[FFmpeg-cvslog] libwebpenc_animencoder: add missing braces to struct initialization

[James Almer]

ffmpeg | branch: release/2.8 | James Almer  | Thu Mar 17 
21:46:06 2016 -0300| [81997136995e795ee6c9e7643d03247f5dd5fdf9] | committer: 
Michael Niedermayer

libwebpenc_animencoder: add missing braces to struct initialization

The first member of the WebPAnimEncoderOptions struct is non scalar

Signed-off-by: James Almer 
(cherry picked from commit 488e6409df2487a2aedbd5adb5ac3f7e74216588)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=81997136995e795ee6c9e7643d03247f5dd5fdf9
---

 libavcodec/libwebpenc_animencoder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/libwebpenc_animencoder.c 
b/libavcodec/libwebpenc_animencoder.c
index 61ecae8a8a..91bf64ca8b 100644
--- a/libavcodec/libwebpenc_animencoder.c
+++ b/libavcodec/libwebpenc_animencoder.c
@@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext 
*avctx)
 int ret = ff_libwebp_encode_init_common(avctx);
 if (!ret) {
 LibWebPAnimContext *s = avctx->priv_data;
-WebPAnimEncoderOptions enc_options = { 0 };
+WebPAnimEncoderOptions enc_options = { { 0 } };
 WebPAnimEncoderOptionsInit(_options);
 enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE;
 // TODO(urvang): Expose some options on command-line perhaps.

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Jul  2 18:57:05 2018 +0200| [b6af5c8880e1b60e5008326329d2e83b3901d638] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fixes invalid shifts in 
jpeg2000_decode_packets_po_iteration()

Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 
9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b6af5c8880e1b60e5008326329d2e83b3901d638
---

 libavcodec/jpeg2000dec.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index f91109ca75..83b418925c 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1219,10 +1219,10 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 if (reslevelno >= codsty->nreslevels)
 continue;
 
-if (yc % (1 << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+if (yc % (1LL << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
 continue;
 
-if (xc % (1 << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+if (xc % (1LL << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
 continue;
 
 // check if a precinct exists
@@ -1286,10 +1286,10 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 uint8_t reducedresno = codsty->nreslevels - 1 
-reslevelno; //  ==> N_L - r
 Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;
 
-if (yc % (1 << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+if (yc % (1LL << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
 continue;
 
-if (xc % (1 << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+if (xc % (1LL << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
 continue;
 
 // check if a precinct exists

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/utils: fix mixed declarations and code

[James Almer]

ffmpeg | branch: release/2.8 | James Almer  | Fri Nov 24 
17:46:16 2017 -0300| [7ae182e0b7dea18c2c682021dabf3542af5e04c1] | committer: 
Michael Niedermayer

avformat/utils: fix mixed declarations and code

Signed-off-by: James Almer 
(cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ae182e0b7dea18c2c682021dabf3542af5e04c1
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 33a4aade64..c228bc90dc 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1502,10 +1502,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt)
 
 if (next_pkt->dts != AV_NOPTS_VALUE) {
 int wrap_bits = 
s->streams[next_pkt->stream_index]->pts_wrap_bits;
-av_assert2(wrap_bits <= 64);
 // last dts seen for this stream. if any of packets following
 // current one had no dts, we will set this to AV_NOPTS_VALUE.
 int64_t last_dts = next_pkt->dts;
+av_assert2(wrap_bits <= 64);
 while (pktl && next_pkt->pts == AV_NOPTS_VALUE) {
 if (pktl->pkt.stream_index == next_pkt->stream_index &&
 av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << 
(wrap_bits - 1)) < 0) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mms: Add missing chunksize check

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jul  3 20:33:04 2018 +0200| [feb31c7ade15719d292c20da60763173e2ba3991] | 
committer: Michael Niedermayer

avformat/mms: Add missing chunksize check

Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch 
1st hunk by Paul Ch 
Tested-by: Paul Ch 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=feb31c7ade15719d292c20da60763173e2ba3991
---

 libavformat/mms.c | 44 ++--
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/libavformat/mms.c b/libavformat/mms.c
index 807aadef0f..9f675f2dd0 100644
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 }
 }
 } else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
-flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
-stream_id = flags & 0x7F;
-//The second condition is for checking CS_PKT_STREAM_ID_REQUEST 
packet size,
-//we can calcuate the packet size by stream_num.
-//Please see function send_stream_selection_request().
-if (mms->stream_num < MMS_MAX_STREAMS &&
-46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
-mms->streams = av_fast_realloc(mms->streams,
-   >nb_streams_allocated,
-   (mms->stream_num + 1) * sizeof(MMSStream));
-if (!mms->streams)
-return AVERROR(ENOMEM);
-mms->streams[mms->stream_num].id = stream_id;
-mms->stream_num++;
-} else {
-av_log(NULL, AV_LOG_ERROR,
-   "Corrupt stream (too many A/V streams)\n");
-return AVERROR_INVALIDDATA;
+if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
+flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
+stream_id = flags & 0x7F;
+//The second condition is for checking 
CS_PKT_STREAM_ID_REQUEST packet size,
+//we can calcuate the packet size by stream_num.
+//Please see function send_stream_selection_request().
+if (mms->stream_num < MMS_MAX_STREAMS &&
+46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
+mms->streams = av_fast_realloc(mms->streams,
+   >nb_streams_allocated,
+   (mms->stream_num + 1) * 
sizeof(MMSStream));
+if (!mms->streams)
+return AVERROR(ENOMEM);
+mms->streams[mms->stream_num].id = stream_id;
+mms->stream_num++;
+} else {
+av_log(NULL, AV_LOG_ERROR,
+   "Corrupt stream (too many A/V streams)\n");
+return AVERROR_INVALIDDATA;
+}
 }
 } else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
 if (end - p >= 88) {
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
 }
 } else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
 chunksize = 46; // see references [2] section 3.4. This should be 
set 46.
+if (chunksize > end - p) {
+av_log(NULL, AV_LOG_ERROR,
+"Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+chunksize);
+return AVERROR_INVALIDDATA;
+}
 }
 p += chunksize;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mjpegdec: Check for odd progressive RGB

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jul  6 16:28:14 2018 +0200| [270a7ff111aa95793ba156b797f1d1e4caaa7efd] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Check for odd progressive RGB

Fixes: out of array access
Fixes: 
9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=270a7ff111aa95793ba156b797f1d1e4caaa7efd
---

 libavcodec/mjpegdec.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 8f6fa35233..14896cb1ab 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -594,6 +594,10 @@ unk_pixfmt:
 av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird 
subsampling\n");
 return AVERROR_PATCHWELCOME;
 }
+if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && 
s->avctx->pix_fmt == AV_PIX_FMT_GBRP) {
+avpriv_report_missing_feature(s->avctx, "progressive for weird 
subsampling");
+return AVERROR_PATCHWELCOME;
+}
 if (s->ls) {
 memset(s->upscale_h, 0, sizeof(s->upscale_h));
 memset(s->upscale_v, 0, sizeof(s->upscale_v));

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/movenc: Check input sample count

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jul  6 22:23:25 2018 +0200| [5775f837963dcf178876ca7d618e6d7dead830c0] | 
committer: Michael Niedermayer

avformat/movenc: Check input sample count

Fixes: division by 0
Fixes: fpe_movenc.c_199_1.wav
Fixes: fpe_movenc.c_199_2.wav
Fixes: fpe_movenc.c_199_3.wav
Fixes: fpe_movenc.c_199_4.wav
Fixes: fpe_movenc.c_199_5.wav
Fixes: fpe_movenc.c_199_6.wav
Fixes: fpe_movenc.c_199_7.wav

Found-by: #CHEN HONGXU# 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5775f837963dcf178876ca7d618e6d7dead830c0
---

 libavformat/movenc.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 315839154a..26401c903d 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -4384,6 +4384,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket 
*pkt)
 else
 samples_in_chunk = 1;
 
+if (samples_in_chunk < 1) {
+av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no 
samples\n");
+return AVERROR_PATCHWELCOME;
+}
+
 /* copy extradata if it exists */
 if (trk->vos_len == 0 && enc->extradata_size > 0 &&
 !TAG_IS_AVCI(trk->tag) &&

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/pva: Check for EOF before retrying in read_part_of_packet()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jul  3 22:14:42 2018 +0200| [c75b8c9733efce84304a2dcec1bbfe806ab2e90f] | 
committer: Michael Niedermayer

avformat/pva: Check for EOF before retrying in read_part_of_packet()

Fixes: Infinite loop
Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06

Found-by: Paul Ch 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c75b8c9733efce84304a2dcec1bbfe806ab2e90f
---

 libavformat/pva.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/pva.c b/libavformat/pva.c
index 900ad6133d..9714fb186c 100644
--- a/libavformat/pva.c
+++ b/libavformat/pva.c
@@ -134,6 +134,10 @@ recover:
 pes_flags  = avio_rb16(pb);
 pes_header_data_length = avio_r8(pb);
 
+if (avio_feof(pb)) {
+return AVERROR_EOF;
+}
+
 if (pes_signal != 1 || pes_header_data_length == 0) {
 pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES 
packet, "
   "trying to recover\n");

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Jul  2 18:40:08 2018 +0200| [76e10cd327b3070af6df4a581727ba6602776175] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Check that there are enough bytes for all tiles

Fixes: OOM
Fixes: 
8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76e10cd327b3070af6df4a581727ba6602776175
---

 libavcodec/jpeg2000dec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index bbb873bb15..f91109ca75 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -339,7 +339,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
 s->numXtiles = ff_jpeg2000_ceildiv(s->width  - s->tile_offset_x, 
s->tile_width);
 s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, 
s->tile_height);
 
-if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
+// There must be at least a SOT and SOD per tile, their minimum size is 14
+if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) ||
+s->numXtiles * s->numYtiles * 14LL > bytestream2_size(>g)
+) {
 s->numXtiles = s->numYtiles = 0;
 return AVERROR(EINVAL);
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/indeo4: Check for end of bitstream in decode_mb_info()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Jul  2 01:26:44 2018 +0200| [4652b0f8fe8a444619f695bc1921d0d8133e1203] | 
committer: Michael Niedermayer

avcodec/indeo4: Check for end of bitstream in decode_mb_info()

Fixes: Timeout
Fixes: 
8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4652b0f8fe8a444619f695bc1921d0d8133e1203
---

 libavcodec/indeo4.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 13fc42ecde..b2d3cd5f4b 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -505,6 +505,11 @@ static int decode_mb_info(IVI45DecContext *ctx, 
IVIBandDesc *band,
 mb->b_mv_x   =
 mb->b_mv_y   = 0;
 
+if (get_bits_left(>gb) < 1) {
+av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb 
info\n");
+return AVERROR_INVALIDDATA;
+}
+
 if (get_bits1(>gb)) {
 if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) {
 av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA 
picture!\n");

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in ff_eval_refl()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Jun 21 23:08:32 2018 +0200| [65c9c1b061db7eaf2559f4f984de679751803665] | 
committer: Michael Niedermayer

avcodec/ra144: Fix integer overflow in ff_eval_refl()

Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 
'int'
Fixes: 
8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65c9c1b061db7eaf2559f4f984de679751803665
---

 libavcodec/ra144.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 67f0e84469..c399304ea1 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, 
AVCodecContext *avctx)
 b = 0x100 / b;
 for (j=0; j <= i; j++) {
 #if CONFIG_FTRAPV
-int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12);
+int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12);
 if((int)(a*(unsigned)b) != a*(int64_t)b)
 return 1;
 #endif
-bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * 
(unsigned)b) >> 12;
+bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 
12)) * (unsigned)b) >> 12;
 }
 
 if ((unsigned) bp1[i] + 0x1000 > 0x1fff)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/escape124: Check buf_size against num_superblocks

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jun 24 19:23:02 2018 +0200| [9bfdb49b74026f380488cd857f0dddf7bb3834ca] | 
committer: Michael Niedermayer

avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout
Fixes: 
8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9bfdb49b74026f380488cd857f0dddf7bb3834ca
---

 libavcodec/escape124.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index d8a89a934c..9080a1fdff 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
 
 // This call also guards the potential depth reads for the
 // codebook unpacking.
-if (get_bits_left() < 64)
+// Check if the amount we will read minimally is available on input.
+// The 64 represent the immedeatly next 2 frame_* elements read, the 
23/4320
+// represent a lower bound of the space needed for skiped superblocks. Non
+// skipped SBs need more space.
+if (get_bits_left() < 64 + s->num_superblocks * 23LL / 4320)
 return -1;
 
 frame_flags = get_bits_long(, 32);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/escape124: Fix spelling errors in comment

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Jun 27 13:00:28 2018 +0200| [f780dabc501921448b11d2e1800255ff54df5ee5] | 
committer: Michael Niedermayer

avcodec/escape124: Fix spelling errors in comment

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f780dabc501921448b11d2e1800255ff54df5ee5
---

 libavcodec/escape124.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index 9080a1fdff..fab56b59e0 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -223,8 +223,8 @@ static int escape124_decode_frame(AVCodecContext *avctx,
 // This call also guards the potential depth reads for the
 // codebook unpacking.
 // Check if the amount we will read minimally is available on input.
-// The 64 represent the immedeatly next 2 frame_* elements read, the 
23/4320
-// represent a lower bound of the space needed for skiped superblocks. Non
+// The 64 represent the immediately next 2 frame_* elements read, the 
23/4320
+// represent a lower bound of the space needed for skipped superblocks. Non
 // skipped SBs need more space.
 if (get_bits_left() < 64 + s->num_superblocks * 23LL / 4320)
 return -1;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Fix undefined addition in shorten_decode_frame()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Jul  2 19:11:46 2018 +0200| [29c7a02bb2858e669441c642af3230db5f147f50] | 
committer: Michael Niedermayer

avcodec/shorten: Fix undefined addition in shorten_decode_frame()

Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented 
in type 'int'
Fixes: 
8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29c7a02bb2858e669441c642af3230db5f147f50
---

 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index cbd8a78bc4..f481a84fed 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -575,7 +575,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void 
*data,
 else {
 int32_t sum = (s->version < 2) ? 0 : s->nmean / 2;
 for (i = 0; i < s->nmean; i++)
-sum += s->offset[channel][i];
+sum += (unsigned)s->offset[channel][i];
 coffset = sum / s->nmean;
 if (s->version >= 2)
 coffset = s->bitshift == 0 ? coffset : coffset >> 
s->bitshift - 1 >> 1;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cscd: Check output buffer size for lzo.

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jun 22 01:18:20 2018 +0200| [3b02b9ad2b81fb536587d45ee7463aaf1fa93a4c] | 
committer: Michael Niedermayer

avcodec/cscd: Check output buffer size for lzo.

Fixes: Timeout
Fixes: 
8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b02b9ad2b81fb536587d45ee7463aaf1fa93a4c
---

 libavcodec/cscd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index 8cb193de56..8fd121a2c7 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 switch ((buf[0] >> 1) & 7) {
 case 0: { // lzo compression
 int outlen = c->decomp_size, inlen = buf_size - 2;
-if (av_lzo1x_decode(c->decomp_buf, , [2], )) {
+if (av_lzo1x_decode(c->decomp_buf, , [2], ) || 
outlen) {
 av_log(avctx, AV_LOG_ERROR, "error during lzo 
decompression\n");
 return AVERROR_INVALIDDATA;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] fftools/ffmpeg: Fallback to duration if sample rate is unavailable

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue May  1 22:44:07 2018 +0200| [83260729955b9249599a23be5f9ad4e9051db002] | 
committer: Michael Niedermayer

fftools/ffmpeg: Fallback to duration if sample rate is unavailable

Regression since: af1761f7
Fixes: Division by 0
Fixes: ffmpeg_crash_1

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan 
Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=83260729955b9249599a23be5f9ad4e9051db002
---

 ffmpeg.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ffmpeg.c b/ffmpeg.c
index 2887e91d1a..5282027895 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2396,8 +2396,12 @@ static int process_input_packet(InputStream *ist, const 
AVPacket *pkt)
 ist->dts = ist->next_dts;
 switch (ist->dec_ctx->codec_type) {
 case AVMEDIA_TYPE_AUDIO:
-ist->next_dts += ((int64_t)AV_TIME_BASE * 
ist->dec_ctx->frame_size) /
- ist->dec_ctx->sample_rate;
+if (ist->dec_ctx->sample_rate) {
+ist->next_dts += ((int64_t)AV_TIME_BASE * 
ist->dec_ctx->frame_size) /
+  ist->dec_ctx->sample_rate;
+} else {
+ist->next_dts += av_rescale_q(pkt->duration, 
ist->st->time_base, AV_TIME_BASE_Q);
+}
 break;
 case AVMEDIA_TYPE_VIDEO:
 if (ist->framerate.num) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/xwddec: Use ff_set_dimensions()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jun  8 00:42:31 2018 +0200| [2b60986513c98b35fecdf75663bc014b7344b572] | 
committer: Michael Niedermayer

avcodec/xwddec: Use ff_set_dimensions()

Fixes: OOM
Fixes: 
8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b60986513c98b35fecdf75663bc014b7344b572
---

 libavcodec/xwddec.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 8b0845fc01..25c64e0e14 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
 uint32_t pixformat, pixdepth, bunit, bitorder, bpad;
 uint32_t rgb[3];
 uint8_t *ptr;
+int width, height;
 GetByteContext gb;
 
 if (buf_size < XWD_HEADER_SIZE)
@@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
 
 pixformat = bytestream2_get_be32u();
 pixdepth  = bytestream2_get_be32u();
-avctx->width  = bytestream2_get_be32u();
-avctx->height = bytestream2_get_be32u();
+width = bytestream2_get_be32u();
+height= bytestream2_get_be32u();
 xoffset   = bytestream2_get_be32u();
 be= bytestream2_get_be32u();
 bunit = bytestream2_get_be32u();
@@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
 ncolors   = bytestream2_get_be32u();
 bytestream2_skipu(, header_size - (XWD_HEADER_SIZE - 20));
 
+if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
+return ret;
+
 av_log(avctx, AV_LOG_DEBUG,
"pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder 
%"PRIu32", bpad %"PRIu32"\n",
pixformat, pixdepth, bunit, bitorder, bpad);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Jun 21 22:48:54 2018 +0200| [8db6c2993bb58937167dd2d4b8014ea4ab784846] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()

Fixes: Timeout
Fixes: 
8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8db6c2993bb58937167dd2d4b8014ea4ab784846
---

 libavcodec/mjpegdec.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index e061742ad2..8f6fa35233 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -979,6 +979,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, 
int nb_components, int p
 for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
 int modified_predictor = predictor;
 
+if (get_bits_left(>gb) < 1) {
+av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n");
+return AVERROR_INVALIDDATA;
+}
+
 if (s->restart_interval && !s->restart_count){
 s->restart_count = s->restart_interval;
 resync_mb_x = mb_x;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Jun 14 16:41:49 2018 +0200| [e495910d4ca368be51fdc2ecc056ed0fb0ff2526] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix undefined integer overflow in 
apply_independent_coupling_fixed()

Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 
'int'
Fixes: 
8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e495910d4ca368be51fdc2ecc056ed0fb0ff2526
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index e0a54fffb4..40363ba6bb 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -433,7 +433,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
 else {
   for (i = 0; i < len; i++) {
   tmp = (int)(((int64_t)src[i] * c + (int64_t)0x10) >> 37);
-  dest[i] += tmp * (1 << shift);
+  dest[i] += tmp * (1U << shift);
   }
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jun  5 02:17:24 2018 +0200| [ce4cb475a3714def0ad80a5ad74f2c9c90683f88] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()

Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in 
type 'int'
Fixes: 
7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce4cb475a3714def0ad80a5ad74f2c9c90683f88
---

 libavcodec/mjpegdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 2e101225b6..e061742ad2 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1002,7 +1002,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, 
int nb_components, int p
 return -1;
 
 left[i] = buffer[mb_x][i] =
-mask & (pred + (dc * (1 << point_transform)));
+mask & (pred + (unsigned)(dc * (1 << point_transform)));
 }
 
 if (s->restart_interval && !--s->restart_count) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Only set pkt->duration to non negative values

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed May 16 23:35:58 2018 +0200| [ed4e35a0fdef551041a2d0e412e90321dbd6bf3e] | 
committer: Michael Niedermayer

avformat/mov: Only set pkt->duration to non negative values

Reviewed-by: Sasi Inguva 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed4e35a0fdef551041a2d0e412e90321dbd6bf3e
---

 libavformat/mov.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4f1662fc30..e48938e5b5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4840,7 +4840,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket 
*pkt)
 } else {
 int64_t next_dts = (sc->current_sample < st->nb_index_entries) ?
 st->index_entries[sc->current_sample].timestamp : st->duration;
-pkt->duration = next_dts - pkt->dts;
+
+if (next_dts >= pkt->dts)
+pkt->duration = next_dts - pkt->dts;
 pkt->pts = pkt->dts;
 }
 if (st->discard == AVDISCARD_ALL)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/wavpack: Fix overflow in adding tail

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jun  8 00:07:04 2018 +0200| [acfdaa463e7c7ab5d8603b6e8aa31eaf9e8a555e] | 
committer: Michael Niedermayer

avcodec/wavpack: Fix overflow in adding tail

Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in 
type 'int'
Fixes: 
8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=acfdaa463e7c7ab5d8603b6e8aa31eaf9e8a555e
---

 libavcodec/wavpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 50b5db55ff..3748ac89cc 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -85,7 +85,7 @@ typedef struct WavpackContext {
 
 #define LEVEL_DECAY(a)  (((a) + 0x80) >> 8)
 
-static av_always_inline int get_tail(GetBitContext *gb, int k)
+static av_always_inline unsigned get_tail(GetBitContext *gb, int k)
 {
 int p, e, res;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h264_mc_template: Only prefetch motion if the list is used.

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Jun  8 18:25:14 2018 +0200| [cc65755a0ddbc8985462ac8f961188e08d89110f] | 
committer: Michael Niedermayer

avcodec/h264_mc_template: Only prefetch motion if the list is used.

Fixes: index 59 out of bounds for type 'H264Ref [48]'
Fixes: 
8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc65755a0ddbc8985462ac8f961188e08d89110f
---

 libavcodec/h264_mc_template.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c
index e4333a733c..acdf4d126c 100644
--- a/libavcodec/h264_mc_template.c
+++ b/libavcodec/h264_mc_template.c
@@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, 
H264SliceContext *sl,
 
 if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME))
 await_references(h, sl);
-prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);
+if (USES_LIST(mb_type, 0))
+prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC);
 
 if (IS_16X16(mb_type)) {
 mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0,

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Fix multiple integer overflows

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jun  5 13:19:35 2018 +0200| [6fdc61b8f6f1a8f7ded6fa858dd5b5fe69e0237e] | 
committer: Michael Niedermayer

avcodec/shorten: Fix multiple integer overflows

Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 
'int'
Fixes: 
8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fdc61b8f6f1a8f7ded6fa858dd5b5fe69e0237e
---

 libavcodec/shorten.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index b8a5664ce9..cbd8a78bc4 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -313,7 +313,7 @@ static int decode_subframe_lpc(ShortenContext *s, int 
command, int channel,
 for (i = 0; i < s->blocksize; i++) {
 sum = init_sum;
 for (j = 0; j < pred_order; j++)
-sum += coeffs[j] * s->decoded[channel][i - j - 1];
+sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
  (sum >> qshift);
 }
@@ -593,7 +593,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void 
*data,
 
 /* update means with info from the current block */
 if (s->nmean > 0) {
-int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2;
+int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2;
 for (i = 0; i < s->blocksize; i++)
 sum += s->decoded[channel][i];
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/truemotion2: Fix overflow in tm2_apply_deltas()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jun  5 02:09:59 2018 +0200| [ea0734e3f011964e12da5f7d8dacf4a86670cbf0] | 
committer: Michael Niedermayer

avcodec/truemotion2: Fix overflow in tm2_apply_deltas()

Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented 
in type 'int'
Fixes: 
7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea0734e3f011964e12da5f7d8dacf4a86670cbf0
---

 libavcodec/truemotion2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index dbcef42462..d290326bf5 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -443,7 +443,7 @@ static inline int GET_TOK(TM2Context *ctx,int type)
 /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma 
*/
 static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int 
*deltas, int *last)
 {
-int ct, d;
+unsigned ct, d;
 int i, j;
 
 for (j = 0; j < 4; j++){

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/shorten: Sanity check nmeans

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Jun  5 13:03:48 2018 +0200| [f41da2bd5ff7d9d6b1141284dbd526d8b232e29b] | 
committer: Michael Niedermayer

avcodec/shorten: Sanity check nmeans

Fixes: OOM
Fixes: 
8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232

The reference software appears to use longs for 32bits and it uses int for 
nmeans
hinting that the intended maximum size was not 32bit.

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f41da2bd5ff7d9d6b1141284dbd526d8b232e29b
---

 libavcodec/shorten.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index e4bf2e0035..b8a5664ce9 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -374,6 +374,10 @@ static int read_header(ShortenContext *s)
 return AVERROR_INVALIDDATA;
 }
 s->nmean = get_uint(s, 0);
+if (s->nmean > 32768U) {
+av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean);
+return AVERROR_INVALIDDATA;
+}
 
 skip_bytes = get_uint(s, NSKIPSIZE);
 if ((unsigned)skip_bytes > get_bits_left(>gb)/8) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avutil/common: Fix undefined behavior in av_clip_uintp2_c()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Jun 14 15:41:33 2018 +0200| [c1121e7ec29b78bf96a4411ca378e2336a32dbcd] | 
committer: Michael Niedermayer

avutil/common: Fix undefined behavior in av_clip_uintp2_c()

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an 
unsigned type to negate this value to itself
Fixes: 
8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1121e7ec29b78bf96a4411ca378e2336a32dbcd
---

 libavutil/common.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/common.h b/libavutil/common.h
index 81f5fedf29..ee7028e1fb 100644
--- a/libavutil/common.h
+++ b/libavutil/common.h
@@ -232,7 +232,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, 
int p)
  */
 static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p)
 {
-if (a & ~((1<> 31 & ((1<> 31 & ((1

[FFmpeg-cvslog] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon May 21 03:16:58 2018 +0200| [17ed3c809da5852c3d5c41df14f0d44a8d7c10a9] | 
committer: Michael Niedermayer

avformat/mov: replace a value error by clipping into valid range in 
mov_read_stsc()

Fixes: #7165

Signed-off-by: Michael Niedermayer 
(cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=17ed3c809da5852c3d5c41df14f0d44a8d7c10a9
---

 libavformat/mov.c | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index c85d3a6eda..4f1662fc30 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2229,14 +2229,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 
 sc->stsc_count = i;
 for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
+int64_t first_min = i + 1;
 if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= 
sc->stsc_data[i+1].first) ||
 (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
-sc->stsc_data[i].first < 1 ||
+sc->stsc_data[i].first < first_min ||
 sc->stsc_data[i].count < 1 ||
 sc->stsc_data[i].id < 1) {
 av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d 
count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, 
sc->stsc_data[i].id);
-if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2)
-return AVERROR_INVALIDDATA;
+if (i+1 >= sc->stsc_count) {
+sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, 
first_min);
+if (i > 0 && sc->stsc_data[i].first <= 
sc->stsc_data[i-1].first)
+sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 
1LL, INT_MAX);
+sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1);
+sc->stsc_data[i].id= FFMAX(sc->stsc_data[i].id, 1);
+continue;
+}
+av_assert0(sc->stsc_data[i+1].first >= 2);
 // We replace this entry by the next valid
 sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
 sc->stsc_data[i].count = sc->stsc_data[i+1].count;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/fic: Avoid some magic numbers related to cursors

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat May  5 23:42:36 2018 +0200| [f98794c73a7f90da43e06126e60a7bbda530fba7] | 
committer: Michael Niedermayer

avcodec/fic: Avoid some magic numbers related to cursors

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f98794c73a7f90da43e06126e60a7bbda530fba7
---

 libavcodec/fic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 7bfb998a55..14887d94a0 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -81,6 +81,7 @@ static const uint8_t fic_qmat_lq[64] = {
 static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };
 
 #define FIC_HEADER_SIZE 27
+#define CURSOR_OFFSET 59
 
 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int 
rnd)
 {
@@ -417,7 +418,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void 
*data,
 
 /* Draw cursor. */
 if (!skip_cursor) {
-memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4);
+memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf));
 fic_draw_cursor(avctx, cur_x, cur_y);
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jun  3 01:33:54 2018 +0200| [4c3a7aaea8ba76225780bd867a053bb0084503d6] | 
committer: Michael Niedermayer

avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c

Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot 
be represented in type 'int'
Fixes: 
7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c3a7aaea8ba76225780bd867a053bb0084503d6
---

 libavcodec/opus_silk.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c
index 408e4bf43c..6418743b6b 100644
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float 
lpcf[16], int order)
 
 /* reconstruct A(z) */
 for (k = 0; k < order>>1; k++) {
-lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k];
-lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k];
+int32_t p_tmp = p[k + 1] + p[k];
+int32_t q_tmp = q[k + 1] - q[k];
+lpc32[k] = -q_tmp - p_tmp;
+lpc32[order-k-1] =  q_tmp - p_tmp;
 }
 
 /* limit the range of the LPC coefficients to each fit within an int16_t */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/g2meet: ask for sample with overflowing RGB

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed May 16 22:50:19 2018 +0200| [781dcd5db6ac7597a8c2e7ad165a4ef6b0d1697a] | 
committer: Michael Niedermayer

avcodec/g2meet: ask for sample with overflowing RGB

Suggested-by: Tomas Härdin 

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=781dcd5db6ac7597a8c2e7ad165a4ef6b0d1697a
---

 libavcodec/g2meet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index fed35a271b..fcfb42bbb7 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int 
x, int y,
 }
 
 if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
-av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
+avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B);
 return 0;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in find_hb_gain()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Jun  3 00:48:06 2018 +0200| [832d9accfc23b837a3c6e10fd92c9a5a6129bf0b] | 
committer: Michael Niedermayer

avcodec/amrwbdec: Fix division by 0 in find_hb_gain()

This restructures the code slightly toward D_UTIL_dec_synthesis()

Fixes: 
7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=832d9accfc23b837a3c6e10fd92c9a5a6129bf0b
---

 libavcodec/amrwbdec.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
index d5e0431f30..bc5e157210 100644
--- a/libavcodec/amrwbdec.c
+++ b/libavcodec/amrwbdec.c
@@ -865,15 +865,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float 
*synth,
 {
 int wsp = (vad > 0);
 float tilt;
+float tmp;
 
 if (ctx->fr_cur_mode == MODE_23k85)
 return qua_hb_gain[hb_idx] * (1.0f / (1 << 14));
 
-tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) /
-   ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1);
+
+if (tmp > 0) {
+tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE);
+} else
+tilt = 0;
 
 /* return gain bounded by [0.1, 1.0] */
-return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0);
+return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0);
 }
 
 /**

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Break out early if chunk_count is 0 in mov_build_index()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue May 15 17:06:59 2018 +0200| [674929cd46c76285f4d739c0436a75a5402dee61] | 
committer: Michael Niedermayer

avformat/mov: Break out early if chunk_count is 0 in mov_build_index()

Without this some operations might overflow (undefined behavior)
even though the index adding loop would never execute

No testcase known

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=674929cd46c76285f4d739c0436a75a5402dee61
---

 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 5a2ab732d3..c85d3a6eda 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2783,6 +2783,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
 } else {
 unsigned chunk_samples, total = 0;
 
+if (!sc->chunk_count)
+return;
+
 // compute total chunk count
 for (i = 0; i < sc->stsc_count; i++) {
 unsigned count, chunk_count;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/g2meet: Check RGB upper limit

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Apr 27 20:16:13 2018 +0200| [fc097bf1cd0af7bbab09e2f1af4ae39eb0ca4eea] | 
committer: Michael Niedermayer

avcodec/g2meet: Check RGB upper limit

Fixes: runtime error: left shift of 1876744317 by 16 places cannot be 
represented in type 'int'
Fixes: 
6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fc097bf1cd0af7bbab09e2f1af4ae39eb0ca4eea
---

 libavcodec/g2meet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 14dd05babc..fed35a271b 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -555,7 +555,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int 
x, int y,
 B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta);
 }
 
-if (R<0 || G<0 || B<0) {
+if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) {
 av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B);
 return 0;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] lavf/http.c: Free allocated client URLContext in case of error.

[Stephan Holljes]

ffmpeg | branch: release/2.8 | Stephan Holljes  | Fri 
Jan 12 19:16:29 2018 +0100| [18772823239094cb23df43ceb01152a9bcf80710] | 
committer: Michael Niedermayer

lavf/http.c: Free allocated client URLContext in case of error.

Signed-off-by: Stephan Holljes 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18772823239094cb23df43ceb01152a9bcf80710
---

 libavformat/http.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/http.c b/libavformat/http.c
index 7686c92742..a64ad693e1 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -513,7 +513,11 @@ static int http_accept(URLContext *s, URLContext **c)
 goto fail;
 cc->hd = cl;
 cc->is_multi_client = 1;
+return 0;
 fail:
+if (c) {
+ffurl_closep(c);
+}
 return ret;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] swresample/arm: remove unintentional relocation.

[Rahul Chaudhry]

ffmpeg | branch: release/2.8 | Rahul Chaudhry  | 
Wed Apr 18 16:29:39 2018 -0700| [e5b29c60f02fa03a69b047ebc5d35737dd77ed1d] | 
committer: Michael Niedermayer

swresample/arm: remove unintentional relocation.

Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable neon during gstreamer build,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f

Signed-off-by: Michael Niedermayer 
(cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5b29c60f02fa03a69b047ebc5d35737dd77ed1d
---

 libswresample/arm/audio_convert_neon.S | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libswresample/arm/audio_convert_neon.S 
b/libswresample/arm/audio_convert_neon.S
index 1f88316dde..7729514701 100644
--- a/libswresample/arm/audio_convert_neon.S
+++ b/libswresample/arm/audio_convert_neon.S
@@ -22,6 +22,7 @@
 #include "libavutil/arm/asm.S"
 
 function swri_oldapi_conv_flt_to_s16_neon, export=1
+_swri_oldapi_conv_flt_to_s16_neon:
 subsr2,  r2,  #8
 vld1.32 {q0}, [r1,:128]!
 vcvt.s32.f32q8,  q0,  #31
@@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1
 endfunc
 
 function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1
+_swri_oldapi_conv_fltp_to_s16_2ch_neon:
 ldm r1,  {r1, r3}
 subsr2,  r2,  #8
 vld1.32 {q0}, [r1,:128]!
@@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1
 cmp r3,  #2
 itt lt
 ldrlt   r1,  [r1]
-blt X(swri_oldapi_conv_flt_to_s16_neon)
-beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon)
+blt _swri_oldapi_conv_flt_to_s16_neon
+beq _swri_oldapi_conv_fltp_to_s16_2ch_neon
 
 push{r4-r8, lr}
 cmp r3,  #4

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/vc1_block: simplify ac_val computation

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 23 02:08:10 2018 +0200| [60e7be58d996b8f14e99876472fdbdbc4db370d8] | 
committer: Michael Niedermayer

avcodec/vc1_block: simplify ac_val computation

also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]'

Found-by: durandal_1707
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60e7be58d996b8f14e99876472fdbdbc4db370d8
---

 libavcodec/vc1_block.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c
index 255ba1da70..1b219c9adf 100644
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
@@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t 
block[64], int n,
 scale = s->c_dc_scale;
 block[0] = dcdiff * scale;
 
-ac_val  = s->ac_val[0][0] + s->block_index[n] * 16;
+ac_val  = s->ac_val[0][s->block_index[n]];
 ac_val2 = ac_val;
 if (dc_pred_dir) // left
 ac_val -= 16;
@@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t 
block[64], int n,
 
 scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0);
 
-ac_val  = s->ac_val[0][0] + s->block_index[n] * 16;
+ac_val  = s->ac_val[0][s->block_index[n]];
 ac_val2 = ac_val;
 if (dc_pred_dir) // left
 ac_val -= 16;
@@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t 
block[64], int n,
 if (!a_avail) dc_pred_dir = 1;
 if (!c_avail) dc_pred_dir = 0;
 if (!a_avail && !c_avail) use_pred = 0;
-ac_val = s->ac_val[0][0] + s->block_index[n] * 16;
+ac_val = s->ac_val[0][s->block_index[n]];
 ac_val2 = ac_val;
 
 scale = mquant * 2 + v->halfpq;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mlpdec: Only change noise_type if the related fields are valid

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu May 17 13:58:46 2018 +0200| [3d4e0858d68bce81f25bbab4ac912d971175daaf] | 
committer: Michael Niedermayer

avcodec/mlpdec: Only change noise_type if the related fields are valid

Fixes: inconsistency
Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]'
Fixes: 
6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d4e0858d68bce81f25bbab4ac912d971175daaf
---

 libavcodec/mlpdec.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index b339d1189e..b8b78b88e3 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, 
GetBitContext *gbp,
 uint8_t checksum;
 uint8_t lossless_check;
 int start_count = get_bits_count(gbp);
-int min_channel, max_channel, max_matrix_channel;
+int min_channel, max_channel, max_matrix_channel, noise_type;
 const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP
  ? MAX_MATRIX_CHANNEL_MLP
  : MAX_MATRIX_CHANNEL_TRUEHD;
@@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, 
GetBitContext *gbp,
 return AVERROR_INVALIDDATA;
 }
 
-s->noise_type = get_bits1(gbp);
+noise_type = get_bits1(gbp);
 
-if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) {
+if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) {
 av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n");
 return AVERROR_INVALIDDATA;
 }
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, 
GetBitContext *gbp,
 
 /* This should happen for TrueHD streams with >6 channels and MLP's noise
  * type. It is not yet known if this is allowed. */
-if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) {
+if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) {
 avpriv_request_sample(m->avctx,
   "%d channels (more than the "
   "maximum supported by the decoder)",
@@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, 
GetBitContext *gbp,
 s->min_channel= min_channel;
 s->max_channel= max_channel;
 s->max_matrix_channel = max_matrix_channel;
+s->noise_type = noise_type;
 
 #if FF_API_REQUEST_CHANNELS
 FF_DISABLE_DEPRECATION_WARNINGS

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/flac_parser: Fix infinite loop

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 30 22:20:28 2018 +0200| [8e3918f1db50544b5f2255c41323de6cf6258e81] | 
committer: Michael Niedermayer

avcodec/flac_parser: Fix infinite loop

Fixes: crbug/827204

Reported-by: Frank Liberato 
Reviewed-by: Frank Liberato 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e3918f1db50544b5f2255c41323de6cf6258e81
---

 libavcodec/flac_parser.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
index 6df531b7b3..00181f279a 100644
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, 
AVCodecContext *avctx,
 }
 
 for (curr = fpc->headers; curr; curr = curr->next) {
-if (curr->max_score > 0 &&
-(!fpc->best_header || curr->max_score > 
fpc->best_header->max_score)) {
+if (!fpc->best_header || curr->max_score > 
fpc->best_header->max_score) {
 fpc->best_header = curr;
 }
 }
 
+if (fpc->best_header && fpc->best_header->max_score <= 0) {
+// Only accept a bad header if there is no other option to continue
+if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < 
FLAC_MIN_HEADERS)
+fpc->best_header = NULL;
+}
+
 if (fpc->best_header) {
 fpc->best_header_valid = 1;
 if (fpc->best_header->offset > 0) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon May 21 23:08:05 2018 +0200| [6bbef938839adc55e8e048bc9cc2e0fafe2064df] | 
committer: Michael Niedermayer

avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()

Fixes truncation
Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169
Fixes: ffmpeg_crash_2.avi

Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa 
and Alexandru RazvanCaciulescu with AFLSmart

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6bbef938839adc55e8e048bc9cc2e0fafe2064df
---

 libavcodec/mpeg4videoenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c
index b3ad4f9042..0cde63ba4e 100644
--- a/libavcodec/mpeg4videoenc.c
+++ b/libavcodec/mpeg4videoenc.c
@@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s)
 
 static void mpeg4_encode_gop_header(MpegEncContext *s)
 {
-int hours, minutes, seconds;
+int64_t hours, minutes, seconds;
 int64_t time;
 
 put_bits(>pb, 16, 0);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dsicinvideo: Propagate errors from cin_decode_rle()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 16 22:28:23 2018 +0200| [a868e804d92fbc973c585c5e56e7e382004ce538] | 
committer: Michael Niedermayer

avcodec/dsicinvideo: Propagate errors from cin_decode_rle()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a868e804d92fbc973c585c5e56e7e382004ce538
---

 libavcodec/dsicinvideo.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c
index f95cbc74a0..add7afa383 100644
--- a/libavcodec/dsicinvideo.c
+++ b/libavcodec/dsicinvideo.c
@@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
  * surface.width = surface.pitch */
 switch (bitmap_frame_type) {
 case 9:
-cin_decode_rle(buf, bitmap_frame_size,
+res =  cin_decode_rle(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+if (res < 0)
+return res;
 break;
 case 34:
-cin_decode_rle(buf, bitmap_frame_size,
+res =  cin_decode_rle(buf, bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+if (res < 0)
+return res;
 cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
  cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
 break;
 case 35:
 bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
-cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+res =  cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], 
bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+if (res < 0)
+return res;
 break;
 case 36:
 bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
cin->bitmap_table[CIN_INT_BMP],
cin->bitmap_size);
-cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
+res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
+if (res < 0)
+return res;
 cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP],
  cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
 break;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri May 25 22:06:48 2018 +0200| [4c2bb473d3f9a04bf3eafeb64b93c745ae44db6a] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in 
apply_dependent_coupling_fixed()

Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented 
in type 'int'
Fixes: 
7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c2bb473d3f9a04bf3eafeb64b93c745ae44db6a
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index a37ed2aaa1..e0a54fffb4 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -384,7 +384,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac,
 for (k = offsets[i]; k < offsets[i + 1]; k++) {
 tmp = (int)(((int64_t)src[group * 128 + k] * c + \
(int64_t)0x10) >> 37);
-dest[group * 128 + k] += (tmp + round) >> shift;
+dest[group * 128 + k] += (tmp + (int64_t)round) >> 
shift;
 }
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Only fail for STCO/STSC contradictions if both exist

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue May 15 17:07:00 2018 +0200| [854835966b33ce70ea61d0701b0e88b7700438fd] | 
committer: Michael Niedermayer

avformat/mov: Only fail for STCO/STSC contradictions if both exist

Fixes regression with playback of 
GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a
See: crbug 822666

Found-by: "Mattias Wadman 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=854835966b33ce70ea61d0701b0e88b7700438fd
---

 libavformat/mov.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index a6eb773021..5a2ab732d3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -3026,7 +3026,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
st->index);
 return 0;
 }
-if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > 
sc->chunk_count) {
+if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 
].first > sc->chunk_count) {
 av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and 
STCO\n",
st->index);
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dfa: Check dimension against maximum

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 16 22:04:53 2018 +0200| [79cc326baba5ed80e752d9d03f110e7d3a15354b] | 
committer: Michael Niedermayer

avcodec/dfa: Check dimension against maximum

The headers from where the dimensions are read in actual files
are limited to 16bit per component.

Fixes: Timeout
Fixes: 
6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79cc326baba5ed80e752d9d03f110e7d3a15354b
---

 libavcodec/dfa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index 8067ac94e5..b8500a4995 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx)
 
 avctx->pix_fmt = AV_PIX_FMT_PAL8;
 
-if (!avctx->width || !avctx->height)
+if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) 
>= (1<<16))
 return AVERROR_INVALIDDATA;
 
 av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 
0);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri May  4 19:11:36 2018 +0200| [4e9e1ab815c525471bf51f31e05a708bd6c74a82] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done

Fixes: assertion failure
Fixes: 
7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e9e1ab815c525471bf51f31e05a708bd6c74a82
---

 libavcodec/jpeg2000dec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 9c2aae6d75..1fc0006674 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1124,6 +1124,9 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 step_x = 32;
 step_y = 32;
 
+if (RSpoc > FFMIN(codsty->nreslevels, REpoc))
+continue;
+
 for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, 
REpoc); reslevelno++) {
 uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; //  
==> N_L - r
 Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/utils: Enforce minimum width also for VP5/6

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Apr 11 19:50:52 2018 +0200| [9af1e014f788a9c8700c4415130475f27a35e3db] | 
committer: Michael Niedermayer

avcodec/utils: Enforce minimum width also for VP5/6

Fixes: out of array access
Fixes: poc_0411

Found-by: GwanYeong Kim 
Tested-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9af1e014f788a9c8700c4415130475f27a35e3db
---

 libavcodec/utils.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libavcodec/utils.c b/libavcodec/utils.c
index 6f54f530a1..1f3768dc0f 100644
--- a/libavcodec/utils.c
+++ b/libavcodec/utils.c
@@ -420,7 +420,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int 
*width, int *height,
 
 *width  = FFALIGN(*width, w_align);
 *height = FFALIGN(*height, h_align);
-if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) {
+if (s->codec_id == AV_CODEC_ID_H264 || s->lowres ||
+s->codec_id == AV_CODEC_ID_VP5  || s->codec_id == AV_CODEC_ID_VP6 ||
+s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A
+) {
 // some of the optimized chroma MC reads one line too much
 // which is also done in mpeg decoders with lowres > 0
 *height += 2;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 16 22:29:09 2018 +0200| [c7329c733cb3dc2350a2df430feb55c37209f95b] | 
committer: Michael Niedermayer

avcodec/dsicinvideo: Fail if there is only a small fraction of the data 
available that comprises a full frame

Fixes: Timeout
Fixes: 
6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7329c733cb3dc2350a2df430feb55c37209f95b
---

 libavcodec/dsicinvideo.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c
index add7afa383..aa080417d2 100644
--- a/libavcodec/dsicinvideo.c
+++ b/libavcodec/dsicinvideo.c
@@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int 
src_size,
 }
 }
 
+if (dst_end - dst > dst_size - dst_size/10)
+return AVERROR_INVALIDDATA;
+
 return 0;
 }
 
@@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int 
src_size,
 }
 dst += len;
 }
+
+if (dst_end - dst > dst_size - dst_size/10)
+return AVERROR_INVALIDDATA;
+
 return 0;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cinepak: Skip empty frames

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Apr 17 02:13:43 2018 +0200| [bd7231cad119894d79c4f05c2e5471caee66d197] | 
committer: Michael Niedermayer

avcodec/cinepak: Skip empty frames

Speeds up decoding from 3 to 0.1 seconds for 
6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd7231cad119894d79c4f05c2e5471caee66d197
---

 libavcodec/cinepak.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index 908c248ef0..9060e31fb1 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
 const uint8_t *buf = avpkt->data;
 int ret = 0, buf_size = avpkt->size;
 CinepakContext *s = avctx->priv_data;
+int num_strips;
 
 s->data = buf;
 s->size = buf_size;
@@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
 if (s->size < 10)
 return AVERROR_INVALIDDATA;
 
+num_strips = AV_RB16 (>data[8]);
+
+//Empty frame, do not waste time
+if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, 
AV_PKT_DATA_PALETTE, NULL)))
+return buf_size;
+
 if ((ret = cinepak_predecode_check(s)) < 0) {
 av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
 return ret;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] indeo4: Decode all or nothing of a band header.

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu May 17 13:40:38 2018 +0200| [931f83773119649a975ddeea727950fbc36810a3] | 
committer: Michael Niedermayer

indeo4: Decode all or nothing of a band header.

This avoids inconsistent value combinations.
Alternatively it would be possible to add more checks and careful use of
temporary variables, but my try of this quickly seemed to become
a rather large change.
The disadvantage of this, is that the struct is copied back and forth.

Fixes: index 6 out of bounds for type 'const uint16_t [5][16]'
Fixes: 
6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 10c8521265da86118597336c5589e26de377a374)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=931f83773119649a975ddeea727950fbc36810a3
---

 libavcodec/indeo4.c | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 1bf402551b..13fc42ecde 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -269,12 +269,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
  *  @param[in] avctx pointer to the AVCodecContext
  *  @returnresult code: 0 = OK, negative number = error
  */
-static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
+static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band,
AVCodecContext *avctx)
 {
 int plane, band_num, indx, transform_id, scan_indx;
 int i;
 int quant_mat;
+IVIBandDesc temp_band, *band = _band;
+memcpy(_band, arg_band, sizeof(temp_band));
 
 plane= get_bits(>gb, 2);
 band_num = get_bits(>gb, 4);
@@ -408,10 +410,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, 
IVIBandDesc *band,
 
 /* decode block huffman codebook */
 if (!get_bits1(>gb))
-band->blk_vlc.tab = ctx->blk_vlc.tab;
+arg_band->blk_vlc.tab = ctx->blk_vlc.tab;
 else
 if (ff_ivi_dec_huff_desc(>gb, 1, IVI_BLK_HUFF,
- >blk_vlc, avctx))
+ _band->blk_vlc, avctx))
 return AVERROR_INVALIDDATA;
 
 /* select appropriate rvmap table for this band */
@@ -452,6 +454,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, 
IVIBandDesc *band,
 return AVERROR_INVALIDDATA;
 }
 
+band->blk_vlc = arg_band->blk_vlc;
+memcpy(arg_band, band, sizeof(*arg_band));
+
 return 0;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/truemotion2: Propagate out of bounds error from GET_TOK()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Apr 10 22:24:03 2018 +0200| [6186bfad387042f36a6fbf7c38dafaeec6cc774a] | 
committer: Michael Niedermayer

avcodec/truemotion2: Propagate out of bounds error from GET_TOK()

Fixes: Timeout
Fixes: 
6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6186bfad387042f36a6fbf7c38dafaeec6cc774a
---

 libavcodec/truemotion2.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index b77df57baa..dbcef42462 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -63,6 +63,7 @@ typedef struct TM2Context {
 AVFrame *pic;
 
 GetBitContext gb;
+int error;
 BswapDSPContext bdsp;
 
 uint8_t *buffer;
@@ -390,6 +391,7 @@ static inline int GET_TOK(TM2Context *ctx,int type)
 {
 if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of 
bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]);
+ctx->error = 1;
 return 0;
 }
 if (type <= TM2_MOT) {
@@ -801,6 +803,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p)
 default:
 av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type 
%i\n", type);
 }
+if (ctx->error)
+return AVERROR_INVALIDDATA;
 }
 }
 
@@ -881,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx,
 int offset   = TM2_HEADER_SIZE;
 int i, t, ret;
 
+l->error = 0;
+
 av_fast_padded_malloc(>buffer, >buffer_size, buf_size);
 if (!l->buffer) {
 av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n");

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri May  4 19:18:25 2018 +0200| [c10babcadc341b8bec6b16572e4373ae571af7e7] | 
committer: Michael Niedermayer

avcodec/jpeg2000dec: Fix undefined shift in the 
jpeg2000_decode_packets_po_iteration() CPRL case

Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 
7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c10babcadc341b8bec6b16572e4373ae571af7e7
---

 libavcodec/jpeg2000dec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 1fc0006674..bbb873bb15 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1146,10 +1146,10 @@ static int 
jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
 int xc = x / s->cdx[compno];
 int yc = y / s->cdy[compno];
 
-if (yc % (1 << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+if (yc % (1LL << (rlevel->log2_prec_height + 
reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
 continue;
 
-if (xc % (1 << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+if (xc % (1LL << (rlevel->log2_prec_width + 
reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
 continue;
 
 // check if a precinct exists

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/fic: Check available input space for cursor

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat May  5 22:00:01 2018 +0200| [888bdb127b545731148d7f678f69c863a55889a8] | 
committer: Michael Niedermayer

avcodec/fic: Check available input space for cursor

Fixes: out of array read
Fixes: 
6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=888bdb127b545731148d7f678f69c863a55889a8
---

 libavcodec/fic.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 6940cb6231..7bfb998a55 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -334,6 +334,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void 
*data,
 skip_cursor = 1;
 }
 
+if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) 
{
+skip_cursor = 1;
+}
+
 /* Slice height for all but the last slice. */
 ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
 if (ctx->slice_h % 16)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/ffv1enc: Check that the crc + version combination is supported

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Apr 21 22:19:31 2018 +0200| [8eee712737c2aa2f643998e752f480ad42bb0612] | 
committer: Michael Niedermayer

avcodec/ffv1enc: Check that the crc + version combination is supported

The crc flag is only stored since version 3 thus before this crcs do not
work. We increase the version as needed same as we do with pix_fmts

Signed-off-by: Michael Niedermayer 
(cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8eee712737c2aa2f643998e752f480ad42bb0612
---

 libavcodec/ffv1enc.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c
index 3b425d68ed..b27c3a1328 100644
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@@ -690,6 +690,10 @@ static av_cold int encode_init(AVCodecContext *avctx)
 s->ec = (s->version >= 3);
 }
 
+// CRC requires version 3+
+if (s->ec)
+s->version = FFMAX(s->version, 3);
+
 if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > 
FF_COMPLIANCE_EXPERIMENTAL) {
 av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features 
but version 2 is experimental and not enabled\n");
 return AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cinepak: move some checks prior to frame allocation

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Apr 17 02:13:42 2018 +0200| [173e04ee85a8de7475eecb486e27adefc01847d3] | 
committer: Michael Niedermayer

avcodec/cinepak: move some checks prior to frame allocation

Speeds up decoding from 8 to 3 seconds for 
6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=173e04ee85a8de7475eecb486e27adefc01847d3
---

 libavcodec/cinepak.c | 27 ++-
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index 7a7466204a..908c248ef0 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s,
 return AVERROR_INVALIDDATA;
 }
 
-static int cinepak_decode (CinepakContext *s)
+static int cinepak_predecode_check (CinepakContext *s)
 {
-const uint8_t  *eod = (s->data + s->size);
-int   i, result, strip_size, frame_flags, num_strips;
-int   y0 = 0;
+int   num_strips;
 int   encoded_buf_size;
 
-frame_flags = s->data[0];
 num_strips  = AV_RB16 (>data[8]);
 encoded_buf_size = AV_RB24(>data[1]);
 
@@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s)
 s->sega_film_skip_bytes = 0;
 }
 
+if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12)
+return AVERROR_INVALIDDATA;
+
+return 0;
+}
+
+static int cinepak_decode (CinepakContext *s)
+{
+const uint8_t  *eod = (s->data + s->size);
+int   i, result, strip_size, frame_flags, num_strips;
+int   y0 = 0;
+
+frame_flags = s->data[0];
+num_strips  = AV_RB16 (>data[8]);
+
 s->data += 10 + s->sega_film_skip_bytes;
 
 num_strips = FFMIN(num_strips, MAX_STRIPS);
@@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx,
 if (s->size < 10)
 return AVERROR_INVALIDDATA;
 
+if ((ret = cinepak_predecode_check(s)) < 0) {
+av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n");
+return ret;
+}
+
 if ((ret = ff_reget_buffer(avctx, s->frame)) < 0)
 return ret;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon May 14 00:10:33 2018 +0200| [a89f074d895324af8b7da911a1727197684b40cb] | 
committer: Michael Niedermayer

avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0

Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 
'int');
Fixes: 
6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a89f074d895324af8b7da911a1727197684b40cb
---

 libavcodec/dirac_dwt.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h
index 0744c5797c..d0495cd5e7 100644
--- a/libavcodec/dirac_dwt.h
+++ b/libavcodec/dirac_dwt.h
@@ -90,10 +90,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y);
 (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1))
 
 #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\
-(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4)))
+(int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 +  8) >> 4)))
 
 #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\
-(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5)))
+(int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5)))
 
 #define COMPOSE_HAARiL0(b0, b1)\
 ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1)))

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/error_resilience: Fix integer overflow in filter181()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Apr 22 21:46:05 2018 +0200| [9a7a3b22625e361097579fc4183e1c1167c7ac5c] | 
committer: Michael Niedermayer

avcodec/error_resilience: Fix integer overflow in filter181()

Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be 
represented in type 'int'
Fixes: 
7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a7a3b22625e361097579fc4183e1c1167c7ac5c
---

 libavcodec/error_resilience.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 5a75faddf5..6bea0bf6ea 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, 
int stride)
 dc = -prev_dc +
  data[x + y * stride] * 8 -
  data[x + 1 + y * stride];
-dc = (dc * 10923 + 32768) >> 16;
+dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 
32768) >> 16;
 prev_dc = data[x + y * stride];
 data[x + y * stride] = dc;
 }
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, 
int stride)
 dc = -prev_dc +
  data[x +  y  * stride] * 8 -
  data[x + (y + 1) * stride];
-dc = (dc * 10923 + 32768) >> 16;
+dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 
32768) >> 16;
 prev_dc = data[x + y * stride];
 data[x + y * stride] = dc;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/g2meet: Change order of operations to avoid undefined behavior

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri May  4 18:16:08 2018 +0200| [02f4e846d2883871a2bb19175875f58e1d700cc2] | 
committer: Michael Niedermayer

avcodec/g2meet: Change order of operations to avoid undefined behavior

Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 
'int'
Fixes: 
7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02f4e846d2883871a2bb19175875f58e1d700cc2
---

 libavcodec/g2meet.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index f22daa72ee..14dd05babc 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -1355,14 +1355,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t 
*dst, int stride)
 } else {
 dst+=  x * 3;
 }
-if (y < 0) {
+
+if (y < 0)
 h  +=  y;
+if (w < 0 || h < 0)
+return;
+if (y < 0) {
 cursor += -y * c->cursor_stride;
 } else {
 dst+=  y * stride;
 }
-if (w < 0 || h < 0)
-return;
 
 for (j = 0; j < h; j++) {
 for (i = 0; i < w; i++) {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Apr 27 21:44:07 2018 +0200| [f20c62538b03bd211360c8501c4e13c227266e33] | 
committer: Michael Niedermayer

avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()

Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be 
represented in type 'int'
Fixes: 
6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20c62538b03bd211360c8501c4e13c227266e33
---

 libavcodec/wavpack.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h
index c71006112a..7fd366a73b 100644
--- a/libavcodec/wavpack.h
+++ b/libavcodec/wavpack.h
@@ -99,8 +99,8 @@ typedef struct WvChannel {
 
 // macros for manipulating median values
 #define GET_MED(n) ((c->median[n] >> 4) + 1)
-#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 
>> (n))) * 2
-#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n))) / (128 
>> (n))) * 5
+#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / 
(128 >> (n))) * 2U
+#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n))) / 
(128 >> (n))) * 5U
 
 // macros for applying weight
 #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/h263dec: Check slice_ret in mspeg4 slice loop

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Apr 22 21:07:45 2018 +0200| [1f057b23c70c249a7432dd493f7fd3c9104aae9f] | 
committer: Michael Niedermayer

avcodec/h263dec: Check slice_ret in mspeg4 slice loop

Fixes infinite loop
Fixes: 
6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000
Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f057b23c70c249a7432dd493f7fd3c9104aae9f
---

 libavcodec/h263dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index c85ea9d6cd..0b91e5d266 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -637,7 +637,7 @@ retry:
 slice_ret = decode_slice(s);
 while (s->mb_y < s->mb_height) {
 if (s->msmpeg4_version) {
-if (s->slice_height == 0 || s->mb_x != 0 ||
+if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 ||
 (s->mb_y % s->slice_height) != 0 || get_bits_left(>gb) < 0)
 break;
 } else {

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/elsdec: Fix memleaks

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Apr 25 01:54:17 2018 +0200| [6f68d2ca0b04731eed95aa4993fdee1f68359702] | 
committer: Michael Niedermayer

avcodec/elsdec: Fix memleaks

Fixes: 
6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f68d2ca0b04731eed95aa4993fdee1f68359702
---

 libavcodec/elsdec.c | 8 +++-
 libavcodec/g2meet.c | 1 +
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c
index 4797965457..cb0e9c6534 100644
--- a/libavcodec/elsdec.c
+++ b/libavcodec/elsdec.c
@@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, 
size_t data_size)
 
 void ff_els_decoder_uninit(ElsUnsignedRung *rung)
 {
-av_free(rung->rem_rung_list);
+av_freep(>rem_rung_list);
 }
 
 static int els_import_byte(ElsDecCtx *ctx)
@@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, 
ElsUnsignedRung *ur)
 if (ur->rung_list_size <= (ur->avail_index + 2) * 
sizeof(ElsRungNode)) {
 // remember rung_node position
 ptrdiff_t pos = rung_node - ur->rem_rung_list;
-ur->rem_rung_list = av_realloc(ur->rem_rung_list,
+ctx->err = av_reallocp(>rem_rung_list,
ur->rung_list_size +
RUNG_SPACE);
-if (!ur->rem_rung_list) {
-av_free(ur->rem_rung_list);
-ctx->err = AVERROR(ENOMEM);
+if (ctx->err < 0) {
 return 0;
 }
 memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 
0,
diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c
index 7d052224c9..f22daa72ee 100644
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -926,6 +926,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, 
int tile_y,
 if (c->ec.els_ctx.err != 0) {
 av_log(avctx, AV_LOG_ERROR,
"ePIC: couldn't decode transparency pixel!\n");
+ff_els_decoder_uninit(>ec.unsigned_rung);
 return AVERROR_INVALIDDATA;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] lavc/libopusdec: Allow avcodec_open2 to call .close

[Matt Wolenetz]

ffmpeg | branch: release/2.8 | Matt Wolenetz  | Tue Apr 10 
13:59:25 2018 -0700| [54bde32f37fd69c556c1c65047f9d27c2a6da229] | committer: 
Michael Niedermayer

lavc/libopusdec: Allow avcodec_open2 to call .close

If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.

BUG=828526

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54bde32f37fd69c556c1c65047f9d27c2a6da229
---

 libavcodec/libopusdec.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c
index 7a198c46a0..4b8167d394 100644
--- a/libavcodec/libopusdec.c
+++ b/libavcodec/libopusdec.c
@@ -125,7 +125,10 @@ static av_cold int libopus_decode_close(AVCodecContext 
*avc)
 {
 struct libopus_context *opus = avc->priv_data;
 
-opus_multistream_decoder_destroy(opus->dec);
+if (opus->dec) {
+opus_multistream_decoder_destroy(opus->dec);
+opus->dec = NULL;
+}
 return 0;
 }
 
@@ -199,6 +202,7 @@ AVCodec ff_libopus_decoder = {
 .decode = libopus_decode,
 .flush  = libopus_flush,
 .capabilities   = AV_CODEC_CAP_DR1,
+.caps_internal  = FF_CODEC_CAP_INIT_CLEANUP,
 .sample_fmts= (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT,
  AV_SAMPLE_FMT_S16,
  AV_SAMPLE_FMT_NONE },

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cscd: Error out when LZ* decompression fails

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Mar 12 00:05:04 2018 +0100| [704bebc91fa573dd770e49b805e1a9d7f68fea6f] | 
committer: Michael Niedermayer

avcodec/cscd: Error out when LZ* decompression fails

Fixes: Timeout
Fixes: 
6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=704bebc91fa573dd770e49b805e1a9d7f68fea6f
---

 libavcodec/cscd.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index 278093fdb3..8cb193de56 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 switch ((buf[0] >> 1) & 7) {
 case 0: { // lzo compression
 int outlen = c->decomp_size, inlen = buf_size - 2;
-if (av_lzo1x_decode(c->decomp_buf, , [2], ))
+if (av_lzo1x_decode(c->decomp_buf, , [2], )) {
 av_log(avctx, AV_LOG_ERROR, "error during lzo 
decompression\n");
+return AVERROR_INVALIDDATA;
+}
 break;
 }
 case 1: { // zlib compression
 #if CONFIG_ZLIB
 unsigned long dlen = c->decomp_size;
-if (uncompress(c->decomp_buf, , [2], buf_size - 2) != 
Z_OK)
+if (uncompress(c->decomp_buf, , [2], buf_size - 2) != 
Z_OK) {
 av_log(avctx, AV_LOG_ERROR, "error during zlib 
decompression\n");
+return AVERROR_INVALIDDATA;
+}
 break;
 #else
 av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n");

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] doc/APIchanges: Fix typos in hashes

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Apr 16 18:23:12 2018 +0200| [f337adcd28de23aa551e8c0ffc3cde73fdd4c80f] | 
committer: Michael Niedermayer

doc/APIchanges: Fix typos in hashes

Thanks-to: Moritz Barsnick  for finding the correct ones

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f337adcd28de23aa551e8c0ffc3cde73fdd4c80f
---

 doc/APIchanges | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/APIchanges b/doc/APIchanges
index 459fa5bc54..2dba53320f 100644
--- a/doc/APIchanges
+++ b/doc/APIchanges
@@ -232,7 +232,7 @@ API changes, most recent first:
   Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support
   dictionary types being set as options.
 
-2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h
+2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h
   Add AVFormatContext.event_flags and AVStream.event_flags for signaling to
   the user when events happen in the file/stream.
 
@@ -249,7 +249,7 @@ API changes, most recent first:
 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h
   Add avio_feof() and deprecate url_feof().
 
-2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h
+2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h
   sws_getContext is not going to be removed in the future.
 
 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Apr 10 16:12:15 2018 +0200| [23dcc9ff7c37e8da1808802be66de89d70b06599] | 
committer: Michael Niedermayer

avcodec/mjpegdec: Check input buffer size.

Fixes: Timeout
Fixes: 
6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23dcc9ff7c37e8da1808802be66de89d70b06599
---

 libavcodec/mjpegdec.c | 4 
 libavcodec/mjpegdec.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index befbb0a25a..2e101225b6 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -306,6 +306,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height);
 if (av_image_check_size(width, height, 0, s->avctx))
 return AVERROR_INVALIDDATA;
+if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 
4LL)
+return AVERROR_INVALIDDATA;
 
 nb_components = get_bits(>gb, 8);
 if (nb_components <= 0 ||
@@ -2044,6 +2046,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void 
*data, int *got_frame,
 int ret = 0;
 int is16bit;
 
+s->buf_size = buf_size;
+
 av_dict_free(>exif_metadata);
 av_freep(>stereo3d);
 s->adobe_transform = -1;
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index fb811294a1..6781c7c03a 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext {
 AVClass *class;
 AVCodecContext *avctx;
 GetBitContext gb;
+int buf_size;
 
 int start_code; /* current start code */
 int buffer_size;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/utils: Check cur_dts in update_initial_timestamps() more

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Apr 13 11:38:48 2018 +0200| [25ecdac8beca8978ff09da97dbd5e1bda9675253] | 
committer: Michael Niedermayer

avformat/utils: Check cur_dts in update_initial_timestamps() more

Fixes: runtime error: signed integer overflow: 18133149658382192 - 
-9223090561878065151 cannot be represented in type 'long long'
Fixes: crbug 831552

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25ecdac8beca8978ff09da97dbd5e1bda9675253
---

 libavformat/utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index a658eb22c0..33a4aade64 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -894,6 +894,7 @@ static void update_initial_timestamps(AVFormatContext *s, 
int stream_index,
 if (st->first_dts != AV_NOPTS_VALUE ||
 dts   == AV_NOPTS_VALUE ||
 st->cur_dts   == AV_NOPTS_VALUE ||
+st->cur_dts < INT_MIN + RELATIVE_TS_BASE ||
 is_relative(dts))
 return;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/movtextdec: Check style_start/end

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Apr  8 03:29:44 2018 +0200| [07cd51f10e96a4b9208d3aa99caea1068f89041b] | 
committer: Michael Niedermayer

avcodec/movtextdec: Check style_start/end

Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 
6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Philip Langdale 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=07cd51f10e96a4b9208d3aa99caea1068f89041b
---

 libavcodec/movtextdec.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 2f3ef7d02e..7d3dfae469 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -298,6 +298,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext 
*m, AVPacket *avpkt)
 m->s_temp->style_start = AV_RB16(tsmb);
 tsmb += 2;
 m->s_temp->style_end = AV_RB16(tsmb);
+
+if (   m->s_temp->style_end < m->s_temp->style_start
+|| (m->count_s && m->s_temp->style_start < m->s[m->count_s - 
1]->style_end)) {
+av_freep(>s_temp);
+mov_text_cleanup(m);
+return AVERROR(ENOMEM);
+}
+
 tsmb += 2;
 m->s_temp->style_fontID = AV_RB16(tsmb);
 tsmb += 2;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Apr  7 21:55:06 2018 +0200| [01f124da7f797eb62c71ce5e655f81a4867bcbfe] | 
committer: Michael Niedermayer

avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()

Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be 
represented in type 'int'

This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01f124da7f797eb62c71ce5e655f81a4867bcbfe
---

 libavcodec/aacsbr_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c
index 44c899a7f1..2addbafb5f 100644
--- a/libavcodec/aacsbr_fixed.c
+++ b/libavcodec/aacsbr_fixed.c
@@ -574,7 +574,7 @@ static void sbr_hf_assemble(int Y1[38][64][2],
 int idx = indexsine&1;
 int A = (1-((indexsine+(kx & 1))&2));
 int B = (A^(-idx)) + idx;
-int *out = [i][kx][idx];
+unsigned *out = [i][kx][idx];
 int shift;
 unsigned round;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Mar 31 21:19:19 2018 +0200| [d3d5382dadcd1b6dbc09da02d9958f027e38] | 
committer: Michael Niedermayer

avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()

I was not able to reproduce this, this fix is based on just the fuzzer log.
Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3d5382dadcd1b6dbc09da02d9958f027e38
---

 libavcodec/aacdec_fixed.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index 539f9eefbc..a37ed2aaa1 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -416,7 +416,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
 int i, c, shift, round, tmp;
 const int gain = cce->coup.gain[index][0];
 const int *src = cce->ch[0].ret;
-int *dest = target->ret;
+unsigned int *dest = target->ret;
 const int len = 1024 << (ac->oc[1].m4ac.sbr == 1);
 
 c = cce_scale_fixed[gain & 7];

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.

[Hendrik Schreiber]

ffmpeg | branch: release/2.8 | Hendrik Schreiber  | Thu Apr  
5 13:58:37 2018 +0200| [fe4e35e202d36e51e0a638827e810a2d5a9ec812] | committer: 
Michael Niedermayer

swresample/swresample: Fix for seg fault in swr_convert_internal() -> 
sum2_float during dithering.

Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for 
it. After removal, problem was gone.

Signed-off-by: Hendrik Schreiber 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe4e35e202d36e51e0a638827e810a2d5a9ec812
---

 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 8e238998e9..47d4f0dd0b 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -667,7 +667,7 @@ static int swr_convert_internal(struct SwrContext *s, 
AudioData *out, int out_co
 s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], 
s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, 
s->native_simd_one, 0, 0, len1);
 if(out_count != len1)
 for(ch=0; chch_count; ch++)
-s->mix_2_1_f(conv_src->ch[ch] + off, 
preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * 
s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1);
+s->mix_2_1_f(conv_src->ch[ch] + off, 
preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * 
s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1);
 } else {
 for(ch=0; chch_count; ch++)
 s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], 
s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, 
s->native_one, 0, 0, out_count);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/bintext: sanity check dimensions

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Feb 26 21:17:08 2018 +0100| [6d3f8992acc9de0af0bfae5a8844c87747d92ad0] | 
committer: Michael Niedermayer

avcodec/bintext: sanity check dimensions

Fixes: Timeout
Fixes: 
6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d3f8992acc9de0af0bfae5a8844c87747d92ad0
---

 libavcodec/bintext.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c
index 90bbe67b59..d967317671 100644
--- a/libavcodec/bintext.c
+++ b/libavcodec/bintext.c
@@ -35,6 +35,8 @@
 #include "bintext.h"
 #include "internal.h"
 
+#define FONT_WIDTH 8
+
 typedef struct XbinContext {
 AVFrame *frame;
 int palette[16];
@@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
 break;
 }
 }
+if (avctx->width < FONT_WIDTH || avctx->height < s->font_height)
+return AVERROR_INVALIDDATA;
+
 
 s->frame = av_frame_alloc();
 if (!s->frame)
@@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx)
 }
 }
 
-#define FONT_WIDTH 8
-
 /**
  * Draw character to screen
  */

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in mv computation

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Feb 18 21:51:38 2018 +0100| [84bf347ff054a928e69debb3d84b7c4f9d1a832e] | 
committer: Michael Niedermayer

avcodec/diracdec: Fix integer overflow in mv computation

Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in 
type 'int'
Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=84bf347ff054a928e69debb3d84b7c4f9d1a832e
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index fb54312c49..9801eb2c85 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1224,8 +1224,8 @@ static void decode_block_params(DiracContext *s, 
DiracArith arith[8], DiracBlock
 global_mv(s, block, x, y, i);
 } else {
 pred_mv(block, stride, x, y, i);
-block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, 
CTX_MV_F1, CTX_MV_DATA);
-block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, 
CTX_MV_F1, CTX_MV_DATA);
+block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 
2 * i, CTX_MV_F1, CTX_MV_DATA);
+block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 
2 * i, CTX_MV_F1, CTX_MV_DATA);
 }
 }
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Mar 29 01:07:24 2018 +0200| [e1aec9bb8d80e4e88225a527da5c8c3b32301f4f] | 
committer: Michael Niedermayer

avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables

Found-by: James Almer 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1aec9bb8d80e4e88225a527da5c8c3b32301f4f
---

 libavcodec/tableprint_vlc.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h
index 675251a836..3004be3f9c 100644
--- a/libavcodec/tableprint_vlc.h
+++ b/libavcodec/tableprint_vlc.h
@@ -35,6 +35,7 @@
 #define av_freep(p) while(0)
 #define AVCODEC_AVCODEC_H
 #define AVCODEC_INTERNAL_H
+#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this
 #include "tableprint.h"
 #include "get_bits.h"
 #include "mathtables.c"

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/wmalosslessdec: Reset num_saved_bits on error path

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Mar 11 00:13:57 2018 +0100| [1c0914e4f34edb02a242d58d3929fdd07a59f211] | 
committer: Michael Niedermayer

avcodec/wmalosslessdec: Reset num_saved_bits on error path

Fixes: NULL pointer dereference
Fixes: poc-201803.wav
Found-by: GwanYeong Kim 
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c0914e4f34edb02a242d58d3929fdd07a59f211
---

 libavcodec/wmalosslessdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 601ea3c93a..7e2d5da4bf 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1129,6 +1129,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* 
gb, int len,
 if (len <= 0 || buflen > MAX_FRAMESIZE) {
 avpriv_request_sample(s->avctx, "Too small input buffer");
 s->packet_loss = 1;
+s->num_saved_bits = 0;
 return;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Mar  8 17:28:36 2018 +0100| [7d915afd23aabe58c0d8fe260960263d7665703a] | 
committer: Michael Niedermayer

avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE

Fixes: Chromium bug 795653
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented 
in type 'long'
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7d915afd23aabe58c0d8fe260960263d7665703a
---

 libavformat/oggparsetheora.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c
index e92d4c5170..9adc19710d 100644
--- a/libavformat/oggparsetheora.c
+++ b/libavformat/oggparsetheora.c
@@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx)
 
 if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & 
OGG_FLAG_EOS)) {
 int seg;
+int64_t pts;
 
 duration = 1;
 for (seg = os->segp; seg < os->nsegs; seg++) {
@@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx)
 duration ++;
 }
 
-os->lastpts = os->lastdts   = theora_gptopts(s, idx, os->granule, 
NULL) - duration;
+pts = theora_gptopts(s, idx, os->granule, NULL);
+if (pts != AV_NOPTS_VALUE)
+pts -= duration;
+os->lastpts = os->lastdts = pts;
 if(s->streams[idx]->start_time == AV_NOPTS_VALUE) {
 s->streams[idx]->start_time = os->lastpts;
 if (s->streams[idx]->duration)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Fix integer overflows related to sample_duration

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Mar  9 16:43:29 2018 +0100| [5770793dec3af51a513174c87aad95b44a7e00e0] | 
committer: Michael Niedermayer

avformat/mov: Fix integer overflows related to sample_duration

Fixes: runtime error: signed integer overflow: -9166684017437101870 + 
-2495066639299164439 cannot be represented in type

Fixes: Chromium bug 791349

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5770793dec3af51a513174c87aad95b44a7e00e0
---

 libavformat/mov.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4ed4af3923..39ad697f53 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2454,14 +2454,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 && total_sample_count > 100
 && sample_duration/10 > duration / total_sample_count)
 sample_duration = duration / total_sample_count;
-duration+=(int64_t)sample_duration*sample_count;
+duration+=(int64_t)sample_duration*(uint64_t)sample_count;
 total_sample_count+=sample_count;
 }
 
 sc->stts_count = i;
 
-sc->duration_for_fps  += duration;
-sc->nb_frames_for_fps += total_sample_count;
+if (duration > 0 &&
+duration <= INT64_MAX - sc->duration_for_fps &&
+total_sample_count <= INT64_MAX - sc->nb_frames_for_fps
+) {
+sc->duration_for_fps  += duration;
+sc->nb_frames_for_fps += total_sample_count;
+}
 
 if (pb->eof_reached)
 return AVERROR_EOF;
@@ -3562,8 +3567,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 dts += sample_duration;
 offset += sample_size;
 sc->data_size += sample_size;
-sc->duration_for_fps += sample_duration;
-sc->nb_frames_for_fps ++;
+
+if (sample_duration <= INT64_MAX - sc->duration_for_fps &&
+1 <= INT64_MAX - sc->nb_frames_for_fps
+) {
+sc->duration_for_fps += sample_duration;
+sc->nb_frames_for_fps ++;
+}
 }
 
 if (pb->eof_reached)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()

[heimdallr]

ffmpeg | branch: release/2.8 | heimdallr  | Sat Mar 31 
19:37:23 2018 +0700| [eb8654610927dc3dcacf777b0a8bd52ce6c02431] | committer: 
Michael Niedermayer

avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()

example:

AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA };
int loss = 0;
AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, 
AV_PIX_FMT_BGRA, 1, );

best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better.

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb8654610927dc3dcacf777b0a8bd52ce6c02431
---

 libavcodec/imgconvert.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c
index 39cf58a2d2..0abe6cdf48 100644
--- a/libavcodec/imgconvert.c
+++ b/libavcodec/imgconvert.c
@@ -81,10 +81,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const 
enum AVPixelFormat *p
 int i;
 
 enum AVPixelFormat best = AV_PIX_FMT_NONE;
+int loss;
 
-for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++)
-best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], 
src_pix_fmt, has_alpha, loss_ptr);
+for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) {
+loss = *loss_ptr;
+best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], 
src_pix_fmt, has_alpha, );
+}
 
+*loss_ptr = loss;
 return best;
 }
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/mov: Check STSC and remove invalid entries

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Mar 16 19:53:36 2018 +0100| [17f626528a2913fa5b449cdad70f3796f2deacf2] | 
committer: Michael Niedermayer

avformat/mov: Check STSC and remove invalid entries

Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=17f626528a2913fa5b449cdad70f3796f2deacf2
---

 libavformat/mov.c | 20 
 1 file changed, 20 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 39ad697f53..a6eb773021 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2228,6 +2228,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 
 sc->stsc_count = i;
+for (i = sc->stsc_count - 1; i < UINT_MAX; i--) {
+if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= 
sc->stsc_data[i+1].first) ||
+(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) ||
+sc->stsc_data[i].first < 1 ||
+sc->stsc_data[i].count < 1 ||
+sc->stsc_data[i].id < 1) {
+av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d 
count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, 
sc->stsc_data[i].id);
+if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2)
+return AVERROR_INVALIDDATA;
+// We replace this entry by the next valid
+sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1;
+sc->stsc_data[i].count = sc->stsc_data[i+1].count;
+sc->stsc_data[i].id= sc->stsc_data[i+1].id;
+}
+}
 
 if (pb->eof_reached)
 return AVERROR_EOF;
@@ -3011,6 +3026,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
st->index);
 return 0;
 }
+if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > 
sc->chunk_count) {
+av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and 
STCO\n",
+   st->index);
+return AVERROR_INVALIDDATA;
+}
 
 fix_timescale(c, sc);
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/cavsdec: Check alpha/beta offset

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Feb 20 23:11:01 2018 +0100| [d81e0f925a94a3d4f2a1c85447dc1d938e1e4fe5] | 
committer: Michael Niedermayer

avcodec/cavsdec: Check alpha/beta offset

Fixes: Integer overflow
Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d81e0f925a94a3d4f2a1c85447dc1d938e1e4fe5
---

 libavcodec/cavsdec.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 3aec0dd5e5..289ed1b242 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1068,6 +1068,11 @@ static int decode_pic(AVSContext *h)
 if (!h->loop_filter_disable && get_bits1(>gb)) {
 h->alpha_offset= get_se_golomb(>gb);
 h->beta_offset = get_se_golomb(>gb);
+if (   h->alpha_offset < -64 || h->alpha_offset > 64
+|| h-> beta_offset < -64 || h-> beta_offset > 64) {
+h->alpha_offset = h->beta_offset  = 0;
+return AVERROR_INVALIDDATA;
+}
 } else {
 h->alpha_offset = h->beta_offset  = 0;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/oggparseogm: Fix undefined shift in ogm_packet()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Mar  8 23:14:04 2018 +0100| [31783dc5fe00335f82df16ba37f83a9b9751c004] | 
committer: Michael Niedermayer

avformat/oggparseogm: Fix undefined shift in ogm_packet()

Fixes: shift exponent 48 is too large for 32-bit type 'int'
Fixes: Chromium bug 786793
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31783dc5fe00335f82df16ba37f83a9b9751c004
---

 libavformat/oggparseogm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index ae8c3c850c..f03dedaf2c 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -174,7 +174,7 @@ ogm_packet(AVFormatContext *s, int idx)
 os->psize -= lb + 1;
 
 while (lb--)
-os->pduration += p[lb+1] << (lb*8);
+os->pduration += (uint64_t)p[lb+1] << (lb*8);
 
 return 0;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/utils: Fix integer overflow of fps_first/last_dts

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Wed Mar  7 00:10:11 2018 +0100| [4bcfe9f19c8edf469158e0da6ef8d6e3ba6eec28] | 
committer: Michael Niedermayer

avformat/utils: Fix integer overflow of fps_first/last_dts

Fixes: runtime error: signed integer overflow: 7738135736989908991 - 
-7898362169240453118 cannot be represented in type 'long'
Fixes: Chromium bug 796778
Reported-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4bcfe9f19c8edf469158e0da6ef8d6e3ba6eec28
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2f68cf35f0..a658eb22c0 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3326,7 +3326,7 @@ int avformat_find_stream_info(AVFormatContext *ic, 
AVDictionary **options)
 if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
 st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
 (pkt->dts - st->info->fps_last_dts) / 1000 >
-(st->info->fps_last_dts - st->info->fps_first_dts) /
+(st->info->fps_last_dts - 
(uint64_t)st->info->fps_first_dts) /
 (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
 av_log(ic, AV_LOG_WARNING,
"DTS discontinuity in stream %d: packet %d with DTS "

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/oggparseogm: Check lb against psize

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Mar  9 01:05:20 2018 +0100| [6b51dc9223460b40b14c2c61187b135fb690ebb7] | 
committer: Michael Niedermayer

avformat/oggparseogm: Check lb against psize

No testcase, this was found during code review

Found-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6b51dc9223460b40b14c2c61187b135fb690ebb7
---

 libavformat/oggparseogm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index f03dedaf2c..573fb99dd0 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -170,6 +170,9 @@ ogm_packet(AVFormatContext *s, int idx)
 os->pflags |= AV_PKT_FLAG_KEY;
 
 lb = ((*p & 2) << 1) | ((*p >> 6) & 3);
+if (os->psize < lb + 1)
+return AVERROR_INVALIDDATA;
+
 os->pstart += lb + 1;
 os->psize -= lb + 1;
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/diracdec: Use int64 in global mv to prevent overflow

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Feb 17 23:54:44 2018 +0100| [299b981382725c1befb56c8f324ce067783220d6] | 
committer: Michael Niedermayer

avcodec/diracdec: Use int64 in global mv to prevent overflow

Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be 
represented in type 'int'
Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=299b981382725c1befb56c8f324ce067783220d6
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 7c7a31e830..fb54312c49 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1186,8 +1186,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avformat/avidec: Fix integer overflow in cum_len check

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Thu Mar  8 22:40:50 2018 +0100| [3b5645a72928e3eab7594205bab2d8aed8c114e8] | 
committer: Michael Niedermayer

avformat/avidec: Fix integer overflow in cum_len check

Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented 
in type 'long'
Fixes: Chromium bug 791237

Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b5645a72928e3eab7594205bab2d8aed8c114e8
---

 libavformat/avidec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 223ddd0530..81a43632bb 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -665,7 +665,7 @@ static int avi_read_header(AVFormatContext *s)
 st->start_time = 0;
 avio_rl32(pb); /* buffer size */
 avio_rl32(pb); /* quality */
-if (ast->cum_len*ast->scale/ast->rate > 3600) {
+if (ast->cum_len > 3600LL * ast->rate / ast->scale) {
 av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving 
up\n");
 ast->cum_len = 0;
 }

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] libavformat/oggparsevorbis: Fix memleak on multiple headers

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Mar  6 18:14:12 2018 +0100| [5279e865961f6eb7bf05c46c6c59835000f5bd50] | 
committer: Michael Niedermayer

libavformat/oggparsevorbis: Fix memleak on multiple headers

Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz 
Reviewed-by: Matt Wolenetz 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5279e865961f6eb7bf05c46c6c59835000f5bd50
---

 libavformat/oggparsevorbis.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index 59e7b75522..5ca3b9eeeb 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -228,6 +228,10 @@ static int fixup_vorbis_headers(AVFormatContext *as,
 
 len = priv->len[0] + priv->len[1] + priv->len[2];
 buf_len = len + len / 255 + 64;
+
+if (*buf)
+return AVERROR_INVALIDDATA;
+
 ptr = *buf = av_realloc(NULL, buf_len);
 if (!ptr)
 return AVERROR(ENOMEM);

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/smc: Check input packet size

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Fri Feb 23 03:40:02 2018 +0100| [11d0464565d1cac24c57ad7c6822fc9db046a057] | 
committer: Michael Niedermayer

avcodec/smc: Check input packet size

Fixes: Timeout
Fixes: 
6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11d0464565d1cac24c57ad7c6822fc9db046a057
---

 libavcodec/smc.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smc.c b/libavcodec/smc.c
index 18174fa57e..66de691e2c 100644
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -437,6 +437,10 @@ static int smc_decode_frame(AVCodecContext *avctx,
 SmcContext *s = avctx->priv_data;
 const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, 
NULL);
 int ret;
+int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 
4);
+
+if (total_blocks / 1024 > avpkt->size)
+return AVERROR_INVALIDDATA;
 
 bytestream2_init(>gb, buf, buf_size);
 

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/utvideodec: Check subsample factors

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Mon Feb 26 03:02:48 2018 +0100| [e724bd1dd9efea3abb8586d6644ec07694afceae] | 
committer: Michael Niedermayer

avcodec/utvideodec: Check subsample factors

Fixes: Out of array read
Fixes: heap_poc

Found-by: GwanYeong Kim 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e724bd1dd9efea3abb8586d6644ec07694afceae
---

 libavcodec/utvideodec.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 760d9e5a7f..160528e007 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -28,6 +28,7 @@
 #include 
 
 #include "libavutil/intreadwrite.h"
+#include "libavutil/pixdesc.h"
 #include "avcodec.h"
 #include "bswapdsp.h"
 #include "bytestream.h"
@@ -474,6 +475,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 static av_cold int decode_init(AVCodecContext *avctx)
 {
 UtvideoContext * const c = avctx->priv_data;
+int h_shift, v_shift;
 
 c->avctx = avctx;
 
@@ -538,6 +540,13 @@ static av_cold int decode_init(AVCodecContext *avctx)
 return AVERROR_INVALIDDATA;
 }
 
+av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, _shift, _shift);
+if ((avctx->width  & ((1

[FFmpeg-cvslog] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Feb 27 15:17:12 2018 +0100| [ff587292238c4f35036c5208492f34a546bcc6c7] | 
committer: Michael Niedermayer

avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg

Fixes: Timeout
Fixes: 
6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff587292238c4f35036c5208492f34a546bcc6c7
---

 libavcodec/nuv.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index f3270cb19d..1dfa399630 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -158,6 +158,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 int orig_size  = buf_size;
 int keyframe, ret;
 int size_change = 0;
+int minsize = 0;
 int result, init_frame = !avctx->frame_number;
 enum {
 NUV_UNCOMPRESSED  = '0',
@@ -203,6 +204,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 keyframe = 1;
 break;
 }
+switch (comptype) {
+case NUV_UNCOMPRESSED:
+minsize = c->width * c->height * 3 / 2;
+break;
+case NUV_RTJPEG:
+minsize = c->width/16 * (c->height/16) * 6;
+break;
+}
+if (buf_size < minsize / 4)
+return AVERROR_INVALIDDATA;
 retry:
 // skip rest of the frameheader.
 buf   = [12];

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Mar 25 01:51:28 2018 +0100| [367d459f78c1cecce1d1a8e5bbe6a8b908de3e2f] | 
committer: Michael Niedermayer

avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()

Fixes: 2018_03_23_poc.wav
Found-by: GwanYeong Kim 

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=367d459f78c1cecce1d1a8e5bbe6a8b908de3e2f
---

 libavcodec/wmalosslessdec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 7e2d5da4bf..5d82f0e74c 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1238,7 +1238,9 @@ static int decode_packet(AVCodecContext *avctx, void 
*data, int *got_frame_ptr,
 (frame_size = show_bits(gb, s->log2_frame_size)) &&
 frame_size <= remaining_bits(s, gb)) {
 save_bits(s, gb, frame_size, 0);
-s->packet_done = !decode_frame(s);
+
+if (!s->packet_loss)
+s->packet_done = !decode_frame(s);
 } else if (!s->len_prefix
&& s->num_saved_bits > get_bits_count(>gb)) {
 /* when the frames do not have a length prefix, we don't know the

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/get_bits: Make sure the input bitstream with padding can be addressed

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sat Mar 24 01:38:53 2018 +0100| [20e6a8dee8f82e38fc9c51ae7960fc01cf2fbea8] | 
committer: Michael Niedermayer

avcodec/get_bits: Make sure the input bitstream with padding can be addressed

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20e6a8dee8f82e38fc9c51ae7960fc01cf2fbea8
---

 libavcodec/get_bits.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index 72f8b5f29d..5a71795910 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -32,6 +32,7 @@
 #include "libavutil/intreadwrite.h"
 #include "libavutil/log.h"
 #include "libavutil/avassert.h"
+#include "avcodec.h"
 #include "mathops.h"
 
 /*
@@ -417,7 +418,7 @@ static inline int init_get_bits(GetBitContext *s, const 
uint8_t *buffer,
 int buffer_size;
 int ret = 0;
 
-if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
+if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || 
bit_size < 0 || !buffer) {
 bit_size= 0;
 buffer  = NULL;
 ret = AVERROR_INVALIDDATA;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Tue Feb 27 15:17:12 2018 +0100| [b4e66382c207a3fd1e5e1aee0882b367c65e18c8] | 
committer: Michael Niedermayer

avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded 
pixels thus reject it

Fixes: Timeout
Fixes: 
6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b4e66382c207a3fd1e5e1aee0882b367c65e18c8
---

 libavcodec/nuv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 1dfa399630..5294167034 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -196,6 +196,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, 
int *got_frame,
 case NUV_RTJPEG_IN_LZO:
 case NUV_RTJPEG:
 keyframe = !buf[2];
+if (c->width < 16 || c->height < 16) {
+return AVERROR_INVALIDDATA;
+}
 break;
 case NUV_COPY_LAST:
 keyframe = 0;

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()

[Michael Niedermayer]

ffmpeg | branch: release/2.8 | Michael Niedermayer  | 
Sun Feb 18 00:11:33 2018 +0100| [36a1e9be5a1d16a6b006eccaa043ac7fd2ebce32] | 
committer: Michael Niedermayer

avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()

Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36a1e9be5a1d16a6b006eccaa043ac7fd2ebce32
---

 libavcodec/jpeg2000dwt.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index 38a578af3d..5a72335d91 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t)
 t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT;
 }
 
-static void sr_1d53(int *p, int i0, int i1)
+static void sr_1d53(unsigned *p, int i0, int i1)
 {
 int i;
 
 if (i1 <= i0 + 1) {
 if (i0 == 1)
-p[1] >>= 1;
+p[1] = (int)p[1] >> 1;
 return;
 }
 
 extend53(p, i0, i1);
 
 for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++)
-p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
+p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
 for (i = (i0 >> 1); i < (i1 >> 1); i++)
-p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1;
+p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1;
 }
 
 static void dwt_decode53(DWTContext *s, int *t)

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog