The branch, release/8.0 has been updated via 3b8fe34a3086040edd8f1d018de5af0e4af421c1 (commit) via ac8cbf2ad7bca6d8c6e5785d840c005aca21bdb1 (commit) via 30b308f7a81a61ba826b106cea67cfa531951935 (commit) via afc8c20946979717d5436906918f530394612f4f (commit) via debbeb006b0afda9e3970b9c8ec2416d666fecbe (commit) via 8c117d7fec15256a32707ea05c25c5a47c677842 (commit) via 5f8cb575e83a05bc95b82d7f5f572d8f554f3705 (commit) via abf123b74467cb7c124df0e83b978eee2b8a93de (commit) via e97babf6bc2a27efe776475f879f26f356d82d98 (commit) via 9bc89a260571d8b8226986648a8a80b5256be508 (commit) via ac5ff0ae895351c5307ae40e2cf726a1eaed1318 (commit) via a2e445918ef0f1ff12830b7354db232a7095d70e (commit) via 34c39367aa8a39fb2f26f583de269e762e334787 (commit) via 3cab0095192aa2bc51f8f8060ed4ccbf9caf3c87 (commit) via 3e05b895900e2cbfcd2dafb77de8fbcf14c71732 (commit) via 4a3e5ea8d2ebad2b930c503d08fbca05f6209d89 (commit) via 263e819aa45cd3c48bf6887be02b4ec504c02048 (commit) via 23655160ea4acb2601db6a90e1fb40fe7b4cabc4 (commit) via f2507dba3b4c40c5d2d0135a7847db448d3c3527 (commit) via da3f5273fce6c5dbb68077fbec346cc4b1a3e9f0 (commit) via 6049800a106b6ff8c6a0e062c5146e554a54c21f (commit) via e726f7af17b3ea160b6ce8482f3065e4c36c3f97 (commit) via de76fb27a6e6da0431154ce9093933281a38a889 (commit) via 995d329cf9213cc445a2cea31b8f2394d3475d8c (commit) via 81dcb6781390bd3225fc2250cb0f73ee6487eb00 (commit) via bde02336a44086d628cb8e577a915fa9a6bf6088 (commit) via 6b1f994e43b7c0648f91fc6a14ee5c090c99e1fc (commit) via 5051753833d5123707e58e2571d0831e3f9278be (commit) via a676267a2c29581346c62dbfdfc9268aa2fd2658 (commit) via bd55bf8300ef2b97c9316d7b2674b07142163e70 (commit) via 64c71cbe4eefcd59559238758bf760b3197469ef (commit) via 2feaad5cb977362610305941c689c8d76a8e80f3 (commit) from 048f6f4bd57b1f18af5da40d28d506a22daa1338 (commit)
- Log ----------------------------------------------------------------- commit 3b8fe34a3086040edd8f1d018de5af0e4af421c1 Author: Lynne <d...@lynne.ee> AuthorDate: Mon Aug 11 22:26:35 2025 +0900 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:52 2025 +0200 aacdec_usac: use RefStruct to track unfinished extension buffers Extensions in AAC USAC can be stored across multiple frames (mainly to keep CBR compliance). This means that we need to reallocate a buffer when new data is received, accumulate the bitstream data, and so on until the end of extension flag is signalled and the extension can be decoded. This is made more complicated by the way in which the AAC channel layout switching is performed. After decades of evolution, our AAC decoder evolved to double-buffer its entire configuration. All changes are buffered, verified, and applied, on a per-frame basis if required, in often random order. Since we allocate the extension data on heap, this means that if configuration is applied, in order to avoid double-freeing, we have to keep track of what we've allocated. It should be noted that extensions which are spread in multiple frames are generally rare, so an optimization to introduce av_refstruct_realloc() wouldn't generally be useful across the codebase. Therefore, a copy is good enough for now. Thanks to Michael Niedermayer for additional fixing. Fixes: double free Fixes: 393523547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-6740617236905984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit c05fc27dd33b361eb0105157ab7d3a01c2ffa782) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c index 947079bc3d..9b42014ee8 100644 --- a/libavcodec/aac/aacdec.c +++ b/libavcodec/aac/aacdec.c 
@@ -62,6 +62,7 @@ #include "libavutil/opt.h" #include "libavutil/tx.h" #include "libavutil/version.h" +#include "libavutil/refstruct.h" /* * supported tools @@ -421,6 +422,26 @@ static uint64_t sniff_channel_order(uint8_t (*layout_map)[3], int tags) return layout; } +static void copy_oc(OutputConfiguration *dst, OutputConfiguration *src) +{ + int i; + + for (i = 0; i < src->usac.nb_elems; i++) { + AACUsacElemConfig *src_e = &src->usac.elems[i]; + AACUsacElemConfig *dst_e = &dst->usac.elems[i]; + /* dst_e->ext.pl_buf is guaranteed to be set to src_e->ext.pl_buf + * upon this function's return */ + av_refstruct_replace(&dst_e->ext.pl_buf, src_e->ext.pl_buf); + } + + /* Unref all additional buffers to close leaks */ + for (; i < dst->usac.nb_elems; i++) + av_refstruct_unref(&dst->usac.elems[i].ext.pl_buf); + + /* Set all other properties */ + *dst = *src; +} + /** * Save current output configuration if and only if it has been locked. */ @@ -429,7 +450,7 @@ static int push_output_configuration(AACDecContext *ac) int pushed = 0; if (ac->oc[1].status == OC_LOCKED || ac->oc[0].status == OC_NONE) { - ac->oc[0] = ac->oc[1]; + copy_oc(&ac->oc[0], &ac->oc[1]); pushed = 1; } ac->oc[1].status = OC_NONE; @@ -443,7 +464,8 @@ static int push_output_configuration(AACDecContext *ac) static void pop_output_configuration(AACDecContext *ac) { if (ac->oc[1].status != OC_LOCKED && ac->oc[0].status != OC_NONE) { - ac->oc[1] = ac->oc[0]; + copy_oc(&ac->oc[1], &ac->oc[0]); + ac->avctx->ch_layout = ac->oc[1].ch_layout; ff_aac_output_configure(ac, ac->oc[1].layout_map, ac->oc[1].layout_map_tags, ac->oc[1].status, 0); @@ -1110,7 +1132,7 @@ static av_cold int decode_close(AVCodecContext *avctx) AACUSACConfig *usac = &oc->usac; for (int j = 0; j < usac->nb_elems; j++) { AACUsacElemConfig *ec = &usac->elems[j]; - av_freep(&ec->ext.pl_data); + av_refstruct_unref(&ec->ext.pl_buf); } av_channel_layout_uninit(&ac->oc[i].ch_layout); 
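Review bot: In `copy_oc()` the two loops reference-count `ext.pl_buf` only for indices below `nb_elems`, but the closing `*dst = *src;` copies every slot of `usac.elems`, so a slot at or above `src->usac.nb_elems` that still holds a pointer would be aliased into `dst` without a reference. Whether such a slot can exist depends on how `nb_elems` is lowered elsewhere, which is outside this hunk; the unref loop in the `decode_close()` hunk is bounded by `nb_elems` too and relies on the same invariant. Walking the whole array removes that dependence: `for (int i = 0; i < FF_ARRAY_ELEMS(dst->usac.elems); i++) av_refstruct_replace(&dst->usac.elems[i].ext.pl_buf, src->usac.elems[i].ext.pl_buf);`. `src` is never written through and could be declared `const OutputConfiguration *src`.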
diff --git a/libavcodec/aac/aacdec.h b/libavcodec/aac/aacdec.h index e5a79a7139..b3763fdccc 100644 --- a/libavcodec/aac/aacdec.h +++ b/libavcodec/aac/aacdec.h @@ -344,7 +344,7 @@ typedef struct AACUsacElemConfig { uint8_t payload_frag; uint32_t default_len; uint32_t pl_data_offset; - uint8_t *pl_data; + uint8_t *pl_buf; } ext; } AACUsacElemConfig; @@ -353,7 +353,7 @@ typedef struct AACUSACConfig { uint16_t core_frame_len; uint16_t stream_identifier; - AACUsacElemConfig elems[64]; + AACUsacElemConfig elems[MAX_ELEM_ID]; int nb_elems; struct { diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index e03e6e015f..c4b821bbba 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -24,12 +24,13 @@ #include "aacdec_ac.h" #include "libavcodec/aacsbr.h" - #include "libavcodec/aactab.h" -#include "libavutil/mem.h" #include "libavcodec/mpeg4audio.h" #include "libavcodec/unary.h" +#include "libavutil/mem.h" +#include "libavutil/refstruct.h" + /* Number of scalefactor bands per complex prediction band, equal to 2. */ #define SFB_PER_PRED_BAND 2 @@ -1574,7 +1575,6 @@ static int parse_audio_preroll(AACDecContext *ac, GetBitContext *gb) static int parse_ext_ele(AACDecContext *ac, AACUsacElemConfig *e, GetBitContext *gb) { - uint8_t *tmp; uint8_t pl_frag_start = 1; uint8_t pl_frag_end = 1; uint32_t len; 
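Review bot: The renamed field `ext.pl_buf` in `AACUsacElemConfig` has no comment saying that it is now a RefStruct reference, although that changes how it must be released and copied. An `av_free()`/`av_freep()` on it, or a struct assignment that duplicates it without `av_refstruct_replace()`, would break the reference counting this commit introduces to prevent the double free. I would add `/* RefStruct reference, may be shared between oc[0] and oc[1]; release with av_refstruct_unref() only */` next to the declaration.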
@@ -1601,18 +1601,26 @@ static int parse_ext_ele(AACDecContext *ac, AACUsacElemConfig *e, if (pl_frag_start) e->ext.pl_data_offset = 0; - /* If an extension starts and ends this packet, we can directly use it */ + /* If an extension starts and ends this packet, we can directly use it below. + * Otherwise, we have to copy it to a buffer and accumulate it. */ if (!(pl_frag_start && pl_frag_end)) { - tmp = av_realloc(e->ext.pl_data, e->ext.pl_data_offset + len); - if (!tmp) { - av_free(e->ext.pl_data); + /* Reallocate the data */ + uint8_t *tmp_buf = av_refstruct_alloc_ext(e->ext.pl_data_offset + len, + AV_REFSTRUCT_FLAG_NO_ZEROING, + NULL, NULL); + if (!tmp_buf) return AVERROR(ENOMEM); - } - e->ext.pl_data = tmp; + + /* Copy the data over only if we had saved data to begin with */ + if (e->ext.pl_buf) + memcpy(tmp_buf, e->ext.pl_buf, e->ext.pl_data_offset); + + av_refstruct_unref(&e->ext.pl_buf); + e->ext.pl_buf = tmp_buf; /* Readout data to a buffer */ for (int i = 0; i < len; i++) - e->ext.pl_data[e->ext.pl_data_offset + i] = get_bits(gb, 8); + e->ext.pl_buf[e->ext.pl_data_offset + i] = get_bits(gb, 8); } e->ext.pl_data_offset += len; @@ -1624,7 +1632,7 @@ static int parse_ext_ele(AACDecContext *ac, AACUsacElemConfig *e, GetBitContext *gb2 = gb; GetBitContext gbc; if (!(pl_frag_start && pl_frag_end)) { - ret = init_get_bits8(&gbc, e->ext.pl_data, pl_len); + ret = init_get_bits8(&gbc, e->ext.pl_buf, pl_len); if (ret < 0) return ret; 
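Review bot: When `e->ext.pl_buf` is NULL the `memcpy()` is skipped, yet the new buffer is still sized `e->ext.pl_data_offset + len` and allocated with `AV_REFSTRUCT_FLAG_NO_ZEROING`, so with a non-zero offset the first `pl_data_offset` bytes stay uninitialized and are later handed to the payload parser. The hunk resets the offset only when `pl_frag_start` is set, so a continuation fragment arriving without a stored buffer looks reachable, though a guard may sit outside the hunk. Handling that state before the allocation would close it, e.g. `if (!e->ext.pl_buf && e->ext.pl_data_offset) return AVERROR_INVALIDDATA;` or dropping the fragment. The size sum is also computed from two `uint32_t` values with no upper bound on what may accumulate across frames, so a cap on `pl_data_offset + len` belongs at the same place.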
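Review bot: `init_get_bits8(&gbc, e->ext.pl_buf, pl_len)` reads from a buffer that the previous hunk allocates at exactly `pl_data_offset + len` bytes, with no `AV_INPUT_BUFFER_PADDING_SIZE` tail. The bitstream reader expects that padding because it may load whole words past the last payload byte, so a malformed extension could cause a read beyond the allocation. Allocating `e->ext.pl_data_offset + len + AV_INPUT_BUFFER_PADDING_SIZE` and clearing the tail with `memset(tmp_buf + e->ext.pl_data_offset + len, 0, AV_INPUT_BUFFER_PADDING_SIZE);` would meet that contract. `pl_len` is set outside this hunk and should be confirmed not to exceed the accumulated `pl_data_offset`.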
@@ -1642,7 +1650,7 @@ static int parse_ext_ele(AACDecContext *ac, AACUsacElemConfig *e, /* This should never happen */ av_assert0(0); } - av_freep(&e->ext.pl_data); + av_refstruct_unref(&e->ext.pl_buf); if (ret < 0) return ret; commit ac8cbf2ad7bca6d8c6e5785d840c005aca21bdb1 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Tue Aug 19 03:09:14 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:52 2025 +0200 avcode: Use av_fast_realloc() in ff_lzf_uncompress() Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200 Fixes: mixed up realloc() functions Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> Co-Authored-by: James Almer <jamr...@gmail.com> Signed-off-by: James Almer <jamr...@gmail.com> (cherry picked from commit 0a5046c09996262d0f8b1802a4b34816f72fff06) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 01e5657075..07eee253e7 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -42,7 +42,7 @@ typedef struct DXVContext { uint8_t *ctex_data; // Compressed chroma texture unsigned ctex_data_size; - int64_t tex_size; // Texture size + size_t tex_size; // Texture size int64_t ctex_size; // Chroma texture size uint8_t *op_data[4]; // Opcodes @@ -828,7 +828,7 @@ static int dxv_decompress_dxt5(AVCodecContext *avctx) static int dxv_decompress_lzf(AVCodecContext *avctx) { DXVContext *ctx = avctx->priv_data; - return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size); + return ff_lzf_uncompress(&ctx->gbc, &ctx->tex_data, &ctx->tex_size, &ctx->tex_data_size); } static int dxv_decompress_raw(AVCodecContext *avctx) diff --git a/libavcodec/lzf.c b/libavcodec/lzf.c index 94b369dd59..8f223b1f42 100644 --- a/libavcodec/lzf.c +++ b/libavcodec/lzf.c 
@@ -37,7 +37,22 @@ #define LZF_LITERAL_MAX (1 << 5) #define LZF_LONG_BACKREF 7 + 2 -int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) + +static inline int lzf_realloc(uint8_t **buf, size_t *size, int addition, unsigned *allocated_size) +{ + void *ptr = av_fast_realloc(*buf, allocated_size, *size + addition); + + if (!ptr) { + av_freep(buf); //probably not needed + return AVERROR(ENOMEM); + } + *buf = ptr; + *size += addition; + + return 0; +} + +int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned *allocated_size) { int ret = 0; uint8_t *p = *buf; @@ -49,8 +64,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) if (s < LZF_LITERAL_MAX) { s++; if (s > *size - len) { - *size += s + *size /2; - ret = av_reallocp(buf, *size); + ret = lzf_realloc(buf, size, s, allocated_size); if (ret < 0) return ret; p = *buf + len; @@ -75,8 +89,7 @@ int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size) return AVERROR_INVALIDDATA; if (l > *size - len) { - *size += l + *size / 2; - ret = av_reallocp(buf, *size); + ret = lzf_realloc(buf, size, l, allocated_size); if (ret < 0) return ret; p = *buf + len; diff --git a/libavcodec/lzf.h b/libavcodec/lzf.h index 0ad73d9f79..e61ebff727 100644 --- a/libavcodec/lzf.h +++ b/libavcodec/lzf.h @@ -24,6 +24,6 @@ #include "bytestream.h" -int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, int64_t *size); +int ff_lzf_uncompress(GetByteContext *gb, uint8_t **buf, size_t *size, unsigned *allocated_size); #endif /* AVCODEC_LZF_H */ diff --git a/libavcodec/notchlc.c b/libavcodec/notchlc.c index 246a3e0174..d99de1810e 100644 --- a/libavcodec/notchlc.c +++ b/libavcodec/notchlc.c @@ -40,7 +40,8 @@ typedef struct NotchLCContext { unsigned uncompressed_size; uint8_t *lzf_buffer; - int64_t lzf_size; + size_t lzf_size; + unsigned lzf_alloc_size; unsigned texture_size_x; unsigned texture_size_y; 
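Review bot: On the failure path of `lzf_realloc()` the buffer is freed and `*buf` becomes NULL, but `*size` keeps its previous non-zero value. `ff_lzf_uncompress()` decides whether to grow from `*size - len`, and the NotchLC context keeps `lzf_size` next to `lzf_buffer` between calls, so a later call could see enough apparent room and write through a NULL `p`; whether callers reset the size first is not visible here. Adding `*size = 0;` after `av_freep(buf);` keeps the pointer, the logical size and `*allocated_size` consistent. The `//probably not needed` comment should be replaced by one stating that the free keeps `*buf` in step with the allocated size after a failed `av_fast_realloc()`.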
@@ -490,7 +491,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *p, return AVERROR_PATCHWELCOME; if (s->format == 0) { - ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size); + ret = ff_lzf_uncompress(gb, &s->lzf_buffer, &s->lzf_size, &s->lzf_alloc_size); if (ret < 0) return ret; commit 30b308f7a81a61ba826b106cea67cfa531951935 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Tue Aug 19 03:12:37 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:51 2025 +0200 avcodec/dxv: Check coded_height, to avoid invalid av_clip() Fixes: assertion failure Fixes: 438961582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5850827739955200 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit cdee519d40e61bd65ba5b3fbec00acd50a08d0d9) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index dd82e450b1..01e5657075 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -940,6 +940,8 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame, } break; } + if (avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1) + return AVERROR_INVALIDDATA; texdsp_ctx.slice_count = av_clip(avctx->thread_count, 1, avctx->coded_height / TEXTURE_BLOCK_H); commit afc8c20946979717d5436906918f530394612f4f Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Wed Aug 13 13:11:23 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:51 2025 +0200 avcodec/aac/aacdec: dont allow ff_aac_output_configure() allocating a new frame if it has no frame Fixes: null pointer dereference Fixes: crash_test.mp4 Found-by: Intel PSIRT Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit fcf180d9ea27b7dc29658c9dc3488ae6fac3ebd9) 
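Review bot: The added guard in `dxv_decode()` tests `avctx->coded_height / 2 / TEXTURE_BLOCK_H < 1`, while the only `av_clip()` visible in the hunk uses `avctx->coded_height / TEXTURE_BLOCK_H` as its upper bound, so the reason for the extra `/ 2` cannot be read from this spot. Presumably a second clip for a half-height plane follows outside the hunk. A comment such as `/* av_clip() needs max >= min, also for the half-height plane below */` would keep the check from being reduced to the single division later.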
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/aac/aacdec.c b/libavcodec/aac/aacdec.c index 6a2aa9dc8e..947079bc3d 100644 --- a/libavcodec/aac/aacdec.c +++ b/libavcodec/aac/aacdec.c @@ -466,6 +466,9 @@ int ff_aac_output_configure(AACDecContext *ac, uint8_t id_map[TYPE_END][MAX_ELEM_ID] = {{ 0 }}; uint8_t type_counts[TYPE_END] = { 0 }; + if (get_new_frame && !ac->frame) + return AVERROR_INVALIDDATA; + if (ac->oc[1].layout_map != layout_map) { memcpy(ac->oc[1].layout_map, layout_map, tags * sizeof(layout_map[0])); ac->oc[1].layout_map_tags = tags; commit debbeb006b0afda9e3970b9c8ec2416d666fecbe Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Mon Aug 18 17:20:49 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:51 2025 +0200 avformat/lrcdec: Fix fate-sub-lrc-ms-remux on x86-32 Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 0243cf89b137b093b02a5c61a76e28cec1d69ae9) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index e3e091a61a..f4a879954e 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -92,7 +92,7 @@ static int64_t read_ts(const char *p, int64_t *start) if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) { return 0; } - *start = (mm * 60 + ss) * AV_TIME_BASE; + *start = llrint((mm * 60 + ss) * AV_TIME_BASE); if (prefix[1] == '-') { *start = - *start; } commit 8c117d7fec15256a32707ea05c25c5a47c677842 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Mon Aug 18 16:31:05 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:50 2025 +0200 swscale/swscale_internal: Use more precisse gamma Avoids failure of xyz12 fate tests on mingw and linux x86-32 Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit ca20d42cd79b12b1f39cc80c758e5492337f2f25) 
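Review bot: The new early return in `ff_aac_output_configure()` is silent and undocumented: nothing is logged and no comment says which caller can arrive with `get_new_frame` set while `ac->frame` is NULL. The commit message attributes a NULL dereference to this state, so the next reader needs to know it is reachable from crafted input rather than a programming error. I would add `/* A frame can only be (re)allocated while decoding one; reject configuration changes that request it otherwise */` above the check and an `av_log(ac->avctx, AV_LOG_ERROR, ...)` before the return. The function body continues outside the hunk.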
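Review bot: `llrint()` is now applied to `(mm * 60 + ss) * AV_TIME_BASE`, and the range test on the context line above, `ss < 0 || ss > 60`, is false for a NaN, so if `ss` is a floating-point value parsed from the file a NaN would pass the test and reach `llrint()` with an unspecified result. The declarations of `mm` and `ss` are outside the hunk, so this is inferred from the expression. Writing the test as `!(ss >= 0 && ss <= 60)` rejects NaN as well. If `mm` is not bounded elsewhere, the product should also be checked against the `int64_t` range before rounding.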
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libswscale/swscale_internal.h b/libswscale/swscale_internal.h index 32428c56fb..5dd65a8d71 100644 --- a/libswscale/swscale_internal.h +++ b/libswscale/swscale_internal.h @@ -545,8 +545,8 @@ struct SwsInternal { int use_mmx_vfilter; /* pre defined color-spaces gamma */ -#define XYZ_GAMMA (2.6f) -#define RGB_GAMMA (2.2f) +#define XYZ_GAMMA (2.6) +#define RGB_GAMMA (2.2) uint16_t *xyzgamma; uint16_t *rgbgamma; uint16_t *xyzgammainv; diff --git a/tests/ref/fate/filter-pixdesc-xyz12be b/tests/ref/fate/filter-pixdesc-xyz12be index 6610444e76..3cef4083c7 100644 --- a/tests/ref/fate/filter-pixdesc-xyz12be +++ b/tests/ref/fate/filter-pixdesc-xyz12be @@ -1 +1 @@ -pixdesc-xyz12be 1508a33dea936c45d9ee13f7743af00d +pixdesc-xyz12be 198f43f452bc55f4ca1e0e0171de5c4c diff --git a/tests/ref/fate/filter-pixdesc-xyz12le b/tests/ref/fate/filter-pixdesc-xyz12le index 41b4907923..6193c3193a 100644 --- a/tests/ref/fate/filter-pixdesc-xyz12le +++ b/tests/ref/fate/filter-pixdesc-xyz12le @@ -1 +1 @@ -pixdesc-xyz12le da2d1326fa5747a7f6ce5ac1e1494aea +pixdesc-xyz12le 5ca7d9ab5e01cc1bdc906520926721eb diff --git a/tests/ref/fate/filter-pixfmts-copy b/tests/ref/fate/filter-pixfmts-copy index 84a407c8fa..d42e2f6b33 100644 --- a/tests/ref/fate/filter-pixfmts-copy +++ b/tests/ref/fate/filter-pixfmts-copy @@ -117,8 +117,8 @@ xv36be 9f556ee59a672fd8725f0bb36ce3e4b0 xv36le e08dcbde02f1c28a3554f372ad1278e2 xv48be ce34993b4b4411bba1d852b9b86aa39e xv48le df913a7e61b162aa98303e5393e60c63 -xyz12be f257f86373207af8aed0a1a05171df3b -xyz12le 7922f99edc44a2c26a25becbea9914cc +xyz12be d4562ab725e3ab7e5573dd03218bb03c +xyz12le ce17d867c3fea4c42324e40353b72de4 y210le 04e9487b6cce38e7531437e946cdd586 y212le 825768be8fe92708ae80be84855066ed y216le 0e99aeddfee304e72d525d72998d9e9b diff --git a/tests/ref/fate/filter-pixfmts-crop b/tests/ref/fate/filter-pixfmts-crop index 05bb5b1b19..a86113c631 100644 --- a/tests/ref/fate/filter-pixfmts-crop 
+++ b/tests/ref/fate/filter-pixfmts-crop @@ -114,8 +114,8 @@ xv36be 23b6f253fcb375e4145cfcb562268c5f xv36le 778286003497f92b84d0bd8258d6b85d xv48be c90889b2cf54cc78bd58e8c47d4eb791 xv48le 2c15c1254449ec5f9135ae61bdf4e1d5 -xyz12be e2f9f6a1ec205ab675a5a1c9521dfa6c -xyz12le fea1da11c07736303b139bc52b7d4759 +xyz12be 05d6fc3fbe70403160ff4e1b8a4aa969 +xyz12le 3c7328a2f8497f0b4635b84df381a2b8 ya16be 071add03126a11dc6a06209e9b409f8d ya16le b723211dc0647c944768c6e45e066b36 ya8 51a8dd297e35d40b06d3ebe8f4717895 diff --git a/tests/ref/fate/filter-pixfmts-field b/tests/ref/fate/filter-pixfmts-field index d8a0d5234a..c05dba55f6 100644 --- a/tests/ref/fate/filter-pixfmts-field +++ b/tests/ref/fate/filter-pixfmts-field @@ -117,8 +117,8 @@ xv36be bcc7bda2d0a5d43db4464af6a4cb5d65 xv36le ba99f258370f2a56993e8760e6b30194 xv48be 2abcd986a34789ba4310be3969020d0d xv48le f6f2e33f260f48334197538f3331f7bc -xyz12be 3b6eb75517263b9e54b9bfa869de394f -xyz12le 27d1d6a488cbc5d53e8d12fa0e162ddb +xyz12be a17930e991ca4ff86de5c2dc3b1e9b51 +xyz12le b134b258a9593bc2019f0493f079f3a1 y210le 4c2fba1dc40322584977d15dd07c9146 y212le ac2a47c45187dd54d0f55293cbffd954 y216le e65b5bfae1b40edbbed2012e9cd45e31 diff --git a/tests/ref/fate/filter-pixfmts-fieldorder b/tests/ref/fate/filter-pixfmts-fieldorder index df48d3af34..4c8cffca08 100644 --- a/tests/ref/fate/filter-pixfmts-fieldorder +++ b/tests/ref/fate/filter-pixfmts-fieldorder @@ -106,8 +106,8 @@ xv36be 962386c88268f4382004c3a7a82c5eb8 xv36le bcceffc985aaa8414c4b8072aa0889bd xv48be 4d6e4004b03767f12df8bb4e76c98ddf xv48le 9e94d82461a2131063157ac0dbe9467b -xyz12be ba6928f85c202cd77e216934f6bf0698 -xyz12le 964680cd3f3db8a7ef5510f90196961a +xyz12be 65fe8da4ad44c83855360144eba41853 +xyz12le f13851b3ba4e511ab1436786ec0727bd y210le 22b1a02a39c4b325726bf8793bf1e8f2 y212le 2f08fb195b948056c844acb1eee8d649 y216le 360cb98ac80b13d3a8ec61c9f1ff3bac diff --git a/tests/ref/fate/filter-pixfmts-hflip b/tests/ref/fate/filter-pixfmts-hflip index cd5dda5ccf..b47087d1f6 100644 
--- a/tests/ref/fate/filter-pixfmts-hflip +++ b/tests/ref/fate/filter-pixfmts-hflip @@ -114,8 +114,8 @@ xv36be 98f578df965eed369f46cb135e2d1345 xv36le e478b4b54698beb3ce1b9a2dd691d544 xv48be e030a2c7b1b600cfacb691b6e90c2e3d xv48le fbd7f8c65cd6fc9f9108dc9a1f977dc3 -xyz12be 3c50a51a3c486a0c6853e4bbbcf3f244 -xyz12le e020897d826ea20ded16f30ea1eb018d +xyz12be c678c7f19c610063f352a0253121441f +xyz12le 2320702cb1c8ccaad27d7004d4f3a195 ya16be 70fa41c32ecaf3370edc38add6096db2 ya16le 3b2c20f9e80717628ced6c6468507f63 ya8 4ad5920716de3d2fbbc49f95adb60345 diff --git a/tests/ref/fate/filter-pixfmts-il b/tests/ref/fate/filter-pixfmts-il index 768bf8c06c..490995bbf0 100644 --- a/tests/ref/fate/filter-pixfmts-il +++ b/tests/ref/fate/filter-pixfmts-il @@ -116,8 +116,8 @@ xv36be 3bbb949278ea55cc947ee03bd9c27c2d xv36le 102c0e817d375ddd6b2cfbb4262dec95 xv48be 4d7376651fb7b3e84d00abad6c785aad xv48le a1a8ff16d9a864568e5e557734bf3d6d -xyz12be b7d50e283360bf69fd661369110b26ef -xyz12le d5b1d45c3a136bb3d04f70a619c86c8d +xyz12be 3d9ae42c65eb645bb8e99dc708716f2d +xyz12le b27ec91dcff02d2b94b17c136be55001 y210le d4cf9b53cd7ff22f087743d483e88480 y212le d5a2b4677ddb4a3bc3e5cd5cbb20f426 y216le 9e44c6d76b09bcbe71738423b4b3d67a diff --git a/tests/ref/fate/filter-pixfmts-null b/tests/ref/fate/filter-pixfmts-null index 84a407c8fa..d42e2f6b33 100644 --- a/tests/ref/fate/filter-pixfmts-null +++ b/tests/ref/fate/filter-pixfmts-null @@ -117,8 +117,8 @@ xv36be 9f556ee59a672fd8725f0bb36ce3e4b0 xv36le e08dcbde02f1c28a3554f372ad1278e2 xv48be ce34993b4b4411bba1d852b9b86aa39e xv48le df913a7e61b162aa98303e5393e60c63 -xyz12be f257f86373207af8aed0a1a05171df3b -xyz12le 7922f99edc44a2c26a25becbea9914cc +xyz12be d4562ab725e3ab7e5573dd03218bb03c +xyz12le ce17d867c3fea4c42324e40353b72de4 y210le 04e9487b6cce38e7531437e946cdd586 y212le 825768be8fe92708ae80be84855066ed y216le 0e99aeddfee304e72d525d72998d9e9b 
diff --git a/tests/ref/fate/filter-pixfmts-scale b/tests/ref/fate/filter-pixfmts-scale index e4ab07104c..66d22e0484 100644 --- a/tests/ref/fate/filter-pixfmts-scale +++ b/tests/ref/fate/filter-pixfmts-scale @@ -117,8 +117,8 @@ xv36be 4d084adca0228d7750d1e2e877e0d79b xv36le de9c74e94dc19c828e1572aa283d8aca xv48be 9e58d1a045df100b0dec116e13be5b4e xv48le fd873d53609b2fbdfe99470f515a234c -xyz12be f1905012d9b845306d9bef68d0fc81d5 -xyz12le cfe1a3bbe391d83d381f590a00e1a16d +xyz12be 94ed06895d7030b97c36ccb9aae3722a +xyz12le fcb73d6b6192ab64ca9ff668fe6562f6 y210le 7c2aef142d88ab343ec01acd45f38466 y212le 39a3c0c843041ad4501b3107dd91ef17 y216le 17be2999e97d36b8ed903f07ef428c09 diff --git a/tests/ref/fate/filter-pixfmts-transpose b/tests/ref/fate/filter-pixfmts-transpose index 64b45945c7..80b05dbb05 100644 --- a/tests/ref/fate/filter-pixfmts-transpose +++ b/tests/ref/fate/filter-pixfmts-transpose @@ -104,8 +104,8 @@ xv36be 2261a0e3db5ee607d37f68d19704ae15 xv36le 9202133de91bf64c76ca27d5cd0c816a xv48be 14373b7fe123225689e76fe2ce43fb93 xv48le 319df9724a067c7b5efa215f9f54d127 -xyz12be 69737aceb508a73365664d04c340dd3b -xyz12le 70dd5fab9d8383b0d2e772b3b6569df4 +xyz12be 38ce311e8734b535484c2e2ba70626d0 +xyz12le 24a0e779fce6eaed687cb2c416a61eb9 ya16be 6098f7d2ede0aab6b2d93d2b4f4d915a ya16le 1fae63e3e320ba9e6c12c29a48c44eff ya8 d4b7a62f80681fa44c977ff3a64f4ce4 diff --git a/tests/ref/fate/filter-pixfmts-vflip b/tests/ref/fate/filter-pixfmts-vflip index 590717399d..6b8c888b9a 100644 --- a/tests/ref/fate/filter-pixfmts-vflip +++ b/tests/ref/fate/filter-pixfmts-vflip 
@@ -117,8 +117,8 @@ xv36be c0272372d3e1a59adb3931ee433a5d5b xv36le ffe6ab75ebc09134c3451f8f6ef0d501 xv48be bdfc3217ae456b370dbdcf4d52606a3f xv48le 53dbebab73a66539c04644ef56dc6bbb -xyz12be 1bffa153a4a3ae61fd18e370f95161d9 -xyz12le a0e93443826621a9d6c48354d949898a +xyz12be b9b83d36d58f4ad129894207888b3b3c +xyz12le b9764e43bacbbfc410e4b6558486115f y210le f8847bedd3ae6e1c0cf84a823f275e31 y212le c801725ae31e3b8f5be269359d49f191 y216le 985db498aedf3fb1c547ad07442b7258 diff --git a/tests/ref/pixfmt/xyz12le b/tests/ref/pixfmt/xyz12le index 870d5ce683..312bc9ed57 100644 --- a/tests/ref/pixfmt/xyz12le +++ b/tests/ref/pixfmt/xyz12le @@ -1,2 +1,2 @@ -47b890678bb9195107c2f7afb2344bbf *tests/data/pixfmt/xyz12le.yuv +f14b14a12c864408a0115f55eaef9934 *tests/data/pixfmt/xyz12le.yuv 304128 tests/data/pixfmt/xyz12le.yuv commit 5f8cb575e83a05bc95b82d7f5f572d8f554f3705 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Sun Aug 17 15:31:48 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:50 2025 +0200 avcodec/sanm: Check w,h,left,top The setup code fow w,h,left,top is complex, the code using it also falls in at least 2 different classes, one using left/top the other not. To ensure no out of array access happens we add this clear check. Fixes: out of array access Fixes: 439261995/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5383455572819968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 134fbfd1dcb59441e38d870ddd231772f4e8e127) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index a066a864eb..9e99aa9dd9 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c 
@@ -1757,6 +1757,11 @@ static int process_frame_obj(SANMVideoContext *ctx, GetByteContext *gb) memset(ctx->fbuf, 0, ctx->frm0_size); } + if (w + FFMAX(left, 0) > ctx->avctx->width || h + FFMAX(top, 0) > ctx->avctx->height) { + avpriv_request_sample(ctx->avctx, "overly large frame\n"); + return AVERROR_PATCHWELCOME; + } + switch (codec) { case 1: case 3: commit abf123b74467cb7c124df0e83b978eee2b8a93de Author: James Almer <jamr...@gmail.com> AuthorDate: Sat Aug 16 14:16:38 2025 -0300 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:50 2025 +0200 avformat/mov: don't use an allocated array for sample_size with HEIF images The array is only ever needed for streams where each sample entry may have a different value. Given that for non animated HEIF there's a single value that applies to the image, use the field defined for that. Fixes: NULL pointer dereference Fixes: 437528618/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6537287645331456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: James Almer <jamr...@gmail.com> (cherry picked from commit a28e01a6c16430da689340d0af6eec094020b719) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavformat/mov.c b/libavformat/mov.c index 86037c6712..b29c41a6b6 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5456,10 +5456,6 @@ static int heif_add_stream(MOVContext *c, HEIFItem *item) if (!sc->chunk_offsets) goto fail; sc->chunk_count = 1; - sc->sample_sizes = av_malloc_array(1, sizeof(*sc->sample_sizes)); - if (!sc->sample_sizes) - goto fail; - sc->sample_count = 1; sc->stts_data = av_malloc_array(1, sizeof(*sc->stts_data)); if (!sc->stts_data) goto fail; 
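Review bot: The added bounds check in `process_frame_obj()` clamps `left` and `top` with `FFMAX(..., 0)`, so it limits only the right and bottom edges; a negative `left` or `top` passes it unchanged. The commit message says some codec paths use `left`/`top` and others do not, and those paths are outside the hunk, so whether each of them clips a negative origin cannot be confirmed from here. Either reject negative origins in this check or add a comment naming where they are handled. The check also compares against `ctx->avctx->width`/`height`; if the frame buffers are sized from other fields, those are the values to compare with.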
@@ -10471,11 +10467,13 @@ static int mov_parse_heif_items(AVFormatContext *s) st->codecpar->width = item->width; st->codecpar->height = item->height; + sc->sample_size = sc->stsz_sample_size = item->extent_length; + sc->sample_count = 1; + err = sanity_checks(s, sc, item->item_id); - if (err || !sc->sample_count) + if (err) return AVERROR_INVALIDDATA; - sc->sample_sizes[0] = item->extent_length; sc->chunk_offsets[0] = item->extent_offset + offset; if (item->item_id == mov->primary_item_id) commit e97babf6bc2a27efe776475f879f26f356d82d98 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 15 19:49:19 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:49 2025 +0200 avcodec/rv60dec: clear pu_info pu_info is read uninitialized on damaged input and at that point the following codepath is dependant on the uninitialized data. In one of these pathes out of array accesses happen. None of this is replicatable Less uninitialized data also should result in more reproducable reports Fixes: Use of uninitialized memory Fixes: 418335931/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV60_fuzzer-5103986067963904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 50affd2b09ca7ebf6beb287a087947be887b2417) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/rv60dec.c b/libavcodec/rv60dec.c index 4a3d9067db..208fbc68f7 100644 --- a/libavcodec/rv60dec.c +++ b/libavcodec/rv60dec.c 
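Review bot: `sc->sample_size = sc->stsz_sample_size = item->extent_length;` stores the item length into the single-sample size fields before `sanity_checks()` runs, and nothing in the hunk bounds `item->extent_length`. If the source field is wider than the destination, which only the declarations outside this hunk can show, a large extent would be truncated and the demuxer would read a different number of bytes than the container declares. A range check ahead of the assignment, e.g. `if (item->extent_length <= 0 || item->extent_length > INT_MAX) return AVERROR_INVALIDDATA;`, keeps the stored and declared sizes in agreement. The sum `item->extent_offset + offset` on the last context line is likewise formed without a visible overflow check.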
@@ -308,6 +308,8 @@ static int update_dimensions_clear_info(RV60Context *s, int width, int height) if ((ret = av_reallocp_array(&s->blk_info, s->blk_stride * (s->cu_height << 4), sizeof(s->blk_info[0]))) < 0) return ret; + memset(s->pu_info, 0, s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0])); + for (int j = 0; j < s->cu_height << 4; j++) for (int i = 0; i < s->cu_width << 4; i++) s->blk_info[j*s->blk_stride + i].mv.mvref = MVREF_NONE; commit 9bc89a260571d8b8226986648a8a80b5256be508 Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Mon Jul 28 19:07:32 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:49 2025 +0200 avformat/tls_openssl: use ascii - (0x2D) instead of 0x2010 hyphen Too much AI is bad for you... Fixes: 167e343bbe75515a80db8ee72ffa0c607c944a00 Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit 3a8b3dfeca2ddbee9999262f3240bfe05b55c66a) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavformat/tls_openssl.c b/libavformat/tls_openssl.c index 9f7b46c3ca..75229ea671 100644 --- a/libavformat/tls_openssl.c +++ b/libavformat/tls_openssl.c @@ -34,8 +34,8 @@ #include <openssl/x509v3.h> /** - * Returns a heapâallocated nullâterminated string containing - * the PEMâencoded public key. Caller must free. + * Returns a heap-allocated null-terminated string containing + * the PEM-encoded public key. Caller must free. */ static char *pkey_to_pem_string(EVP_PKEY *pkey) { BIO *mem = NULL; @@ -60,7 +60,7 @@ static char *pkey_to_pem_string(EVP_PKEY *pkey) { if (!pem_str) goto err; - // Copy data & NULâterminate + // Copy data & NUL-terminate memcpy(pem_str, bptr->data, bptr->length); pem_str[bptr->length] = '\0'; 
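Review bot: The added `memset()` recomputes the size of `pu_info` as `s->pu_stride * (s->cu_height << 3) * sizeof(s->pu_info[0])`, while the allocation it must match is outside this hunk; only the `blk_info` reallocation is visible. If the two expressions ever diverge the memset writes past the array, and the first product is presumably evaluated in `int` before `sizeof` widens it. Computing the element count once, e.g. `size_t pu_count = (size_t)s->pu_stride * (s->cu_height << 3);`, and using it for both the allocation and the clear removes both risks. The loop that follows sets only `mv.mvref` in `blk_info`, so the same uninitialized-read concern may apply to its other fields.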
@@ -425,7 +425,7 @@ error: /** - * Deserialize a PEMâencoded private or public key from a NUL-terminated C string. + * Deserialize a PEM-encoded private or public key from a NUL-terminated C string. * * @param pem_str The PEM text, e.g. * "-----BEGIN PRIVATE KEY-----\nâ¦\n-----END PRIVATE KEY-----\n" @@ -456,7 +456,7 @@ static EVP_PKEY *pkey_from_pem_string(const char *pem_str, int is_priv) } /** - * Deserialize a PEMâencoded certificate from a NUL-terminated C string. + * Deserialize a PEM-encoded certificate from a NUL-terminated C string. * * @param pem_str The PEM text, e.g. * "-----BEGIN CERTIFICATE-----\nâ¦\n-----END CERTIFICATE-----\n" commit ac5ff0ae895351c5307ae40e2cf726a1eaed1318 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 15 17:55:05 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:48 2025 +0200 avcodec/utvideodec: Clear plane_start array in pack mode the array is passed into decode_plane() without being initialized or used Fixes: use of uninitialized memory Fixes: 438780119/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_UTVIDEO_DEC_fuzzer-5464037027807232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 2a22972db3b390d82dedbdbb5f44cc09a43912b5) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 934945c1be..bc02ac44d5 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c 
@@ -585,7 +585,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *frame, int buf_size = avpkt->size; UtvideoContext *c = avctx->priv_data; int i, j; - const uint8_t *plane_start[5]; + const uint8_t *plane_start[5] = {NULL}; int plane_size, max_slice_size = 0, slice_start, slice_end, slice_size; int ret; GetByteContext gb; commit a2e445918ef0f1ff12830b7354db232a7095d70e Author: Oliver Chang <och...@google.com> AuthorDate: Thu Aug 14 22:11:41 2025 -0700 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:48 2025 +0200 avcodec/prores_raw: Fix heap buffer overflow When dimensions differ from context, those were updated using ff_set_dimensions, however this overwrote the aligned coded_width and coded_height that were set before, leading to a buffer overflow when writing the frame data. Fixes: OssFuzz 438771336 Fixes: Heap-buffer-overflow Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Marvin Scholz <epira...@gmail.com> Reviewed-by: Marvin Scholz <epira...@gmail.com> (cherry picked from commit c9e93df4eed93fe0044c52d953688c4180de1d48) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/prores_raw.c b/libavcodec/prores_raw.c index 748e176815..b2aa97ddda 100644 --- a/libavcodec/prores_raw.c +++ b/libavcodec/prores_raw.c @@ -367,9 +367,6 @@ static int decode_frame(AVCodecContext *avctx, if ((w & 1) || (h & 1)) return AVERROR_INVALIDDATA; - avctx->coded_width = FFALIGN(w, 16); - avctx->coded_height = FFALIGN(h, 16); - if (w != avctx->width || h != avctx->height) { av_log(avctx, AV_LOG_WARNING, "picture resolution change: %ix%i -> %ix%i\n", avctx->width, avctx->height, w, h); 
@@ -377,6 +374,9 @@ static int decode_frame(AVCodecContext *avctx, return ret; } + avctx->coded_width = FFALIGN(w, 16); + avctx->coded_height = FFALIGN(h, 16); + enum AVPixelFormat pix_fmt = AV_PIX_FMT_BAYER_RGGB16; if (pix_fmt != s->pix_fmt) { s->pix_fmt = pix_fmt; commit 34c39367aa8a39fb2f26f583de269e762e334787 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 15 00:48:26 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:48 2025 +0200 .forgejo/CODEOWNERS: remove reference to secret apparently uncommited code Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 7d606ef0ccf2946a4a21ab1ec23486cadc21864b) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/.forgejo/CODEOWNERS b/.forgejo/CODEOWNERS index c7d41e5485..a4ea6dd50f 100644 --- a/.forgejo/CODEOWNERS +++ b/.forgejo/CODEOWNERS @@ -53,7 +53,6 @@ libavutil/.*d3d12va.* @jianhuaw libavutil/eval.* @michaelni libavutil/iamf.* @jamrial libavutil/integer.* @michaelni -libavutil/kiss99.* @michaelni libavutil/lfg.* @michaelni libavutil/lls.* @michaelni libavutil/md5.* @michaelni commit 3cab0095192aa2bc51f8f8060ed4ccbf9caf3c87 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Wed Aug 13 00:59:20 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:47 2025 +0200 fftools/ffmpeg_mux_init: Use 64bit for score computation in map_auto_video() Fixes: signed integer overflow: 10 * 1952737655 cannot be represented in type 'int' Fixes: PoC_avi_demux Found-by: 2ourc3 (Salim LARGO) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit cdbb5f1b93352f9e7eceb1562ad283a78b546091) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c index 4a973e5286..17977eb07f 100644 --- a/fftools/ffmpeg_mux_init.c +++ b/fftools/ffmpeg_mux_init.c 
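Review bot: The coded_width/coded_height assignments added after the resolution-change block in decode_frame() (prores_raw.c) are only correct because of where they sit, and nothing in the code records that. The commit message explains that ff_set_dimensions() overwrote the aligned values and that this caused a heap overflow when writing frame data, so a later cleanup that moves them back up would reintroduce the bug. I would put a comment directly above them, for example `/* Must stay after ff_set_dimensions(), which resets coded_width/coded_height. */`. decode_frame() begins and ends outside the hunk.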
@@ -1593,7 +1593,7 @@ static int map_auto_video(Muxer *mux, const OptionsContext *o) { AVFormatContext *oc = mux->fc; InputStream *best_ist = NULL; - int best_score = 0; + int64_t best_score = 0; int qcr; /* video: highest resolution */ @@ -1604,16 +1604,16 @@ static int map_auto_video(Muxer *mux, const OptionsContext *o) for (int j = 0; j < nb_input_files; j++) { InputFile *ifile = input_files[j]; InputStream *file_best_ist = NULL; - int file_best_score = 0; + int64_t file_best_score = 0; for (int i = 0; i < ifile->nb_streams; i++) { InputStream *ist = ifile->streams[i]; - int score; + int64_t score; if (ist->user_set_discard == AVDISCARD_ALL || ist->st->codecpar->codec_type != AVMEDIA_TYPE_VIDEO) continue; - score = ist->st->codecpar->width * ist->st->codecpar->height + score = ist->st->codecpar->width * (int64_t)ist->st->codecpar->height + 100000000 * !!(ist->st->event_flags & AVSTREAM_EVENT_FLAG_NEW_PACKETS) + 5000000*!!(ist->st->disposition & AV_DISPOSITION_DEFAULT); if((qcr!=MKTAG('A', 'P', 'I', 'C')) && (ist->st->disposition & AV_DISPOSITION_ATTACHED_PIC)) commit 3e05b895900e2cbfcd2dafb77de8fbcf14c71732 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Mon Aug 11 20:06:25 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:47 2025 +0200 tools/merge-all-source-plugins: Fix merge_internal() return code Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit b5b306ca31ba4cc035f4cea3fd82ae43dccd38f3) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/tools/merge-all-source-plugins b/tools/merge-all-source-plugins index 911f984624..7af8d45ed7 100755 --- a/tools/merge-all-source-plugins +++ b/tools/merge-all-source-plugins 
@@ -2,8 +2,11 @@ #If a version is set then we only try merging a source plugin with matching version as a generic one could change the ABI to master HEAD merge_internal(){ # $1=repository, $2=refspec - [ -n "$version" ] && git pull --no-rebase --log --stat --commit --no-edit $1 sourceplugin-$2-$version - [ -z "$version" ] && git pull --no-rebase --log --stat --commit --no-edit $1 sourceplugin-$2 + branch="sourceplugin-$2" + if [ -n "$version" ] ; then + branch="$branch-$version" + fi + git pull --no-rebase --log --stat --commit --no-edit "$1" "$branch" } unset succeeded failed version commit 4a3e5ea8d2ebad2b930c503d08fbca05f6209d89 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Tue Aug 12 12:43:06 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:47 2025 +0200 tools: Split the list of source plugins out of "merge-all-source-plugins" (cherry picked from commit fd31df43067fe21cc1e4fabd07ee9d6a26cb7264) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/tools/merge-all-source-plugins b/tools/merge-all-source-plugins index a3812a90a6..911f984624 100755 --- a/tools/merge-all-source-plugins +++ b/tools/merge-all-source-plugins @@ -31,7 +31,16 @@ git diff --cached --exit-code >/dev/null ||\ version="8.0" -merge "https://github.com/michaelni/FFmpeg.git" "libpostproc" +[ $# -ne 1 ] &&\ + error "Usage: $0 source-plugins.txt" + +while IFS=' ' read -r a b; do + case "$a" in + ''|'#'*) continue ;; + esac + + merge "$a" "$b" +done < "$1" [ -n "$version" ] && echo version: $version [ -n "$succeeded" ] && echo Succeeded merging: $succeeded diff --git a/tools/source-plugins.txt b/tools/source-plugins.txt new file mode 100644 index 0000000000..6940140ccc --- /dev/null +++ b/tools/source-plugins.txt 
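Review bot: The read loop added to tools/merge-all-source-plugins passes both fields of each list line to `merge` unchecked, and merge_internal() puts the first one straight on the `git pull` command line (presumably reached through merge, whose body is not in the hunk). A repository field that starts with `-` would be parsed by git as an option rather than a URL; the branch argument is safe because it always carries the `sourceplugin-` prefix. Since the list is now any file named on the command line, I would reject such lines in the existing case statement, for example `-*) error "invalid repository: $a" ;;`.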
@@ -0,0 +1,4 @@ +# List of source plugins + +# libpostproc, GPL, maintained by Michael Niedermayer +https://github.com/michaelni/FFmpeg.git libpostproc commit 263e819aa45cd3c48bf6887be02b4ec504c02048 Author: Jiasheng Jiang <jiashengjiangc...@gmail.com> AuthorDate: Thu Aug 7 14:50:10 2025 +0000 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:46 2025 +0200 libavfilter/dnn/dnn_backend_tf: Remove redundant av_freep() to avoid double free Remove redundant av_freep() to avoid double free since task will be freed in dnn_free_model_tf() after the success of ff_queue_push_back(). Fixes: af052f9066 ("lavfi/dnn: fix mem leak in TF backend error handle") Signed-off-by: Jiasheng Jiang <jiashengjiangc...@gmail.com> (cherry picked from commit b8d5f65b9e89d893f27cf00799dbc15fc0ca2f8e) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavfilter/dnn/dnn_backend_tf.c b/libavfilter/dnn/dnn_backend_tf.c index 6ca7fb6910..2c33691f96 100644 --- a/libavfilter/dnn/dnn_backend_tf.c +++ b/libavfilter/dnn/dnn_backend_tf.c @@ -833,14 +833,12 @@ static int dnn_execute_model_tf(const DNNModel *model, DNNExecBaseParams *exec_p ret = extract_lltask_from_task(task, tf_model->lltask_queue); if (ret != 0) { - av_freep(&task); av_log(ctx, AV_LOG_ERROR, "unable to extract last level task from task.\n"); return ret; } request = ff_safe_queue_pop_front(tf_model->request_queue); if (!request) { - av_freep(&task); av_log(ctx, AV_LOG_ERROR, "unable to get infer request.\n"); return AVERROR(EINVAL); } commit 23655160ea4acb2601db6a90e1fb40fe7b4cabc4 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 8 12:43:46 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:46 2025 +0200 avcodec/dxv: Use av_fast_realloc() for op_data makes things consistent Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 373bd80b16643e349d229e2479fad565dba129a5) 
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 052fe0ac6c..dd82e450b1 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -46,6 +46,7 @@ typedef struct DXVContext { int64_t ctex_size; // Chroma texture size uint8_t *op_data[4]; // Opcodes + unsigned op_data_size[4]; int64_t op_size[4]; // Opcodes size } DXVContext; @@ -1003,9 +1004,11 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame, memset(ctx->ctex_data + old_size, 0, ctx->ctex_data_size - old_size); for (i = 0; i < 4; i++) { - ret = av_reallocp(&ctx->op_data[i], ctx->op_size[i]); - if (ret < 0) - return ret; + old_size = ctx->op_data_size[i]; + ptr = av_fast_realloc(ctx->op_data[i], &ctx->op_data_size[i], ctx->op_size[i]); + if (!ptr) + return AVERROR(ENOMEM); + ctx->op_data[i] = ptr; } } @@ -1101,6 +1104,7 @@ static av_cold int dxv_close(AVCodecContext *avctx) av_freep(&ctx->op_data[1]); av_freep(&ctx->op_data[2]); av_freep(&ctx->op_data[3]); + memset(ctx->op_data_size, 0, sizeof(ctx->op_data_size)); return 0; } commit f2507dba3b4c40c5d2d0135a7847db448d3c3527 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Thu Aug 7 19:56:53 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:46 2025 +0200 avcodec/dxv: Use av_fast_realloc() and clear all new space The code writing in the buffer has a wide range of error checks which simply leave it partly uninitialized. Initializing it on allocation ensures no sensitive data leaks and that bugs are more reliably reproduceable Fixes: use of uninitialized memory Fixes: 435225510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-4521918634196992 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 4a0b793737ec1a118d2119a677fa17926def01bc) 
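Review bot: In the op_data loop of dxv_decode() (dxv.c), `old_size` is assigned from `ctx->op_data_size[i]` but never read. Unlike the ctex_data buffer handled on the context line just above, the grown part of each opcode buffer therefore stays uninitialized. Either drop the dead assignment or complete the pattern: `if (ctx->op_data_size[i] > old_size) memset(ctx->op_data[i] + old_size, 0, ctx->op_data_size[i] - old_size);`. Whether the zero-fill is still required depends on the opcode decoding paths, which are outside this hunk.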
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 0f8de13c25..052fe0ac6c 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -38,6 +38,7 @@ typedef struct DXVContext { GetByteContext gbc; uint8_t *tex_data; // Compressed texture + unsigned tex_data_size; uint8_t *ctex_data; // Compressed chroma texture unsigned ctex_data_size; @@ -972,9 +973,14 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame, ctx->tex_size = avctx->coded_width / (texdsp_ctx.raw_ratio / (avctx->pix_fmt == AV_PIX_FMT_RGBA ? 4 : 1)) * avctx->coded_height / TEXTURE_BLOCK_H * texdsp_ctx.tex_ratio; - ret = av_reallocp(&ctx->tex_data, ctx->tex_size + AV_INPUT_BUFFER_PADDING_SIZE); - if (ret < 0) - return ret; + unsigned old_size = ctx->tex_data_size; + void *ptr = av_fast_realloc(ctx->tex_data, &ctx->tex_data_size, ctx->tex_size + AV_INPUT_BUFFER_PADDING_SIZE); + if (!ptr) + return AVERROR(ENOMEM); + ctx->tex_data = ptr; + + if (ctx->tex_data_size > old_size) + memset(ctx->tex_data + old_size, 0, ctx->tex_data_size - old_size); if (avctx->pix_fmt != AV_PIX_FMT_RGBA) { int i; @@ -1086,6 +1092,8 @@ static av_cold int dxv_close(AVCodecContext *avctx) DXVContext *ctx = avctx->priv_data; av_freep(&ctx->tex_data); + ctx->tex_data_size = 0; + av_freep(&ctx->ctex_data); ctx->ctex_data_size = 0; commit da3f5273fce6c5dbb68077fbec346cc4b1a3e9f0 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 8 12:25:55 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:45 2025 +0200 avcodec/dxv: Clear ctex same issue as with tex Fixes: 431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5339599339847680 Fixes: use of uninitialized memory Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 4e5f25c0a50ac17e20ddc3549dbff0976a5826b9) 
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 20d353b29b..0f8de13c25 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -39,6 +39,7 @@ typedef struct DXVContext { uint8_t *tex_data; // Compressed texture uint8_t *ctex_data; // Compressed chroma texture + unsigned ctex_data_size; int64_t tex_size; // Texture size int64_t ctex_size; // Chroma texture size @@ -987,9 +988,14 @@ static int dxv_decode(AVCodecContext *avctx, AVFrame *frame, ctx->op_size[2] = avctx->coded_width * avctx->coded_height / 32; ctx->op_size[3] = avctx->coded_width * avctx->coded_height / 16; - ret = av_reallocp(&ctx->ctex_data, ctx->ctex_size + AV_INPUT_BUFFER_PADDING_SIZE); - if (ret < 0) - return ret; + old_size = ctx->ctex_data_size; + ptr = av_fast_realloc(ctx->ctex_data, &ctx->ctex_data_size, ctx->ctex_size + AV_INPUT_BUFFER_PADDING_SIZE); + if (!ptr) + return AVERROR(ENOMEM); + ctx->ctex_data = ptr; + if (old_size < ctx->ctex_data_size) + memset(ctx->ctex_data + old_size, 0, ctx->ctex_data_size - old_size); + for (i = 0; i < 4; i++) { ret = av_reallocp(&ctx->op_data[i], ctx->op_size[i]); if (ret < 0) @@ -1081,6 +1087,8 @@ static av_cold int dxv_close(AVCodecContext *avctx) av_freep(&ctx->tex_data); av_freep(&ctx->ctex_data); + ctx->ctex_data_size = 0; + av_freep(&ctx->op_data[0]); av_freep(&ctx->op_data[1]); av_freep(&ctx->op_data[2]); commit 6049800a106b6ff8c6a0e062c5146e554a54c21f Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 8 12:25:55 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:45 2025 +0200 avcodec/dxv: Check that we initialize op_data Fixes: 431665305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_DEC_fuzzer-5339599339847680 Fixes: use of uninitialized memory Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg 
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 6a8c41dcacbba011e553fbf35518577321d1aadb) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/dxv.c b/libavcodec/dxv.c index 0b8e077ad6..20d353b29b 100644 --- a/libavcodec/dxv.c +++ b/libavcodec/dxv.c @@ -274,7 +274,9 @@ static int dxv_decompress_opcodes(GetByteContext *gb, void *dstp, size_t op_size if ((flag & 3) == 0) { bytestream2_skip(gb, 1); - bytestream2_get_buffer(gb, dstp, op_size); + int read_size = bytestream2_get_buffer(gb, dstp, op_size); + if (read_size != op_size) + return AVERROR_INVALIDDATA; } else if ((flag & 3) == 1) { bytestream2_skip(gb, 1); memset(dstp, bytestream2_get_byte(gb), op_size); commit e726f7af17b3ea160b6ce8482f3065e4c36c3f97 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Thu Aug 7 19:38:30 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:45 2025 +0200 avcodec/sanm: Check mv in codec48_block() Fixes: out of array read Fixes: 436943287/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SANM_fuzzer-5011037029203968 This issue did oddly enough, not replicate Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit d5bdb0b705ce96739e812ca5317361674359369c) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/sanm.c b/libavcodec/sanm.c index d345f58846..a066a864eb 100644 --- a/libavcodec/sanm.c +++ b/libavcodec/sanm.c 
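Review bot: `read_size` in dxv_decompress_opcodes() (dxv.c) is declared int and then compared with `op_size`, which the hunk header shows to be a size_t, so the test relies on an implicit signed-to-unsigned conversion. bytestream2_get_buffer() returns unsigned int, so `unsigned read_size = bytestream2_get_buffer(gb, dstp, op_size);` keeps the types consistent and avoids a sign-compare warning. The function body extends beyond the hunk.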
@@ -1427,8 +1427,18 @@ static void c48_4to8(uint8_t *dst, const uint8_t *src, const uint16_t w) } } -static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, - const uint16_t w) +static int check_mv(int x, int y, const uint16_t w, int h, int blocksize, int mvofs) { + if (mvofs < -x + -y*w) + return AVERROR_INVALIDDATA; + + if (mvofs > w-x-blocksize + w*(h-y-blocksize)) + return AVERROR_INVALIDDATA; + + return 0; +} + +static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, int x, int y, + const uint16_t w, int h) { uint8_t opc, sb[16]; int i, j, k, l; @@ -1453,6 +1463,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, if (bytestream2_get_bytes_left(&ctx->gb) < 2) return 1; mvofs = bytestream2_get_le16(&ctx->gb); + if (check_mv(x, y, w, h, 8, mvofs)) + return 1; for (i = 0; i < 8; i++) { ofs = w * i; for (k = 0; k < 8; k++) @@ -1480,6 +1492,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, for (k = 0; k < 8; k += 4) { opc = bytestream2_get_byteu(&ctx->gb); mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w); + if (check_mv(x+k, y+i, w, h, 4, mvofs)) + return 1; for (j = 0; j < 4; j++) { ofs = (w * (j + i)) + k; for (l = 0; l < 4; l++) @@ -1494,6 +1508,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, for (i = 0; i < 8; i += 4) { for (k = 0; k < 8; k += 4) { mvofs = bytestream2_get_le16(&ctx->gb); + if (check_mv(x+k, y+i, w, h, 4, mvofs)) + return 1; for (j = 0; j < 4; j++) { ofs = (w * (j + i)) + k; for (l = 0; l < 4; l++) @@ -1516,6 +1532,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, ofs = (w * i) + j; opc = bytestream2_get_byteu(&ctx->gb); mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w); + if (check_mv(x+j, y+i, w, h, 2, mvofs)) + return 1; for (l = 0; l < 2; l++) { *(dst + ofs + l + 0) = *(db + ofs + l + 0 + mvofs); *(dst + ofs + l + w) = *(db + ofs + l + w + mvofs); 
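Review bot: check_mv() in sanm.c is added without a comment, and its two bounds are hard to verify from the arithmetic alone. As I read the copy loops in codec48_block(), `mvofs` is a linear offset added to `db + ofs`, and the test is meant to keep the whole blocksize x blocksize source block inside the w x h reference frame. I would state that above the function, for example `/* Reject mvofs if the blocksize x blocksize block at (x, y), moved by the linear offset mvofs, leaves the w x h frame. */`. It is also worth saying that x and y must be frame coordinates of the block origin, because every call site added in the later hunks of this file depends on that.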
@@ -1530,6 +1548,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, for (j = 0; j < 8; j += 2) { ofs = w * i + j; mvofs = bytestream2_get_le16(&ctx->gb); + if (check_mv(x+j, y+i, w, h, 2, mvofs)) + return 1; for (l = 0; l < 2; l++) { *(dst + ofs + l + 0) = *(db + ofs + l + 0 + mvofs); *(dst + ofs + l + w) = *(db + ofs + l + w + mvofs); @@ -1548,6 +1568,8 @@ static int codec48_block(SANMVideoContext *ctx, uint8_t *dst, uint8_t *db, break; default: // copy 8x8 block from prev, c37_mv from source mvofs = c37_mv[opc * 2] + (c37_mv[opc * 2 + 1] * w); + if (check_mv(x, y, w, h, 8, mvofs)) + return 1; for (i = 0; i < 8; i++) { ofs = i * w; for (l = 0; l < 8; l++) @@ -1613,7 +1635,7 @@ static int old_codec48(SANMVideoContext *ctx, int width, int height) if (seq == ctx->prev_seq + 1) { for (j = 0; j < height; j += 8) { for (i = 0; i < width; i += 8) { - if (codec48_block(ctx, dst + i, prev + i, width)) + if (codec48_block(ctx, dst + i, prev + i, i, j, width, height)) return AVERROR_INVALIDDATA; } dst += width * 8; commit de76fb27a6e6da0431154ce9093933281a38a889 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Sat Aug 9 14:05:19 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:44 2025 +0200 avcodec/exr: Check for pixel type consistency in DWA Fixes: out of array access Fixes: BIGSLEEP-436511754/testcase.exr Found-by: Google Big Sleep Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 0469d68acb52081ca8385b844b9650398242be0f) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/exr.c b/libavcodec/exr.c index dea612a42b..67f971ff35 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c 
@@ -2086,6 +2086,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *picture, if ((ret = decode_header(s, picture)) < 0) return ret; + if (s->compression == EXR_DWAA || + s->compression == EXR_DWAB) { + for (int i = 0; i<s->nb_channels; i++) { + EXRChannel *channel = &s->channels[i]; + if (channel->pixel_type != s->pixel_type) { + avpriv_request_sample(s->avctx, "mixed pixel type DWA"); + return AVERROR_PATCHWELCOME; + } + } + } + switch (s->pixel_type) { case EXR_HALF: if (s->channel_offsets[3] >= 0) { commit 995d329cf9213cc445a2cea31b8f2394d3475d8c Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Sun Aug 3 16:46:10 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:44 2025 +0200 avcodec/d3d12va_encode: fix label followed by a declaration warning Fixes: d3d12va_encode.c: warning: label followed by a declaration is a C23 extension Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit ac6db22e372460f3462d16eacdf9b7611cc3c0af) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/d3d12va_encode.c b/libavcodec/d3d12va_encode.c index 880002ce55..1ecaee3b6d 100644 --- a/libavcodec/d3d12va_encode.c +++ b/libavcodec/d3d12va_encode.c @@ -973,8 +973,7 @@ rc_mode_found: case RC_MODE_CQP: // cqp ConfigParams will be updated in ctx->codec->configure. break; - - case RC_MODE_CBR: + case RC_MODE_CBR: { D3D12_VIDEO_ENCODER_RATE_CONTROL_CBR *cbr_ctl; ctx->rc.ConfigParams.DataSize = sizeof(D3D12_VIDEO_ENCODER_RATE_CONTROL_CBR); @@ -995,8 +994,8 @@ rc_mode_found: ctx->rc.ConfigParams.pConfiguration_CBR = cbr_ctl; break; - - case RC_MODE_VBR: + } + case RC_MODE_VBR: { D3D12_VIDEO_ENCODER_RATE_CONTROL_VBR *vbr_ctl; ctx->rc.ConfigParams.DataSize = sizeof(D3D12_VIDEO_ENCODER_RATE_CONTROL_VBR); 
@@ -1018,8 +1017,8 @@ rc_mode_found: ctx->rc.ConfigParams.pConfiguration_VBR = vbr_ctl; break; - - case RC_MODE_QVBR: + } + case RC_MODE_QVBR: { D3D12_VIDEO_ENCODER_RATE_CONTROL_QVBR *qvbr_ctl; ctx->rc.ConfigParams.DataSize = sizeof(D3D12_VIDEO_ENCODER_RATE_CONTROL_QVBR); @@ -1039,7 +1038,7 @@ rc_mode_found: ctx->rc.ConfigParams.pConfiguration_QVBR = qvbr_ctl; break; - + } default: break; } commit 81dcb6781390bd3225fc2250cb0f73ee6487eb00 Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Sat Aug 9 17:15:51 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:44 2025 +0200 avcodec/libvorbisdec: avoid overflow when assinging sample rate from long to int Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_DEC_fuzzer-6096101407260672 Found-by: OSS-Fuzz Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit 2287a19abbd80d25b411a3028969c55c4b0b8c88) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/libvorbisdec.c b/libavcodec/libvorbisdec.c index 7922261b2f..326ed4b4fe 100644 --- a/libavcodec/libvorbisdec.c +++ b/libavcodec/libvorbisdec.c 
@@ -114,6 +114,12 @@ static av_cold int oggvorbis_decode_init(AVCodecContext *avccontext) } } + if (context->vi.rate <= 0 || context->vi.rate > INT_MAX) { + av_log(avccontext, AV_LOG_ERROR, "vorbis rate is invalid\n"); + ret = AVERROR_INVALIDDATA; + goto error; + } + av_channel_layout_uninit(&avccontext->ch_layout); avccontext->ch_layout.order = AV_CHANNEL_ORDER_UNSPEC; avccontext->ch_layout.nb_channels = context->vi.channels; commit bde02336a44086d628cb8e577a915fa9a6bf6088 Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Sat Aug 9 17:09:57 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:43 2025 +0200 avcodec/g726: init missing sample rate Fixes: 416134551/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_G726_DEC_fuzzer-5695764455292928 Found-by: OSS-Fuzz Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit c2f7dae70d27a8f5ca1e3fa43d96ff5c8bf032fa) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/g726.c b/libavcodec/g726.c index 5491b7eb7a..f41df3073f 100644 --- a/libavcodec/g726.c +++ b/libavcodec/g726.c @@ -455,6 +455,8 @@ static av_cold int g726_decode_init(AVCodecContext *avctx) g726_reset(c); avctx->sample_fmt = AV_SAMPLE_FMT_S16; + if (!avctx->sample_rate) + avctx->sample_rate = 8000; return 0; } commit 6b1f994e43b7c0648f91fc6a14ee5c090c99e1fc Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Sat Aug 9 16:49:17 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:43 2025 +0200 avformat/lrcdec: limit input timestamp range to avoid overflows Fixes: clusterfuzz-testcase-ffmpeg_dem_LRC_fuzzer-5226140131459072 Found-by: OSS-Fuzz Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit c74bc74398e7a1e235fdf51d0dd2dfb942626c82) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> 
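Review bot: The error message added to oggvorbis_decode_init() (libvorbisdec.c) does not include the rejected value, which makes a report from the field harder to triage. Going by the commit title, `vi.rate` is a long, so the call could read `av_log(avccontext, AV_LOG_ERROR, "vorbis rate is invalid: %ld\n", context->vi.rate);`. The function starts and ends outside the hunk.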
diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 7941c02c5d..e3e091a61a 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -78,7 +78,7 @@ static int64_t count_ts(const char *p) static int64_t read_ts(const char *p, int64_t *start) { int64_t offset = 0; - uint64_t mm; + uint32_t mm; double ss; char prefix[3]; @@ -88,8 +88,8 @@ static int64_t read_ts(const char *p, int64_t *start) if(p[offset] != '[') { return 0; } - int ret = sscanf(p, "%2[[-]%"SCNu64":%lf]", prefix, &mm, &ss); - if (ret != 3 || prefix[0] != '[') { + int ret = sscanf(p, "%2[[-]%"SCNu32":%lf]", prefix, &mm, &ss); + if (ret != 3 || prefix[0] != '[' || ss < 0 || ss > 60) { return 0; } *start = (mm * 60 + ss) * AV_TIME_BASE; commit 5051753833d5123707e58e2571d0831e3f9278be Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 8 23:19:03 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:42 2025 +0200 avcodec/scpr3: Clear clr clr is passing into decode_run_p() its not used when not set but this possibly triggers msan (it doesnt locally) Fixes?: use of uninintialized memory Fixes?: 436997807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-6253316466606080 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 354226037646d44701f0f2a84749fb2ea303f043) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/scpr3.c b/libavcodec/scpr3.c index e91c198308..369d2653c2 100644 --- a/libavcodec/scpr3.c +++ b/libavcodec/scpr3.c 
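Review bot: The new range test in read_ts() (lrcdec.c), `ss < 0 || ss > 60`, lets a NaN through, because both comparisons are false for NaN and `%lf` accepts the text `nan`. The value then reaches `*start = (mm * 60 + ss) * AV_TIME_BASE;`, where converting NaN to int64_t is undefined behaviour. Writing the condition as `!(ss >= 0 && ss <= 60)` rejects NaN together with the out-of-range values. Separately, `mm * 60` is now evaluated in 32-bit unsigned arithmetic and silently wraps for large minute counts; `mm * 60.0 + ss` avoids that while still fitting in int64_t.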
@@ -1167,7 +1167,7 @@ static int decompress_p3(AVCodecContext *avctx, } } else { int run, bx = x * 16 + sx1, by = y * 16 + sy1; - uint32_t clr, ptype = 0, r, g, b; + uint32_t clr = 0, ptype = 0, r, g, b; if (bx >= avctx->width) return AVERROR_INVALIDDATA; commit a676267a2c29581346c62dbfdfc9268aa2fd2658 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Fri Aug 8 15:03:56 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:42 2025 +0200 avcodec/ilbcdec: Clear cbvec when used with create_augmented_vector() Fixes: use of uninitialized memory Fixes: 42538134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-6322020827070464 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit 9686fdd729a9caeeac0dc84dca2a65e4c9e5460b) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavcodec/ilbcdec.c b/libavcodec/ilbcdec.c index a9dfa857a2..8b495a2f8e 100644 --- a/libavcodec/ilbcdec.c +++ b/libavcodec/ilbcdec.c @@ -675,6 +675,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * /* get vector */ memcpy(cbvec, mem + lMem - k, cbveclen * 2); } else if (index < base_size) { + memset(cbvec, 0, cbveclen * 2); /* Calculate lag */ 
@@ -701,6 +702,7 @@ static void get_codebook(int16_t * cbvec, /* (o) Constructed codebook vector * filter_mafq12(&mem[memIndTest + 4], cbvec, kCbFiltersRev, CB_FILTERLEN, cbveclen); } else { + memset(cbvec, 0, cbveclen * 2); /* interpolated vectors */ /* Stuff zeros outside memory buffer */ memIndTest = lMem - cbveclen - CB_FILTERLEN; commit bd55bf8300ef2b97c9316d7b2674b07142163e70 Author: Kacper MichajÅow <kaspe...@gmail.com> AuthorDate: Wed Aug 6 00:36:10 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:42 2025 +0200 avformat/mov: clear old name from infe heif_items are reused and to avoid leaking memory or using stale name, clear it first. Fixes: 432505829/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6654363487764480 Found-by: OSS-Fuzz Signed-off-by: Kacper MichajÅow <kaspe...@gmail.com> (cherry picked from commit 3bf8bf965fb69f873e52d34a85d1ecb722a9fe7f) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/libavformat/mov.c b/libavformat/mov.c index 94b741f056..86037c6712 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -8957,6 +8957,7 @@ static int mov_read_infe(MOVContext *c, AVIOContext *pb, MOVAtom atom) return AVERROR(ENOMEM); } + av_freep(&item->name); av_bprint_finalize(&item_name, ret ? &item->name : NULL); item->item_id = item_id; item->type = item_type; commit 64c71cbe4eefcd59559238758bf760b3197469ef Author: Leon Grutters <gruttersleonb...@gmail.com> AuthorDate: Sat Aug 9 18:43:13 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:41 2025 +0200 doc/community.texi: fix spelling error Fixes: 262d41c804 ("all: fix typos found by codespell") Signed-off-by: Leon Grutters <gruttersleonb...@gmail.com> (cherry picked from commit 777408d149b120a730045a71fbed2b8e0ef7807c) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/doc/community.texi b/doc/community.texi index 4274da5d63..97a49f15ed 100644 
--- a/doc/community.texi +++ b/doc/community.texi @@ -123,7 +123,7 @@ Internally, the TC should take decisions with a majority, or using ranked-choice Each TC member must vote on such decision according to what is, in their view, best for the project. -If a TC member feels they are affected by a conflict of interest with regards to the case, they should announce it and recurse themselves from the TC +If a TC member feels they are affected by a conflict of interest with regards to the case, they should announce it and recuse themselves from the TC discussion and vote. A conflict of interest is presumed to occur when a TC member has a personal interest (e.g. financial) in a specific outcome of the case. commit 2feaad5cb977362610305941c689c8d76a8e80f3 Author: Michael Niedermayer <mich...@niedermayer.cc> AuthorDate: Mon Aug 11 19:48:33 2025 +0200 Commit: Michael Niedermayer <mich...@niedermayer.cc> CommitDate: Tue Aug 19 17:56:41 2025 +0200 tools/merge-all-source-plugins: set version Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> diff --git a/tools/merge-all-source-plugins b/tools/merge-all-source-plugins index cd030cdabe..a3812a90a6 100755 --- a/tools/merge-all-source-plugins +++ b/tools/merge-all-source-plugins 
@@ -29,7 +29,7 @@ git diff --exit-code >/dev/null ||\ git diff --cached --exit-code >/dev/null ||\ error "Please commit local changes first" -#version="12.34" +version="8.0" merge "https://github.com/michaelni/FFmpeg.git" "libpostproc" ----------------------------------------------------------------------- Summary of changes: .forgejo/CODEOWNERS | 1 - doc/community.texi | 2 +- fftools/ffmpeg_mux_init.c | 8 +++--- libavcodec/aac/aacdec.c | 31 +++++++++++++++++++-- libavcodec/aac/aacdec.h | 4 +-- libavcodec/aac/aacdec_usac.c | 32 +++++++++++++-------- libavcodec/d3d12va_encode.c | 13 ++++----- libavcodec/dxv.c | 48 ++++++++++++++++++++++++-------- libavcodec/exr.c | 11 ++++++++ libavcodec/g726.c | 2 ++ libavcodec/ilbcdec.c | 2 ++ libavcodec/libvorbisdec.c | 6 ++++ libavcodec/lzf.c | 23 +++++++++++---- libavcodec/lzf.h | 2 +- libavcodec/notchlc.c | 5 ++-- libavcodec/prores_raw.c | 6 ++-- libavcodec/rv60dec.c | 2 ++ libavcodec/sanm.c | 33 ++++++++++++++++++++-- libavcodec/scpr3.c | 2 +- libavcodec/utvideodec.c | 2 +- libavfilter/dnn/dnn_backend_tf.c | 2 -- libavformat/lrcdec.c | 8 +++--- libavformat/mov.c | 11 ++++---- libavformat/tls_openssl.c | 10 +++---- libswscale/swscale_internal.h | 4 +-- tests/ref/fate/filter-pixdesc-xyz12be | 2 +- tests/ref/fate/filter-pixdesc-xyz12le | 2 +- tests/ref/fate/filter-pixfmts-copy | 4 +-- tests/ref/fate/filter-pixfmts-crop | 4 +-- tests/ref/fate/filter-pixfmts-field | 4 +-- tests/ref/fate/filter-pixfmts-fieldorder | 4 +-- tests/ref/fate/filter-pixfmts-hflip | 4 +-- tests/ref/fate/filter-pixfmts-il | 4 +-- tests/ref/fate/filter-pixfmts-null | 4 +-- tests/ref/fate/filter-pixfmts-scale | 4 +-- tests/ref/fate/filter-pixfmts-transpose | 4 +-- tests/ref/fate/filter-pixfmts-vflip | 4 +-- tests/ref/pixfmt/xyz12le | 2 +- tools/merge-all-source-plugins | 20 ++++++++++--- tools/source-plugins.txt | 4 +++ 40 files changed, 236 insertions(+), 104 deletions(-) create mode 100644 tools/source-plugins.txt hooks/post-receive --