r, num_swaps; +for (j = 0; j < MAX_REORDER_DELAY + 1; j++) +pts_buf[j] = INT64_MIN; + if (st->codecpar->video_delay <= 0 && msc->ctts_data && st->codecpar->codec_id == AV_CODEC_ID_H264) { st->codecpar->video_delay = 0; for(ind = 0; ind < st->nb_index_entries && ctts_ind < msc->ctts_count; ++ind) { -if (buf_size == (MAX_REORDER_DELAY + 1)) { -// If circular buffer is full, then move the first element forward. -buf_start = (buf_start + 1); -if (buf_start == MAX_REORDER_DELAY + 1) -buf_start = 0; -} else { -++buf_size; -} +buf_start = (buf_start + 1); +if (buf_start == MAX_REORDER_DELAY + 1) +buf_start = 0; // Point j to the last elem of the buffer and insert the current pts there. j = buf_start - 1; -if (j < 0) j = buf_size - 1; +if (j < 0) j = MAX_REORDER_DELAY; pts_buf[j] = st->index_entries[ind].timestamp + msc->ctts_data[ctts_ind].duration; // The timestamps that are already in the sorted buffer, and are greater than the 
@@ -3329,7 +3326,7 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { num_swaps = 0; while (j != buf_start) { r = j - 1; -if (r < 0) r = buf_size - 1; +if (r < 0) r = MAX_REORDER_DELAY; if (pts_buf[j] < pts_buf[r]) { FFSWAP(int64_t, pts_buf[j], pts_buf[r]); ++num_swaps; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
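Review bot: pre-filling `pts_buf` with `INT64_MIN` makes the empty slots sort below any real timestamp, so removing `buf_size` leaves the swap count unchanged; but the trick silently depends on `timestamp + duration` never equalling INT64_MIN, which is also the bit pattern of AV_NOPTS_VALUE, and that invariant deserves a comment on the initialisation loop. The inner sort loop also now walks over every sentinel for the first MAX_REORDER_DELAY entries of a stream; the comparisons are all false so this is cost, not a correctness issue.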
[FFmpeg-cvslog] avformat/pva: Check for EOF before retrying in read_part_of_packet()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Tue Jul 3 22:14:42 2018 +0200| [6f4b82cc3a879f5d3f9a4738bfd7d93757221958] | committer: Michael Niedermayer avformat/pva: Check for EOF before retrying in read_part_of_packet() Fixes: Infinite loop Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f4b82cc3a879f5d3f9a4738bfd7d93757221958 --- libavformat/pva.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/pva.c b/libavformat/pva.c index 16381db905..04ae8e2800 100644 --- a/libavformat/pva.c +++ b/libavformat/pva.c @@ -134,6 +134,10 @@ recover: pes_flags = avio_rb16(pb); pes_header_data_length = avio_r8(pb); +if (avio_feof(pb)) { +return AVERROR_EOF; +} + if (pes_signal != 1 || pes_header_data_length == 0) { pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
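Review bot: placing `avio_feof(pb)` after the three avio reads means a truncated PES header is caught on the same pass, and because the EOF flag is sticky it also covers reads earlier in the function, so the "trying to recover" path can no longer spin on a stream that only returns EOF. For an input that returns I/O errors rather than EOF it is worth confirming the error also sets the EOF flag, otherwise that path is still unbounded; a retry counter on the `recover:` label would be the belt-and-braces fix.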
[FFmpeg-cvslog] avformat/movenc: Write version 2 of audio atom if channels is not known
ffmpeg | branch: release/4.0 | Michael Niedermayer | Sun Jul 8 00:16:42 2018 +0200| [fd53179f4a71e0acd807bdfff112a55e204fa4ba] | committer: Michael Niedermayer avformat/movenc: Write version 2 of audio atom if channels is not known The version 1 needs the channel count and would divide by 0 Fixes: division by 0 Fixes: fpe_movenc.c_1108_1.ogg Fixes: fpe_movenc.c_1108_2.ogg Fixes: fpe_movenc.c_1108_3.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fd53179f4a71e0acd807bdfff112a55e204fa4ba --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index ef76c6a5a5..415637d46f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -1018,7 +1018,7 @@ static int mov_write_audio_tag(AVFormatContext *s, AVIOContext *pb, MOVMuxContex uint32_t tag = track->tag; if (track->mode == MODE_MOV) { -if (track->timescale > UINT16_MAX) { +if (track->timescale > UINT16_MAX || !track->par->channels) { if (mov_get_lpcm_flags(track->par->codec_id)) tag = AV_RL32("lpcm"); version = 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
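Review bot: `!track->par->channels` now selects the version 2 sound description so the channel count is never used as a divisor, but it also means a stream with zero channels is muxed rather than rejected, and the resulting file advertises a channel count of 0 that every reader then has to cope with. Rejecting such a stream at init with AVERROR(EINVAL) and a clear message is arguably the right fix, with this change kept as defence in depth for the case the message describes.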
[FFmpeg-cvslog] avformat/mov: remove modulo operations from mov_estimate_video_delay()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jul 11 02:17:55 2018 +0200| [48479937c3e92cf0056ab99e215e29e29b61f929] | committer: Michael Niedermayer avformat/mov: remove modulo operations from mov_estimate_video_delay() 0.324 <-0.491 sec Reviewed-by: Derek Buitenhuis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit c995e01b1e01ac11cf2545b3ce86569a482ff434) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=48479937c3e92cf0056ab99e215e29e29b61f929 --- libavformat/mov.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a44a90ca71..1df6b3781f 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3308,13 +3308,16 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { for(ind = 0; ind < st->nb_index_entries && ctts_ind < msc->ctts_count; ++ind) { if (buf_size == (MAX_REORDER_DELAY + 1)) { // If circular buffer is full, then move the first element forward. -buf_start = (buf_start + 1) % buf_size; +buf_start = (buf_start + 1); +if (buf_start == MAX_REORDER_DELAY + 1) +buf_start = 0; } else { ++buf_size; } // Point j to the last elem of the buffer and insert the current pts there. -j = (buf_start + buf_size - 1) % buf_size; +j = buf_start - 1; +if (j < 0) j = buf_size - 1; pts_buf[j] = st->index_entries[ind].timestamp + msc->ctts_data[ctts_ind].duration; // The timestamps that are already in the sorted buffer, and are greater than the @@ -3325,7 +3328,8 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { // go through, to keep this buffer in sorted order. num_swaps = 0; while (j != buf_start) { -r = (j - 1 + buf_size) % buf_size; +r = j - 1; +if (r < 0) r = buf_size - 1; if (pts_buf[j] < pts_buf[r]) { FFSWAP(int64_t, pts_buf[j], pts_buf[r]); ++num_swaps; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
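Review bot: the compare-and-reset wrap in these hunks is equivalent to the old `% buf_size` only because `buf_start` stays at 0 until the buffer is full and `buf_size` equals `MAX_REORDER_DELAY + 1` from then on, so `if (j < 0) j = buf_size - 1;` and `if (r < 0) r = buf_size - 1;` land on the same slot in both states; that invariant is what makes the rewrite safe and should be stated in a comment. The "0.324 <-0.491 sec" figure would be reproducible if the command used were given, as the later commit in this series does.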
[FFmpeg-cvslog] avformat/mov: Simplify last element computation in mov_estimate_video_delay()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jul 11 02:17:57 2018 +0200| [670b565ba2b1074290b4a5bcf6f4c6ff55e9c68c] | committer: Michael Niedermayer avformat/mov: Simplify last element computation in mov_estimate_video_delay() Reviewed-by: Derek Buitenhuis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit b0644f7f72a9ae64c7285d26ec720441c25d4cf5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=670b565ba2b1074290b4a5bcf6f4c6ff55e9c68c --- libavformat/mov.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index b0a50fbc54..ff95154e60 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3308,13 +3308,12 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { st->codecpar->codec_id == AV_CODEC_ID_H264) { st->codecpar->video_delay = 0; for(ind = 0; ind < st->nb_index_entries && ctts_ind < msc->ctts_count; ++ind) { +// Point j to the last elem of the buffer and insert the current pts there. +j = buf_start; buf_start = (buf_start + 1); if (buf_start == MAX_REORDER_DELAY + 1) buf_start = 0; -// Point j to the last elem of the buffer and insert the current pts there. -j = buf_start - 1; -if (j < 0) j = MAX_REORDER_DELAY; pts_buf[j] = st->index_entries[ind].timestamp + msc->ctts_data[ctts_ind].duration; // The timestamps that are already in the sorted buffer, and are greater than the ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
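Review bot: taking `j = buf_start;` before advancing is equivalent to the removed `j = buf_start - 1` wrap, but the comment "Point j to the last elem of the buffer" now sits above an assignment that selects the oldest slot, which only becomes the last element after `buf_start` is advanced on the next two lines; rewording it to something like "reuse the oldest slot; it becomes the newest once buf_start advances" would match the new order of operations.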
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix signedness regression in interleave()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 13 18:33:08 2018 +0200| [0561cde1289b35272ce1913bd5cb024ade22d6c4] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix signedness regression in interleave() Found-by: Tested-by: James Darnley Signed-off-by: Michael Niedermayer (cherry picked from commit 181435a4de6e38e0a15ddaf16de9a157ef41cb18) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0561cde1289b35272ce1913bd5cb024ade22d6c4 --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 528fc7e9e7..2369c8d15b 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { -dst[2*i ] = (src0[i] + (unsigned)add) >> shift; -dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; +dst[2*i ] = ((int)(src0[i] + (unsigned)add)) >> shift; +dst[2*i+1] = ((int)(src1[i] + (unsigned)add)) >> shift; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mov: Break out of inner loop early in mov_estimate_video_delay()
ffmpeg | branch: release/4.0 | Michael Niedermayer | Wed Jul 11 02:17:58 2018 +0200| [6b65f46673d8efa3d9323307f000ba32c95f94d8] | committer: Michael Niedermayer avformat/mov: Break out of inner loop early in mov_estimate_video_delay() 0.266 <- 0.299 sec (this is time ffmpeg so containing alot other things) Sample for benchmark was: ffmpeg -f rawvideo -pix_fmt yuv420p -s 32x32 -i /dev/zero -t 24:00:00.00 out.mp4 Reviewed-by: Derek Buitenhuis Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit aba13dc13e5233545bdd06f514e0addbb0155c69) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6b65f46673d8efa3d9323307f000ba32c95f94d8 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b01d533eb4..b0a50fbc54 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3330,6 +3330,8 @@ static void mov_estimate_video_delay(MOVContext *c, AVStream* st) { if (pts_buf[j] < pts_buf[r]) { FFSWAP(int64_t, pts_buf[j], pts_buf[r]); ++num_swaps; +} else { +break; } j = r; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
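Review bot: the new `} else { break; }` turns the sift into an early exit, which is only correct because everything already in pts_buf is sorted (once `pts_buf[j] < pts_buf[r]` is false, no element further along can be smaller). That invariant is stated in a comment a few lines above the hunk, but the break itself should carry a short note that it depends on it, otherwise a later change that inserts unsorted values into pts_buf will silently produce a wrong video_delay rather than a visibly slow one.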
[FFmpeg-cvslog] avcodec/vp8_parser: Do not leave data/size uninitialized
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 6 12:01:46 2018 +0200| [fc92ca5b8e3bf5110f89f37c5abf213ce75f5266] | committer: Michael Niedermayer avcodec/vp8_parser: Do not leave data/size uninitialized This is identical to what the VP9 parser does Fixes: 9215/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVPX_VP8_fuzzer-5768227253649408 Fixes: out of memory access This may also fix oss fuzz issue 9212 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 284dde24dab30225ed3e233b0e5908d67d7e13e7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fc92ca5b8e3bf5110f89f37c5abf213ce75f5266 --- libavcodec/vp8_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp8_parser.c b/libavcodec/vp8_parser.c index 609f5077d1..e2d91b271f 100644 --- a/libavcodec/vp8_parser.c +++ b/libavcodec/vp8_parser.c @@ -28,6 +28,9 @@ static int parse(AVCodecParserContext *s, unsigned int frame_type; unsigned int profile; +*poutbuf = buf; +*poutbuf_size = buf_size; + if (buf_size < 3) return buf_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
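Review bot: setting `*poutbuf = buf;` and `*poutbuf_size = buf_size;` at the top of parse(), ahead of the `if (buf_size < 3) return buf_size;` early exit, means every return path now hands the caller defined output, which is what the commit sets out to fix. Since this parser does no reassembly, a comment at the assignment ("passthrough parser: output is always the input packet") would explain why the values are set unconditionally rather than only on a successfully parsed frame.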
[FFmpeg-cvslog] avcodec/dvdsub_parser: Init output buf/size
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 13 18:54:48 2018 +0200| [40ed40902ade1fa6294e12d853cf06f30f85b8cb] | committer: Michael Niedermayer avcodec/dvdsub_parser: Init output buf/size No testcase Signed-off-by: Michael Niedermayer (cherry picked from commit 9e6c8437761661441d836876934314cb2b8fafe7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=40ed40902ade1fa6294e12d853cf06f30f85b8cb --- libavcodec/dvdsub_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 32a945ed65..8e1c48bef6 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -44,6 +44,9 @@ static int dvdsub_parse(AVCodecParserContext *s, { DVDSubParseContext *pc = s->priv_data; +*poutbuf = buf; +*poutbuf_size = buf_size; + if (pc->packet_index == 0) { if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) { if (buf_size) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
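Review bot: the context line directly below the new assignments, `if (buf_size < 2 || AV_RB16(buf) && buf_size < 6)`, relies on `&&` binding tighter than `||`; gcc flags this under -Wparentheses, and `buf_size < 2 || (AV_RB16(buf) && buf_size < 6)` makes the intent (a non-zero 16-bit length needs at least 6 bytes) explicit. The `*poutbuf`/`*poutbuf_size` initialisation itself is placed correctly, before any of the early returns in the packet-assembly path.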
[FFmpeg-cvslog] avcodec/mjpegdec: Check for odd progressive RGB
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 6 16:28:14 2018 +0200| [d8c4b2ae57e0035c07bc8ed8ea2fe21ae9619699] | committer: Michael Niedermayer avcodec/mjpegdec: Check for odd progressive RGB Fixes: out of array access Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8c4b2ae57e0035c07bc8ed8ea2fe21ae9619699 --- libavcodec/mjpegdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 00cfdd7151..5e784d980c 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -626,6 +626,10 @@ unk_pixfmt: avpriv_report_missing_feature(s->avctx, "Lowres for weird subsampling"); return AVERROR_PATCHWELCOME; } +if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) { +avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling"); +return AVERROR_PATCHWELCOME; +} if (s->ls) { memset(s->upscale_h, 0, sizeof(s->upscale_h)); memset(s->upscale_v, 0, sizeof(s->upscale_v)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
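Review bot: the new check runs before the `if (s->ls) { memset(s->upscale_h, 0, ...); memset(s->upscale_v, 0, ...); }` block that immediately follows it, so for JPEG-LS streams it tests upscale values that are about to be cleared anyway; if the intent is to reject progressive GBRP with upscaling only for non-LS streams, the check belongs after the memsets, and if it is meant to fire for LS too (the fixed testcase is from the JPEGLS fuzzer), a comment should say why. The message "progressive for weird subsampling" would also be clearer as "progressive RGB with upscaling", since that is the actual condition tested.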
[FFmpeg-cvslog] avcodec/dvdsub_parser: Allocate input padding
ffmpeg | branch: release/4.0 | Michael Niedermayer | Fri Jul 13 18:56:10 2018 +0200| [3ef38c414e7908b2f66552081efe485bce52037c] | committer: Michael Niedermayer avcodec/dvdsub_parser: Allocate input padding Fixes: out of array read Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-574650765568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ef38c414e7908b2f66552081efe485bce52037c --- libavcodec/dvdsub_parser.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c index 8e1c48bef6..698ccb6987 100644 --- a/libavcodec/dvdsub_parser.c +++ b/libavcodec/dvdsub_parser.c @@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, if (pc->packet_len == 0) /* HD-DVD subpicture packet */ pc->packet_len = AV_RB32(buf+2); av_freep(&pc->packet); -pc->packet = av_malloc(pc->packet_len); +if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) { +av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); +return buf_size; +} +pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); } if (pc->packet) { if (pc->packet_index + buf_size <= pc->packet_len) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
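Review bot: `av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE)` allocates the padding but does not zero it, and the AV_INPUT_BUFFER_PADDING_SIZE contract is that the padding bytes are zeroed so bitstream readers stop cleanly at the end of the data; use av_mallocz() here or memset the tail once the payload has been copied in. The `(unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` test correctly catches a negative length from `AV_RB32(buf+2)` as well as the overflow case, but on that path the function returns buf_size with pc->packet already freed while packet_len still holds the bad value; resetting packet_len (and packet_index) there, or a comment stating why stale values are harmless, would make the error path easier to trust.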
[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Apr 27 21:44:07 2018 +0200| [bb7b9238b4121e608d98b6cef9272276ea74d59d] | committer: Michael Niedermayer avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int' Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb7b9238b4121e608d98b6cef9272276ea74d59d --- libavcodec/wavpack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index 053b1c575d..bf4ddb59f6 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2U -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n))) / (128 >> (n))) * 5U +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n))) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
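Review bot: the two macros now mix unsigned and signed arithmetic on purpose, `((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U`: the addition is done unsigned to avoid the reported signed overflow, the `(int)` cast brings the value back for a signed division, and the `* 2U` makes the final product unsigned again before it is applied to median[n]. That is deliberate but reads like a typo, so a sentence under `// macros for manipulating median values` explaining the pattern would help; note too that the `(int)` conversion of a value above INT_MAX is implementation-defined, which FFmpeg already assumes elsewhere (two's-complement wraparound).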
[FFmpeg-cvslog] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 4 19:11:36 2018 +0200| [083c48e6d9dbc1c390146422ddcdc2d25278e3a4] | committer: Michael Niedermayer avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done Fixes: assertion failure Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=083c48e6d9dbc1c390146422ddcdc2d25278e3a4 --- libavcodec/jpeg2000dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 404cf06ddc..2eb66bb921 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1125,6 +1125,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; +if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) +continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
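Review bot: `if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) continue;` uses a strict comparison, yet the loop right below, `for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); ...)`, already runs zero times when RSpoc equals the bound, so the equal case still falls through to whatever the enclosing loop body does after it. If the equal case also has nothing to do, `>=` is the condition that matches the commit title; if equality must still reach the code after the loop, a comment saying why would stop the next reader from "tightening" it. Either way the bound is computed twice and could be hoisted into a local.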
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 4 19:18:25 2018 +0200| [716ab0f2f4567ad1838be7c69f7b5e0ae783fc04] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=716ab0f2f4567ad1838be7c69f7b5e0ae783fc04 --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 2eb66bb921..4a7a0d7387 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1147,10 +1147,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
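Review bot: switching to `1LL << (rlevel->log2_prec_height + reducedresno)` raises the safe exponent from 31 to 63 but does not remove the undefined behaviour: the fuzzer produced an exponent of 47, and nothing in the hunk bounds `log2_prec_height + reducedresno` below 64. Unless those fields are range-checked at parse time (not visible here), the exponent should be validated, or the precinct test rewritten to avoid the shift; the existing `//FIXME this is a subset of the check` on both lines suggests the whole test is due for that rework.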
[FFmpeg-cvslog] lavf/http.c: Free allocated client URLContext in case of error.
ffmpeg | branch: release/3.3 | Stephan Holljes | Fri Jan 12 19:16:29 2018 +0100| [2d975fff05488e64999360eb775c5a8219a05958] | committer: Michael Niedermayer lavf/http.c: Free allocated client URLContext in case of error. Signed-off-by: Stephan Holljes Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d975fff05488e64999360eb775c5a8219a05958 --- libavformat/http.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index d06103ab6d..a1fdd1dd56 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -538,7 +538,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; +return 0; fail: +if (c) { +ffurl_closep(c); +} return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
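Review bot: the added `return 0;` before `fail:` is what makes the cleanup safe (without it the success path would fall through and close the connection it has just stored in `cc->hd`), so that line is the important part of the hunk and deserves a comment. In the cleanup itself, `if (c) { ffurl_closep(c); }` tests the output pointer, not the context: ffurl_closep() already tolerates `*c == NULL`, so if `c` can never legitimately be NULL here the guard (and the braces around a single statement, per project style) can go, and if it can be NULL any earlier dereference of `c` in this function would need the same guard.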
[FFmpeg-cvslog] avcodec/ffv1enc: Check that the crc + version combination is supported
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat Apr 21 22:19:31 2018 +0200| [bcc47312d4fd7b4ccedca400e9ea9d650a77f4bb] | committer: Michael Niedermayer avcodec/ffv1enc: Check that the crc + version combination is supported The crc flag is only stored since version 3 thus before this crcs do not work. We increase the version as needed same as we do with pix_fmts Signed-off-by: Michael Niedermayer (cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcc47312d4fd7b4ccedca400e9ea9d650a77f4bb --- libavcodec/ffv1enc.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 7f31606775..62d295b4f8 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -539,6 +539,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } +// CRC requires version 3+ +if (s->ec) +s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
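Review bot: `if (s->ec) s->version = FFMAX(s->version, 3);` silently raises the version when CRCs were requested, and because it sits before the `if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL)` check, a user who asked for version 1 or 2 together with crc gets a version 3 stream with no indication why; an av_log() at AV_LOG_WARNING or AV_LOG_VERBOSE would make the override visible, as the commit message says this mirrors the pix_fmt handling. The comment `// CRC requires version 3+` could also carry the reason given in the commit message, that the flag is only stored in the header from version 3 on.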
[FFmpeg-cvslog] avcodec/cinepak: Skip empty frames
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Apr 17 02:13:43 2018 +0200| [5d42300731b1ffdd52c27e198bb724f2c3918f23] | committer: Michael Niedermayer avcodec/cinepak: Skip empty frames Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d42300731b1ffdd52c27e198bb724f2c3918f23 --- libavcodec/cinepak.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index ba0589582f..9b0077402f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int ret = 0, buf_size = avpkt->size; CinepakContext *s = avctx->priv_data; +int num_strips; s->data = buf; s->size = buf_size; @@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; +num_strips = AV_RB16 (&s->data[8]); + +//Empty frame, do not waste time +if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL))) +return buf_size; + if ((ret = cinepak_predecode_check(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
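Review bot: `num_strips = AV_RB16 (&s->data[8]);` is in bounds because the `if (s->size < 10) return AVERROR_INVALIDDATA;` just above guarantees ten bytes, so the ordering is right; two style points, the space before the parenthesis in `AV_RB16 (` and the comment `//Empty frame, do not waste time` with no space after `//`, do not match the surrounding code. The palette condition is sound: a zero-strip packet is still decoded when it carries AV_PKT_DATA_PALETTE side data for a palettised stream, so palette updates are not dropped by the shortcut.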
[FFmpeg-cvslog] avcodec/flac_parser: Fix infinite loop
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 30 22:20:28 2018 +0200| [90e9b76d3a9b4e220e7636fdc7672f1e91924a6c] | committer: Michael Niedermayer avcodec/flac_parser: Fix infinite loop Fixes: crbug/827204 Reported-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90e9b76d3a9b4e220e7636fdc7672f1e91924a6c --- libavcodec/flac_parser.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 84da23f327..2721286464 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { -if (curr->max_score > 0 && -(!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { +if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } +if (fpc->best_header && fpc->best_header->max_score <= 0) { +// Only accept a bad header if there is no other option to continue +if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) +fpc->best_header = NULL; +} + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
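Review bot: the new guard `if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) fpc->best_header = NULL;` packs four conditions behind the single comment "Only accept a bad header if there is no other option to continue"; `!buf_size || !buf` is recognisable as end of stream, but `read_end != buf` and the FLAC_MIN_HEADERS threshold need a sentence each, because the selection loop above now deliberately picks a header with `max_score <= 0` and this block is the only thing that stops such a header from being used in the normal case. Naming the looping case the commit fixes (crbug/827204) in that comment would keep the reason attached to the code.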
[FFmpeg-cvslog] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 16 22:29:09 2018 +0200| [7784a7c1d8df7364a01436a7c90f483db596be78] | committer: Michael Niedermayer avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame Fixes: Timeout Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7784a7c1d8df7364a01436a7c90f483db596be78 --- libavcodec/dsicinvideo.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index add7afa383..aa080417d2 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, } } +if (dst_end - dst > dst_size - dst_size/10) +return AVERROR_INVALIDDATA; + return 0; } @@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size, } dst += len; } + +if (dst_end - dst > dst_size - dst_size/10) +return AVERROR_INVALIDDATA; + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
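Review bot: in the cin_decode_lzss() hunk, `if (dst_end - dst > dst_size - dst_size/10) return AVERROR_INVALIDDATA;` rejects any output that fills less than roughly 10% of the frame buffer, which is a heuristic rather than a format rule and will also reject a genuine but tiny update; the 10% figure should be explained in a comment next to the check (it exists to stop the fuzzer timeout named in the commit message, not because the format forbids short frames).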
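Review bot: in the cin_decode_rle() hunk the same `dst_end - dst > dst_size - dst_size/10` test is copied verbatim from cin_decode_lzss(); a small static helper or macro shared by both decoders would keep the threshold in one place so the two cannot drift apart when the heuristic is tuned.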
[FFmpeg-cvslog] avcodec/elsdec: Fix memleaks
ffmpeg | branch: release/3.3 | Michael Niedermayer | Wed Apr 25 01:54:17 2018 +0200| [3d29170013b1e28770082d660e8695fe26ba4e2f] | committer: Michael Niedermayer avcodec/elsdec: Fix memleaks Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d29170013b1e28770082d660e8695fe26ba4e2f --- libavcodec/elsdec.c | 8 +++- libavcodec/g2meet.c | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..cb0e9c6534 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { -av_free(rung->rem_rung_list); +av_freep(&rung->rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) @@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; -ur->rem_rung_list = av_realloc(ur->rem_rung_list, +ctx->err = av_reallocp(&ur->rem_rung_list, ur->rung_list_size + RUNG_SPACE); -if (!ur->rem_rung_list) { -av_free(ur->rem_rung_list); -ctx->err = AVERROR(ENOMEM); +if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 3b8b97ab41..b4adce03a2 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
@@ -927,6 +927,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); +ff_els_decoder_uninit(&c->ec.unsigned_rung); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
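Review bot: in the ff_els_decoder_uninit() hunk, `av_freep(&rung->rem_rung_list)` is what makes the g2meet change safe, since uninit can now be called on an error path and again at close without a double free; a note in the function's comment that it is idempotent would document that expectation for future callers.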
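Review bot: in the ff_els_decode_unsigned() hunk, after `ctx->err = av_reallocp(&ur->rem_rung_list, ...)` fails, av_reallocp() has freed the list and set it to NULL, but `ur->rung_list_size` and `ur->avail_index` (both visible in the size test at the top of the hunk) keep their old values; if anything touches the rung list after the function returns 0 with err set, those should be reset as well, otherwise the inconsistent size invites a NULL dereference on the next call.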
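Review bot: in the epic_jb_decode_tile() hunk, `ff_els_decoder_uninit(&c->ec.unsigned_rung);` is added on the transparency-pixel error path only; if the function has other `return AVERROR_INVALIDDATA` exits after the ELS decoder is initialised (not shown here), they leak the same list, and a single cleanup label reached with `goto fail` would be more robust than a per-site call.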
[FFmpeg-cvslog] doc/APIchanges: Fix typos in hashes
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 16 18:23:12 2018 +0200| [f4e2ac296dac85bad5f42beb18bc29e39b51d29d] | committer: Michael Niedermayer doc/APIchanges: Fix typos in hashes Thanks-to: Moritz Barsnick for finding the correct ones Signed-off-by: Michael Niedermayer (cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4e2ac296dac85bad5f42beb18bc29e39b51d29d --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index b344e098c8..5522d18726 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -626,7 +626,7 @@ API changes, most recent first: Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. @@ -643,7 +643,7 @@ API changes, most recent first: 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h Add avio_feof() and deprecate url_feof(). -2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h +2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h sws_getContext is not going to be removed in the future. 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
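Review bot: the corrected entries use 10-character abbreviations (`afbd4b7e09`, `bb789016d4`) while the neighbouring entries in the same context (`5c3c671`, `a561662 / ad1ee5f`) use 7; unless the 7-character forms are ambiguous in the repository, `afbd4b7` and `bb78901` would keep the file consistent.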
[FFmpeg-cvslog] avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 16 22:28:23 2018 +0200| [bd6a181d5a4998d0eb54c67845d64b52b9a74dca] | committer: Michael Niedermayer avcodec/dsicinvideo: Propagate errors from cin_decode_rle() Signed-off-by: Michael Niedermayer (cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd6a181d5a4998d0eb54c67845d64b52b9a74dca --- libavcodec/dsicinvideo.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index f95cbc74a0..add7afa383 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c 
@@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: -cin_decode_rle(buf, bitmap_frame_size, +res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; break; case 34: -cin_decode_rle(buf, bitmap_frame_size, +res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); -cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, +res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); -cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, +res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
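Review bot: cases 35 and 36 check `res` from cin_decode_rle() but pass the return of `cin_decode_huffman(...)` straight in as `bitmap_frame_size` without a sign check; if cin_decode_huffman() can report an error (it is not shown here), that value should get the same `if (res < 0) return res;` treatment before it becomes the source size for the RLE pass. The four repeated `if (res < 0) return res;` blocks could also collapse into one check after the switch, since all four visible cases store into res.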
[FFmpeg-cvslog] swresample/arm: remove unintentional relocation.
ffmpeg | branch: release/3.3 | Rahul Chaudhry | Wed Apr 18 16:29:39 2018 -0700| [f322de901d2d76af952385cadbaf2181b7cc3986] | committer: Michael Niedermayer swresample/arm: remove unintentional relocation. Branch to global symbol results in reference to PLT, and when compiling for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't support this relocation (ld.gold), while others can end up truncating the relocation to fit (ld.bfd). Convert this branch through PLT into a direct branch that the assembler can resolve locally. See https://github.com/android-ndk/ndk/issues/337 for background. The current workaround is to disable neon during gstreamer build, which is not optimal and can be reverted after this patch: https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f Signed-off-by: Michael Niedermayer (cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f322de901d2d76af952385cadbaf2181b7cc3986 --- libswresample/arm/audio_convert_neon.S | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 1f88316dde..7729514701 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +_swri_oldapi_conv_flt_to_s16_neon: subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32q8, q0, #31 @@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! 
@@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] -blt X(swri_oldapi_conv_flt_to_s16_neon) -beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) +blt _swri_oldapi_conv_flt_to_s16_neon +beq _swri_oldapi_conv_fltp_to_s16_2ch_neon push{r4-r8, lr} cmp r3, #4 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
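Review bot: the added labels `_swri_oldapi_conv_flt_to_s16_neon:` and `_swri_oldapi_conv_fltp_to_s16_2ch_neon:` sit directly under `function ..., export=1`, and on Mach-O targets the `function` macro already emits the exported symbol with a leading underscore (EXTERN_ASM is `_` there), so does the bare `_name` label become a duplicate definition on those builds? A `.L`-prefixed local label, or whatever local-alias form asm.S provides, would avoid both the PLT reference the commit removes and the name clash. A comment on the `blt`/`beq` lines explaining why the `X()` wrapper is avoided would also help, since the commit message is the only place the R_ARM_THM_JUMP19 background is recorded.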
[FFmpeg-cvslog] avcodec/error_resilience: Fix integer overflow in filter181()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Apr 22 21:46:05 2018 +0200| [986747c9e25db3ac45bb4d8f6c73044080768b56] | committer: Michael Niedermayer avcodec/error_resilience: Fix integer overflow in filter181() Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=986747c9e25db3ac45bb4d8f6c73044080768b56 --- libavcodec/error_resilience.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5364940e94..d7f94c10c2 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; -dc = (dc * 10923 + 32768) >> 16; +dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; -dc = (dc * 10923 + 32768) >> 16; +dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
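Review bot: in the first hunk, the clip bounds are not matched to the arithmetic that follows: `INT_MAX/10923 - 32768` subtracts 32768 from the multiplier domain, i.e. 32768*10923 from the product, when only 32768 needs to be reserved for the `+ 32768` addend; `(INT_MAX - 32768) / 10923` is the tight upper bound. Because the result is stored into an int16_t anyway the over-tight clip changes nothing observable, but the expression as written looks like a miscalculation and deserves either the tight bound or a comment.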
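Review bot: in the second hunk the identical `av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768` expression is repeated for the vertical pass; a small static inline helper, or at least a named constant for 10923 and its clip bounds, would remove the duplication so the two passes cannot diverge.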
[FFmpeg-cvslog] avcodec/h263dec: Check slice_ret in mspeg4 slice loop
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Apr 22 21:07:45 2018 +0200| [69f861be42ecb07e1deac86757760ec36a8e7bef] | committer: Michael Niedermayer avcodec/h263dec: Check slice_ret in mspeg4 slice loop Fixes infinite loop Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000 Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69f861be42ecb07e1deac86757760ec36a8e7bef --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 077666470d..8491db0ed6 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -637,7 +637,7 @@ retry: slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { -if (s->slice_height == 0 || s->mb_x != 0 || +if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(&s->gb) < 0) break; } else { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
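Review bot: `slice_ret < 0` is added to the msmpeg4 break condition only; the `} else {` branch that follows for the non-msmpeg4 case is not shown, and if it loops on `s->mb_y` using the same `decode_slice()` result it is worth asking whether it needs the same guard, since this term is what prevents re-entering a slice after a failed decode. The now four-term condition would also read better with one term per line, which the existing `(s->mb_y % s->slice_height) != 0 ||` continuation already does.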
[FFmpeg-cvslog] avcodec/dfa: Check dimension against maximum
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 16 22:04:53 2018 +0200| [45f03502c93dc09e6f9410f601cea4b00c7827d4] | committer: Michael Niedermayer avcodec/dfa: Check dimension against maximum The headers from where the dimensions are read in actual files are limited to 16bit per component. Fixes: Timeout Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45f03502c93dc09e6f9410f601cea4b00c7827d4 --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 8067ac94e5..b8500a4995 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; -if (!avctx->width || !avctx->height) +if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16)) return AVERROR_INVALIDDATA; av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
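Review bot: `FFMAX(avctx->width, avctx->height) >= (1<<16)` returns AVERROR_INVALIDDATA with no message, so a user with an oversized but otherwise valid file gets an opaque failure; an av_log() at AV_LOG_ERROR stating the 16-bit limit, and a comment tying the limit to the container header width (the commit message's justification), would help. Placing the check before `av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0);` is correct, since that assert must never see the rejected values.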
[FFmpeg-cvslog] avcodec/g2meet: Check RGB upper limit
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Apr 27 20:16:13 2018 +0200| [d48738bd674f70131df4581936ef0125f1c26c5c] | committer: Michael Niedermayer avcodec/g2meet: Check RGB upper limit Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int' Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d48738bd674f70131df4581936ef0125f1c26c5c --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index e3f43bcf32..89d269751e 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } -if (R<0 || G<0 || B<0) { +if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
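Review bot: the extended range check `R > 255 || G > 255 || B > 255` is correct for 8-bit components, but the error path returns `0`, which is also a legitimate black pixel value, so the caller cannot tell a rejected prediction from a valid one; consider a dedicated error signal if callers are expected to stop decoding the block. The `av_log(NULL, AV_LOG_ERROR, ...)` also loses the codec context; passing the `AVCodecContext` would attach the message to the stream being decoded and let users control it per context.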
[FFmpeg-cvslog] avcodec/g2meet: Change order of operations to avoid undefined behavior
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 4 18:16:08 2018 +0200| [6315215e5c0b4052f66f5f0f4311acd2031fb43c] | committer: Michael Niedermayer avcodec/g2meet: Change order of operations to avoid undefined behavior Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int' Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6315215e5c0b4052f66f5f0f4311acd2031fb43c --- libavcodec/g2meet.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index b4adce03a2..e3f43bcf32 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -1356,14 +1356,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst+= x * 3; } -if (y < 0) { + +if (y < 0) h += y; +if (w < 0 || h < 0) +return; +if (y < 0) { cursor += -y * c->cursor_stride; } else { dst+= y * stride; } -if (w < 0 || h < 0) -return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
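Review bot: the reordering is correct but non-obvious: `h += y` must run before `if (w < 0 || h < 0) return;`, and that check must precede `cursor += -y * c->cursor_stride`, because a non-negative `h` after the adjustment is what bounds `-y` and keeps the product inside the cursor buffer (the `65280 * 196032` overflow from the commit message). Add a comment stating that dependency at the `if (w < 0 || h < 0)` line, otherwise a later tidy-up can move the check back and silently reintroduce the overflow.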
[FFmpeg-cvslog] avcodec/cinepak: move some checks prior to frame allocation
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Apr 17 02:13:42 2018 +0200| [4b0181dc009df6e8791417b6f7e7fd65bd284bf0] | committer: Michael Niedermayer avcodec/cinepak: move some checks prior to frame allocation Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4b0181dc009df6e8791417b6f7e7fd65bd284bf0 --- libavcodec/cinepak.c | 27 ++- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 89e940ae0d..ba0589582f 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s, return AVERROR_INVALIDDATA; } -static int cinepak_decode (CinepakContext *s) +static int cinepak_predecode_check (CinepakContext *s) { -const uint8_t *eod = (s->data + s->size); -int i, result, strip_size, frame_flags, num_strips; -int y0 = 0; +int num_strips; int encoded_buf_size; -frame_flags = s->data[0]; num_strips = AV_RB16 (&s->data[8]); encoded_buf_size = AV_RB24(&s->data[1]); @@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s) s->sega_film_skip_bytes = 0; } +if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12) +return AVERROR_INVALIDDATA; + +return 0; +} + +static int cinepak_decode (CinepakContext *s) +{ +const uint8_t *eod = (s->data + s->size); +int i, result, strip_size, frame_flags, num_strips; +int y0 = 0; + +frame_flags = s->data[0]; +num_strips = AV_RB16 (&s->data[8]); + s->data += 10 + s->sega_film_skip_bytes; num_strips = FFMIN(num_strips, MAX_STRIPS); 
@@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; +if ((ret = cinepak_predecode_check(s)) < 0) { +av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); +return ret; +} + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
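Review bot: `cinepak_predecode_check()` reads `s->data[1]` and `s->data[8]` without its own length check and depends on the `if (s->size < 10)` guard that precedes the new call in `cinepak_decode_frame()`; either add `if (s->size < 10) return AVERROR_INVALIDDATA;` at the top of the new function or document the precondition in a comment above it, so a future caller cannot invoke it on a shorter packet. Also, the new `10 + s->sega_film_skip_bytes + num_strips * 12` size check uses the raw 16-bit `num_strips`, while `cinepak_decode()` later clamps with `FFMIN(num_strips, MAX_STRIPS)`; the check is therefore stricter than what is decoded, which is fine for robustness but worth a comment if packets with more than `MAX_STRIPS` strips are expected to decode partially.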
[FFmpeg-cvslog] avcodec/vc1_block: simplify ac_val computation
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Apr 23 02:08:10 2018 +0200| [77121f6bff4dd08bffae2d9f94fc144636678100] | committer: Michael Niedermayer avcodec/vc1_block: simplify ac_val computation also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]' Found-by: durandal_1707 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=77121f6bff4dd08bffae2d9f94fc144636678100 --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index f9f26f7e42..b06ee9fce7 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
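Review bot: `s->ac_val[0][s->block_index[n]]` denotes the same address as `s->ac_val[0][0] + s->block_index[n] * 16` only because each element of `ac_val[0]` is a 16-entry `int16_t` row, so the change fixes the out-of-bounds indexing reported by the sanitizer (`index 1456 out of bounds for type 'int16_t [16]'`) without changing which memory is used; say so in a comment at one of the three sites. The identical expression appears in all three hunks (`vc1_decode_i_block`, `vc1_decode_i_block_adv`, `vc1_decode_intra_block`); a small inline helper would keep the copies from drifting apart, and the `ac_val -= 16` for left prediction that follows still assumes a valid row precedes `block_index[n]`, which deserves a note.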
[FFmpeg-cvslog] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 25 22:06:48 2018 +0200| [6d8859e23474181f291a7b030b1ea04d4fa9ed05] | committer: Michael Niedermayer avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int' Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d8859e23474181f291a7b030b1ea04d4fa9ed05 --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index b19a622403..e4152bea6a 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -385,7 +385,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x10) >> 37); -dest[group * 128 + k] += (tmp + round) >> shift; +dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
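Review bot: widening `round` to `int64_t` makes `tmp + round` a 64-bit addition, but the result of `>> shift` is then added to `dest[group * 128 + k]`, which is still `int`; whether that narrowing and the `+=` can overflow for the same class of input depends on `shift`, which is set outside the hunk, so a comment stating the guaranteed range (or an explicit bound before the cast back to `int`) would make the fix self-evidently complete rather than appearing to move the overflow one operation later.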
[FFmpeg-cvslog] avcodec/g723_1dec: Clip bits2 in both directions
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 25 21:56:04 2018 +0200| [45ce622f909354847bbbab9b650b2264d33f2d58] | committer: Michael Niedermayer avcodec/g723_1dec: Clip bits2 in both directions Fixes: shift exponent 33 is too large for 32-bit type 'int' Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 53f241218d9eac368e2e1c58bcca9bbdf10fd0e1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45ce622f909354847bbbab9b650b2264d33f2d58 --- libavcodec/g723_1dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c index aaa26c24ef..3522c91bd6 100644 --- a/libavcodec/g723_1dec.c +++ b/libavcodec/g723_1dec.c @@ -549,7 +549,7 @@ static void gain_scale(G723_1_Context *p, int16_t * buf, int energy) denom <<= bits2; bits2 = 5 + bits1 - bits2; -bits2 = FFMAX(0, bits2); +bits2 = av_clip_uintp2(bits2, 5); gain = (num >> 1) / (denom >> 16); gain = square_root(gain << 16 >> bits2); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
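Review bot: `av_clip_uintp2(bits2, 5)` silently clamps the shift amount to 0..31, so inputs that previously produced the sanitizer's "shift exponent 33" now yield a finite but possibly meaningless gain; add a comment explaining that 5 is chosen because `gain << 16 >> bits2` operates on a 32-bit `int`, and note whether such streams should be rejected instead. The `(num >> 1) / (denom >> 16)` division on the following line also deserves a check that `denom >> 16` cannot be zero for the same inputs; it is outside the change but on the same path.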
[FFmpeg-cvslog] oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri May 25 22:02:20 2018 +0200| [e95a0e261fe92d73130ed5c5cc6e01b4f96c6c53] | committer: Michael Niedermayer oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int' Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 62cb6fadf33de6db386deac92853d4b95c930015) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e95a0e261fe92d73130ed5c5cc6e01b4f96c6c53 --- libavcodec/aacpsdsp_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c index 0e532fcf84..8f72624559 100644 --- a/libavcodec/aacpsdsp_template.c +++ b/libavcodec/aacpsdsp_template.c @@ -180,10 +180,10 @@ static void ps_stereo_interpolate_ipdopd_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2], INTFLOAT h01 = h[0][1], h11 = h[1][1]; INTFLOAT h02 = h[0][2], h12 = h[1][2]; INTFLOAT h03 = h[0][3], h13 = h[1][3]; -INTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; -INTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; -INTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; -INTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; +UINTFLOAT hs00 = h_step[0][0], hs10 = h_step[1][0]; +UINTFLOAT hs01 = h_step[0][1], hs11 = h_step[1][1]; +UINTFLOAT hs02 = h_step[0][2], hs12 = h_step[1][2]; +UINTFLOAT hs03 = h_step[0][3], hs13 = h_step[1][3]; int n; for (n = 0; n < len; n++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
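Review bot: changing only the `hs0X` step variables to `UINTFLOAT` makes the per-sample accumulation wrap modulo 2^32 in the fixed-point build while the `h0X` accumulators stay `INTFLOAT`, so the `+=` in the loop body mixes signed and unsigned operands and relies on the unsigned-to-signed conversion on assignment; that is the intended wraparound, but it should be stated in a comment at the declarations. It is also worth confirming that `UINTFLOAT` is plain `float` in the floating-point instantiation of the template so that build is unaffected.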
[FFmpeg-cvslog] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon May 21 23:08:05 2018 +0200| [d1bac7f2a68e164385d7018f2c2562e0d219] | committer: Michael Niedermayer avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() Fixes truncation Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169 Fixes: ffmpeg_crash_2.avi Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d1bac7f2a68e164385d7018f2c2562e0d219 --- libavcodec/mpeg4videoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index 494452c938..f6a5992df7 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -882,7 +882,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { -int hours, minutes, seconds; +int64_t hours, minutes, seconds; int64_t time; put_bits(&s->pb, 16, 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
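Review bot: widening `hours`, `minutes`, `seconds` to `int64_t` stops the truncation in the intermediate arithmetic, but the `put_bits` assertion quoted in the commit message (`n <= 31 && value < (1U << n)`) concerns the value being written, and a large `time` will still produce an `hours` value that exceeds the GOP header field width; the values passed to `put_bits` after this hunk should be range-checked or clamped, or the encoder should reject timestamps that do not fit, rather than relying on the assertion not firing.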
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon May 14 00:10:33 2018 +0200| [8283586dce95cf66de744b35d37e5ea4b8c12405] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8283586dce95cf66de744b35d37e5ea4b8c12405 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 68ebd19560..994dc21d70 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -99,10 +99,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ -(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) +(int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ -(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) +(int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
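Review bot: the reordered macros look like a source-level no-op and are easy to "clean up" back to the original; the point is that `9U*b1` as the first operand makes the whole sum unsigned so `- b4 - b0` are unsigned subtractions, whereas the old `-b0 + ...` negated `b0` as a signed `int` first (the `negation of -2147483648` from the commit message). Add a comment above `COMPOSE_DD97iH0`/`COMPOSE_DD137iL0` recording that the operand order is deliberate.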
[FFmpeg-cvslog] avformat/mov: Only fail for STCO/STSC contradictions if both exist
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue May 15 17:07:00 2018 +0200| [c48ac14c067d1b41650df785499c657361a0590b] | committer: Michael Niedermayer avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Found-by: "Mattias Wadman Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c48ac14c067d1b41650df785499c657361a0590b --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 921db588ef..11526346be 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3758,7 +3758,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } -if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { +if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
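Review bot: gating the STSC/STCO contradiction check on `sc->chunk_count` means a track with an STSC table but no chunk offsets no longer fails here; confirm that the consumers of `stsc_data` further along in `mov_read_trak` and in the index builder handle `chunk_count == 0` without indexing the missing chunk table, otherwise the failure has only moved later. A short comment explaining that `chunk_count == 0` is a legitimate state (the regression fixed here) would also stop the next reader from re-adding the stricter check.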
[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 02:17:24 2018 +0200| [bb6d47cf35836640309cf933a3d6a4bf1eec3ced] | committer: Michael Niedermayer avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int' Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb6d47cf35836640309cf933a3d6a4bf1eec3ced --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index ab326b8e9a..5d3ccbea6d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -1012,7 +1012,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p return -1; left[i] = buffer[mb_x][i] = -mask & (pred + (dc * (1 << point_transform))); +mask & (pred + (unsigned)(dc * (1 << point_transform))); } if (s->restart_interval && !--s->restart_count) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
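Review bot: the `(unsigned)` cast is applied to the product `dc * (1 << point_transform)`, so it prevents the reported overflow in the addition `pred + ...`, but the multiplication itself is still evaluated in signed `int` and can overflow for large `dc` or `point_transform`; casting `dc` before multiplying (`(unsigned)dc * (1 << point_transform)`) would cover both cases.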
[FFmpeg-cvslog] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Jun 3 01:33:54 2018 +0200| [412872e6cbf6313bc8eeccb9f5978861c8f044a2] | committer: Michael Niedermayer avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int' Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=412872e6cbf6313bc8eeccb9f5978861c8f044a2 --- libavcodec/opus_silk.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index dbf6756864..ce8c3e507f 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -232,8 +232,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { -lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; -lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; +int32_t p_tmp = p[k + 1] + p[k]; +int32_t q_tmp = q[k + 1] - q[k]; +lpc32[k] = -q_tmp - p_tmp; +lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
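Review bot: the regrouping into `p_tmp` and `q_tmp` keeps every intermediate in `int32_t`, so it changes which sub-expression can overflow rather than ruling overflow out; since the commit message says this mirrors `silk/NLSF2A.c`, a comment stating the value range of `p[]`/`q[]` that makes `p[k + 1] + p[k]` and the final `-q_tmp - p_tmp` safe in 32 bits would make the fix reviewable without the reference code at hand.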
[FFmpeg-cvslog] avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 02:09:59 2018 +0200| [0f1e6771d03c4f5b998bced9c8dfc8cf4180a999] | committer: Michael Niedermayer avcodec/truemotion2: Fix overflow in tm2_apply_deltas() Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int' Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0f1e6771d03c4f5b998bced9c8dfc8cf4180a999 --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f7dbe047c7..b689efdb99 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -451,7 +451,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { -int ct, d; +unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
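Review bot: changing `ct` and `d` from `int` to `unsigned` turns every comparison and division on them in the loop body (not shown in the hunk) into unsigned operations, and the final store into the `int *Y` block converts back implicitly; since deltas are signed quantities, check the body for any `<`, `>` or `/` on `ct`/`d`, and add a comment at the declaration that the unsigned type is there only to make the additions wrap instead of overflow.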
[FFmpeg-cvslog] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon May 21 03:16:58 2018 +0200| [9ecb1998b034cf53bf3812eb1d3427cb82e41a21] | committer: Michael Niedermayer avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() Fixes: #7165 Signed-off-by: Michael Niedermayer (cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9ecb1998b034cf53bf3812eb1d3427cb82e41a21 --- libavformat/mov.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c4d3863de9..66fce34f3a 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -2440,14 +2440,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stsc_count = i; for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { +int64_t first_min = i + 1; if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || -sc->stsc_data[i].first < 1 || +sc->stsc_data[i].first < first_min || sc->stsc_data[i].count < 1 || sc->stsc_data[i].id < 1) { av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); -if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) -return AVERROR_INVALIDDATA; +if (i+1 >= sc->stsc_count) { +sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); +if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) +sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); +sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); +sc->stsc_data[i].id= FFMAX(sc->stsc_data[i].id, 1); +continue; +} +av_assert0(sc->stsc_data[i+1].first >= 2); // We replace this entry by the next valid sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].count = sc->stsc_data[i+1].count; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
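Review bot: `av_assert0(sc->stsc_data[i+1].first >= 2)` replaces an `AVERROR_INVALIDDATA` return with an abort on file-derived data; it holds only because the loop runs downward and entry `i+1` has already been normalised to `first >= (i+1)+1`, which is an invariant of this loop rather than of the input. Write that invariant in a comment next to the assert so a later change to the loop direction or to the fixup branch does not turn a malformed file into a crash. Also, in the `i+1 >= sc->stsc_count` branch the repaired entry is accepted after the warning without saying what was substituted; logging the clipped `first`/`count`/`id` would make the repair visible when debugging playback of such files.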
[FFmpeg-cvslog] avcodec/mlpdec: Only change noise_type if the related fields are valid
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu May 17 13:58:46 2018 +0200| [fdab123c031250742ea84c188999a855baa4bf30] | committer: Michael Niedermayer avcodec/mlpdec: Only change noise_type if the related fields are valid Fixes: inconsistency Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]' Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fdab123c031250742ea84c188999a855baa4bf30 --- libavcodec/mlpdec.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index f60f14cc71..c50dc73e25 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); -int min_channel, max_channel, max_matrix_channel; +int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } -s->noise_type = get_bits1(gbp); +noise_type = get_bits1(gbp); -if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { +if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } 
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ -if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { +if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel= min_channel; s->max_channel= max_channel; s->max_matrix_channel = max_matrix_channel; +s->noise_type = noise_type; if (m->avctx->request_channel_layout && (s->ch_layout & m->avctx->request_channel_layout) == m->avctx->request_channel_layout && m->max_decoded_substream > substr) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
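Review bot: the store `s->noise_type = noise_type;` in the last hunk moves the commit of the parsed value to after all validation, alongside `min_channel`/`max_channel`; any remaining use of `s->noise_type` between the `get_bits1(gbp)` read and that store (beyond the three sites rewritten in these hunks) would now see the previous substream's value, so the rest of `read_restart_header` should be checked for such uses. A comment at the declaration of the local `noise_type` explaining why it is not written to `s` immediately would keep the pattern from being undone.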
[FFmpeg-cvslog] avcodec/fic: Check available input space for cursor
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat May 5 22:00:01 2018 +0200| [38fd80c656b4550ac6a7aef0bf3d83027784226f] | committer: Michael Niedermayer avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38fd80c656b4550ac6a7aef0bf3d83027784226f --- libavcodec/fic.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 8691d49932..b7e0da6ce9 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -333,6 +333,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } +if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { +skip_cursor = 1; +} + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
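Review bot: the new guard `avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)` compares a signed `int` against a `size_t`, which is safe here because `avpkt->size` is non-negative, but it sets `skip_cursor = 1` without any log, so a truncated packet that previously read out of bounds now silently loses its cursor; an `av_log(avctx, AV_LOG_DEBUG, ...)` in the branch would make the condition observable when diagnosing such inputs.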
[FFmpeg-cvslog] avcodec/xwddec: Use ff_set_dimensions()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Jun 8 00:42:31 2018 +0200| [a16a4fefb6d1dee75d329012c0e3ecaa7769ebd6] | committer: Michael Niedermayer avcodec/xwddec: Use ff_set_dimensions() Fixes: OOM Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a16a4fefb6d1dee75d329012c0e3ecaa7769ebd6 --- libavcodec/xwddec.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c index 8b0845fc01..25c64e0e14 100644 --- a/libavcodec/xwddec.c +++ b/libavcodec/xwddec.c @@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, uint32_t pixformat, pixdepth, bunit, bitorder, bpad; uint32_t rgb[3]; uint8_t *ptr; +int width, height; GetByteContext gb; if (buf_size < XWD_HEADER_SIZE) @@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, pixformat = bytestream2_get_be32u(&gb); pixdepth = bytestream2_get_be32u(&gb); -avctx->width = bytestream2_get_be32u(&gb); -avctx->height = bytestream2_get_be32u(&gb); +width = bytestream2_get_be32u(&gb); +height= bytestream2_get_be32u(&gb); xoffset = bytestream2_get_be32u(&gb); be= bytestream2_get_be32u(&gb); bunit = bytestream2_get_be32u(&gb); 
@@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data, ncolors = bytestream2_get_be32u(&gb); bytestream2_skipu(&gb, header_size - (XWD_HEADER_SIZE - 20)); +if ((ret = ff_set_dimensions(avctx, width, height)) < 0) +return ret; + av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
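Review bot: `width`/`height` are declared `int` but filled from `bytestream2_get_be32u()`, so values above `INT_MAX` wrap negative before `ff_set_dimensions()` sees them; that is still rejected, but a comment (or unsigned locals checked before the call) would make the intent explicit. Minor style: `height= bytestream2_get_be32u(&gb);` is missing the space before `=` that the surrounding assignments use.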
[FFmpeg-cvslog] avcodec/shorten: Fix undefined shift in fix_bitshift()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 13:15:34 2018 +0200| [c2d16aafbb1527d4b47ecfad659a381c22a017ba] | committer: Michael Niedermayer avcodec/shorten: Fix undefined shift in fix_bitshift() Fixes: left shift of negative value -9 Fixes: 8571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5715966875926528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 606c7148231404544005c0827b83c165dd6b39a8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2d16aafbb1527d4b47ecfad659a381c22a017ba --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5f4e5ed9bc..5a14e8e5bf 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) -buffer[i] <<= s->bitshift; +buffer[i] *= 1 << s->bitshift; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
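Review bot: `buffer[i] *= 1 << s->bitshift;` removes the undefined left shift of a negative value, but `1 << s->bitshift` is itself undefined for `bitshift >= 31` and the multiplication can still overflow `int32_t` for large samples; check where `s->bitshift` is parsed that it is bounded, and state that bound in a comment here, so the fix does not merely trade one sanitizer report for another.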
[FFmpeg-cvslog] avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 02:33:43 2018 +0200| [8da3d6916316588ad7c1f6d66e4133b51af9ea94] | committer: Michael Niedermayer avcodec/shorten: Check non COMM chunk len before skip in decode_aiff_header() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8024/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5109204648984576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 424a81df107b63a166894a4aee3d27702ae3f459) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8da3d6916316588ad7c1f6d66e4133b51af9ea94 --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 3b0fa272e7..7157bb0cae 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -234,11 +234,11 @@ static int decode_aiff_header(AVCodecContext *avctx, const uint8_t *header, while (bytestream2_get_le32(&gb) != MKTAG('C', 'O', 'M', 'M')) { len = bytestream2_get_be32(&gb); -bytestream2_skip(&gb, len + (len & 1)); -if (len < 0 || bytestream2_get_bytes_left(&gb) < 18) { +if (len < 0 || bytestream2_get_bytes_left(&gb) < 18LL + len + (len&1)) { av_log(avctx, AV_LOG_ERROR, "no COMM chunk found\n"); return AVERROR_INVALIDDATA; } +bytestream2_skip(&gb, len + (len & 1)); } len = bytestream2_get_be32(&gb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
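Review bot: moving the length check ahead of `bytestream2_skip()` and widening with `18LL + len + (len&1)` is the right shape, but the message `"no COMM chunk found"` is now also emitted when a chunk's declared `len` simply exceeds the remaining bytes, which is a different failure; a separate message for the oversized-chunk case would make corrupt inputs easier to diagnose. The `18` was already in the old check and is still unexplained; a comment saying what it stands for belongs next to it.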
[FFmpeg-cvslog] avcodec/shorten: Sanity check nmeans
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 13:03:48 2018 +0200| [f51163b1666e0d43fc94ac839e80f044ecb8b7c5] | committer: Michael Niedermayer avcodec/shorten: Sanity check nmeans Fixes: OOM Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232 The reference software appears to use longs for 32bits and it uses int for nmeans hinting that the intended maximum size was not 32bit. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f51163b1666e0d43fc94ac839e80f044ecb8b7c5 --- libavcodec/shorten.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 7157bb0cae..0c29275df2 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -450,6 +450,10 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); +if (s->nmean > 32768U) { +av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); +return AVERROR_INVALIDDATA; +} skip_bytes = get_uint(s, NSKIPSIZE); if ((unsigned)skip_bytes > get_bits_left(&s->gb)/8) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
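Review bot: the new check compares `s->nmean` against `32768U` but logs it with `%d`; if `nmean` is unsigned the format should be `%u`, and if it is signed the unsigned comparison also rejects negative values, which is the desired effect but not obvious from `> 32768U`, so say so in a comment. The limit is justified in the commit message by the reference implementation rather than by the format; recording that rationale next to the check would keep the number from looking arbitrary. Placing the check immediately after `get_uint` and before `skip_bytes` is read looks correct, provided no allocation depending on `nmean` happens between the two in code outside the hunk.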
[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Jun 3 00:48:06 2018 +0200| [6577ae7119ebf326a1af25fb90c1afde74602633] | committer: Michael Niedermayer avcodec/amrwbdec: Fix division by 0 in find_hb_gain() This restructures the code slightly toward D_UTIL_dec_synthesis() Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6577ae7119ebf326a1af25fb90c1afde74602633 --- libavcodec/amrwbdec.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index 7f2874d35f..47fe7eb55e 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -862,15 +862,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; +float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); -tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); +tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + +if (tmp > 0) { +tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); +} else +tilt = 0; /* return gain bounded by [0.1, 1.0] */ -return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); +return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
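Review bot: `tilt` can still be NaN when `synth` holds non-finite values (Inf / Inf after `tmp > 0` passes), and `av_clipf` passes NaN through, so the "gain bounded by [0.1, 1.0]" comment is not guaranteed for corrupt streams; an `isfinite(tilt)` test or clamping `tmp` before the division would close that gap. For finite data the change is correct: a positive `dot_productf(synth, synth + 1, ...)` implies a nonzero sample and hence a nonzero `dot_productf(synth, synth, ...)`, and dropping `FFMAX(0.0, tilt)` is safe because `tilt` is now either 0 or positive. Style: the braced `if` followed by an unbraced `else tilt = 0;` is inconsistent; brace both.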
[FFmpeg-cvslog] avcodec/wavpack: Fix overflow in adding tail
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Jun 8 00:07:04 2018 +0200| [719931c036e7ace5bd0cf4f4027648f196e3f06e] | committer: Michael Niedermayer avcodec/wavpack: Fix overflow in adding tail Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int' Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=719931c036e7ace5bd0cf4f4027648f196e3f06e --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index e0440959ff..2427962a92 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
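Review bot: only the prototype changes; the body still declares `int p, e, res;`, so the value is computed in signed arithmetic and converted to `unsigned` on return. That fixes the report only if the overflowing addition (2146907204 + 26846088) is at the call site, where `int + unsigned` now wraps; if it is inside `get_tail`, this hunk does not cover it. Please confirm which site the sanitizer pointed at, and add a short comment at the caller explaining that the unsigned return and the implicit conversion back to `int` are deliberate, so the next cleanup does not revert them.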
[FFmpeg-cvslog] indeo4: Decode all or nothing of a band header.
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu May 17 13:40:38 2018 +0200| [b0207c5b2a82cc9a7c80640977a004053e2d6ecf] | committer: Michael Niedermayer indeo4: Decode all or nothing of a band header. This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10c8521265da86118597336c5589e26de377a374) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0207c5b2a82cc9a7c80640977a004053e2d6ecf --- libavcodec/indeo4.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 85d5fa3e7a..5809052cf8 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @returnresult code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; +IVIBandDesc temp_band, *band = &temp_band; +memcpy(&temp_band, arg_band, sizeof(temp_band)); plane= get_bits(&ctx->gb, 2); band_num = get_bits(&ctx->gb, 4); 
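Review bot: every use of `band` below this hunk now refers to the stack copy `temp_band`, so any code in the rest of `decode_band_hdr` that stores the address of a `band` member (or `band` itself) into `ctx` or another long-lived structure would leave a dangling pointer once the function returns; the function body is outside the hunk and needs checking for that. A comment at `IVIBandDesc temp_band, *band = &temp_band;` saying the copy is committed back to `arg_band` at the end would also help readers who see the `memcpy(&temp_band, arg_band, sizeof(temp_band));` without its counterpart in view.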
@@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(&ctx->gb)) -band->blk_vlc.tab = ctx->blk_vlc.tab; +arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF, - &band->blk_vlc, avctx)) + &arg_band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } +band->blk_vlc = arg_band->blk_vlc; +memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
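Review bot: an error return between the `ff_ivi_dec_huff_desc(..., &arg_band->blk_vlc, avctx)` call and the final `memcpy(arg_band, band, sizeof(*arg_band));` leaves `arg_band` with a new `blk_vlc` and the old values of everything else, so the "all or nothing" property holds for the scalar header fields only; the commit message should say that, and a comment should explain why the VLC table is written to the real band (presumably because the table storage is owned by it). The `band->blk_vlc = arg_band->blk_vlc;` line before the struct copy is correct today but easy to break if another member later acquires pointer or ownership semantics; a comment listing which members must be copied back from `arg_band` keeps that in sync.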
[FFmpeg-cvslog] avcodec/g2meet: ask for sample with overflowing RGB
ffmpeg | branch: release/3.3 | Michael Niedermayer | Wed May 16 22:50:19 2018 +0200| [3be0bcbef6aa9b8b77766ce1e4f7320b1d33b2d7] | committer: Michael Niedermayer avcodec/g2meet: ask for sample with overflowing RGB Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3be0bcbef6aa9b8b77766ce1e4f7320b1d33b2d7 --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 89d269751e..8bf04b3d49 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -557,7 +557,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, } if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { -av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); +avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
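Review bot: drop the trailing `\n` in the format string; `avpriv_request_sample` appends its own standard sentence and newline, so "RGB %d %d %d is out of range\n" produces a message split across two lines. Passing `NULL` as the context also loses the decoder's log prefix; if the ePIC context can reach the AVCodecContext, pass it so the request is attributable to the stream. Note that the function still returns 0 on this path, so an out-of-range prediction yields pixel value 0 rather than an error; that is acceptable but deserves a comment next to the `return 0;`.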
[FFmpeg-cvslog] avcodec/shorten: Fix a negative left shift in shorten_decode_frame()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 13:12:54 2018 +0200| [b7134d7fb679df78069648d0fb7bc54a59f9f557] | committer: Michael Niedermayer avcodec/shorten: Fix a negative left shift in shorten_decode_frame() Fixes: left shift of negative value -9057 Fixes: 8527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5666853924896768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a711efe922b2bf1d363bdf7f8357656c3e35021e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b7134d7fb679df78069648d0fb7bc54a59f9f557 --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 0c29275df2..5f4e5ed9bc 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -706,7 +706,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, if (s->version < 2) s->offset[channel][s->nmean - 1] = sum / s->blocksize; else -s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) << s->bitshift; +s->offset[channel][s->nmean - 1] = s->bitshift == 32 ? 0 : (sum / s->blocksize) * (1 << s->bitshift); } /* copy wrap samples for use with next block */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
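Review bot: `1 << s->bitshift` is undefined for bitshift == 31, and `(sum / s->blocksize) * (1 << s->bitshift)` can still overflow `int`, so only the bitshift == 32 case handled by the ternary is fully covered. `1U << s->bitshift`, or `(int64_t)1 << s->bitshift` given that `sum` is widened to `int64_t` by the later overflow fix for this file, makes the whole expression well defined. The result is then stored into `s->offset[channel][...]`, which silently truncates large means; if that is intended for out-of-range input, a one-line comment will save the next sanitizer triage.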
[FFmpeg-cvslog] avcodec/fic: Avoid some magic numbers related to cursors
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sat May 5 23:42:36 2018 +0200| [05e253684ebc2985b0c4662a9f86e4475c20a5e4] | committer: Michael Niedermayer avcodec/fic: Avoid some magic numbers related to cursors Signed-off-by: Michael Niedermayer (cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=05e253684ebc2985b0c4662a9f86e4475c20a5e4 --- libavcodec/fic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index b7e0da6ce9..e1b72b9448 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -82,6 +82,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -416,7 +417,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { -memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); +memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
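Review bot: `sizeof(ctx->cursor_buf)` is only equivalent to the old `32 * 32 * 4` if `cursor_buf` is declared as an array inside the context; if it is a pointer the `memcpy` silently shrinks to `sizeof(void *)`. The declaration is outside the hunk, so please confirm, and consider a `CURSOR_SIZE` define beside `CURSOR_OFFSET` so the relationship between the 59-byte offset and the 4096-byte cursor is visible here. The read of `sizeof(ctx->cursor_buf)` bytes from `src + CURSOR_OFFSET` must also already be covered by whatever sets `skip_cursor` for short packets; that check is not shown either.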
[FFmpeg-cvslog] avformat/mov: Only set pkt->duration to non negative values
ffmpeg | branch: release/3.3 | Michael Niedermayer | Wed May 16 23:35:58 2018 +0200| [98f10ca12ccc1accafbf26d9eeb6e7c91bd650eb] | committer: Michael Niedermayer avformat/mov: Only set pkt->duration to non negative values Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=98f10ca12ccc1accafbf26d9eeb6e7c91bd650eb --- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 66fce34f3a..f6db8a47b7 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6384,7 +6384,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt) } else { int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration; -pkt->duration = next_dts - pkt->dts; + +if (next_dts >= pkt->dts) +pkt->duration = next_dts - pkt->dts; pkt->pts = pkt->dts; } if (st->discard == AVDISCARD_ALL) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
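Review bot: the `else` case is silent: when `next_dts < pkt->dts` nothing is logged and `pkt->duration` keeps whatever it already held, so the non-monotonic index that caused the negative duration leaves no trace. That condition usually means index entries out of timestamp order (edit lists, a broken `stts`), so an `av_log` at debug or verbose level would make it diagnosable instead of quietly producing zero-duration packets. The `>=` also allows a zero duration when two consecutive entries share a timestamp, which is then indistinguishable from "unknown"; if that is intended, a comment would help.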
[FFmpeg-cvslog] avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Jun 10 17:02:47 2018 +0200| [f4f9bd655d4254d3c9ef093efff1afbaeefbb219] | committer: Michael Niedermayer avcodec/h264_ps: Move MAX_LOG2_MAX_FRAME_NUM to header so it can be used in h264_sei Signed-off-by: Michael Niedermayer (cherry picked from commit b796c5ae9299c795cba0d16ce1d8eef05488953b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f4f9bd655d4254d3c9ef093efff1afbaeefbb219 --- libavcodec/h264_ps.c | 1 - libavcodec/h264_ps.h | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c index 7e66ed7224..6affaaf917 100644 --- a/libavcodec/h264_ps.c +++ b/libavcodec/h264_ps.c @@ -35,7 +35,6 @@ #include "h264_ps.h" #include "golomb.h" -#define MAX_LOG2_MAX_FRAME_NUM(12 + 4) #define MIN_LOG2_MAX_FRAME_NUM4 #define EXTENDED_SAR 255 diff --git a/libavcodec/h264_ps.h b/libavcodec/h264_ps.h index 51b6694b5f..e967b9cbcf 100644 --- a/libavcodec/h264_ps.h +++ b/libavcodec/h264_ps.h @@ -36,6 +36,7 @@ #define MAX_SPS_COUNT 32 #define MAX_PPS_COUNT 256 +#define MAX_LOG2_MAX_FRAME_NUM(12 + 4) /** * Sequence parameter set ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
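Review bot: `MIN_LOG2_MAX_FRAME_NUM` stays behind in h264_ps.c while its counterpart moves to h264_ps.h; move the pair together, next to `MAX_SPS_COUNT` and `MAX_PPS_COUNT` where the header already groups such limits, so h264_ps and h264_sei share one definition of both bounds. The message says the move exists so h264_sei can use the macro, but no h264_sei change is part of this backport batch; please confirm that the consumer was also cherry-picked to release/3.3, otherwise the move is a no-op on this branch.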
[FFmpeg-cvslog] avcodec/shorten: Fix multiple integer overflows
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Jun 5 13:19:35 2018 +0200| [3f66c3386c2466c13562b8b0ac3943dac22bbfa1] | committer: Michael Niedermayer avcodec/shorten: Fix multiple integer overflows Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int' Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f66c3386c2466c13562b8b0ac3943dac22bbfa1 --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5a14e8e5bf..42d91a4636 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -389,7 +389,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) -sum += coeffs[j] * s->decoded[channel][i - j - 1]; +sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(&s->gb, residual_size) + (sum >> qshift); } @@ -696,7 +696,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { -int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; +int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
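Review bot: both hunks accept wraparound or truncation without saying so. In the `decode_subframe_lpc` hunk, `coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]` makes the product wrap, but `sum` is then converted back to a signed value and right-shifted (`sum >> qshift`); the conversion and the shift of a possibly negative `int` are implementation-defined rather than undefined, which is the usual FFmpeg trade-off, so a comment stating that garbage-in gives garbage-out here is warranted. In the `shorten_decode_frame` hunk, widening `sum` to `int64_t` fixes the accumulation; `sum / s->blocksize` relies on `blocksize` having been checked non-zero earlier, and the mean is later narrowed into the `s->offset` array, which truncates silently for large values. Neither is wrong, but both deserve a line in the code.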
[FFmpeg-cvslog] avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue May 15 17:06:59 2018 +0200| [aa50d67cc7d07278ce39d395871bc6a0dc7cfe32] | committer: Michael Niedermayer avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aa50d67cc7d07278ce39d395871bc6a0dc7cfe32 --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 11526346be..c4d3863de9 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3516,6 +3516,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; +if (!sc->chunk_count) +return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
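Review bot: the early `return` skips everything after it in this branch of `mov_build_index`, so any state the branch initialises later (index entry arrays, per-stream counters, duration fixups) is left untouched for a zero-chunk track; only the first lines of the branch are visible, so please confirm nothing further down is required for such a track. Since the message says "No testcase known", a comment naming the computation that would overflow (from the visible context, the `total` accumulation over the `stsc` entries) would make the early return understandable without the commit history.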
[FFmpeg-cvslog] fftools/ffmpeg: Fallback to duration if sample rate is unavailable
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue May 1 22:44:07 2018 +0200| [b5d51d23a068f7511662acd363b39d2f922dff0e] | committer: Michael Niedermayer fftools/ffmpeg: Fallback to duration if sample rate is unavailable Regression since: af1761f7 Fixes: Division by 0 Fixes: ffmpeg_crash_1 Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b5d51d23a068f7511662acd363b39d2f922dff0e --- ffmpeg.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ffmpeg.c b/ffmpeg.c index 4b4dae47fe..eb0f8b7c9c 100644 --- a/ffmpeg.c +++ b/ffmpeg.c @@ -2725,8 +2725,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt, int no_eo ist->dts = ist->next_dts; switch (ist->dec_ctx->codec_type) { case AVMEDIA_TYPE_AUDIO: -ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / - ist->dec_ctx->sample_rate; +if (ist->dec_ctx->sample_rate) { +ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) / + ist->dec_ctx->sample_rate; +} else { +ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q); +} break; case AVMEDIA_TYPE_VIDEO: if (ist->framerate.num) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
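Review bot: the fallback `av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q)` dereferences `pkt`, and `process_input_packet` is also called with a NULL packet at end of stream; the guard for this branch is not in the hunk, so make sure the stream-copy path is only entered with a non-NULL `pkt`, or the division-by-zero fix becomes a NULL dereference at flush. When `pkt->duration` is 0 (unknown), `next_dts` does not advance at all and the DTS stalls silently; logging that once at debug level would help users diagnose stream-copy timestamp problems.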
[FFmpeg-cvslog] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Jun 21 22:48:54 2018 +0200| [4fb69a60f6c0bdb335c2e86a2f1d2a8bd147ead6] | committer: Michael Niedermayer avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4fb69a60f6c0bdb335c2e86a2f1d2a8bd147ead6 --- libavcodec/mjpegdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 5d3ccbea6d..e944e29a7a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -989,6 +989,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p for (mb_x = 0; mb_x < s->mb_width; mb_x++) { int modified_predictor = predictor; +if (get_bits_left(&s->gb) < 1) { +av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n"); +return AVERROR_INVALIDDATA; +} + if (s->restart_interval && !s->restart_count){ s->restart_count = s->restart_interval; resync_mb_x = mb_x; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
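Review bot: `get_bits_left(&s->gb) < 1` is a weak bound: a macroblock in this loop reads `nb_components` Huffman codes plus residual bits, so the reader can still run past the end inside the same iteration and return zero bits for the remaining components. That is enough to cure the timeout, but checking for at least `nb_components` bits, or re-checking after the component loop, would make the error fire at the real truncation point. The message "bitstream end in rgb_scan" would also be easier to grep if it named the function, `ljpeg_decode_rgb_scan`.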
[FFmpeg-cvslog] avutil/common: Fix undefined behavior in av_clip_uintp2_c()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Jun 14 15:41:33 2018 +0200| [96cf8a9cf993db44007dd438edbbbdf69279943e] | committer: Michael Niedermayer avutil/common: Fix undefined behavior in av_clip_uintp2_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96cf8a9cf993db44007dd438edbbbdf69279943e --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 53e43feb3a..58ead80514 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -228,7 +228,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { -if (a & ~((1<> 31 & ((1<> 31 & ((1
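Review bot: the hunk is garbled in this archive copy: the `<<` operators and the remainder of both the removed and the added line were lost in extraction (only `>> 31 & ((1` survives on each, and the list footer is missing), so the change cannot be reviewed from these lines; review it at the commit URL above. The point to check there is that replacing the negation of `a` (undefined for INT_MIN per the message) must keep the sign-extraction semantics of the visible `>> 31` mask for every input, and that whatever is now shifted right by 31 is either unsigned or documented as relying on implementation-defined arithmetic shift.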
[FFmpeg-cvslog] avcodec/h264_mc_template: Only prefetch motion if the list is used.
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Jun 8 18:25:14 2018 +0200| [5f771a74b23f83edbcc6f0cae79e458ac7931e1e] | committer: Michael Niedermayer avcodec/h264_mc_template: Only prefetch motion if the list is used. Fixes: index 59 out of bounds for type 'H264Ref [48]' Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5f771a74b23f83edbcc6f0cae79e458ac7931e1e --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index 58c05044c1..d02e2bf580 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); -prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); +if (USES_LIST(mb_type, 0)) +prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
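Review bot: the guard is added for list 0 only; if the function also prefetches for list 1 further down (outside the hunk), that call needs the matching `USES_LIST(mb_type, 1)` check or the same out-of-bounds `ref_list` read (index 59 of 48 in the report) remains reachable. Because `prefetch_motion` only issues cache hints, the read was harmless in practice, but it is still an out-of-bounds access that ASan and UBSan flag; a comment on the `if (USES_LIST(mb_type, 0))` line explaining that would stop someone removing the branch for speed.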
[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in ff_eval_refl()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Jun 21 23:08:32 2018 +0200| [eedde18f1a8f5cb32883d0bf529f400b82d80d1c] | committer: Michael Niedermayer avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eedde18f1a8f5cb32883d0bf529f400b82d80d1c --- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index c077b7b327..cf8127c236 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx) b = 0x100 / b; for (j=0; j <= i; j++) { #if CONFIG_FTRAPV -int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12); +int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12); if((int)(a*(unsigned)b) != a*(int64_t)b) return 1; #endif -bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12; +bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12; } if ((unsigned) bp1[i] + 0x1000 > 0x1fff) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
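Review bot: the same expression `(int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12` is now written out twice, once inside `#if CONFIG_FTRAPV` and once on the production line; hoist it into a local (`int t = (int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12;`) so the trapping check and the real computation cannot drift apart. The idiom itself relies on converting an out-of-range unsigned value to `int` and on right-shifting a possibly negative `int`, both implementation-defined rather than undefined; that is accepted FFmpeg practice, but since `ff_eval_refl` carries the `ff_` prefix and is called from outside this file, a comment at the first use saying wraparound is intentional is worthwhile.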
[FFmpeg-cvslog] avcodec/escape124: Fix spelling errors in comment
ffmpeg | branch: release/3.3 | Michael Niedermayer | Wed Jun 27 13:00:28 2018 +0200| [228c05ee547d99e7aae5c895172d99581b03eed9] | committer: Michael Niedermayer avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=228c05ee547d99e7aae5c895172d99581b03eed9 --- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index 186f0cb8af..26fa2da5e8 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -222,8 +222,8 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. // Check if the amount we will read minimally is available on input. -// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 -// represent a lower bound of the space needed for skiped superblocks. Non +// The 64 represent the immediately next 2 frame_* elements read, the 23/4320 +// represent a lower bound of the space needed for skipped superblocks. Non // skipped SBs need more space. if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
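Review bot: the same comment still has agreement errors after the spelling fix: "The 64 represent" and "the 23/4320 represent" should read "represents", and "Non skipped SBs" reads better as "Non-skipped SBs". Since the comment documents a security-relevant lower bound (the `get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320` check guarding the superblock loop), it is worth making it fully readable in one pass.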
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix undefined behavior in interleave()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Jun 14 16:37:32 2018 +0200| [c66723ec498019ab14139905d0b5f0c9af6e377b] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix undefined behavior in interleave() Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 575d8ca0260fabac29e5b3541154633569ce2b5d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c66723ec498019ab14139905d0b5f0c9af6e377b --- libavcodec/dirac_dwt_template.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index 8c25c1f822..528fc7e9e7 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -57,8 +57,8 @@ static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src { int i; for (i = 0; i < w2; i++) { -dst[2*i ] = (src0[i] + add) >> shift; -dst[2*i+1] = (src1[i] + add) >> shift; +dst[2*i ] = (src0[i] + (unsigned)add) >> shift; +dst[2*i+1] = (src1[i] + (unsigned)add) >> shift; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
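Review bot: the `unsigned` cast turns the following `>> shift` from an arithmetic shift on a signed `int` into a logical shift on an `unsigned`. For the `int16_t` instantiation of this template the truncation to 16 bits hides the difference while `shift` is small, but for the `int32_t` instantiation a negative `src0[i] + add` with `shift > 0` now yields a large positive value instead of the rounded-down negative one, which is a behaviour change in the high-bit-depth path. The form used elsewhere in this batch, `(int)(src0[i] + (unsigned)add) >> shift` (see the ra144 change), keeps the wraparound defined while preserving the arithmetic shift; please use that, or add a FATE reference that covers negative coefficients above 8-bit depth.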
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Thu Jun 14 16:41:49 2018 +0200| [516f8dbc58a2777b23065e83157f8462d00600dd] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int' Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=516f8dbc58a2777b23065e83157f8462d00600dd --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index e4152bea6a..c92f873335 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -434,7 +434,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, else { for (i = 0; i < len; i++) { tmp = (int)(((int64_t)src[i] * c + (int64_t)0x10) >> 37); - dest[i] += tmp * (1 << shift); + dest[i] += tmp * (1U << shift); } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
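Review bot: `1U << shift` is well defined only for `shift < 32`, and the bound on `shift` is not in the hunk; please confirm it. The rest is the standard idiom: `tmp * (1U << shift)` wraps instead of overflowing, and `dest[i] += ...` converts the unsigned sum back to `int`. Note that the preceding `(int)(((int64_t)src[i] * c + (int64_t)0x10) >> 37)` is still a potentially lossy narrowing for extreme products, so clang's implicit-conversion sanitizer may keep flagging this line even though the undefined behaviour is gone; a comment saying the truncation is accepted would pre-empt a second report.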
[FFmpeg-cvslog] avcodec/h264_parser: Reduce needed history for parsing mb index
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Jun 22 21:45:59 2018 +0200| [76c4838a11a61fb0cfed5defff7e683f64068692] | committer: Michael Niedermayer avcodec/h264_parser: Reduce needed history for parsing mb index This fixes a bug/regression with very small packets Fixes: output_file Regression since: 0782fb6bcb32fe3ab956a99af4cc472ff81da0c2 Reported-by: Thierry Foucu Signed-off-by: Michael Niedermayer (cherry picked from commit d25c945247979a88fac6bb3b7a26370262b96ef1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76c4838a11a61fb0cfed5defff7e683f64068692 --- libavcodec/h264_parser.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c index 2564c6c6c3..74961ddcda 100644 --- a/libavcodec/h264_parser.c +++ b/libavcodec/h264_parser.c @@ -121,20 +121,23 @@ static int h264_find_frame_end(H264ParseContext *p, const uint8_t *buf, } state = 7; } else { +unsigned int mb, last_mb = p->parse_last_mb; +GetBitContext gb; p->parse_history[p->parse_history_count++] = buf[i]; -if (p->parse_history_count > 5) { -unsigned int mb, last_mb = p->parse_last_mb; -GetBitContext gb; -init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); -p->parse_history_count = 0; -mb= get_ue_golomb_long(&gb); +init_get_bits(&gb, p->parse_history, 8*p->parse_history_count); +mb= get_ue_golomb_long(&gb); +if (get_bits_left(&gb) > 0 || p->parse_history_count > 5) { p->parse_last_mb = mb; if (pc->frame_start_found) { -if (mb <= last_mb) +if (mb <= last_mb) { +i -= p->parse_history_count - 1; +p->parse_history_count = 0; goto found; +} } else pc->frame_start_found = 1; +p->parse_history_count = 0; state = 7; } } 
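Review bot: the acceptance test `get_bits_left(&gb) > 0 || p->parse_history_count > 5` does not accept an exp-Golomb code that ends exactly at the end of the buffered bytes (bits left == 0) until one more byte arrives or the count passes 5; that only adds latency, but it looks like an off-by-one, so a comment explaining the strict `> 0` is needed. Two things to verify outside the hunk: `parse_history` must hold at least 6 bytes, because `parse_history_count` can reach 6 before it is reset; and `init_get_bits` on a 1-byte history followed by `get_ue_golomb_long`, which may fetch a whole 32-bit word for the leading-zero count, relies on the reader's over-read staying inside valid memory for such a small array, so the sizing or padding assumption should be stated at the declaration. Finally, `i -= p->parse_history_count - 1;` on the found path rewinds to the first byte of the mb index; that is what makes the simplified return in the next hunk correct, and it deserves a comment saying so.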
@@ -149,7 +152,7 @@ found: pc->frame_start_found = 0; if (p->is_avc) return next_avc; -return i - (state & 5) - 5 * (state > 7); +return i - (state & 5); } static int scan_mmco_reset(AVCodecParserContext *s, GetBitContext *gb, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
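Review bot: dropping `- 5 * (state > 7)` from the return is only correct if every path that reaches `found` with `state > 7` now rewinds `i` itself; the hunk shows the return line but not the other `goto found` sites or the places that set `state` above 7, and any path that was not updated now returns an offset 5 bytes later than before. Please double-check each jump site before merging, and add a FATE test built from the very small packets in the report so the regression this fixes cannot silently come back.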
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Jul 2 18:40:08 2018 +0200| [0bc74532a94716217ab43f20a65764cd4f019e52] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0bc74532a94716217ab43f20a65764cd4f019e52 --- libavcodec/jpeg2000dec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 4a7a0d7387..8aeec3328c 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -340,7 +340,10 @@ static int get_siz(Jpeg2000DecoderContext *s) s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width); s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height); -if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) { +// There must be at least a SOT and SOD per tile, their minimum size is 14 +if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) || +s->numXtiles * s->numYtiles * 14LL > bytestream2_size(&s->g) +) { s->numXtiles = s->numYtiles = 0; return AVERROR(EINVAL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
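Review bot: `s->numXtiles * s->numYtiles * 14LL` multiplies the two tile counts in their own 32-bit type before widening to `long long`; it only avoids overflow because the first condition, `s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)`, short-circuits the `||` for large products. That coupling is fragile; write it as `14LL * s->numXtiles * s->numYtiles` so each test is safe on its own. The 14-byte figure (a 12-byte SOT segment plus the 2-byte SOD marker) is correct but is only a lower bound on the per-tile overhead, so this is a memory-exhaustion guard rather than a validity check and the comment should say so. Lastly, a codestream that is merely too short now returns `AVERROR(EINVAL)` like the structural error above it, whereas `AVERROR_INVALIDDATA` is the conventional libavcodec code for corrupt or truncated input.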
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Jul 2 18:57:05 2018 +0200| [bba9bb735a535c9e6bf21fd3457913d7fe831e2e] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bba9bb735a535c9e6bf21fd3457913d7fe831e2e --- libavcodec/jpeg2000dec.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 8aeec3328c..f844d032a9 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1220,10 +1220,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 if (reslevelno >= codsty->nreslevels) continue; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists 
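Review bot: `1LL << (rlevel->log2_prec_height + reducedresno)` removes the 32-bit overflow from the commit message (shift exponent 47), but a 64-bit shift is itself only defined for exponents below 64 and the hunk adds no bound on `log2_prec_height + reducedresno`. If the parser already guarantees the sum stays well below 64, a short comment next to the shift stating that bound documents why `1LL` is sufficient; otherwise an explicit range check belongs here rather than a wider type. The two `//FIXME this is a subset of the check` notes are left in place, so the precinct-boundary test itself remains acknowledged as incomplete.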
@@ -1291,10 +1291,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
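Review bot: same point as for the hunk at -1220: `1LL <<` fixes the reported 32-bit shift but still relies on `log2_prec_height + reducedresno` (and the width counterpart) staying below 64, which the hunk neither checks nor documents. Since the four modulo expressions at -1220 and -1291 are character-for-character identical, moving them into a small static helper would ensure any future bound check is applied to both call sites instead of being fixed in one and missed in the other.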
[FFmpeg-cvslog] avcodec/shorten: Fix undefined integer overflow
ffmpeg | branch: release/3.3 | Michael Niedermayer | Mon Jul 2 19:08:54 2018 +0200| [739e3ff47533746a72fd212eae4af009144921c6] | committer: Michael Niedermayer avcodec/shorten: Fix undefined integer overflow Fixes: signed integer overflow: 8454144 * 256 cannot be represented in type 'int' Fixes: 8788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5728205041303552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 70832333bba3b915040f415548518e136b44280e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=739e3ff47533746a72fd212eae4af009144921c6 --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 42d91a4636..609ff0e26f 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -177,7 +177,7 @@ static void fix_bitshift(ShortenContext *s, int32_t *buffer) buffer[i] = 0; } else if (s->bitshift != 0) { for (i = 0; i < s->blocksize; i++) -buffer[i] *= 1 << s->bitshift; +buffer[i] *= 1U << s->bitshift; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
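Review bot: `buffer[i] *= 1U << s->bitshift;` turns the undefined signed overflow from the commit message (`8454144 * 256`) into defined unsigned wraparound: `buffer[i]` (an `int32_t`) is converted to `unsigned` for the multiply and the wrapped result is converted back on assignment. That is a deliberate semantic choice (the product is truncated rather than rejected), so a comment saying wraparound is intended would stop a later reader from "fixing" it back to a signed multiply. The hunk also does not show where `s->bitshift` is bounded, and `1U << s->bitshift` is still undefined for `bitshift >= 32`, so that range check should be confirmed where `bitshift` is read from the stream.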
[FFmpeg-cvslog] avcodec/escape124: Check buf_size against num_superblocks
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Jun 24 19:23:02 2018 +0200| [b0c14b02b0570a2edd7054bf7dd6b6e9b00e5858] | committer: Michael Niedermayer avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b0c14b02b0570a2edd7054bf7dd6b6e9b00e5858 --- libavcodec/escape124.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c index c3174ce6ef..186f0cb8af 100644 --- a/libavcodec/escape124.c +++ b/libavcodec/escape124.c @@ -221,7 +221,11 @@ static int escape124_decode_frame(AVCodecContext *avctx, // This call also guards the potential depth reads for the // codebook unpacking. -if (get_bits_left(&gb) < 64) +// Check if the amount we will read minimally is available on input. +// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320 +// represent a lower bound of the space needed for skiped superblocks. Non +// skipped SBs need more space. +if (get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320) return -1; frame_flags = get_bits_long(&gb, 32); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
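Review bot: the new comment has two typos, `immedeatly` (immediately) and `skiped` (skipped), and it states the `23/4320` lower bound without saying what 23 bits per 4320 superblocks corresponds to; since `get_bits_left(&gb) < 64 + s->num_superblocks * 23LL / 4320` is the only thing preventing the timeout named in the commit message, a one-line derivation of the constant (the cost of the smallest possible skipped-superblock encoding) would let a reviewer verify it is a true lower bound. Note also that the integer division truncates: for 187 or fewer superblocks the added term is 0 and the check is exactly the old `< 64`, which is fine as a lower bound but worth stating so nobody expects it to reject small malformed inputs.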
[FFmpeg-cvslog] avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample
ffmpeg | branch: release/3.3 | Michael Niedermayer | Wed Jun 27 17:27:50 2018 +0200| [672ada0f179b3ef45e52987d8c96716d23aa0722] | committer: Michael Niedermayer avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample Fixes: out of array read Fixes: ffmpeg_crash_8.avi Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 95556e27e2c1d56d9e18f5db34d6f756f3011148) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=672ada0f179b3ef45e52987d8c96716d23aa0722 --- libavformat/movenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/movenc.c b/libavformat/movenc.c index 9280dc8d23..4b110f 100644 --- a/libavformat/movenc.c +++ b/libavformat/movenc.c @@ -378,7 +378,7 @@ static int handle_eac3(MOVMuxContext *mov, AVPacket *pkt, MOVTrack *track) if (hdr->substreamid == info->num_ind_sub + 1) { //info->num_ind_sub++; -avpriv_request_sample(track->par, "Multiple independent substreams"); +avpriv_request_sample(mov->fc, "Multiple independent substreams"); return AVERROR_PATCHWELCOME; } else if (hdr->substreamid < info->num_ind_sub || hdr->substreamid == 0 && info->substream[0].bsid) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
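Review bot: `avpriv_request_sample(mov->fc, ...)` is the right fix: the first argument is a logging context that must begin with an `AVClass *`, and `track->par` (an `AVCodecParameters`) has no such member, which is why the old call produced the out-of-array read named in the commit message. Because that parameter is a `void *`, the compiler cannot catch the mistake, so it is worth checking the rest of movenc.c for other `avpriv_request_sample` or `av_log` calls that receive `track->par` while this is being touched. Unrelated to the change but visible in the context lines: `hdr->substreamid < info->num_ind_sub || hdr->substreamid == 0 && info->substream[0].bsid` mixes `&&` inside `||` without parentheses; adding them would silence the usual -Wparentheses warning and make the intended grouping explicit.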