[FFmpeg-cvslog] Update for FFmpeg 4.3.4
ffmpeg | branch: release/4.3 | Michael Niedermayer | Wed Apr 6 20:40:59 2022 +0200| [e681f720f8394b66469f500a0a2aedadc1b01374] | committer: Michael Niedermayer Update for FFmpeg 4.3.4 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e681f720f8394b66469f500a0a2aedadc1b01374 --- Changelog| 55 +++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 57 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 541dfc77bd..430e826369 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,61 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.3.4: + avcodec/diracdec: avoid signed integer overflow in global mv + avcodec/takdsp: Fix integer overflow in decorrelate_sf() + avcodec/apedec: fix a integer overflow in long_filter_high_3800() + avfilter/vf_subtitles: pass storage size to libass + avformat/aqtitledec: Skip unrepresentable durations + avformat/cafdec: Do not store empty keys in read_info_chunk() + avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing + avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() + avformat/mxfdec: Check count in mxf_read_strong_ref_array() + avformat/hls: Check target_duration + avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() + avformat/matroskadec: Check pre_ns + avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior + avcodec/mjpegbdec: Set buf_size + avformat/matroskadec: Use rounded down duration in get_cue_desc() check + avcodec/g729_parser: Check channels + avformat/avidec: Check height + avformat/rmdec: Better duplicate tags check + avformat/mov: Disallow empty sidx + avformat/matroskadec: Check duration + avformat/mov: Corner case encryption error cleanup in mov_read_senc() + avcodec/jpeglsdec: Fix if( code style + avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error + avcodec/motion_est: fix indention of ff_get_best_fcode() + avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() + avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned + avformat/matroskadec: Check desc_bytes + avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() + avformat/matroskadec: Fix infinite loop with bz decompression + avformat/mov: Check size before subtraction + avcodec/apedec: Fix integer overflows in predictor_update_3930() + avcodec/apedec: fix integer overflow in 
8bit samples + avformat/flvdec: timestamps cannot use the full int64 range + avcodec/vqavideo: reset accounting on error + avcodec/alacdsp: fix integer overflow in decorrelate_stereo() + avformat/4xm: Check for duplicate track ids + avformat/4xm: Consider max_streams on reallocating tracks array + avformat/mov: Check next offset in mov_read_dref() + avformat/vivo: Favor setting fps from explicit fractions + avformat/vivo: Do not use the general expression evaluator for parsing a floating point value + avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() + avcodec/apedec: Change avg to uint32_t + avformat/mov: Disallow duplicate smdm + avformat/mov: Check for EOF in mov_read_glbl() + avcodec/vp3: Check version in all cases when VP4 code is not built + avformat/mov: Check channels for mov_parse_stsd_audio() + avformat/avidec: Check read_odml_index() for failure + avformat/aiffdec: Use av_rescale() for bitrate + avformat/aiffdec: sanity check block_align + avformat/aiffdec: Check sample_rate + avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE + avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure + configure: Add missing libshine->mpegaudioheader dependency + version 4.3.3: avcodec/ttadsp: Fix integer overflows in tta_filter_process_c() avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results diff --git a/RELEASE b/RELEASE index e91d9be2a8..eda862a98c 100644 --- a/RELEASE +++ b/RELEASE @@ -1 +1 @@ -4.3.3 +4.3.4 diff --git a/doc/Doxyfile b/doc/Doxyfile index ff426797ca..5d357c2b57 100644 --- a/doc/Doxyfile +++ b/doc/Doxyfile 
@@ -38,7 +38,7 @@ PROJECT_NAME = FFmpeg # could be handy for archiving the generated documentation or if some version # control system is used. -PROJECT_NUMBER = 4.3.3 +PROJECT_NUMBER = 4.3.4 # Using the PROJECT_BRIEF tag one can provide an optional one line description # for a project that appears at the top of each page and should give viewer a ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
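Review bot: In the Changelog hunk, the new "version 4.3.4" block lists every backport by commit subject alone, so fixes for input-triggered failures (for example "avformat/matroskadec: Fix infinite loop with bz decompression" and "avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()") cannot be told apart from cosmetic entries such as "avcodec/jpeglsdec: Fix if( code style". For a point release on a maintenance branch, marking or grouping the entries that affect handling of untrusted input would help downstream packagers decide what to pick up. The RELEASE and doc/Doxyfile hunks agree on 4.3.4.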
[FFmpeg-cvslog] avcodec/diracdec: avoid signed integer overflow in global mv
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Mar 21 20:51:47 2022 +0100| [a671e181286785d8fdd69f8ec17c5814727d32f7] | committer: Michael Niedermayer avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a671e181286785d8fdd69f8ec17c5814727d32f7 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index ed42bc366a..b1d82ed3e1 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1431,8 +1431,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
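Review bot: The rounding term in the trailing context line "block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);" is still an int shift, so the multiplication fix named in the subject does not cover the case where ez+ep reaches 31 or more. If the bitstream allows that, write the constant as a 64-bit value (1LL << (ez+ep)) or range-check ez+ep where it is parsed. The changed lines themselves are not legible in this archived copy, so this comment applies only to the context that is shown.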
[FFmpeg-cvslog] avcodec/takdsp: Fix integer overflow in decorrelate_sf()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Mar 28 00:26:06 2022 +0200| [5359c1ceda217b1bcb5b8579873a1107f211528f] | committer: Michael Niedermayer avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5359c1ceda217b1bcb5b8579873a1107f211528f --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; -b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; +b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
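Review bot: The replacement line in decorrelate_sf() avoids the signed overflow by multiplying in unsigned, but it then depends on two implementation-defined steps, the (int) conversion of an out-of-range unsigned value and the ">> 8" of a possibly negative int, and the nested casts give no hint of that. A one-line comment stating that the multiply is meant to wrap modulo 2^32 and that an arithmetic shift is assumed would keep a later cleanup from simplifying the casts back into the undefined form.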
[FFmpeg-cvslog] avcodec/apedec: fix a integer overflow in long_filter_high_3800()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Mar 28 00:12:17 2022 +0200| [d909850308eb08f7ade9b1585ef30d997091f740] | committer: Michael Niedermayer avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d909850308eb08f7ade9b1585ef30d997091f740 --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 43d7110c57..23f4d3a093 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -928,7 +928,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } -buffer[i] -= dotprod >> shift; +buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
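Review bot: The (unsigned) cast added to "buffer[i] -= ..." in long_filter_high_3800() makes the subtraction wrap instead of overflowing, but the wrapped result is stored back into buffer[i] and copied into delay[order - 1] two lines later, so the filter keeps running on a value no valid stream would produce. If decoding on with wrapped samples is the intended behaviour, a short comment at the cast saying so would stop it being removed as redundant; nothing in the hunk currently explains why the cast is there.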
[FFmpeg-cvslog] avfilter/vf_subtitles: pass storage size to libass
ffmpeg | branch: release/4.3 | Oneric | Wed Mar 23 20:43:54 2022 +0100| [f160c24f77353f8049b66ce76f235afc08922f3a] | committer: Michael Niedermayer avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f160c24f77353f8049b66ce76f235afc08922f3a --- libavfilter/vf_subtitles.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index 61f8d90990..64ddc5fa9c 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(>draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); -if (ass->original_w && ass->original_h) +if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x0101 +ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); +} else { +ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif +} + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
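Review bot: The braces of the if/else in config_input() are split across the "#if LIBASS_VERSION > 0x0101" block: the "} else {" sits inside the conditional while the final closing brace is after the #endif. Both preprocessor outcomes balance, but the construct is easy to break on the next edit. Guarding each ass_set_storage_size() call separately, so that every branch keeps its own complete braces, would be clearer.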
[FFmpeg-cvslog] avformat/aqtitledec: Skip unrepresentable durations
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Mar 20 00:07:50 2022 +0100| [e1a5738b73b7136fcc118c4528409d34c54e7e4f] | committer: Michael Niedermayer avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1a5738b73b7136fcc118c4528409d34c54e7e4f --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 81630d73b0..960a5d8ef5 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { -sub->duration = frame - sub->pts; +if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) +sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
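Review bot: When the new condition in aqt_read_header() is false, sub->duration is silently left at whatever value it already had and the event is still kept. The range check itself is sound (the uint64_t subtraction cannot overflow once frame >= sub->pts holds), but please state in a comment what duration such an event ends up with, and consider an av_log() warning so a file with out-of-order or extreme frame numbers is visible to the user rather than quietly producing odd subtitles.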
[FFmpeg-cvslog] avformat/cafdec: Do not store empty keys in read_info_chunk()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Mar 19 23:36:22 2022 +0100| [4d1674cccf3bf855e7e3970efcff5d8c4bc55904] | committer: Michael Niedermayer avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d1674cccf3bf855e7e3970efcff5d8c4bc55904 --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index e5d6fbf39c..5c22678a38 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -241,6 +241,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); +if (!*key) +continue; av_dict_set(>metadata, key, value, 0); } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
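Review bot: The two avio_get_str() calls in read_info_chunk() still ignore their return values, so the added "if (!*key) continue;" avoids the dictionary work for empty keys but the loop itself keeps iterating on a truncated file. The loop header is not visible in this hunk; if its bound comes from the file, breaking out when avio_feof(pb) is set would bound the iteration count by the data actually present rather than by a declared entry count.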
[FFmpeg-cvslog] avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Mar 13 00:37:35 2022 +0100| [a9045143da8c75f051acab71a2f0046b9c473e9e] | committer: Michael Niedermayer avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing Signed-off-by: Michael Niedermayer (cherry picked from commit 7aebdb8bf1fc3e09263617a7f49101cba2d43804) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9045143da8c75f051acab71a2f0046b9c473e9e --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 34e4cc984b..be6f6b6e27 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -861,7 +861,7 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) *count = c; av_free(*refs); -*refs = av_calloc(*count, sizeof(UID)); +*refs = av_malloc_array(*count, sizeof(UID)); if (!*refs) { *count = 0; return AVERROR(ENOMEM); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
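Review bot: Switching *refs from av_calloc() to av_malloc_array() in mxf_read_strong_ref_array() means the array holds uninitialised heap bytes until avio_read() fills it, so the change is only safe while every short-read or error path cuts *count down to the number of UIDs actually read. The commit message gives no reason for the change and carries no Fixes: line; please state the motivation and add a comment at the allocation noting the dependency on the read check, so the two are not separated by a later edit.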
[FFmpeg-cvslog] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Mar 13 00:36:55 2022 +0100| [565bb5fe7be9fbf58b98654684cfed08e43f1fdf] | committer: Michael Niedermayer avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() Fixes: 42827/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4900528511909888 Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8d6f49cfc339825f3f3f8a910e4bb4c0f822db1f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=565bb5fe7be9fbf58b98654684cfed08e43f1fdf --- libavformat/mxfdec.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 9e52e60595..34e4cc984b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -852,6 +852,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { +int64_t ret; unsigned c = avio_rb32(pb); //avio_read() used int @@ -866,7 +867,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) return AVERROR(ENOMEM); } avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */ -avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); +ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); +if (ret != *count * sizeof(UID)) { +*count = ret < 0 ? 0 : ret / sizeof(UID); +return ret < 0 ? ret : AVERROR_INVALIDDATA; +} + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
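Review bot: The new check "if (ret != *count * sizeof(UID))" compares an int64_t with a size_t expression, so a negative ret is caught only because it converts to a large unsigned value. It behaves correctly as written, but computing the expected byte count once into a local of the same signed type as ret and comparing against that would make both the comparison and the "ret / sizeof(UID)" on the next line easier to verify.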
[FFmpeg-cvslog] avformat/mxfdec: Check count in mxf_read_strong_ref_array()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Mar 13 00:34:52 2022 +0100| [b88abd3ac2e824ac216c8d607dd46dc1a5ee4161] | committer: Michael Niedermayer avformat/mxfdec: Check count in mxf_read_strong_ref_array() Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3015c556f316d4ab364ed55e8bc97cc0f2cc57a3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b88abd3ac2e824ac216c8d607dd46dc1a5ee4161 --- libavformat/mxfdec.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 442d652cf6..9e52e60595 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -852,7 +852,13 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { -*count = avio_rb32(pb); +unsigned c = avio_rb32(pb); + +//avio_read() used int +if (c > INT_MAX / sizeof(UID)) +return AVERROR_PATCHWELCOME; +*count = c; + av_free(*refs); *refs = av_calloc(*count, sizeof(UID)); if (!*refs) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
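Review bot: The early "return AVERROR_PATCHWELCOME;" in mxf_read_strong_ref_array() happens before av_free(*refs) and before *count is assigned, so on that path the caller keeps whatever array and count were there from an earlier call. Please confirm every caller treats the error as fatal for that object, or free *refs and zero *count before returning. Since the oversized count comes straight from the file, AVERROR_INVALIDDATA may also describe the condition better than PATCHWELCOME, and the "//avio_read() used int" comment could say that the limit exists because the byte count passed to avio_read() must fit in an int.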
[FFmpeg-cvslog] avformat/hls: Check target_duration
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Mar 20 22:54:31 2022 +0100| [023b7e79792020af978c1743d565ae4326395dc6] | committer: Michael Niedermayer avformat/hls: Check target_duration Fixes: signed integer overflow: 77 * 100 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=023b7e79792020af978c1743d565ae4326395dc6 --- libavformat/hls.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index a831e3f10c..a48c081ece 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -813,10 +813,16 @@ static int parse_playlist(HLSContext *c, const char *url, ); new_rendition(c, , url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", )) { +int64_t t; ret = ensure_playlist(c, , url); if (ret < 0) goto fail; -pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; +t = strtoll(ptr, NULL, 10); +if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { +ret = AVERROR_INVALIDDATA; +goto fail; +} +pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", )) { ret = ensure_playlist(c, , url); if (ret < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
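Review bot: The strtoll(ptr, NULL, 10) call for #EXT-X-TARGETDURATION still passes NULL as the end pointer, so a value with no digits parses as 0 and passes the new range check just like a genuine zero. Passing an end pointer and rejecting the tag when no digits were consumed would close that gap; the overflow side is fine, since strtoll() saturates and the "t >= INT64_MAX / AV_TIME_BASE" test catches the saturated value.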
[FFmpeg-cvslog] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Feb 8 00:43:56 2022 +0100| [2be7eea6486c843767002a56272538650481c059] | committer: Michael Niedermayer avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2be7eea6486c843767002a56272538650481c059 --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 2cd0600472..e35ca6743c 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) -s->predictor_k[i] *= s->tap_quant[i]; +s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
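Review bot: The (unsigned) cast on s->tap_quant[i] in the dequantize loop removes the undefined behaviour, but the wrapped product is still stored in s->predictor_k[i] and used as a predictor coefficient. If a valid stream can never produce a product that large, returning AVERROR_INVALIDDATA when it does not fit would be a stricter fix than wrapping; if wrapping is intended, a comment would help. The subject says predictor_k is made unsigned while the cast is applied to tap_quant, which is worth aligning.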
[FFmpeg-cvslog] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Oct 26 21:30:19 2020 +0100| [a1baef131a11bd582196139cdee8892d667481a8] | committer: Michael Niedermayer avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 107374182400 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a1baef131a11bd582196139cdee8892d667481a8 --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index 78f571cd5f..60075d16ed 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); -dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); +dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); -dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); +dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
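Review bot: Casting scale to uint64_t in both filterfn() hunks makes the whole product unsigned, so the final ">> 32" becomes a logical shift and no longer sign-extends a negative result. The value reaching av_clip_int16() is the same as before only if that function's parameter is a 32-bit int, so that the upper bits are discarded on conversion. Please add a comment at one of the two sites stating that assumption, or cast the shifted result to int explicitly so the narrowing is visible in the code.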
[FFmpeg-cvslog] avcodec/mjpegbdec: Set buf_size
ffmpeg | branch: release/4.3 | Michael Niedermayer | Fri Mar 11 20:25:48 2022 +0100| [b19cc796eab6020c54bda92157fa5c2e84525a57] | committer: Michael Niedermayer avcodec/mjpegbdec: Set buf_size Fixes: Timeout Fixes: 45170/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5874820431085568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b19cc796eab6020c54bda92157fa5c2e84525a57 --- libavcodec/mjpegbdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 19875a2ddb..3fab4a66bc 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; s->got_picture = 0; s->adobe_transform = -1; +s->buf_size = buf_size; read_header: /* reset on every SOI */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
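Review bot: The new "s->buf_size = buf_size;" is placed before the read_header: label, which the comment says is re-entered "on every SOI", so the field is set once per packet and not refreshed when parsing jumps back to the label. If the consumer of s->buf_size expects the bytes remaining from the current position, that needs confirming. The commit message names only "Timeout"; one line saying which reader of s->buf_size was previously working from a stale value would make the fix reviewable.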
[FFmpeg-cvslog] avformat/matroskadec: Check pre_ns
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Feb 13 15:20:02 2022 +0100| [90ef9b5139b65dd6b4814f48f7af770fd49ec01f] | committer: Michael Niedermayer avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90ef9b5139b65dd6b4814f48f7af770fd49ec01f --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index e4f55dd372..422643060c 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4058,6 +4058,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; +if (pre_ns <= 0) +return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
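Review bot: The division that fails is by pre_sec two lines below, while the new check tests pre_ns. If pre_sec or nano_seconds_per_second is an integer type, any pre_ns between 1 and one second's worth of nanoseconds still yields pre_sec == 0; their declarations are not in the hunk, so please confirm they are floating point or move the test onto pre_sec. The bare "return -1;" also deserves a note that -1 is this function's error convention rather than an AVERROR code.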
[FFmpeg-cvslog] avformat/matroskadec: Use rounded down duration in get_cue_desc() check
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Mar 10 23:24:49 2022 +0100| [5032883c3473b9d972bc5db57323e5633a6407e6] | committer: Michael Niedermayer avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5032883c3473b9d972bc5db57323e5633a6407e6 --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 25844ddfc4..e4f55dd372 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3867,7 +3867,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; -if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + +if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) +return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
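Review bot: The (int64_t) cast of "matroska->duration * matroska->time_scale" in get_cue_desc() is itself undefined when the double product is outside the int64_t range, and duration comes from the file. A range test on the product before the cast (or clamping duration where it is read) would cover that; as written the fix addresses the rounding mismatch that caused the infinite loop but leaves the conversion unguarded.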
[FFmpeg-cvslog] avcodec/g729_parser: Check channels
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Feb 27 14:43:04 2022 +0100| [fa2e4afe8d0a23fac37392ef6506cfc9841f8d3d] | committer: Michael Niedermayer avcodec/g729_parser: Check channels Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int' Fixes: assertion failure Fixes: ticket9651 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa2e4afe8d0a23fac37392ef6506cfc9841f8d3d --- libavcodec/g729_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index 010f688104..ef08b48bf3 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -49,6 +49,9 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN) s->block_size++; +// channels > 2 is invalid, we pass the packet on unchanged +if (avctx->channels > 2) +s->block_size = 0; s->block_size *= avctx->channels; s->duration = avctx->frame_size; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
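Review bot: The new check in g729_parse() bounds avctx->channels only from above, so a negative channel count would still flow into "s->block_size *= avctx->channels;" and leave a negative block size. Testing for channels < 1 as well as channels > 2 would make the guard complete. The comment relies on block_size == 0 meaning "pass the packet on unchanged"; pointing to where that is handled would help the reader.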
[FFmpeg-cvslog] avformat/avidec: Check height
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Feb 27 21:44:29 2022 +0100| [0225b8947b8f0c06441e6e82437968a5e4e7378e] | committer: Michael Niedermayer avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0225b8947b8f0c06441e6e82437968a5e4e7378e --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 21b234b2de..e7e8126590 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -844,6 +844,8 @@ static int avi_read_header(AVFormatContext *s) memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } +if (st->codecpar->height == INT_MIN) +return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); //avio_skip(pb, size - 5 * 4); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
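Review bot: The new INT_MIN check in avi_read_header() leaves through a bare "return AVERROR_INVALIDDATA;" in the middle of header parsing. Please confirm that nothing allocated earlier in the function needs releasing on that path, or route it through the function's existing failure exit if it has one. The test itself is the right guard for FFABS(), since INT_MIN is the one value whose negation is not representable.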
[FFmpeg-cvslog] avformat/rmdec: Better duplicate tags check
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Feb 24 00:26:08 2022 +0100| [7251a22f97f223ac16b9bd1567b9544d1910e63b] | committer: Michael Niedermayer avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7251a22f97f223ac16b9bd1567b9544d1910e63b --- libavformat/rmdec.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 67a68bb2d0..b0aced5db9 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -128,10 +128,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; -// Duplicate tags -if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) -return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -331,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; +// Duplicate tags +if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN +&& st->codecpar->codec_type != AVMEDIA_TYPE_DATA) +return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
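Review bot: The relocated "// Duplicate tags" check in ff_rm_read_mdpr_codecdata() now accepts both AVMEDIA_TYPE_UNKNOWN and AVMEDIA_TYPE_DATA as "not yet set", but the comment does not say why DATA is exempt. Please extend the comment with the reason. Note also that the check sits after the "codec_data_size == 0" early return, so a repeated tag with empty codec data is still accepted; that looks harmless because nothing is parsed, but it is worth stating.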
[FFmpeg-cvslog] avformat/mov: Disallow empty sidx
ffmpeg | branch: release/4.3 | Michael Niedermayer | Wed Mar 2 13:01:53 2022 +0100| [54a0324ad96e74e82c33e72af7c6b360a7415863] | committer: Michael Niedermayer avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54a0324ad96e74e82c33e72af7c6b360a7415863 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6418e07c66..cc4a10f1bb 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5104,6 +5104,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); +if (item_count == 0) +return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
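Review bot: in mov_read_sidx(), the new `item_count == 0` rejection returns AVERROR_INVALIDDATA without an av_log() call, so a user sees a failure with no hint that an empty sidx caused it. Add an error message, and consider moving the specification sentence quoted in the commit message into a code comment next to the check.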
[FFmpeg-cvslog] avformat/matroskadec: Check duration
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Feb 14 20:01:35 2022 +0100| [69691dbb3aee0202ea3224f68c7f410db6c23da1] | committer: Michael Niedermayer avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69691dbb3aee0202ea3224f68c7f410db6c23da1 --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index faef93a42a..25844ddfc4 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2906,6 +2906,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 100; +if (isnan(matroska->duration)) +matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
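Review bot: in matroska_read_header(), only NaN is filtered before `matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE` is stored into ctx->duration; an infinite or very large finite duration passes `isnan()` and can still produce a value outside the range of the integer destination. Consider checking the computed product against the representable range, or rejecting non-finite values, rather than testing for NaN alone.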
[FFmpeg-cvslog] avformat/mov: Corner case encryption error cleanup in mov_read_senc()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Wed Feb 9 22:01:03 2022 +0100| [56c8235332298d548b519cd88e813a7bfec58291] | committer: Michael Niedermayer avformat/mov: Corner case encryption error cleanup in mov_read_senc() Fixes: memleak Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56c8235332298d548b519cd88e813a7bfec58291 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index e6785e884e..6418e07c66 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6108,6 +6108,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); +if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
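Review bot: in the EOF branch of mov_read_senc(), `encryption_index->encrypted_samples[i]` is freed but the slot is not set to NULL in this hunk. If the cleanup that runs once ret is negative walks the array up to and including index i, that entry would be freed twice; please confirm the cleanup bound or clear the pointer after av_encryption_info_free(). The `ret >= 0` condition would also benefit from a comment saying what it distinguishes.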
[FFmpeg-cvslog] avcodec/jpeglsdec: Fix if( code style
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Feb 15 21:01:06 2022 +0100| [2dcc5ef71097a263c0c088dbdce07391b1946809] | committer: Michael Niedermayer avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2dcc5ef71097a263c0c088dbdce07391b1946809 --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index a256f8b22d..b2c77e311e 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(>gb, 16); s->reset = get_bits(>gb, 16); -if(s->avctx->debug & FF_DEBUG_PICT_INFO) { +if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; -if(s->avctx->debug & FF_DEBUG_PICT_INFO) { +if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } -if(FFABS(ret) > 0x) +if (FFABS(ret) > 0x) return -0x1; /* update state */ state->A[Q] += FFABS(ret) - RItype; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Feb 12 22:02:13 2022 +0100| [d06715c5c2f02b161ea4663a998d9666a78e2c38] | committer: Michael Niedermayer avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d06715c5c2f02b161ea4663a998d9666a78e2c38 --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 6295c03ffa..a256f8b22d 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); +if (ret < 0) +return -0x1; /* decode mapped error */ map = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
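Review bot: the new `ret < 0` branch in ls_get_code_runterm() returns a bare negative hex literal as its error value, and nothing in the hunk tells callers how to distinguish it from a legitimately decoded negative value. A named constant, or a comment documenting the sentinel, would make the contract checkable.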
[FFmpeg-cvslog] avcodec/motion_est: fix indention of ff_get_best_fcode()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Wed Feb 9 10:31:34 2022 +0100| [ca7ee1cd2687d170c1400d26847b15a39a6bd8b7] | committer: Michael Niedermayer avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ca7ee1cd2687d170c1400d26847b15a39a6bd8b7 --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index ae112d03a3..410c94e901 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; -if(mx >= range || mx < -range || - my >= range || my < -range) -continue; +if (mx >= range || mx < -range || +my >= range || my < -range) +continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Feb 8 21:38:50 2022 +0100| [9a7effc78d803276494cb1d455392d50a442339e] | committer: Michael Niedermayer avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a7effc78d803276494cb1d455392d50a442339e --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 02c75fd470..ae112d03a3 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; -for(x=0; xmb_width; x++){ +for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } -xy++; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
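Review bot: the commit message says this code path is untested and that no test results change, so the move of `xy++` into the for header of ff_get_best_fcode() lands without coverage. The change itself reads correctly, since an increment at the end of the loop body is skipped whenever the body is left early on a range violation, but a regression test that feeds a motion vector outside the range would keep it from coming back.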
[FFmpeg-cvslog] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Feb 5 20:41:08 2022 +0100| [228d0067903f34054c797907458206d943faf0ab] | committer: Michael Niedermayer avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=228d0067903f34054c797907458206d943faf0ab --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index df7c5fadae..6295c03ffa 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; -for (k = 0; (state->N[Q] << k) < temp; k++) +for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
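Review bot: in ls_get_code_runterm(), the `(unsigned)` cast removes the signed-shift overflow, but the loop `for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)` still has no upper bound on k. If the shifted value never reaches temp, for example when N[Q] is 0 and temp is positive, k can grow to the width of the type, where the shift is undefined again. Consider bounding k explicitly; if temp is a signed int, note also that the comparison is now carried out in unsigned arithmetic.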
[FFmpeg-cvslog] avformat/matroskadec: Fix infinite loop with bz decompression
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Feb 3 22:46:55 2022 +0100| [2564ac2764eaf2f7dbf3725b31cadf4f24479a8f] | committer: Michael Niedermayer avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2564ac2764eaf2f7dbf3725b31cadf4f24479a8f --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 25e629d358..2d57789a59 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1643,7 +1643,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; -if (inflateInit() != Z_OK) +if (!pkt_size || inflateInit() != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1676,7 +1676,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; -if (BZ2_bzDecompressInit(, 0, 0) != BZ_OK) +if (!pkt_size || BZ2_bzDecompressInit(, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
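Review bot: in both the zlib and bzlib cases of matroska_decode_buffer(), the new `!pkt_size` test is folded into the library-init condition, so an empty packet and an init failure return the same -1 and the reason for the size test is not visible in the code. A separate check with a one-line comment would be clearer. The commit message says the zlib check seems not to be needed; if it is kept for symmetry, say so in that comment.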
[FFmpeg-cvslog] avformat/matroskadec: Check desc_bytes
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Feb 5 20:37:22 2022 +0100| [f20e08ed58362011e4906989d292fd01b2e028f2] | committer: Michael Niedermayer avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20e08ed58362011e4906989d292fd01b2e028f2 --- libavformat/matroskadec.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 2d57789a59..faef93a42a 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -4065,12 +4065,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; -double desc_sec = desc_ns / nano_seconds_per_second; -double calc_bits_per_second = (desc_bytes * 8) / desc_sec; +double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; +if (desc_bytes <= 0) +return -1; + +desc_sec = desc_ns / nano_seconds_per_second; +calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. -double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; -double mod_bits_per_second = calc_bits_per_second * percent; +percent = (desc_bytes - prebuffer_bytes) / desc_bytes; +mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
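Review bot: in webm_dash_manifest_compute_bandwidth(), the new guard covers `desc_bytes <= 0`, but `desc_sec`, derived from `desc_ns`, is still used as a divisor in `(desc_bytes * 8) / desc_sec` without any check. A zero or negative desc_ns gives an infinite, NaN or negative bandwidth that flows into the later comparisons; consider rejecting `desc_ns <= 0` in the same test.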
[FFmpeg-cvslog] avformat/mov: Check size before subtraction
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Jan 17 14:26:05 2022 +0100| [3a718e3bbb73f3cfb7d8eb5d00795e0c615e1226] | committer: Michael Niedermayer avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a718e3bbb73f3cfb7d8eb5d00795e0c615e1226 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index c517830aef..e6785e884e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7050,6 +7050,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } +if (a.size < 0) +break; a.size -= 8; if (a.size < 0) break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
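Review bot: in mov_read_default(), the added `if (a.size < 0) break;` is followed by `a.size -= 8;` and an identical test, so the same condition is written twice around the subtraction. A single `if (a.size < 8) break;` before the subtraction expresses both and still avoids the overflow the commit message describes.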
[FFmpeg-cvslog] avcodec/apedec: Fix integer overflows in predictor_update_3930()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Jan 3 19:15:18 2022 +0100| [671850fe550b309f6199e1811c59cc548bd21e8a] | committer: Michael Niedermayer avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=671850fe550b309f6199e1811c59cc548bd21e8a --- libavcodec/apedec.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 621db062e6..43d7110c57 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1061,13 +1061,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; -int32_t d0, d1, d2, d3; +uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA]; -d1 = p->buf[delayA] - p->buf[delayA - 1]; -d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; -d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; +d1 = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; +d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; +d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + 
@@ -1078,10 +1078,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); -p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; -p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; -p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; -p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; +p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; +p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; +p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; +p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
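Review bot: in predictor_update_3930(), changing d0..d3 to uint32_t makes a plain `dN < 0` test always false, which is why the second hunk has to add an `(int32_t)` cast to each of the four sign tests; that dependency is easy to miss in a later edit. A comment at the declaration saying the variables are unsigned only to get wrapping subtraction, or a small helper for the sign term, would make it safer. The products feeding predictionA now involve unsigned operands as well, so please confirm the wrapped result is what the decoder expects there.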
[FFmpeg-cvslog] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Fri Feb 4 00:44:32 2022 +0100| [a2932f6e9893c1d4e927eed6eb161133845bcf66] | committer: Michael Niedermayer avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x overflowed to 0x Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2932f6e9893c1d4e927eed6eb161133845bcf66 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 3302651af2..4888aafc29 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -5000,7 +5000,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, , _len); -dest_end = dest + dest_len - 1; +dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
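Review bot: in ff_parse_key_value(), the new expression handles a NULL dest, but a non-NULL dest with a `dest_len` of 0 still evaluates `dest + dest_len - 1`, which points one element before the buffer. Consider `dest && dest_len ? dest + dest_len - 1 : NULL`, and confirm that the code using dest_end afterwards copes with a NULL value.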
[FFmpeg-cvslog] avcodec/apedec: fix integer overflow in 8bit samples
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Dec 23 20:39:14 2021 +0100| [429eaaf16ee3bbb8d10e8c6e204d03b537adba80] | committer: Michael Niedermayer avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=429eaaf16ee3bbb8d10e8c6e204d03b537adba80 --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 9d1ad5993f..621db062e6 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1559,7 +1559,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) -*sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; +*sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avformat/flvdec: timestamps cannot use the full int64 range
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Dec 23 20:36:16 2021 +0100| [c45013d6c5f1007a9e5de0a008bba05b91575886] | committer: Michael Niedermayer avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c45013d6c5f1007a9e5de0a008bba05b91575886 --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index a7c7192d11..1d10db9278 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -459,6 +459,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; +if (current_array == && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) +goto invalid; current_array[0][i] = d; } if (times && filepositions) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
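Review bot: in parse_keyframes_index(), the bounds `INT64_MIN / 1000` and `INT64_MAX / 1000` hard-code the factor that, per the commit message, the timestamps are later multiplied by, and nothing at the check says so. Add a comment naming that multiplication, or share one constant between the check and the multiplication, so the two cannot drift apart.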
[FFmpeg-cvslog] avcodec/vqavideo: reset accounting on error
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Dec 19 22:26:00 2021 +0100| [ddc21f54c361ac388055cdfba54918f64f560058] | committer: Michael Niedermayer avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ddc21f54c361ac388055cdfba54918f64f560058 --- libavcodec/vqavideo.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index f45390cfe5..d0e1927444 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(>gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ -if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) -return res; +res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; +if (res < 0) +return res; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
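Review bot: in vqa_decode_chunk(), the accounting reset now runs before `res` is tested, which is the substance of the fix, but the existing `/* reset accounting */` comment does not say that the reset must also happen on failure. Extend the comment so that a later cleanup does not restore the early return ahead of the reset.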
[FFmpeg-cvslog] avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Jul 23 23:34:15 2020 +0200| [80940eedf217aba6fe771bb1f05ab1765b9c541c] | committer: Michael Niedermayer avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80940eedf217aba6fe771bb1f05ab1765b9c541c --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; -a -= (b * decorr_left_weight) >> decorr_shift; +a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
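Review bot: in decorrelate_stereo(), the new expression `(int)(b * (unsigned)decorr_left_weight) >> decorr_shift` depends on the cast binding tighter than `>>` so that the shift is applied to a signed value. An extra pair of parentheses around the cast expression would make that explicit for the next reader.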
[FFmpeg-cvslog] avformat/4xm: Check for duplicate track ids
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Dec 7 09:14:09 2021 +0100| [4a45cd806ed976dfac0a6a9294461497f007ae61] | committer: Michael Niedermayer avformat/4xm: Check for duplicate track ids Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a45cd806ed976dfac0a6a9294461497f007ae61 --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 9dc4f05d3b..cfee8a02f4 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(>tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; +} else { +if (fourxm->tracks[track].bits) +return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels= AV_RL32(buf + 36); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
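Review bot: in parse_strk(), the duplicate test uses a nonzero `fourxm->tracks[track].bits` as the marker that a track id was already seen, so an earlier strk chunk that left bits at 0 would not be detected as a duplicate. A dedicated flag, or a test on a field that a valid track can never leave at 0, would be more robust. The `} else { if (...)` nesting can also be written as `else if`, and the rejection has no av_log() message.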
[FFmpeg-cvslog] avformat/4xm: Consider max_streams on reallocating tracks array
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Dec 7 09:14:08 2021 +0100| [75befad4c0d71a0df6b61356db1bc0fc81f8c079] | committer: Michael Niedermayer avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=75befad4c0d71a0df6b61356db1bc0fc81f8c079 --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 30f1b05324..9dc4f05d3b 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); -if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { +if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || +track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
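Review bot: in parse_strk(), the added `track >= s->max_streams` case shares the "current_track too large" message with the overflow test, so the log does not show which limit was hit. Including the track value and max_streams in the message would help when a file is rejected.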
[FFmpeg-cvslog] avformat/mov: Check next offset in mov_read_dref()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Dec 4 20:48:54 2021 +0100| [5a2a340d64d1e4eb6c2eb12d8bc297b55bd579be] | committer: Michael Niedermayer avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5a2a340d64d1e4eb6c2eb12d8bc297b55bd579be --- libavformat/mov.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 07bbebab0e..c517830aef 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -605,11 +605,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = >drefs[i]; uint32_t size = avio_rb32(pb); -int64_t next = avio_tell(pb) + size - 4; +int64_t next = avio_tell(pb); -if (size < 12) +if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; +next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
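Review bot: in mov_read_dref(), `next < 0` means avio_tell() reported an error, yet the combined test maps it to AVERROR_INVALIDDATA together with the size checks. Consider returning the avio_tell() value itself in that case so an I/O error is not reported as corrupt data.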
[FFmpeg-cvslog] avformat/vivo: Favor setting fps from explicit fractions
ffmpeg | branch: release/4.3 | Michael Niedermayer | Mon Dec 6 11:38:39 2021 +0100| [480f1a198cbfe72fb8f59a5e664c2af796f4a45c] | committer: Michael Niedermayer avformat/vivo: Favor setting fps from explicit fractions Signed-off-by: Michael Niedermayer (cherry picked from commit bf1e93bdc9aaa4fd5c231030b5368aae0df018ee) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=480f1a198cbfe72fb8f59a5e664c2af796f4a45c --- libavformat/vivo.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index 12bdc05d9e..78d1377e6b 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -121,7 +121,7 @@ static int vivo_get_packet_header(AVFormatContext *s) static int vivo_read_header(AVFormatContext *s) { VivoContext *vivo = s->priv_data; -AVRational fps = { 1, 25}; +AVRational fps = { 0 }; AVStream *ast, *vst; unsigned char *line, *line_end, *key, *value; long value_int; @@ -212,13 +212,16 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; -fps = av_inv_q(av_d2q(d, 1)); +if (!fps.num && !fps.den) +fps = av_inv_q(av_d2q(d, 1)); } if (!value_used) av_dict_set(>metadata, key, value, 0); } } +if (!fps.num || !fps.den) +fps = (AVRational){ 1, 25 }; avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate); avpriv_set_pts_info(vst, 64, fps.num, fps.den); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
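Review bot: In the second hunk of vivo_read_header(), the FPS branch applies the parsed value only when `!fps.num && !fps.den`, while the fallback after the loop fires on `!fps.num || !fps.den`. If an earlier header key leaves exactly one of the two fields set, the FPS value is skipped and the partial fraction is then discarded in favour of 1/25, so neither source wins. Using the same predicate in both places, or a flag recording that an explicit fraction was seen, would make the intended precedence unambiguous. The commit message also gives no reason or test case for the change.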
[FFmpeg-cvslog] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Dec 5 18:40:03 2021 +0100| [deba3d03723de72c386bdcc2db5ac733bd05adc7] | committer: Michael Niedermayer avformat/vivo: Do not use the general expression evaluator for parsing a floating point value Fixes: Timeout Fixes: 41564/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-6309014024093696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7b24615565fd488e7e3a435102979a5ea85fe2fe) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=deba3d03723de72c386bdcc2db5ac733bd05adc7 --- libavformat/vivo.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libavformat/vivo.c b/libavformat/vivo.c index fb58aa6178..12bdc05d9e 100644 --- a/libavformat/vivo.c +++ b/libavformat/vivo.c @@ -26,6 +26,7 @@ * @sa http://wiki.multimedia.cx/index.php?title=Vivo */ +#include "libavutil/avstring.h" #include "libavutil/parseutils.h" #include "avformat.h" #include "internal.h" @@ -206,11 +207,12 @@ static int vivo_read_header(AVFormatContext *s) return AVERROR_INVALIDDATA; value_used = 1; } else if (!strcmp(key, "FPS")) { -AVRational tmp; +double d; +if (av_sscanf(value, "%f", ) != 1) +return AVERROR_INVALIDDATA; value_used = 1; -if (!av_parse_ratio(, value, 1, AV_LOG_WARNING, s)) -fps = av_inv_q(tmp); +fps = av_inv_q(av_d2q(d, 1)); } if (!value_used) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
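Review bot: In the FPS branch, the conversion `"%f"` passed to av_sscanf() stores a float, but the only destination declared in the hunk is `double d`, which is then read by `av_d2q(d, 1)`. If `d` is the argument, the format must be `"%lf"` (or `d` must be a float); as written the upper bytes of `d` are left unset and the parsed rate is garbage. It is also worth rejecting non-finite, zero and negative values right after the parse, since the result is inverted with av_inv_q() and used as the time base.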
[FFmpeg-cvslog] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Dec 5 22:19:05 2021 +0100| [d80dbe65054cc70c8573a3d62c4492ef5d3962a2] | committer: Michael Niedermayer avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() Fixes: memleak Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d80dbe65054cc70c8573a3d62c4492ef5d3962a2 --- libavformat/mxfdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index f805ccc36f..442d652cf6 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -1069,6 +1069,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, MXFIndexTableSegment *seg { int i, length; +if (segment->temporal_offset_entries) +return AVERROR_INVALIDDATA; + segment->nb_index_entries = avio_rb32(pb); length = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
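Review bot: The duplicate test at the top of mxf_read_index_entry_array() keys on `segment->temporal_offset_entries` alone, so it only works if that pointer is always non-NULL after an earlier successful call and is reset on every failure path. A comment stating that invariant, or a test on `segment->nb_index_entries` as well, would make the guard easier to trust. The rejection is silent; an av_log() line saying the index entry array was seen twice would help anyone debugging a rejected file.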
[FFmpeg-cvslog] avcodec/apedec: Change avg to uint32_t
ffmpeg | branch: release/4.3 | Michael Niedermayer | Fri Dec 3 17:58:50 2021 +0100| [aea824467cf6051c9a316b4c620c723483da38ea] | committer: Michael Niedermayer avcodec/apedec: Change avg to uint32_t Fixes: Integer overflow Fixes: 40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Suggested-by: Anton Khirnov Signed-off-by: Michael Niedermayer (cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aea824467cf6051c9a316b4c620c723483da38ea --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 3bbb8c1aac..9d1ad5993f 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -102,7 +102,7 @@ typedef struct APEFilter { int16_t *historybuffer; ///< filter memory int16_t *delay; ///< filtered values -int avg; +uint32_t avg; } APEFilter; typedef struct APERice { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
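Review bot: Changing `avg` in APEFilter from `int` to `uint32_t` silently changes every expression that uses it: comparisons, divisions and right shifts involving `avg` now promote their signed operands to unsigned. The commit message says only "Integer overflow" without naming the expression, so please name it and confirm that each use of `avg` still behaves as intended with unsigned semantics. The field is also the only one in this part of the struct without a `///<` comment; documenting what it holds and why it is unsigned would prevent someone from switching it back.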
[FFmpeg-cvslog] avcodec/vp3: Check version in all cases when VP4 code is not built
ffmpeg | branch: release/4.3 | Michael Niedermayer | Tue Nov 30 19:46:17 2021 +0100| [a452eddfadd0b98e05a97d5572b3c6b71aa908d2] | committer: Michael Niedermayer avcodec/vp3: Check version in all cases when VP4 code is not built Fixes: out of array read Fixes: 40284/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-4599568176644096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross Signed-off-by: Michael Niedermayer (cherry picked from commit 96caa01f130526cb420d0706a40fb63695153128) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a452eddfadd0b98e05a97d5572b3c6b71aa908d2 --- libavcodec/vp3.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index 0fc64581c6..49d4911fb3 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -2741,7 +2741,14 @@ static int vp3_decode_frame(AVCodecContext *avctx, skip_bits(, 4); /* width code */ skip_bits(, 4); /* height code */ if (s->version) { -s->version = get_bits(, 5); +int version = get_bits(, 5); +#if !CONFIG_VP4_DECODER +if (version >= 2) { +av_log(avctx, AV_LOG_ERROR, "This build does not support decoding VP4.\n"); +return AVERROR_DECODER_NOT_FOUND; +} +#endif +s->version = version; if (avctx->frame_number == 0) av_log(s->avctx, AV_LOG_DEBUG, "VP version: %d\n", s->version); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
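Review bot: In vp3_decode_frame(), any value below 2 read by `get_bits(, 5)` is still written to `s->version` unconditionally, so a frame header can change the version between frames even with this check in place. If state set up at init depends on the version, comparing the new value against the existing `s->version` and rejecting a change would be the stronger check. As a style point, the new error path logs through `avctx` while the debug line just below uses `s->avctx`; pick one.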
[FFmpeg-cvslog] avformat/mov: Disallow duplicate smdm
ffmpeg | branch: release/4.3 | Michael Niedermayer | Fri Dec 3 17:42:22 2021 +0100| [58368cc528cd82020be530694c2d8747b73b13f6] | committer: Michael Niedermayer avformat/mov: Disallow duplicate smdm Fixes: memleak Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=58368cc528cd82020be530694c2d8747b73b13f6 --- libavformat/mov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 309b813ba3..07bbebab0e 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5406,6 +5406,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, MOVAtom atom) av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata box version %d\n", version); return 0; } +if (sc->mastering) +return AVERROR_INVALIDDATA; + avio_skip(pb, 3); /* flags */ sc->mastering = av_mastering_display_metadata_alloc(); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
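Review bot: The new `if (sc->mastering) return AVERROR_INVALIDDATA;` in mov_read_smdm() fails the whole file without any log output, whereas the unsupported-version case directly above logs a warning and returns 0. Please add an av_log() naming the duplicate box, and consider whether ignoring the second box (keeping the first and returning 0) is enough to fix the leak, since a hard error makes otherwise playable files unreadable.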
[FFmpeg-cvslog] avformat/mov: Check channels for mov_parse_stsd_audio()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Nov 7 13:48:24 2021 +0100| [867b978dc90a8bf3dce2a76620f28d8dc7cb139a] | committer: Michael Niedermayer avformat/mov: Check channels for mov_parse_stsd_audio() Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long' Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=867b978dc90a8bf3dce2a76620f28d8dc7cb139a --- libavformat/mov.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index fa720bbb34..414918050b 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2532,6 +2532,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext *pb, int entries) av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", st->codecpar->sample_rate); return AVERROR_INVALIDDATA; } +if (st->codecpar->channels < 0) { +av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", st->codecpar->channels); +return AVERROR_INVALIDDATA; +} } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){ mov_parse_stsd_subtitle(c, pb, st, sc, size - (avio_tell(pb) - start_pos)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
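Review bot: The added test rejects only `st->codecpar->channels < 0`, but the multiplication that overflowed is not part of this hunk, so it is not clear from the patch that a large positive channel count cannot overflow the same expression. An upper bound, or a sentence in the commit message explaining why negative values are the only problematic input, would close that question. The subject line names mov_parse_stsd_audio() while the check is placed in ff_mov_read_stsd_entries(); the message should say the check sits in the caller.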
[FFmpeg-cvslog] avformat/mov: Check for EOF in mov_read_glbl()
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sat Dec 4 20:11:35 2021 +0100| [784303ca013d4d8de9808472b8e28205ec5f7f7b] | committer: Michael Niedermayer avformat/mov: Check for EOF in mov_read_glbl() Fixes: Infinite loop Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=784303ca013d4d8de9808472b8e28205ec5f7f7b --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 414918050b..309b813ba3 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -1916,6 +1916,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, MOVAtom atom) // wrap a whole fiel atom inside of a glbl atom. unsigned size = avio_rb32(pb); unsigned type = avio_rl32(pb); +if (avio_feof(pb)) +return AVERROR_INVALIDDATA; avio_seek(pb, -8, SEEK_CUR); if (type == MKTAG('f','i','e','l') && size == atom.size) return mov_read_default(c, pb, atom); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
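Review bot: In mov_read_glbl(), `avio_feof(pb)` is tested only after both `avio_rb32(pb)` and `avio_rl32(pb)` have run, and a truncated input is then reported as AVERROR_INVALIDDATA. Returning AVERROR_EOF, or `pb->error` when it is set, would tell the caller what actually happened and keep I/O failures distinguishable from malformed atoms. A brief comment that `size` and `type` are meaningless once EOF has been hit would also explain why the check has to precede the `avio_seek(pb, -8, SEEK_CUR)`.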
[FFmpeg-cvslog] avformat/avidec: Check read_odml_index() for failure
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Nov 14 18:23:24 2021 +0100| [0b0d4f141b13b6184b3d8fd727a05c0432bfb04e] | committer: Michael Niedermayer avformat/avidec: Check read_odml_index() for failure Fixes: Timeout Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b0d4f141b13b6184b3d8fd727a05c0432bfb04e --- libavformat/avidec.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index cd7bd08567..21b234b2de 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) } else { int64_t offset, pos; int duration; +int ret; + offset = avio_rl64(pb); avio_rl32(pb); /* size */ duration = avio_rl32(pb); @@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) if (avio_seek(pb, offset + 8, SEEK_SET) < 0) return -1; avi->odml_depth++; -read_odml_index(s, frame_num); +ret = read_odml_index(s, frame_num); avi->odml_depth--; frame_num += duration; @@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t frame_num) av_log(s, AV_LOG_ERROR, "Failed to restore position after reading index\n"); return -1; } - +if (ret < 0) +return ret; } } avi->index_loaded = 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
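Review bot: In the last hunk, `if (ret < 0) return ret;` is placed after the position-restore check, so when the nested read_odml_index() fails and the seek back fails too, the function returns the generic -1 and the original error in `ret` is lost. Checking `ret` first, after `avi->odml_depth--`, or preferring `ret` when both fail, keeps the root cause. The function now mixes bare `-1` returns with propagated error codes; converting the visible `return -1` sites to AVERROR values would make callers' handling uniform.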
[FFmpeg-cvslog] avformat/aiffdec: Use av_rescale() for bitrate
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Oct 31 00:11:23 2021 +0200| [00530ff352bf09d5ce64d7af153241fc43e94478] | committer: Michael Niedermayer avformat/aiffdec: Use av_rescale() for bitrate Fixes: integer overflow Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00530ff352bf09d5ce64d7af153241fc43e94478 --- libavformat/aiffdec.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index ffe47a7711..85e8138133 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -187,8 +187,10 @@ static int get_aiff_header(AVFormatContext *s, int size, par->block_align = (av_get_bits_per_sample(par->codec_id) * par->channels) >> 3; if (aiff->block_duration) { -par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) / -aiff->block_duration; +par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL, + aiff->block_duration); +if (par->bit_rate < 0) +par->bit_rate = 0; } /* Chunk is over */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
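Review bot: The `if (par->bit_rate < 0) par->bit_rate = 0;` clamp after av_rescale() hides two different conditions: a genuinely negative product and the INT64_MIN that av_rescale() returns when its divisor is not positive or its second argument is negative. Since the surrounding guard is only `if (aiff->block_duration)`, a negative block_duration reaches the call; testing `aiff->block_duration > 0` explicitly, and commenting that the clamp covers the INT64_MIN sentinel, would make the intent readable without knowing av_rescale()'s failure convention.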
[FFmpeg-cvslog] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
ffmpeg | branch: release/4.3 | Michael Niedermayer | Thu Oct 21 13:25:59 2021 +0200| [e8a3e30a8522a3db73fcdc6ea9279ffefc8708e9] | committer: Michael Niedermayer avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE Fixes: out of array read Fixes: 40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Mattias Wadman Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8a3e30a8522a3db73fcdc6ea9279ffefc8708e9 --- libavcodec/flac_parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c index 3424583c49..b13b3b646a 100644 --- a/libavcodec/flac_parser.c +++ b/libavcodec/flac_parser.c @@ -55,6 +55,7 @@ /** largest possible size of flac header */ #define MAX_FRAME_HEADER_SIZE 16 +#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE) typedef struct FLACHeaderMarker { int offset; /**< byte offset from start of FLACParseContext->buffer */ @@ -170,7 +171,7 @@ static int find_headers_search_validate(FLACParseContext *fpc, int offset) uint8_t *header_buf; int size = 0; header_buf = flac_fifo_read_wrap(fpc, offset, - MAX_FRAME_HEADER_SIZE, + MAX_FRAME_VERIFY_SIZE + AV_INPUT_BUFFER_PADDING_SIZE, >wrap_buf, >wrap_buf_allocated_size); if (frame_header_is_valid(fpc->avctx, header_buf, )) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
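Review bot: The new `MAX_FRAME_VERIFY_SIZE` macro in the first hunk has no doc comment, unlike `MAX_FRAME_HEADER_SIZE` directly above it, and it is currently a plain alias, so a reader cannot tell why two names exist. Please document what "verify size" means, and consider folding `AV_INPUT_BUFFER_PADDING_SIZE` into the macro itself so that the call in find_headers_search_validate() cannot be copied elsewhere without the padding that prevents the out-of-array read.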
[FFmpeg-cvslog] avformat/aiffdec: sanity check block_align
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Oct 31 00:10:39 2021 +0200| [b52cad186c40f2713cf88d062c61d77bfec9c990] | committer: Michael Niedermayer avformat/aiffdec: sanity check block_align Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b52cad186c40f2713cf88d062c61d77bfec9c990 --- libavformat/aiffdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index cb96c02b6f..ffe47a7711 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -370,7 +370,7 @@ got_sound: if (!st->codecpar->block_align && st->codecpar->codec_id == AV_CODEC_ID_QCELP) { av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full rate\n"); st->codecpar->block_align = 35; -} else if (!st->codecpar->block_align) { +} else if (st->codecpar->block_align <= 0) { av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n"); return -1; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
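Review bot: With the second branch widened to `st->codecpar->block_align <= 0`, the QCELP branch above it still tests only `!st->codecpar->block_align`, so a QCELP stream with a negative block_align now takes the error path while one with zero gets the default of 35. If that asymmetry is intended, a comment should say so; otherwise the first condition should use `<= 0` as well. The error path still returns a bare `-1`; AVERROR_INVALIDDATA would match the other checks added to this file.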
[FFmpeg-cvslog] avformat/aiffdec: Check sample_rate
ffmpeg | branch: release/4.3 | Michael Niedermayer | Sun Oct 31 00:02:04 2021 +0200| [e3a69dd7a00aa8d377236ec59610052fc7501f7e] | committer: Michael Niedermayer avformat/aiffdec: Check sample_rate Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e3a69dd7a00aa8d377236ec59610052fc7501f7e --- libavformat/aiffdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c index fb5935c746..cb96c02b6f 100644 --- a/libavformat/aiffdec.c +++ b/libavformat/aiffdec.c @@ -122,6 +122,9 @@ static int get_aiff_header(AVFormatContext *s, int size, sample_rate = val << exp; else sample_rate = (val + (1ULL<<(-exp-1))) >> -exp; +if (sample_rate <= 0) +return AVERROR_INVALIDDATA; + par->sample_rate = sample_rate; if (size < 18) return AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
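Review bot: The new `sample_rate <= 0` test runs only after `val << exp` and `(val + (1ULL<<(-exp-1))) >> -exp` have been evaluated, so it catches a bad result but not a bad shift count. If `exp` is not range-checked earlier in get_aiff_header(), that check belongs before the shifts. The rejection is also silent; an av_log() naming the invalid sample rate would be consistent with checks such as the "Invalid channels" one in mov.c.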
[FFmpeg-cvslog] Update for FFmpeg 4.4.2
ffmpeg | branch: release/4.4 | Michael Niedermayer | Wed Apr 6 20:29:51 2022 +0200| [dcb2ad91253e4f913acc02b7db2192335e227f70] | committer: Michael Niedermayer Update for FFmpeg 4.4.2 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcb2ad91253e4f913acc02b7db2192335e227f70 --- Changelog| 112 +++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 114 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a6508cd8ac..c1c50d7d6b 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,118 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 4.4.2: +- avcodec/exr: Avoid signed overflow in displayWindow +- avcodec/diracdec: avoid signed integer overflow in global mv +- avcodec/takdsp: Fix integer overflow in decorrelate_sf() +- avcodec/apedec: fix a integer overflow in long_filter_high_3800() +- avfilter/vf_subtitles: pass storage size to libass +- avformat/aqtitledec: Skip unrepresentable durations +- avformat/cafdec: Do not store empty keys in read_info_chunk() +- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing +- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() +- avformat/mxfdec: Check count in mxf_read_strong_ref_array() +- avformat/hls: Check target_duration +- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() +- avformat/matroskadec: Check pre_ns +- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior +- avcodec/libuavs3d: Check ff_set_dimensions() for failure +- avcodec/mjpegbdec: Set buf_size +- avformat/matroskadec: Use rounded down duration in get_cue_desc() check +- avcodec/argo: Check packet size +- avcodec/g729_parser: Check channels +- avformat/avidec: Check height +- avformat/rmdec: Better duplicate tags check +- avformat/mov: Disallow empty sidx +- avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer() +- avformat/matroskadec: Check duration +- avformat/mov: Corner case encryption error cleanup in mov_read_senc() +- avcodec/jpeglsdec: Fix if( code style +- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error +- avcodec/motion_est: fix indention of ff_get_best_fcode() +- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() +- avformat/hls: Use unsigned for iv computation +- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned +- 
avformat/matroskadec: Check desc_bytes +- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() +- avformat/matroskadec: Fix infinite loop with bz decompression +- avformat/mov: Check size before subtraction +- avcodec/cfhd: Avoid signed integer overflow in coeff +- avcodec/apedec: Fix integer overflows in predictor_update_3930() +- avcodec/apedec: fix integer overflow in 8bit samples +- avformat/flvdec: timestamps cannot use the full int64 range +- avcodec/tiff: Remove messing with jpeg context +- avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions +- avcodec/tiff: Pass max_pixels to mjpeg context +- avcodec/vqavideo: reset accounting on error +- avcodec/alacdsp: fix integer overflow in decorrelate_stereo() +- avformat/4xm: Check for duplicate track ids +- avformat/4xm: Consider max_streams on reallocating tracks array +- avformat/mov: Check next offset in mov_read_dref() +- avformat/vivo: Favor setting fps from explicit fractions +- avformat/vivo: Do not use the general expression evaluator for parsing a floating point value +- avformat/mxfdec: Check for duplicate mxf_read_index_entry_array() +- avcodec/apedec: Change avg to uint32_t +- avformat/mxfdec: Check component_depth in mxf_get_color_range() +- avformat/mov: Disallow duplicate smdm +- avformat/mov: Check for EOF in mov_read_glbl() +- avcodec/vp3: Check version in all cases when VP4 code is not built +- avformat/mov: Check channels for mov_parse_stsd_audio() +- avformat/avidec: Check read_odml_index() for failure +- avformat/aiffdec: Use av_rescale() for bitrate +- avformat/aiffdec: sanity check block_align +- avformat/aiffdec: Check sample_rate +- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure +- avcodec/zmbvenc: Fix memleak upon init error +- avcodec/dnxhdenc: Fix segfault when using too many slice threads +- avcodec/wma(dec|enc): Fix memleaks upon allocation error +- avfilter/avfilter: Actually error out on init error +- 
avcodec/opus_silk: Remove wrong size information in function declaration +- avformat/omadec: Don't output uninitialized values +- avformat/jacosubenc: Fix writing extradata +- avformat/cafenc: Fix memleak when trailer is never written +- avformat/cafenc: Don't segfault upon allocation error +- avformat/cafenc: Fix potential integer overflow +- avformat/movenc: Limit ism_lookahead to a sane value +-
[FFmpeg-cvslog] avcodec/exr: Avoid signed overflow in displayWindow
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Mar 21 21:03:13 2022 +0100| [15006f48cd75fb7c93c06dde50b76ea1309cce00] | committer: Michael Niedermayer avcodec/exr: Avoid signed overflow in displayWindow The inputs are unused except for this computation so wraparound does not give an attacker any extra values as they are already fully controlled Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Fixes: 45820/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5766159019933696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 1291568c9834c02413ab5d87762308f15b4ae9c6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15006f48cd75fb7c93c06dde50b76ea1309cce00 --- libavcodec/exr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 49ba7fd6de..b6bf87ab81 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1829,8 +1829,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) dx = bytestream2_get_le32(gb); dy = bytestream2_get_le32(gb); -s->w = dx - sx + 1; -s->h = dy - sy + 1; +s->w = (unsigned)dx - sx + 1; +s->h = (unsigned)dy - sy + 1; continue; } else if ((var_size = check_header_variable(s, "lineOrder", ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
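Review bot: The casts in `s->w = (unsigned)dx - sx + 1;` and the matching `s->h` line make the wraparound defined but leave no trace in the code of why wrapping is acceptable; that reasoning exists only in the commit message. A comment at the assignment stating that `s->w` and `s->h` may hold any value here and where they are validated before use would stop the casts from reading as a suppressed warning. If no later check on the display window dimensions exists, this is the place to reject non-positive results.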
[FFmpeg-cvslog] avcodec/diracdec: avoid signed integer overflow in global mv
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Mar 21 20:51:47 2022 +0100| [977cfb719745dab296d748b6304f349b01ce6a08] | committer: Michael Niedermayer avcodec/diracdec: avoid signed integer overflow in global mv Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long' Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=977cfb719745dab296d748b6304f349b01ce6a08 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index bcde01..cf7fc2c56c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1432,8 +1432,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int64_t m = (1> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/takdsp: Fix integer overflow in decorrelate_sf()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Mar 28 00:26:06 2022 +0200| [30194a348ec6ed70f4676c405957cd1eead94186] | committer: Michael Niedermayer avcodec/takdsp: Fix integer overflow in decorrelate_sf() Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int' Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30194a348ec6ed70f4676c405957cd1eead94186 --- libavcodec/takdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c index 9cb8052596..a8f9dba342 100644 --- a/libavcodec/takdsp.c +++ b/libavcodec/takdsp.c @@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int length, int dshift, int for (i = 0; i < length; i++) { int32_t a = p1[i]; int32_t b = p2[i]; -b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift; +b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift; p1[i] = b - a; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
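Review bot: The rewritten expression in decorrelate_sf(), `(unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift`, removes the signed overflow but now depends on two implementation-defined behaviours: converting an out-of-range unsigned value to `int`, and right-shifting a negative `int`. Both do what is wanted on the supported compilers, but the line needs a comment saying so, and splitting it into a named intermediate (product, rounded shift, rescale) would let the next reader verify the cast order without counting parentheses.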
[FFmpeg-cvslog] avcodec/apedec: fix a integer overflow in long_filter_high_3800()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Mar 28 00:12:17 2022 +0200| [27a609a8b900a2a7a2c99764c572fb0331c0485a] | committer: Michael Niedermayer avcodec/apedec: fix a integer overflow in long_filter_high_3800() Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int' Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27a609a8b900a2a7a2c99764c572fb0331c0485a --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index f414ec0f74..b65a740f87 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -955,7 +955,7 @@ static void long_filter_high_3800(int32_t *buffer, int order, int shift, int len dotprod += delay[j] * (unsigned)coeffs[j]; coeffs[j] += ((delay[j] >> 31) | 1) * sign; } -buffer[i] -= dotprod >> shift; +buffer[i] -= (unsigned)(dotprod >> shift); for (j = 0; j < order - 1; j++) delay[j] = delay[j + 1]; delay[order - 1] = buffer[i]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
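Review bot: The fix casts only the subtraction, `buffer[i] -= (unsigned)(dotprod >> shift);`, while the adjacent update in the same loop, `coeffs[j] += ((delay[j] >> 31) | 1) * sign;`, is still plain signed arithmetic on values derived from the input. Please check whether that accumulation can overflow for the same class of files and, if it cannot, note the bound in a comment. The result of the unsigned subtraction is stored back into an `int32_t` element, which is the intended wraparound but is worth stating next to the cast.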
[FFmpeg-cvslog] avformat/cafdec: Do not store empty keys in read_info_chunk()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Mar 19 23:36:22 2022 +0100| [fde82db1692a78faee893fda7fb2f844d65b104c] | committer: Michael Niedermayer avformat/cafdec: Do not store empty keys in read_info_chunk() Fixes: Timeout Fixes: 45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fde82db1692a78faee893fda7fb2f844d65b104c --- libavformat/cafdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c index 7f09a27977..d18c3fce75 100644 --- a/libavformat/cafdec.c +++ b/libavformat/cafdec.c @@ -241,6 +241,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t size) char value[1024]; avio_get_str(pb, INT_MAX, key, sizeof(key)); avio_get_str(pb, INT_MAX, value, sizeof(value)); +if (!*key) +continue; av_dict_set(>metadata, key, value, 0); } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
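Review bot: Skipping empty keys with `if (!*key) continue;` avoids the av_dict_set() call but the loop in read_info_chunk() still ignores the return values of both avio_get_str() calls, so on truncated input it keeps iterating and producing empty strings until the entry count is exhausted. Breaking out of the loop when `avio_feof(pb)` is true would address the timeout at its source; the empty-key test can stay as a separate sanity check.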
[FFmpeg-cvslog] avfilter/vf_subtitles: pass storage size to libass
ffmpeg | branch: release/4.4 | Oneric | Wed Mar 23 20:43:54 2022 +0100| [7ccd77a8ffbad3d56a86043d17b730a46074f0e9] | committer: Michael Niedermayer avfilter/vf_subtitles: pass storage size to libass Due to a quirk of the ASS format some tags depend on the exact storage resolution of the video, so tell libass via ass_set_storage_size. > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ccd77a8ffbad3d56a86043d17b730a46074f0e9 --- libavfilter/vf_subtitles.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c index de74afa2b7..b57dd80b13 100644 --- a/libavfilter/vf_subtitles.c +++ b/libavfilter/vf_subtitles.c @@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink) ff_draw_init(>draw, inlink->format, ass->alpha ? FF_DRAW_PROCESS_ALPHA : 0); ass_set_frame_size (ass->renderer, inlink->w, inlink->h); -if (ass->original_w && ass->original_h) +if (ass->original_w && ass->original_h) { ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h, (double)ass->original_w / ass->original_h); +#if LIBASS_VERSION > 0x0101 +ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h); +} else { +ass_set_storage_size(ass->renderer, inlink->w, inlink->h); +#endif +} + if (ass->shaping != -1) ass_set_shaper(ass->renderer, ass->shaping); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
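Review bot: the braces of the if/else are split across the "#if LIBASS_VERSION > ..." block: the opening "{" and the final "}" are unconditional while "} else {" exists only inside the conditional. Both configurations balance, but this is easy to break on the next edit. Computing the storage width and height into two locals (original_w/original_h when set, otherwise inlink->w/inlink->h) and making a single guarded ass_set_storage_size() call would keep control flow out of the preprocessor block. A comment naming the libass release the guard corresponds to would also help.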
[FFmpeg-cvslog] avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Mar 13 00:37:35 2022 +0100| [45a021aba12e32300e50002155d0cafb1ec154ab] | committer: Michael Niedermayer avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing Signed-off-by: Michael Niedermayer (cherry picked from commit 7aebdb8bf1fc3e09263617a7f49101cba2d43804) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45a021aba12e32300e50002155d0cafb1ec154ab --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index adc978d64b..6ceaf9c3df 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -884,7 +884,7 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) *count = c; av_free(*refs); -*refs = av_calloc(*count, sizeof(UID)); +*refs = av_malloc_array(*count, sizeof(UID)); if (!*refs) { *count = 0; return AVERROR(ENOMEM); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
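Review bot: switching av_calloc() to av_malloc_array() leaves *refs uninitialised until the read fills it, so any path that returns with *count larger than the number of UIDs actually read would hand uninitialised heap memory to callers. The commit message gives no reason for the change; please state it, and the fact that the read result bounds *count, in the message or in a comment next to the allocation.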
[FFmpeg-cvslog] avformat/aqtitledec: Skip unrepresentable durations
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Mar 20 00:07:50 2022 +0100| [b90c01a501382dce57b5579687e860d428b324dc] | committer: Michael Niedermayer avformat/aqtitledec: Skip unrepresentable durations Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented in type 'long' Fixes: 45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b90c01a501382dce57b5579687e860d428b324dc --- libavformat/aqtitledec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c index 81630d73b0..960a5d8ef5 100644 --- a/libavformat/aqtitledec.c +++ b/libavformat/aqtitledec.c @@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s) new_event = 1; pos = avio_tell(s->pb); if (sub) { -sub->duration = frame - sub->pts; +if (frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX) +sub->duration = frame - sub->pts; sub = NULL; } } else if (*line) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
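Review bot: when the new condition "frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX" is false, sub->duration is silently left at whatever value it had when the event was created, and sub is still set to NULL. If that default is meant to signal an unknown duration, say so in a comment; otherwise log a warning so that an out-of-order or out-of-range subtitle is visible to the user.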
[FFmpeg-cvslog] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Mar 13 00:36:55 2022 +0100| [2ad47d59afaa1684801f0938adcb4a91e7983a67] | committer: Michael Niedermayer avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array() Fixes: 42827/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4900528511909888 Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 8d6f49cfc339825f3f3f8a910e4bb4c0f822db1f) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2ad47d59afaa1684801f0938adcb4a91e7983a67 --- libavformat/mxfdec.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index ba7466f960..adc978d64b 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -875,6 +875,7 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { +int64_t ret; unsigned c = avio_rb32(pb); //avio_read() used int @@ -889,7 +890,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) return AVERROR(ENOMEM); } avio_skip(pb, 4); /* useless size of objects, always 16 according to specs */ -avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); +ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID)); +if (ret != *count * sizeof(UID)) { +*count = ret < 0 ? 0 : ret / sizeof(UID); +return ret < 0 ? ret : AVERROR_INVALIDDATA; +} + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
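Review bot: "if (ret != *count * sizeof(UID))" compares an int64_t with a size_t expression. It works because a negative ret converts to a value that cannot equal the expected size, but that is subtle; testing ret < 0 first and the short read second would make both branches explicit. On the short-read path *count is reduced to the number of complete UIDs while the function returns AVERROR_INVALIDDATA, so it is worth documenting whether callers may use the partial array after an error.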
[FFmpeg-cvslog] avformat/mxfdec: Check count in mxf_read_strong_ref_array()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Mar 13 00:34:52 2022 +0100| [2a549b2e7d9f3edd4744afe288fcb012daee4a1e] | committer: Michael Niedermayer avformat/mxfdec: Check count in mxf_read_strong_ref_array() Reviewed-by: Tomas Härdin Signed-off-by: Michael Niedermayer (cherry picked from commit 3015c556f316d4ab364ed55e8bc97cc0f2cc57a3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a549b2e7d9f3edd4744afe288fcb012daee4a1e --- libavformat/mxfdec.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 84ab0cefd7..ba7466f960 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -875,7 +875,13 @@ static int mxf_read_cryptographic_context(void *arg, AVIOContext *pb, int tag, i static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count) { -*count = avio_rb32(pb); +unsigned c = avio_rb32(pb); + +//avio_read() used int +if (c > INT_MAX / sizeof(UID)) +return AVERROR_PATCHWELCOME; +*count = c; + av_free(*refs); *refs = av_calloc(*count, sizeof(UID)); if (!*refs) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
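Review bot: the comment "//avio_read() used int" does not explain the bound it sits on. The test "c > INT_MAX / sizeof(UID)" is there so that the later *count * sizeof(UID) fits the int size passed to avio_read(); say that. AVERROR_PATCHWELCOME is also an odd result for a count taken straight from the file; if no valid file can carry that many references, AVERROR_INVALIDDATA describes the situation better.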
[FFmpeg-cvslog] avformat/hls: Check target_duration
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Mar 20 22:54:31 2022 +0100| [79ad18ddbd2f7feee33e24bff02afe4c10928b75] | committer: Michael Niedermayer avformat/hls: Check target_duration Fixes: signed integer overflow: 77 * 100 cannot be represented in type 'long long' Fixes: 45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79ad18ddbd2f7feee33e24bff02afe4c10928b75 --- libavformat/hls.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 75209906d3..f2ca4f3443 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -810,10 +810,16 @@ static int parse_playlist(HLSContext *c, const char *url, ); new_rendition(c, , url); } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", )) { +int64_t t; ret = ensure_playlist(c, , url); if (ret < 0) goto fail; -pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE; +t = strtoll(ptr, NULL, 10); +if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) { +ret = AVERROR_INVALIDDATA; +goto fail; +} +pls->target_duration = t * AV_TIME_BASE; } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", )) { uint64_t seq_no; ret = ensure_playlist(c, , url); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
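Review bot: strtoll(ptr, NULL, 10) with a NULL end pointer cannot distinguish a missing or non-numeric value from a literal 0, and the new range check "t < 0 || t >= INT64_MAX / AV_TIME_BASE" accepts t == 0. If a zero target duration is not meaningful downstream, reject it here as well, or pass an end pointer and fail when no digits were consumed.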
[FFmpeg-cvslog] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Oct 26 21:30:19 2020 +0100| [b27833f06689eb0e44e2f044d8d4db8b831affed] | committer: Michael Niedermayer avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn() Fixes: signed integer overflow: 11494 * 107374182400 cannot be represented in type 'long' Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b27833f06689eb0e44e2f044d8d4db8b831affed --- libavcodec/pixlet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c index ad9d830af7..febee5c31d 100644 --- a/libavcodec/pixlet.c +++ b/libavcodec/pixlet.c @@ -405,7 +405,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) low [i - 1] * -INT64_C(325392907) + (int64_t) high[i + 0] * INT64_C(1518500249) + (int64_t) high[i - 1] * INT64_C(1518500249); -dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32); +dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } for (i = 0; i < hsize; i++) { @@ -416,7 +416,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned size, int64_t scale) (int64_t) high[i + 1] * INT64_C(303700064) + (int64_t) high[i + 0] * -INT64_C(3644400640) + (int64_t) high[i - 1] * INT64_C(303700064); -dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32); +dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32); } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
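Review bot: in both changed lines, "((value >> 32) * (uint64_t)scale) >> 32" now performs the multiplication and the final shift in uint64_t, so for a negative value >> 32 the shift is logical and the intermediate is a large positive number. The result is only correct if it is narrowed to a 32-bit int before av_clip_int16() clips it. That narrowing is implicit at the call; an explicit cast or a short comment would make the dependency visible.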
[FFmpeg-cvslog] avformat/matroskadec: Check pre_ns
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Feb 13 15:20:02 2022 +0100| [78eed60822f44205fae364855fec3dbd55b59432] | committer: Michael Niedermayer avformat/matroskadec: Check pre_ns Fixes: division by 0 Fixes: 44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78eed60822f44205fae364855fec3dbd55b59432 --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 78e592cba6..37884934a9 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -4128,6 +4128,8 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t // prebuffered. pre_bytes = desc_end.end_offset - desc_end.start_offset; pre_ns = desc_end.end_time_ns - desc_end.start_time_ns; +if (pre_ns <= 0) +return -1; pre_sec = pre_ns / nano_seconds_per_second; prebuffer_bytes += pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / pre_sec); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
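Review bot: "if (pre_ns <= 0) return -1;" guards the division by pre_sec, but pre_bytes, computed one line earlier from the same descriptor as desc_end.end_offset - desc_end.start_offset, gets no matching check and can be zero or negative for the same kind of malformed cue data. Consider validating both together. The bare -1 also deserves a comment stating that it is this function's error return.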
[FFmpeg-cvslog] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Feb 8 00:43:56 2022 +0100| [cd310f05024de48d69c9ebf5581b42e9307b6c40] | committer: Michael Niedermayer avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int' Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd310f05024de48d69c9ebf5581b42e9307b6c40 --- libavcodec/sonic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index c049f6aedc..8662737837 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -1004,7 +1004,7 @@ static int sonic_decode_frame(AVCodecContext *avctx, // dequantize for (i = 0; i < s->num_taps; i++) -s->predictor_k[i] *= s->tap_quant[i]; +s->predictor_k[i] *= (unsigned) s->tap_quant[i]; if (s->lossless) quant = 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
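Review bot: the commit title says predictor_k is made unsigned, but the cast in "s->predictor_k[i] *= (unsigned) s->tap_quant[i];" is on tap_quant; the multiplication becomes unsigned only through the usual arithmetic conversions, and the product is converted back when it is stored. The behaviour is as intended, but a comment that wraparound on invalid input is accepted would keep the cast from looking redundant.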
[FFmpeg-cvslog] avcodec/libuavs3d: Check ff_set_dimensions() for failure
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Feb 10 00:06:12 2022 +0100| [cc53ce7e5b009921ee80a5974cb978ef112f1148] | committer: Michael Niedermayer avcodec/libuavs3d: Check ff_set_dimensions() for failure Untested, no testcase Signed-off-by: Michael Niedermayer (cherry picked from commit e88b99afdffce269e7a6a588948c4e00b86536f6) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc53ce7e5b009921ee80a5974cb978ef112f1148 --- libavcodec/libuavs3d.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/libuavs3d.c b/libavcodec/libuavs3d.c index be03da39e2..59b50a2843 100644 --- a/libavcodec/libuavs3d.c +++ b/libavcodec/libuavs3d.c @@ -208,7 +208,9 @@ static int libuavs3d_decode_frame(AVCodecContext *avctx, void *data, int *got_fr } avctx->has_b_frames = !seqh->low_delay; avctx->pix_fmt = seqh->bit_depth_internal == 8 ? AV_PIX_FMT_YUV420P : AV_PIX_FMT_YUV420P10LE; -ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size); +ret = ff_set_dimensions(avctx, seqh->horizontal_size, seqh->vertical_size); +if (ret < 0) +return ret; h->got_seqhdr = 1; if (seqh->colour_description) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
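Review bot: the new early return on ret < 0 happens after avctx->has_b_frames and avctx->pix_fmt have already been overwritten from the sequence header that is being rejected. Moving the ff_set_dimensions() call and its check above those two assignments would leave the context untouched on failure. Since the message says the change is untested, a build and a decode run with libuavs3d enabled before merging is worth the time.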
[FFmpeg-cvslog] avcodec/mjpegbdec: Set buf_size
ffmpeg | branch: release/4.4 | Michael Niedermayer | Fri Mar 11 20:25:48 2022 +0100| [1064cf413aa68e2d365c910716fb1698f3374968] | committer: Michael Niedermayer avcodec/mjpegbdec: Set buf_size Fixes: Timeout Fixes: 45170/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5874820431085568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1064cf413aa68e2d365c910716fb1698f3374968 --- libavcodec/mjpegbdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c index 19875a2ddb..3fab4a66bc 100644 --- a/libavcodec/mjpegbdec.c +++ b/libavcodec/mjpegbdec.c @@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx, buf_end = buf + buf_size; s->got_picture = 0; s->adobe_transform = -1; +s->buf_size = buf_size; read_header: /* reset on every SOI */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
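Review bot: the commit message lists the timeout it fixes but not why "s->buf_size = buf_size;" fixes it, and the added line carries no comment. Please name the code that reads s->buf_size in the message. The assignment also sits above the read_header label, which the comment says is re-entered on every SOI, so state whether the value is meant to stay the full packet size across those re-entries.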
[FFmpeg-cvslog] avformat/matroskadec: Use rounded down duration in get_cue_desc() check
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Mar 10 23:24:49 2022 +0100| [326dafe40afabe604a1ca00fc56eb6e1db897ddd] | committer: Michael Niedermayer avformat/matroskadec: Use rounded down duration in get_cue_desc() check Floating point is evil, it would be better if duration was not a double Fixes: Infinite loop Fixes: 45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=326dafe40afabe604a1ca00fc56eb6e1db897ddd --- libavformat/matroskadec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index eb79e0442e..78e592cba6 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -3937,7 +3937,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t ts, int64_t cues_start) int i; int nb_index_entries = s->streams[0]->nb_index_entries; AVIndexEntry *index_entries = s->streams[0]->index_entries; -if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, -1, -1, -1}; + +if (ts >= (int64_t)(matroska->duration * matroska->time_scale)) +return (CueDesc) {-1, -1, -1, -1}; for (i = 1; i < nb_index_entries; i++) { if (index_entries[i - 1].timestamp * matroska->time_scale <= ts && index_entries[i].timestamp * matroska->time_scale > ts) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
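Review bot: "(int64_t)(matroska->duration * matroska->time_scale)" converts a double product to int64_t, and that conversion is itself undefined when the product is NaN, infinite or outside the int64_t range. The rounding fix is fine for ordinary values, but the product should be range-checked before the cast, or the duration validated once when the header is read.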
[FFmpeg-cvslog] avcodec/argo: Check packet size
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Feb 27 00:59:25 2022 +0100| [310a060e77980d92e5fc2c0983d6aa7c3b84a0a7] | committer: Michael Niedermayer avcodec/argo: Check packet size Fixes: Timeout Fixes: 45052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARGO_fuzzer-6033489206575104 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bed27acefaab1b4c1813b8adc6468ca952a43f3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=310a060e77980d92e5fc2c0983d6aa7c3b84a0a7 --- libavcodec/argo.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/argo.c b/libavcodec/argo.c index f633ec2691..8f58e682f6 100644 --- a/libavcodec/argo.c +++ b/libavcodec/argo.c @@ -608,6 +608,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, uint32_t chunk; int ret; +if (avpkt->size < 4) +return AVERROR_INVALIDDATA; + bytestream2_init(gb, avpkt->data, avpkt->size); if ((ret = ff_reget_buffer(avctx, frame, 0)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
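Review bot: the constant in "if (avpkt->size < 4)" is unexplained. If it is the size of the chunk field declared just above (uint32_t chunk), say so in a comment or derive it with sizeof, so the check stays correct if the header layout changes.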
[FFmpeg-cvslog] avcodec/g729_parser: Check channels
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Feb 27 14:43:04 2022 +0100| [e9e2ddbc6c78cc18b76093617f82c920e58a8d1f] | committer: Michael Niedermayer avcodec/g729_parser: Check channels Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int' Fixes: assertion failure Fixes: ticket9651 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f --- libavcodec/g729_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c index 010f688104..ef08b48bf3 100644 --- a/libavcodec/g729_parser.c +++ b/libavcodec/g729_parser.c @@ -49,6 +49,9 @@ static int g729_parse(AVCodecParserContext *s1, AVCodecContext *avctx, s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE; if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN) s->block_size++; +// channels > 2 is invalid, we pass the packet on unchanged +if (avctx->channels > 2) +s->block_size = 0; s->block_size *= avctx->channels; s->duration = avctx->frame_size; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
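Review bot: only avctx->channels > 2 is handled before "s->block_size *= avctx->channels;". A zero channel count already yields a block size of 0, but a negative one still produces a negative block_size. Testing for the valid range (1 or 2 channels) rather than just the upper bound would cover both ends.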
[FFmpeg-cvslog] avformat/avidec: Check height
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Feb 27 21:44:29 2022 +0100| [061f8b941e954c3a6313b9084d020550ed609263] | committer: Michael Niedermayer avformat/avidec: Check height Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: Ticket8486 Signed-off-by: Michael Niedermayer (cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=061f8b941e954c3a6313b9084d020550ed609263 --- libavformat/avidec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index 4fdce640a1..02a4fd4c47 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -859,6 +859,8 @@ static int avi_read_header(AVFormatContext *s) memcpy(st->codecpar->extradata + st->codecpar->extradata_size - 9, "BottomUp", 9); } +if (st->codecpar->height == INT_MIN) +return AVERROR_INVALIDDATA; st->codecpar->height = FFABS(st->codecpar->height); //avio_skip(pb, size - 5 * 4); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
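Review bot: the check rejects exactly INT_MIN so that FFABS() on the next line is defined; every other magnitude still passes. A short comment saying that would keep it from being read as a range check on the height. The return from avi_read_header() at this point also comes after the extradata has been modified in the block above, so confirm that nothing allocated earlier in the function is left for the caller to clean up.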
[FFmpeg-cvslog] avformat/rmdec: Better duplicate tags check
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Feb 24 00:26:08 2022 +0100| [261557160ff360b4924729c142c45a7a1f86fc13] | committer: Michael Niedermayer avformat/rmdec: Better duplicate tags check Fixes: memleaks Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=261557160ff360b4924729c142c45a7a1f86fc13 --- libavformat/rmdec.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c index 97378703d1..eaf71de520 100644 --- a/libavformat/rmdec.c +++ b/libavformat/rmdec.c @@ -128,10 +128,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb, uint32_t version; int ret; -// Duplicate tags -if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO) -return AVERROR_INVALIDDATA; - /* ra type header */ version = avio_rb16(pb); /* version */ if (version == 3) { @@ -331,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, AVIOContext *pb, if (codec_data_size == 0) return 0; +// Duplicate tags +if ( st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN +&& st->codecpar->codec_type != AVMEDIA_TYPE_DATA) +return AVERROR_INVALIDDATA; + avpriv_set_pts_info(st, 64, 1, 1000); codec_pos = avio_tell(pb); v = avio_rb32(pb); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
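Review bot: in the second hunk the duplicate-tag test now runs after "if (codec_data_size == 0) return 0;", so a repeated tag with empty codec data on an already configured stream still returns success. Say in a comment whether that is intended. The new condition also lets AVMEDIA_TYPE_DATA through in addition to AVMEDIA_TYPE_UNKNOWN, and the reason is given neither in the code nor in the message.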
[FFmpeg-cvslog] avformat/mov: Disallow empty sidx
ffmpeg | branch: release/4.4 | Michael Niedermayer | Wed Mar 2 13:01:53 2022 +0100| [338444c0161e044f1608b4f2780c619f1297512a] | committer: Michael Niedermayer avformat/mov: Disallow empty sidx It appears this is not allowed "Each Segment Index box documents how a (sub)segment is divided into one or more subsegments (which may themselves be further subdivided using Segment Index boxes)." Fixes: Null pointer dereference Fixes: Ticket9517 Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=338444c0161e044f1608b4f2780c619f1297512a --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 4bd4750a21..46d8e628fd 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -5124,6 +5124,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, MOVAtom atom) avio_rb16(pb); // reserved item_count = avio_rb16(pb); +if (item_count == 0) +return AVERROR_INVALIDDATA; for (i = 0; i < item_count; i++) { int index; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
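Review bot: "if (item_count == 0) return AVERROR_INVALIDDATA;" fails without a log message, so a user sees a generic invalid-data error with no hint that the sidx box was the cause. An av_log() call naming the empty sidx would make such files much easier to diagnose.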
[FFmpeg-cvslog] avformat/mov: Corner case encryption error cleanup in mov_read_senc()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Wed Feb 9 22:01:03 2022 +0100| [166ee5fa684855ea0a44995c997cc09120c442a5] | committer: Michael Niedermayer avformat/mov: Corner case encryption error cleanup in mov_read_senc() Fixes: memleak Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=166ee5fa684855ea0a44995c997cc09120c442a5 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 092c899fff..4bd4750a21 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -6140,6 +6140,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } if (pb->eof_reached) { av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n"); +if (ret >= 0) + av_encryption_info_free(encryption_index->encrypted_samples[i]); ret = AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
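Review bot: after "av_encryption_info_free(encryption_index->encrypted_samples[i]);" the slot encrypted_samples[i] still holds the freed pointer. If the cleanup that follows walks the array up to and including index i, this turns the leak into a double free; setting the entry to NULL after freeing it removes the question. The ret >= 0 condition also deserves a comment explaining that it identifies the case where sample i was read successfully before EOF was noticed.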
[FFmpeg-cvslog] avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Feb 14 20:24:07 2022 +0100| [811047f7c26f88118ccd2c10c940b7b66b1ebf5d] | committer: Michael Niedermayer avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer() Signed-off-by: Michael Niedermayer (cherry picked from commit c8c12fb5d69107f94c5a0be14d0f3646861c60d1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=811047f7c26f88118ccd2c10c940b7b66b1ebf5d --- libavformat/argo_asf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c index 8e2bf21c71..06d62442b3 100644 --- a/libavformat/argo_asf.c +++ b/libavformat/argo_asf.c @@ -422,7 +422,7 @@ static int argo_asf_write_trailer(AVFormatContext *s) ArgoASFMuxContext *ctx = s->priv_data; int64_t ret; -if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET) < 0)) +if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET)) < 0) return ret; avio_wl32(s->pb, (uint32_t)ctx->nb_blocks); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
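Review bot: the commit message should state the old behaviour: with the parenthesis inside the call expression, ret received the result of the "< 0" comparison, so a failed seek returned 1 instead of the error code. The fix itself is correct. ret is an int64_t returned from a function declared int, so the narrowing on "return ret;" is implicit; it is harmless for error codes but worth a cast or a comment.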
[FFmpeg-cvslog] avformat/matroskadec: Check duration
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Feb 14 20:01:35 2022 +0100| [5cdceec2f2a822c683b6c028574fd4c0905fd4b3] | committer: Michael Niedermayer avformat/matroskadec: Check duration Fixes: -nan is outside the range of representable values of type 'long' Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cdceec2f2a822c683b6c028574fd4c0905fd4b3 --- libavformat/matroskadec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 426fe1b67e..eb79e0442e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2975,6 +2975,8 @@ static int matroska_read_header(AVFormatContext *s) if (!matroska->time_scale) matroska->time_scale = 100; +if (isnan(matroska->duration)) +matroska->duration = 0; if (matroska->duration) matroska->ctx->duration = matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
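Review bot: isnan() catches only NaN. An infinite or very large duration still reaches "matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE", and the result stored in ctx->duration is out of range for the integer destination in the same way the reported NaN was. Rejecting any duration that is not finite and non-negative here would cover the remaining cases.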
[FFmpeg-cvslog] avcodec/jpeglsdec: Fix if( code style
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Feb 15 21:01:06 2022 +0100| [badf284b529520e51452f62cb16be7cb0c5582bf] | committer: Michael Niedermayer avcodec/jpeglsdec: Fix if( code style Signed-off-by: Michael Niedermayer (cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=badf284b529520e51452f62cb16be7cb0c5582bf --- libavcodec/jpeglsdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index b1c4a8d48f..2599e840d0 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) s->t3 = get_bits(>gb, 16); s->reset = get_bits(>gb, 16); -if(s->avctx->debug & FF_DEBUG_PICT_INFO) { +if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d T2:%d T3:%d reset:%d\n", s->maxval, s->t1, s->t2, s->t3, s->reset); } @@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s) else maxtab = 65530/wt - 1; -if(s->avctx->debug & FF_DEBUG_PICT_INFO) { +if (s->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d maxtab:%d\n", id, tid, wt, maxtab); } if (maxtab >= 256) { @@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, ret = ret >> 1; } -if(FFABS(ret) > 0x) +if (FFABS(ret) > 0x) return -0x1; /* update state */ state->A[Q] += FFABS(ret) - RItype; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Feb 12 22:02:13 2022 +0100| [1caf4f91fb6caa834b9b89055ddfcadca37eb2b1] | committer: Michael Niedermayer avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error Fixes: Timeout Fixes: Invalid shift Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289 Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632 Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200 Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280 Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984 Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1caf4f91fb6caa834b9b89055ddfcadca37eb2b1 --- libavcodec/jpeglsdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index f690fbc5ab..b1c4a8d48f 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, #endif ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1, state->qbpp); +if (ret < 0) +return -0x1; /* decode mapped error */ map = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
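Review bot: the added `if (ret < 0)` branch in ls_get_code_runterm() returns a bare negative hex literal as its error sentinel, so correctness depends on every caller testing for that exact value. A named constant, or a short comment on what get_ur_golomb_jpegls() returns on failure and how the caller reacts to the sentinel, would make the error path auditable.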
[FFmpeg-cvslog] avcodec/motion_est: fix indention of ff_get_best_fcode()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Wed Feb 9 10:31:34 2022 +0100| [1d8caf2e1ffa11c885ebb06ae4967ffa3494346d] | committer: Michael Niedermayer avcodec/motion_est: fix indention of ff_get_best_fcode() Signed-off-by: Michael Niedermayer (cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d8caf2e1ffa11c885ebb06ae4967ffa3494346d --- libavcodec/motion_est.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 1f8b9c1b7c..b79e22c422 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) fcode_tab[my + MAX_MV]); int j; -if(mx >= range || mx < -range || - my >= range || my < -range) -continue; +if (mx >= range || mx < -range || +my >= range || my < -range) +continue; for(j=0; jpict_type==AV_PICTURE_TYPE_B || s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy]) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-cvslog] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Feb 8 21:38:50 2022 +0100| [f73e9b73ceb644451852176d3dc5566616cc62bc] | committer: Michael Niedermayer avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode() This codepath seems untested, no testcases change Found-by: Signed-off-by: Michael Niedermayer (cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f73e9b73ceb644451852176d3dc5566616cc62bc --- libavcodec/motion_est.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c index 5b0958733c..1f8b9c1b7c 100644 --- a/libavcodec/motion_est.c +++ b/libavcodec/motion_est.c @@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) for(y=0; ymb_height; y++){ int x; int xy= y*s->mb_stride; -for(x=0; xmb_width; x++){ +for(x=0; xmb_width; x++, xy++){ if(s->mb_type[xy] & type){ int mx= mv_table[xy][0]; int my= mv_table[xy][1]; @@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t (*mv_table)[2], int type) score[j]-= 170; } } -xy++; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
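Review bot: no test covers the path this fixes; the commit message itself says the codepath seems untested and the Found-by trailer is empty. Moving the increment into the loop header (`x++, xy++`) is right, because a `continue` in the body, such as the range check in this loop, previously skipped the trailing `xy++` and left xy pointing at the wrong macroblock for the rest of the row. A test with motion vectors outside the range would pin that behaviour down.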
[FFmpeg-cvslog] avformat/hls: Use unsigned for iv computation
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Feb 8 00:30:59 2022 +0100| [faf66d99c04d0f6eb97ce4b3883e2f55f6d562fd] | committer: Michael Niedermayer avformat/hls: Use unsigned for iv computation Fixes: signed integer overflow: 9223372036854775748 + 60 cannot be represented in type 'long' Fixes: 44417/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5802443881971712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Steven Liu Signed-off-by: Michael Niedermayer (cherry picked from commit bf33a384995ac21aa41422c6246ebdc5d9632452) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=faf66d99c04d0f6eb97ce4b3883e2f55f6d562fd --- libavformat/hls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index 597bea7f25..75209906d3 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -903,7 +903,7 @@ static int parse_playlist(HLSContext *c, const char *url, if (has_iv) { memcpy(seg->iv, iv, sizeof(iv)); } else { -int64_t seq = pls->start_seq_no + pls->n_segments; +uint64_t seq = pls->start_seq_no + (uint64_t)pls->n_segments; memset(seg->iv, 0, sizeof(seg->iv)); AV_WB64(seg->iv + 8, seq); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
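Review bot: computing seq as uint64_t in parse_playlist() makes the addition well defined, but the sum now wraps silently and the wrapped value is written into the segment IV by `AV_WB64(seg->iv + 8, seq);`. The fuzzer report shows an operand within 60 of the int64 maximum; consider rejecting or logging such a playlist where the sequence number is parsed, rather than deriving an IV from a wrapped value.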
[FFmpeg-cvslog] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Feb 5 20:41:08 2022 +0100| [b356dcb2fe7145148015fb929e2fb4b35752] | committer: Michael Niedermayer avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned Fixes: left shift of 32768 by 16 places cannot be represented in type 'int' Fixes: Timeout Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520 Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b356dcb2fe7145148015fb929e2fb4b35752 --- libavcodec/jpeglsdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index c4ffa81f7d..f690fbc5ab 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, JLSState *state, if (RItype) temp += state->N[Q] >> 1; -for (k = 0; (state->N[Q] << k) < temp; k++) +for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++) ; #ifdef JLS_BROKEN ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
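Review bot: the loop `for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)` still has no upper bound on k. The cast removes the signed-shift error, but if N[Q] is 0, or its set bits are shifted out before the value reaches temp, k keeps growing until the shift count reaches the width of unsigned, which is undefined again. The comparison is also unsigned now, so a negative temp would compare as a large value. Suggest an explicit limit on k and a comment stating the expected range of N[Q] and temp.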
[FFmpeg-cvslog] avformat/matroskadec: Check desc_bytes
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Feb 5 20:37:22 2022 +0100| [cc4707601d74945fb0115c1ce5bc2d4831a4e41a] | committer: Michael Niedermayer avformat/matroskadec: Check desc_bytes Fixes: Division by 0 Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc4707601d74945fb0115c1ce5bc2d4831a4e41a --- libavformat/matroskadec.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 5cd6699a23..426fe1b67e 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c 
@@ -4135,12 +4135,16 @@ static int64_t webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t do { int64_t desc_bytes = desc_end.end_offset - desc_beg.start_offset; int64_t desc_ns = desc_end.end_time_ns - desc_beg.start_time_ns; -double desc_sec = desc_ns / nano_seconds_per_second; -double calc_bits_per_second = (desc_bytes * 8) / desc_sec; +double desc_sec, calc_bits_per_second, percent, mod_bits_per_second; +if (desc_bytes <= 0) +return -1; + +desc_sec = desc_ns / nano_seconds_per_second; +calc_bits_per_second = (desc_bytes * 8) / desc_sec; // Drop the bps by the percentage of bytes buffered. -double percent = (desc_bytes - prebuffer_bytes) / desc_bytes; -double mod_bits_per_second = calc_bits_per_second * percent; +percent = (desc_bytes - prebuffer_bytes) / desc_bytes; +mod_bits_per_second = calc_bits_per_second * percent; if (prebuffer < desc_sec) { double search_sec = ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
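Review bot: desc_ns is not validated alongside desc_bytes. After the new `if (desc_bytes <= 0) return -1;`, desc_sec is still derived from desc_ns and used as the divisor in `(desc_bytes * 8) / desc_sec`, so a zero or negative time span between the two cue descriptors still yields an infinite or negative bandwidth value. Suggest checking desc_ns <= 0 in the same place; `desc_bytes * 8` on an int64_t can also overflow for large offsets.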
[FFmpeg-cvslog] avformat/matroskadec: Fix infinite loop with bz decompression
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Feb 3 22:46:55 2022 +0100| [d3456a374d4eff67d3bebc0fcb52c6843a05a816] | committer: Michael Niedermayer avformat/matroskadec: Fix infinite loop with bz decompression The same check is added to zlib too, it seems not needed there though Fixes: Infinite loop Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Andreas Rheinhardt Signed-off-by: Michael Niedermayer (cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3456a374d4eff67d3bebc0fcb52c6843a05a816 --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 50e572d5c5..5cd6699a23 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1690,7 +1690,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_ZLIB: { z_stream zstream = { 0 }; -if (inflateInit() != Z_OK) +if (!pkt_size || inflateInit() != Z_OK) return -1; zstream.next_in = data; zstream.avail_in = isize; @@ -1723,7 +1723,7 @@ static int matroska_decode_buffer(uint8_t **buf, int *buf_size, case MATROSKA_TRACK_ENCODING_COMP_BZLIB: { bz_stream bzstream = { 0 }; -if (BZ2_bzDecompressInit(, 0, 0) != BZ_OK) +if (!pkt_size || BZ2_bzDecompressInit(, 0, 0) != BZ_OK) return -1; bzstream.next_in = data; bzstream.avail_in = isize; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
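Review bot: the zero-size guard is folded into the library init tests (`!pkt_size || ...` in front of both the zlib and the bzlib init call), which hides why it is there. The commit message says the infinite loop was seen with bz decompression and that the zlib check seems not needed; a one-line comment at each site explaining how a zero pkt_size leads to the loop would record the reason. It is also worth asking whether a single early test on pkt_size before the switch would be valid for the other encodings.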
[FFmpeg-cvslog] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Fri Feb 4 00:44:32 2022 +0100| [032672a8f1907c518213406ca65c678d9a00ae65] | committer: Michael Niedermayer avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value() Fixes: pointer index expression with base 0x overflowed to 0x Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=032672a8f1907c518213406ca65c678d9a00ae65 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 75e5350a27..b2d011a0db 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -4997,7 +4997,7 @@ void ff_parse_key_value(const char *str, ff_parse_key_val_cb callback_get_buf, key_len = ptr - key; callback_get_buf(context, key, key_len, , _len); -dest_end = dest + dest_len - 1; +dest_end = dest ? dest + dest_len - 1 : NULL; if (*ptr == '\"') { ptr++; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
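Review bot: `dest ? dest + dest_len - 1 : NULL` in ff_parse_key_value() still forms a pointer one before the buffer when the callback returns a non-NULL dest with a dest_len of 0. Suggest treating dest_len == 0 like the NULL case, for example `dest_end = dest && dest_len > 0 ? dest + dest_len - 1 : NULL;`, and confirming that the copy loop after this hunk tests dest before writing.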
[FFmpeg-cvslog] avformat/mov: Check size before subtraction
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Jan 17 14:26:05 2022 +0100| [673f8d3641ced5c25862815ec458a4c9820c5162] | committer: Michael Niedermayer avformat/mov: Check size before subtraction Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long' Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=673f8d3641ced5c25862815ec458a4c9820c5162 --- libavformat/mov.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 47160fd551..092c899fff 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -7078,6 +7078,8 @@ static int mov_read_default(MOVContext *c, AVIOContext *pb, MOVAtom atom) if (a.size == 0) { a.size = atom.size - total_size + 8; } +if (a.size < 0) +break; a.size -= 8; if (a.size < 0) break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
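Review bot: the two consecutive tests around `a.size -= 8;` in mov_read_default() can be one. `if (a.size < 8) break;` placed before the subtraction rejects the same inputs as the added check plus the existing one. The assignment just above, `a.size = atom.size - total_size + 8;`, is signed arithmetic as well and is not covered by this change.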
[FFmpeg-cvslog] avcodec/cfhd: Avoid signed integer overflow in coeff
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Jan 17 14:16:39 2022 +0100| [447b9a0f030653cc6687905cc642453fa2063284] | committer: Michael Niedermayer avcodec/cfhd: Avoid signed integer overflow in coeff Fixes: signed integer overflow: 15244032 * 256 cannot be represented in type 'int' Fixes: 43504/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865014842916864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cd6ac013a00373126bf3d313743d39b5edd5428a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=447b9a0f030653cc6687905cc642453fa2063284 --- libavcodec/cfhd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c index 6f13207cc1..b61d1e7222 100644 --- a/libavcodec/cfhd.c +++ b/libavcodec/cfhd.c @@ -838,7 +838,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, const uint16_t q = s->quantisation; for (i = 0; i < run; i++) { -*coeff_data |= coeff * 256; +*coeff_data |= coeff * 256U; *coeff_data++ *= q; } } else { @@ -869,7 +869,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame, const uint16_t q = s->quantisation; for (i = 0; i < run; i++) { -*coeff_data |= coeff * 256; +*coeff_data |= coeff * 256U; *coeff_data++ *= q; } } else { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
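Review bot: `coeff * 256U` makes the multiplication unsigned, but the next line, `*coeff_data++ *= q;`, still multiplies the stored value by the quantiser in the type of *coeff_data, which these hunks do not show; worth confirming that this statement cannot overflow in the same way. The identical two-line loop body appears in both hunks, so a small helper would keep the two copies from drifting apart.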
[FFmpeg-cvslog] avcodec/apedec: Fix integer overflows in predictor_update_3930()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Mon Jan 3 19:15:18 2022 +0100| [65d8418e11a710806e61452b41713ef1e076b102] | committer: Michael Niedermayer avcodec/apedec: Fix integer overflows in predictor_update_3930() Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int' Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65d8418e11a710806e61452b41713ef1e076b102 --- libavcodec/apedec.c | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index e2885891a8..f414ec0f74 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1088,13 +1088,13 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, const int delayA) { int32_t predictionA, sign; -int32_t d0, d1, d2, d3; +uint32_t d0, d1, d2, d3; p->buf[delayA] = p->lastA[filter]; d0 = p->buf[delayA]; -d1 = p->buf[delayA] - p->buf[delayA - 1]; -d2 = p->buf[delayA - 1] - p->buf[delayA - 2]; -d3 = p->buf[delayA - 2] - p->buf[delayA - 3]; +d1 = p->buf[delayA] - (unsigned)p->buf[delayA - 1]; +d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2]; +d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3]; predictionA = d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + 
@@ -1105,10 +1105,10 @@ static av_always_inline int predictor_update_3930(APEPredictor *p, p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) >> 5); sign = APESIGN(decoded); -p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign; -p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign; -p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign; -p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign; +p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign; +p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign; +p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign; +p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign; return p->filterA[filter]; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
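Review bot: in the first hunk of predictor_update_3930(), d0..d3 become uint32_t, so the sum assigned to predictionA (`d0 * p->coeffsA[filter][0] + d1 * p->coeffsA[filter][1] + ...`) is now evaluated with unsigned wraparound and converted back to int32_t. That is the intent, but nothing in the code says so; a comment that the wraparound is deliberate would stop a later cleanup from restoring the signed types. The hunk also mixes `(unsigned)` casts with `uint32_t` declarations; one spelling would be clearer.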
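Review bot: in the second hunk the sign test is written out four times as `(((int32_t)dN < 0) * 2 - 1) * sign`, and each copy depends on the conversion of an out-of-range uint32_t back to int32_t giving the two's-complement value. A small inline helper for the sign test, with that assumption stated once, would be easier to audit than four casts.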
[FFmpeg-cvslog] avcodec/apedec: fix integer overflow in 8bit samples
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Dec 23 20:39:14 2021 +0100| [6c5e26821e075e55fa398cf8a52f833cc1316148] | committer: Michael Niedermayer avcodec/apedec: fix integer overflow in 8bit samples Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int' Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6c5e26821e075e55fa398cf8a52f833cc1316148 --- libavcodec/apedec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index 0fb3b04db5..e2885891a8 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -1587,7 +1587,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void *data, for (ch = 0; ch < s->channels; ch++) { sample8 = (uint8_t *)frame->data[ch]; for (i = 0; i < blockstodecode; i++) -*sample8++ = (s->decoded[ch][i] + 0x80) & 0xff; +*sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff; } break; case 16: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
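Review bot: `(s->decoded[ch][i] + 0x80U) & 0xff` is well defined now, but the reported input (2147483542 + 128) shows decoded values far outside the 8-bit range reaching this loop in ape_decode_frame() and being masked to a byte without any diagnostic. Worth stating in a comment that wrapping is the intended output for such streams, or flagging the out-of-range values earlier in the decoder.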
[FFmpeg-cvslog] avcodec/tiff: Remove messing with jpeg context
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Dec 25 20:14:48 2021 +0100| [3fe61f91b3b27f7a91f2a2f8ae6d7719fcaadafc] | committer: Michael Niedermayer avcodec/tiff: Remove messing with jpeg context The whole concept is just not correct, also as it seems not to be needed at all, all dng files i have decode without this. Fixes: various crashes Fixes: 42937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4625073334517760 Fixes: 42938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4643368217477120 Fixes: 42939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925325908246528 Fixes: 42940/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925378806808576 Fixes: 42941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6202009265504256 Fixes: 42944/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6076860998483968 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit afdbc940c6011b64c1856f88d2b0609369f87406) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fe61f91b3b27f7a91f2a2f8ae6d7719fcaadafc --- libavcodec/tiff.c | 24 ++-- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 6faf451c68..c127ce146f 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c 
@@ -735,20 +735,6 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame, return 0; } -static int dng_decode_strip(AVCodecContext *avctx, AVFrame *frame) -{ -TiffContext *s = avctx->priv_data; -int ret = ff_set_dimensions(s->avctx_mjpeg, s->width, s->height); - -if (ret < 0) -return ret; - -s->jpgframe->width = s->width; -s->jpgframe->height = s->height; - -return dng_decode_jpeg(avctx, frame, s->stripsize, 0, 0, s->width, s->height); -} - static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int stride, const uint8_t *src, int size, int strip_start, int lines) { @@ -870,7 +856,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int strid av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips unsupported\n"); return AVERROR_PATCHWELCOME; } -if ((ret = dng_decode_strip(s->avctx, p)) < 0) +if ((ret = dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, s->height)) < 0) return ret; return 0; } @@ -986,13 +972,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, int has_width_leftover, has_height_leftover; int tile_x = 0, tile_y = 0; int pos_x = 0, pos_y = 0; -int ret = ff_set_dimensions(s->avctx_mjpeg, s->tile_width, s->tile_length); - -if (ret < 0) -return ret; - -s->jpgframe->width = s->tile_width; -s->jpgframe->height = s->tile_length; +int ret; has_width_leftover = (s->width % s->tile_width != 0); has_height_leftover = (s->height % s->tile_length != 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
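Review bot: in tiff_unpack_strip() the call `dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, s->height)` now runs without the ff_set_dimensions() error check that the removed dng_decode_strip() performed, so the strip path depends entirely on dng_decode_jpeg() and the MJPEG decoder validating the dimensions. The commit message justifies the removal with the author's own DNG files only; naming a regression sample would make this checkable.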
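Review bot: in the dng_decode_tiles() hunk `ret` is now declared without an initializer (`int ret;`). Confirm that every path which tests or returns ret assigns it first, since the rest of the function is outside this hunk.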
[FFmpeg-cvslog] avformat/flvdec: timestamps cannot use the full int64 range
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Dec 23 20:36:16 2021 +0100| [be0109b881e688616ccac6551762e1a692befe11] | committer: Michael Niedermayer avformat/flvdec: timestamps cannot use the full int64 range We do not support this as we multiply by 1000 Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long' Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=be0109b881e688616ccac6551762e1a692befe11 --- libavformat/flvdec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c index 79c810f963..2bbfef53e6 100644 --- a/libavformat/flvdec.c +++ b/libavformat/flvdec.c @@ -459,6 +459,8 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, int64_t m d = av_int2double(avio_rb64(ioc)); if (isnan(d) || d < INT64_MIN || d > INT64_MAX) goto invalid; +if (current_array == && (d <= INT64_MIN / 1000 || d >= INT64_MAX / 1000)) +goto invalid; current_array[0][i] = d; } if (times && filepositions) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
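Review bot: the pre-existing test `d < INT64_MIN || d > INT64_MAX` in parse_keyframes_index() does not exclude d equal to 2^63, because INT64_MAX is converted to that double value for the comparison. The stricter `<=`/`>=` bounds added here apply only to the array selected by the new condition, so the other array still accepts that value before `current_array[0][i] = d;`. Suggest `d >= INT64_MAX` in the shared check, and a comment tying the 1000 divisor to the multiplication the commit message mentions.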
[FFmpeg-cvslog] avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions
ffmpeg | branch: release/4.4 | Michael Niedermayer | Fri Dec 17 20:52:32 2021 +0100| [14249d8a0376ce7d4d40eba0ee81c5973eb4441a] | committer: Michael Niedermayer avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions sets coded_width / coded_height too to keep them consistent with width / height Fixes: OOM Fixes: 42263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-565619113984 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cfa1f0e214d07f0fdc027f2ec760eb9fd3fac85e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14249d8a0376ce7d4d40eba0ee81c5973eb4441a --- libavcodec/tiff.c | 15 --- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index 7d65da8e9a..6faf451c68 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -738,13 +738,14 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame *frame, static int dng_decode_strip(AVCodecContext *avctx, AVFrame *frame) { TiffContext *s = avctx->priv_data; +int ret = ff_set_dimensions(s->avctx_mjpeg, s->width, s->height); + +if (ret < 0) +return ret; s->jpgframe->width = s->width; s->jpgframe->height = s->height; -s->avctx_mjpeg->width = s->width; -s->avctx_mjpeg->height = s->height; - return dng_decode_jpeg(avctx, frame, s->stripsize, 0, 0, s->width, s->height); } 
@@ -985,14 +986,14 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame *frame, int has_width_leftover, has_height_leftover; int tile_x = 0, tile_y = 0; int pos_x = 0, pos_y = 0; -int ret; +int ret = ff_set_dimensions(s->avctx_mjpeg, s->tile_width, s->tile_length); + +if (ret < 0) +return ret; s->jpgframe->width = s->tile_width; s->jpgframe->height = s->tile_length; -s->avctx_mjpeg->width = s->tile_width; -s->avctx_mjpeg->height = s->tile_length; - has_width_leftover = (s->width % s->tile_width != 0); has_height_leftover = (s->height % s->tile_length != 0); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
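Review bot: both hunks put a side-effecting call into the declaration, `int ret = ff_set_dimensions(s->avctx_mjpeg, ...)`, which is easy to miss next to plain declarations; assigning ret in a separate statement reads more clearly. In dng_decode_tiles() it is worth confirming that ff_set_dimensions() rejects a zero tile_width or tile_length, since `s->width % s->tile_width` and `s->height % s->tile_length` follow directly.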
[FFmpeg-cvslog] avcodec/tiff: Pass max_pixels to mjpeg context
ffmpeg | branch: release/4.4 | Michael Niedermayer | Fri Dec 17 20:43:15 2021 +0100| [24da8685f00fd8f0da646dd48d3e3103072e8f26] | committer: Michael Niedermayer avcodec/tiff: Pass max_pixels to mjpeg context Signed-off-by: Michael Niedermayer (cherry picked from commit d6c16f42ccebca917bb9861c619abcf71ab25762) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=24da8685f00fd8f0da646dd48d3e3103072e8f26 --- libavcodec/tiff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c index f8c68f1e7d..7d65da8e9a 100644 --- a/libavcodec/tiff.c +++ b/libavcodec/tiff.c @@ -2169,6 +2169,7 @@ static av_cold int tiff_init(AVCodecContext *avctx) s->avctx_mjpeg->flags2 = avctx->flags2; s->avctx_mjpeg->dct_algo = avctx->dct_algo; s->avctx_mjpeg->idct_algo = avctx->idct_algo; +s->avctx_mjpeg->max_pixels = avctx->max_pixels; ret = avcodec_open2(s->avctx_mjpeg, codec, NULL); if (ret < 0) { return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
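Review bot: max_pixels is copied to the MJPEG sub-context once in tiff_init(), next to flags2, dct_algo and idct_algo, so a limit changed on the outer context after init is not seen by the inner decoder. The commit message gives no reason or reproducer; a line stating which resource limit this enforces for embedded JPEG data would help reviewers of the backport.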
[FFmpeg-cvslog] avcodec/vqavideo: reset accounting on error
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sun Dec 19 22:26:00 2021 +0100| [e2ae9adbe1c223232fded0e236c103bf26f289e7] | committer: Michael Niedermayer avcodec/vqavideo: reset accounting on error Fixes: Timeout (same growing chunk is decoded to failure repeatedly) Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2ae9adbe1c223232fded0e236c103bf26f289e7 --- libavcodec/vqavideo.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c index f45390cfe5..d0e1927444 100644 --- a/libavcodec/vqavideo.c +++ b/libavcodec/vqavideo.c @@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame) if (s->partial_countdown <= 0) { bytestream2_init(>gb, s->next_codebook_buffer, s->next_codebook_buffer_index); /* decompress codebook */ -if ((res = decode_format80(s, s->next_codebook_buffer_index, - s->codebook, s->codebook_size, 0)) < 0) -return res; +res = decode_format80(s, s->next_codebook_buffer_index, + s->codebook, s->codebook_size, 0); /* reset accounting */ s->next_codebook_buffer_index = 0; s->partial_countdown = s->partial_count; +if (res < 0) +return res; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
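Review bot: after a decode_format80() failure the accounting is reset, but s->codebook may already hold partially written data from the failed call, and vqa_decode_chunk() only returns the error. If later frames keep using that codebook, consider decoding into a scratch buffer and copying on success, or note in a comment that a partially updated codebook is acceptable.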
[FFmpeg-cvslog] avformat/4xm: Check for duplicate track ids
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Dec 7 09:14:09 2021 +0100| [59287d3880966cc70d6080a28649c66025987bc8] | committer: Michael Niedermayer avformat/4xm: Check for duplicate track ids Signed-off-by: Michael Niedermayer (cherry picked from commit dd949124793c722ed55dead9da245574ace81968) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59287d3880966cc70d6080a28649c66025987bc8 --- libavformat/4xm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 9dc4f05d3b..cfee8a02f4 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s, memset(>tracks[fourxm->track_count], 0, sizeof(AudioTrack) * (track + 1 - fourxm->track_count)); fourxm->track_count = track + 1; +} else { +if (fourxm->tracks[track].bits) +return AVERROR_INVALIDDATA; } fourxm->tracks[track].adpcm = AV_RL32(buf + 12); fourxm->tracks[track].channels= AV_RL32(buf + 36); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
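Review bot: the duplicate test in parse_strk() uses a non-zero `fourxm->tracks[track].bits` as the "already seen" marker, so a track whose earlier header stored bits == 0 is not detected unless zero is rejected elsewhere in the function. The new branch also returns AVERROR_INVALIDDATA without an av_log() message, and `} else { if (...)` can be written as `else if`.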
[FFmpeg-cvslog] avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Thu Jul 23 23:34:15 2020 +0200| [02b0143522936b4ee53aa132b5dec35c27bd46ea] | committer: Michael Niedermayer avcodec/alacdsp: fix integer overflow in decorrelate_stereo() Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int' Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336 Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02b0143522936b4ee53aa132b5dec35c27bd46ea --- libavcodec/alacdsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c index 9996eb4319..8718d1b6b1 100644 --- a/libavcodec/alacdsp.c +++ b/libavcodec/alacdsp.c @@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int nb_samples, a = buffer[0][i]; b = buffer[1][i]; -a -= (b * decorr_left_weight) >> decorr_shift; +a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift; b += a; buffer[0][i] = b; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
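Review bot: the changed line in decorrelate_stereo() depends on the exact placement of the casts, and nothing in the code says so. The multiplication is done in unsigned to get defined wrap-around, the "(int)" converts the product back before ">> decorr_shift" so the shift stays an arithmetic shift on a signed value, and both the out-of-range conversion and the right shift of a negative int are implementation-defined rather than undefined. A short comment stating that wrap-around is intentional and that the cast must stay on the product, not on the shifted result, would stop someone from "simplifying" it. The unchanged "b += a;" on the following line is still a signed addition, so it is worth checking whether the same fuzzed inputs can overflow there.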
[FFmpeg-cvslog] avformat/4xm: Consider max_streams on reallocating tracks array
ffmpeg | branch: release/4.4 | Michael Niedermayer | Tue Dec 7 09:14:08 2021 +0100| [8f83d2a94a8113ca61633b3cf7bf04cdeb0466dd] | committer: Michael Niedermayer avformat/4xm: Consider max_streams on reallocating tracks array Fixes: OOM Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8f83d2a94a8113ca61633b3cf7bf04cdeb0466dd --- libavformat/4xm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/4xm.c b/libavformat/4xm.c index 30f1b05324..9dc4f05d3b 100644 --- a/libavformat/4xm.c +++ b/libavformat/4xm.c @@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s, return AVERROR_INVALIDDATA; track = AV_RL32(buf + 8); -if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) { +if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 || +track >= s->max_streams) { av_log(s, AV_LOG_ERROR, "current_track too large\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
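Review bot: the added "track >= s->max_streams" clause in parse_strk() is a signed comparison that is only safe because the "(unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1" clause before it already rejects negative values, so the order of the two operands of "||" matters and should be noted in a comment. The shared message "current_track too large" now covers two different conditions, an allocation-size guard and a policy limit; logging the track value together with s->max_streams when the second clause fires would tell a user that raising max_streams is the remedy rather than that the file is corrupt.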
[FFmpeg-cvslog] avformat/mov: Check next offset in mov_read_dref()
ffmpeg | branch: release/4.4 | Michael Niedermayer | Sat Dec 4 20:48:54 2021 +0100| [223b5abcb14dd4158890914603dc5619baa198f4] | committer: Michael Niedermayer avformat/mov: Check next offset in mov_read_dref() Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long' Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=223b5abcb14dd4158890914603dc5619baa198f4 --- libavformat/mov.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 8b002d64cb..47160fd551 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -607,11 +607,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, MOVAtom atom) for (i = 0; i < entries; i++) { MOVDref *dref = >drefs[i]; uint32_t size = avio_rb32(pb); -int64_t next = avio_tell(pb) + size - 4; +int64_t next = avio_tell(pb); -if (size < 12) +if (size < 12 || next < 0 || next > INT64_MAX - size) return AVERROR_INVALIDDATA; +next += size - 4; + dref->type = avio_rl32(pb); avio_rb32(pb); // version + flags ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
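Review bot: in mov_read_dref() the combined test "size < 12 || next < 0 || next > INT64_MAX - size" maps a negative avio_tell() result to AVERROR_INVALIDDATA, which discards the error code the I/O layer returned; handling "next < 0" on its own and propagating that value would keep I/O failures distinguishable from malformed dref entries. The later "next += size - 4;" is evaluated in uint32_t and relies on the "size < 12" test having run first, so a comment tying the two together would help, since moving the addition back above the check would reintroduce both the unsigned wrap for small sizes and the signed overflow named in the commit message.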