[FFmpeg-cvslog] lavu/avsscanf: Do not mix declaration and code.
ffmpeg | branch: master | Carl Eugen Hoyos | Sun Nov 18 03:51:42 2018 +0100| [529debc98776f94651cc927c2c27cc6de611697f] | committer: Carl Eugen Hoyos lavu/avsscanf: Do not mix declaration and code. Fixes the following warning: libavutil/avsscanf.c: In function 'decfloat': libavutil/avsscanf.c:354:9: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement] int bitlim = bits-3*(int)(rp-9); ^~~ > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=529debc98776f94651cc927c2c27cc6de611697f --- libavutil/avsscanf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c index 7c61b860ae..9b3685f34b 100644 --- a/libavutil/avsscanf.c +++ b/libavutil/avsscanf.c @@ -349,9 +349,10 @@ static double decfloat(FFFILE *f, int c, int bits, int emin, int sign, int pok) /* Optimize small to mid-size integers (even in exp. notation) */ if (lnz<9 && lnz<=rp && rp < 18) { +int bitlim; if (rp == 9) return sign * (double)x[0]; if (rp < 9) return sign * (double)x[0] / p10s[8-rp]; -int bitlim = bits-3*(int)(rp-9); +bitlim = bits-3*(int)(rp-9); if (bitlim>30 || x[0]>>bitlim==0) return sign * (double)x[0] * p10s[rp-10]; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/pngdec: Check compression method
ffmpeg | branch: release/3.2 | Michael Niedermayer | Fri Nov 9 03:12:45 2018 +0100| [de1d2ea6b20ac6c2a2bf23e67d07a86b87836386] | committer: Michael Niedermayer avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=de1d2ea6b20ac6c2a2bf23e67d07a86b87836386 --- libavcodec/pngdec.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 7f0d416683..10d0575f70 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -566,6 +566,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s, } s->color_type = bytestream2_get_byte(>gb); s->compression_type = bytestream2_get_byte(>gb); +if (s->compression_type) { +av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type); +goto error; +} s->filter_type = bytestream2_get_byte(>gb); s->interlace_type = bytestream2_get_byte(>gb); bytestream2_skip(>gb, 4); /* crc */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
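Review bot: The new guard rejects any non-zero compression_type, but the filter_type read on the very next line has the same property (the PNG specification defines only filter method 0) and is still accepted unchecked; the same `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }` shape would close that path too, unless the decoder validates it later. The `error` label and the rest of decode_ihdr_chunk lie outside the hunk, so I cannot confirm what cleanup runs on that path.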
[FFmpeg-cvslog] avcodec/msrle: Check that the input is large enough to contain a end of picture code
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Oct 21 14:40:14 2018 +0200| [e6f8f6a7eefd1fb29db17a86bba4434117eaab08] | committer: Michael Niedermayer avcodec/msrle: Check that the input is large enough to contain a end of picture code Fixes: Timeout Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 203ccb874699ce66beadd53b4631d217b9cd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6f8f6a7eefd1fb29db17a86bba4434117eaab08 --- libavcodec/msrle.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/msrle.c b/libavcodec/msrle.c index adb55b1302..1ab8a41985 100644 --- a/libavcodec/msrle.c +++ b/libavcodec/msrle.c @@ -95,6 +95,9 @@ static int msrle_decode_frame(AVCodecContext *avctx, s->buf = buf; s->size = buf_size; +if (buf_size < 2) //Minimally a end of picture code should be there +return AVERROR_INVALIDDATA; + if ((ret = ff_reget_buffer(avctx, s->frame)) < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
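Review bot: The comment on the new check, `//Minimally a end of picture code should be there`, could say what the constant 2 encodes, e.g. `// a frame must at least hold the 2-byte end-of-picture code`. The early return sits after `s->buf` and `s->size` were already assigned, which is harmless since the frame is rejected, but moving the check above those assignments would leave the context untouched on rejection. msrle_decode_frame starts and ends outside the hunk.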
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Oct 28 21:08:39 2018 +0100| [875a5d055b4ccbe9b9dabab2899ed425f73afcd3] | committer: Michael Niedermayer avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=875a5d055b4ccbe9b9dabab2899ed425f73afcd3 --- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c index a072851ecf..04400a44e7 100644 --- a/libavcodec/mpegaudio_parser.c +++ b/libavcodec/mpegaudio_parser.c @@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1, "MP3ADU full parser"); *poutbuf = NULL; *poutbuf_size = 0; -return 0; /* parsers must not return error codes */ +return buf_size; /* parsers must not return error codes */ } break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
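Review bot: Returning `buf_size` is the whole fix — it makes the parser consume the input it cannot handle so the caller makes progress — but the only comment kept, `/* parsers must not return error codes */`, explains the old line rather than the new one. A comment such as `/* consume everything: MP3ADU is unsupported here and returning 0 would never advance the input */` would record the intent for the next reader. mpegaudio_parse continues outside the hunk.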
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset
ffmpeg | branch: release/3.2 | Michael Niedermayer | Fri Nov 9 19:59:27 2018 +0100| [0612e6a0d7dea838211e60c53491a0caff1842d4] | committer: Michael Niedermayer avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0612e6a0d7dea838211e60c53491a0caff1842d4 --- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 9d591bd668..35e22359be 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -373,7 +373,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* subtract offset from previous samples to use in prediction */ if (command == FN_QLPC && coffset) for (i = -pred_order; i < 0; i++) -s->decoded[channel][i] -= coffset; +s->decoded[channel][i] -= (unsigned)coffset; /* decode residual and do LPC prediction */ init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset; @@ -388,7 +388,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel, /* add offset to current samples */ if (command == FN_QLPC && coffset) for (i = 0; i < s->blocksize; i++) -s->decoded[channel][i] += coffset; +s->decoded[channel][i] += (unsigned)coffset; return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
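Review bot: The `(unsigned)coffset` casts turn signed overflow into defined wraparound, but the wraparound is now silent and the resulting samples are still meaningless when it happens; nothing in the hunk documents that this is intended. A comment on the first cast, `/* unsigned: wraparound on corrupt offsets is harmless, signed overflow is UB */`, would keep the next reader from "fixing" it back. The same applies to the second hunk of this commit; decode_subframe_lpc starts and ends outside the hunks.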
[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Nov 4 20:00:16 2018 +0100| [d10266a96f28824a9248b096a01de5a944d261b2] | committer: Michael Niedermayer avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d10266a96f28824a9248b096a01de5a944d261b2 --- libavcodec/cavsdec.c | 29 + 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index cb1aea2a9f..4d051c5ba0 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb, } -static inline void decode_residual_chroma(AVSContext *h) +static inline int decode_residual_chroma(AVSContext *h) { -if (h->cbp & (1 << 4)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (h->cbp & (1 << 4)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride); -if (h->cbp & (1 << 5)) -decode_residual_block(h, >gb, chroma_dec, 0, +if (ret < 0) +return ret; +} +if (h->cbp & (1 << 5)) { +int ret = decode_residual_block(h, >gb, chroma_dec, 0, ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride); +if (ret < 0) +return ret; +} +return 0; } static inline int decode_residual_inter(AVSContext *h) @@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) uint8_t top[18]; uint8_t *left = NULL; uint8_t *d; +int ret; ff_cavs_init_mb(h); 
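Review bot: `decode_residual_chroma` now returns an error code, but only the call in `decode_mb_i` is updated in this commit; if `decode_residual_inter`, whose signature directly follows in the hunk, also calls it (its body is not visible here), the error is still dropped there and the same timeout path stays open for inter macroblocks. As a style point, the two block-scoped `int ret` declarations could be one declaration at the top of the function, since both branches use it identically.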
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, , block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); -if (h->cbp & (1l_stride); +if (h->cbp & (1 l_stride); +if (ret < 0) +return ret; +} } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); -decode_residual_chroma(h); +ret = decode_residual_chroma(h); +if (ret < 0) +return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix typo in sprite delta check
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Oct 18 01:19:36 2018 +0200| [1effc4baa19de9ee203c7bc4b55a71270aeb3eef] | committer: Michael Niedermayer avcodec/mpeg4videodec: Fix typo in sprite delta check Fixes: Integer overflow Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1effc4baa19de9ee203c7bc4b55a71270aeb3eef --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 4d0db3dc73..caad104934 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -392,7 +392,7 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g llabs(sprite_offset[0][i] + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_offset[0][i] + sprite_delta[i][0] * (w+16LL) + sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sprite_delta[i][0] * (w+16LL)) >= INT_MAX || -llabs(sprite_delta[i][1] * (w+16LL)) >= INT_MAX || +llabs(sprite_delta[i][1] * (h+16LL)) >= INT_MAX || llabs(sd[0]) >= INT_MAX || llabs(sd[1]) >= INT_MAX || llabs(sprite_offset[0][i] + sd[0] * (w+16LL)) >= INT_MAX || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
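Review bot: The typo was easy to make because `(w+16LL)` and `(h+16LL)` are repeated in every term of this check; hoisting them into locals above the condition, e.g. `int64_t w16 = w + 16LL, h16 = h + 16LL;`, would make the pairing of each delta index with its dimension visible at a glance and shrink the expression. mpeg4_decode_sprite_trajectory starts and ends outside the hunk.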
[FFmpeg-cvslog] avcodec/ra144: Fix integer overflow in add_wav()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Wed Oct 10 04:25:50 2018 +0200| [f266eca585f0e570350cc54578c762aa8ebd86c7] | committer: Michael Niedermayer avcodec/ra144: Fix integer overflow in add_wav() Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int' Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f266eca585f0e570350cc54578c762aa8ebd86c7 --- libavcodec/ra144.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c index 573703d70b..65a744876c 100644 --- a/libavcodec/ra144.c +++ b/libavcodec/ra144.c @@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m, if (v[0]) { for (i=0; i < BLOCKSIZE; i++) -dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; +dest[i] = (int)((s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12; } else { for (i=0; i < BLOCKSIZE; i++) dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
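Review bot: Moving the `(int)` cast outside the sum makes the whole accumulation unsigned so it wraps instead of overflowing, but `>> 12` is then applied to an `int` that may be negative, and a right shift of a negative value is implementation-defined (arithmetic on the compilers FFmpeg targets); that was already true of the old line. A short comment, `/* sum in unsigned: wraps instead of UB; arithmetic shift of the int result is relied on */`, would document both assumptions. The else branch keeps `s2[i]*v[1] + s3[i]*v[2]` signed; if the same inputs can drive that sum past INT_MAX it needs the same treatment. add_wav starts outside the hunk.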
[FFmpeg-cvslog] avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Mon Aug 20 22:53:32 2018 +0200| [368e7a0994222442a46be577f38aedc18f97aeac] | committer: Michael Niedermayer avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb() Fixes: Timeout Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=368e7a0994222442a46be577f38aedc18f97aeac --- libavcodec/hq_hqa.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/hq_hqa.c b/libavcodec/hq_hqa.c index f88ad7d5f5..ec9da3e04f 100644 --- a/libavcodec/hq_hqa.c +++ b/libavcodec/hq_hqa.c @@ -181,6 +181,9 @@ static int hqa_decode_mb(HQContext *c, AVFrame *pic, int qgroup, int flag = 0; int i, ret, cbp; +if (get_bits_left(gb) < 1) +return AVERROR_INVALIDDATA; + cbp = get_vlc2(gb, c->hqa_cbp_vlc.table, 5, 1); for (i = 0; i < 12; i++) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
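Review bot: The new guard only requires a single remaining bit, which stops the loop from spinning on an exhausted reader but does not bound the reads that follow (a 5-bit VLC and twelve blocks); presumably the bit reader pads with zeros past the end, so this is about forward progress rather than memory safety, and a comment saying so, `/* stop on exhausted input; the reader pads with zeros, so this only prevents endless loops */`, would make the choice of `< 1` understandable. hqa_decode_mb continues outside the hunk.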
[FFmpeg-cvslog] avcodec/h264_cavlc: Check mb_skip_run
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Oct 4 03:13:41 2018 +0200| [72268fbdc37ea692f01e0afbddae3939a9c02eb7] | committer: Michael Niedermayer avcodec/h264_cavlc: Check mb_skip_run Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264 Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=72268fbdc37ea692f01e0afbddae3939a9c02eb7 --- libavcodec/h264_cavlc.c | 10 -- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index ffed204441..c88140650a 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl) cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */ if (sl->slice_type_nos != AV_PICTURE_TYPE_I) { -if (sl->mb_skip_run == -1) -sl->mb_skip_run = get_ue_golomb_long(>gb); +if (sl->mb_skip_run == -1) { +unsigned mb_skip_run = get_ue_golomb_long(>gb); +if (mb_skip_run > h->mb_num) { +av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run); +return AVERROR_INVALIDDATA; +} +sl->mb_skip_run = mb_skip_run; +} if (sl->mb_skip_run--) { if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
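Review bot: `mb_skip_run` is declared `unsigned` but the new `av_log` prints it with `%d`; the format should be `"mb_skip_run %u is invalid\n"` so it matches the argument type. The comparison `mb_skip_run > h->mb_num` mixes unsigned and int, which is correct as long as mb_num is non-negative (I take that to hold for a validated context), but an explicit `(unsigned)h->mb_num` would make the assumption visible. ff_h264_decode_mb_cavlc continues outside the hunk.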
[FFmpeg-cvslog] avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Aug 16 15:36:28 2018 +0200| [949995b2252124b0abd8cd414a854e62bd241290] | committer: Michael Niedermayer avformat/mlvdec: read_string() received unsigned size, make the argument unsigned Fixes: infinite loop Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=949995b2252124b0abd8cd414a854e62bd241290 --- libavformat/mlvdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mlvdec.c b/libavformat/mlvdec.c index 665b28d4f8..de8f217dad 100644 --- a/libavformat/mlvdec.c +++ b/libavformat/mlvdec.c @@ -77,7 +77,7 @@ static int check_file_header(AVIOContext *pb, uint64_t guid) return 0; } -static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, int size) +static void read_string(AVFormatContext *avctx, AVIOContext *pb, const char *tag, unsigned size) { char * value = av_malloc(size + 1); if (!value) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
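Review bot: With `size` now `unsigned`, `av_malloc(size + 1)` wraps to `av_malloc(0)` when size is UINT_MAX, and a later read of `size` bytes into that buffer would overrun; the callers are not visible here, so if they all pass small constants this is theoretical, but a guard such as `if (size >= UINT_MAX) return;` before the allocation would close it regardless of caller. The body of read_string continues outside the hunk.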
[FFmpeg-cvslog] avcodec/shorten: Fix bitstream end check in read_header()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Sep 15 02:08:20 2018 +0200| [3b20cd4f6576a18776252ee96ece0946557cbe7d] | committer: Michael Niedermayer avcodec/shorten: Fix bitstream end check in read_header() Fixes: Timeout Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3b20cd4f6576a18776252ee96ece0946557cbe7d --- libavcodec/shorten.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index c1a6df3802..9d591bd668 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -447,7 +447,7 @@ static int read_header(ShortenContext *s) } skip_bytes = get_uint(s, NSKIPSIZE); -if ((unsigned)skip_bytes > get_bits_left(>gb)/8) { +if ((unsigned)skip_bytes > FFMAX(get_bits_left(>gb), 0)/8) { av_log(s->avctx, AV_LOG_ERROR, "invalid skip_bytes: %d\n", skip_bytes); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
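Review bot: The `FFMAX(..., 0)` clamp handles the case where the reader has already overrun and `get_bits_left` is negative, which the unsigned comparison previously turned into a huge bound, but nothing on the line says so; a comment, `/* get_bits_left() is negative after an overread; clamp so the unsigned compare stays meaningful */`, would help. The `%d` in the error message still matches `skip_bytes`, which stays an int. read_header continues outside the hunk.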
[FFmpeg-cvslog] avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Aug 16 15:36:29 2018 +0200| [b535e8936b7285e23f2f007682be94cde4e8b857] | committer: Michael Niedermayer avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header() Fixes: long running loop Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6 Found-by: Paul Ch Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b535e8936b7285e23f2f007682be94cde4e8b857 --- libavformat/rmdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 59e27b026d..0b823b7b87 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -1285,6 +1285,8 @@ static int ivr_read_header(AVFormatContext *s) if (avio_rb32(pb) == MKBETAG('M', 'L', 'T', 'I')) { ret = rm_read_multi(s, pb, st, NULL); } else { +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; avio_seek(pb, -4, SEEK_CUR); ret = ff_rm_read_mdpr_codecdata(s, pb, st, st->priv_data, len, NULL); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/zmbv: Check that the decompressed data size is correct
ffmpeg | branch: release/3.2 | Michael Niedermayer | Tue Sep 18 00:28:37 2018 +0200| [2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e] | committer: Michael Niedermayer avcodec/zmbv: Check that the decompressed data size is correct This checks the value exactly for intra frames and checks it against a minimum for inter frames as they can be variable. Fixes: Timeout Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2baee6dd1b9e33d88c7a6621a00a487f9c3fd95e --- libavcodec/zmbv.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 0ffeea502c..46f59583c9 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -408,6 +408,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac int zret = Z_OK; // Zlib return code int len = buf_size; int hi_ver, lo_ver, ret; +int expected_size; /* parse header */ if (len < 1) @@ -504,6 +505,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac memset(c->prev, 0, avctx->width * avctx->height * (c->bpp / 8)); c->decode_intra= decode_intra; } +if (c->flags & ZMBV_KEYFRAME) { +expected_size = avctx->width * avctx->height * (c->bpp / 8); +} else { +expected_size = (c->bx * c->by * 2 + 3) & ~3; +} +if (avctx->pix_fmt == AV_PIX_FMT_PAL8 && +(c->flags & (ZMBV_DELTAPAL | ZMBV_KEYFRAME))) +expected_size += 768; if (!c->decode_intra) { av_log(avctx, AV_LOG_ERROR, "Error! Got no format or no keyframe!\n"); 
@@ -533,6 +542,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac } c->decomp_len = c->zstream.total_out; } +if (expected_size > c->decomp_len || +(c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len) { +av_log(avctx, AV_LOG_ERROR, "decompressed size %d is incorrect, expected %d\n", c->decomp_len, expected_size); +return AVERROR_INVALIDDATA; +} if (c->flags & ZMBV_KEYFRAME) { frame->key_frame = 1; frame->pict_type = AV_PICTURE_TYPE_I; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
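Review bot: The new condition `expected_size > c->decomp_len || (c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len` relies on `&&` binding tighter than `||`; it is correct, but compilers warn about it and readers stumble on it, so wrap the second operand as `((c->flags & ZMBV_KEYFRAME) && expected_size < c->decomp_len)`. In the first hunk of this commit `expected_size` for key frames is `width * height * (bpp / 8)` in `int`; if the dimensions are bounded at init this cannot overflow, otherwise the identical product used by the `memset` just above it deserves the same scrutiny. decode_frame starts and ends outside these hunks.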
[FFmpeg-cvslog] avformat/utils: Never store negative values in last_IP_duration
ffmpeg | branch: release/3.2 | Michael Niedermayer | Fri Oct 12 20:55:25 2018 +0200| [77d35ab73435a9c847f387621f066c1f98733580] | committer: Michael Niedermayer avformat/utils: Never store negative values in last_IP_duration Fixes: integer overflow compute_pkt_fields() Fixes: compute_pkt_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=77d35ab73435a9c847f387621f066c1f98733580 --- libavformat/utils.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 8cdad78659..dc867a96a3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1293,7 +1293,7 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, /* This is tricky: the dts must be incremented by the duration * of the frame we are displaying, i.e. the last I- or P-frame. */ -if (st->last_IP_duration == 0) +if (st->last_IP_duration == 0 && (uint64_t)pkt->duration <= INT32_MAX) st->last_IP_duration = pkt->duration; if (pkt->dts != AV_NOPTS_VALUE) st->cur_dts = pkt->dts + st->last_IP_duration; @@ -1305,7 +1305,8 @@ static void compute_pkt_fields(AVFormatContext *s, AVStream *st, next_pts != AV_NOPTS_VALUE) pkt->pts = next_dts; -st->last_IP_duration = pkt->duration; +if ((uint64_t)pkt->duration <= INT32_MAX) +st->last_IP_duration = pkt->duration; st->last_IP_pts = pkt->pts; /* Cannot compute PTS if not present (we can compute it only * by knowing the future. */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
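Review bot: `(uint64_t)pkt->duration <= INT32_MAX` rejects both negative and over-large durations through one unsigned cast, which is compact but not obvious; a comment on the first occurrence, `/* the cast also rejects negative durations: they exceed INT32_MAX as uint64_t */`, would explain it, and since the same test appears in both hunks a small `static inline` predicate would keep the two in sync. compute_pkt_fields starts and ends outside the hunks.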
[FFmpeg-cvslog] avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Oct 20 22:35:37 2018 +0200| [353ef58a8279d3c3a45fe18d1245d84cb843eb18] | committer: Michael Niedermayer avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling Fixes: assertion failure Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=353ef58a8279d3c3a45fe18d1245d84cb843eb18 --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index ba62aa7b10..9e0a0cb933 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1128,7 +1128,7 @@ static int jpeg2000_decode_packets_po_iteration(Jpeg2000DecoderContext *s, Jpeg2 step_x = 32; step_y = 32; -if (RSpoc > FFMIN(codsty->nreslevels, REpoc)) +if (RSpoc >= FFMIN(codsty->nreslevels, REpoc)) continue; for (reslevelno = RSpoc; reslevelno < FFMIN(codsty->nreslevels, REpoc); reslevelno++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/zmbv: Update decomp_len in raw frames
ffmpeg | branch: release/3.2 | Michael Niedermayer | Mon Sep 17 21:33:59 2018 +0200| [5fe92631fc2015ced579da5fe4efa8fc52042911] | committer: Michael Niedermayer avcodec/zmbv: Update decomp_len in raw frames decomp_len is used in raw frames, so it should not be left at the value from whatever was decoded previously (which may be any other frame) Signed-off-by: Michael Niedermayer (cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5fe92631fc2015ced579da5fe4efa8fc52042911 --- libavcodec/zmbv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c index 5deef804bc..0ffeea502c 100644 --- a/libavcodec/zmbv.c +++ b/libavcodec/zmbv.c @@ -519,6 +519,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac return AVERROR_INVALIDDATA; } memcpy(c->decomp_buf, buf, len); +c->decomp_len = len; } else { // ZLIB-compressed data c->zstream.total_in = c->zstream.total_out = 0; c->zstream.next_in = (uint8_t*)buf; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avutil/integer: Fix integer overflow in av_mul_i()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Wed Oct 24 01:44:12 2018 +0200| [c2af767c3e288b63eab873e60c3376b0adcb0186] | committer: Michael Niedermayer avutil/integer: Fix integer overflow in av_mul_i() Found-by: fate Signed-off-by: Michael Niedermayer (cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c2af767c3e288b63eab873e60c3376b0adcb0186 --- libavutil/integer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavutil/integer.c b/libavutil/integer.c index 6d6855fa1b..ba4aa778c9 100644 --- a/libavutil/integer.c +++ b/libavutil/integer.c @@ -74,7 +74,7 @@ AVInteger av_mul_i(AVInteger a, AVInteger b){ if(a.v[i]) for(j=i; j>16) + out.v[j] + a.v[i]*b.v[j-i]; +carry= (carry>>16) + out.v[j] + a.v[i]*(unsigned)b.v[j-i]; out.v[j]= carry; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
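Review bot: The `(unsigned)` cast stops `a.v[i]*b.v[j-i]` from overflowing `int` when both halves are 65535, and the remaining sum is safe only because of a tight bound: `(carry>>16) + out.v[j] + a.v[i]*b.v[j-i]` is at most 65535 + 65535 + 65535*65535 = 4294967295, exactly UINT32_MAX, assuming `carry` is a 32-bit unsigned (its declaration is outside the hunk). That bound is worth recording on the line, e.g. `/* max 0xFFFF + 0xFFFF + 0xFFFF*0xFFFF == UINT32_MAX: cannot wrap */`. av_mul_i starts outside the hunk.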
[FFmpeg-cvslog] avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Sep 13 04:24:49 2018 +0200| [9f0e0a4cf29c860e85a7f1c47ec6418923abbeb3] | committer: Michael Niedermayer avcodec/dvdsubdec: Avoid branch in decode_run_8bit() Speed improvment 35.5 sec -> 34.7sec Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9f0e0a4cf29c860e85a7f1c47ec6418923abbeb3 --- libavcodec/dvdsubdec.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 0c73fb2bbd..79cb0c4046 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -82,10 +82,7 @@ static int decode_run_8bit(GetBitContext *gb, int *color) { int len; int has_run = get_bits1(gb); -if (get_bits1(gb)) -*color = get_bits(gb, 8); -else -*color = get_bits(gb, 2); +*color = get_bits(gb, 2 + 6*get_bits1(gb)); if (has_run) { if (get_bits1(gb)) { len = get_bits(gb, 7); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
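Review bot: `*color = get_bits(gb, 2 + 6*get_bits1(gb));` folds the old branch into arithmetic on a flag bit; the evaluation order is well defined (the argument is computed before get_bits runs), but the meaning is no longer readable, so a comment such as `/* 1 flag bit: 0 -> 2-bit colour index, 1 -> 8-bit colour index */` should accompany it. decode_run_8bit continues outside the hunk.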
[FFmpeg-cvslog] avformat/utils: Fix integer overflow in discontinuity check
ffmpeg | branch: release/3.2 | Michael Niedermayer | Fri Oct 12 03:00:32 2018 +0200| [9181ecd2e60285136f77c655d87ec7538cdfded1] | committer: Michael Niedermayer avformat/utils: Fix integer overflow in discontinuity check Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long' Fixes: find_stream_info_usan Reported-by: Thomas Guilbert Signed-off-by: Michael Niedermayer (cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9181ecd2e60285136f77c655d87ec7538cdfded1 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index eda9220923..8cdad78659 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3600,7 +3600,7 @@ FF_ENABLE_DEPRECATION_WARNINGS * sequence, we treat it as a discontinuity. */ if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && -(pkt->dts - st->info->fps_last_dts) / 1000 > +(pkt->dts - (uint64_t)st->info->fps_last_dts) / 1000 > (st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
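Review bot: Casting `fps_last_dts` to `uint64_t` makes the subtraction wrap instead of overflow, but it also changes the outcome when `pkt->dts` is smaller than `fps_last_dts`: the difference becomes a huge unsigned value, the comparison is true, and a backwards dts jump is now reported as a discontinuity. That is reasonable, but it should be stated in the comment above the condition, e.g. `/* unsigned arithmetic: a backwards jump also counts as a discontinuity */`; the enclosing block starts and ends outside the hunk.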
[FFmpeg-cvslog] avcodec/unary: Improve get_unary() docs
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Sep 22 15:18:17 2018 +0200| [72babd45c81e7760e02040f0a29a07042004bb52] | committer: Michael Niedermayer avcodec/unary: Improve get_unary() docs Found-by: kierank Signed-off-by: Michael Niedermayer (cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=72babd45c81e7760e02040f0a29a07042004bb52 --- libavcodec/unary.h | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/libavcodec/unary.h b/libavcodec/unary.h index 908dc93507..d57f9f70c5 100644 --- a/libavcodec/unary.h +++ b/libavcodec/unary.h @@ -28,7 +28,20 @@ * @param gb GetBitContext * @param[in] stop The bitstop value (unary code of 1's or 0's) * @param[in] len Maximum length - * @return Unary length/index + * @return unary 0 based code index. This is also the length in bits of the + * code excluding the stop bit. + * (in case len=1) + * 10 + * 01 + * (in case len=2) + * 10 + * 01 1 + * 00 2 + * (in case len=3) + * 10 + * 01 1 + * 001 2 + * 000 3 */ static inline int get_unary(GetBitContext *gb, int stop, int len) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/nsvdec: Do not parse multiple NSVf
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Aug 16 12:23:20 2018 +0200| [5d7bab77de261dd70218ac311a8536b4d42b98e8] | committer: Michael Niedermayer
avformat/nsvdec: Do not parse multiple NSVf
The specification states "NSV files may contain a single file header. "
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421
Found-by: Paul Ch
Tested-by: Paul Ch
Signed-off-by: Michael Niedermayer
(cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5d7bab77de261dd70218ac311a8536b4d42b98e8
---
 libavformat/nsvdec.c | 7 +++
 1 file changed, 7 insertions(+)
diff --git a/libavformat/nsvdec.c b/libavformat/nsvdec.c
index 16d2fa59e2..3e7d815295 100644
--- a/libavformat/nsvdec.c
+++ b/libavformat/nsvdec.c
@@ -177,6 +177,7 @@ typedef struct NSVContext {
 AVRational framerate;
 uint32_t *nsvs_timestamps;
 //DVDemuxContext* dv_demux;
+int nsvf;
 } NSVContext;
 static const AVCodecTag nsv_codec_video_tags[] = {
@@ -280,6 +281,12 @@ static int nsv_parse_NSVf_header(AVFormatContext *s)
 nsv->state = NSV_UNSYNC; /* in case we fail */
+if (nsv->nsvf) {
+av_log(s, AV_LOG_TRACE, "Multiple NSVf\n");
+return 0;
+}
+nsv->nsvf = 1;
+
 size = avio_rl32(pb);
 if (size < 28)
 return -1;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
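Review bot: The duplicate-header path in nsv_parse_NSVf_header returns 0 right after `nsv->state = NSV_UNSYNC` without consuming the second header's payload, so correct behaviour relies on the caller resyncing from the unread bytes; that dependency deserves a comment, e.g. `/* the spec allows a single NSVf; leave state UNSYNC so the caller resyncs past this one */`. The flag is set before `size` is validated, so a first header rejected by `if (size < 28)` still marks the file as having seen an NSVf; that looks harmless since that path returns -1, but it is worth a glance. Whether `nsvf` is reset on seek cannot be seen from the hunk. The struct hunk above only adds the field.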
[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix undefined shift in get_amv()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Sep 15 00:20:38 2018 +0200| [64bccfd11dde05f9bac18d0df8a34f03adb86ce9] | committer: Michael Niedermayer
avcodec/mpeg4videodec: Fix undefined shift in get_amv()
Fixes: runtime error: shift exponent -1 is negative
Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=64bccfd11dde05f9bac18d0df8a34f03adb86ce9
---
 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index def1df3f99..4d0db3dc73 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -539,7 +539,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
 len >>= s->quarter_sample;
 if (s->real_sprite_warping_points == 1) {
-if (ctx->divx_version == 500 && ctx->divx_build == 413)
+if (ctx->divx_version == 500 && ctx->divx_build == 413 && a >= s->quarter_sample)
 sum = s->sprite_offset[0][n] / (1 << (a - s->quarter_sample));
 else
 sum = RSHIFT(s->sprite_offset[0][n] * (1 << s->quarter_sample), a);
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
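Review bot: The new `a >= s->quarter_sample` condition silently routes the DivX 500/413 case into the generic RSHIFT branch whenever the shift would have been negative, instead of treating that as corrupt input; that is a reasonable robustness choice but it is not obvious from the line, so a comment would help: `/* a < quarter_sample would give a negative shift; fall back to the generic rounding */`. The upper bound of `a` is not visible in the hunk; if it can reach 31 or more, `1 << (a - s->quarter_sample)` on the following line is still undefined. get_amv continues outside the hunk.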
[FFmpeg-cvslog] avcodec/vb: Check for end of bytestream before reading blocktype
ffmpeg | branch: release/3.2 | Michael Niedermayer | Mon Aug 20 22:19:23 2018 +0200| [2df51ffcb7f2f1ee14715e28793ef549b0a7f565] | committer: Michael Niedermayer
avcodec/vb: Check for end of bytestream before reading blocktype
Fixes: Timeout
Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2df51ffcb7f2f1ee14715e28793ef549b0a7f565
---
 libavcodec/vb.c | 4
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/vb.c b/libavcodec/vb.c
index 021657f7d8..c6dd6fb456 100644
--- a/libavcodec/vb.c
+++ b/libavcodec/vb.c
@@ -107,6 +107,10 @@ static int vb_decode_framedata(VBDecContext *c, int offset)
 blk2 = 0;
 for (blk = 0; blk < blocks; blk++) {
 if (!(blk & 3)) {
+if (bytestream2_get_bytes_left() < 1) {
+av_log(c->avctx, AV_LOG_ERROR, "Insufficient data\n");
+return AVERROR_INVALIDDATA;
+}
 blocktypes = bytestream2_get_byte();
 }
 switch (blocktypes & 0xC0) {
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
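Review bot: The added check in vb_decode_framedata guards only the blocktype byte read every fourth block, not the per-block payload reads in the `switch` below, so on exhausted input the loop still runs up to three more iterations before the next check fires; that is bounded and acceptable, but the reason the check is needed at all deserves a comment, presumably that bytestream2 reads past the end return 0 and would otherwise let the loop run all the way to `blocks`: `/* bytestream2 returns 0 past the end; stop instead of decoding zeros until blk == blocks */`. The body of the switch and the rest of the function are outside the hunk.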
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow with motion vector residual
ffmpeg | branch: release/3.2 | Michael Niedermayer | Mon Aug 20 20:15:19 2018 +0200| [c6b7060137cfdf5536df95bb8e58bd30acc90b89] | committer: Michael Niedermayer
avcodec/snowdec: Fix integer overflow with motion vector residual
Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int'
Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c6b7060137cfdf5536df95bb8e58bd30acc90b89
---
 libavcodec/snowdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 00fa064102..a9fe91d251 100644
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -208,8 +208,8 @@ static int decode_q_branch(SnowContext *s, int level, int x, int y){
 return AVERROR_INVALIDDATA;
 }
 pred_mv(s, , , ref, left, top, tr);
-mx+= get_symbol(>c, >block_state[128 + 32*(mx_context + 16*!!ref)], 1);
-my+= get_symbol(>c, >block_state[128 + 32*(my_context + 16*!!ref)], 1);
+mx+= (unsigned)get_symbol(>c, >block_state[128 + 32*(mx_context + 16*!!ref)], 1);
+my+= (unsigned)get_symbol(>c, >block_state[128 + 32*(my_context + 16*!!ref)], 1);
 }
 set_blocks(s, level, x, y, l, cb, cr, mx, my, ref, type);
 }else{
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
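Review bot: The `(unsigned)` casts on the two `mx+=`/`my+=` lines turn the overflow into a defined wrap, but the wrapped motion vector then goes straight into `set_blocks(...)` two lines later; whether mx/my are range-checked before they are used as block vectors is not visible here, so the wrap should at least be documented, e.g. `// cast: the residual can be huge on corrupt input; wrap instead of UB (vector range is validated downstream - confirm)`. decode_q_branch continues outside the hunk on both sides.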
[FFmpeg-cvslog] avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Fri Aug 17 02:06:27 2018 +0200| [59c463f4ccb0067545086dc986998f07e209d069] | committer: Michael Niedermayer
avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
Signed-off-by: Michael Niedermayer
(cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59c463f4ccb0067545086dc986998f07e209d069
---
 libavcodec/h264_refs.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 97bf588b51..8c4e0fe725 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -807,6 +807,7 @@ int ff_h264_execute_ref_pic_marking(H264Context *h)
 }
 }
+// Detect unmarked random access points
 if ( err >= 0 &&
 h->long_ref_count==0 &&
 ( h->short_ref_count<=2
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/shorten: Check verbatim length
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Aug 12 22:43:33 2018 +0200| [f20a35a13e4b789ccdc0c4dba27025984792a623] | committer: Michael Niedermayer
avcodec/shorten: Check verbatim length
Fixes: Timeout
Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20a35a13e4b789ccdc0c4dba27025984792a623
---
 libavcodec/shorten.c | 5 +
 1 file changed, 5 insertions(+)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 94deb0a316..77d66189e4 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -613,6 +613,11 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
 switch (cmd) {
 case FN_VERBATIM:
 len = get_ur_golomb_shorten(>gb, VERBATIM_CKSIZE_SIZE);
+if (len < 0 || len > get_bits_left(>gb)) {
+av_log(avctx, AV_LOG_ERROR, "verbatim length %d invalid\n",
+ len);
+return AVERROR_INVALIDDATA;
+}
 while (len--)
 get_ur_golomb_shorten(>gb, VERBATIM_BYTE_SIZE);
 break;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
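Review bot: The new bound `len > get_bits_left(...)` in the FN_VERBATIM case compares a count of verbatim bytes with a number of bits, which is only a loose upper bound (each Golomb-coded byte costs at least one bit); that is enough to stop the timeout, but the reasoning should be written down so nobody later tightens it to a byte count and rejects valid streams: `/* each verbatim byte needs >= 1 bit, so more than get_bits_left() of them cannot fit */`. The `len < 0` half of the test is what protects the `while (len--)` loop from a negative Golomb result and could be named in the same comment. shorten_decode_frame continues outside the hunk.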
[FFmpeg-cvslog] avcodec/ra144: Fix undefined integer overflow in add_wav()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Aug 26 02:26:24 2018 +0200| [a90f6d3e908b4cfff1387316131a5ac476dbb6d6] | committer: Michael Niedermayer
avcodec/ra144: Fix undefined integer overflow in add_wav()
Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int'
Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a90f6d3e908b4cfff1387316131a5ac476dbb6d6
---
 libavcodec/ra144.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/ra144.c b/libavcodec/ra144.c
index cf8127c236..573703d70b 100644
--- a/libavcodec/ra144.c
+++ b/libavcodec/ra144.c
@@ -1516,7 +1516,7 @@ static void add_wav(int16_t *dest, int n, int skip_first, int *m,
 if (v[0]) {
 for (i=0; i < BLOCKSIZE; i++)
-dest[i] = (s1[i]*v[0] + s2[i]*v[1] + s3[i]*v[2]) >> 12;
+dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;
 } else {
 for (i=0; i < BLOCKSIZE; i++)
 dest[i] = ( s2[i]*v[1] + s3[i]*v[2]) >> 12;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
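Review bot: Only the first product is made overflow-safe on the new `dest[i] = ((int)(s1[i]*(unsigned)v[0]) + s2[i]*v[1] + s3[i]*v[2]) >> 12;` line; `s2[i]*v[1]`, `s3[i]*v[2]` and the two additions stay signed `int`, so if v[1] or v[2] can reach the magnitude of the v[0] value in the fuzzer report (91439) the same undefined overflow remains, and the `else` branch below shares that assumption. If the bounds on v[1] and v[2] rule that out, the line should say so, e.g. `/* only v[0] can exceed the int16*int16 range, so only that product needs the unsigned cast */`; otherwise cast the whole sum the same way. The `>> 12` of a possibly negative sum relies on arithmetic right shift, as the rest of the file does. add_wav continues outside the hunk.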
[FFmpeg-cvslog] avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 22 21:26:24 2018 +0200| [ec7cf0c74f75089617696f7f6e6787760997dcc0] | committer: Michael Niedermayer
avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions
Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int'
Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ec7cf0c74f75089617696f7f6e6787760997dcc0
---
 libavcodec/diracdec.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bc8aabecda..081a3118be 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1236,7 +1236,10 @@ static int dirac_unpack_idwt_params(DiracContext *s)
 else {
 s->num_x= get_interleaved_ue_golomb(gb);
 s->num_y= get_interleaved_ue_golomb(gb);
-if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX) {
+if (s->num_x * s->num_y == 0 || s->num_x * (uint64_t)s->num_y > INT_MAX ||
+s->num_x * (uint64_t)s->avctx->width > INT_MAX ||
+s->num_y * (uint64_t)s->avctx->height > INT_MAX
+) {
 av_log(s->avctx,AV_LOG_ERROR,"Invalid numx/y\n");
 s->num_x = s->num_y = 0;
 return AVERROR_INVALIDDATA;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
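Review bot: The three new overflow bounds in dirac_unpack_idwt_params share the one existing message `"Invalid numx/y"`, which no longer tells the reader which limit failed; logging the two values, `av_log(s->avctx, AV_LOG_ERROR, "Invalid numx/y %d %d\n", s->num_x, s->num_y);`, costs nothing and makes fuzzer reports triageable. The products with `s->avctx->width`/`height` presumably protect later slice-size computations that multiply num_x by the picture width in `int`; a one-line comment naming that downstream use would explain why INT_MAX is the right bound here rather than a tighter one. Resetting `s->num_x = s->num_y = 0` on the error path is good, since the values are otherwise left in the context after a failed header.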
[FFmpeg-cvslog] avformat/mov: Error on too large stsd entry counts.
ffmpeg | branch: release/3.2 | Dale Curtis | Thu Aug 30 15:18:25 2018 -0700| [a72d42b80ff4a9220cb20b2231d55ada0d6b0b3b] | committer: Michael Niedermayer
avformat/mov: Error on too large stsd entry counts.
Entries are always at least 8 bytes per the parsing code, so if we see an impossible entry count avoid massive allocations.
This is similar to an existing check in mov_read_stsc().
Since ff_mov_read_stsd_entries() does eof checks, an alternative approach could be to clamp the entry count to atom.size / 8.
Signed-off-by: Dale Curtis
Signed-off-by: Michael Niedermayer
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a72d42b80ff4a9220cb20b2231d55ada0d6b0b3b
---
 libavformat/mov.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 672a218bb0..272ef7b503 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2335,7 +2335,8 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom)
 avio_rb24(pb); /* flags */
 entries = avio_rb32(pb); /* entries */
-if (entries <= 0) {
+/* Each entry contains a size (4 bytes) and format (4 bytes). */
+if (entries <= 0 || entries > atom.size / 8) {
 av_log(c->fc, AV_LOG_ERROR, "invalid STSD entries %d\n", entries);
 return AVERROR_INVALIDDATA;
 }
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
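Review bot: The new bound `entries > atom.size / 8` in mov_read_stsd is slightly loose, because the flags and the count read just above it already consume part of `atom.size` before the first entry starts, so `(atom.size - 8) / 8` would be the exact limit; as a guard against huge allocations the loose form is fine, but the added comment could say so: `/* Each entry is at least 8 bytes (size + format); header bytes are not subtracted, so this is a loose bound. */`. If `atom.size` can be negative at this point the quotient is negative and every positive count is rejected, which is the right outcome but is worth being aware of. The alternative the commit message mentions (clamping to atom.size / 8) would silently accept truncated atoms, so the hard error chosen here is the safer behaviour.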
[FFmpeg-cvslog] avcodec/dvdsubdec: Sanity check len in decode_rle()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Thu Sep 13 03:33:50 2018 +0200| [7bcc4d7ea7b2a167dfa6cb9063bd452af4dce8f7] | committer: Michael Niedermayer
avcodec/dvdsubdec: Sanity check len in decode_rle()
Fixes: Timeout
Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7bcc4d7ea7b2a167dfa6cb9063bd452af4dce8f7
---
 libavcodec/dvdsubdec.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 79cb0c4046..7bfd03a019 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -124,6 +124,8 @@ static int decode_rle(uint8_t *bitmap, int linesize, int w, int h,
 len = decode_run_8bit(, );
 else
 len = decode_run_2bit(, );
+if (len != INT_MAX && len > w - x)
+return AVERROR_INVALIDDATA;
 len = FFMIN(len, w - x);
 memset(d + x, color, len);
 x += len;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
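Review bot: After the new `if (len != INT_MAX && len > w - x) return AVERROR_INVALIDDATA;` the following `len = FFMIN(len, w - x);` only still matters for the INT_MAX sentinel, and nothing in the hunk explains why that one value is exempt; a comment such as `/* INT_MAX means "fill to end of line" and is clamped below; any other run longer than the line is corrupt */` would make the two lines read as one rule (the sentinel semantics live in decode_run_8bit/2bit, outside the hunk, so confirm before writing it). decode_rle continues beyond the hunk.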
[FFmpeg-cvslog] avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 22 21:42:16 2018 +0200| [7a7a6bf8e25054f599d274831f6993ac86267cf2] | committer: Michael Niedermayer
avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int'
Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7a7a6bf8e25054f599d274831f6993ac86267cf2
---
 libavcodec/diracdec.c | 4
 1 file changed, 4 insertions(+)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 081a3118be..33927c26b3 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -979,6 +979,10 @@ static int decode_lowdelay(DiracContext *s)
 for (slice_x = 0; bufsize > 0 && slice_x < s->num_x; slice_x++) {
 bytes = (slice_num+1) * (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den
 - slice_num* (int64_t)s->lowdelay.bytes.num / s->lowdelay.bytes.den;
+if (bytes >= INT_MAX || bytes*8 > bufsize) {
+av_log(s->avctx, AV_LOG_ERROR, "too many bytes\n");
+return AVERROR_INVALIDDATA;
+}
 slices[slice_num].bytes = bytes;
 slices[slice_num].slice_x = slice_x;
 slices[slice_num].slice_y = slice_y;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
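Review bot: The new guard `bytes >= INT_MAX || bytes*8 > bufsize` in decode_lowdelay is only overflow-free if `bytes` is a 64-bit variable; its declaration is outside the hunk, and if it is an `int` the product `bytes*8` overflows inside the check for any value above INT_MAX/8 (the fuzzer value 340018243 is such a case), which is the class of UB the commit sets out to fix. If it is `int64_t`, as the `(int64_t)` casts in the computation above suggest, a comment would keep it that way: `/* bytes is int64_t: *8 cannot overflow, and >= INT_MAX keeps slices[].bytes in int range */`. The assignment to `slices[slice_num].bytes` right after presumably narrows to `int`, which is what the INT_MAX test covers.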
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Initialize poutbuf*
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Aug 5 14:51:36 2018 +0200| [1a9810dde019dba2fc4c11b7ac56533f85963ac7] | committer: Michael Niedermayer
avcodec/mpegaudio_parser: Initialize poutbuf*
Possibly fixes: null pointer dereference
Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a9810dde019dba2fc4c11b7ac56533f85963ac7
---
 libavcodec/mpegaudio_parser.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index 8c39825792..a072851ecf 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -98,6 +98,8 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
 } else if (codec_id == AV_CODEC_ID_MP3ADU) {
 avpriv_report_missing_feature(avctx, "MP3ADU full parser");
+*poutbuf = NULL;
+*poutbuf_size = 0;
 return 0; /* parsers must not return error codes */
 }
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
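Review bot: The two new assignments fix this one early return, but any other `return 0` in mpegaudio_parse that precedes the assignment of `*poutbuf` would leave the caller with the same stale pointer (the heap-use-after-free in the commit message); setting `*poutbuf = NULL; *poutbuf_size = 0;` once at the top of the function, outside this hunk, would cover every early exit instead of patching them individually. A short comment on the new lines would also say why they exist: `/* nothing produced; never hand the caller a stale buffer pointer */`. The rest of mpegaudio_parse is outside the hunk.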
[FFmpeg-cvslog] avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 29 12:40:48 2018 +0200| [09800cbc0105d734c9974f7a5c835f2346026d5e] | committer: Michael Niedermayer
avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
Fixes: Timeout
Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=09800cbc0105d734c9974f7a5c835f2346026d5e
---
 libavcodec/qtrle.c | 10 ++
 1 file changed, 10 insertions(+)
diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
index 1b0d2016b5..cd8301d143 100644
--- a/libavcodec/qtrle.c
+++ b/libavcodec/qtrle.c
@@ -155,6 +155,8 @@ static inline void qtrle_decode_2n4bpp(QtrleContext *s, int row_ptr,
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (num_pixels * (bytestream2_get_byte(>g) - 1));
@@ -210,6 +212,8 @@ static void qtrle_decode_8bpp(QtrleContext *s, int row_ptr, int lines_to_change)
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (4 * (bytestream2_get_byte(>g) - 1));
@@ -259,6 +263,8 @@ static void qtrle_decode_16bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 2;
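Review bot: The same two added lines appear in all five qtrle_decode_* loops (the 2n4bpp, 8bpp and 16bpp hunks here, and the 24bpp and 32bpp hunks that follow on the next line of this digest) without a word on why a one-byte check is needed right after the `while` condition has itself just read a byte; the reason is presumably that an exhausted bytestream2 reader returns 0, which is exactly the skip-code value, so the loop would spin until the timeout: `/* bytestream2 returns 0 past the end, which is the skip code: bail out instead of looping forever */`. These functions are `void`, so a truncated frame is returned silently with no error to the caller, consistent with the existing CHECK_PIXEL_PTR style but worth noting. Since the condition is identical five times, a small macro beside CHECK_PIXEL_PTR would keep the copies in sync.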
@@ -303,6 +309,8 @@ static void qtrle_decode_24bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 3;
@@ -350,6 +358,8 @@ static void qtrle_decode_32bpp(QtrleContext *s, int row_ptr, int lines_to_change
 CHECK_PIXEL_PTR(0);
 while ((rle_code = (int8_t)bytestream2_get_byte(>g)) != -1) {
+if (bytestream2_get_bytes_left(>g) < 1)
+return;
 if (rle_code == 0) {
 /* there's another skip code in the stream */
 pixel_ptr += (bytestream2_get_byte(>g) - 1) * 4;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 22 20:45:39 2018 +0200| [6ebb8f5ab5663dc55f5fd8b66b54d30bab7b79f6] | committer: Michael Niedermayer
avcodec/diracdec: Change frame_number to 64bit as its a 32bit from the bitstream and we also have a -1 special case
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6ebb8f5ab5663dc55f5fd8b66b54d30bab7b79f6
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index f2bc8e6959..bc8aabecda 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -139,7 +139,7 @@ typedef struct DiracContext {
 GetBitContext gb;
 AVDiracSeqHeader seq;
 int seen_sequence_header;
-int frame_number; /* number of the next frame to display */
+int64_t frame_number; /* number of the next frame to display */
 Plane plane[3];
 int chroma_x_shift;
 int chroma_y_shift;
@@ -2294,7 +2294,7 @@ static int dirac_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
 }
 if (*got_frame)
-s->frame_number = picture->display_picture_number + 1;
+s->frame_number = picture->display_picture_number + 1LL;
 return buf_idx;
 }
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
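Review bot: Widening `frame_number` to `int64_t` in DiracContext changes the type of every use outside these two hunks: any `av_log` that prints it with `%d` now needs `PRId64`, comparisons against an `int` picture number become mixed-width, and the `-1` special case the commit message mentions must still compare as a 64-bit value; none of those sites are visible here, so they should be checked. The field comment could record the motivation so nobody narrows it back: `/* number of the next frame to display; int64_t because the bitstream value is 32-bit and -1 is a sentinel */`. The `+ 1LL` in dirac_decode_frame is the right way to keep the addition in 64 bits regardless of the type of `display_picture_number`.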
[FFmpeg-cvslog] avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Jul 28 10:59:09 2018 +0200| [cc9263c2e165c4c46a55ee643aae1a6da14f4a96] | committer: Michael Niedermayer
avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int'
Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc9263c2e165c4c46a55ee643aae1a6da14f4a96
---
 libavcodec/aacpsdsp_template.c | 8
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/aacpsdsp_template.c b/libavcodec/aacpsdsp_template.c
index 8f72624559..b924148e0f 100644
--- a/libavcodec/aacpsdsp_template.c
+++ b/libavcodec/aacpsdsp_template.c
@@ -149,10 +149,10 @@ static void ps_stereo_interpolate_c(INTFLOAT (*l)[2], INTFLOAT (*r)[2],
 INTFLOAT h1 = h[0][1];
 INTFLOAT h2 = h[0][2];
 INTFLOAT h3 = h[0][3];
-INTFLOAT hs0 = h_step[0][0];
-INTFLOAT hs1 = h_step[0][1];
-INTFLOAT hs2 = h_step[0][2];
-INTFLOAT hs3 = h_step[0][3];
+UINTFLOAT hs0 = h_step[0][0];
+UINTFLOAT hs1 = h_step[0][1];
+UINTFLOAT hs2 = h_step[0][2];
+UINTFLOAT hs3 = h_step[0][3];
 int n;
 for (n = 0; n < len; n++) {
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
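Review bot: The four `UINTFLOAT hs*` declarations are the whole fix, but the accumulation they protect (presumably `h0 += hs0` and friends inside the `for` loop) is outside the hunk, and nothing in ps_stereo_interpolate_c says why the step variables are unsigned while h0..h3 stay INTFLOAT; a comment above the block, `/* steps are UINTFLOAT so the fixed-point h += hs accumulation wraps instead of overflowing */`, would stop a later reader from "fixing" the type back. In the float build UINTFLOAT should be a plain float alias, making this a no-op there; confirm the template header defines it that way.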
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow in residual/LPC combination
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Aug 12 22:55:59 2018 +0200| [eba99acdf2673c07b43617f60b449f29b0a6177e] | committer: Michael Niedermayer
avcodec/shorten: Fix integer overflow in residual/LPC combination
Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int'
Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eba99acdf2673c07b43617f60b449f29b0a6177e
---
 libavcodec/shorten.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 77d66189e4..17a3cce0df 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
 for (j = 0; j < pred_order; j++)
 sum += coeffs[j] * (unsigned)s->decoded[channel][i - j - 1];
 s->decoded[channel][i] = get_sr_golomb_shorten(>gb, residual_size) +
- (sum >> qshift);
+ (unsigned)(sum >> qshift);
 }
 /* add offset to current samples */
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
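Review bot: The new `(unsigned)(sum >> qshift)` makes the addition wrap, but `sum` is shifted before the cast, so if `sum` is a signed `int` the `>>` of a negative value is implementation-defined (arithmetic shift, which FFmpeg relies on everywhere); its declaration is outside the hunk. A comment on the line would explain the cast to the next reader, e.g. `/* unsigned: residual + prediction can exceed int range on corrupt input; wrap instead of UB */`, adding a note on where the wrapped sample is clipped if that is indeed done later. decode_subframe_lpc continues outside the hunk.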
[FFmpeg-cvslog] avformat/flvenc: Check audio packet size
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sat Jul 28 15:03:50 2018 +0200| [1b283238226bf2ff1f328ab4811375240224b346] | committer: Michael Niedermayer
avformat/flvenc: Check audio packet size
Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf
Found-by: #CHEN HONGXU#
Signed-off-by: Michael Niedermayer
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1b283238226bf2ff1f328ab4811375240224b346
---
 libavformat/flvenc.c | 5 +
 1 file changed, 5 insertions(+)
diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index e50f8e4519..3bb7a216a4 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -575,6 +575,11 @@ static int flv_write_packet(AVFormatContext *s, AVPacket *pkt)
 uint8_t *data = NULL;
 int flags = -1, flags_size, ret;
+if (par->codec_type == AVMEDIA_TYPE_AUDIO && !pkt->size) {
+av_log(s, AV_LOG_WARNING, "Empty audio Packet\n");
+return AVERROR(EINVAL);
+}
+
 if (par->codec_id == AV_CODEC_ID_VP6F || par->codec_id == AV_CODEC_ID_VP6A ||
 par->codec_id == AV_CODEC_ID_VP6 || par->codec_id == AV_CODEC_ID_AAC)
 flags_size = 2;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
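Review bot: The new check in flv_write_packet logs at AV_LOG_WARNING but returns `AVERROR(EINVAL)`, which for most callers aborts the whole mux, so the severity of the message and the action taken disagree; either log at AV_LOG_ERROR, or drop the packet with `return 0;` and keep the warning, and say which was chosen and why. A comment tying the check to the failure it prevents would also help, e.g. `/* an empty audio packet would trip the assertion on the audio header size further down */` (confirm against the assert the commit message cites before writing it). The rest of flv_write_packet is outside the hunk.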
[FFmpeg-cvslog] avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 22 18:58:34 2018 +0200| [8ed1874dab710b06227aa87241b7f56b27140883] | committer: Michael Niedermayer
avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int'
Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8ed1874dab710b06227aa87241b7f56b27140883
---
 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 9739886854..f2bc8e6959 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1393,8 +1393,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref)
 int *c = s->globalmc[ref].perspective;
int m = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] swresample/swresample: Fix input channel count in resample_first computation
ffmpeg | branch: release/3.2 | Michael Niedermayer | Tue Jul 24 22:44:12 2018 +0200| [430405eb0bd0135bb1efafac06aeddae44c02ae6] | committer: Michael Niedermayer
swresample/swresample: Fix input channel count in resample_first computation
Found-by: Marcin Gorzel
Reviewed-by: Marcin Gorzel
Signed-off-by: Michael Niedermayer
(cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=430405eb0bd0135bb1efafac06aeddae44c02ae6
---
 libswresample/swresample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index a7010c391e..d2dbe75238 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -319,7 +319,7 @@ av_cold int swr_init(struct SwrContext *s){
 av_assert0(s->used_ch_count);
 av_assert0(s->out.ch_count);
-s->resample_first= RSC*s->out.ch_count/s->in.ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
+s->resample_first= RSC*s->out.ch_count/s->used_ch_count - RSC < s->out_sample_rate/(float)s-> in_sample_rate - 1.0;
 s->in_buffer= s->in;
 s->silence = s->in;
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
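Review bot: If `RSC` is an integer constant, `RSC*s->out.ch_count/s->used_ch_count - RSC` on the changed line is an integer quotient, so the channel-count ratio is truncated before it is compared with the floating-point rate ratio `s->out_sample_rate/(float)s->in_sample_rate - 1.0`; that asymmetry predates this commit, but the fix is a good moment to state the intent above the line, e.g. `/* resample before rematrixing when the channel-count growth is smaller than the sample-rate growth */`, and to cast one operand to float if a fractional channel ratio was meant. The `av_assert0(s->used_ch_count)` two lines up is what makes the new divisor safe, which is worth mentioning in the same comment.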
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
ffmpeg | branch: release/3.2 | Michael Niedermayer | Sun Jul 22 19:11:04 2018 +0200| [33ee198cdbb2c3b844513e7290709c85dd86fbea] | committer: Michael Niedermayer
avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
(cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=33ee198cdbb2c3b844513e7290709c85dd86fbea
---
 libavcodec/dirac_dwt_template.c | 8
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c
index 2369c8d15b..5d55d932a1 100644
--- a/libavcodec/dirac_dwt_template.c
+++ b/libavcodec/dirac_dwt_template.c
@@ -190,15 +190,15 @@ static void RENAME(horizontal_compose_daub97i)(uint8_t *_b, uint8_t *_temp, int
 // second stage combined with interleave and shift
 b0 = b2 = COMPOSE_DAUB97iL0(temp[w2], temp[0], temp[w2]);
-b[0] = (b0 + 1) >> 1;
+b[0] = ~((~b0) >> 1);
 for (x = 1; x < w2; x++) {
 b2 = COMPOSE_DAUB97iL0(temp[x+w2-1], temp[x ], temp[x+w2]);
 b1 = COMPOSE_DAUB97iH0( b0, temp[x+w2-1], b2);
-b[2*x-1] = (b1 + 1) >> 1;
-b[2*x ] = (b2 + 1) >> 1;
+b[2*x-1] = ~((~b1) >> 1);
+b[2*x ] = ~((~b2) >> 1);
 b0 = b2;
 }
-b[w-1] = (COMPOSE_DAUB97iH0(b2, temp[w-1], b2) + 1) >> 1;
+b[w-1] = ~((~COMPOSE_DAUB97iH0(b2, temp[w-1], b2)) >> 1);
 }
 static void RENAME(vertical_compose_dirac53iH0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_b2,
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
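Review bot: `~((~b0) >> 1)` on the new `b[0]` line is not equivalent to the removed `(b0 + 1) >> 1`: with the arithmetic right shift FFmpeg assumes, `~((~x) >> 1)` reduces to `x >> 1`, so odd values are now rounded down instead of up (b0 = 1 gives 0 where the old line gave 1, b0 = 3 gives 1 instead of 2), and the same holds for the `b[2*x-1]`, `b[2*x ]` and `b[w-1]` lines. If round-half-up is the intended output of the inverse transform, `(b0 >> 1) + (b0 & 1)` reproduces the old result for every `int` including INT_MAX without the overflow, and the other three lines can take the same form. If the rounding change is intentional it needs a comment saying so, because the commit message describes the change only as an overflow fix.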
[FFmpeg-cvslog] avutil/pixfmt: Document chroma plane size for odd resolutions
ffmpeg | branch: release/3.2 | Michael Niedermayer | Wed Jul 18 22:22:35 2018 +0200| [b130cdb92332f94f9006544f8a47970d85013b46] | committer: Michael Niedermayer
avutil/pixfmt: Document chroma plane size for odd resolutions
Signed-off-by: Michael Niedermayer
(cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5)
Signed-off-by: Michael Niedermayer
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b130cdb92332f94f9006544f8a47970d85013b46
---
 libavutil/pixfmt.h | 4
 1 file changed, 4 insertions(+)
diff --git a/libavutil/pixfmt.h b/libavutil/pixfmt.h
index 7a3f68be7e..2b8f8129eb 100644
--- a/libavutil/pixfmt.h
+++ b/libavutil/pixfmt.h
@@ -42,6 +42,10 @@
  * This is stored as BGRA on little-endian CPU architectures and ARGB on
  * big-endian CPUs.
  *
+ * @note
+ * If the resolution is not a multiple of the chroma subsampling factor
+ * then the chroma plane resolution must be rounded up.
+ *
  * @par
  * When the pixel format is palettized RGB32 (AV_PIX_FMT_PAL8), the palettized
  * image data is stored in AVFrame.data[0]. The palette is transported in
___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] [ffmpeg-web] branch master updated. f17e468 web: Add FFmpeg 3.3.9
The branch, master has been updated via f17e4685e464ed07a201c59d7bfc5ff6ca9497bb (commit) from b847b31d71105bd0e537c119899f7284d1442a47 (commit) - Log - commit f17e4685e464ed07a201c59d7bfc5ff6ca9497bb Author: Michael Niedermayer AuthorDate: Sun Nov 18 02:18:56 2018 +0100 Commit: Michael Niedermayer CommitDate: Sun Nov 18 02:19:21 2018 +0100 web: Add FFmpeg 3.3.9 diff --git a/src/download b/src/download index d4ef0d0..cf05273 100644 --- a/src/download +++ b/src/download @@ -381,10 +381,10 @@ libpostproc54. 7.100 - FFmpeg 3.3.8 "Hilbert" + FFmpeg 3.3.9 "Hilbert" -3.3.8 was released on 2018-07-17. It is the latest stable FFmpeg release +3.3.9 was released on 2018-11-18. It is the latest stable FFmpeg release from the 3.3 release branch, which was cut from master on 2017-04-02. It includes the following library versions: @@ -402,19 +402,19 @@ libpostproc54. 5.100 - Download xz tarball - PGP signature + Download xz tarball + PGP signature - Download bzip2 tarball - PGP signature + Download bzip2 tarball + PGP signature - Download gzip tarball - PGP signature + Download gzip tarball + PGP signature - https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.8;>Changelog + https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n3.3.9;>Changelog https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/release/3.3:/RELEASE_NOTES;>Release Notes diff --git a/src/security b/src/security index 748a447..3ed5880 100644 --- a/src/security +++ b/src/security @@ -129,6 +129,14 @@ CVE-2017-17081, 127a362630e11fe724e2e63fc871791fdcbcfa64 FFmpeg 3.3 +3.3.9 + +Fixes following vulnerabilities: + + +CVE-2018-15822, 0026d007428a1ef5cd4e8f54bafc54c0306beab9 / 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10 + + 3.3.8 Fixes following vulnerabilities: --- Summary of changes: src/download | 18 +- src/security | 8 2 files changed, 17 insertions(+), 9 deletions(-) hooks/post-receive -- ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] Tag n3.3.9 : FFmpeg 3.3.9 release
[ffmpeg] [branch: refs/tags/n3.3.9] Tag:cc75da0e05c3981062b2e90a9ea9c609651df39b > http://git.videolan.org/gitweb.cgi/ffmpeg.git?a=tag;h=cc75da0e05c3981062b2e90a9ea9c609651df39b Tagger: Michael Niedermayer Date: Sun Nov 18 02:02:36 2018 +0100 FFmpeg 3.3.9 release ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] fftools/ffmpeg: Repair reinit_filter feature
ffmpeg | branch: release/3.3 | Michael Niedermayer | Tue Nov 13 20:29:40 2018 +0100| [3c4a874388a903abc03954c9d5220a47a5e11df6] | committer: Michael Niedermayer fftools/ffmpeg: Repair reinit_filter feature Signed-off-by: Michael Niedermayer (cherry picked from commit 35040048793bc5d19942277fe17d1235e915a7d8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c4a874388a903abc03954c9d5220a47a5e11df6
--- ffmpeg.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ffmpeg.c b/ffmpeg.c
index eb0f8b7c9c..b0ac1c6708 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -2154,9 +2154,6 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame)
/* determine if the parameters for this input changed */
need_reinit = ifilter->format != frame->format;
-if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
-(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data))
-need_reinit = 1;
switch (ifilter->ist->st->codecpar->codec_type) {
case AVMEDIA_TYPE_AUDIO:
@@ -2170,6 +2167,13 @@ static int ifilter_send_frame(InputFilter *ifilter, AVFrame *frame)
break;
}
+if (!ifilter->ist->reinit_filters && fg->graph)
+need_reinit = 0;
+
+if (!!ifilter->hw_frames_ctx != !!frame->hw_frames_ctx ||
+(ifilter->hw_frames_ctx && ifilter->hw_frames_ctx->data != frame->hw_frames_ctx->data))
+need_reinit = 1;
+
if (need_reinit) {
ret = ifilter_parameters_from_frame(ifilter, frame);
if (ret < 0)
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
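Review bot: The outcome now depends on statement order — the `reinit_filters` check zeroes `need_reinit` for format/parameter changes, and the hw_frames_ctx comparison placed after it re-raises the flag unconditionally — yet nothing in the second hunk says that precedence is intended, so a comment on the moved block, e.g. `/* a changed hw_frames_ctx must always reinit, even with -reinit_filter 0 */`, would keep a later tidy-up from reordering it again. With `-reinit_filter 0` and an existing graph, a frame whose format no longer matches `ifilter` is now handed to the old graph; presumably the graph rejects or converts it, but that is not visible in this hunk and is worth confirming. `fg` and `ret` are defined before the hunks and ifilter_send_frame() continues past them.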
[FFmpeg-cvslog] avcodec/shorten: Fix integer overflow with offset
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Nov 9 19:59:27 2018 +0100| [26610256798174b0216ae807d92af3e712b99040] | committer: Michael Niedermayer avcodec/shorten: Fix integer overflow with offset Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int' Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=26610256798174b0216ae807d92af3e712b99040
--- libavcodec/shorten.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index fa5ed3b64b..181d89f021 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -382,7 +382,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* subtract offset from previous samples to use in prediction */
if (command == FN_QLPC && coffset)
for (i = -pred_order; i < 0; i++)
-s->decoded[channel][i] -= coffset;
+s->decoded[channel][i] -= (unsigned)coffset;
/* decode residual and do LPC prediction */
init_sum = pred_order ? (command == FN_QLPC ? s->lpcqoffset : 0) : coffset;
@@ -397,7 +397,7 @@ static int decode_subframe_lpc(ShortenContext *s, int command, int channel,
/* add offset to current samples */
if (command == FN_QLPC && coffset)
for (i = 0; i < s->blocksize; i++)
-s->decoded[channel][i] += coffset;
+s->decoded[channel][i] += (unsigned)coffset;
return 0;
}
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
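Review bot: The `(unsigned)coffset` cast makes the wrap defined but silent: a corrupt stream that pushes `s->decoded[channel][i]` past the `int` range now yields wrapped sample values instead of undefined behaviour, which is the right fix for the sanitizer report, but the code gives no hint why the cast is there; suggest `/* unsigned: coffset can be arbitrary in corrupt streams, wrap instead of UB */` on the first site, and the same on the second hunk. Whether `coffset` is range-checked where it is read is not visible here; a bound at parse time would reject such streams earlier and keep the arithmetic here in range. decode_subframe_lpc() starts before the first hunk.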
[FFmpeg-cvslog] avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Oct 28 21:08:39 2018 +0100| [ecbf42e13a682481deb83eb4e63d56fe87a4b356] | committer: Michael Niedermayer avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case Fixes: Timeout Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896 Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ecbf42e13a682481deb83eb4e63d56fe87a4b356
--- libavcodec/mpegaudio_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpegaudio_parser.c b/libavcodec/mpegaudio_parser.c
index a072851ecf..04400a44e7 100644
--- a/libavcodec/mpegaudio_parser.c
+++ b/libavcodec/mpegaudio_parser.c
@@ -100,7 +100,7 @@ static int mpegaudio_parse(AVCodecParserContext *s1,
"MP3ADU full parser");
*poutbuf = NULL;
*poutbuf_size = 0;
-return 0; /* parsers must not return error codes */
+return buf_size; /* parsers must not return error codes */
}
break;
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
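Review bot: `return buf_size;` consumes the whole input so the caller no longer loops without progress, but the comment kept on that line, `/* parsers must not return error codes */`, explains only why no error is returned and not why the full size is; suggest `return buf_size; /* parsers must not return error codes; consume the input so the caller cannot spin on it */`. The bytes are then dropped silently via `*poutbuf = NULL`, which is presumably intended for an unsupported parser, though the message that precedes `"MP3ADU full parser"` is outside the visible lines. mpegaudio_parse() continues past the hunk.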
[FFmpeg-cvslog] Changelog: update
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Nov 18 01:33:38 2018 +0100| [9cba90e5ef03f741074d45e3e68741d26c6c1741] | committer: Michael Niedermayer Changelog: update Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9cba90e5ef03f741074d45e3e68741d26c6c1741
--- Changelog | 5 + 1 file changed, 5 insertions(+)
diff --git a/Changelog b/Changelog
index ea75538f17..126772a013 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,11 @@ Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
version 3.3.9:
+- avcodec/pngdec: Check compression method
+- fftools/ffmpeg: Repair reinit_filter feature
+- avcodec/shorten: Fix integer overflow with offset
+- avcodec/cavsdec: Propagate error codes inside decode_mb_i()
+- avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case
- avutil/integer: Fix integer overflow in av_mul_i()
- avcodec/msrle: Check that the input is large enough to contain a end of picture code
- avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/cavsdec: Propagate error codes inside decode_mb_i()
ffmpeg | branch: release/3.3 | Michael Niedermayer | Sun Nov 4 20:00:16 2018 +0100| [14c8795361a8b59c575cdce60961d9086aedd2b4] | committer: Michael Niedermayer avcodec/cavsdec: Propagate error codes inside decode_mb_i() Fixes: Timeout Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14c8795361a8b59c575cdce60961d9086aedd2b4
--- libavcodec/cavsdec.c | 29 + 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 79349b5005..b4ec6e996a 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -591,14 +591,21 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
}
-static inline void decode_residual_chroma(AVSContext *h)
+static inline int decode_residual_chroma(AVSContext *h)
{
-if (h->cbp & (1 << 4))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (h->cbp & (1 << 4)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
ff_cavs_chroma_qp[h->qp], h->cu, h->c_stride);
-if (h->cbp & (1 << 5))
-decode_residual_block(h, >gb, chroma_dec, 0,
+if (ret < 0)
+return ret;
+}
+if (h->cbp & (1 << 5)) {
+int ret = decode_residual_block(h, >gb, chroma_dec, 0,
ff_cavs_chroma_qp[h->qp], h->cv, h->c_stride);
+if (ret < 0)
+return ret;
+}
+return 0;
}
static inline int decode_residual_inter(AVSContext *h)
@@ -649,6 +656,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code)
uint8_t top[18];
uint8_t *left = NULL;
uint8_t *d;
+int ret;
ff_cavs_init_mb(h);
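Review bot: `decode_residual_chroma()` changes from `void` to `int` in the first hunk but its contract is left undocumented; suggest a line above the definition, `/* returns 0 on success, a negative error code if a chroma residual block fails to decode */`, since callers now have to check it. The two `int ret` declarations in sibling blocks could be a single `int ret;` at the top of the function, which would also match the `int ret;` the second hunk adds to `decode_mb_i()`. The uses of that second `ret` are in the following hunks, and `decode_mb_i()` continues past the end of this unit.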
@@ -692,8 +700,11 @@ static int decode_mb_i(AVSContext *h, int cbp_code) ff_cavs_load_intra_pred_luma(h, top, , block); h->intra_pred_l[h->pred_mode_Y[scan3x3[block]]] (d, top, left, h->l_stride); -if (h->cbp & (1l_stride); +if (h->cbp & (1 l_stride); +if (ret < 0) +return ret; +} } /* chroma intra prediction */ @@ -703,7 +714,9 @@ static int decode_mb_i(AVSContext *h, int cbp_code) h->intra_pred_c[pred_mode_uv](h->cv, >top_border_v[h->mbx * 10], h->left_border_v, h->c_stride); -decode_residual_chroma(h); +ret = decode_residual_chroma(h); +if (ret < 0) +return ret; ff_cavs_filter(h, I_8X8); set_mv_intra(h); return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
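Review bot: On the error path added in the last hunk, `decode_mb_i()` returns before `ff_cavs_filter(h, I_8X8)` and `set_mv_intra(h)` run, so this macroblock is left unfiltered and with whatever motion-vector state the previous macroblock set; that is presumably fine because the caller abandons the slice on a negative return, but it is not visible here and merits a one-line comment at the new return, e.g. `/* no deblocking/MV setup: the caller discards the slice on error */`. The luma hunk in the middle of this unit is mangled in the archive rendering (`(1l_stride)`), so the luma error path could not be reviewed. decode_mb_i() begins in the previous unit.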
[FFmpeg-cvslog] avcodec/pngdec: Check compression method
ffmpeg | branch: release/3.3 | Michael Niedermayer | Fri Nov 9 03:12:45 2018 +0100| [14778d3fda0a1fe83d6f40cd8ee1dcf4199b1f98] | committer: Michael Niedermayer avcodec/pngdec: Check compression method method 0 (inflate/deflate) is the only specified in the specification and the only supported Fixes: Timeout Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1f99674cc33f4c37def0a206e31ad7c4c1af) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14778d3fda0a1fe83d6f40cd8ee1dcf4199b1f98
--- libavcodec/pngdec.c | 4 1 file changed, 4 insertions(+)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 67a6e3f9d0..e25239780a 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -577,6 +577,10 @@ static int decode_ihdr_chunk(AVCodecContext *avctx, PNGDecContext *s,
}
s->color_type = bytestream2_get_byte(>gb);
s->compression_type = bytestream2_get_byte(>gb);
+if (s->compression_type) {
+av_log(avctx, AV_LOG_ERROR, "Invalid compression method %d\n", s->compression_type);
+goto error;
+}
s->filter_type = bytestream2_get_byte(>gb);
s->interlace_type = bytestream2_get_byte(>gb);
bytestream2_skip(>gb, 4); /* crc */
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
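Review bot: The new check rejects non-zero compression methods but leaves `s->filter_type`, read on the very next line, unvalidated in this hunk; PNG likewise defines only filter method 0, so the same pattern, `if (s->filter_type) { av_log(avctx, AV_LOG_ERROR, "Invalid filter method %d\n", s->filter_type); goto error; }`, would reject such streams at the IHDR rather than later, unless decode_ihdr_chunk() already does so outside the visible lines (the function continues past the hunk). A short comment on the added block, `/* only method 0 (deflate) is defined by the PNG spec and supported here */`, would carry the commit message's reasoning into the code. `%d` is fine for `s->compression_type` only if the field is `int` or narrower, which is not visible here.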
[FFmpeg-cvslog] avfilter: use av_clip_uintp2 instead of av_clip for 10b and 12b
ffmpeg | branch: master | Martin Vignali | Sat Nov 17 17:57:27 2018 +0100| [d3621b232142165d6641708de14c51b78bf2b2df] | committer: Paul B Mahol avfilter: use av_clip_uintp2 instead of av_clip for 10b and 12b > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3621b232142165d6641708de14c51b78bf2b2df --- libavfilter/vf_blend.c | 20 ++-- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavfilter/vf_blend.c b/libavfilter/vf_blend.c index c00773c924..80d3e24699 100644 --- a/libavfilter/vf_blend.c +++ b/libavfilter/vf_blend.c @@ -326,15 +326,15 @@ DEFINE_BLEND16(linearlight,av_clip_uint16((B < 32768) ? B + 2 * A - 65535 : B + #define DODGE(a, b) (((a) == 1023) ? (a) : FFMIN(1023, (((b) << 10) / (1023 - (a) DEFINE_BLEND16(addition, FFMIN(1023, A + B), 10) -DEFINE_BLEND16(grainmerge, av_clip(A + B - 512, 0, 1023), 10) +DEFINE_BLEND16(grainmerge, (int)av_clip_uintp2(A + B - 512, 10), 10) DEFINE_BLEND16(average,(A + B) / 2, 10) DEFINE_BLEND16(subtract, FFMAX(0, A - B), 10) DEFINE_BLEND16(multiply, MULTIPLY(1, A, B), 10) -DEFINE_BLEND16(multiply128, av_clip((A - 512) * B / 128. + 512, 0, 1023), 10) +DEFINE_BLEND16(multiply128, (int)av_clip_uintp2((A - 512) * B / 128. + 512, 10), 10) DEFINE_BLEND16(negation, 1023 - FFABS(1023 - A - B), 10) DEFINE_BLEND16(extremity, FFABS(1023 - A - B), 10) DEFINE_BLEND16(difference, FFABS(A - B), 10) -DEFINE_BLEND16(grainextract, av_clip(512 + A - B, 0, 1023), 10) +DEFINE_BLEND16(grainextract, (int)av_clip_uintp2(512 + A - B, 10), 10) DEFINE_BLEND16(screen, SCREEN(1, A, B), 10) DEFINE_BLEND16(overlay,(A < 512) ? MULTIPLY(2, A, B) : SCREEN(2, A, B), 10) DEFINE_BLEND16(hardlight, (B < 512) ? MULTIPLY(2, B, A) : SCREEN(2, B, A), 10) 
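Review bot: On the `multiply128` line the argument `(A - 512) * B / 128. + 512` is a `double`, so the value is still truncated toward zero by the implicit conversion to `av_clip_uintp2()`'s `int` parameter, exactly as it was with `av_clip()`; the new `(int)` cast on the result now makes it look as if that were the only conversion, so a comment such as `/* double -> int truncation happens in the call, as before */` would keep the next reader from "fixing" it. The same applies to the 12-bit `multiply128` line in the later hunk of this file. As far as I recall `av_clip_uintp2(x, p)` clamps an `int` to `[0, 2^p - 1]`, so the other replacements are behaviour-preserving; the `#define DODGE` line at the top of this hunk appears truncated in the archive rendering and could not be checked.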
@@ -343,7 +343,7 @@ DEFINE_BLEND16(heat, (A == 0) ? 0 : 1023 - FFMIN(((1023 - B) * (1023 - B)) DEFINE_BLEND16(freeze, (B == 0) ? 0 : 1023 - FFMIN(((1023 - A) * (1023 - A)) / B, 1023), 10) DEFINE_BLEND16(darken, FFMIN(A, B), 10) DEFINE_BLEND16(lighten,FFMAX(A, B), 10) -DEFINE_BLEND16(divide, av_clip(B == 0 ? 1023 : 1023 * A / B, 0, 1023), 10) +DEFINE_BLEND16(divide, (int)av_clip_uintp2(B == 0 ? 1023 : 1023 * A / B, 10), 10) DEFINE_BLEND16(dodge, DODGE(A, B), 10) DEFINE_BLEND16(burn, BURN(A, B), 10) DEFINE_BLEND16(softlight, (A > 511) ? B + (1023 - B) * (A - 511.5) / 511.5 * (0.5 - fabs(B - 511.5) / 1023): B - B * ((511.5 - A) / 511.5) * (0.5 - fabs(B - 511.5)/1023), 10) @@ -356,7 +356,7 @@ DEFINE_BLEND16(and,A & B, 10) DEFINE_BLEND16(or, A | B, 10) DEFINE_BLEND16(xor,A ^ B, 10) DEFINE_BLEND16(vividlight, (A < 512) ? BURN(2 * A, B) : DODGE(2 * (A - 512), B), 10) -DEFINE_BLEND16(linearlight,av_clip((B < 512) ? B + 2 * A - 1023 : B + 2 * (A - 512), 0, 1023), 10) +DEFINE_BLEND16(linearlight,(int)av_clip_uintp2((B < 512) ? B + 2 * A - 1023 : B + 2 * (A - 512), 10), 10) #undef MULTIPLY #undef SCREEN 
@@ -369,15 +369,15 @@ DEFINE_BLEND16(linearlight,av_clip((B < 512) ? B + 2 * A - 1023 : B + 2 * (A - 5 #define DODGE(a, b) (((a) == 4095) ? (a) : FFMIN(4095, (((b) << 12) / (4095 - (a) DEFINE_BLEND16(addition, FFMIN(4095, A + B), 12) -DEFINE_BLEND16(grainmerge, av_clip(A + B - 2048, 0, 4095), 12) +DEFINE_BLEND16(grainmerge, (int)av_clip_uintp2(A + B - 2048, 12), 12) DEFINE_BLEND16(average,(A + B) / 2, 12) DEFINE_BLEND16(subtract, FFMAX(0, A - B), 12) DEFINE_BLEND16(multiply, MULTIPLY(1, A, B), 12) -DEFINE_BLEND16(multiply128, av_clip((A - 2048) * B / 512. + 2048, 0, 4095), 12) +DEFINE_BLEND16(multiply128, (int)av_clip_uintp2((A - 2048) * B / 512. + 2048, 12), 12) DEFINE_BLEND16(negation, 4095 - FFABS(4095 - A - B), 12) DEFINE_BLEND16(extremity, FFABS(4095 - A - B), 12) DEFINE_BLEND16(difference, FFABS(A - B), 12) -DEFINE_BLEND16(grainextract, av_clip(2048 + A - B, 0, 4095), 12) +DEFINE_BLEND16(grainextract, (int)av_clip_uintp2(2048 + A - B, 12), 12) DEFINE_BLEND16(screen, SCREEN(1, A, B), 12) DEFINE_BLEND16(overlay,(A < 2048) ? MULTIPLY(2, A, B) : SCREEN(2, A, B), 12) DEFINE_BLEND16(hardlight, (B < 2048) ? MULTIPLY(2, B, A) : SCREEN(2, B, A), 12) @@ -386,7 +386,7 @@ DEFINE_BLEND16(heat, (A == 0) ? 0 : 4095 - FFMIN(((4095 - B) * (4095 - B)) DEFINE_BLEND16(freeze, (B == 0) ? 0 : 4095 - FFMIN(((4095 - A) * (4095 - A)) / B, 4095), 12) DEFINE_BLEND16(darken, FFMIN(A, B), 12) DEFINE_BLEND16(lighten,FFMAX(A, B), 12) -DEFINE_BLEND16(divide, av_clip(B == 0 ? 4095 : 4095 * A / B, 0, 4095), 12) +DEFINE_BLEND16(divide, (int)av_clip_uintp2(B == 0 ? 4095 : 4095 * A / B, 12), 12) DEFINE_BLEND16(dodge, DODGE(A, B), 12) DEFINE_BLEND16(burn, BURN(A, B), 12) DEFINE_BLEND16(softlight, (A > 2047) ? B + (4095 - B) * (A - 2047.5) / 2047.5 * (0.5 - fabs(B - 2047.5) / 4095): B - B * ((2047.5 - A) / 2047.5) * (0.5 - fabs(B - 2047.5)/4095), 12) @@ -399,7 +399,7 @@ DEFINE_BLEND16(and,A & B, 12) DEFINE_BLEND16(or,
[FFmpeg-cvslog] avutil/cuda_check: Make sure this passes make fate-source
ffmpeg | branch: master | Philip Langdale | Sat Nov 17 08:16:28 2018 -0800| [420ab946ace27e4b4bfb6c2be0a65a4ffd6e05a1] | committer: Philip Langdale avutil/cuda_check: Make sure this passes make fate-source The header guards were unnecessarily non-standard and the c file inclusion trick means the files dont't have standard licence headers. Based on a patch by: Martin Vignali > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=420ab946ace27e4b4bfb6c2be0a65a4ffd6e05a1
--- libavutil/cuda_check.h | 6 +++--- tests/ref/fate/source | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/libavutil/cuda_check.h b/libavutil/cuda_check.h
index 0d45538c2f..b8e5f65cbb 100644
--- a/libavutil/cuda_check.h
+++ b/libavutil/cuda_check.h
@@ -17,8 +17,8 @@
*/
-#ifndef FF_CUDA_CHECK_H
-#define FF_CUDA_CHECK_H
+#ifndef AVUTIL_CUDA_CHECK_H
+#define AVUTIL_CUDA_CHECK_H
/**
* Wrap a CUDA function call and print error information if it fails.
@@ -40,4 +40,4 @@ int ff_cuda_check(void *avctx,
#define FF_CUDA_CHECK_DL(avclass, cudl, x) ff_cuda_check(avclass, cudl->cuGetErrorName, cudl->cuGetErrorString, (x), #x)
-#endif /* FF_CUDA_CHECK_H */
+#endif /* AVUTIL_CUDA_CHECK_H */
diff --git a/tests/ref/fate/source b/tests/ref/fate/source
index 4b9467aa77..b35f016127 100644
--- a/tests/ref/fate/source
+++ b/tests/ref/fate/source
@@ -1,6 +1,7 @@
Files without standard license headers:
compat/avisynth/windowsPorts/basicDataTypeConversions.h
compat/avisynth/windowsPorts/windows2linux.h
+libavcodec/cuda_check.c
libavcodec/file_open.c
libavcodec/ilbcdata.h
libavcodec/ilbcdec.c
@@ -9,6 +10,7 @@ libavcodec/log2_tab.c
libavcodec/reverse.c
libavdevice/file_open.c
libavdevice/reverse.c
+libavfilter/cuda_check.c
libavfilter/log2_tab.c
libavformat/file_open.c
libavformat/golomb_tab.c
___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avfilter/vf_neighbor: fix >8 bit deflate/inflate
ffmpeg | branch: master | Paul B Mahol | Sat Nov 17 11:07:58 2018 +0100| [fbea2ea76ef9ec7119e91783bd7e460b2404df12] | committer: Paul B Mahol avfilter/vf_neighbor: fix >8 bit deflate/inflate > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbea2ea76ef9ec7119e91783bd7e460b2404df12
--- libavfilter/vf_neighbor.c | 43 +++ 1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/libavfilter/vf_neighbor.c b/libavfilter/vf_neighbor.c
index 2db1e5e57c..e50d4b4ed0 100644
--- a/libavfilter/vf_neighbor.c
+++ b/libavfilter/vf_neighbor.c
@@ -41,10 +41,12 @@ typedef struct NContext {
int coordinates;
int depth;
+int max;
int bpc;
void (*filter)(uint8_t *dst, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord);
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc);
} NContext;
static int query_formats(AVFilterContext *ctx)
@@ -74,7 +76,8 @@ static int query_formats(AVFilterContext *ctx)
}
static void erosion(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
{
int x, i;
@@ -94,7 +97,8 @@ static void erosion(uint8_t *dst, const uint8_t *p1, int width,
}
static void erosion16(uint8_t *dstp, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
{
uint16_t *dst = (uint16_t *)dstp;
int x, i;
@@ -115,7 +119,8 @@ static void erosion16(uint8_t *dstp, const uint8_t *p1, int width,
}
static void dilation(uint8_t *dst, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
{
int x, i;
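Review bot: `maxc` is added to the signatures of the 8-bit `erosion()` and `dilation()` here (and of `deflate()`/`inflate()` in the next unit) only to keep the `filter` function-pointer type uniform; their visible bodies never read it, which `-Wunused-parameter` will flag and which a reader may mistake for a missed clamp. A comment at each 8-bit definition, e.g. `/* maxc unused: the 8-bit variants clamp to 255 */`, or a short doc line on the `filter` member in `NContext` saying `maxc` is the depth's maximum sample value, would make the intent explicit. Where the new `NContext.max` field is initialised lies in the hunk cut off at the end of this diff, so the value actually passed as `maxc` could not be checked.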
@@ -135,14 +140,15 @@ static void dilation(uint8_t *dst, const uint8_t *p1, int width,
}
static void dilation16(uint8_t *dstp, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
{
uint16_t *dst = (uint16_t *)dstp;
int x, i;
for (x = 0; x < width; x++) {
int max = AV_RN16A([x * 2]);
-int limit = FFMIN(max + threshold, 255);
+int limit = FFMIN(max + threshold, maxc);
for (i = 0; i < 8; i++) {
if (coord & (1 << i)) {
@@ -156,7 +162,8 @@ static void dilation16(uint8_t *dstp, const uint8_t *p1, int width,
}
static void deflate(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
{
int x, i;
@@ -171,7 +178,8 @@ static void deflate(uint8_t *dst, const uint8_t *p1, int width,
}
static void deflate16(uint8_t *dstp, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
{
uint16_t *dst = (uint16_t *)dstp;
int x, i;
@@ -182,12 +190,13 @@ static void deflate16(uint8_t *dstp, const uint8_t *p1, int width,
for (i = 0; i < 8; sum += AV_RN16A(coordinates[i++] + x * 2));
-dst[x] = FFMAX(FFMIN(sum / 8, p1[x]), limit);
+dst[x] = FFMAX(FFMIN(sum / 8, AV_RN16A([2 * x])), limit);
}
}
static void inflate(uint8_t *dst, const uint8_t *p1, int width,
-int threshold, const uint8_t *coordinates[], int coord)
+int threshold, const uint8_t *coordinates[], int coord,
+int maxc)
{
int x, i;
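Review bot: The substantive fix is in the `deflate16()` hunk, where the averaged neighbourhood is now compared against the 16-bit sample read through `AV_RN16A` (presumably `&p1[2 * x]`, the `&` having been dropped by the list archive) instead of the 8-bit `p1[x]`; the `limit` that result is clamped to is computed before the hunk and is not visible, so whether it too needed a depth-dependent bound cannot be judged here, and a comment on the changed line, `/* compare against the 16-bit sample, not the low byte */`, would record why the read changed. The same index is written `[2 * x]` in `deflate16()` but `[x * 2]` in `dilation16()` here and in `inflate16()` in the next unit; using one form throughout would make the four 16-bit loops read alike. `deflate16()` starts in an earlier hunk of this unit and its loop header is outside the last hunk.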
@@ -202,18 +211,19 @@ static void inflate(uint8_t *dst, const uint8_t *p1, int width,
}
static void inflate16(uint8_t *dstp, const uint8_t *p1, int width,
- int threshold, const uint8_t *coordinates[], int coord)
+ int threshold, const uint8_t *coordinates[], int coord,
+ int maxc)
{
uint16_t *dst = (uint16_t *)dstp;
int x, i;
for (x = 0; x < width; x++) {
int sum = 0;
-int limit = FFMIN(AV_RN16A([2 * x]) + threshold, 255);
+int limit = FFMIN(AV_RN16A([2 * x]) + threshold, maxc);
for (i = 0; i < 8; sum += AV_RN16A(coordinates[i++] + x * 2));
-dst[x] = FFMIN(FFMAX(sum / 8, p1[x]), limit);
+dst[x] = FFMIN(FFMAX(sum / 8, AV_RN16A([x * 2])), limit);
}
}
@@ -224,6 +234,7 @@ static int