[FFmpeg-cvslog] fate-api-h264-slice: use the heap for nal buffer

2018-11-20 Thread Peter Ross
ffmpeg | branch: master | Peter Ross  | Wed Nov 21 01:31:44 
2018 +1100| [3fc7b69496fd586a609f9c8a2f1ed17e46bf5fff] | committer: Michael 
Niedermayer

fate-api-h264-slice: use the heap for nal buffer

nal buffer is 512 kilobytes

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fc7b69496fd586a609f9c8a2f1ed17e46bf5fff
---

 tests/api/api-h264-slice-test.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c
index c6614da34d..b893737bca 100644
--- a/tests/api/api-h264-slice-test.c
+++ b/tests/api/api-h264-slice-test.c
@@ -117,9 +117,9 @@ int main(int argc, char **argv)
 unsigned int threads;
 AVPacket *pkt;
 FILE *file = NULL;
-char nal[MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE];
+char * nal = NULL;
 int nals = 0, ret = 0;
-char *p = nal;
+char *p;
 
 if (argc < 4) {
 fprintf(stderr, "Usage: %s   \n", 
argv[0]);
@@ -139,6 +139,11 @@ int main(int argc, char **argv)
 return -1;
 }
 
+nal = av_malloc(MAX_SLICES * UINT16_MAX + AV_INPUT_BUFFER_PADDING_SIZE);
+if (!nal)
+goto err;
+p = nal;
+
 if (!(codec = avcodec_find_decoder(AV_CODEC_ID_H264))) {
 fprintf(stderr, "Codec not found\n");
 ret = -1;
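Review bot: The new allocation-failure path jumps to `err` with `ret` still 0, so an av_malloc() failure makes main() report success, whereas the neighbouring "Codec not found" path sets `ret = -1` before jumping. The failure branch should follow the same convention, e.g. `if (!nal) { ret = -1; goto err; }` (or `ret = AVERROR(ENOMEM)` if the program's exit codes follow libav conventions). main() starts and ends outside this hunk, so I cannot see whether a later statement happens to reset `ret` on that path.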
@@ -223,6 +228,8 @@ int main(int argc, char **argv)
 ret = decode(c, frame, NULL);
 
 err:
+if (nal)
+av_free(nal);
 if (file)
 fclose(file);
 av_frame_free();
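Review bot: The `if (nal)` guard before `av_free(nal)` is redundant, since av_free() accepts NULL like free() does; a plain `av_free(nal);` keeps the cleanup label shorter and matches how the rest of libavutil callers write it. The guard is harmless, so this is a style point only. The cleanup section continues past the end of the hunk.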



[FFmpeg-cvslog] avcodec/truemotion2: Check huffman code max bits

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: master | Michael Niedermayer  | Mon 
Nov 19 23:47:13 2018 +0100| [77bf85515e59f7b17685fbbec943ff46f6217719] | 
committer: Michael Niedermayer

avcodec/truemotion2: Check huffman code max bits

Fixes: Timeout
Fixes: 
10984/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6643310750859264

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=77bf85515e59f7b17685fbbec943ff46f6217719
---

 libavcodec/truemotion2.c | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 58a577f53c..6d58483a77 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -112,9 +112,13 @@ typedef struct TM2Huff {
 int *lens; ///< codelengths
 } TM2Huff;
 
+/**
+ *
+ * @returns the length of the longest code or an AVERROR code
+ */
 static int tm2_read_tree(TM2Context *ctx, uint32_t prefix, int length, TM2Huff 
*huff)
 {
-int ret;
+int ret, ret2;
 if (length > huff->max_bits) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Tree exceeded its given depth 
(%i)\n",
huff->max_bits);
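Review bot: The new Doxygen block opens with an empty ` *` line and gives only `@returns`, leaving the function's purpose undocumented. A one-line brief would complete it, e.g. `/** Recursively read one node of the Huffman code tree from the bitstream, recording each leaf's code and length in huff. @returns the length of the longest code read, or a negative AVERROR code. */` (the leaf recording is visible in the second hunk at lines 112-114; the "negative AVERROR" wording mirrors the existing return on the depth check). tm2_read_tree() continues past the end of this hunk.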
@@ -133,14 +137,14 @@ static int tm2_read_tree(TM2Context *ctx, uint32_t 
prefix, int length, TM2Huff *
 huff->bits[huff->num] = prefix;
 huff->lens[huff->num] = length;
 huff->num++;
-return 0;
+return length;
 } else { /* non-terminal node */
-if ((ret = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
-return ret;
+if ((ret2 = tm2_read_tree(ctx, prefix << 1, length + 1, huff)) < 0)
+return ret2;
 if ((ret = tm2_read_tree(ctx, (prefix << 1) | 1, length + 1, huff)) < 
0)
 return ret;
 }
-return 0;
+return FFMAX(ret, ret2);
 }
 
 static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
@@ -183,6 +187,11 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes 
*code)
 
 res = tm2_read_tree(ctx, 0, 0, );
 
+if (res >= 0 && res != huff.max_bits) {
+av_log(ctx->avctx, AV_LOG_ERROR, "Got less bits than expected: %i of 
%i\n",
+   res, huff.max_bits);
+res = AVERROR_INVALIDDATA;
+}
 if (huff.num != huff.max_num) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Got less codes than expected: %i of 
%i\n",
huff.num, huff.max_num);



[FFmpeg-cvslog] api-h264-slice-test: use av_be2ne16 instead of ntohs

2018-11-20 Thread Peter Ross
ffmpeg | branch: master | Peter Ross  | Tue Nov 20 18:51:52 
2018 +1100| [7cda7d217cd0e9eaa38cc0d5dbbb6204b92fce97] | committer: Michael 
Niedermayer

api-h264-slice-test: use av_be2ne16 instead of ntohs

avformat/network.h is not required here.

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7cda7d217cd0e9eaa38cc0d5dbbb6204b92fce97
---

 tests/api/api-h264-slice-test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/api/api-h264-slice-test.c b/tests/api/api-h264-slice-test.c
index be03e80049..c6614da34d 100644
--- a/tests/api/api-h264-slice-test.c
+++ b/tests/api/api-h264-slice-test.c
@@ -41,10 +41,10 @@
 #include 
 #include 
 
-#include "libavformat/network.h"
 #include "libavcodec/avcodec.h"
 #include "libavutil/pixdesc.h"
 #include "libavutil/hash.h"
+#include "libavutil/bswap.h"
 
 static int header = 0;
 
@@ -191,7 +191,7 @@ int main(int argc, char **argv)
 if (ret != sizeof(uint16_t))
 break;
 
-size = ntohs(size);
+size = av_be2ne16(size);
 ret = fread(p, 1, size, file);
 if (ret != size) {
 perror("Couldn't read data");
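Review bot: The `fread(p, 1, size, file)` right after the byte swap is bounded only by the fixed-size `nal` buffer (`MAX_SLICES * UINT16_MAX` plus padding per the sibling commit), so it stays in bounds only if a `nals < MAX_SLICES` check precedes the advance of `p`; that check is not in this hunk and I cannot confirm it from here. If it is absent, a short comment on the read such as `/* bounded by MAX_SLICES * UINT16_MAX: caller guarantees nals < MAX_SLICES */` would document the assumption, or an explicit check should be added before the read. main() continues outside this hunk.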



[FFmpeg-cvslog] avfilter/vf_overlay: fix crash with negative y

2018-11-20 Thread Paul B Mahol
ffmpeg | branch: master | Paul B Mahol  | Tue Nov 20 23:18:47 
2018 +0100| [57815cfad5c5d6beb6f3fc0ae86b050a970d3a08] | committer: Paul B Mahol

avfilter/vf_overlay: fix crash with negative y

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=57815cfad5c5d6beb6f3fc0ae86b050a970d3a08
---

 libavfilter/vf_overlay.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavfilter/vf_overlay.c b/libavfilter/vf_overlay.c
index ba25893739..a12e7a793f 100644
--- a/libavfilter/vf_overlay.c
+++ b/libavfilter/vf_overlay.c
@@ -473,12 +473,12 @@ static av_always_inline void blend_plane(AVFilterContext 
*ctx,
 slice_start = (jmax * jobnr) / nb_jobs;
 slice_end = (jmax * (jobnr+1)) / nb_jobs;
 
-sp = src->data[i] + slice_start * src->linesize[i];
+sp = src->data[i] + (j + slice_start) * src->linesize[i];
 dp = dst->data[dst_plane]
-  + (yp + slice_start) * dst->linesize[dst_plane]
+  + (yp + j + slice_start) * dst->linesize[dst_plane]
   + dst_offset;
-ap = src->data[3] + (slice_start << vsub) * src->linesize[3];
-dap = dst->data[3] + ((yp + slice_start) << vsub) * dst->linesize[3];
+ap = src->data[3] + (j + slice_start << vsub) * src->linesize[3];
+dap = dst->data[3] + ((yp + j + slice_start) << vsub) * dst->linesize[3];
 
 for (j = j + slice_start; j < slice_end; j++) {
 k = FFMAX(-xp, 0);
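Review bot: The new `ap` line relies on `+` binding tighter than `<<` (`j + slice_start << vsub` parses as `(j + slice_start) << vsub`), which is the intended row index but reads as if `slice_start << vsub` were meant, and GCC's -Wparentheses flags exactly this pattern. Parenthesising it as `ap = src->data[3] + ((j + slice_start) << vsub) * src->linesize[3];` makes it match the form already used on the `dap` line below it. blend_plane() starts and ends outside this hunk.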



[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Nov  9 19:59:27 2018 +0100| [0728911951100305e8b2379ac37c44f5ac0c1c75] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow with offset

Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented 
in type 'int'
Fixes: 
10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0728911951100305e8b2379ac37c44f5ac0c1c75
---

 libavcodec/shorten.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 6ec1632aac..33a99158f9 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -306,7 +306,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* subtract offset from previous samples to use in prediction */
 if (command == FN_QLPC && coffset)
 for (i = -pred_order; i < 0; i++)
-s->decoded[channel][i] -= coffset;
+s->decoded[channel][i] -= (unsigned)coffset;
 
 /* decode residual and do LPC prediction */
 init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
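Review bot: The `(unsigned)coffset` cast is a deliberate switch to wrapping arithmetic and nothing in the hunk says so; a reader may later "clean up" the cast and reintroduce the signed overflow the commit message cites. A one-line comment on the loop, e.g. `/* unsigned: wrap on overflow instead of signed-overflow UB */`, would pin the intent; the same applies to the second hunk at lines 289-293. decode_subframe_lpc() starts and ends outside these hunks.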
@@ -321,7 +321,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 /* add offset to current samples */
 if (command == FN_QLPC && coffset)
 for (i = 0; i < s->blocksize; i++)
-s->decoded[channel][i] += coffset;
+s->decoded[channel][i] += (unsigned)coffset;
 
 return 0;
 }



[FFmpeg-cvslog] avcodec/pngdec: Check compression method

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Nov  9 03:12:45 2018 +0100| [3ae8a4cf060e5eda6c5192879131301c94dddc70] | 
committer: Michael Niedermayer

avcodec/pngdec: Check compression method

method 0 (inflate/deflate) is the only one specified in the specification and the
only one supported

Fixes: Timeout
Fixes: 
10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3ae8a4cf060e5eda6c5192879131301c94dddc70
---

 libavcodec/pngdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index ac49954ad0..c5dad0c154 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -564,6 +564,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
 }
 s->color_type   = bytestream2_get_byte(>gb);
 s->compression_type = bytestream2_get_byte(>gb);
+if (s->compression_type) {
+av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", 
s->compression_type);
+goto error;
+}
 s->filter_type  = bytestream2_get_byte(>gb);
 s->interlace_type   = bytestream2_get_byte(>gb);
 bytestream2_skip(>gb, 4); /* crc */
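Review bot: The new guard rejects any compression method other than 0, but the `filter_type` byte read on the very next line is in the same position: the PNG specification likewise defines only filter method 0, and an unchecked value there can feed the same kind of unreachable or looping path the commit fixes for compression. Consider extending the check, e.g. `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }`. The `error` label and the rest of decode_ihdr_chunk() are outside this hunk.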



[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Nov  4 20:00:16 2018 +0100| [0acb6f692ef247bbf6612cc1212897613c175a06] | 
committer: Michael Niedermayer

avcodec/cavsdec: Propagate error codes inside decode_mb_i()

Fixes: Timeout
Fixes: 
10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0acb6f692ef247bbf6612cc1212897613c175a06
---

 libavcodec/cavsdec.c | 29 +
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 289ed1b242..2d64f9d7cc 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -592,14 +592,21 @@ static int decode_residual_block(AVSContext *h, 
GetBitContext *gb,
 }
 
 
-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
 {
-if (h->cbp & (1 << 4))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (h->cbp & (1 << 4)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-if (h->cbp & (1 << 5))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (ret < 0)
+return ret;
+}
+if (h->cbp & (1 << 5)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
   ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+if (ret < 0)
+return ret;
+}
+return 0;
 }
 
 static inline int decode_residual_inter(AVSContext *h)
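Review bot: decode_residual_chroma() now has a return contract that nothing documents: callers must treat a negative value as an error and 0 as success, and the two chroma planes are decoded in a fixed order so a failure on Cb skips Cr. A short comment above the definition, e.g. `/* Decode the Cb/Cr residual blocks selected by cbp bits 4 and 5; returns 0, or the negative error from decode_residual_block() */`, would make the new contract explicit for the three call sites this commit touches. The continuation lines of both decode_residual_block() calls also keep their old alignment after the `int ret = ` prefix was added, which is a minor formatting point.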
@@ -650,6 +657,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 uint8_t top[18];
 uint8_t *left = NULL;
 uint8_t *d;
+int ret;
 
 ff_cavs_init_mb(h);
 
@@ -693,8 +701,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 ff_cavs_load_intra_pred_luma(h, top, , block);
 h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]]
 (d, top, left, h->l_stride);
-if (h->cbp & (1l_stride);
+if (h->cbp & (1l_stride);
+if (ret < 0)
+return ret;
+}
 }
 
 /* chroma intra prediction */
@@ -704,7 +715,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
 h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10],
   h->left_border_v, h->c_stride);
 
-decode_residual_chroma(h);
+ret = decode_residual_chroma(h);
+if (ret < 0)
+return ret;
 ff_cavs_filter(h, I_8X8);
 set_mv_intra(h);
 return 0;



[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Oct 24 01:44:12 2018 +0200| [6f84b1c458c6aafc9f1ba5d5a6da8792fc60ec8b] | 
committer: Michael Niedermayer

avutil/integer: Fix integer overflow in av_mul_i()

Found-by: fate
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f84b1c458c6aafc9f1ba5d5a6da8792fc60ec8b
---

 libavutil/integer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/integer.c b/libavutil/integer.c
index 6d6855fa1b..ba4aa778c9 100644
--- a/libavutil/integer.c
+++ b/libavutil/integer.c
@@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){
 
 if(a.v[i])
 for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i];
+carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i];
 out.v[j]= carry;
 }
 }



[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Oct 20 22:35:37 2018 +0200| [bdd3c7af5ee18c3bcc71525f7062234eaf95b164] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

Fixes: assertion failure
Fixes: 
10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bdd3c7af5ee18c3bcc71525f7062234eaf95b164
---

 libavcodec/jpeg2000dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 83b418925c..8714399cbd 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1127,7 +1127,7 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 step_x = 32;
 step_y = 32;
 
-if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+if (RSpoc >= FFMIN(codsty->nreslevels, REpoc))
 continue;
 
 for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, 
REpoc); reslevelno++) {
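Review bot: The `>=` guard now duplicates the exit condition of the `for` loop immediately below it, so the reason an empty loop is not sufficient is not visible in the hunk; presumably code after the loop asserts on this case, as the commit message's "assertion failure" suggests, but I cannot confirm that from here. A one-line comment on the guard, such as `/* empty resolution range: skip before later code asserts on it */`, would save the next reader from re-deriving the off-by-one. jpeg2000_decode_packets_po_iteration() starts and ends outside this hunk.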



[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Oct 28 21:08:39 2018 +0100| [cf21323dd4600a76cd9cb78563999733571ebdbd] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported 
mp3adu case

Fixes: Timeout
Fixes: 
10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896
Fixes: 
10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cf21323dd4600a76cd9cb78563999733571ebdbd
---

 libavcodec/mpegaudio_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index a358069dab..a512e08ce9 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 "MP3ADU full parser");
 *poutbuf = NULL;
 *poutbuf_size = 0;
-return 0; /* parsers must not return error codes */
+return buf_size; /* parsers must not return error 
codes */
 }
 
 break;
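Review bot: Returning `buf_size` after setting `*poutbuf = NULL` means the input is consumed and silently dropped, and the retained comment `/* parsers must not return error codes */` only explains why an error is not returned, not why the data is discarded. Extending it to `/* parsers must not return error codes; consume the input so the caller makes progress instead of looping */` would record the timeout rationale from the commit message at the point where it matters. mpegaudio_parse() continues outside this hunk.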



[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Oct 21 14:40:14 2018 +0200| [3049d6d8219b517020de0f0a1759e96fed49ef37] | 
committer: Michael Niedermayer

avcodec/msrle: Check that the input is large enough to contain a end of picture 
code

Fixes: Timeout
Fixes: 
10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3049d6d8219b517020de0f0a1759e96fed49ef37
---

 libavcodec/msrle.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c
index 4032d0840a..154c3df1f9 100644
--- a/libavcodec/msrle.c
+++ b/libavcodec/msrle.c
@@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx,
 s->buf = buf;
 s->size = buf_size;
 
+if (buf_size < 2) //Minimally a end of picture code should be there
+return AVERROR_INVALIDDATA;
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
 



[FFmpeg-cvslog] avformat/flvenc: Check audio packet size

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Jul 28 15:03:50 2018 +0200| [d8ecb335fe4852bbc172c7b79e66944d158b4d92] | 
committer: Michael Niedermayer

avformat/flvenc: Check audio packet size

Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf

Found-by: #CHEN HONGXU# 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8ecb335fe4852bbc172c7b79e66944d158b4d92
---

 libavformat/flvenc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index e217ba8a82..9e732fcf9f 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -514,6 +514,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 uint8_t *data = NULL;
 int flags = -1, flags_size, ret;
 
+if (enc->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) {
+av_log(s, AV_LOG_WARNING, "Empty audio Packet\n");
+return AVERROR(EINVAL);
+}
+
 if (enc->codec_id == AV_CODEC_ID_VP6F || enc->codec_id == AV_CODEC_ID_VP6A 
||
 enc->codec_id == AV_CODEC_ID_VP6  || enc->codec_id == AV_CODEC_ID_AAC)
 flags_size = 2;
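Review bot: The new branch logs at AV_LOG_WARNING but then fails the whole write with `AVERROR(EINVAL)`, so the severity of the message and the effect on the caller disagree. Either log at AV_LOG_ERROR to match the hard failure, or, if an empty audio packet is meant to be tolerated, warn and `return 0;` to drop it; which of the two is intended is not visible from the hunk. flv_write_packet() starts and ends outside this hunk.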



[FFmpeg-cvslog] avcodec/dvdsubdec: Sanity check len in decode_rle()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Sep 13 03:33:50 2018 +0200| [c2f02af6968498b482d12cc27d0c91891c444a0a] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Sanity check len in decode_rle()

Fixes: Timeout
Fixes: 
9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2f02af6968498b482d12cc27d0c91891c444a0a
---

 libavcodec/dvdsubdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index d017e771fc..4bdffeb700 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, 
int h,
 len = decode_run_8bit(, );
 else
 len = decode_run_2bit(, );
+if (len != INT_MAX && len > w - x)
+return AVERROR_INVALIDDATA;
 len = FFMIN(len, w - x);
 memset(d + x, color, len);
 x += len;
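Review bot: The `len != INT_MAX` exemption depends on an in-band sentinel whose meaning is defined in decode_run_8bit()/decode_run_2bit(), outside this hunk, and the next line's `FFMIN(len, w - x)` is what turns that sentinel into "fill to end of row". A comment on the new check, e.g. `/* INT_MAX is the run-to-end-of-line sentinel, clamped below; any other run past the row end is corrupt */`, would stop a later reader from "fixing" the exemption away. decode_rle() starts and ends outside this hunk.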



[FFmpeg-cvslog] avformat/utils: Never store negative values in last_IP_duration

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Oct 12 20:55:25 2018 +0200| [dc13bac6deaa3ee3641d331556ac41556993e07e] | 
committer: Michael Niedermayer

avformat/utils: Never store negative values in last_IP_duration

Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dc13bac6deaa3ee3641d331556ac41556993e07e
---

 libavformat/utils.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index fa4b06ffd6..b0d330ba9f 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1114,7 +1114,7 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 
 /* This is tricky: the dts must be incremented by the duration
  * of the frame we are displaying, i.e. the last I- or P-frame. */
-if (st->last_IP_duration == 0)
+if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= 
INT32_MAX)
 st->last_IP_duration = pkt->duration;
 if (pkt->dts != AV_NOPTS_VALUE)
 st->cur_dts = pkt->dts + st->last_IP_duration;
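Review bot: The `(uint64_t)pkt->duration <= INT32_MAX` idiom rejects negative durations as well as oversized ones, since the cast maps negatives to very large unsigned values, and nothing in the hunk says that both cases are intended. A short comment, e.g. `/* unsigned compare: rejects negative and > INT32_MAX durations in one test */`, would document it; the same applies to the second hunk at lines 765-775, which repeats the idiom. compute_pkt_fields() starts and ends outside these hunks.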
@@ -1126,7 +1126,8 @@ static void compute_pkt_fields(AVFormatContext *s, 
AVStream *st,
 next_pts != AV_NOPTS_VALUE)
 pkt->pts = next_dts;
 
-st->last_IP_duration = pkt->duration;
+if ((uint64_t)pkt->duration <= INT32_MAX)
+st->last_IP_duration = pkt->duration;
 st->last_IP_pts  = pkt->pts;
 /* Cannot compute PTS if not present (we can compute it only
  * by knowing the future. */



[FFmpeg-cvslog] avcodec/unary: Improve get_unary() docs

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Sep 22 15:18:17 2018 +0200| [604957c557dfbbb1a8e913519b0aa266b5b3dbc0] | 
committer: Michael Niedermayer

avcodec/unary: Improve get_unary() docs

Found-by: kierank
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=604957c557dfbbb1a8e913519b0aa266b5b3dbc0
---

 libavcodec/unary.h | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/libavcodec/unary.h b/libavcodec/unary.h
index 908dc93507..d57f9f70c5 100644
--- a/libavcodec/unary.h
+++ b/libavcodec/unary.h
@@ -28,7 +28,20 @@
  * @param gb GetBitContext
  * @param[in] stop The bitstop value (unary code of 1's or 0's)
  * @param[in] len Maximum length
- * @return Unary length/index
+ * @return unary 0 based code index. This is also the length in bits of the
+ * code excluding the stop bit.
+ * (in case len=1)
+ * 10
+ * 01
+ * (in case len=2)
+ * 10
+ * 01   1
+ * 00   2
+ * (in case len=3)
+ * 10
+ * 01   1
+ * 001  2
+ * 000  3
  */
 static inline int get_unary(GetBitContext *gb, int stop, int len)
 {



[FFmpeg-cvslog] avformat/utils: Fix integer overflow in discontinuity check

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Oct 12 03:00:32 2018 +0200| [6ce3fee455d66c2a51f9a5551a9356efde28e193] | 
committer: Michael Niedermayer

avformat/utils: Fix integer overflow in discontinuity check

Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 
cannot be represented in type 'long'
Fixes: find_stream_info_usan

Reported-by: Thomas Guilbert 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ce3fee455d66c2a51f9a5551a9356efde28e193
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index c228bc90dc..fa4b06ffd6 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3326,7 +3326,7 @@ int avformat_find_stream_info(AVFormatContext *ic, 
AVDictionary **options)
  * sequence, we treat it as a discontinuity. */
 if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
 st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
-(pkt->dts - st->info->fps_last_dts) / 1000 >
+(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 >
 (st->info->fps_last_dts - 
(uint64_t)st->info->fps_first_dts) /
 (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
 av_log(ic, AV_LOG_WARNING,
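Review bot: Casting `fps_last_dts` to uint64_t changes more than the overflow behaviour: when `pkt->dts` is smaller than `fps_last_dts`, the subtraction now wraps to a huge unsigned value, the division stays unsigned, and the comparison becomes true, so a backwards dts step is classified as a discontinuity where the signed version would have produced a negative quotient and not triggered. That may well be the desired outcome, but the commit message only mentions the overflow, so either a comment such as `/* unsigned: a dts step backwards also counts as a discontinuity */` or an explicit `pkt->dts < st->info->fps_last_dts ||` clause would make the intent visible. avformat_find_stream_info() starts and ends outside this hunk.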



[FFmpeg-cvslog] avcodec/h264_cavlc: Check mb_skip_run

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Oct  4 03:13:41 2018 +0200| [89a8b69e9bf658383aacbda7f372191385ae2bd4] | 
committer: Michael Niedermayer

avcodec/h264_cavlc: Check mb_skip_run

Fixes: 
10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 
'int'

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=89a8b69e9bf658383aacbda7f372191385ae2bd4
---

 libavcodec/h264_cavlc.c | 10 --
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 97ec6fd4ae..250e93bc8e 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -721,8 +721,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, 
H264SliceContext *sl)
 cbp = 0; /* avoid warning. FIXME: find a solution without slowing
 down the code */
 if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
-if (sl->mb_skip_run == -1)
-sl->mb_skip_run = get_ue_golomb_long(>gb);
+if (sl->mb_skip_run == -1) {
+unsigned mb_skip_run = get_ue_golomb_long(>gb);
+if (mb_skip_run > h->mb_num) {
+av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", 
mb_skip_run);
+return AVERROR_INVALIDDATA;
+}
+sl->mb_skip_run = mb_skip_run;
+}
 
 if (sl->mb_skip_run--) {
 if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
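Review bot: The new log call prints the `unsigned mb_skip_run` with `%d`, which is a format/argument type mismatch that -Wformat reports; it should be `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`. The comparison `mb_skip_run > h->mb_num` also mixes unsigned and (presumably) int, which is fine only because `mb_num` is non-negative; a cast or comment would make that explicit. ff_h264_decode_mb_cavlc() starts and ends outside this hunk.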



[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in add_wav()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Oct 10 04:25:50 2018 +0200| [e42f2eb165e7a4242e9c09d2286351cd0bd79ca6] | 
committer: Michael Niedermayer

avcodec/ra144: Fix integer overflow in add_wav()

Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in 
type 'int'
Fixes: 
10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e42f2eb165e7a4242e9c09d2286351cd0bd79ca6
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 054d275354..3393d7a87f 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
+dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
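Review bot: The `else` branch at the last line of the hunk still sums `s2[i]*v[1] + s3[i]*v[2]` in signed int, so if those two products can reach the magnitudes the commit message reports for the `v[0]` branch, the same signed overflow remains there; I cannot tell from the hunk what bounds `v[1]` and `v[2]` have. If they are unbounded, the same treatment applies: `dest[i] = (int)(s2[i]*(unsigned)v[1] + s3[i]*v[2]) >> 12;`. Note also that the final `>> 12` on a negative int relies on arithmetic right shift, which is implementation-defined rather than undefined and is assumed throughout FFmpeg. add_wav() starts and ends outside this hunk.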



[FFmpeg-cvslog] avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Sep 13 04:24:49 2018 +0200| [6645783a3aa46107405c2f7aca65e7a7f13cf5a6] | 
committer: Michael Niedermayer

avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

Speed improvement: 35.5 sec -> 34.7 sec

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6645783a3aa46107405c2f7aca65e7a7f13cf5a6
---

 libavcodec/dvdsubdec.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 5e0820e697..d017e771fc 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color)
 {
 int len;
 int has_run = get_bits1(gb);
-if (get_bits1(gb))
-*color = get_bits(gb, 8);
-else
-*color = get_bits(gb, 2);
+*color = get_bits(gb, 2 + 6*get_bits1(gb));
 if (has_run) {
 if (get_bits1(gb)) {
 len = get_bits(gb, 7);
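Review bot: The branch-free `get_bits(gb, 2 + 6*get_bits1(gb))` is correct but encodes the format rule as arithmetic, so the reader has to reverse-engineer that one flag bit selects a 2-bit or 8-bit colour field. A trailing comment, `/* flag bit selects 2-bit (0) or 8-bit (1) colour */`, keeps the optimisation readable. decode_run_8bit() continues outside this hunk.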



[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix undefined shift in get_amv()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Sep 15 00:20:38 2018 +0200| [49023147c7fcb8319830be698b280e65e82ddf22] | 
committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix undefined shift in get_amv()

Fixes: runtime error: shift exponent -1 is negative
Fixes: 
9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=49023147c7fcb8319830be698b280e65e82ddf22
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index 23dde9ee85..936406d2d1 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -537,7 +537,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
 len >>= s->quarter_sample;
 
 if (s->real_sprite_warping_points == 1) {
-if (ctx->divx_version == 500 && ctx->divx_build == 413)
+if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= 
s->quarter_sample)
 sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
 else
 sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
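Review bot: The added `a >= s->quarter_sample` guard silently diverts the DivX 5.00 build 413 case to the generic RSHIFT formula instead of flagging the stream, and nothing in the hunk says that this is the intended result for such input. A comment such as `/* a < quarter_sample would give a negative shift exponent; fall through to the generic formula */` would record that. Whether `a - s->quarter_sample` can also reach the width of int depends on the bound on `a`, which is established outside this hunk; get_amv continues past the hunk in both directions.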



[FFmpeg-cvslog] avcodec/zmbv: Update decomp_len in raw frames

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Sep 17 21:33:59 2018 +0200| [edae5259c05506a0923f709ce080144c4846ca28] | 
committer: Michael Niedermayer

avcodec/zmbv: Update decomp_len in raw frames

decomp_len is used in raw frames, so it should not be left at the value from
whatever was decoded previously (which may be any other frame)

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edae5259c05506a0923f709ce080144c4846ca28
---

 libavcodec/zmbv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 39a08db0eb..b12c3615b4 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 return AVERROR_INVALIDDATA;
 }
 memcpy(c->decomp_buf, buf, len);
+c->decomp_len = len;
 } else { // ZLIB-compressed data
 c->zstream.total_in = c->zstream.total_out = 0;
 c->zstream.next_in = (uint8_t*)buf;
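Review bot: `c->decomp_len = len;` carries no comment saying why the raw path must refresh it, so the reasoning lives only in the commit message. Suggest `/* raw frame: decomp_len must describe this frame, not whatever was decompressed last */` beside the new line. The length check that bounds the memcpy above is outside the hunk, as is the rest of decode_frame.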



[FFmpeg-cvslog] avcodec/zmbv: Check that the decompressed data size is correct

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Sep 18 00:28:37 2018 +0200| [79c018351e6e0a3e3f58b4b7831a6642c3a4f42c] | 
committer: Michael Niedermayer

avcodec/zmbv: Check that the decompressed data size is correct

This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.

Fixes: Timeout
Fixes: 
10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79c018351e6e0a3e3f58b4b7831a6642c3a4f42c
---

 libavcodec/zmbv.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index b12c3615b4..41525cc08c 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 int zret = Z_OK; // Zlib return code
 int len = buf_size;
 int hi_ver, lo_ver, ret;
+int expected_size;
 
 /* parse header */
 if (len < 1)
@@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8));
 c->decode_intra= decode_intra;
 }
+if (c->flags & ZMBV_KEYFRAME) {
+expected_size = avctx->width * avctx->height * (c->bpp / 8);
+} else {
+expected_size = (c->bx * c->by * 2 + 3) & ~3;
+}
+if (avctx->pix_fmt == AV_PIX_FMT_PAL8 &&
+(c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME)))
+expected_size += 768;
 
 if (!c->decode_intra) {
 av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n");
@@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame, AVPac
 }
 c->decomp_len = c->zstream.total_out;
 }
+if (expected_size > c->decomp_len ||
+(c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) {
+av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, 
expected %d\n", c->decomp_len, expected_size);
+return AVERROR_INVALIDDATA;
+}
 if (c->flags & ZMBV_KEYFRAME) {
 frame->key_frame = 1;
 frame->pict_type = AV_PICTURE_TYPE_I;
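Review bot: The new condition mixes `||` and `&&` without parentheses, so `expected_size > c->decomp_len || (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len` relies on operator precedence and draws -Wparentheses; writing it as `expected_size > c->decomp_len || ((c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len)` makes the intra/inter distinction readable. The keyframe `expected_size` computed in the previous hunk is `width * height * (bpp / 8)` in int, the same expression the existing memset already uses, so any overflow there predates this change. decode_frame continues past the hunk.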



[FFmpeg-cvslog] avcodec/shorten: Fix bitstream end check in read_header()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Sep 15 02:08:20 2018 +0200| [f2640f76489464f4a0016c729aa04d46d3638abb] | 
committer: Michael Niedermayer

avcodec/shorten: Fix bitstream end check in read_header()

Fixes: Timeout
Fixes: 
9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f2640f76489464f4a0016c729aa04d46d3638abb
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index de2be90e77..6ec1632aac 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -380,7 +380,7 @@ static int read_header(ShortenContext *s)
 }
 
 skip_bytes = get_uint(s, NSKIPSIZE);
-if ((unsigned)skip_bytes > get_bits_left(>gb)/8) {
+if ((unsigned)skip_bytes > FFMAX(get_bits_left(>gb), 0)/8) {
 av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", 
skip_bytes);
 return AVERROR_INVALIDDATA;
 }
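Review bot: The clamp `FFMAX(get_bits_left(...), 0)` deserves a comment: get_bits_left() goes negative once the reader has overrun, and the comparison is done in unsigned, so a negative value would have converted to a huge number and let any skip_bytes through. Suggest `/* get_bits_left() can be negative after an overread; clamp so the unsigned compare cannot accept it */` above the if. The `&s` of `&s->gb` appears to have been eaten by the list archive's rendering rather than by the patch itself. read_header continues past the hunk.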



[FFmpeg-cvslog] avcodec/shorten: Check verbatim length

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Aug 12 22:43:33 2018 +0200| [ed0f21a89a416e3b53754dc6fc6eba100695431a] | 
committer: Michael Niedermayer

avcodec/shorten: Check verbatim length

Fixes: Timeout
Fixes: 
9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed0f21a89a416e3b53754dc6fc6eba100695431a
---

 libavcodec/shorten.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index f481a84fed..047fb05a9b 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -518,6 +518,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, 
void *data,
 switch (cmd) {
 case FN_VERBATIM:
 len = get_ur_golomb_shorten(>gb, VERBATIM_CKSIZE_SIZE);
+if (len < 0 || len > get_bits_left(>gb)) {
+av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n",
+   len);
+return AVERROR_INVALIDDATA;
+}
 while (len--)
 get_ur_golomb_shorten(>gb, VERBATIM_BYTE_SIZE);
 break;
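Review bot: The bound `len > get_bits_left(&s->gb)` is sound only because every verbatim symbol costs at least one bit, and that reasoning is not written down. A comment such as `/* each verbatim byte takes at least one bit, so len cannot exceed the bits left */` would keep the check from looking arbitrary. What get_ur_golomb_shorten() returns on an exhausted stream is not visible here, so the `len < 0` half of the test is presumably covering its error path; shorten_decode_frame continues past the hunk.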



[FFmpeg-cvslog] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Aug 20 22:53:32 2018 +0200| [db39404c1581b16a307ca2089346267a98a28b91] | 
committer: Michael Niedermayer

avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

Fixes: Timeout
Fixes: 
9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=db39404c1581b16a307ca2089346267a98a28b91
---

 libavcodec/hq_hqa.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c
index d18464769d..7ae58e0985 100644
--- a/libavcodec/hq_hqa.c
+++ b/libavcodec/hq_hqa.c
@@ -180,6 +180,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int 
qgroup,
 int flag = 0;
 int i, ret, cbp;
 
+if (get_bits_left(gb) < 1)
+return AVERROR_INVALIDDATA;
+
 cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1);
 
 for (i = 0; i < 12; i++)
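Review bot: The new `get_bits_left(gb) < 1` check stops the decoder from spinning on an exhausted bitstream, but it does not by itself keep the following get_vlc2() read within bounds — with bits=5 and max_depth=1 that call can consume up to 5 bits, so reads past the end are still possible and presumably covered by the input padding convention. A comment stating the scope, `/* refuse to start a macroblock once the input is exhausted (fuzzer timeout) */`, would make that clear. hqa_decode_mb continues past the hunk.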



[FFmpeg-cvslog] avcodec/vb: Check for end of bytestream before reading blocktype

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Aug 20 22:19:23 2018 +0200| [8717129d58e987d0a7516a731e39969eed71a27e] | 
committer: Michael Niedermayer

avcodec/vb: Check for end of bytestream before reading blocktype

Fixes: Timeout
Fixes: 
9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8717129d58e987d0a7516a731e39969eed71a27e
---

 libavcodec/vb.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 021657f7d8..c6dd6fb456 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2   = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+if (bytestream2_get_bytes_left() < 1) {
+av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+return AVERROR_INVALIDDATA;
+}
 blocktypes = bytestream2_get_byte();
 }
 switch (blocktypes & 0xC0) {
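Review bot: The bytes-left check guards only the blocktype byte; the per-block payload reads in the switch below are outside the hunk and not covered, so as far as I can tell this addresses the fuzzer timeout rather than an out-of-bounds read — bytestream2 readers are bounds-checked and return zero past the end. A comment on the new branch, `/* no more block types: stop rather than decode zero-filled reads to the end of the frame */`, would record that. vb_decode_framedata continues past the hunk.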



[FFmpeg-cvslog] avcodec/ra144: Fix undefined integer overflow in add_wav()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Aug 26 02:26:24 2018 +0200| [2d65c44f220c57cd5afcddee8430ded2177288eb] | 
committer: Michael Niedermayer

avcodec/ra144: Fix undefined integer overflow in add_wav()

Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 
'int'
Fixes: 
9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2d65c44f220c57cd5afcddee8430ded2177288eb
---

 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index c399304ea1..054d275354 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, 
int *m,
 
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) 
>> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
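Review bot: Only the first product is moved into unsigned arithmetic; `s2[i]*v[1] + s3[i]*v[2]` and the two additions remain signed int, so if v[1] or v[2] can reach the magnitude the commit message quotes for v[0] (their ranges are not visible here) the overflow is only relocated. Making the whole sum wrap and shifting the int result keeps the existing arithmetic shift: `dest[i] = (int)(s1[i]*(unsigned)v[0] + s2[i]*(unsigned)v[1] + s3[i]*(unsigned)v[2]) >> 12;`. The else branch on the following line has the same shape and is untouched. add_wav continues past the hunk.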



[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow with motion vector residual

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Aug 20 20:15:19 2018 +0200| [7ddcb02809f958adb0b4348d48678a1459c99857] | 
committer: Michael Niedermayer

avcodec/snowdec: Fix integer overflow with motion vector residual

Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in 
type 'int'
Fixes: 
9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ddcb02809f958adb0b4348d48678a1459c99857
---

 libavcodec/snowdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index fc917e0c35..84e98afe4c 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -205,8 +205,8 @@ static int decode_q_branch(SnowContext *s, int level, int 
x, int y){
 return AVERROR_INVALIDDATA;
 }
 pred_mv(s, , , ref, left, top, tr);
-mx+= get_symbol(>c, >block_state[128 + 32*(mx_context + 
16*!!ref)], 1);
-my+= get_symbol(>c, >block_state[128 + 32*(my_context + 
16*!!ref)], 1);
+mx+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(mx_context + 16*!!ref)], 1);
+my+= (unsigned)get_symbol(>c, >block_state[128 + 
32*(my_context + 16*!!ref)], 1);
 }
 set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type);
 }else{
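Review bot: The `(unsigned)` casts make the additions wrap instead of overflowing, but mx and my are then handed to set_blocks() with no range check in this hunk, so a wrapped motion vector is merely defined, not sensible. If set_blocks() or its consumers clamp the vectors that is fine and worth a comment, `/* additions wrap on purpose; the vector is clamped downstream */`; if they do not, a bound on mx/my after the two lines would be the real fix. decode_q_branch continues past the hunk.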



[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow in residual/LPC combination

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Aug 12 22:55:59 2018 +0200| [bb070fc4684dd80a82983469ccf685dfeb3e1c4e] | 
committer: Michael Niedermayer

avcodec/shorten: Fix integer overflow in residual/LPC combination

Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented 
in type 'int'
Fixes: 
9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb070fc4684dd80a82983469ccf685dfeb3e1c4e
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 047fb05a9b..de2be90e77 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -315,7 +315,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 for (j = 0; j < pred_order; j++)
 sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
- (sum >> qshift);
+ (unsigned)(sum >> qshift);
 }
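Review bot: `(unsigned)(sum >> qshift)` only makes the addition wrap; it relies on the shift being arithmetic, which requires `sum` to be a signed type, and sum's declaration is outside the hunk. A comment would protect that invariant against a later cleanup: `/* sum must stay signed so the shift is arithmetic; the cast only makes the addition wrap */`. decode_subframe_lpc continues past the hunk in both directions.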
 
 /* add offset to current samples */



[FFmpeg-cvslog] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Aug 17 02:06:27 2018 +0200| [fb0cd972a704fbe8100837c16b18e2cbde3d5215] | 
committer: Michael Niedermayer

avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb0cd972a704fbe8100837c16b18e2cbde3d5215
---

 libavcodec/h264_refs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index a3de6b2f35..5ec7f2d061 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -813,6 +813,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO 
*mmco, int mmco_count)
 pps_ref_count[1] = FFMAX(pps_ref_count[1], h->pps.ref_count[1]);
 }
 
+// Detect unmarked random access points
 if (   err >= 0
 && h->long_ref_count==0
 && (   h->short_ref_count<=2



[FFmpeg-cvslog] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Aug 16 15:36:28 2018 +0200| [b671ebfd61b64b5e336f747b8a6abd59a535454d] | 
committer: Michael Niedermayer

avformat/mlvdec: read_string() received unsigned size, make the argument 
unsigned

Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04

Found-by: Paul Ch 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b671ebfd61b64b5e336f747b8a6abd59a535454d
---

 libavformat/mlvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c
index 4b3bdc1eca..84b916844c 100644
--- a/libavformat/mlvdec.c
+++ b/libavformat/mlvdec.c
@@ -76,7 +76,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid)
 return 0;
 }
 
-static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, int size)
+static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char 
*tag, unsigned size)
 {
 char * value = av_malloc(size + 1);
 if (!value) {
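Review bot: With `size` now unsigned, `av_malloc(size + 1)` wraps to zero when size == UINT_MAX, and the callers that supply size are outside the hunk, so it is not visible whether a stream-derived value can reach this point. A guard before the allocation, `if (size == UINT_MAX) return;`, or allocating `(size_t)size + 1`, closes the gap cheaply. read_string continues past the hunk.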



[FFmpeg-cvslog] avcodec/mpegaudio_parser: Initialize poutbuf*

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Aug  5 14:51:36 2018 +0200| [a36d649ffce62932b4a1ae59a0403568fa648c2a] | 
committer: Michael Niedermayer

avcodec/mpegaudio_parser: Initialize poutbuf*

Possibly fixes: null pointer dereference
Possibly fixes: 
9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 
9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a36d649ffce62932b4a1ae59a0403568fa648c2a
---

 libavcodec/mpegaudio_parser.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index b66e8b0561..a358069dab 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx,
 "MP3ADU full parser");
+*poutbuf = NULL;
+*poutbuf_size = 0;
 return 0; /* parsers must not return error codes */
 }
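Review bot: Only the MP3ADU early return initialises `*poutbuf` and `*poutbuf_size`; any other `return 0` path in mpegaudio_parse (outside the hunk) leaves the caller reading whatever those outputs held before, which is the stale-pointer case the commit message describes. Setting both at function entry, `*poutbuf = NULL; *poutbuf_size = 0;`, covers every path and lets the success path overwrite them. The rest of mpegaudio_parse is outside the hunk.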
 



[FFmpeg-cvslog] avformat/nsvdec: Do not parse multiple NSVf

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Aug 16 12:23:20 2018 +0200| [898f83386354c88c15515c4ae74658d5b123c72b] | 
committer: Michael Niedermayer

avformat/nsvdec: Do not parse multiple NSVf

The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch 
Tested-by: Paul Ch 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=898f83386354c88c15515c4ae74658d5b123c72b
---

 libavformat/nsvdec.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index c6c3592345..9727aafcca 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -177,6 +177,7 @@ typedef struct NSVContext {
 AVRational framerate;
 uint32_t *nsvs_timestamps;
 //DVDemuxContext* dv_demux;
+int nsvf;
 } NSVContext;
 
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -280,6 +281,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 
 nsv->state = NSV_UNSYNC; /* in case we fail */
 
+if (nsv->nsvf) {
+av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+return 0;
+}
+nsv->nsvf = 1;
+
 size = avio_rl32(pb);
 if (size < 28)
 return -1;
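Review bot: A second NSVf violates the spec the commit message quotes but is logged at AV_LOG_TRACE, which nobody debugging a malformed file will see; AV_LOG_WARNING, or at least AV_LOG_DEBUG, fits "may contain a single file header" better. The early return also happens after `nsv->state = NSV_UNSYNC` on the line above, so the duplicate header leaves the demuxer unsynced; if the caller resyncs anyway, a comment saying so would help. nsv_parse_NSVf_header continues past the hunk.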



[FFmpeg-cvslog] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jul 29 12:40:48 2018 +0200| [b12e1618a39ab0d82ecaa301e7cceade71b7c9e3] | 
committer: Michael Niedermayer

avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

Fixes: Timeout
Fixes: 
9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b12e1618a39ab0d82ecaa301e7cceade71b7c9e3
---

 libavcodec/qtrle.c | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index a2f89039a8..5b35a5ef20 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -132,6 +132,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int 
row_ptr,
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (num_pixels * (bytestream2_get_byte(>g) - 1));
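Review bot: The new bytes-left test returns silently from a void function with no comment explaining why exhaustion looks like an infinite loop; bytestream2_get_byte() returns 0 past the end, which the while condition never treats as the -1 terminator. Suggest `/* input exhausted: past the end bytestream2 yields 0, which is never the -1 end code */` above the check in qtrle_decode_2n4bpp, and the same line in the identical hunks of qtrle_decode_8bpp, qtrle_decode_16bpp, qtrle_decode_24bpp and qtrle_decode_32bpp. Each of those functions continues past its hunk.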
@@ -187,6 +189,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, 
int lines_to_change)
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (4 * (bytestream2_get_byte(>g) - 1));
@@ -236,6 +240,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 2;
@@ -280,6 +286,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 3;
@@ -327,6 +335,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int 
row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 4;



[FFmpeg-cvslog] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jul 22 20:45:39 2018 +0200| [1c05c6bd91f1ba08f9955213fea6c7c9f1b4aac5] | 
committer: Michael Niedermayer

avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the 
bitstream and we also have a -1 special case

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 
'int'
Fixes: 
9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c05c6bd91f1ba08f9955213fea6c7c9f1b4aac5
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index c345acfc85..610143d614 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -142,7 +142,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 dirac_source_params source;
 int seen_sequence_header;
-int frame_number;   /* number of the next frame to display   */
+int64_t frame_number;   /* number of the next frame to display   */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
@@ -2040,7 +2040,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 }
 
 if (*got_frame)
-s->frame_number = picture->display_picture_number + 1;
+s->frame_number = picture->display_picture_number + 1LL;
 
 return buf_idx;
 }
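Review bot: Widening `frame_number` to int64_t changes every consumer of the field, and this hunk covers only the assignment; any `%d` format that prints it or any int local it is copied into elsewhere in diracdec.c now mismatches. Those sites are outside the hunk, so this is worth a grep rather than a guess; a `PRId64` format and an `int64_t` local are the usual fixes. The `+ 1LL` itself is right, given that display_picture_number is, per the commit message, the 32-bit value from the stream.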



[FFmpeg-cvslog] avutil/pixfmt: Document chroma plane size for odd resolutions

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Jul 18 22:22:35 2018 +0200| [56b188941fd34d1d139f77c330d36baf66c9bc09] | 
committer: Michael Niedermayer

avutil/pixfmt: Document chroma plane size for odd resolutions

Signed-off-by: Michael Niedermayer 
(cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56b188941fd34d1d139f77c330d36baf66c9bc09
---

 libavutil/pixfmt.h | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h
index 029c911d49..025f96be88 100644
--- a/libavutil/pixfmt.h
+++ b/libavutil/pixfmt.h
@@ -43,6 +43,10 @@
  * This is stored as BGRA on little-endian CPU architectures and ARGB on
  * big-endian CPUs.
  *
+ * @note
+ * If the resolution is not a multiple of the chroma subsampling factor
+ * then the chroma plane resolution must be rounded up.
+ *
  * @par
  * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized
  * image data is stored in AVFrame.data[0]. The palette is transported in



[FFmpeg-cvslog] swresample/swresample: Fix input channel count in resample_first computation

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jul 24 22:44:12 2018 +0200| [83ffda78ddb1f8f44fe964551bc27355b4a3a695] | 
committer: Michael Niedermayer

swresample/swresample: Fix input channel count in resample_first computation

Found-by: Marcin Gorzel 
Reviewed-by: Marcin Gorzel 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=83ffda78ddb1f8f44fe964551bc27355b4a3a695
---

 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 47d4f0dd0b..54180e220c 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -316,7 +316,7 @@ av_cold int swr_init(struct SwrContext *s){
 
 av_assert0(s->used_ch_count);
 av_assert0(s->out.ch_count);
-s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
+s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < 
s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
 
 s->in_buffer= s->in;
 s->silence  = s->in;
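Review bot: The corrected expression still leaves the resample_first heuristic undocumented: `RSC*s->out.ch_count/s->used_ch_count - RSC` is an integer division compared against a float ratio, and nothing nearby says what RSC is or what the comparison decides. A comment stating the intent — presumably resample first when the channel-count growth is smaller than the sample-rate growth, so the cheaper step runs on fewer samples — would help the next reader; the division itself is safe because used_ch_count is asserted non-zero two lines above. swr_init continues past the hunk.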



[FFmpeg-cvslog] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

2018-11-20 Thread Michael Niedermayer
ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jul 22 18:58:34 2018 +0200| [00c3f178a8e52c353091013e09378cd37b3e4aa1] | 
committer: Michael Niedermayer

avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 
'int'
Fixes: 
8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00c3f178a8e52c353091013e09378cd37b3e4aa1
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 9801eb2c85..c345acfc85 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1186,8 +1186,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
