[FFmpeg-cvslog] fate-api-h264-slice: use the heap for nal buffer
ffmpeg | branch: master | Peter Ross | Wed Nov 21 01:31:44 2018 +1100| [3fc7b69496fd586a609f9c8a2f1ed17e46bf5fff] | committer: Michael Niedermayer
fate-api-h264-slice: use the heap for nal buffer
nal buffer is 512 kilobytes
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fc7b69496fd586a609f9c8a2f1ed17e46bf5fff
---
tests/api/api-h264-slice-test.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c
index c6614da34d..b893737bca 100644
--- a/tests/api/api-h264-slice-test.c
+++ b/tests/api/api-h264-slice-test.c
@@ -117,9 +117,9 @@ int main(int argc, char **argv)
unsigned int threads;
AVPacket *pkt;
FILE *file = NULL;
-char nal[MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE];
+char * nal = NULL;
int nals = 0, ret = 0;
-char *p = nal;
+char *p;
if (argc < 4) {
fprintf(stderr, "Usage: %s \n", argv[0]);
@@ -139,6 +139,11 @@ int main(int argc, char **argv)
return -1;
}
+nal = av_malloc(MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE);
+if (!nal)
+goto err;
+p = nal;
+
if (!(codec = avcodec_find_decoder(AV_CODEC_ID_H264))) {
fprintf(stderr, "Codec not found\n");
ret = -1;
@@ -223,6 +228,8 @@ int main(int argc, char **argv)
ret = decode(c, frame, NULL);
err:
+if (nal)
+av_free(nal);
if (file)
fclose(file);
av_frame_free();
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
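Review bot: The allocation-failure path in the second hunk, `if (!nal) goto err;`, jumps to cleanup with `ret` still 0, so the test process exits successfully without having decoded anything; the neighbouring failure branch in the same hunk sets `ret = -1;` before bailing and this one should too: `if (!nal) { ret = -1; goto err; }`. In the third hunk `if (nal) av_free(nal);` can be just `av_free(nal);`, since av_free accepts NULL the same way free() does. Whether the rest of the cleanup after `err:` (fclose, av_frame_free and whatever follows outside the hunk) tolerates the jump taken before the codec is opened cannot be confirmed from the hunk; main() continues well beyond it.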
[FFmpeg-cvslog] avcodec/truemotion2: Check huffman code max bits
ffmpeg | branch: master | Michael Niedermayer | Mon Nov 19 23:47:13 2018 +0100| [77bf85515e59f7b17685fbbec943ff46f6217719] | committer: Michael Niedermayer
avcodec/truemotion2: Check huffman code max bits
Fixes: Timeout
Fixes: 10984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6643310750859264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=77bf85515e59f7b17685fbbec943ff46f6217719
---
libavcodec/truemotion2.c | 19 ++-
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 58a577f53c..6d58483a77 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -112,9 +112,13 @@ typedef struct TM2Huff {
int *lens; ///< codelengths
} TM2Huff;
+/**
+ *
+ * @returns the length of the longest code or an AVERROR code
+ */
static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *huff)
{
-int ret;
+int ret, ret2;
if (length > huff->max_bits) {
av_log(ctx->avctx, AV_LOG_ERROR, "Tree exceeded its given depth (%i)\n", huff->max_bits);
@@ -133,14 +137,14 @@ static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff *
huff->bits[huff->num] = prefix;
huff->lens[huff->num] = length;
huff->num++;
-return 0;
+return length;
} else { /* non-terminal node */
-if ((ret = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
-return ret;
+if ((ret2 = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
+return ret2;
if ((ret = tm2_read_tree(ctx, (prefix << 1) | 1, length + 1, huff)) < 0)
return ret;
}
-return 0;
+return FFMAX(ret, ret2);
}
static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code) 
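Review bot: The new doc block above tm2_read_tree in the first hunk has an empty brief line before `@returns`; since the commit changes the function's return contract, the brief should say what the function does, e.g. `Recursively read one Huffman tree from the bitstream, recording each leaf's code and length in huff.` The second hunk returns `length` from a leaf and `FFMAX(ret, ret2)` from an inner node, so the result is the depth of the deepest leaf below `prefix`; a one-line comment at `return FFMAX(ret, ret2);` saying so would spare the next reader re-deriving it. Both hunks are inside tm2_read_tree, whose body continues between them outside the view.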
@@ -183,6 +187,11 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
res = tm2_read_tree(ctx, 0, 0, );
+if (res >= 0 && res != huff.max_bits) {
+av_log(ctx->avctx, AV_LOG_ERROR, "Got less bits than expected: %i of %i\n",
+ res, huff.max_bits);
+res = AVERROR_INVALIDDATA;
+}
if (huff.num != huff.max_num) {
av_log(ctx->avctx, AV_LOG_ERROR, "Got less codes than expected: %i of %i\n", huff.num, huff.max_num);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] api-h264-slice-test: use av_be2ne16 instead of ntohs
ffmpeg | branch: master | Peter Ross | Tue Nov 20 18:51:52 2018 +1100| [7cda7d217cd0e9eaa38cc0d5dbbb6204b92fce97] | committer: Michael Niedermayer
api-h264-slice-test: use av_be2ne16 instead of ntohs
avformat/network.h is not required here.
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7cda7d217cd0e9eaa38cc0d5dbbb6204b92fce97
---
tests/api/api-h264-slice-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c
index be03e80049..c6614da34d 100644
--- a/tests/api/api-h264-slice-test.c
+++ b/tests/api/api-h264-slice-test.c
@@ -41,10 +41,10 @@
#include
#include
-#include "libavformat/network.h"
#include "libavcodec/avcodec.h"
#include "libavutil/pixdesc.h"
#include "libavutil/hash.h"
+#include "libavutil/bswap.h"
static int header = 0;
@@ -191,7 +191,7 @@ int main(int argc, char **argv)
if (ret != sizeof(uint16_t))
break;
-size = ntohs(size);
+size = av_be2ne16(size);
ret = fread(p, 1, size, file);
if (ret != size) {
perror("Couldn't read data");
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avfilter/vf_overlay: fix crash with negative y
ffmpeg | branch: master | Paul B Mahol | Tue Nov 20 23:18:47 2018 +0100| [57815cfad5c5d6beb6f3fc0ae86b050a970d3a08] | committer: Paul B Mahol
avfilter/vf_overlay: fix crash with negative y
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=57815cfad5c5d6beb6f3fc0ae86b050a970d3a08
---
libavfilter/vf_overlay.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavfilter/vf_overlay.c b/libavfilter/vf_overlay.c
index ba25893739..a12e7a793f 100644
--- a/libavfilter/vf_overlay.c
+++ b/libavfilter/vf_overlay.c
@@ -473,12 +473,12 @@ static av_always_inline void blend_plane(AVFilterContext *ctx,
slice_start = (jmax * jobnr) / nb_jobs;
slice_end = (jmax * (jobnr+1)) / nb_jobs;
-sp = src->data[i] + slice_start * src->linesize[i];
+sp = src->data[i] + (j + slice_start) * src->linesize[i];
dp = dst->data[dst_plane] - + (yp + slice_start) * dst->linesize[dst_plane] + + (yp + j + slice_start) * dst->linesize[dst_plane] + dst_offset;
-ap = src->data[3] + (slice_start << vsub) * src->linesize[3];
-dap = dst->data[3] + ((yp + slice_start) << vsub) * dst->linesize[3];
+ap = src->data[3] + (j + slice_start << vsub) * src->linesize[3];
+dap = dst->data[3] + ((yp + j + slice_start) << vsub) * dst->linesize[3];
for (j = j + slice_start; j < slice_end; j++) {
k = FFMAX(-xp, 0);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
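Review bot: `(j + slice_start << vsub)` in the added `ap` line relies on `+` binding tighter than `<<`; the result is what is intended, but it reads like a mistake next to the fully parenthesised `dap` line right below it and -Wparentheses will flag it. Write it as `ap = src->data[3] + ((j + slice_start) << vsub) * src->linesize[3];` to match. The `j` now added to every plane pointer is computed before the hunk (blend_plane starts outside it), so whether it is already clamped to 0 for non-negative `yp` cannot be checked from here.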
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Nov 9 19:59:27 2018 +0100| [0728911951100305e8b2379ac37c44f5ac0c1c75] | committer: Michael Niedermayer
avcodec/shorten: Fix integer overflow with offset
Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int'
Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0728911951100305e8b2379ac37c44f5ac0c1c75
---
libavcodec/shorten.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 6ec1632aac..33a99158f9 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -306,7 +306,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* subtract offset from previous samples to use in prediction */
if (command == FN_QLPC && coffset)
for (i = -pred_order; i < 0; i++)
-s->decoded[channel][i] -= coffset;
+s->decoded[channel][i] -= (unsigned)coffset;
/* decode residual and do LPC prediction */
init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
@@ -321,7 +321,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* add offset to current samples */
if (command == FN_QLPC && coffset)
for (i = 0; i < s->blocksize; i++)
-s->decoded[channel][i] += coffset;
+s->decoded[channel][i] += (unsigned)coffset;
return 0;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
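Review bot: The `(unsigned)coffset` casts in both hunks make the wrap-around defined but leave no trace of why a plain subtraction was not acceptable, so the next cleanup pass is likely to remove them; a short comment on the first one would prevent that: `/* (unsigned): coffset can be far outside the sample range on corrupt input; wrap instead of overflowing int */`. The `init_sum` line in the first hunk still uses `coffset` in signed arithmetic, which may be fine depending on the ranges of `s->lpcqoffset` and `coffset` that are not visible here. decode_subframe_lpc continues on both sides of each hunk.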
[FFmpeg-cvslog] avcodec/pngdec: Check compression method
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Nov 9 03:12:45 2018 +0100| [3ae8a4cf060e5eda6c5192879131301c94dddc70] | committer: Michael Niedermayer
avcodec/pngdec: Check compression method
method 0 (inflate/deflate) is the only specified in the specification and the only supported
Fixes: Timeout
Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ae8a4cf060e5eda6c5192879131301c94dddc70
---
libavcodec/pngdec.c | 4
1 file changed, 4 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index ac49954ad0..c5dad0c154 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -564,6 +564,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
}
s->color_type = bytestream2_get_byte(>gb);
s->compression_type = bytestream2_get_byte(>gb);
+if (s->compression_type) {
+av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type);
+goto error;
+}
s->filter_type = bytestream2_get_byte(>gb);
s->interlace_type = bytestream2_get_byte(>gb);
bytestream2_skip(>gb, 4); /* crc */
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
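Review bot: The new check validates `compression_type` but the next field read in the same hunk, `s->filter_type`, gets no validation here; the PNG specification likewise defines only filter method 0, so a matching `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }` after its read would be consistent (interlace_type may already be checked elsewhere, which the hunk does not show). The `%d` conversion is right only if `compression_type` is declared int; the struct is outside the view. decode_ihdr_chunk continues past the hunk.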
[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Nov 4 20:00:16 2018 +0100| [0acb6f692ef247bbf6612cc1212897613c175a06] | committer: Michael Niedermayer avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0acb6f692ef247bbf6612cc1212897613c175a06 --- libavcodec/cavsdec.c | 29 + 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 289ed1b242..2d64f9d7cc 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -592,14 +592,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { -if (h->cbp & (1 << 4)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (h->cbp & (1 << 4)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); -if (h->cbp & (1 << 5)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (ret < 0) +return ret; +} +if (h->cbp & (1 << 5)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); +if (ret < 0) +return ret; +} +return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -650,6 +657,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; +int ret; ff_cavs_init_mb(h); 
@@ -693,8 +701,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, , block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); -if (h->cbp & (1l_stride); +if (h->cbp & (1 l_stride); +if (ret < 0) +return ret; +} } /* chroma intra prediction */ @@ -704,7 +715,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); -decode_residual_chroma(h); +ret = decode_residual_chroma(h); +if (ret < 0) +return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
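Review bot: The early `return ret;` inserted inside the luma block loop in the third hunk exits decode_mb_i part-way through the macroblock and skips the `ff_cavs_filter(h, I_8X8);` and `set_mv_intra(h);` that the last hunk shows at the end of the function, so the border, top and MV state for this MB is left in whatever shape the loop reached; that is presumably acceptable because the caller aborts the slice on error, but the hunk does not show the caller, so it is worth confirming and noting with a comment at the first early return: `/* on error the slice is abandoned; MB state is intentionally left incomplete */`. The fourth hunk's `ret = decode_residual_chroma(h); if (ret < 0) return ret;` has the same property. The text of the third hunk is garbled in this copy, so the exact luma-residual lines could not be reviewed; decode_mb_i begins in the second hunk on the preceding line and continues between the hunks.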
[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Oct 24 01:44:12 2018 +0200| [6f84b1c458c6aafc9f1ba5d5a6da8792fc60ec8b] | committer: Michael Niedermayer avutil/integer: Fix integer overflow in av_mul_i() Found-by: fate Signed-off-by: Michael Niedermayer (cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f84b1c458c6aafc9f1ba5d5a6da8792fc60ec8b --- libavutil/integer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/integer.c b/libavutil/integer.c index 6d6855fa1b..ba4aa778c9 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; +carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
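Review bot: The `(unsigned)` on `b.v[j-i]` makes the 16x16-bit product wrap instead of overflowing a signed int, but nothing on the line says so and the hunk text is garbled in this copy, so the declared type of `carry` and the loop bounds are not visible; a comment would record the intent, `/* (unsigned): 0xffff * 0xffff does not fit in a signed int */`. If `carry` is a signed type, the mixed-sign addition with `out.v[j]` promotes the whole sum to unsigned, which is fine for the wrap but should be checked against the declarations above the hunk. av_mul_i continues outside the hunk.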
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Oct 20 22:35:37 2018 +0200| [bdd3c7af5ee18c3bcc71525f7062234eaf95b164] | committer: Michael Niedermayer
avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
Fixes: assertion failure
Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bdd3c7af5ee18c3bcc71525f7062234eaf95b164
---
libavcodec/jpeg2000dec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 83b418925c..8714399cbd 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1127,7 +1127,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
step_x = 32;
step_y = 32;
-if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
continue;
for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
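Review bot: Changing `>` to `>=` makes the guard coincide with the emptiness condition of the `for` right below it, so its only effect is to skip whatever follows that loop in the same iteration, which is outside the hunk; that is easy to mistake for a redundant check and revert, so the reason deserves a comment, e.g. `/* RSpoc == nreslevels: nothing to visit, and the code after the loop would index one past the resolution levels */` — the indexing claim should be verified against the lines after the loop before it is written. jpeg2000_decode_packets_po_iteration continues on both sides of the hunk.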
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Oct 28 21:08:39 2018 +0100| [cf21323dd4600a76cd9cb78563999733571ebdbd] | committer: Michael Niedermayer
avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
Fixes: Timeout
Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896
Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cf21323dd4600a76cd9cb78563999733571ebdbd
---
libavcodec/mpegaudio_parser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index a358069dab..a512e08ce9 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
"MP3ADU full parser");
*poutbuf = NULL;
*poutbuf_size = 0;
-return 0; /* parsers must not return error codes */
+return buf_size; /* parsers must not return error codes */
}
break;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
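Review bot: Returning `buf_size` discards the entire input buffer for the unsupported MP3ADU case, and the retained comment only explains why no error code is returned; extend it so the data loss is explicit: `return buf_size; /* parsers must not return error codes; consume the input so the caller does not spin on it */`. The log call whose tail `"MP3ADU full parser");` is visible at the top of the hunk presumably already tells the user why, which makes the silent consumption acceptable. mpegaudio_parse continues on both sides of the hunk.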
[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Oct 21 14:40:14 2018 +0200| [3049d6d8219b517020de0f0a1759e96fed49ef37] | committer: Michael Niedermayer
avcodec/msrle: Check that the input is large enough to contain a end of picture code
Fixes: Timeout
Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3049d6d8219b517020de0f0a1759e96fed49ef37
---
libavcodec/msrle.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
index 4032d0840a..154c3df1f9 100644
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
s->buf = buf;
s->size = buf_size;
+if (buf_size < 2) //Minimally a end of picture code should be there
+return AVERROR_INVALIDDATA;
+
if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
return ret;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
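Review bot: The comment on the new check, `//Minimally a end of picture code should be there`, has a grammar slip and lacks the space after `//`; `/* at least an end-of-picture code (2 bytes) must be present */` states the bound the condition actually tests. Placing the check after `s->buf`/`s->size` are assigned is harmless since the function returns before they are used, though moving it above them would make that obvious. msrle_decode_frame continues past the hunk.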
[FFmpeg-cvslog] avformat/flvenc: Check audio packet size
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Jul 28 15:03:50 2018 +0200| [d8ecb335fe4852bbc172c7b79e66944d158b4d92] | committer: Michael Niedermayer
avformat/flvenc: Check audio packet size
Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf
Found-by: #CHEN HONGXU#
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8ecb335fe4852bbc172c7b79e66944d158b4d92
---
libavformat/flvenc.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index e217ba8a82..9e732fcf9f 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -514,6 +514,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt)
uint8_t *data = NULL;
int flags = -1, flags_size, ret;
+if (enc->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) {
+av_log(s, AV_LOG_WARNING, "Empty audio Packet\n");
+return AVERROR(EINVAL);
+}
+
if (enc->codec_id == AV_CODEC_ID_VP6F || enc->codec_id == AV_CODEC_ID_VP6A || enc->codec_id == AV_CODEC_ID_VP6 || enc->codec_id == AV_CODEC_ID_AAC)
flags_size = 2;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
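Review bot: The new block logs at AV_LOG_WARNING but returns AVERROR(EINVAL), which fails the write of this packet (and, depending on the caller, the whole mux) while the message reads as a recoverable condition; either log at AV_LOG_ERROR, or drop the empty packet with `return 0;` if skipping is the intended behaviour. A one-line comment on why an empty audio packet must be rejected here would also help, since the assertion the commit message refers to is well outside the hunk; flv_write_packet continues past it.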
[FFmpeg-cvslog] avcodec/dvdsubdec: Sanity check len in decode_rle()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Sep 13 03:33:50 2018 +0200| [c2f02af6968498b482d12cc27d0c91891c444a0a] | committer: Michael Niedermayer
avcodec/dvdsubdec: Sanity check len in decode_rle()
Fixes: Timeout
Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2f02af6968498b482d12cc27d0c91891c444a0a
---
libavcodec/dvdsubdec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index d017e771fc..4bdffeb700 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
len = decode_run_8bit(, );
else
len = decode_run_2bit(, );
+if (len != INT_MAX && len > w - x)
+return AVERROR_INVALIDDATA;
len = FFMIN(len, w - x);
memset(d + x, color, len);
x += len;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
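Review bot: With the new bound check in place, the `len = FFMIN(len, w - x);` that follows only has an effect for the `INT_MAX` sentinel, so a comment tying the two together would help: `/* INT_MAX means "run to end of line"; any other run past the line is corrupt */`. The check assumes decode_run_8bit/decode_run_2bit never return a negative value, which the hunk does not show; if they can, `len > w - x` lets a negative length through to memset, where it converts to a huge size_t. decode_rle continues outside the hunk.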
[FFmpeg-cvslog] avformat/utils: Never store negative values in last_IP_duration
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Oct 12 20:55:25 2018 +0200| [dc13bac6deaa3ee3641d331556ac41556993e07e] | committer: Michael Niedermayer
avformat/utils: Never store negative values in last_IP_duration
Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan
Reported-by: Thomas Guilbert
Signed-off-by: Michael Niedermayer
(cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc13bac6deaa3ee3641d331556ac41556993e07e
---
libavformat/utils.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index fa4b06ffd6..b0d330ba9f 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1114,7 +1114,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st,
/* This is tricky: the dts must be incremented by the duration
* of the frame we are displaying, i.e. the last I- or P-frame. */
-if (st->last_IP_duration == 0)
+if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX)
st->last_IP_duration = pkt->duration;
if (pkt->dts != AV_NOPTS_VALUE)
st->cur_dts = pkt->dts + st->last_IP_duration;
@@ -1126,7 +1126,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st,
next_pts != AV_NOPTS_VALUE)
pkt->pts = next_dts;
-st->last_IP_duration = pkt->duration;
+if ((uint64_t)pkt->duration <= INT32_MAX)
+st->last_IP_duration = pkt->duration;
st->last_IP_pts = pkt->pts;
/* Cannot compute PTS if not present (we can compute it only
* by knowing the future. */
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
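Review bot: `(uint64_t)pkt->duration <= INT32_MAX` in both hunks rejects negative durations as well as oversized ones, because the cast wraps a negative value to something far above INT32_MAX; that is the intent of the commit but the line reads as a plain upper bound, so comment it once at the first hunk: `/* (uint64_t): negative durations wrap huge and are rejected along with values that do not fit last_IP_duration */`. The second hunk repeats the same expression; a small static helper such as `duration_fits(int64_t d)` would keep the two from drifting apart. compute_pkt_fields continues outside both hunks.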
[FFmpeg-cvslog] avcodec/unary: Improve get_unary() docs
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Sep 22 15:18:17 2018 +0200| [604957c557dfbbb1a8e913519b0aa266b5b3dbc0] | committer: Michael Niedermayer
avcodec/unary: Improve get_unary() docs
Found-by: kierank
Signed-off-by: Michael Niedermayer
(cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=604957c557dfbbb1a8e913519b0aa266b5b3dbc0
---
libavcodec/unary.h | 15 ++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/libavcodec/unary.h b/libavcodec/unary.h
index 908dc93507..d57f9f70c5 100644
--- a/libavcodec/unary.h
+++ b/libavcodec/unary.h
@@ -28,7 +28,20 @@
* @param gb GetBitContext
* @param[in] stop The bitstop value (unary code of 1's or 0's)
* @param[in] len Maximum length
- * @return Unary length/index
+ * @return unary 0 based code index. This is also the length in bits of the
+ * code excluding the stop bit.
+ * (in case len=1)
+ * 10
+ * 01
+ * (in case len=2)
+ * 10
+ * 01 1
+ * 00 2
+ * (in case len=3)
+ * 10
+ * 01 1
+ * 001 2
+ * 000 3
*/
static inline int get_unary(GetBitContext *gb, int stop, int len)
{
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
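Review bot: In the new table the rows for index 0 are written `10` while the others read `01 1`, `00 2`, so the bit pattern and the returned index run together in the first row of each group and a reader may take `10` for a two-bit code; the `len=1` group has the same problem in both of its rows. Write the two columns consistently throughout, e.g. `1    0`, `01   1`, `00   2`, and state once above the table that the left column is the bit pattern (stop bit last, shown here for stop=0) and the right column the value returned. The line `code excluding the stop bit.` should also say that when `len` bits are read without seeing the stop bit the return value is `len`, which the `000 3` row implies but never states.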
[FFmpeg-cvslog] avformat/utils: Fix integer overflow in discontinuity check
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Oct 12 03:00:32 2018 +0200| [6ce3fee455d66c2a51f9a5551a9356efde28e193] | committer: Michael Niedermayer
avformat/utils: Fix integer overflow in discontinuity check
Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long'
Fixes: find_stream_info_usan
Reported-by: Thomas Guilbert
Signed-off-by: Michael Niedermayer
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ce3fee455d66c2a51f9a5551a9356efde28e193
---
libavformat/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index c228bc90dc..fa4b06ffd6 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3326,7 +3326,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
* sequence, we treat it as a discontinuity. */
if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
-(pkt->dts - st->info->fps_last_dts) / 1000 >
+(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 >
(st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) /
(st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
av_log(ic, AV_LOG_WARNING,
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
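Review bot: The added `(uint64_t)` cast defines the subtraction, but it also changes what happens when `pkt->dts` is smaller than `fps_last_dts`: the difference wraps to a huge unsigned value, the `/ 1000` keeps it huge, and the comparison then treats a backwards dts step as a discontinuity; that is probably desirable, but it is a behaviour change the commit message does not mention and a comment on the line would record it: `/* unsigned: a backwards step wraps huge and counts as a discontinuity too */`. The right-hand side of the comparison already used the same idiom, so the two sides are now at least consistent. avformat_find_stream_info continues outside the hunk.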
[FFmpeg-cvslog] avcodec/h264_cavlc: Check mb_skip_run
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Oct 4 03:13:41 2018 +0200| [89a8b69e9bf658383aacbda7f372191385ae2bd4] | committer: Michael Niedermayer
avcodec/h264_cavlc: Check mb_skip_run
Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89a8b69e9bf658383aacbda7f372191385ae2bd4
---
libavcodec/h264_cavlc.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 97ec6fd4ae..250e93bc8e 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */
if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-if (sl->mb_skip_run == -1)
-sl->mb_skip_run = get_ue_golomb_long(>gb);
+if (sl->mb_skip_run == -1) {
+unsigned mb_skip_run = get_ue_golomb_long(>gb);
+if (mb_skip_run > h->mb_num) {
+av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
+return AVERROR_INVALIDDATA;
+}
+sl->mb_skip_run = mb_skip_run;
+}
if (sl->mb_skip_run--) {
if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
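Review bot: `mb_skip_run` is declared `unsigned` in the new block but logged with `%d`; use `%u`, i.e. `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`, so -Wformat stays quiet and values above INT_MAX print as what they are. The comparison `mb_skip_run > h->mb_num` is signed/unsigned if `h->mb_num` is an int, which the hunk does not show; it is correct as long as mb_num is non-negative, which a comment could note. ff_h264_decode_mb_cavlc continues on both sides of the hunk.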
[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in add_wav()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Oct 10 04:25:50 2018 +0200| [e42f2eb165e7a4242e9c09d2286351cd0bd79ca6] | committer: Michael Niedermayer
avcodec/ra144: Fix integer overflow in add_wav()
Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int'
Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e42f2eb165e7a4242e9c09d2286351cd0bd79ca6
---
libavcodec/ra144.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 054d275354..3393d7a87f 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m,
if (v[0]) {
for (i=0; i < BLOCKSIZE; i++)
-dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;
} else {
for (i=0; i < BLOCKSIZE; i++)
dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
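Review bot: Moving the `(int)` outside the whole sum makes all three products and both additions unsigned, which fixes the reported overflow, but the `else` branch right below still evaluates `s2[i]*v[1] + s3[i]*v[2]` in signed arithmetic; if the same value ranges reach it, it can overflow the same way, so `dest[i] = (int)(s2[i]*(unsigned)v[1] + s3[i]*v[2]) >> 12;` would be consistent. The `(int)` of an out-of-range unsigned and the `>> 12` of a negative int are implementation-defined rather than undefined, which is the usual trade-off here; a brief comment that the wrap is deliberate would stop a later cleanup from "fixing" it. add_wav continues past the hunk.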
[FFmpeg-cvslog] avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Sep 13 04:24:49 2018 +0200| [6645783a3aa46107405c2f7aca65e7a7f13cf5a6] | committer: Michael Niedermayer
avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
Speed improvment 35.5 sec -> 34.7sec
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6645783a3aa46107405c2f7aca65e7a7f13cf5a6
---
libavcodec/dvdsubdec.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 5e0820e697..d017e771fc 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
{
int len;
int has_run = get_bits1(gb);
-if (get_bits1(gb))
-*color = get_bits(gb, 8);
-else
-*color = get_bits(gb, 2);
+*color = get_bits(gb, 2 + 6*get_bits1(gb));
if (has_run) {
if (get_bits1(gb)) {
len = get_bits(gb, 7);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
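Review bot: `*color = get_bits(gb, 2 + 6*get_bits1(gb));` is compact but hides the format rule the removed branch spelled out; keep it and add `/* flag bit: 0 -> 2-bit colour index, 1 -> 8-bit colour */` so the next reader does not have to reverse the arithmetic. Evaluation order is sound because the flag is consumed while the argument is computed, before get_bits reads the field. decode_run_8bit continues past the hunk.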
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix undefined shift in get_amv()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Sep 15 00:20:38 2018 +0200| [49023147c7fcb8319830be698b280e65e82ddf22] | committer: Michael Niedermayer
avcodec/mpeg4videodec: Fix undefined shift in get_amv()
Fixes: runtime error: shift exponent -1 is negative
Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=49023147c7fcb8319830be698b280e65e82ddf22
---
libavcodec/mpeg4videodec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 23dde9ee85..936406d2d1 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -537,7 +537,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
len >>= s->quarter_sample;
if (s->real_sprite_warping_points == 1) {
-if (ctx->divx_version == 500 && ctx->divx_build == 413)
+if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample)
sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
else
sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
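Review bot: The new `a >= s->quarter_sample` guard keeps the shift count non-negative, but when it fails for a DivX 5.0 build-413 stream the code now silently takes the generic RSHIFT branch instead of rejecting the input, so output for that case changes; if that is intended, a comment should say so: `/* a < quarter_sample would shift by a negative count; fall back to the generic rounding */`. Whether `a - s->quarter_sample` can reach the width of int is not visible here (`a` is computed above the hunk), so that upper bound still needs checking. get_amv continues outside the hunk.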
[FFmpeg-cvslog] avcodec/zmbv: Update decomp_len in raw frames
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Sep 17 21:33:59 2018 +0200| [edae5259c05506a0923f709ce080144c4846ca28] | committer: Michael Niedermayer
avcodec/zmbv: Update decomp_len in raw frames
decomp_len is used in raw frames, so it should not be left at the value from whatever was decoded previously (which may be any other frame)
Signed-off-by: Michael Niedermayer
(cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edae5259c05506a0923f709ce080144c4846ca28
---
libavcodec/zmbv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 39a08db0eb..b12c3615b4 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
return AVERROR_INVALIDDATA;
}
memcpy(c->decomp_buf, buf, len);
+c->decomp_len = len;
} else { // ZLIB-compressed data
c->zstream.total_in = c->zstream.total_out = 0;
c->zstream.next_in = (uint8_t*)buf;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/zmbv: Check that the decompressed data size is correct
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Sep 18 00:28:37 2018 +0200| [79c018351e6e0a3e3f58b4b7831a6642c3a4f42c] | committer: Michael Niedermayer
avcodec/zmbv: Check that the decompressed data size is correct
This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable.
Fixes: Timeout
Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol
Signed-off-by: Michael Niedermayer
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79c018351e6e0a3e3f58b4b7831a6642c3a4f42c
---
libavcodec/zmbv.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index b12c3615b4..41525cc08c 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
int zret = Z_OK; // Zlib return code
int len = buf_size;
int hi_ver, lo_ver, ret;
+int expected_size;
/* parse header */
if (len < 1)
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8));
c->decode_intra= decode_intra;
}
+if (c->flags & ZMBV_KEYFRAME) {
+expected_size = avctx->width * avctx->height * (c->bpp / 8);
+} else {
+expected_size = (c->bx * c->by * 2 + 3) & ~3;
+}
+if (avctx->pix_fmt == AV_PIX_FMT_PAL8 &&
+(c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME)))
+expected_size += 768;
if (!c->decode_intra) {
av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n");
@@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
 }
 c->decomp_len = c->zstream.total_out;
 }
+if (expected_size > c->decomp_len ||
+(c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) {
+av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size);
+return AVERROR_INVALIDDATA;
+}
 if (c->flags & ZMBV_KEYFRAME) {
 frame->key_frame = 1;
 frame->pict_type = AV_PICTURE_TYPE_I;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
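Review bot: The new size check mixes `||` and `&&` without parentheses around the keyframe conjunction, which -Wparentheses flags and which a reader has to resolve by precedence; `if (expected_size > c->decomp_len || ((c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len)) {` states the intent explicitly. The asymmetry between the two frame kinds is also worth a comment since it is easy to read as a missed check, e.g. `/* inter frames carry a variable block payload, so only a lower bound applies; intra frames must match exactly */`. decode_frame starts and ends outside the hunk.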
[FFmpeg-cvslog] avcodec/shorten: Fix bitstream end check in read_header()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Sep 15 02:08:20 2018 +0200| [f2640f76489464f4a0016c729aa04d46d3638abb] | committer: Michael Niedermayer avcodec/shorten: Fix bitstream end check in read_header() Fixes: Timeout Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2640f76489464f4a0016c729aa04d46d3638abb
--- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index de2be90e77..6ec1632aac 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -380,7 +380,7 @@ static int read_header(ShortenContext *s)
 }
 skip_bytes = get_uint(s, NSKIPSIZE);
-if ((unsigned)skip_bytes > get_bits_left(>gb)/8) {
+if ((unsigned)skip_bytes > FFMAX(get_bits_left(>gb), 0)/8) {
 av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes);
 return AVERROR_INVALIDDATA;
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
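Review bot: The FFMAX clamp deserves a comment, because the reason for it is subtle: once the reader has been over-read `get_bits_left()` is negative, a negative `int` divided by 8 stays negative, and in the comparison against the `unsigned` left-hand side it is converted to a huge unsigned value, so the old check could never reject a skip past the end of data. Suggest `/* get_bits_left() goes negative after an over-read; clamp it so the unsigned compare cannot wrap */` above the `if`. The `>gb` in the hunk looks like an extraction artefact for `&s->gb`. read_header's body continues outside the hunk.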
[FFmpeg-cvslog] avcodec/shorten: Check verbatim length
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Aug 12 22:43:33 2018 +0200| [ed0f21a89a416e3b53754dc6fc6eba100695431a] | committer: Michael Niedermayer avcodec/shorten: Check verbatim length Fixes: Timeout Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed0f21a89a416e3b53754dc6fc6eba100695431a
--- libavcodec/shorten.c | 5 + 1 file changed, 5 insertions(+)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index f481a84fed..047fb05a9b 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -518,6 +518,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
 switch (cmd) {
 case FN_VERBATIM:
 len = get_ur_golomb_shorten(>gb, VERBATIM_CKSIZE_SIZE);
+if (len < 0 || len > get_bits_left(>gb)) {
+av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n",
+ len);
+return AVERROR_INVALIDDATA;
+}
 while (len--)
 get_ur_golomb_shorten(>gb, VERBATIM_BYTE_SIZE);
 break;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
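Review bot: The bound `len > get_bits_left(&s->gb)` compares a count of verbatim items against a count of bits, so it is a coarse guard: it stops the unbounded loop, but a `len` many times larger than the data actually present still passes and the loop then spins on an exhausted reader. Each `get_ur_golomb_shorten()` call consumes at least VERBATIM_BYTE_SIZE + 1 bits if that helper is the usual unary-prefix Rice reader (not visible here), in which case `len > get_bits_left(&s->gb) / (VERBATIM_BYTE_SIZE + 1)` would be the tight check; confirm the per-item cost before tightening, and state the intent in a comment either way. shorten_decode_frame starts and ends outside the hunk.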
[FFmpeg-cvslog] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Aug 20 22:53:32 2018 +0200| [db39404c1581b16a307ca2089346267a98a28b91] | committer: Michael Niedermayer avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() Fixes: Timeout Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=db39404c1581b16a307ca2089346267a98a28b91
--- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index d18464769d..7ae58e0985 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -180,6 +180,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup,
 int flag = 0;
 int i, ret, cbp;
+if (get_bits_left(gb) < 1)
+return AVERROR_INVALIDDATA;
+
 cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);
 for (i = 0; i < 12; i++)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
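Review bot: The check only proves that the reader is not already exhausted on entry; the `get_vlc2()` call and the twelve-iteration loop that follow read considerably more than one bit, so the guard stops a macroblock from starting on empty input rather than bounding what the macroblock consumes. That is enough for the timeout it targets, but it relies on the bit reader tolerating over-reads for the rest of the block (not visible here), which a comment should say: `/* refuse to start a macroblock on exhausted input; over-reads inside the block are tolerated by the reader */`. hqa_decode_mb continues outside the hunk.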
[FFmpeg-cvslog] avcodec/vb: Check for end of bytestream before reading blocktype
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Aug 20 22:19:23 2018 +0200| [8717129d58e987d0a7516a731e39969eed71a27e] | committer: Michael Niedermayer avcodec/vb: Check for end of bytestream before reading blocktype Fixes: Timeout Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8717129d58e987d0a7516a731e39969eed71a27e
--- libavcodec/vb.c | 4 1 file changed, 4 insertions(+)
diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 021657f7d8..c6dd6fb456 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2 = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+if (bytestream2_get_bytes_left() < 1) {
+av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+return AVERROR_INVALIDDATA;
+}
 blocktypes = bytestream2_get_byte();
 }
 switch (blocktypes & 0xC0) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/ra144: Fix undefined integer overflow in add_wav()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Aug 26 02:26:24 2018 +0200| [2d65c44f220c57cd5afcddee8430ded2177288eb] | committer: Michael Niedermayer avcodec/ra144: Fix undefined integer overflow in add_wav() Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int' Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d65c44f220c57cd5afcddee8430ded2177288eb
--- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index c399304ea1..054d275354 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m,
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
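Review bot: Only the first product is moved to unsigned arithmetic; `s2[i]*v[1]`, `s3[i]*v[2]` and the two additions remain signed `int` operations, so if v[1] or v[2] can reach magnitudes comparable to the v[0] value in the fuzzer report, the same undefined overflow is still reachable in both this branch and the `else` branch. Unless those ranges are known to be bounded (not visible here), the consistent fix is to do the whole sum unsigned and convert once: `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*(unsigned)v[1] + s3[i]*(unsigned)v[2]) >> 12;`. A one-line comment naming the reason for the casts would also stop the next reader from removing them. add_wav's body continues outside the hunk.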
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow with motion vector residual
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Aug 20 20:15:19 2018 +0200| [7ddcb02809f958adb0b4348d48678a1459c99857] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow with motion vector residual Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int' Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ddcb02809f958adb0b4348d48678a1459c99857
--- libavcodec/snowdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index fc917e0c35..84e98afe4c 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -205,8 +205,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){
 return AVERROR_INVALIDDATA;
 }
 pred_mv(s, , , ref, left, top, tr);
-mx+= get_symbol(>c, >block_state[128 + 32*(mx_context + 16*!!ref)], 1);
-my+= get_symbol(>c, >block_state[128 + 32*(my_context + 16*!!ref)], 1);
+mx+= (unsigned)get_symbol(>c, >block_state[128 + 32*(mx_context + 16*!!ref)], 1);
+my+= (unsigned)get_symbol(>c, >block_state[128 + 32*(my_context + 16*!!ref)], 1);
 }
 set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type);
 }else{
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
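Review bot: The unsigned casts remove the undefined overflow but leave mx and my holding a wrapped value that is passed straight to `set_blocks()`; nothing in the hunk bounds the resulting motion vector. If set_blocks() or the later motion compensation indexes with these values (not visible here), a range check after the two additions would be the complete fix; if the range is validated downstream, a comment such as `// unsigned: residual + prediction may exceed INT_MAX on corrupt input; range is checked later` would record why the casts exist. The `pred_mv(s, , , ...)` argument list appears garbled by extraction. decode_q_branch continues outside the hunk.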
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow in residual/LPC combination
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Aug 12 22:55:59 2018 +0200| [bb070fc4684dd80a82983469ccf685dfeb3e1c4e] | committer: Michael Niedermayer avcodec/shorten: Fix integer overflow in residual/LPC combination Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int' Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb070fc4684dd80a82983469ccf685dfeb3e1c4e
--- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 047fb05a9b..de2be90e77 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -315,7 +315,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
 for (j = 0; j < pred_order; j++)
 sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
- (sum >> qshift);
+ (unsigned)(sum >> qshift);
 }
 /* add offset to current samples */
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Aug 17 02:06:27 2018 +0200| [fb0cd972a704fbe8100837c16b18e2cbde3d5215] | committer: Michael Niedermayer avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking() Signed-off-by: Michael Niedermayer (cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb0cd972a704fbe8100837c16b18e2cbde3d5215
--- libavcodec/h264_refs.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index a3de6b2f35..5ec7f2d061 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -813,6 +813,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
 pps_ref_count[1] = FFMAX(pps_ref_count[1], h->pps.ref_count[1]);
 }
+// Detect unmarked random access points
 if ( err >= 0 && h->long_ref_count==0 && ( h->short_ref_count<=2
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Aug 16 15:36:28 2018 +0200| [b671ebfd61b64b5e336f747b8a6abd59a535454d] | committer: Michael Niedermayer avformat/mlvdec: read_string() received unsigned size, make the argument unsigned Fixes: infinite loop Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b671ebfd61b64b5e336f747b8a6abd59a535454d
--- libavformat/mlvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 4b3bdc1eca..84b916844c 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -76,7 +76,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 return 0;
 }
-static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size)
+static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size)
 {
 char * value = av_malloc(size + 1);
 if (!value) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
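Review bot: With `size` now `unsigned`, the `size + 1` in `av_malloc(size + 1)` is evaluated in 32-bit unsigned arithmetic and wraps to 0 when size is UINT_MAX; for every other large value av_malloc() returns NULL and the `if (!value)` path handles it, but an av_malloc(0) may succeed with a tiny buffer that the subsequent read of `size` bytes (presumably, outside the hunk) then overruns. Doing the addition in size_t, `char *value = av_malloc((size_t)size + 1);`, closes that single case, or reject the value up front with `if (size == UINT_MAX) return;`. read_string's body continues outside the hunk.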
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Initialize poutbuf*
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Aug 5 14:51:36 2018 +0200| [a36d649ffce62932b4a1ae59a0403568fa648c2a] | committer: Michael Niedermayer avcodec/mpegaudio_parser: Initialize poutbuf* Possibly fixes: null pointer dereference Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224 Fixes: Heap-use-after-free Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a36d649ffce62932b4a1ae59a0403568fa648c2a
--- libavcodec/mpegaudio_parser.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index b66e8b0561..a358069dab 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx, "MP3ADU full parser");
+*poutbuf = NULL;
+*poutbuf_size = 0;
 return 0; /* parsers must not return error codes */
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/nsvdec: Do not parse multiple NSVf
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Aug 16 12:23:20 2018 +0200| [898f83386354c88c15515c4ae74658d5b123c72b] | committer: Michael Niedermayer avformat/nsvdec: Do not parse multiple NSVf The specification states "NSV files may contain a single file header. " Fixes: out of array access Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421 Found-by: Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=898f83386354c88c15515c4ae74658d5b123c72b
--- libavformat/nsvdec.c | 7 +++ 1 file changed, 7 insertions(+)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index c6c3592345..9727aafcca 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -177,6 +177,7 @@ typedef struct NSVContext {
 AVRational framerate;
 uint32_t *nsvs_timestamps;
 //DVDemuxContext* dv_demux;
+int nsvf;
 } NSVContext;
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -280,6 +281,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 nsv->state = NSV_UNSYNC; /* in case we fail */
+if (nsv->nsvf) {
+av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+return 0;
+}
+nsv->nsvf = 1;
+
 size = avio_rl32(pb);
 if (size < 28)
 return -1;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
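Review bot: `nsv->nsvf = 1` is set before the header is validated, so a first NSVf that fails the `size < 28` check (or any later check in this function) still marks the file as having had its header, and a later well-formed NSVf is then skipped with `return 0`. If that is the intended reading of "a single file header" it deserves a comment at the assignment; otherwise move `nsv->nsvf = 1;` to the point where the header has been parsed successfully. The skip path also returns without consuming the block's bytes; presumably the `NSV_UNSYNC` state set just above makes the caller resync, but that is outside the hunk. The new field should have a short comment in the struct, e.g. `int nsvf; ///< an NSVf header has already been seen`.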
[FFmpeg-cvslog] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jul 29 12:40:48 2018 +0200| [b12e1618a39ab0d82ecaa301e7cceade71b7c9e3] | committer: Michael Niedermayer avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp() Fixes: Timeout Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b12e1618a39ab0d82ecaa301e7cceade71b7c9e3
--- libavcodec/qtrle.c | 10 ++ 1 file changed, 10 insertions(+)
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index a2f89039a8..5b35a5ef20 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -132,6 +132,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr,
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (num_pixels * (bytestream2_get_byte(>g) - 1));
@@ -187,6 +189,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change)
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (4 * (bytestream2_get_byte(>g) - 1));
@@ -236,6 +240,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 2;
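Review bot: The new early return works because of a property of the bytestream2 reader that the code does not state: as far as I recall, at end of data `bytestream2_get_byte()` yields 0 rather than -1, so the `while` condition turns exhaustion into a skip code and the loop previously spun without consuming input; the check placed right after the read is what breaks that. A comment above the check, `/* bytestream2_get_byte() returns 0 at EOF, which reads as a skip code; stop before looping on it */`, would make the dependency explicit and keep a future refactor from reordering the read and the check. The same two lines are repeated in the 8bpp and 16bpp hunks here and the 24bpp and 32bpp hunks on the next line; a small macro next to CHECK_PIXEL_PTR would avoid five copies. Each decode function's body continues outside its hunk.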
@@ -280,6 +286,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 3;
@@ -327,6 +335,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 4;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jul 22 20:45:39 2018 +0200| [1c05c6bd91f1ba08f9955213fea6c7c9f1b4aac5] | committer: Michael Niedermayer avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c05c6bd91f1ba08f9955213fea6c7c9f1b4aac5
--- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index c345acfc85..610143d614 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -142,7 +142,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 dirac_source_params source;
 int seen_sequence_header;
-int frame_number; /* number of the next frame to display */
+int64_t frame_number; /* number of the next frame to display */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
@@ -2040,7 +2040,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 if (*got_frame)
-s->frame_number = picture->display_picture_number + 1;
+s->frame_number = picture->display_picture_number + 1LL;
 return buf_idx;
 }
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/pixfmt: Document chroma plane size for odd resolutions
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Jul 18 22:22:35 2018 +0200| [56b188941fd34d1d139f77c330d36baf66c9bc09] | committer: Michael Niedermayer avutil/pixfmt: Document chroma plane size for odd resolutions Signed-off-by: Michael Niedermayer (cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56b188941fd34d1d139f77c330d36baf66c9bc09
--- libavutil/pixfmt.h | 4 1 file changed, 4 insertions(+)
diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h
index 029c911d49..025f96be88 100644
--- a/libavutil/pixfmt.h
+++ b/libavutil/pixfmt.h
@@ -43,6 +43,10 @@
 * This is stored as BGRA on little-endian CPU architectures and ARGB on
 * big-endian CPUs.
 *
+ * @note
+ * If the resolution is not a multiple of the chroma subsampling factor
+ * then the chroma plane resolution must be rounded up.
+ *
 * @par
 * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized
 * image data is stored in AVFrame.data[0]. The palette is transported in
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] swresample/swresample: Fix input channel count in resample_first computation
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jul 24 22:44:12 2018 +0200| [83ffda78ddb1f8f44fe964551bc27355b4a3a695] | committer: Michael Niedermayer swresample/swresample: Fix input channel count in resample_first computation Found-by: Marcin Gorzel Reviewed-by: Marcin Gorzel Signed-off-by: Michael Niedermayer (cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=83ffda78ddb1f8f44fe964551bc27355b4a3a695
--- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 47d4f0dd0b..54180e220c 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -316,7 +316,7 @@ av_cold int swr_init(struct SwrContext *s){
 av_assert0(s->used_ch_count);
 av_assert0(s->out.ch_count);
-s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
+s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
 s->in_buffer= s->in;
 s->silence = s->in;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jul 22 18:58:34 2018 +0200| [00c3f178a8e52c353091013e09378cd37b3e4aa1] | committer: Michael Niedermayer avcodec/diracdec: Prevent integer overflow in intermediate in global_mv() Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int' Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00c3f178a8e52c353091013e09378cd37b3e4aa1 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9801eb2c85..c345acfc85 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1186,8 +1186,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog