[FFmpeg-cvslog] libwebpenc_animencoder: add missing braces to struct initialization
ffmpeg | branch: release/2.8 | James Almer | Thu Mar 17 21:46:06 2016 -0300| [81997136995e795ee6c9e7643d03247f5dd5fdf9] | committer: Michael Niedermayer libwebpenc_animencoder: add missing braces to struct initialization The first member of the WebPAnimEncoderOptions struct is non scalar Signed-off-by: James Almer (cherry picked from commit 488e6409df2487a2aedbd5adb5ac3f7e74216588) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=81997136995e795ee6c9e7643d03247f5dd5fdf9
--- libavcodec/libwebpenc_animencoder.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/libwebpenc_animencoder.c b/libavcodec/libwebpenc_animencoder.c
index 61ecae8a8a..91bf64ca8b 100644
--- a/libavcodec/libwebpenc_animencoder.c
+++ b/libavcodec/libwebpenc_animencoder.c
@@ -41,7 +41,7 @@ static av_cold int libwebp_anim_encode_init(AVCodecContext *avctx)
int ret = ff_libwebp_encode_init_common(avctx);
if (!ret) {
LibWebPAnimContext *s = avctx->priv_data;
-WebPAnimEncoderOptions enc_options = { 0 };
+WebPAnimEncoderOptions enc_options = { { 0 } };
WebPAnimEncoderOptionsInit(_options);
enc_options.verbose = av_log_get_level() >= AV_LOG_VERBOSE;
// TODO(urvang): Expose some options on command-line perhaps.
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
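Review bot: The extra inner braces in `{ { 0 } }` only silence -Wmissing-braces; `{ 0 }` already zero-initializes every member of an aggregate in C, so a short comment on the line, `/* inner braces: first member is a struct; only silences -Wmissing-braces */`, would stop the next reader from looking for a semantic difference. The initializer appears to be purely defensive anyway, since `WebPAnimEncoderOptionsInit()` on the next line fills the struct with the library's defaults, though that call is not visible here. The argument shown as `_options` looks like a rendering artifact of `&enc_options`, not part of the change. libwebp_anim_encode_init continues outside the hunk.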
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Jul 2 18:57:05 2018 +0200| [b6af5c8880e1b60e5008326329d2e83b3901d638] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration() Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b6af5c8880e1b60e5008326329d2e83b3901d638
--- libavcodec/jpeg2000dec.c | 8 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index f91109ca75..83b418925c 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -1219,10 +1219,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
if (reslevelno >= codsty->nreslevels)
continue;
-if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
continue;
-if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
continue;
// check if a precinct exists
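Review bot: `1LL << (rlevel->log2_prec_height + reducedresno)` is still undefined once the exponent reaches 64, so the widening is only correct under an unstated bound on log2_prec_* plus reducedresno (the fuzzer case reached 47); a comment next to the shift, `// exponent stays < 64: <bound on log2_prec_* + reducedresno>`, would make the assumption auditable instead of incidental. If the precinct-size exponents are not already clamped where codsty is parsed (outside this hunk), that is where a hard check belongs. The second hunk (@@ -1286) makes the identical change and carries the same consideration. jpeg2000_decode_packets_po_iteration begins and ends outside both hunks.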
@@ -1286,10 +1286,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2
uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r
Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno;
-if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
+if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check
continue;
-if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
+if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check
continue;
// check if a precinct exists
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/utils: fix mixed declarations and code
ffmpeg | branch: release/2.8 | James Almer | Fri Nov 24 17:46:16 2017 -0300| [7ae182e0b7dea18c2c682021dabf3542af5e04c1] | committer: Michael Niedermayer avformat/utils: fix mixed declarations and code Signed-off-by: James Almer (cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ae182e0b7dea18c2c682021dabf3542af5e04c1
--- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 33a4aade64..c228bc90dc 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -1502,10 +1502,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt)
if (next_pkt->dts != AV_NOPTS_VALUE) {
int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits;
-av_assert2(wrap_bits <= 64);
// last dts seen for this stream. if any of packets following
// current one had no dts, we will set this to AV_NOPTS_VALUE.
int64_t last_dts = next_pkt->dts;
+av_assert2(wrap_bits <= 64);
while (pktl && next_pkt->pts == AV_NOPTS_VALUE) {
if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
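Review bot: The relocated `av_assert2(wrap_bits <= 64)` bounds only the upper end, while `2ULL << (wrap_bits - 1)` in the loop below also needs `wrap_bits >= 1`; for wrap_bits == 0 the shift count is -1, which is undefined. Since av_assert2 compiles out of release builds it documents rather than enforces, so the full precondition is worth stating: `av_assert2(wrap_bits >= 1 && wrap_bits <= 64);`. Whether pts_wrap_bits can actually be 0 here depends on how streams are initialised, which is outside the hunk. av_read_frame begins and ends outside the hunk.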
[FFmpeg-cvslog] avformat/mms: Add missing chunksize check
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jul 3 20:33:04 2018 +0200| [feb31c7ade15719d292c20da60763173e2ba3991] | committer: Michael Niedermayer avformat/mms: Add missing chunksize check Fixes: out of array read Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a Found-by: Paul Ch 1st hunk by Paul Ch Tested-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=feb31c7ade15719d292c20da60763173e2ba3991
--- libavformat/mms.c | 44 ++-- 1 file changed, 26 insertions(+), 18 deletions(-)
diff --git a/libavformat/mms.c b/libavformat/mms.c
index 807aadef0f..9f675f2dd0 100644
--- a/libavformat/mms.c
+++ b/libavformat/mms.c
@@ -94,24 +94,26 @@ int ff_mms_asf_header_parser(MMSContext *mms)
}
}
} else if (!memcmp(p, ff_asf_stream_header, sizeof(ff_asf_guid))) {
-flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
-stream_id = flags & 0x7F;
-//The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
-//we can calcuate the packet size by stream_num.
-//Please see function send_stream_selection_request().
-if (mms->stream_num < MMS_MAX_STREAMS &&
-46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
-mms->streams = av_fast_realloc(mms->streams,
- >nb_streams_allocated,
- (mms->stream_num + 1) * sizeof(MMSStream));
-if (!mms->streams)
-return AVERROR(ENOMEM);
-mms->streams[mms->stream_num].id = stream_id;
-mms->stream_num++;
-} else {
-av_log(NULL, AV_LOG_ERROR,
- "Corrupt stream (too many A/V streams)\n");
-return AVERROR_INVALIDDATA;
+if (end - p >= (sizeof(ff_asf_guid) * 3 + 26)) {
+flags = AV_RL16(p + sizeof(ff_asf_guid)*3 + 24);
+stream_id = flags & 0x7F;
+//The second condition is for checking CS_PKT_STREAM_ID_REQUEST packet size,
+//we can calcuate the packet size by stream_num.
+//Please see function send_stream_selection_request().
+if (mms->stream_num < MMS_MAX_STREAMS &&
+46 + mms->stream_num * 6 < sizeof(mms->out_buffer)) {
+mms->streams = av_fast_realloc(mms->streams,
+ >nb_streams_allocated,
+ (mms->stream_num + 1) * sizeof(MMSStream));
+if (!mms->streams)
+return AVERROR(ENOMEM);
+mms->streams[mms->stream_num].id = stream_id;
+mms->stream_num++;
+} else {
+av_log(NULL, AV_LOG_ERROR,
+ "Corrupt stream (too many A/V streams)\n");
+return AVERROR_INVALIDDATA;
+}
}
} else if (!memcmp(p, ff_asf_ext_stream_header, sizeof(ff_asf_guid))) {
if (end - p >= 88) {
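Review bot: The new guard `end - p >= (sizeof(ff_asf_guid) * 3 + 26)` compares a ptrdiff_t with a size_t, so the left side is converted to unsigned and, should p ever lie past end, the comparison would succeed instead of failing; keeping the arithmetic signed, `if (end - p >= (ptrdiff_t)(sizeof(ff_asf_guid) * 3 + 26)) {`, states the intent and also silences -Wsign-compare. A stream-header object that is too short is now skipped silently, whereas the neighbouring too-many-streams case logs and fails; an else branch with a debug-level av_log would help when diagnosing truncated headers. The `>nb_streams_allocated` argument appears to be a rendering artifact of `&mms->nb_streams_allocated`. ff_mms_asf_header_parser begins and ends outside the hunk.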
@@ -143,6 +145,12 @@ int ff_mms_asf_header_parser(MMSContext *mms)
}
} else if (!memcmp(p, ff_asf_head1_guid, sizeof(ff_asf_guid))) {
chunksize = 46; // see references [2] section 3.4. This should be set 46.
+if (chunksize > end - p) {
+av_log(NULL, AV_LOG_ERROR,
+"Corrupt stream (header chunksize %"PRId64" is invalid)\n",
+chunksize);
+return AVERROR_INVALIDDATA;
+}
}
p += chunksize;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
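Review bot: The chunksize check is added inside the ff_asf_head1_guid branch only, yet `p += chunksize;` at the bottom advances p for every branch; if any other branch (outside the hunk) can leave chunksize larger than `end - p`, the same overrun remains, and placing the check once immediately before `p += chunksize;` would cover them all. In this branch chunksize is the constant 46, so the message always prints 46; the remaining length is the more useful number, e.g. `"Corrupt stream (header chunksize %"PRId64" exceeds remaining %"PRId64" bytes)\n", chunksize, (int64_t)(end - p)`. The loop enclosing this branch starts outside the hunk.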
[FFmpeg-cvslog] avcodec/mjpegdec: Check for odd progressive RGB
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jul 6 16:28:14 2018 +0200| [270a7ff111aa95793ba156b797f1d1e4caaa7efd] | committer: Michael Niedermayer avcodec/mjpegdec: Check for odd progressive RGB Fixes: out of array access Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=270a7ff111aa95793ba156b797f1d1e4caaa7efd
--- libavcodec/mjpegdec.c | 4 1 file changed, 4 insertions(+)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 8f6fa35233..14896cb1ab 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -594,6 +594,10 @@ unk_pixfmt:
av_log(s->avctx, AV_LOG_ERROR, "lowres not supported for weird subsampling\n");
return AVERROR_PATCHWELCOME;
}
+if ((AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)) && s->progressive && s->avctx->pix_fmt == AV_PIX_FMT_GBRP) {
+avpriv_report_missing_feature(s->avctx, "progressive for weird subsampling");
+return AVERROR_PATCHWELCOME;
+}
if (s->ls) {
memset(s->upscale_h, 0, sizeof(s->upscale_h));
memset(s->upscale_v, 0, sizeof(s->upscale_v));
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
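Review bot: `AV_RB32(s->upscale_h) || AV_RB32(s->upscale_v)` tests "any upscale entry non-zero" by reading the first four bytes of each array as one big-endian word, which is not obvious and silently depends on the arrays being exactly four bytes long; the `memset(..., sizeof(s->upscale_h))` lines below show they are arrays but not their size. A comment on the condition, `// any of the upscale_* entries set (array read as one 32-bit word)`, or an explicit loop over the entries, would keep the check correct if the arrays ever grow. The enclosing function starts and ends outside the hunk.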
[FFmpeg-cvslog] avformat/movenc: Check input sample count
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jul 6 22:23:25 2018 +0200| [5775f837963dcf178876ca7d618e6d7dead830c0] | committer: Michael Niedermayer avformat/movenc: Check input sample count Fixes: division by 0 Fixes: fpe_movenc.c_199_1.wav Fixes: fpe_movenc.c_199_2.wav Fixes: fpe_movenc.c_199_3.wav Fixes: fpe_movenc.c_199_4.wav Fixes: fpe_movenc.c_199_5.wav Fixes: fpe_movenc.c_199_6.wav Fixes: fpe_movenc.c_199_7.wav Found-by: #CHEN HONGXU# Signed-off-by: Michael Niedermayer (cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5775f837963dcf178876ca7d618e6d7dead830c0
--- libavformat/movenc.c | 5 + 1 file changed, 5 insertions(+)
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 315839154a..26401c903d 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -4384,6 +4384,11 @@ int ff_mov_write_packet(AVFormatContext *s, AVPacket *pkt)
else
samples_in_chunk = 1;
+if (samples_in_chunk < 1) {
+av_log(s, AV_LOG_ERROR, "fatal error, input packet contains no samples\n");
+return AVERROR_PATCHWELCOME;
+}
+
/* copy extradata if it exists */
if (trk->vos_len == 0 && enc->extradata_size > 0 && !TAG_IS_AVCI(trk->tag) &&
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
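Review bot: A packet that yields zero samples is malformed input rather than an unsupported feature, so `return AVERROR_INVALIDDATA;` fits the "fatal error" wording better than AVERROR_PATCHWELCOME, which tells users a patch could add support. The check sits after the `else samples_in_chunk = 1;` fallback, so only the computed branch above it (outside the hunk) can produce a value below 1; a comment naming that, `/* 0 here would be divided by below (the reported FPE) */`, ties the guard to its purpose. ff_mov_write_packet begins and ends outside the hunk.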
[FFmpeg-cvslog] avformat/pva: Check for EOF before retrying in read_part_of_packet()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jul 3 22:14:42 2018 +0200| [c75b8c9733efce84304a2dcec1bbfe806ab2e90f] | committer: Michael Niedermayer avformat/pva: Check for EOF before retrying in read_part_of_packet() Fixes: Infinite loop Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06 Found-by: Paul Ch Signed-off-by: Michael Niedermayer (cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c75b8c9733efce84304a2dcec1bbfe806ab2e90f
--- libavformat/pva.c | 4 1 file changed, 4 insertions(+)
diff --git a/libavformat/pva.c b/libavformat/pva.c
index 900ad6133d..9714fb186c 100644
--- a/libavformat/pva.c
+++ b/libavformat/pva.c
@@ -134,6 +134,10 @@ recover:
pes_flags = avio_rb16(pb);
pes_header_data_length = avio_r8(pb);
+if (avio_feof(pb)) {
+return AVERROR_EOF;
+}
+
if (pes_signal != 1 || pes_header_data_length == 0) {
pva_log(s, AV_LOG_WARNING, "expected non empty signaled PES packet, " "trying to recover\n");
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
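Review bot: The EOF test guards only the header reads on the `recover:` path shown here; if read_part_of_packet has further `goto recover` sites or read loops outside the hunk, each of them needs the same test to stop spinning at end of input. Because avio_feof() is sticky, the check could also sit right after the `recover:` label, where it covers every re-entry at once: `recover: if (avio_feof(pb)) return AVERROR_EOF;`. A comment at the new check, `/* the reads above return 0 past EOF and would re-enter recover forever */`, records why it is placed after the reads. The function begins and ends outside the hunk.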
[FFmpeg-cvslog] avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Jul 2 18:40:08 2018 +0200| [76e10cd327b3070af6df4a581727ba6602776175] | committer: Michael Niedermayer avcodec/jpeg2000dec: Check that there are enough bytes for all tiles Fixes: OOM Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76e10cd327b3070af6df4a581727ba6602776175
--- libavcodec/jpeg2000dec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index bbb873bb15..f91109ca75 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -339,7 +339,10 @@ static int get_siz(Jpeg2000DecoderContext *s)
s->numXtiles = ff_jpeg2000_ceildiv(s->width - s->tile_offset_x, s->tile_width);
s->numYtiles = ff_jpeg2000_ceildiv(s->height - s->tile_offset_y, s->tile_height);
-if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile)) {
+// There must be at least a SOT and SOD per tile, their minimum size is 14
+if (s->numXtiles * (uint64_t)s->numYtiles > INT_MAX/sizeof(*s->tile) ||
+s->numXtiles * s->numYtiles * 14LL > bytestream2_size(>g)
+) {
s->numXtiles = s->numYtiles = 0;
return AVERROR(EINVAL);
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
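Review bot: `s->numXtiles * s->numYtiles * 14LL` multiplies the two tile counts in their native type before `14LL` widens the result, so it is overflow-free only because the preceding `||` operand has already rejected products above INT_MAX/sizeof(*s->tile); writing `14LL * s->numXtiles * s->numYtiles` makes the widened arithmetic hold on its own and survives any later reordering of the condition. The comment's "minimum size is 14" would be easier to verify if it named the parts (SOT marker segment plus SOD marker) it sums. The `>g` argument appears to be a rendering artifact of `&s->g`. get_siz begins and ends outside the hunk.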
[FFmpeg-cvslog] avcodec/indeo4: Check for end of bitstream in decode_mb_info()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Jul 2 01:26:44 2018 +0200| [4652b0f8fe8a444619f695bc1921d0d8133e1203] | committer: Michael Niedermayer avcodec/indeo4: Check for end of bitstream in decode_mb_info() Fixes: Timeout Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4652b0f8fe8a444619f695bc1921d0d8133e1203
--- libavcodec/indeo4.c | 5 + 1 file changed, 5 insertions(+)
diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index 13fc42ecde..b2d3cd5f4b 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -505,6 +505,11 @@ static int decode_mb_info(IVI45DecContext *ctx, IVIBandDesc *band,
mb->b_mv_x = mb->b_mv_y = 0;
+if (get_bits_left(>gb) < 1) {
+av_log(avctx, AV_LOG_ERROR, "Insufficient input for mb info\n");
+return AVERROR_INVALIDDATA;
+}
+
if (get_bits1(>gb)) {
if (ctx->frame_type == IVI4_FRAMETYPE_INTRA) {
av_log(avctx, AV_LOG_ERROR, "Empty macroblock in an INTRA picture!\n");
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
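Review bot: The new check only guarantees one bit for the `get_bits1()` that follows; the macroblock-header fields read in the branches after it are outside the hunk and are not covered, so if the reported timeout came from the bit reader returning zeros past the end, a bound on the whole per-macroblock read would be the stronger guard. A comment on the check, `/* past the end the reader yields zeros and the MB loop never terminates */`, would record why a one-bit test is enough for the reported case. The `>gb` arguments appear to be rendering artifacts of `&ctx->gb`. decode_mb_info begins and ends outside the hunk.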
[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in ff_eval_refl()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Jun 21 23:08:32 2018 +0200| [65c9c1b061db7eaf2559f4f984de679751803665] | committer: Michael Niedermayer avcodec/ra144: Fix integer overflow in ff_eval_refl() Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int' Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65c9c1b061db7eaf2559f4f984de679751803665
--- libavcodec/ra144.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index 67f0e84469..c399304ea1 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1569,11 +1569,11 @@ int ff_eval_refl(int *refl, const int16_t *coefs, AVCodecContext *avctx)
b = 0x100 / b;
for (j=0; j <= i; j++) {
#if CONFIG_FTRAPV
-int a = bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12);
+int a = bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12);
if((int)(a*(unsigned)b) != a*(int64_t)b) return 1;
#endif
-bp1[j] = (int)((bp2[j] - ((refl[i+1] * bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
+bp1[j] = (int)((bp2[j] - ((int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12)) * (unsigned)b) >> 12;
}
if ((unsigned) bp1[i] + 0x1000 > 0x1fff)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
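Review bot: `(int)(refl[i+1] * (unsigned)bp2[i-j]) >> 12` makes the multiply wrap instead of overflowing, but the cast back to int and the right shift of a possibly negative value are both implementation-defined, so the line is only well-defined under the two's-complement, arithmetic-shift assumption FFmpeg makes throughout; a comment at the first occurrence, `/* unsigned multiply wraps instead of UB; relies on arithmetic >> of the int result */`, records that. The same expression is now spelled out twice, in the CONFIG_FTRAPV branch and in the bp1[j] assignment, so computing it once into a local would keep the two from drifting apart. ff_eval_refl begins and ends outside the hunk.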
[FFmpeg-cvslog] avcodec/escape124: Check buf_size against num_superblocks
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jun 24 19:23:02 2018 +0200| [9bfdb49b74026f380488cd857f0dddf7bb3834ca] | committer: Michael Niedermayer avcodec/escape124: Check buf_size against num_superblocks Fixes: Timeout Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9bfdb49b74026f380488cd857f0dddf7bb3834ca
--- libavcodec/escape124.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index d8a89a934c..9080a1fdff 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -222,7 +222,11 @@ static int escape124_decode_frame(AVCodecContext *avctx,
// This call also guards the potential depth reads for the
// codebook unpacking.
-if (get_bits_left() < 64)
+// Check if the amount we will read minimally is available on input.
+// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
+// represent a lower bound of the space needed for skiped superblocks. Non
+// skipped SBs need more space.
+if (get_bits_left() < 64 + s->num_superblocks * 23LL / 4320)
return -1;
frame_flags = get_bits_long(, 32);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
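Review bot: The bound `64 + s->num_superblocks * 23LL / 4320` is described as a lower bound for skipped superblocks, but the comment does not say where 23 and 4320 come from, so a future change to the superblock coding cannot be checked against it; extending the comment with the derivation (how many bits a run of skipped superblocks costs and how many superblocks that run covers) would make the constant auditable. The `23LL` widening is sufficient against overflow provided num_superblocks is an int-sized count, which is computed outside the hunk. The empty `get_bits_left()` and `get_bits_long(, 32)` arguments look like rendering artifacts of `&gb`. escape124_decode_frame begins and ends outside the hunk.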
[FFmpeg-cvslog] avcodec/escape124: Fix spelling errors in comment
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Jun 27 13:00:28 2018 +0200| [f780dabc501921448b11d2e1800255ff54df5ee5] | committer: Michael Niedermayer avcodec/escape124: Fix spelling errors in comment Signed-off-by: Michael Niedermayer (cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f780dabc501921448b11d2e1800255ff54df5ee5
--- libavcodec/escape124.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/escape124.c b/libavcodec/escape124.c
index 9080a1fdff..fab56b59e0 100644
--- a/libavcodec/escape124.c
+++ b/libavcodec/escape124.c
@@ -223,8 +223,8 @@ static int escape124_decode_frame(AVCodecContext *avctx,
// This call also guards the potential depth reads for the
// codebook unpacking.
// Check if the amount we will read minimally is available on input.
-// The 64 represent the immedeatly next 2 frame_* elements read, the 23/4320
-// represent a lower bound of the space needed for skiped superblocks. Non
+// The 64 represent the immediately next 2 frame_* elements read, the 23/4320
+// represent a lower bound of the space needed for skipped superblocks. Non
// skipped SBs need more space.
if (get_bits_left() < 64 + s->num_superblocks * 23LL / 4320)
return -1;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/shorten: Fix undefined addition in shorten_decode_frame()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Jul 2 19:11:46 2018 +0200| [29c7a02bb2858e669441c642af3230db5f147f50] | committer: Michael Niedermayer avcodec/shorten: Fix undefined addition in shorten_decode_frame() Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int' Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=29c7a02bb2858e669441c642af3230db5f147f50
--- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index cbd8a78bc4..f481a84fed 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -575,7 +575,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
else {
int32_t sum = (s->version < 2) ? 0 : s->nmean / 2;
for (i = 0; i < s->nmean; i++)
-sum += s->offset[channel][i];
+sum += (unsigned)s->offset[channel][i];
coffset = sum / s->nmean;
if (s->version >= 2)
coffset = s->bitshift == 0 ? coffset : coffset >> s->bitshift - 1 >> 1;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
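Review bot: `sum += (unsigned)s->offset[channel][i]` turns the overflow into a defined wrap, but the wrapped int32_t then feeds `coffset = sum / s->nmean` and the bitshift below, so such input now yields a silently wrong offset rather than an error. If tolerating that is the intended trade-off, a comment on the line, `/* wrap on overflow is deliberate: a corrupt offset only affects output, not memory safety */`, should say so; otherwise a range check on the offset values where they are read (outside the hunk) would be the stronger fix. shorten_decode_frame begins and ends outside the hunk.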
[FFmpeg-cvslog] avcodec/cscd: Check output buffer size for lzo.
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jun 22 01:18:20 2018 +0200| [3b02b9ad2b81fb536587d45ee7463aaf1fa93a4c] | committer: Michael Niedermayer avcodec/cscd: Check output buffer size for lzo. Fixes: Timeout Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg (cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b02b9ad2b81fb536587d45ee7463aaf1fa93a4c
--- libavcodec/cscd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
index 8cb193de56..8fd121a2c7 100644
--- a/libavcodec/cscd.c
+++ b/libavcodec/cscd.c
@@ -81,7 +81,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
switch ((buf[0] >> 1) & 7) {
case 0: { // lzo compression
int outlen = c->decomp_size, inlen = buf_size - 2;
-if (av_lzo1x_decode(c->decomp_buf, , [2], )) {
+if (av_lzo1x_decode(c->decomp_buf, , [2], ) || outlen) {
av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n");
return AVERROR_INVALIDDATA;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
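Review bot: The added `|| outlen` now rejects frames whose LZO stream produces fewer than c->decomp_size bytes, but the message still reads "error during lzo decompression", which will send anyone debugging a short frame to the wrong place; either split the condition with its own message or annotate it, `/* av_lzo1x_decode leaves the unfilled output size in outlen; non-zero means a short frame */`. Whether a short frame is always invalid (rather than a legitimately smaller image update) is not visible in the hunk and is worth confirming against the format. The empty argument slots `, , [2], )` appear to be rendering artifacts of `&outlen, &buf[2], &inlen`. decode_frame begins and ends outside the hunk.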
[FFmpeg-cvslog] fftools/ffmpeg: Fallback to duration if sample rate is unavailable
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue May 1 22:44:07 2018 +0200| [83260729955b9249599a23be5f9ad4e9051db002] | committer: Michael Niedermayer fftools/ffmpeg: Fallback to duration if sample rate is unavailable Regression since: af1761f7 Fixes: Division by 0 Fixes: ffmpeg_crash_1 Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=83260729955b9249599a23be5f9ad4e9051db002
--- ffmpeg.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ffmpeg.c b/ffmpeg.c
index 2887e91d1a..5282027895 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2396,8 +2396,12 @@ static int process_input_packet(InputStream *ist, const AVPacket *pkt)
ist->dts = ist->next_dts;
switch (ist->dec_ctx->codec_type) {
case AVMEDIA_TYPE_AUDIO:
-ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
- ist->dec_ctx->sample_rate;
+if (ist->dec_ctx->sample_rate) {
+ist->next_dts += ((int64_t)AV_TIME_BASE * ist->dec_ctx->frame_size) /
+ ist->dec_ctx->sample_rate;
+} else {
+ist->next_dts += av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q);
+}
break;
case AVMEDIA_TYPE_VIDEO:
if (ist->framerate.num) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
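Review bot: The new else branch dereferences `pkt` without a check; if process_input_packet also serves as the end-of-input flush path with a NULL packet (its `const AVPacket *pkt` parameter suggests it may), this stream-copy block must be unreachable in that case, and the condition that guarantees it is outside the hunk. Writing the fallback as `ist->next_dts += pkt ? av_rescale_q(pkt->duration, ist->st->time_base, AV_TIME_BASE_Q) : 0;` closes the question locally. A packet with duration 0 leaves next_dts unchanged, which is acceptable but worth a comment: `/* no sample rate: trust the demuxer's duration; 0 leaves next_dts as is */`. The function begins and ends outside the hunk.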
[FFmpeg-cvslog] avcodec/xwddec: Use ff_set_dimensions()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jun 8 00:42:31 2018 +0200| [2b60986513c98b35fecdf75663bc014b7344b572] | committer: Michael Niedermayer avcodec/xwddec: Use ff_set_dimensions() Fixes: OOM Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2b60986513c98b35fecdf75663bc014b7344b572
--- libavcodec/xwddec.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index 8b0845fc01..25c64e0e14 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -39,6 +39,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
uint32_t pixformat, pixdepth, bunit, bitorder, bpad;
uint32_t rgb[3];
uint8_t *ptr;
+int width, height;
GetByteContext gb;
if (buf_size < XWD_HEADER_SIZE)
@@ -60,8 +61,8 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
pixformat = bytestream2_get_be32u();
pixdepth = bytestream2_get_be32u();
-avctx->width = bytestream2_get_be32u();
-avctx->height = bytestream2_get_be32u();
+width = bytestream2_get_be32u();
+height= bytestream2_get_be32u();
xoffset = bytestream2_get_be32u();
be= bytestream2_get_be32u();
bunit = bytestream2_get_be32u();
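Review bot: `width` and `height` are declared `int` but receive `bytestream2_get_be32u()` results, so header values of 2^31 and above become negative through an implementation-defined conversion before `ff_set_dimensions()` sees them; that is only safe because ff_set_dimensions rejects non-positive sizes, and the dependency should be written down, e.g. `/* may wrap negative for huge headers; ff_set_dimensions() rejects those */`, or the locals kept as uint32_t with an explicit upper-bound check. The `height= ...` spacing follows the column-aligned `be= ...` style of the neighbouring lines, so that is consistent. The same point applies to the third hunk (@@ -77,6), where the values are consumed. xwd_decode_frame continues outside the hunks.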
@@ -77,6 +78,9 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
ncolors = bytestream2_get_be32u();
bytestream2_skipu(, header_size - (XWD_HEADER_SIZE - 20));
+if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
+return ret;
+
av_log(avctx, AV_LOG_DEBUG, "pixformat %"PRIu32", pixdepth %"PRIu32", bunit %"PRIu32", bitorder %"PRIu32", bpad %"PRIu32"\n", pixformat, pixdepth, bunit, bitorder, bpad);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Jun 21 22:48:54 2018 +0200| [8db6c2993bb58937167dd2d4b8014ea4ab784846] | committer: Michael Niedermayer avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan() Fixes: Timeout Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8db6c2993bb58937167dd2d4b8014ea4ab784846
--- libavcodec/mjpegdec.c | 5 + 1 file changed, 5 insertions(+)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index e061742ad2..8f6fa35233 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -979,6 +979,11 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
for (mb_x = 0; mb_x < s->mb_width; mb_x++) {
int modified_predictor = predictor;
+if (get_bits_left(>gb) < 1) {
+av_log(s->avctx, AV_LOG_ERROR, "bitstream end in rgb_scan\n");
+return AVERROR_INVALIDDATA;
+}
+
if (s->restart_interval && !s->restart_count){
s->restart_count = s->restart_interval;
resync_mb_x = mb_x;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
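Review bot: The one-bit check runs once per macroblock in the inner loop but only detects a reader that is already fully exhausted; a macroblock presumably needs several codes (one per component, given the nb_components parameter), so a truncated final macroblock still decodes zero-fill and is only caught on the next iteration. That is enough against the reported timeout, and a comment, `/* stop once the reader is exhausted; a partially truncated MB is caught next iteration */`, would explain why `< 1` rather than a per-macroblock minimum is used. The `>gb` argument appears to be a rendering artifact of `&s->gb`. ljpeg_decode_rgb_scan begins and ends outside the hunk.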
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Jun 14 16:41:49 2018 +0200| [e495910d4ca368be51fdc2ecc056ed0fb0ff2526] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed() Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int' Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e495910d4ca368be51fdc2ecc056ed0fb0ff2526
--- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c
index e0a54fffb4..40363ba6bb 100644
--- a/libavcodec/aacdec_fixed.c
+++ b/libavcodec/aacdec_fixed.c
@@ -433,7 +433,7 @@ static void apply_independent_coupling_fixed(AACContext *ac,
else {
for (i = 0; i < len; i++) {
tmp = (int)(((int64_t)src[i] * c + (int64_t)0x10) >> 37);
- dest[i] += tmp * (1 << shift);
+ dest[i] += tmp * (1U << shift);
}
}
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
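Review bot: `tmp * (1U << shift)` is defined only while `shift` stays below 32, and the unsigned product is then converted back into dest[i] by implementation-defined wrap-around; neither bound is visible in the hunk, so a comment on the line, `/* unsigned so the scaling wraps instead of overflowing; requires shift < 32 */`, states the contract. If `shift` derives from stream data (it is computed outside the hunk), it should be range-checked where it is set rather than relied upon here. apply_independent_coupling_fixed begins outside the hunk.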
[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jun 5 02:17:24 2018 +0200| [ce4cb475a3714def0ad80a5ad74f2c9c90683f88] | committer: Michael Niedermayer avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan() Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int' Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce4cb475a3714def0ad80a5ad74f2c9c90683f88
--- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 2e101225b6..e061742ad2 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1002,7 +1002,7 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
return -1;
left[i] = buffer[mb_x][i] =
-mask & (pred + (dc * (1 << point_transform)));
+mask & (pred + (unsigned)(dc * (1 << point_transform)));
}
if (s->restart_interval && !--s->restart_count) {
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
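Review bot: Only the addition is made unsigned; `dc * (1 << point_transform)` remains signed int arithmetic, so the fix is complete only because |dc| and point_transform are bounded such that their product fits (the reported case, 32768 + 2147450880, lands just under INT_MAX). Those bounds come from the DC decoder and the scan header, both outside the hunk, so either a comment tying them together, `/* dc * (1 << point_transform) fits int by the decoder's bounds; only the add may wrap */`, or making the whole term unsigned, `mask & (pred + (unsigned)dc * (1 << point_transform))`, removes the hidden dependency. ljpeg_decode_rgb_scan begins and ends outside the hunk.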
[FFmpeg-cvslog] avformat/mov: Only set pkt->duration to non negative values
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed May 16 23:35:58 2018 +0200| [ed4e35a0fdef551041a2d0e412e90321dbd6bf3e] | committer: Michael Niedermayer avformat/mov: Only set pkt->duration to non negative values Reviewed-by: Sasi Inguva Signed-off-by: Michael Niedermayer (cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ed4e35a0fdef551041a2d0e412e90321dbd6bf3e
--- libavformat/mov.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4f1662fc30..e48938e5b5 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -4840,7 +4840,9 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
} else {
int64_t next_dts = (sc->current_sample < st->nb_index_entries) ? st->index_entries[sc->current_sample].timestamp : st->duration;
-pkt->duration = next_dts - pkt->dts;
+
+if (next_dts >= pkt->dts)
+pkt->duration = next_dts - pkt->dts;
pkt->pts = pkt->dts;
}
if (st->discard == AVDISCARD_ALL)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
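Review bot: When `next_dts < pkt->dts` the new guard leaves pkt->duration at whatever value it held before and emits no diagnostic, so an out-of-order index entry now silently yields a duration that is either 0 or stale, depending on how the packet was initialised earlier (outside the hunk). If dropping the negative value is the intended policy, an explicit `else pkt->duration = 0;` plus a comment, `/* index timestamps can run backwards; never report a negative duration */`, makes the result deterministic for callers; a debug-level av_log would also help when investigating such files. mov_read_packet begins and ends outside the hunk.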
[FFmpeg-cvslog] avcodec/wavpack: Fix overflow in adding tail
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jun 8 00:07:04 2018 +0200| [acfdaa463e7c7ab5d8603b6e8aa31eaf9e8a555e] | committer: Michael Niedermayer avcodec/wavpack: Fix overflow in adding tail Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int' Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=acfdaa463e7c7ab5d8603b6e8aa31eaf9e8a555e --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 50b5db55ff..3748ac89cc 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -85,7 +85,7 @@ typedef struct WavpackContext { #define LEVEL_DECAY(a) (((a) + 0x80) >> 8) -static av_always_inline int get_tail(GetBitContext *gb, int k) +static av_always_inline unsigned get_tail(GetBitContext *gb, int k) { int p, e, res; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
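Review bot: Only the return type of `get_tail` changes to `unsigned`, while the locals stay `int p, e, res;`, so whatever arithmetic produces `res` in the body (outside this hunk) is still signed and the widening happens only at the `return`. If the overflow named in the commit message occurs inside that body, `res` (and possibly `p`) should become `unsigned` too; if it occurs in the caller's addition, the change is sufficient but deserves a comment at the signature, e.g. `/* unsigned: callers add this to values that may wrap */`. The function body continues beyond the hunk.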
[FFmpeg-cvslog] avcodec/h264_mc_template: Only prefetch motion if the list is used.
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Jun 8 18:25:14 2018 +0200| [cc65755a0ddbc8985462ac8f961188e08d89110f] | committer: Michael Niedermayer avcodec/h264_mc_template: Only prefetch motion if the list is used. Fixes: index 59 out of bounds for type 'H264Ref [48]' Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc65755a0ddbc8985462ac8f961188e08d89110f --- libavcodec/h264_mc_template.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_mc_template.c b/libavcodec/h264_mc_template.c index e4333a733c..acdf4d126c 100644 --- a/libavcodec/h264_mc_template.c +++ b/libavcodec/h264_mc_template.c @@ -78,7 +78,8 @@ static void MCFUNC(hl_motion)(const H264Context *h, H264SliceContext *sl, if (HAVE_THREADS && (h->avctx->active_thread_type & FF_THREAD_FRAME)) await_references(h, sl); -prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); +if (USES_LIST(mb_type, 0)) +prefetch_motion(h, sl, 0, PIXEL_SHIFT, CHROMA_IDC); if (IS_16X16(mb_type)) { mc_part(h, sl, 0, 1, 16, 0, dest_y, dest_cb, dest_cr, 0, 0, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
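Review bot: The added `if (USES_LIST(mb_type, 0))` guard has no comment explaining why the prefetch became conditional, and the commit message (a ref index out of bounds) is the only place that records it; suggest `/* ref_list[0] entries are only valid when the macroblock uses list 0 */` above the `if`. If hl_motion also calls `prefetch_motion(..., 1, ...)` for the second list it presumably needs a matching `USES_LIST(mb_type, 1)` check, but that code is outside the hunk, as is the rest of the function.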
[FFmpeg-cvslog] avcodec/shorten: Fix multiple integer overflows
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jun 5 13:19:35 2018 +0200| [6fdc61b8f6f1a8f7ded6fa858dd5b5fe69e0237e] | committer: Michael Niedermayer avcodec/shorten: Fix multiple integer overflows Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int' Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6fdc61b8f6f1a8f7ded6fa858dd5b5fe69e0237e --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index b8a5664ce9..cbd8a78bc4 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -313,7 +313,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, for (i = 0; i < s->blocksize; i++) { sum = init_sum; for (j = 0; j < pred_order; j++) -sum += coeffs[j] * s->decoded[channel][i - j - 1]; +sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1]; s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) + (sum >> qshift); } @@ -593,7 +593,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, /* update means with info from the current block */ if (s->nmean > 0) { -int32_t sum = (s->version < 2) ? 0 : s->blocksize / 2; +int64_t sum = (s->version < 2) ? 0 : s->blocksize / 2; for (i = 0; i < s->blocksize; i++) sum += s->decoded[channel][i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
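Review bot: In the first hunk the `(unsigned)` cast makes `coeffs[j] * s->decoded[...]` wrap instead of overflowing, but `sum` is declared outside the hunk, and the following `(sum >> qshift)` is a right shift of a possibly negative signed value whose result is implementation-defined; if `sum` is an `int` this relies on an arithmetic shift. A comment at the cast would help the next reader: `/* wraparound is intentional: corrupt streams must not trigger UB here */`. In the second hunk `int64_t sum` accumulated from 32-bit samples is sound, though how it is later divided and stored is not visible. Both enclosing functions, decode_subframe_lpc and shorten_decode_frame, extend beyond their hunks.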
[FFmpeg-cvslog] avcodec/truemotion2: Fix overflow in tm2_apply_deltas()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jun 5 02:09:59 2018 +0200| [ea0734e3f011964e12da5f7d8dacf4a86670cbf0] | committer: Michael Niedermayer avcodec/truemotion2: Fix overflow in tm2_apply_deltas() Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int' Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ea0734e3f011964e12da5f7d8dacf4a86670cbf0 --- libavcodec/truemotion2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index dbcef42462..d290326bf5 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -443,7 +443,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* common operations - add deltas to 4x4 block of luma or 2x2 blocks of chroma */ static inline void tm2_apply_deltas(TM2Context *ctx, int* Y, int stride, int *deltas, int *last) { -int ct, d; +unsigned ct, d; int i, j; for (j = 0; j < 4; j++){ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
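Review bot: Changing `ct` and `d` to `unsigned` also changes the meaning of any comparison, division or right shift on them in the body of tm2_apply_deltas, which is entirely outside this hunk; if the loops compare `d` against negative values or shift it, those sites need review as well. Assuming the body only adds these and stores them into `int` arrays, the wraparound is well-defined, and a comment at the declaration would record that: `unsigned ct, d; /* unsigned: running sums may wrap; conversion back to int is intended */`.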
[FFmpeg-cvslog] avcodec/shorten: Sanity check nmeans
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Jun 5 13:03:48 2018 +0200| [f41da2bd5ff7d9d6b1141284dbd526d8b232e29b] | committer: Michael Niedermayer avcodec/shorten: Sanity check nmeans Fixes: OOM Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232 The reference software appears to use longs for 32bits and it uses int for nmeans hinting that the intended maximum size was not 32bit. Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f41da2bd5ff7d9d6b1141284dbd526d8b232e29b --- libavcodec/shorten.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index e4bf2e0035..b8a5664ce9 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -374,6 +374,10 @@ static int read_header(ShortenContext *s) return AVERROR_INVALIDDATA; } s->nmean = get_uint(s, 0); +if (s->nmean > 32768U) { +av_log(s->avctx, AV_LOG_ERROR, "nmean is: %d\n", s->nmean); +return AVERROR_INVALIDDATA; +} skip_bytes = get_uint(s, NSKIPSIZE); if ((unsigned)skip_bytes > get_bits_left(>gb)/8) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
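Review bot: The new check prints `s->nmean` with `%d` while comparing it against the unsigned literal `32768U`; if `nmean` is declared unsigned, as the comparison suggests, the specifier should be `%u`, and if it is a signed `int` the unsigned comparison is what also rejects negative values, which deserves a comment. The limit is a magic number — a named constant (e.g. `#define MAX_NMEAN 32768`, name constructed here) with a comment pointing at the reference implementation's sizing from the commit message would keep that rationale next to the code. read_header continues outside the hunk.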
[FFmpeg-cvslog] avutil/common: Fix undefined behavior in av_clip_uintp2_c()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Jun 14 15:41:33 2018 +0200| [c1121e7ec29b78bf96a4411ca378e2336a32dbcd] | committer: Michael Niedermayer avutil/common: Fix undefined behavior in av_clip_uintp2_c() Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c1121e7ec29b78bf96a4411ca378e2336a32dbcd --- libavutil/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/common.h b/libavutil/common.h index 81f5fedf29..ee7028e1fb 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -232,7 +232,7 @@ static av_always_inline av_const int av_clip_intp2_c(int a, int p) */ static av_always_inline av_const unsigned av_clip_uintp2_c(int a, int p) { -if (a & ~((1<> 31 & ((1<> 31 & ((1
[FFmpeg-cvslog] avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon May 21 03:16:58 2018 +0200| [17ed3c809da5852c3d5c41df14f0d44a8d7c10a9] | committer: Michael Niedermayer avformat/mov: replace a value error by clipping into valid range in mov_read_stsc() Fixes: #7165 Signed-off-by: Michael Niedermayer (cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=17ed3c809da5852c3d5c41df14f0d44a8d7c10a9 --- libavformat/mov.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index c85d3a6eda..4f1662fc30 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c 
@@ -2229,14 +2229,22 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) sc->stsc_count = i; for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { +int64_t first_min = i + 1; if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || -sc->stsc_data[i].first < 1 || +sc->stsc_data[i].first < first_min || sc->stsc_data[i].count < 1 || sc->stsc_data[i].id < 1) { av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); -if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) -return AVERROR_INVALIDDATA; +if (i+1 >= sc->stsc_count) { +sc->stsc_data[i].first = FFMAX(sc->stsc_data[i].first, first_min); +if (i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) +sc->stsc_data[i].first = FFMIN(sc->stsc_data[i-1].first + 1LL, INT_MAX); +sc->stsc_data[i].count = FFMAX(sc->stsc_data[i].count, 1); +sc->stsc_data[i].id= FFMAX(sc->stsc_data[i].id, 1); +continue; +} +av_assert0(sc->stsc_data[i+1].first >= 2); // We replace this entry by the next valid sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; sc->stsc_data[i].count = sc->stsc_data[i+1].count; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
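Review bot: The new `av_assert0(sc->stsc_data[i+1].first >= 2)` turns what was an `AVERROR_INVALIDDATA` return into an abort, and the reason it cannot fire — the loop runs from the last entry downwards, so entry `i+1` was already validated or repaired against `first_min = i + 2` — is nowhere stated; add `// entries above i were already validated or repaired, so first >= i + 2 >= 2 here` before the assert. The repair branch for the last entry clamps `first`, `count` and `id` after only a warning, so a comment saying that corrupt trailing entries are deliberately repaired rather than rejected would also help. The existing `av_log` passes `i` to `%d` although the loop condition `i < UINT_MAX` suggests it is unsigned; that line is context here but worth fixing while in the area. mov_read_stsc starts and ends outside the hunk.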
[FFmpeg-cvslog] avcodec/fic: Avoid some magic numbers related to cursors
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat May 5 23:42:36 2018 +0200| [f98794c73a7f90da43e06126e60a7bbda530fba7] | committer: Michael Niedermayer avcodec/fic: Avoid some magic numbers related to cursors Signed-off-by: Michael Niedermayer (cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f98794c73a7f90da43e06126e60a7bbda530fba7 --- libavcodec/fic.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 7bfb998a55..14887d94a0 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -81,6 +81,7 @@ static const uint8_t fic_qmat_lq[64] = { static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' }; #define FIC_HEADER_SIZE 27 +#define CURSOR_OFFSET 59 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd) { @@ -417,7 +418,7 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, /* Draw cursor. */ if (!skip_cursor) { -memcpy(ctx->cursor_buf, src + 59, 32 * 32 * 4); +memcpy(ctx->cursor_buf, src + CURSOR_OFFSET, sizeof(ctx->cursor_buf)); fic_draw_cursor(avctx, cur_x, cur_y); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
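Review bot: `sizeof(ctx->cursor_buf)` equals the 32 * 32 * 4 bytes the old code copied only if `cursor_buf` is an array member rather than a pointer; the struct is outside the hunk, so that should be confirmed. The new `#define CURSOR_OFFSET 59` still carries no explanation — a comment such as `/* byte offset of the cursor image data within the packet */` would help. Whether the packet is verified to hold at least `CURSOR_OFFSET + sizeof(ctx->cursor_buf)` bytes before this memcpy is not visible in the hunk; if that check exists it should use the same macro so the two cannot drift apart. fic_decode_frame continues outside the hunk.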
[FFmpeg-cvslog] avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jun 3 01:33:54 2018 +0200| [4c3a7aaea8ba76225780bd867a053bb0084503d6] | committer: Michael Niedermayer avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int' Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c3a7aaea8ba76225780bd867a053bb0084503d6 --- libavcodec/opus_silk.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c index 408e4bf43c..6418743b6b 100644 --- a/libavcodec/opus_silk.c +++ b/libavcodec/opus_silk.c @@ -955,8 +955,10 @@ static void silk_lsf2lpc(const int16_t nlsf[16], float lpcf[16], int order) /* reconstruct A(z) */ for (k = 0; k < order>>1; k++) { -lpc32[k] = -p[k + 1] - p[k] - q[k + 1] + q[k]; -lpc32[order-k-1] = -p[k + 1] - p[k] + q[k + 1] - q[k]; +int32_t p_tmp = p[k + 1] + p[k]; +int32_t q_tmp = q[k + 1] - q[k]; +lpc32[k] = -q_tmp - p_tmp; +lpc32[order-k-1] = q_tmp - p_tmp; } /* limit the range of the LPC coefficients to each fit within an int16_t */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
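Review bot: The split into `p_tmp` and `q_tmp` follows the reference, but both intermediates are still `int32_t`, so the change narrows the overflow window rather than removing it if `p[]` and `q[]` can approach the int32 range; the bounds of those arrays are established earlier in silk_lsf2lpc, outside the hunk. A comment naming the intent would help, e.g. `/* pair up p and q first, as silk/NLSF2A.c does, to keep the intermediates in range */`. The function continues beyond the hunk.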
[FFmpeg-cvslog] avcodec/g2meet: ask for sample with overflowing RGB
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed May 16 22:50:19 2018 +0200| [781dcd5db6ac7597a8c2e7ad165a4ef6b0d1697a] | committer: Michael Niedermayer avcodec/g2meet: ask for sample with overflowing RGB Suggested-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=781dcd5db6ac7597a8c2e7ad165a4ef6b0d1697a --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index fed35a271b..fcfb42bbb7 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -556,7 +556,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, } if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { -av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); +avpriv_request_sample(NULL, "RGB %d %d %d is out of range\n", R, G, B); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
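Review bot: The message handed to `avpriv_request_sample` keeps the trailing `\n` from the old `av_log` call, but `avpriv_request_sample` appends its own wording after the caller's message, so the newline likely splits the log line mid-sentence; drop it: `avpriv_request_sample(NULL, "RGB %d %d %d is out of range", R, G, B);`. Passing `NULL` as the log context also loses the stream association; if a context with an AVClass is reachable from `dc` it would be a better first argument. epic_decode_pixel_pred continues outside the hunk.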
[FFmpeg-cvslog] avcodec/amrwbdec: Fix division by 0 in find_hb_gain()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Jun 3 00:48:06 2018 +0200| [832d9accfc23b837a3c6e10fd92c9a5a6129bf0b] | committer: Michael Niedermayer avcodec/amrwbdec: Fix division by 0 in find_hb_gain() This restructures the code slightly toward D_UTIL_dec_synthesis() Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=832d9accfc23b837a3c6e10fd92c9a5a6129bf0b --- libavcodec/amrwbdec.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c index d5e0431f30..bc5e157210 100644 --- a/libavcodec/amrwbdec.c +++ b/libavcodec/amrwbdec.c @@ -865,15 +865,20 @@ static float find_hb_gain(AMRWBContext *ctx, const float *synth, { int wsp = (vad > 0); float tilt; +float tmp; if (ctx->fr_cur_mode == MODE_23k85) return qua_hb_gain[hb_idx] * (1.0f / (1 << 14)); -tilt = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1) / - ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); +tmp = ctx->celpm_ctx.dot_productf(synth, synth + 1, AMRWB_SFR_SIZE - 1); + +if (tmp > 0) { +tilt = tmp / ctx->celpm_ctx.dot_productf(synth, synth, AMRWB_SFR_SIZE); +} else +tilt = 0; /* return gain bounded by [0.1, 1.0] */ -return av_clipf((1.0 - FFMAX(0.0, tilt)) * (1.25 - 0.25 * wsp), 0.1, 1.0); +return av_clipf((1.0 - tilt) * (1.25 - 0.25 * wsp), 0.1, 1.0); } /** ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
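Review bot: The new branch `if (tmp > 0) { ... } else tilt = 0;` mixes a braced and an unbraced arm; write `} else { tilt = 0; }` or drop both sets of braces. The division is now guarded by the numerator rather than the denominator: `tmp > 0` implies at least one non-zero sample, so `dot_productf(synth, synth, ...)` is positive in exact arithmetic, but that reasoning deserves a comment, e.g. `/* tmp > 0 implies synth is not all zero, so the energy below is non-zero */`. Removing `FFMAX(0.0, tilt)` is consistent with `tilt` now being non-negative by construction. find_hb_gain starts outside the hunk.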
[FFmpeg-cvslog] avformat/mov: Break out early if chunk_count is 0 in mov_build_index()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue May 15 17:06:59 2018 +0200| [674929cd46c76285f4d739c0436a75a5402dee61] | committer: Michael Niedermayer avformat/mov: Break out early if chunk_count is 0 in mov_build_index() Without this some operations might overflow (undefined behavior) even though the index adding loop would never execute No testcase known Signed-off-by: Michael Niedermayer (cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=674929cd46c76285f4d739c0436a75a5402dee61 --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5a2ab732d3..c85d3a6eda 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2783,6 +2783,9 @@ static void mov_build_index(MOVContext *mov, AVStream *st) } else { unsigned chunk_samples, total = 0; +if (!sc->chunk_count) +return; + // compute total chunk count for (i = 0; i < sc->stsc_count; i++) { unsigned count, chunk_count; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
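Review bot: The early `return` on `!sc->chunk_count` lacks the rationale given in the commit message, and a comment would keep it with the code: `// nothing to index, and the chunk arithmetic below would overflow without chunks`. Because this returns from the middle of mov_build_index, any work after the if/else (outside the hunk) is skipped for such streams; if that tail sets state other callers rely on, jumping to it would be safer than `return`, but that code is not visible here.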
[FFmpeg-cvslog] avcodec/g2meet: Check RGB upper limit
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Apr 27 20:16:13 2018 +0200| [fc097bf1cd0af7bbab09e2f1af4ae39eb0ca4eea] | committer: Michael Niedermayer avcodec/g2meet: Check RGB upper limit Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int' Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fc097bf1cd0af7bbab09e2f1af4ae39eb0ca4eea --- libavcodec/g2meet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 14dd05babc..fed35a271b 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -555,7 +555,7 @@ static uint32_t epic_decode_pixel_pred(ePICContext *dc, int x, int y, B = ((pred >> B_shift) & 0xFF) - TOSIGNED(delta); } -if (R<0 || G<0 || B<0) { +if (R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255) { av_log(NULL, AV_LOG_ERROR, "RGB %d %d %d is out of range\n", R, G, B); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
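Review bot: The extended condition `R<0 || G<0 || B<0 || R > 255 || G > 255 || B > 255` mixes two spacing styles in one expression and spells a single byte-range test as six comparisons; `(unsigned)R > 255 || (unsigned)G > 255 || (unsigned)B > 255` is an equivalent form that reads as one check. A comment stating what the test protects would also help: `/* out-of-range components would overflow the packing shifts that follow */` — the commit message names a left shift as the failure, though that code is outside the hunk. epic_decode_pixel_pred continues beyond the hunk.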
[FFmpeg-cvslog] lavf/http.c: Free allocated client URLContext in case of error.
ffmpeg | branch: release/2.8 | Stephan Holljes | Fri Jan 12 19:16:29 2018 +0100| [18772823239094cb23df43ceb01152a9bcf80710] | committer: Michael Niedermayer lavf/http.c: Free allocated client URLContext in case of error. Signed-off-by: Stephan Holljes Signed-off-by: Michael Niedermayer (cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18772823239094cb23df43ceb01152a9bcf80710 --- libavformat/http.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/http.c b/libavformat/http.c index 7686c92742..a64ad693e1 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -513,7 +513,11 @@ static int http_accept(URLContext *s, URLContext **c) goto fail; cc->hd = cl; cc->is_multi_client = 1; +return 0; fail: +if (c) { +ffurl_closep(c); +} return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
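Review bot: `if (c) { ffurl_closep(c); }` tests the output pointer itself rather than whether `*c` was allocated; if ffurl_closep tolerates a NULL `*c`, as its other call sites suggest, the guard only protects against a NULL `c`, which the `ffurl_alloc(c, ...)` above (outside the hunk) would presumably have rejected already. Either drop the guard or comment it: `/* close and clear *c so the caller never sees a half-initialised context */`. The braced single-statement body also differs from the surrounding style. http_accept starts outside the hunk.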
[FFmpeg-cvslog] swresample/arm: remove unintentional relocation.
ffmpeg | branch: release/2.8 | Rahul Chaudhry | Wed Apr 18 16:29:39 2018 -0700| [e5b29c60f02fa03a69b047ebc5d35737dd77ed1d] | committer: Michael Niedermayer swresample/arm: remove unintentional relocation. Branch to global symbol results in reference to PLT, and when compiling for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't support this relocation (ld.gold), while others can end up truncating the relocation to fit (ld.bfd). Convert this branch through PLT into a direct branch that the assembler can resolve locally. See https://github.com/android-ndk/ndk/issues/337 for background. The current workaround is to disable neon during gstreamer build, which is not optimal and can be reverted after this patch: https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f Signed-off-by: Michael Niedermayer (cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e5b29c60f02fa03a69b047ebc5d35737dd77ed1d --- libswresample/arm/audio_convert_neon.S | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libswresample/arm/audio_convert_neon.S b/libswresample/arm/audio_convert_neon.S index 1f88316dde..7729514701 100644 --- a/libswresample/arm/audio_convert_neon.S +++ b/libswresample/arm/audio_convert_neon.S @@ -22,6 +22,7 @@ #include "libavutil/arm/asm.S" function swri_oldapi_conv_flt_to_s16_neon, export=1 +_swri_oldapi_conv_flt_to_s16_neon: subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! vcvt.s32.f32q8, q0, #31 @@ -66,6 +67,7 @@ function swri_oldapi_conv_flt_to_s16_neon, export=1 endfunc function swri_oldapi_conv_fltp_to_s16_2ch_neon, export=1 +_swri_oldapi_conv_fltp_to_s16_2ch_neon: ldm r1, {r1, r3} subsr2, r2, #8 vld1.32 {q0}, [r1,:128]! 
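Review bot: The new labels `_swri_oldapi_conv_flt_to_s16_neon:` and `_swri_oldapi_conv_fltp_to_s16_2ch_neon:` are spelled exactly like the exported symbols on targets whose `EXTERN_ASM` prefix is `_` (Mach-O builds), where `function ..., export=1` already emits that label, so the assembler would see a duplicate definition there; a `.L`-prefixed local label (e.g. `.Lswri_oldapi_conv_flt_to_s16_neon:`) avoids the clash while still giving a locally resolvable branch target. The `blt`/`beq` targets in the `@@ -133,8` hunk on the next line would change to match. A one-line comment above each label, such as `@ local alias: direct branch target, avoids a PLT relocation`, would record why the alias exists.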
@@ -133,8 +135,8 @@ function swri_oldapi_conv_fltp_to_s16_nch_neon, export=1 cmp r3, #2 itt lt ldrlt r1, [r1] -blt X(swri_oldapi_conv_flt_to_s16_neon) -beq X(swri_oldapi_conv_fltp_to_s16_2ch_neon) +blt _swri_oldapi_conv_flt_to_s16_neon +beq _swri_oldapi_conv_fltp_to_s16_2ch_neon push{r4-r8, lr} cmp r3, #4 ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/vc1_block: simplify ac_val computation
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 23 02:08:10 2018 +0200| [60e7be58d996b8f14e99876472fdbdbc4db370d8] | committer: Michael Niedermayer avcodec/vc1_block: simplify ac_val computation also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]' Found-by: durandal_1707 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60e7be58d996b8f14e99876472fdbdbc4db370d8 --- libavcodec/vc1_block.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c index 255ba1da70..1b219c9adf 100644 --- a/libavcodec/vc1_block.c +++ b/libavcodec/vc1_block.c @@ -594,7 +594,7 @@ static int vc1_decode_i_block(VC1Context *v, int16_t block[64], int n, scale = s->c_dc_scale; block[0] = dcdiff * scale; -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -745,7 +745,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n, scale = mquant * 2 + ((mquant == v->pq) ? v->halfpq : 0); -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; if (dc_pred_dir) // left ac_val -= 16; @@ -946,7 +946,7 @@ static int vc1_decode_intra_block(VC1Context *v, int16_t block[64], int n, if (!a_avail) dc_pred_dir = 1; if (!c_avail) dc_pred_dir = 0; if (!a_avail && !c_avail) use_pred = 0; -ac_val = s->ac_val[0][0] + s->block_index[n] * 16; +ac_val = s->ac_val[0][s->block_index[n]]; ac_val2 = ac_val; scale = mquant * 2 + v->halfpq; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
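Review bot: The same replacement `ac_val = s->ac_val[0][s->block_index[n]];` appears in all three hunks (vc1_decode_i_block, vc1_decode_i_block_adv, vc1_decode_intra_block), each followed by the identical `ac_val2 = ac_val;` sequence; a small `static av_always_inline` helper returning the pointer for `n` would keep the three copies from diverging again. The new form is clearer than the `[0][0] + idx * 16` arithmetic, but the `ac_val -= 16` that follows still steps back one 16-element row, so a comment like `/* one row of 16 coefficients per block */` at the decrement would make the layout explicit. All three functions start and end outside their hunks.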
[FFmpeg-cvslog] avcodec/mlpdec: Only change noise_type if the related fields are valid
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu May 17 13:58:46 2018 +0200| [3d4e0858d68bce81f25bbab4ac912d971175daaf] | committer: Michael Niedermayer avcodec/mlpdec: Only change noise_type if the related fields are valid Fixes: inconsistency Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]' Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3d4e0858d68bce81f25bbab4ac912d971175daaf --- libavcodec/mlpdec.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index b339d1189e..b8b78b88e3 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -474,7 +474,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, uint8_t checksum; uint8_t lossless_check; int start_count = get_bits_count(gbp); -int min_channel, max_channel, max_matrix_channel; +int min_channel, max_channel, max_matrix_channel, noise_type; const int std_max_matrix_channel = m->avctx->codec_id == AV_CODEC_ID_MLP ? MAX_MATRIX_CHANNEL_MLP : MAX_MATRIX_CHANNEL_TRUEHD; @@ -487,9 +487,9 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, return AVERROR_INVALIDDATA; } -s->noise_type = get_bits1(gbp); +noise_type = get_bits1(gbp); -if (m->avctx->codec_id == AV_CODEC_ID_MLP && s->noise_type) { +if (m->avctx->codec_id == AV_CODEC_ID_MLP && noise_type) { av_log(m->avctx, AV_LOG_ERROR, "MLP must have 0x31ea sync word.\n"); return AVERROR_INVALIDDATA; } 
@@ -515,7 +515,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, /* This should happen for TrueHD streams with >6 channels and MLP's noise * type. It is not yet known if this is allowed. */ -if (max_channel > MAX_MATRIX_CHANNEL_MLP && !s->noise_type) { +if (max_channel > MAX_MATRIX_CHANNEL_MLP && !noise_type) { avpriv_request_sample(m->avctx, "%d channels (more than the " "maximum supported by the decoder)", @@ -532,6 +532,7 @@ static int read_restart_header(MLPDecodeContext *m, GetBitContext *gbp, s->min_channel= min_channel; s->max_channel= max_channel; s->max_matrix_channel = max_matrix_channel; +s->noise_type = noise_type; #if FF_API_REQUEST_CHANNELS FF_DISABLE_DEPRECATION_WARNINGS ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
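Review bot: `s->noise_type = noise_type;` now joins the other fields committed only after the header has been validated, but nothing at the assignment site says so; a comment above the block, `/* commit the parsed header fields only now that all checks have passed */`, would keep future additions on the same pattern. Any reader of `s->noise_type` between the `get_bits1` in the first hunk (previous line) and this point now sees the previous restart header's value rather than the new one, which is intended here but worth stating. read_restart_header starts and ends outside the hunks.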
[FFmpeg-cvslog] avcodec/flac_parser: Fix infinite loop
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 30 22:20:28 2018 +0200| [8e3918f1db50544b5f2255c41323de6cf6258e81] | committer: Michael Niedermayer avcodec/flac_parser: Fix infinite loop Fixes: crbug/827204 Reported-by: Frank Liberato Reviewed-by: Frank Liberato Signed-off-by: Michael Niedermayer (cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8e3918f1db50544b5f2255c41323de6cf6258e81 --- libavcodec/flac_parser.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 6df531b7b3..00181f279a 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -686,12 +686,17 @@ static int flac_parse(AVCodecParserContext *s, AVCodecContext *avctx, } for (curr = fpc->headers; curr; curr = curr->next) { -if (curr->max_score > 0 && -(!fpc->best_header || curr->max_score > fpc->best_header->max_score)) { +if (!fpc->best_header || curr->max_score > fpc->best_header->max_score) { fpc->best_header = curr; } } +if (fpc->best_header && fpc->best_header->max_score <= 0) { +// Only accept a bad header if there is no other option to continue +if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS) +fpc->best_header = NULL; +} + if (fpc->best_header) { fpc->best_header_valid = 1; if (fpc->best_header->offset > 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
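Review bot: The new test `if (!buf_size || !buf || read_end != buf || fpc->nb_headers_buffered < FLAC_MIN_HEADERS)` decides when a header with non-positive score is discarded, but the one-line comment only says "no other option"; the four terms presumably stand for distinct situations (end of stream, no input, unconsumed data, too few buffered headers), and the comment should say which of them counts as having another option. The selection loop above it now picks the best header regardless of score, which is only correct because of this second step, so a note on the loop such as `/* highest score wins even if <= 0; filtered below */` would tie the two together. flac_parse continues outside the hunk.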
[FFmpeg-cvslog] avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon May 21 23:08:05 2018 +0200| [6bbef938839adc55e8e048bc9cc2e0fafe2064df] | committer: Michael Niedermayer avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header() Fixes truncation Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169 Fixes: ffmpeg_crash_2.avi Found-by: Thuan Pham , Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart Signed-off-by: Michael Niedermayer (cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6bbef938839adc55e8e048bc9cc2e0fafe2064df --- libavcodec/mpeg4videoenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videoenc.c b/libavcodec/mpeg4videoenc.c index b3ad4f9042..0cde63ba4e 100644 --- a/libavcodec/mpeg4videoenc.c +++ b/libavcodec/mpeg4videoenc.c @@ -910,7 +910,7 @@ void ff_set_mpeg4_time(MpegEncContext *s) static void mpeg4_encode_gop_header(MpegEncContext *s) { -int hours, minutes, seconds; +int64_t hours, minutes, seconds; int64_t time; put_bits(>pb, 16, 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
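Review bot: Widening `hours, minutes, seconds` to `int64_t` fixes the intermediate arithmetic, but those values are presumably passed to `put_bits` later in mpeg4_encode_gop_header (outside the hunk), whose value parameter is narrower, so an implicit narrowing conversion remains at each call; a comment at the declaration, `/* 64-bit: derived from the int64_t time below, narrowed only at put_bits after range reduction */`, would record why. If `time` itself can be negative, the `/` and `%` splits into h/m/s would yield negative fields; whether that is excluded earlier is not visible here.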
[FFmpeg-cvslog] avcodec/dsicinvideo: Propagate errors from cin_decode_rle()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 16 22:28:23 2018 +0200| [a868e804d92fbc973c585c5e56e7e382004ce538] | committer: Michael Niedermayer avcodec/dsicinvideo: Propagate errors from cin_decode_rle() Signed-off-by: Michael Niedermayer (cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a868e804d92fbc973c585c5e56e7e382004ce538 --- libavcodec/dsicinvideo.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index f95cbc74a0..add7afa383 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c 
@@ -226,27 +226,35 @@ static int cinvideo_decode_frame(AVCodecContext *avctx, * surface.width = surface.pitch */ switch (bitmap_frame_type) { case 9: -cin_decode_rle(buf, bitmap_frame_size, +res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; break; case 34: -cin_decode_rle(buf, bitmap_frame_size, +res = cin_decode_rle(buf, bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; case 35: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); -cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, +res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; break; case 36: bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size, cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size); -cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, +res = cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size, cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); +if (res < 0) +return res; cin_apply_delta_data(cin->bitmap_table[CIN_PRE_BMP], cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size); break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
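Review bot: In the `case 35` and `case 36` branches the value returned by cin_decode_huffman() is assigned to `bitmap_frame_size` and passed straight to cin_decode_rle() as its source size, without the `res < 0` treatment the new code gives the RLE call. If cin_decode_huffman() can only return a byte count that is fine, but a one-line comment saying so would explain the asymmetry, e.g. `/* cin_decode_huffman() returns the decoded length, never an error code */`; if it can fail, its result needs the same check. `res` is not declared within the hunk, so it presumably already exists in cinvideo_decode_frame(), whose body continues on both sides of this hunk.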
[FFmpeg-cvslog] avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri May 25 22:06:48 2018 +0200| [4c2bb473d3f9a04bf3eafeb64b93c745ae44db6a] | committer: Michael Niedermayer avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed() Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int' Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4c2bb473d3f9a04bf3eafeb64b93c745ae44db6a --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index a37ed2aaa1..e0a54fffb4 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -384,7 +384,7 @@ static void apply_dependent_coupling_fixed(AACContext *ac, for (k = offsets[i]; k < offsets[i + 1]; k++) { tmp = (int)(((int64_t)src[group * 128 + k] * c + \ (int64_t)0x10) >> 37); -dest[group * 128 + k] += (tmp + round) >> shift; +dest[group * 128 + k] += (tmp + (int64_t)round) >> shift; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
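Review bot: The cast makes `tmp + round` a 64-bit addition, but the shifted result is then accumulated into `dest[group * 128 + k]` with a plain `+=`, which is arithmetic on the destination's (presumably int) type and is not covered by this change. Whether `shift` bounds the addend enough that this accumulation cannot overflow is not visible in the hunk; a short comment stating that bound would close the gap, e.g. `/* after >> shift the addend fits int; the += relies on that */`. The enclosing loop nest of apply_dependent_coupling_fixed() starts outside the hunk.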
[FFmpeg-cvslog] avformat/mov: Only fail for STCO/STSC contradictions if both exist
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue May 15 17:07:00 2018 +0200| [854835966b33ce70ea61d0701b0e88b7700438fd] | committer: Michael Niedermayer avformat/mov: Only fail for STCO/STSC contradictions if both exist Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a See: crbug 822666 Found-by: "Mattias Wadman Signed-off-by: Michael Niedermayer (cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=854835966b33ce70ea61d0701b0e88b7700438fd --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index a6eb773021..5a2ab732d3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -3026,7 +3026,7 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } -if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { +if (sc->chunk_count && sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", st->index); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
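Review bot: The new `sc->chunk_count &&` guard deliberately skips the STSC-vs-STCO comparison when no chunk offsets were read, but the line gives no hint why that is legitimate rather than another corruption, so the next reader may "fix" it back. A comment above the condition would preserve the intent from the commit message, e.g. `/* STCO may be absent (chunk_count == 0); only a present STCO can contradict STSC */`. Whether the code that later consumes `stsc_data[].first` tolerates chunk_count == 0 with a non-empty STSC is outside this hunk and cannot be confirmed here.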
[FFmpeg-cvslog] avcodec/dfa: Check dimension against maximum
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 16 22:04:53 2018 +0200| [79cc326baba5ed80e752d9d03f110e7d3a15354b] | committer: Michael Niedermayer avcodec/dfa: Check dimension against maximum The headers from where the dimensions are read in actual files are limited to 16bit per component. Fixes: Timeout Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79cc326baba5ed80e752d9d03f110e7d3a15354b --- libavcodec/dfa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c index 8067ac94e5..b8500a4995 100644 --- a/libavcodec/dfa.c +++ b/libavcodec/dfa.c @@ -41,7 +41,7 @@ static av_cold int dfa_decode_init(AVCodecContext *avctx) avctx->pix_fmt = AV_PIX_FMT_PAL8; -if (!avctx->width || !avctx->height) +if (!avctx->width || !avctx->height || FFMAX(avctx->width, avctx->height) >= (1<<16)) return AVERROR_INVALIDDATA; av_assert0(av_image_check_size(avctx->width, avctx->height, 0, avctx) >= 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
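Review bot: `(1<<16)` is a magic limit whose justification lives only in the commit message (the file headers store each dimension in 16 bits), so the reason belongs next to the check. Either a comment, `/* DFA headers store each dimension in 16 bits, so larger values cannot come from a valid stream */`, or a named constant in the file would do. dfa_decode_init() continues outside the hunk, so whether the limit is also relied on by the later allocation sizes cannot be seen here.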
[FFmpeg-cvslog] avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri May 4 19:11:36 2018 +0200| [4e9e1ab815c525471bf51f31e05a708bd6c74a82] | committer: Michael Niedermayer avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done Fixes: assertion failure Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4e9e1ab815c525471bf51f31e05a708bd6c74a82 --- libavcodec/jpeg2000dec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 9c2aae6d75..1fc0006674 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1124,6 +1124,9 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; +if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) +continue; + for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { uint8_t reducedresno = codsty->nreslevels - 1 -reslevelno; // ==> N_L - r Jpeg2000ResLevel *rlevel = comp->reslevel + reslevelno; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
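Review bot: The new guard uses `>`, yet the loop on the next line runs from RSpoc while `reslevelno < FFMIN(codsty->nreslevels, REpoc)`, so when RSpoc equals that bound the loop body still executes zero times and the code after it (outside this hunk) runs with `step_x`/`step_y` left at 32. If that later code is what the skipped initialisation protects, `if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue;` would cover the empty-range case too; if the equal case is handled elsewhere, a comment saying so would stop the next reader from asking the same question. The enclosing CPRL branch of jpeg2000_decode_packets_po_iteration() extends beyond the hunk.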
[FFmpeg-cvslog] avcodec/utils: Enforce minimum width also for VP5/6
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Apr 11 19:50:52 2018 +0200| [9af1e014f788a9c8700c4415130475f27a35e3db] | committer: Michael Niedermayer avcodec/utils: Enforce minimum width also for VP5/6 Fixes: out of array access Fixes: poc_0411 Found-by: GwanYeong Kim Tested-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9af1e014f788a9c8700c4415130475f27a35e3db --- libavcodec/utils.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 6f54f530a1..1f3768dc0f 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -420,7 +420,10 @@ void avcodec_align_dimensions2(AVCodecContext *s, int *width, int *height, *width = FFALIGN(*width, w_align); *height = FFALIGN(*height, h_align); -if (s->codec_id == AV_CODEC_ID_H264 || s->lowres) { +if (s->codec_id == AV_CODEC_ID_H264 || s->lowres || +s->codec_id == AV_CODEC_ID_VP5 || s->codec_id == AV_CODEC_ID_VP6 || +s->codec_id == AV_CODEC_ID_VP6F || s->codec_id == AV_CODEC_ID_VP6A +) { // some of the optimized chroma MC reads one line too much // which is also done in mpeg decoders with lowres > 0 *height += 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
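Review bot: The VP5/VP6 codec ids are added to the H264/lowres branch, but the comment inside it still explains only the chroma MC and lowres cases, so a reader cannot tell why the VP codecs need the two extra lines. Extending the comment keeps the reasoning with the code, e.g. `// VP5/6 can likewise read one line past the frame`, phrased according to the VP decoders' actual read pattern, which is only inferred here from the commit message. Style-wise, the closing `)` on a line of its own is unusual for this file; folding it onto the last condition line would match the surrounding code.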
[FFmpeg-cvslog] avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 16 22:29:09 2018 +0200| [c7329c733cb3dc2350a2df430feb55c37209f95b] | committer: Michael Niedermayer avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame Fixes: Timeout Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c7329c733cb3dc2350a2df430feb55c37209f95b --- libavcodec/dsicinvideo.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/dsicinvideo.c b/libavcodec/dsicinvideo.c index add7afa383..aa080417d2 100644 --- a/libavcodec/dsicinvideo.c +++ b/libavcodec/dsicinvideo.c @@ -158,6 +158,9 @@ static int cin_decode_lzss(const unsigned char *src, int src_size, } } +if (dst_end - dst > dst_size - dst_size/10) +return AVERROR_INVALIDDATA; + return 0; } @@ -184,6 +187,10 @@ static int cin_decode_rle(const unsigned char *src, int src_size, } dst += len; } + +if (dst_end - dst > dst_size - dst_size/10) +return AVERROR_INVALIDDATA; + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
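Review bot: The same `dst_end - dst > dst_size - dst_size/10` rejection is added at the end of both cin_decode_lzss() and cin_decode_rle() (both hunks on this line) with no explanation, and the 10% figure is a tuning choice rather than a format rule. A shared helper such as `static int cin_check_decoded_size(const unsigned char *dst, const unsigned char *dst_end, int dst_size)` would keep the two copies from drifting; at minimum each needs `/* a valid frame fills almost the whole bitmap; reject output that leaves more than 10% undecoded */`. `dst_end - dst` is a ptrdiff_t compared with an int expression, which is fine here but worth a glance if dst_size ever becomes unsigned. Both functions' bodies start outside the hunks.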
[FFmpeg-cvslog] avcodec/cinepak: Skip empty frames
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Apr 17 02:13:43 2018 +0200| [bd7231cad119894d79c4f05c2e5471caee66d197] | committer: Michael Niedermayer avcodec/cinepak: Skip empty frames Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bd7231cad119894d79c4f05c2e5471caee66d197 --- libavcodec/cinepak.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 908c248ef0..9060e31fb1 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -444,6 +444,7 @@ static int cinepak_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int ret = 0, buf_size = avpkt->size; CinepakContext *s = avctx->priv_data; +int num_strips; s->data = buf; s->size = buf_size; @@ -451,6 +452,12 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; +num_strips = AV_RB16 (>data[8]); + +//Empty frame, do not waste time +if (!num_strips && (!s->palette_video || !av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL))) +return buf_size; + if ((ret = cinepak_predecode_check(s)) < 0) { av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
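Review bot: The early return for `!num_strips` is only taken when no palette update accompanies the packet, and that second half of the condition is the non-obvious part, yet the comment says only "Empty frame, do not waste time". Spelling it out keeps the reasoning with the code, e.g. `// No strips and no palette change: nothing would alter the output, so skip the decode entirely`, adjusted if a palette-only packet is meant to still produce a frame. The `num_strips = AV_RB16(...)` read is now done here as well as in cinepak_predecode_check() and cinepak_decode(); storing the count once in the context would avoid the triple parse. The remainder of cinepak_decode_frame() lies outside the hunk.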
[FFmpeg-cvslog] indeo4: Decode all or nothing of a band header.
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu May 17 13:40:38 2018 +0200| [931f83773119649a975ddeea727950fbc36810a3] | committer: Michael Niedermayer indeo4: Decode all or nothing of a band header. This avoids inconsistent value combinations. Alternatively it would be possible to add more checks and careful use of temporary variables, but my try of this quickly seemed to become a rather large change. The disadvantage of this, is that the struct is copied back and forth. Fixes: index 6 out of bounds for type 'const uint16_t [5][16]' Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 10c8521265da86118597336c5589e26de377a374) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=931f83773119649a975ddeea727950fbc36810a3 --- libavcodec/indeo4.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c index 1bf402551b..13fc42ecde 100644 --- a/libavcodec/indeo4.c +++ b/libavcodec/indeo4.c @@ -269,12 +269,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) * @param[in] avctx pointer to the AVCodecContext * @returnresult code: 0 = OK, negative number = error */ -static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, +static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band, AVCodecContext *avctx) { int plane, band_num, indx, transform_id, scan_indx; int i; int quant_mat; +IVIBandDesc temp_band, *band = _band; +memcpy(_band, arg_band, sizeof(temp_band)); plane= get_bits(>gb, 2); band_num = get_bits(>gb, 4); 
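Review bot: `memcpy(&temp_band, arg_band, sizeof(temp_band))` is a plain struct copy, so `IVIBandDesc temp_band = *arg_band; IVIBandDesc *band = &temp_band;` says the same thing without a size argument to keep in sync; the write-back `memcpy(arg_band, band, sizeof(*arg_band))` in the last hunk on the next line can likewise be `*arg_band = *band;`. A one-line comment where the temporary is introduced would also state the contract, e.g. `/* decode into a local copy; it is written back to *arg_band only on success */`. The hunk ends inside decode_band_hdr(), whose body continues on the next line.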
@@ -408,10 +410,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, /* decode block huffman codebook */ if (!get_bits1(>gb)) -band->blk_vlc.tab = ctx->blk_vlc.tab; +arg_band->blk_vlc.tab = ctx->blk_vlc.tab; else if (ff_ivi_dec_huff_desc(>gb, 1, IVI_BLK_HUFF, - >blk_vlc, avctx)) + _band->blk_vlc, avctx)) return AVERROR_INVALIDDATA; /* select appropriate rvmap table for this band */ @@ -452,6 +454,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band, return AVERROR_INVALIDDATA; } +band->blk_vlc = arg_band->blk_vlc; +memcpy(arg_band, band, sizeof(*arg_band)); + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
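Review bot: The all-or-nothing contract has one exception that the code leaves unexplained: `blk_vlc` is decoded straight into `arg_band` (both `arg_band->blk_vlc.tab = ctx->blk_vlc.tab` and `&arg_band->blk_vlc` passed to ff_ivi_dec_huff_desc()) and only copied into the temporary before the final write-back, so on an error return the caller's band may already hold a new blk_vlc while every other field is untouched. If that is intended — presumably so any table ff_ivi_dec_huff_desc() allocates stays owned by the caller's struct and is freed with it — a comment at the write-back should say so, e.g. `/* blk_vlc was decoded into arg_band directly so its allocation stays with the caller; copy it into the temp before writing everything back */`. The error returns between these hunks are outside the visible lines.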
[FFmpeg-cvslog] avcodec/truemotion2: Propagate out of bounds error from GET_TOK()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Apr 10 22:24:03 2018 +0200| [6186bfad387042f36a6fbf7c38dafaeec6cc774a] | committer: Michael Niedermayer avcodec/truemotion2: Propagate out of bounds error from GET_TOK() Fixes: Timeout Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6186bfad387042f36a6fbf7c38dafaeec6cc774a --- libavcodec/truemotion2.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index b77df57baa..dbcef42462 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -63,6 +63,7 @@ typedef struct TM2Context { AVFrame *pic; GetBitContext gb; +int error; BswapDSPContext bdsp; uint8_t *buffer; @@ -390,6 +391,7 @@ static inline int GET_TOK(TM2Context *ctx,int type) { if (ctx->tok_ptrs[type] >= ctx->tok_lens[type]) { av_log(ctx->avctx, AV_LOG_ERROR, "Read token from stream %i out of bounds (%i>=%i)\n", type, ctx->tok_ptrs[type], ctx->tok_lens[type]); +ctx->error = 1; return 0; } if (type <= TM2_MOT) { @@ -801,6 +803,8 @@ static int tm2_decode_blocks(TM2Context *ctx, AVFrame *p) default: av_log(ctx->avctx, AV_LOG_ERROR, "Skipping unknown block type %i\n", type); } +if (ctx->error) +return AVERROR_INVALIDDATA; } } @@ -881,6 +885,8 @@ static int decode_frame(AVCodecContext *avctx, int offset = TM2_HEADER_SIZE; int i, t, ret; +l->error = 0; + av_fast_padded_malloc(>buffer, >buffer_size, buf_size); if (!l->buffer) { av_log(avctx, AV_LOG_ERROR, "Cannot allocate temporary buffer\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
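Review bot: The new `int error;` member of TM2Context carries no comment, and its protocol is spread over three places: set in GET_TOK() on an out-of-bounds token, tested after each block in tm2_decode_blocks(), cleared at the start of decode_frame(). Documenting it at the declaration keeps that in one place, e.g. `int error; ///< set by GET_TOK() on an out-of-range token read; cleared per frame in decode_frame(), checked after each block`. Since GET_TOK() returns 0 after setting the flag, the rest of the current block still runs on zero tokens before the check fires; that looks harmless but is worth a word in the same comment.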
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri May 4 19:18:25 2018 +0200| [c10babcadc341b8bec6b16572e4373ae571af7e7] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case Fixes: shift exponent 47 is too large for 32-bit type 'int' Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c10babcadc341b8bec6b16572e4373ae571af7e7 --- libavcodec/jpeg2000dec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1fc0006674..bbb873bb15 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1146,10 +1146,10 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 int xc = x / s->cdx[compno]; int yc = y / s->cdy[compno]; -if (yc % (1 << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check +if (yc % (1LL << (rlevel->log2_prec_height + reducedresno)) && y != tile->coord[1][0]) //FIXME this is a subset of the check continue; -if (xc % (1 << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check +if (xc % (1LL << (rlevel->log2_prec_width + reducedresno)) && x != tile->coord[0][0]) //FIXME this is a subset of the check continue; // check if a precinct exists ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
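Review bot: Moving to `1LL` only helps while `rlevel->log2_prec_height + reducedresno` (and the width counterpart) stays below 64; the hunk gives no bound for either operand, so the safety of the new shifts rests on limits enforced elsewhere in the parser. A comment recording that bound next to the shifts would let a reader verify it without tracing the header parsing, e.g. `// shift count is bounded by the parser's limits on log2_prec_* and nreslevels (TODO: state them), so 64 bits suffice`. The same FIXME on both lines predates this change and still applies; the enclosing loop starts outside the hunk.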
[FFmpeg-cvslog] avcodec/fic: Check available input space for cursor
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat May 5 22:00:01 2018 +0200| [888bdb127b545731148d7f678f69c863a55889a8] | committer: Michael Niedermayer avcodec/fic: Check available input space for cursor Fixes: out of array read Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=888bdb127b545731148d7f678f69c863a55889a8 --- libavcodec/fic.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 6940cb6231..7bfb998a55 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -334,6 +334,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } +if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { +skip_cursor = 1; +} + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
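Review bot: The new size check silently turns the cursor off for a packet shorter than `CURSOR_OFFSET + sizeof(ctx->cursor_buf)`, which is the right defensive choice but gives no diagnostic, so truncated input is indistinguishable from a stream without a cursor. Adding `av_log(avctx, AV_LOG_WARNING, "Packet too small for cursor data, skipping cursor\n");` inside the new block would make it observable. The comparison also mixes an int `avpkt->size` with a size_t right-hand side; harmless for non-negative packet sizes, but an explicit cast avoids a sign-compare warning. fic_decode_frame() continues on both sides of the hunk.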
[FFmpeg-cvslog] avcodec/ffv1enc: Check that the crc + version combination is supported
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Apr 21 22:19:31 2018 +0200| [8eee712737c2aa2f643998e752f480ad42bb0612] | committer: Michael Niedermayer avcodec/ffv1enc: Check that the crc + version combination is supported The crc flag is only stored since version 3 thus before this crcs do not work. We increase the version as needed same as we do with pix_fmts Signed-off-by: Michael Niedermayer (cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8eee712737c2aa2f643998e752f480ad42bb0612 --- libavcodec/ffv1enc.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c index 3b425d68ed..b27c3a1328 100644 --- a/libavcodec/ffv1enc.c +++ b/libavcodec/ffv1enc.c @@ -690,6 +690,10 @@ static av_cold int encode_init(AVCodecContext *avctx) s->ec = (s->version >= 3); } +// CRC requires version 3+ +if (s->ec) +s->version = FFMAX(s->version, 3); + if ((s->version == 2 || s->version>3) && avctx->strict_std_compliance > FF_COMPLIANCE_EXPERIMENTAL) { av_log(avctx, AV_LOG_ERROR, "Version 2 needed for requested features but version 2 is experimental and not enabled\n"); return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
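Review bot: `s->version = FFMAX(s->version, 3)` silently overrides a version the user requested explicitly whenever `ec` is on, and the only trace is the `// CRC requires version 3+` comment. Logging the promotion, e.g. `av_log(avctx, AV_LOG_VERBOSE, "CRC requested, raising version to 3\n");` in the same block, would make an unexpected version in the output diagnosable. Given the preceding `s->ec = (s->version >= 3);` (context), the bump is a no-op when ec was derived from the version and only an explicit ec option reaches it; a word about that in the comment would help. The experimental-version check that follows then sees the raised version, which looks intended.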
[FFmpeg-cvslog] avcodec/cinepak: move some checks prior to frame allocation
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Apr 17 02:13:42 2018 +0200| [173e04ee85a8de7475eecb486e27adefc01847d3] | committer: Michael Niedermayer avcodec/cinepak: move some checks prior to frame allocation Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232 Fixes: Timeout Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=173e04ee85a8de7475eecb486e27adefc01847d3 --- libavcodec/cinepak.c | 27 ++- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c index 7a7466204a..908c248ef0 100644 --- a/libavcodec/cinepak.c +++ b/libavcodec/cinepak.c @@ -315,14 +315,11 @@ static int cinepak_decode_strip (CinepakContext *s, return AVERROR_INVALIDDATA; } -static int cinepak_decode (CinepakContext *s) +static int cinepak_predecode_check (CinepakContext *s) { -const uint8_t *eod = (s->data + s->size); -int i, result, strip_size, frame_flags, num_strips; -int y0 = 0; +int num_strips; int encoded_buf_size; -frame_flags = s->data[0]; num_strips = AV_RB16 (>data[8]); encoded_buf_size = AV_RB24(>data[1]); @@ -353,6 +350,21 @@ static int cinepak_decode (CinepakContext *s) s->sega_film_skip_bytes = 0; } +if (s->size < 10 + s->sega_film_skip_bytes + num_strips * 12) +return AVERROR_INVALIDDATA; + +return 0; +} + +static int cinepak_decode (CinepakContext *s) +{ +const uint8_t *eod = (s->data + s->size); +int i, result, strip_size, frame_flags, num_strips; +int y0 = 0; + +frame_flags = s->data[0]; +num_strips = AV_RB16 (>data[8]); + s->data += 10 + s->sega_film_skip_bytes; num_strips = FFMIN(num_strips, MAX_STRIPS); 
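Review bot: cinepak_predecode_check() validates `s->size` against `10 + s->sega_film_skip_bytes + num_strips * 12` using the raw 16-bit strip count, while cinepak_decode() re-reads the same header bytes and then clamps with `FFMIN(num_strips, MAX_STRIPS)`; the check is therefore stricter than what is decoded, and the header is parsed twice. Storing the count in the context inside the check and reading it in cinepak_decode() would remove the duplicate parse and make the relationship between check and clamp explicit; if rejecting streams that declare more than MAX_STRIPS strips but carry too little data for them is intended, a comment on the size test should say so. Both functions continue beyond this hunk.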
@@ -439,6 +451,11 @@ static int cinepak_decode_frame(AVCodecContext *avctx, if (s->size < 10) return AVERROR_INVALIDDATA; +if ((ret = cinepak_predecode_check(s)) < 0) { +av_log(avctx, AV_LOG_ERROR, "cinepak_predecode_check failed\n"); +return ret; +} + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
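Review bot: The new cinepak_predecode_check() call reads header bytes 1..3 and 8..9, so it depends on the `if (s->size < 10) return AVERROR_INVALIDDATA;` immediately above it staying first; nothing says so, and a later refactor could reorder them. A comment on the call would pin the dependency, e.g. `/* needs the 10-byte header check above: predecode_check reads data[1..9] */`. The log message `"cinepak_predecode_check failed\n"` does not say which condition failed; if that matters for debugging, an av_log next to each return inside the check gives a more useful message. cinepak_decode_frame() continues outside the hunk.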
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon May 14 00:10:33 2018 +0200| [a89f074d895324af8b7da911a1727197684b40cb] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0 Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a89f074d895324af8b7da911a1727197684b40cb --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 0744c5797c..d0495cd5e7 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -90,10 +90,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ -(int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) +(int)(((unsigned)(b2) + ((int)(9U*b1 + 9U*b3 - b4 - b0 + 8) >> 4))) #define COMPOSE_DD137iL0(b0, b1, b2, b3, b4)\ -(int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) +(int)(((unsigned)(b2) - ((int)(9U*b1 + 9U*b3 - b4 - b0 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ ((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
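Review bot: The reordering avoids negating `b0` as an int, but the macros now rely on the whole sum being evaluated in unsigned arithmetic (via the `9U` terms) and on the `(int)` cast converting an out-of-range unsigned value back, which is implementation-defined rather than undefined; none of that is written down, and the old `-b0` form is exactly what a tidying pass would reintroduce. A comment above the two macros would protect the change, e.g. `/* evaluated in unsigned so intermediate sums wrap; b0 is subtracted rather than negated because -INT_MIN is UB; the (int) cast relies on two's-complement conversion like the other COMPOSE_* macros */`. The `>> 4` / `>> 5` on a possibly negative int is likewise implementation-defined and deserves a mention in the same comment.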
[FFmpeg-cvslog] avcodec/error_resilience: Fix integer overflow in filter181()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Apr 22 21:46:05 2018 +0200| [9a7a3b22625e361097579fc4183e1c1167c7ac5c] | committer: Michael Niedermayer avcodec/error_resilience: Fix integer overflow in filter181() Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a7a3b22625e361097579fc4183e1c1167c7ac5c --- libavcodec/error_resilience.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5a75faddf5..6bea0bf6ea 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; -dc = (dc * 10923 + 32768) >> 16; +dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, int stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; -dc = (dc * 10923 + 32768) >> 16; +dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
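Review bot: The clip bounds `INT_MIN/10923` and `INT_MAX/10923 - 32768` are arithmetic a reader has to re-derive, and they appear identically in both hunks of filter181(); a named constant pair or a small `static inline int filter181_scale(int dc)` helper would keep the two in step and give the expression a name. Whichever is chosen, a comment should state what the bounds guarantee, e.g. `/* clip so dc * 10923 + 32768 cannot overflow int; the >> 16 result then fits the int16_t data[] */` — the int16_t part is inferred from `data`'s type in the hunk header and should be confirmed. Clamping changes the output for inputs beyond the bound, which is acceptable for corrupt input but worth a word as well.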
[FFmpeg-cvslog] avcodec/g2meet: Change order of operations to avoid undefined behavior
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri May 4 18:16:08 2018 +0200| [02f4e846d2883871a2bb19175875f58e1d700cc2] | committer: Michael Niedermayer avcodec/g2meet: Change order of operations to avoid undefined behavior Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int' Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02f4e846d2883871a2bb19175875f58e1d700cc2 --- libavcodec/g2meet.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index f22daa72ee..14dd05babc 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -1355,14 +1355,16 @@ static void g2m_paint_cursor(G2MContext *c, uint8_t *dst, int stride) } else { dst+= x * 3; } -if (y < 0) { + +if (y < 0) h += y; +if (w < 0 || h < 0) +return; +if (y < 0) { cursor += -y * c->cursor_stride; } else { dst+= y * stride; } -if (w < 0 || h < 0) -return; for (j = 0; j < h; j++) { for (i = 0; i < w; i++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
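Review bot: The early `return` for `w < 0 || h < 0` now precedes `cursor += -y * c->cursor_stride`, which is the actual fix (with h already negative the product could overflow), but nothing explains why the order matters, so a tidy-up could move the check back. `/* check after clipping but before adjusting cursor/dst: with h < 0, -y * cursor_stride may overflow */` on the return would pin it. The x-direction clipping just above (`dst += x * 3` is visible, the `x < 0` branch is not) appears to adjust pointers before this same check; whether a negative w can produce an equivalent overflow there is worth confirming, as the hunk does not show it. g2m_paint_cursor() continues outside the hunk.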
[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Apr 27 21:44:07 2018 +0200| [f20c62538b03bd211360c8501c4e13c227266e33] | committer: Michael Niedermayer avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED() Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int' Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20c62538b03bd211360c8501c4e13c227266e33 --- libavcodec/wavpack.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.h b/libavcodec/wavpack.h index c71006112a..7fd366a73b 100644 --- a/libavcodec/wavpack.h +++ b/libavcodec/wavpack.h @@ -99,8 +99,8 @@ typedef struct WvChannel { // macros for manipulating median values #define GET_MED(n) ((c->median[n] >> 4) + 1) -#define DEC_MED(n) c->median[n] -= ((c->median[n] + (128 >> (n)) - 2) / (128 >> (n))) * 2 -#define INC_MED(n) c->median[n] += ((c->median[n] + (128 >> (n))) / (128 >> (n))) * 5 +#define DEC_MED(n) c->median[n] -= ((int)(c->median[n] + (128U >> (n)) - 2) / (128 >> (n))) * 2U +#define INC_MED(n) c->median[n] += ((int)(c->median[n] + (128U >> (n))) / (128 >> (n))) * 5U // macros for applying weight #define UPDATE_WEIGHT_CLIP(weight, delta, samples, in) \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
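Review bot: The rewritten DEC_MED/INC_MED macros now add in unsigned (`128U >> (n)`), cast back to int for a signed division, and then multiply by `2U`/`5U` so the value applied to `c->median[n]` is unsigned again; each step is deliberate but none is explained, and the mix of `128U` and `128` on the same line reads like a typo. A comment above the pair, e.g. `/* additions in unsigned so they wrap instead of overflowing; the (int) cast keeps the division signed as before; the trailing *2U/*5U makes the compound assignment wrap on extreme values */`, would stop the next reader from "normalising" it. The macros also evaluate `n` three times, so they remain constant-argument-only; that predates the change but belongs in the same comment.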
[FFmpeg-cvslog] avcodec/h263dec: Check slice_ret in mspeg4 slice loop
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Apr 22 21:07:45 2018 +0200| [1f057b23c70c249a7432dd493f7fd3c9104aae9f] | committer: Michael Niedermayer avcodec/h263dec: Check slice_ret in mspeg4 slice loop Fixes infinite loop Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000 Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1f057b23c70c249a7432dd493f7fd3c9104aae9f --- libavcodec/h263dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index c85ea9d6cd..0b91e5d266 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -637,7 +637,7 @@ retry: slice_ret = decode_slice(s); while (s->mb_y < s->mb_height) { if (s->msmpeg4_version) { -if (s->slice_height == 0 || s->mb_x != 0 || +if (s->slice_height == 0 || s->mb_x != 0 || slice_ret < 0 || (s->mb_y % s->slice_height) != 0 || get_bits_left(>gb) < 0) break; } else { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
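Review bot: `slice_ret < 0` is added to the break condition of the msmpeg4 branch only; the `else` branch of the same `while (s->mb_y < s->mb_height)` loop is cut off by the hunk, so whether a failed decode_slice() can also leave mb_y unadvanced and spin there cannot be judged from these lines. A comment on the new test would record why the loop needs it, e.g. `/* a failed slice may not advance mb_y, so stop rather than re-decode it forever */`. The loop body and the decode_slice() call that updates slice_ret lie outside the hunk.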
[FFmpeg-cvslog] avcodec/elsdec: Fix memleaks
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Apr 25 01:54:17 2018 +0200| [6f68d2ca0b04731eed95aa4993fdee1f68359702] | committer: Michael Niedermayer avcodec/elsdec: Fix memleaks Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6f68d2ca0b04731eed95aa4993fdee1f68359702 --- libavcodec/elsdec.c | 8 +++- libavcodec/g2meet.c | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/libavcodec/elsdec.c b/libavcodec/elsdec.c index 4797965457..cb0e9c6534 100644 --- a/libavcodec/elsdec.c +++ b/libavcodec/elsdec.c @@ -271,7 +271,7 @@ void ff_els_decoder_init(ElsDecCtx *ctx, const uint8_t *in, size_t data_size) void ff_els_decoder_uninit(ElsUnsignedRung *rung) { -av_free(rung->rem_rung_list); +av_freep(>rem_rung_list); } static int els_import_byte(ElsDecCtx *ctx) @@ -391,12 +391,10 @@ unsigned ff_els_decode_unsigned(ElsDecCtx *ctx, ElsUnsignedRung *ur) if (ur->rung_list_size <= (ur->avail_index + 2) * sizeof(ElsRungNode)) { // remember rung_node position ptrdiff_t pos = rung_node - ur->rem_rung_list; -ur->rem_rung_list = av_realloc(ur->rem_rung_list, +ctx->err = av_reallocp(>rem_rung_list, ur->rung_list_size + RUNG_SPACE); -if (!ur->rem_rung_list) { -av_free(ur->rem_rung_list); -ctx->err = AVERROR(ENOMEM); +if (ctx->err < 0) { return 0; } memset((uint8_t *) ur->rem_rung_list + ur->rung_list_size, 0, diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 7d052224c9..f22daa72ee 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c 
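Review bot: In ff_els_decode_unsigned() the av_reallocp() failure path now leaves `ur->rem_rung_list` NULL (av_reallocp frees and clears the pointer on failure) but keeps `ur->rung_list_size` and `ur->avail_index` at their old values, so a later call that does not first check `ctx->err` would compute rung-node offsets into a NULL list. Resetting the bookkeeping alongside, `ur->rung_list_size = 0;` in the `if (ctx->err < 0)` block, keeps the state self-consistent; `pos`, computed from the old pointer just before the call, must not be used after the failure, which the immediate `return 0` already ensures. The av_freep() change in ff_els_decoder_uninit() (first hunk on this line) makes that function safe to call twice, which the g2meet.c hunk that follows presumably relies on.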
@@ -926,6 +926,7 @@ static int epic_jb_decode_tile(G2MContext *c, int tile_x, int tile_y, if (c->ec.els_ctx.err != 0) { av_log(avctx, AV_LOG_ERROR, "ePIC: couldn't decode transparency pixel!\n"); +ff_els_decoder_uninit(>ec.unsigned_rung); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
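Review bot: The added `ff_els_decoder_uninit(&c->ec.unsigned_rung)` covers only the transparency-pixel error return; epic_jb_decode_tile starts and ends outside the hunk, so other error returns in that function taken after the rung list has been grown may still leak it. If there are several such returns, a single cleanup label (`goto fail;` with the uninit call before the final return) is less fragile than repeating the call at each site. A comment on the `+` line, `/* the ELS rung list is grown lazily while decoding; release it on every error exit */`, would also record why the call sits here.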
[FFmpeg-cvslog] lavc/libopusdec: Allow avcodec_open2 to call .close
ffmpeg | branch: release/2.8 | Matt Wolenetz | Tue Apr 10 13:59:25 2018 -0700| [54bde32f37fd69c556c1c65047f9d27c2a6da229] | committer: Michael Niedermayer lavc/libopusdec: Allow avcodec_open2 to call .close If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations. BUG=828526 Signed-off-by: Michael Niedermayer (cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54bde32f37fd69c556c1c65047f9d27c2a6da229 --- libavcodec/libopusdec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index 7a198c46a0..4b8167d394 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -125,7 +125,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; -opus_multistream_decoder_destroy(opus->dec); +if (opus->dec) { +opus_multistream_decoder_destroy(opus->dec); +opus->dec = NULL; +} return 0; } @@ -199,6 +202,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, +.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts= (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
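Review bot: With `FF_CODEC_CAP_INIT_CLEANUP` set, libopus_decode_close now runs on a partially initialised context, and the hunk only guards `opus->dec`; any other resource released in libopus_decode_close (its remaining body is not in the hunk) must likewise tolerate a zeroed field. A comment on the new guard, `/* close() may run after a failed init(): dec can still be NULL; NULL it after destroy so close is idempotent */`, ties the two halves of the change together so the next reader knows why the NULL check and the `opus->dec = NULL` both exist.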
[FFmpeg-cvslog] avcodec/cscd: Error out when LZ* decompression fails
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Mar 12 00:05:04 2018 +0100| [704bebc91fa573dd770e49b805e1a9d7f68fea6f] | committer: Michael Niedermayer avcodec/cscd: Error out when LZ* decompression fails Fixes: Timeout Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=704bebc91fa573dd770e49b805e1a9d7f68fea6f --- libavcodec/cscd.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 278093fdb3..8cb193de56 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; -if (av_lzo1x_decode(c->decomp_buf, , [2], )) +if (av_lzo1x_decode(c->decomp_buf, , [2], )) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); +return AVERROR_INVALIDDATA; +} break; } case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; -if (uncompress(c->decomp_buf, , [2], buf_size - 2) != Z_OK) +if (uncompress(c->decomp_buf, , [2], buf_size - 2) != Z_OK) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); +return AVERROR_INVALIDDATA; +} break; #else av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
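Review bot: Both new early returns are fine, but the `#else` branch for a build without zlib (last visible line) only logs "compiled without zlib support" and, as far as the hunk shows, falls through to the same `break` that a failed decompression used to reach, so a frame would then be built from whatever `c->decomp_buf` holds; unless it already returns below the hunk, it should `return AVERROR(ENOSYS);` after the log. Also `av_lzo1x_decode` returns a mask of condition flags rather than a single error code, so the `if (...)` treats every flag, including a merely short input, as fatal; if that is intended, `/* any lzo flag (error, input depleted, output full) is fatal here */` makes it explicit. decode_frame continues outside the hunk.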
[FFmpeg-cvslog] doc/APIchanges: Fix typos in hashes
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Apr 16 18:23:12 2018 +0200| [f337adcd28de23aa551e8c0ffc3cde73fdd4c80f] | committer: Michael Niedermayer doc/APIchanges: Fix typos in hashes Thanks-to: Moritz Barsnick for finding the correct ones Signed-off-by: Michael Niedermayer (cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f337adcd28de23aa551e8c0ffc3cde73fdd4c80f --- doc/APIchanges | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/APIchanges b/doc/APIchanges index 459fa5bc54..2dba53320f 100644 --- a/doc/APIchanges +++ b/doc/APIchanges @@ -232,7 +232,7 @@ API changes, most recent first: Add av_opt_get_dict_val/set_dict_val with AV_OPT_TYPE_DICT to support dictionary types being set as options. -2014-08-13 - afbd4b8 - lavf 56.01.0 - avformat.h +2014-08-13 - afbd4b7e09 - lavf 56.01.0 - avformat.h Add AVFormatContext.event_flags and AVStream.event_flags for signaling to the user when events happen in the file/stream. @@ -249,7 +249,7 @@ API changes, most recent first: 2014-08-08 - 5c3c671 - lavf 55.53.100 - avio.h Add avio_feof() and deprecate url_feof(). -2014-08-07 - bb78903 - lsws 2.1.3 - swscale.h +2014-08-07 - bb789016d4 - lsws 2.1.3 - swscale.h sws_getContext is not going to be removed in the future. 2014-08-07 - a561662 / ad1ee5f - lavc 55.73.101 / 55.57.3 - avcodec.h ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Apr 10 16:12:15 2018 +0200| [23dcc9ff7c37e8da1808802be66de89d70b06599] | committer: Michael Niedermayer avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23dcc9ff7c37e8da1808802be66de89d70b06599 --- libavcodec/mjpegdec.c | 4 libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index befbb0a25a..2e101225b6 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -306,6 +306,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx)) return AVERROR_INVALIDDATA; +if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) +return AVERROR_INVALIDDATA; nb_components = get_bits(>gb, 8); if (nb_components <= 0 || @@ -2044,6 +2046,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; +s->buf_size = buf_size; + av_dict_free(>exif_metadata); av_freep(>stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index fb811294a1..6781c7c03a 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; +int buf_size; int start_code; /* current start code */ int buffer_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
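Review bot: The new context field `buf_size` sits two lines above the existing `buffer_size` field in MJpegDecodeContext and the two mean different things (length of the packet being decoded vs. an internal buffer), so a more distinct name such as `pkt_size`, or at least `int buf_size; /* size of the packet passed to ff_mjpeg_decode_frame(); 0 when SOF is parsed outside it */`, would prevent the two being mixed up. The bound `(width+7)/8 * ((height+7)/8) > s->buf_size * 4LL` also encodes an undocumented assumption (at most four 8x8 blocks per input byte); a comment stating that, and that the `s->buf_size &&` guard exists for callers that reach ff_mjpeg_decode_sof without going through ff_mjpeg_decode_frame, would make the heuristic reviewable. Both enclosing functions continue outside their hunks.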
[FFmpeg-cvslog] avformat/utils: Check cur_dts in update_initial_timestamps() more
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Apr 13 11:38:48 2018 +0200| [25ecdac8beca8978ff09da97dbd5e1bda9675253] | committer: Michael Niedermayer avformat/utils: Check cur_dts in update_initial_timestamps() more Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long' Fixes: crbug 831552 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=25ecdac8beca8978ff09da97dbd5e1bda9675253 --- libavformat/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/utils.c b/libavformat/utils.c index a658eb22c0..33a4aade64 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -894,6 +894,7 @@ static void update_initial_timestamps(AVFormatContext *s, int stream_index, if (st->first_dts != AV_NOPTS_VALUE || dts == AV_NOPTS_VALUE || st->cur_dts == AV_NOPTS_VALUE || +st->cur_dts < INT_MIN + RELATIVE_TS_BASE || is_relative(dts)) return; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
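Review bot: The new guard compares an int64_t timestamp against `INT_MIN + RELATIVE_TS_BASE`, i.e. it uses the 32-bit INT_MIN rather than INT64_MIN, so it returns early for far more values than those for which the subtraction the commit message's overflow refers to (presumably `st->cur_dts - RELATIVE_TS_BASE`, outside the hunk) could actually overflow. If the intent is to keep that difference within int range, say so on the line: `/* keep cur_dts - RELATIVE_TS_BASE within int range, not merely free of int64 overflow */`; if only the overflow matters, `INT64_MIN + RELATIVE_TS_BASE` is the precise limit. update_initial_timestamps continues outside the hunk.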
[FFmpeg-cvslog] avcodec/movtextdec: Check style_start/end
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Apr 8 03:29:44 2018 +0200| [07cd51f10e96a4b9208d3aa99caea1068f89041b] | committer: Michael Niedermayer avcodec/movtextdec: Check style_start/end Limits based on 3GPP TS 26.245 V14.0.0 Fixes: Timeout Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Philip Langdale Signed-off-by: Michael Niedermayer (cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=07cd51f10e96a4b9208d3aa99caea1068f89041b --- libavcodec/movtextdec.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index 2f3ef7d02e..7d3dfae469 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -298,6 +298,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + +if ( m->s_temp->style_end < m->s_temp->style_start +|| (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { +av_freep(>s_temp); +mov_text_cleanup(m); +return AVERROR(ENOMEM); +} + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
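Review bot: The new range check returns `AVERROR(ENOMEM)` for a malformed style record, which misreports a data error as an allocation failure to callers and in logs; it should be `return AVERROR_INVALIDDATA;`. The cleanup before it (`av_freep` of `s_temp`, then `mov_text_cleanup(m)`) reads like it was copied from an allocation-failure path, so it is worth confirming that `mov_text_cleanup` does not also release `s_temp` in some state, which would double free. decode_styl continues outside the hunk.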
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Apr 7 21:55:06 2018 +0200| [01f124da7f797eb62c71ce5e655f81a4867bcbfe] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1 Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01f124da7f797eb62c71ce5e655f81a4867bcbfe --- libavcodec/aacsbr_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 44c899a7f1..2addbafb5f 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -574,7 +574,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; -int *out = [i][kx][idx]; +unsigned *out = [i][kx][idx]; int shift; unsigned round; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
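Review bot: Reinterpreting `Y1[i][kx][idx]` through an `unsigned *` is done so the later accumulations wrap instead of overflowing, but nothing at the declaration says so; a comment such as `/* unsigned: the fixed-point accumulations below may wrap by design */` stops a later cleanup from reverting it to `int *`. The same undocumented intent appears in the `unsigned int *dest = target->ret;` change in aacdec_fixed and in the `(unsigned)` casts on both `block->u.mv[i][...]` lines in diracdec later in this digest. Accessing an int object through a pointer to its unsigned variant is permitted by the aliasing rules, so the change itself is sound. sbr_hf_assemble's body continues outside the hunk.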
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Mar 31 21:19:19 2018 +0200| [d3d5382dadcd1b6dbc09da02d9958f027e38] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() I was not able to reproduce this, this fix is based on just the fuzzer log. Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3d5382dadcd1b6dbc09da02d9958f027e38 --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 539f9eefbc..a37ed2aaa1 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -416,7 +416,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; -int *dest = target->ret; +unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
ffmpeg | branch: release/2.8 | Hendrik Schreiber | Thu Apr 5 13:58:37 2018 +0200| [fe4e35e202d36e51e0a638827e810a2d5a9ec812] | committer: Michael Niedermayer swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone. Signed-off-by: Hendrik Schreiber Signed-off-by: Michael Niedermayer (cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fe4e35e202d36e51e0a638827e810a2d5a9ec812 --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 8e238998e9..47d4f0dd0b 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -667,7 +667,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) -s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); +s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
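Review bot: The removed `+ len1` in the dither-noise pointer is explained in the commit message only as "no logical explanation", but the hunk itself suggests the reason: `off` is already added to the per-channel data pointers for the tail after `len1` samples, so adding `len1` again appears to have moved the noise pointer by a second, unscaled sample count and past the noise buffer. A comment on the changed line, `/* off already covers the first len1 samples; the noise pointer must advance by the same byte offset as the data pointers */`, records that so the term is not reintroduced. The surrounding if/else and swr_convert_internal continue outside the hunk.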
[FFmpeg-cvslog] avcodec/bintext: sanity check dimensions
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Feb 26 21:17:08 2018 +0100| [6d3f8992acc9de0af0bfae5a8844c87747d92ad0] | committer: Michael Niedermayer avcodec/bintext: sanity check dimensions Fixes: Timeout Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d3f8992acc9de0af0bfae5a8844c87747d92ad0 --- libavcodec/bintext.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index 90bbe67b59..d967317671 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -35,6 +35,8 @@ #include "bintext.h" #include "internal.h" +#define FONT_WIDTH 8 + typedef struct XbinContext { AVFrame *frame; int palette[16]; @@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx) break; } } +if (avctx->width < FONT_WIDTH || avctx->height < s->font_height) +return AVERROR_INVALIDDATA; + s->frame = av_frame_alloc(); if (!s->frame) @@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx) } } -#define FONT_WIDTH 8 - /** * Draw character to screen */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
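Review bot: The new check `avctx->width < FONT_WIDTH || avctx->height < s->font_height` rejects a frame smaller than one glyph but says nothing about dimensions that are not multiples of the glyph size; if the drawing code (outside the hunk) steps in whole FONT_WIDTH x font_height cells, a partial last cell is only safe if that code clips. A short comment, `/* need room for at least one glyph */`, would record the purpose of the check, and the move of `FONT_WIDTH` to the top of the file is what makes it usable here. decode_init continues outside the hunk.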
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in mv computation
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Feb 18 21:51:38 2018 +0100| [84bf347ff054a928e69debb3d84b7c4f9d1a832e] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow in mv computation Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int' Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=84bf347ff054a928e69debb3d84b7c4f9d1a832e --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index fb54312c49..9801eb2c85 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1224,8 +1224,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock global_mv(s, block, x, y, i); } else { pred_mv(block, stride, x, y, i); -block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); -block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); +block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); +block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Mar 29 01:07:24 2018 +0200| [e1aec9bb8d80e4e88225a527da5c8c3b32301f4f] | committer: Michael Niedermayer avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables Found-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1aec9bb8d80e4e88225a527da5c8c3b32301f4f --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 675251a836..3004be3f9c 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -35,6 +35,7 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/wmalosslessdec: Reset num_saved_bits on error path
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Mar 11 00:13:57 2018 +0100| [1c0914e4f34edb02a242d58d3929fdd07a59f211] | committer: Michael Niedermayer avcodec/wmalosslessdec: Reset num_saved_bits on error path Fixes: NULL pointer dereference Fixes: poc-201803.wav Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1c0914e4f34edb02a242d58d3929fdd07a59f211 --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 601ea3c93a..7e2d5da4bf 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1129,6 +1129,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > MAX_FRAMESIZE) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; +s->num_saved_bits = 0; return; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
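Review bot: The added `s->num_saved_bits = 0;` discards partially saved bits on the error path; a comment on that line, `/* drop the partial frame: with packet_loss set the saved bits must not be replayed */`, says why it belongs next to `packet_loss = 1`. The log text on the context line above, "Too small input buffer", also fires for `buflen > MAX_FRAMESIZE`, i.e. a too-large buffer, so the message is misleading for half the cases it covers. save_bits continues outside the hunk.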
[FFmpeg-cvslog] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Mar 8 17:28:36 2018 +0100| [7d915afd23aabe58c0d8fe260960263d7665703a] | committer: Michael Niedermayer avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE Fixes: Chromium bug 795653 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7d915afd23aabe58c0d8fe260960263d7665703a --- libavformat/oggparsetheora.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index e92d4c5170..9adc19710d 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c @@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; +int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { @@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } -os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; +pts = theora_gptopts(s, idx, os->granule, NULL); +if (pts != AV_NOPTS_VALUE) +pts -= duration; +os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
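Review bot: `os->lastpts` can now legitimately be AV_NOPTS_VALUE, and the unchanged lines right after assign it to `start_time` when `start_time == AV_NOPTS_VALUE` and then enter `if (s->streams[idx]->duration)`; assigning NOPTS to NOPTS is harmless, but whatever that branch does with `start_time` (it runs past the hunk) now has to cope with the sentinel. Guarding the block as `if (pts != AV_NOPTS_VALUE && s->streams[idx]->start_time == AV_NOPTS_VALUE)` keeps the sentinel out of any arithmetic there. theora_packet continues outside the hunk.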
[FFmpeg-cvslog] avformat/mov: Fix integer overflows related to sample_duration
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Mar 9 16:43:29 2018 +0100| [5770793dec3af51a513174c87aad95b44a7e00e0] | committer: Michael Niedermayer avformat/mov: Fix integer overflows related to sample_duration Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5770793dec3af51a513174c87aad95b44a7e00e0 --- libavformat/mov.c | 20 +++- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4ed4af3923..39ad697f53 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2454,14 +2454,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; -duration+=(int64_t)sample_duration*sample_count; +duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; -sc->duration_for_fps += duration; -sc->nb_frames_for_fps += total_sample_count; +if (duration > 0 && +duration <= INT64_MAX - sc->duration_for_fps && +total_sample_count <= INT64_MAX - sc->nb_frames_for_fps +) { +sc->duration_for_fps += duration; +sc->nb_frames_for_fps += total_sample_count; +} if (pb->eof_reached) return AVERROR_EOF; 
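Review bot: `(int64_t)sample_duration*(uint64_t)sample_count` silences the sanitizer by making the product unsigned, but the result is then added to the signed `duration` and converted back; if `sample_duration` can be negative (its declaration is outside the hunk), a wrapped value reaches the new `duration > 0` test, which only filters the results that end up non-positive. A comment on the multiply, `/* unsigned multiply: wraps instead of overflowing; the duration > 0 check below drops nonsense totals */`, and ideally a range check on `sample_duration` before it, would make the intent verifiable. `total_sample_count += sample_count` stays unguarded, and the same INT64_MAX guard pattern is repeated in mov_read_trun in the next hunk. mov_read_stts continues outside the hunk.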
@@ -3562,8 +3567,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; -sc->duration_for_fps += sample_duration; -sc->nb_frames_for_fps ++; + +if (sample_duration <= INT64_MAX - sc->duration_for_fps && +1 <= INT64_MAX - sc->nb_frames_for_fps +) { +sc->duration_for_fps += sample_duration; +sc->nb_frames_for_fps ++; +} } if (pb->eof_reached) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
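Review bot: `1 <= INT64_MAX - sc->nb_frames_for_fps` is an unusual way to write `sc->nb_frames_for_fps < INT64_MAX`; the direct form reads better and matches what a reader expects next to the `sample_duration` guard. The guard also only prevents overflow upward: if `sample_duration` (declared outside the hunk) can be negative, `duration_for_fps` can still run off toward INT64_MIN, so `sample_duration >= 0 &&` may belong in the condition. mov_read_trun continues outside the hunk.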
[FFmpeg-cvslog] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
ffmpeg | branch: release/2.8 | heimdallr | Sat Mar 31 19:37:23 2018 +0700| [eb8654610927dc3dcacf777b0a8bd52ce6c02431] | committer: Michael Niedermayer avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() example: AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA }; int loss = 0; AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, ); best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better. Signed-off-by: Michael Niedermayer (cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eb8654610927dc3dcacf777b0a8bd52ce6c02431 --- libavcodec/imgconvert.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 39cf58a2d2..0abe6cdf48 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -81,10 +81,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; +int loss; -for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) -best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); +for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { +loss = *loss_ptr; +best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, ); +} +*loss_ptr = loss; return best; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
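Review bot: `int loss;` is left uninitialised and `*loss_ptr = loss;` runs unconditionally, so an empty `pix_fmt_list` (loop body never executes) stores an indeterminate value, which is undefined behaviour. The loop also dereferences `loss_ptr` on every iteration and writes through it at the end, whereas the old code merely passed the pointer on to avcodec_find_best_pix_fmt_of_2, so a caller passing NULL for `loss_ptr` (whether the callee accepts NULL is outside the hunk) would now crash. Reading the input mask once, scoring every candidate against a per-iteration copy, passing NULL through unchanged, and writing back only when a pointer was given fixes both; the rewritten body follows, and the function's signature is the context line above the hunk.
```c
    int i;
    enum AVPixelFormat best = AV_PIX_FMT_NONE;
    int loss_in  = loss_ptr ? *loss_ptr : 0;  /* mask the caller supplied */
    int loss_out = loss_in;                   /* left unchanged when pix_fmt_list is empty */

    for (i = 0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) {
        loss_out = loss_in;                   /* every candidate is scored against the same input mask */
        best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha,
                                              loss_ptr ? &loss_out : NULL);
    }

    if (loss_ptr)
        *loss_ptr = loss_out;
    return best;
```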
[FFmpeg-cvslog] avformat/mov: Check STSC and remove invalid entries
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Mar 16 19:53:36 2018 +0100| [17f626528a2913fa5b449cdad70f3796f2deacf2] | committer: Michael Niedermayer avformat/mov: Check STSC and remove invalid entries Fixes assertion failure Fixes: crbug 822547, crbug 822666 and crbug 823009 Affects: aark15sd_9A62E2FA.mp4 Found-by: ClusterFuzz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=17f626528a2913fa5b449cdad70f3796f2deacf2 --- libavformat/mov.c | 20 1 file changed, 20 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 39ad697f53..a6eb773021 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2228,6 +2228,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; +for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { +if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || +(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || +sc->stsc_data[i].first < 1 || +sc->stsc_data[i].count < 1 || +sc->stsc_data[i].id < 1) { +av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); +if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) +return AVERROR_INVALIDDATA; +// We replace this entry by the next valid +sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; +sc->stsc_data[i].count = sc->stsc_data[i+1].count; +sc->stsc_data[i].id= sc->stsc_data[i+1].id; +} +} if (pb->eof_reached) return AVERROR_EOF; 
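Review bot: The warning is logged with `%d` for `i` and the three `stsc_data` fields, while the loop's termination `i < UINT_MAX` after `i--` only works if `i` is unsigned; whichever of those values are unsigned should be printed with `%u`, otherwise `-Wformat` warns and large values print negative. The repair path silently replaces the bad entry with a copy of the next one (`first - 1`), but the message only says the entry "is invalid"; appending "replacing it with the next entry" to the av_log text would tell users their file was rewritten in memory. The backward walk is sound in that a replaced entry is re-checked against its predecessor on the following iteration. mov_read_stsc continues outside the hunk.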
@@ -3011,6 +3026,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom)
st->index);
return 0;
}
+if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) {
+av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n",
+ st->index);
+return AVERROR_INVALIDDATA;
+}
fix_timescale(c, sc);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
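Review bot: The new error message misspells its key word — `"stream %d, contradictionary STSC and STCO\n"` should read `"stream %d, contradictory STSC and STCO\n"`, since this string is what users and log parsers see. The check compares `first` of the last STSC entry with `sc->chunk_count`, which presumably comes from the STCO/CO64 atom parsed elsewhere; a one-line comment such as `/* the last STSC run must start inside the chunk list from STCO */` would record why a mismatch is a hard error rather than a warning. mov_read_trak continues outside the hunk.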
[FFmpeg-cvslog] avcodec/cavsdec: Check alpha/beta offset
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Feb 20 23:11:01 2018 +0100| [d81e0f925a94a3d4f2a1c85447dc1d938e1e4fe5] | committer: Michael Niedermayer avcodec/cavsdec: Check alpha/beta offset Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d81e0f925a94a3d4f2a1c85447dc1d938e1e4fe5
---
libavcodec/cavsdec.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 3aec0dd5e5..289ed1b242 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -1068,6 +1068,11 @@ static int decode_pic(AVSContext *h)
if (!h->loop_filter_disable && get_bits1(>gb)) {
h->alpha_offset= get_se_golomb(>gb);
h->beta_offset = get_se_golomb(>gb);
+if ( h->alpha_offset < -64 || h->alpha_offset > 64
+|| h-> beta_offset < -64 || h-> beta_offset > 64) {
+h->alpha_offset = h->beta_offset = 0;
+return AVERROR_INVALIDDATA;
+}
} else {
h->alpha_offset = h->beta_offset = 0;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
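Review bot: The bound `64` appears four times with nothing saying where it comes from; if I recall correctly the AVS spec allows a much narrower offset range (around ±8), so `64` is presumably chosen to keep the later `qp + offset` table index in range rather than to enforce the spec — a named constant or a comment such as `/* keeps qp +/- offset inside the alpha/beta table range */` (with the real reason confirmed against the loop filter) would make the check auditable. The spacing `h-> beta_offset` and `if ( h->alpha_offset` also differs from the surrounding lines; `if (h->alpha_offset < -64 || h->alpha_offset > 64 ||` / `h->beta_offset < -64 || h->beta_offset > 64) {` reads cleaner. decode_pic continues outside the hunk.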
[FFmpeg-cvslog] avformat/oggparseogm: Fix undefined shift in ogm_packet()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Mar 8 23:14:04 2018 +0100| [31783dc5fe00335f82df16ba37f83a9b9751c004] | committer: Michael Niedermayer avformat/oggparseogm: Fix undefined shift in ogm_packet() Fixes: shift exponent 48 is too large for 32-bit type 'int' Fixes: Chromium bug 786793 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31783dc5fe00335f82df16ba37f83a9b9751c004
---
libavformat/oggparseogm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index ae8c3c850c..f03dedaf2c 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -174,7 +174,7 @@ ogm_packet(AVFormatContext *s, int idx)
os->psize -= lb + 1;
while (lb--)
-os->pduration += p[lb+1] << (lb*8);
+os->pduration += (uint64_t)p[lb+1] << (lb*8);
return 0;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/utils: Fix integer overflow of fps_first/last_dts
ffmpeg | branch: release/2.8 | Michael Niedermayer | Wed Mar 7 00:10:11 2018 +0100| [4bcfe9f19c8edf469158e0da6ef8d6e3ba6eec28] | committer: Michael Niedermayer avformat/utils: Fix integer overflow of fps_first/last_dts Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long' Fixes: Chromium bug 796778 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4bcfe9f19c8edf469158e0da6ef8d6e3ba6eec28
---
libavformat/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2f68cf35f0..a658eb22c0 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -3326,7 +3326,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
if (st->info->fps_last_dts != AV_NOPTS_VALUE &&
st->info->fps_last_dts_idx > st->info->fps_first_dts_idx &&
(pkt->dts - st->info->fps_last_dts) / 1000 >
-(st->info->fps_last_dts - st->info->fps_first_dts) /
+(st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) /
(st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) {
av_log(ic, AV_LOG_WARNING,
"DTS discontinuity in stream %d: packet %d with DTS "
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
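Review bot: Casting only `fps_first_dts` to `uint64_t` makes the whole right-hand side unsigned, so the comparison with `(pkt->dts - st->info->fps_last_dts) / 1000` is now done in unsigned arithmetic and a negative left-hand side (DTS going backwards) converts to a huge value and trips the warning where it previously did not; if that is intended it deserves a comment such as `/* unsigned on purpose: avoids signed overflow on wild DTS values; a backwards step also warns */`. The left-hand subtraction `pkt->dts - st->info->fps_last_dts` is still signed and can overflow exactly as the commit message describes for the other side; `(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000` would make both halves consistent, at the cost of the division also becoming unsigned. The enclosing avformat_find_stream_info continues on both sides of the hunk.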
[FFmpeg-cvslog] avformat/oggparseogm: Check lb against psize
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Mar 9 01:05:20 2018 +0100| [6b51dc9223460b40b14c2c61187b135fb690ebb7] | committer: Michael Niedermayer avformat/oggparseogm: Check lb against psize No testcase, this was found during code review Found-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6b51dc9223460b40b14c2c61187b135fb690ebb7
---
libavformat/oggparseogm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index f03dedaf2c..573fb99dd0 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -170,6 +170,9 @@ ogm_packet(AVFormatContext *s, int idx)
os->pflags |= AV_PKT_FLAG_KEY;
lb = ((*p & 2) << 1) | ((*p >> 6) & 3);
+if (os->psize < lb + 1)
+return AVERROR_INVALIDDATA;
+
os->pstart += lb + 1;
os->psize -= lb + 1;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
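Review bot: The new `if (os->psize < lb + 1)` bounds the `lb` length bytes that the loop after the hunk reads through `p[lb+1]`, but nothing in the code says so; `/* flags byte plus lb length bytes must fit inside the packet */` above it would make the bound self-explanatory. `lb` is derived from `*p` before this check runs, so the flags byte itself relies on an earlier `psize >= 1` guarantee outside the hunk — worth confirming and naming in the same comment. ogm_packet continues outside the hunk.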
[FFmpeg-cvslog] avcodec/diracdec: Use int64 in global mv to prevent overflow
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Feb 17 23:54:44 2018 +0100| [299b981382725c1befb56c8f324ce067783220d6] | committer: Michael Niedermayer avcodec/diracdec: Use int64 in global mv to prevent overflow Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int' Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=299b981382725c1befb56c8f324ce067783220d6 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 7c7a31e830..fb54312c49 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1186,8 +1186,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/avidec: Fix integer overflow in cum_len check
ffmpeg | branch: release/2.8 | Michael Niedermayer | Thu Mar 8 22:40:50 2018 +0100| [3b5645a72928e3eab7594205bab2d8aed8c114e8] | committer: Michael Niedermayer avformat/avidec: Fix integer overflow in cum_len check Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long' Fixes: Chromium bug 791237 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b5645a72928e3eab7594205bab2d8aed8c114e8
---
libavformat/avidec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 223ddd0530..81a43632bb 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -665,7 +665,7 @@ static int avi_read_header(AVFormatContext *s)
st->start_time = 0;
avio_rl32(pb); /* buffer size */
avio_rl32(pb); /* quality */
-if (ast->cum_len*ast->scale/ast->rate > 3600) {
+if (ast->cum_len > 3600LL * ast->rate / ast->scale) {
av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n");
ast->cum_len = 0;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
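Review bot: The rewritten bound divides by `ast->scale`, so it now depends on `scale` having been forced non-zero earlier in avi_read_header (outside the hunk; the rate/scale sanitisation presumably does this — confirm), and a comment would protect the line from being reordered above that point: `/* scale is non-zero here (sanitised above); 3600LL keeps the product in 64 bits */`. The rearrangement also moves the integer division to the other side, so `cum_len*scale/rate > 3600` and `cum_len > 3600*rate/scale` disagree at the boundary when `3600*rate` is not a multiple of `scale`; harmless for a sanity limit, but worth a word so nobody files it as a regression.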
[FFmpeg-cvslog] libavformat/oggparsevorbis: Fix memleak on multiple headers
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Mar 6 18:14:12 2018 +0100| [5279e865961f6eb7bf05c46c6c59835000f5bd50] | committer: Michael Niedermayer libavformat/oggparsevorbis: Fix memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5279e865961f6eb7bf05c46c6c59835000f5bd50
---
libavformat/oggparsevorbis.c | 4
1 file changed, 4 insertions(+)
diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c
index 59e7b75522..5ca3b9eeeb 100644
--- a/libavformat/oggparsevorbis.c
+++ b/libavformat/oggparsevorbis.c
@@ -228,6 +228,10 @@ static int fixup_vorbis_headers(AVFormatContext *as,
len = priv->len[0] + priv->len[1] + priv->len[2];
buf_len = len + len / 255 + 64;
+
+if (*buf)
+return AVERROR_INVALIDDATA;
+
ptr = *buf = av_realloc(NULL, buf_len);
if (!ptr)
return AVERROR(ENOMEM);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
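Review bot: Returning `AVERROR_INVALIDDATA` when `*buf` is already set closes the leak by refusing a second header set instead of freeing and rebuilding, which is a policy decision the code should state; `/* headers were already assembled once; a repeated set would leak this buffer, treat it as corrupt */` above the check would do. If a caller can legitimately reset `*buf` between header groups (outside the hunk), the comment should also say who owns and frees the buffer so the check is not mistaken for a missing `av_free`. fixup_vorbis_headers continues outside the hunk.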
[FFmpeg-cvslog] avcodec/smc: Check input packet size
ffmpeg | branch: release/2.8 | Michael Niedermayer | Fri Feb 23 03:40:02 2018 +0100| [11d0464565d1cac24c57ad7c6822fc9db046a057] | committer: Michael Niedermayer avcodec/smc: Check input packet size Fixes: Timeout Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11d0464565d1cac24c57ad7c6822fc9db046a057
---
libavcodec/smc.c | 4
1 file changed, 4 insertions(+)
diff --git a/libavcodec/smc.c b/libavcodec/smc.c
index 18174fa57e..66de691e2c 100644
--- a/libavcodec/smc.c
+++ b/libavcodec/smc.c
@@ -437,6 +437,10 @@ static int smc_decode_frame(AVCodecContext *avctx,
SmcContext *s = avctx->priv_data;
const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, NULL);
int ret;
+int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4);
+
+if (total_blocks / 1024 > avpkt->size)
+return AVERROR_INVALIDDATA;
bytestream2_init(>gb, buf, buf_size);
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
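Review bot: The divisor in `if (total_blocks / 1024 > avpkt->size)` encodes an assumption about how many 4x4 blocks one input byte can at most describe, and nothing on the page states it; a comment such as `/* no SMC opcode expands a single byte to anywhere near 1024 blocks, so smaller packets cannot cover the frame */` — with the real per-opcode maximum if known — would let a reader check the bound instead of trusting it. The product `((width + 3) / 4) * ((height + 3) / 4)` is `int` arithmetic and is only safe because frame dimensions are capped elsewhere (av_image_check_size, presumably), which is worth a word on the same line. smc_decode_frame continues outside the hunk.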
[FFmpeg-cvslog] avcodec/utvideodec: Check subsample factors
ffmpeg | branch: release/2.8 | Michael Niedermayer | Mon Feb 26 03:02:48 2018 +0100| [e724bd1dd9efea3abb8586d6644ec07694afceae] | committer: Michael Niedermayer avcodec/utvideodec: Check subsample factors Fixes: Out of array read Fixes: heap_poc Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e724bd1dd9efea3abb8586d6644ec07694afceae --- libavcodec/utvideodec.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 760d9e5a7f..160528e007 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -28,6 +28,7 @@ #include #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -474,6 +475,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; +int h_shift, v_shift; c->avctx = avctx; @@ -538,6 +540,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } +av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, _shift, _shift); +if ((avctx->width & ((1
[FFmpeg-cvslog] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Feb 27 15:17:12 2018 +0100| [ff587292238c4f35036c5208492f34a546bcc6c7] | committer: Michael Niedermayer avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ff587292238c4f35036c5208492f34a546bcc6c7
---
libavcodec/nuv.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index f3270cb19d..1dfa399630 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -158,6 +158,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
int orig_size = buf_size;
int keyframe, ret;
int size_change = 0;
+int minsize = 0;
int result, init_frame = !avctx->frame_number;
enum {
NUV_UNCOMPRESSED = '0',
@@ -203,6 +204,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
keyframe = 1;
break;
}
+switch (comptype) {
+case NUV_UNCOMPRESSED:
+minsize = c->width * c->height * 3 / 2;
+break;
+case NUV_RTJPEG:
+minsize = c->width/16 * (c->height/16) * 6;
+break;
+}
+if (buf_size < minsize / 4)
+return AVERROR_INVALIDDATA;
retry:
// skip rest of the frameheader.
buf = [12];
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
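Review bot: In the second hunk the `switch (comptype)` has no `default:` and the final `if (buf_size < minsize / 4)` uses an unexplained slack factor, so a reader is left guessing which compression types are deliberately exempt (the LZO-wrapped ones, presumably, whose input is legitimately smaller than the decoded size) and why a quarter of the nominal size is the threshold. `default: /* LZO-compressed variants: input may be far smaller than the output */ break;` plus a comment on the `/ 4` would make the check reviewable. `c->width * c->height * 3 / 2` is `int` arithmetic and depends on dimension limits enforced elsewhere, which the same comment could name. decode_frame continues outside both hunks.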
[FFmpeg-cvslog] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Mar 25 01:51:28 2018 +0100| [367d459f78c1cecce1d1a8e5bbe6a8b908de3e2f] | committer: Michael Niedermayer avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() Fixes: 2018_03_23_poc.wav Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=367d459f78c1cecce1d1a8e5bbe6a8b908de3e2f
---
libavcodec/wmalosslessdec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 7e2d5da4bf..5d82f0e74c 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1238,7 +1238,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr,
(frame_size = show_bits(gb, s->log2_frame_size)) &&
frame_size <= remaining_bits(s, gb)) {
save_bits(s, gb, frame_size, 0);
-s->packet_done = !decode_frame(s);
+
+if (!s->packet_loss)
+s->packet_done = !decode_frame(s);
} else if (!s->len_prefix && s->num_saved_bits > get_bits_count(>gb)) {
/* when the frames do not have a length prefix, we don't know the
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
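Review bot: The guard `if (!s->packet_loss)` skips the decode but leaves `s->packet_done` at whatever it was, and the hunk gives no hint which state decode_frame() would dereference after a lost packet; a comment naming that state (`/* after packet loss the per-frame state decode_frame() relies on is not set up; skip until resynced */`, adjusted to the actual field, which is outside the hunk) would tie the line to the crash it prevents. Without it the next reader cannot tell whether `packet_done` is meant to stay stale or should be set explicitly here. decode_packet continues outside the hunk.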
[FFmpeg-cvslog] avcodec/get_bits: Make sure the input bitstream with padding can be addressed
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sat Mar 24 01:38:53 2018 +0100| [20e6a8dee8f82e38fc9c51ae7960fc01cf2fbea8] | committer: Michael Niedermayer avcodec/get_bits: Make sure the input bitstream with padding can be addressed Signed-off-by: Michael Niedermayer (cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=20e6a8dee8f82e38fc9c51ae7960fc01cf2fbea8
---
libavcodec/get_bits.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
index 72f8b5f29d..5a71795910 100644
--- a/libavcodec/get_bits.h
+++ b/libavcodec/get_bits.h
@@ -32,6 +32,7 @@
#include "libavutil/intreadwrite.h"
#include "libavutil/log.h"
#include "libavutil/avassert.h"
+#include "avcodec.h"
#include "mathops.h"
/*
@@ -417,7 +418,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
int buffer_size;
int ret = 0;
-if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) {
+if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) {
bit_size= 0;
buffer = NULL;
ret = AVERROR_INVALIDDATA;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
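Review bot: Including `avcodec.h` from `get_bits.h` pulls the whole public codec API into a low-level bit-reader header just to reach `AV_INPUT_BUFFER_PADDING_SIZE`; if that constant is available from a smaller header, or the check can be expressed in terms of a local constant, the dependency direction stays as it was. The widened condition in the second hunk also deserves a one-line explanation, since its purpose is not visible from the hunk: `/* bit_size plus the padding bytes (in bits) must stay addressable without int overflow */`. init_get_bits continues outside the hunk.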
[FFmpeg-cvslog] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
ffmpeg | branch: release/2.8 | Michael Niedermayer | Tue Feb 27 15:17:12 2018 +0100| [b4e66382c207a3fd1e5e1aee0882b367c65e18c8] | committer: Michael Niedermayer avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b4e66382c207a3fd1e5e1aee0882b367c65e18c8
---
libavcodec/nuv.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c
index 1dfa399630..5294167034 100644
--- a/libavcodec/nuv.c
+++ b/libavcodec/nuv.c
@@ -196,6 +196,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
case NUV_RTJPEG_IN_LZO:
case NUV_RTJPEG:
keyframe = !buf[2];
+if (c->width < 16 || c->height < 16) {
+return AVERROR_INVALIDDATA;
+}
break;
case NUV_COPY_LAST:
keyframe = 0;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
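Review bot: The rejection of frames smaller than 16 pixels sits inside the keyframe switch with no explanation, and the reason is only in the commit message; a comment above the check, `/* RTJPEG works on 16x16 blocks; anything smaller decodes to zero pixels */`, would keep that knowledge with the code. The constant `16` is also the block size used by the `c->width/16 * (c->height/16)` minimum-size estimate elsewhere in this function, so naming it once would tie the two checks together. decode_frame continues outside the hunk.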
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
ffmpeg | branch: release/2.8 | Michael Niedermayer | Sun Feb 18 00:11:33 2018 +0100| [36a1e9be5a1d16a6b006eccaa043ac7fd2ebce32] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=36a1e9be5a1d16a6b006eccaa043ac7fd2ebce32
---
libavcodec/jpeg2000dwt.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c
index 38a578af3d..5a72335d91 100644
--- a/libavcodec/jpeg2000dwt.c
+++ b/libavcodec/jpeg2000dwt.c
@@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t)
t[i] = (t[i] + ((1<>1)) >> I_PRESHIFT;
}
-static void sr_1d53(int *p, int i0, int i1)
+static void sr_1d53(unsigned *p, int i0, int i1)
{
int i;
if (i1 <= i0 + 1) {
if (i0 == 1)
-p[1] >>= 1;
+p[1] = (int)p[1] >> 1;
return;
}
extend53(p, i0, i1);
for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++)
-p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
+p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2;
for (i = (i0 >> 1); i < (i1 >> 1); i++)
-p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1;
+p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1;
}
static void dwt_decode53(DWTContext *s, int *t)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
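Review bot: Changing the parameter to `unsigned *p` while `dwt_decode53` still takes `int *t` (visible just below the hunk) means the call sites and `extend53(p, i0, i1)` now pass pointers of differing signedness unless they were updated too, which is outside the hunk; if they were not, this compiles only with incompatible-pointer warnings, and accessing `int` storage through `unsigned *` is permitted by the aliasing rules but should be stated. The `(int)` casts convert out-of-range unsigned values back to negatives, which is implementation-defined rather than undefined and matches FFmpeg's two's-complement assumption, but that intent belongs on the code: `/* sums are done unsigned to avoid UB on overflow; (int) recovers the signed value before the arithmetic shift */` above the first cast would cover all three changed lines.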