[FFmpeg-cvslog] Update for FFmpeg 4.3.4

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Wed Apr  6 20:40:59 2022 +0200| [e681f720f8394b66469f500a0a2aedadc1b01374] | 
committer: Michael Niedermayer

Update for FFmpeg 4.3.4

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e681f720f8394b66469f500a0a2aedadc1b01374
---

 Changelog| 55 +++
 RELEASE  |  2 +-
 doc/Doxyfile |  2 +-
 3 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index 541dfc77bd..430e826369 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,61 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 4.3.4:
+ avcodec/diracdec: avoid signed integer overflow in global mv
+ avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+ avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+ avfilter/vf_subtitles: pass storage size to libass
+ avformat/aqtitledec: Skip unrepresentable durations
+ avformat/cafdec: Do not store empty keys in read_info_chunk()
+ avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before 
writing
+ avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
+ avformat/mxfdec: Check count in mxf_read_strong_ref_array()
+ avformat/hls: Check target_duration
+ avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+ avformat/matroskadec: Check pre_ns
+ avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+ avcodec/mjpegbdec: Set buf_size
+ avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+ avcodec/g729_parser: Check channels
+ avformat/avidec: Check height
+ avformat/rmdec: Better duplicate tags check
+ avformat/mov: Disallow empty sidx
+ avformat/matroskadec: Check duration
+ avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+ avcodec/jpeglsdec: Fix if( code style
+ avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+ avcodec/motion_est: fix indention of ff_get_best_fcode()
+ avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+ avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using 
unsigned
+ avformat/matroskadec: Check desc_bytes
+ avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+ avformat/matroskadec: Fix infinite loop with bz decompression
+ avformat/mov: Check size before subtraction
+ avcodec/apedec: Fix integer overflows in predictor_update_3930()
+ avcodec/apedec: fix integer overflow in 8bit samples
+ avformat/flvdec: timestamps cannot use the full int64 range
+ avcodec/vqavideo: reset accounting on error
+ avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+ avformat/4xm: Check for duplicate track ids
+ avformat/4xm: Consider max_streams on reallocating tracks array
+ avformat/mov: Check next offset in mov_read_dref()
+ avformat/vivo: Favor setting fps from explicit fractions
+ avformat/vivo: Do not use the general expression evaluator for parsing a 
floating point value
+ avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+ avcodec/apedec: Change avg to uint32_t
+ avformat/mov: Disallow duplicate smdm
+ avformat/mov: Check for EOF in mov_read_glbl()
+ avcodec/vp3: Check version in all cases when VP4 code is not built
+ avformat/mov: Check channels for mov_parse_stsd_audio()
+ avformat/avidec: Check read_odml_index() for failure
+ avformat/aiffdec: Use av_rescale() for bitrate
+ avformat/aiffdec: sanity check block_align
+ avformat/aiffdec: Check sample_rate
+ avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE
+ avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure
+ configure: Add missing libshine->mpegaudioheader dependency
+
 version 4.3.3:
  avcodec/ttadsp: Fix integer overflows in tta_filter_process_c()
  avutil/mathematics: Document av_rescale_rnd() behavior on non int64 results
diff --git a/RELEASE b/RELEASE
index e91d9be2a8..eda862a98c 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-4.3.3
+4.3.4
diff --git a/doc/Doxyfile b/doc/Doxyfile
index ff426797ca..5d357c2b57 100644
--- a/doc/Doxyfile
+++ b/doc/Doxyfile
@@ -38,7 +38,7 @@ PROJECT_NAME   = FFmpeg
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER = 4.3.3
+PROJECT_NUMBER = 4.3.4
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".


[FFmpeg-cvslog] avcodec/diracdec: avoid signed integer overflow in global mv

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Mar 21 20:51:47 2022 +0100| [a671e181286785d8fdd69f8ec17c5814727d32f7] | 
committer: Michael Niedermayer

avcodec/diracdec: avoid signed integer overflow in global mv

Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented 
in type 'long'
Fixes: 
45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a671e181286785d8fdd69f8ec17c5814727d32f7
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index ed42bc366a..b1d82ed3e1 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1431,8 +1431,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int64_t m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);



[FFmpeg-cvslog] avcodec/takdsp: Fix integer overflow in decorrelate_sf()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Mar 28 00:26:06 2022 +0200| [5359c1ceda217b1bcb5b8579873a1107f211528f] | 
committer: Michael Niedermayer

avcodec/takdsp: Fix integer overflow in decorrelate_sf()

Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 
'int'
Fixes: 
45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5359c1ceda217b1bcb5b8579873a1107f211528f
---

 libavcodec/takdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c
index 9cb8052596..a8f9dba342 100644
--- a/libavcodec/takdsp.c
+++ b/libavcodec/takdsp.c
@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int 
length, int dshift, int
 for (i = 0; i < length; i++) {
 int32_t a = p1[i];
 int32_t b = p2[i];
-b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
+b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) 
>> 8) << dshift;
 p1[i] = b - a;
 }
 }
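
Review bot: the replacement line in decorrelate_sf() nests three casts ((unsigned), (int), (unsigned)) with no comment, and its result still depends on implementation-defined behaviour: the (int) conversion of an out-of-range unsigned value and the >> 8 of a possibly negative int. A one-line comment stating that the multiply is meant to wrap modulo 2^32 and that the shift is expected to be arithmetic would make the intent reviewable.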



[FFmpeg-cvslog] avcodec/apedec: fix a integer overflow in long_filter_high_3800()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Mar 28 00:12:17 2022 +0200| [d909850308eb08f7ade9b1585ef30d997091f740] | 
committer: Michael Niedermayer

avcodec/apedec: fix a integer overflow in long_filter_high_3800()

Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in 
type 'int'
Fixes: 
45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d909850308eb08f7ade9b1585ef30d997091f740
---

 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 43d7110c57..23f4d3a093 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -928,7 +928,7 @@ static void long_filter_high_3800(int32_t *buffer, int 
order, int shift, int len
 dotprod += delay[j] * (unsigned)coeffs[j];
 coeffs[j] += ((delay[j] >> 31) | 1) * sign;
 }
-buffer[i] -= dotprod >> shift;
+buffer[i] -= (unsigned)(dotprod >> shift);
 for (j = 0; j < order - 1; j++)
 delay[j] = delay[j + 1];
 delay[order - 1] = buffer[i];
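
Review bot: on the changed buffer[i] -= line, only the subtraction is made unsigned; dotprod >> shift is still evaluated first in dotprod's own type, which is not visible in this hunk. If dotprod is signed, say so in a comment, along with the fact that wraparound of buffer[i] is intended, matching the (unsigned)coeffs[j] idiom at the top of the hunk.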



[FFmpeg-cvslog] avfilter/vf_subtitles: pass storage size to libass

2022-04-06 Thread Oneric
ffmpeg | branch: release/4.3 | Oneric  | Wed Mar 23 20:43:54 
2022 +0100| [f160c24f77353f8049b66ce76f235afc08922f3a] | committer: Michael 
Niedermayer

avfilter/vf_subtitles: pass storage size to libass

Due to a quirk of the ASS format some tags depend on the exact storage
resolution of the video, so tell libass via ass_set_storage_size.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f160c24f77353f8049b66ce76f235afc08922f3a
---

 libavfilter/vf_subtitles.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c
index 61f8d90990..64ddc5fa9c 100644
--- a/libavfilter/vf_subtitles.c
+++ b/libavfilter/vf_subtitles.c
@@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink)
 ff_draw_init(>draw, inlink->format, ass->alpha ? 
FF_DRAW_PROCESS_ALPHA : 0);
 
 ass_set_frame_size  (ass->renderer, inlink->w, inlink->h);
-if (ass->original_w && ass->original_h)
+if (ass->original_w && ass->original_h) {
 ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
  (double)ass->original_w / ass->original_h);
+#if LIBASS_VERSION > 0x0101
+ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
+} else {
+ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
+#endif
+}
+
 if (ass->shaping != -1)
 ass_set_shaper(ass->renderer, ass->shaping);
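
Review bot: the #if LIBASS_VERSION block opens inside the if branch and closes inside the else branch, so the } else { line exists in only one preprocessor configuration while the closing } after #endif serves both. It balances either way, but it is easy to break on the next edit; moving the two ass_set_storage_size() calls into a separate, self-contained #if block after the if statement would be clearer. A comment naming the libass release behind the version constant would also help.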
 



[FFmpeg-cvslog] avformat/aqtitledec: Skip unrepresentable durations

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Mar 20 00:07:50 2022 +0100| [e1a5738b73b7136fcc118c4528409d34c54e7e4f] | 
committer: Michael Niedermayer

avformat/aqtitledec: Skip unrepresentable durations

Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented 
in type 'long'
Fixes: 
45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e1a5738b73b7136fcc118c4528409d34c54e7e4f
---

 libavformat/aqtitledec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c
index 81630d73b0..960a5d8ef5 100644
--- a/libavformat/aqtitledec.c
+++ b/libavformat/aqtitledec.c
@@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s)
 new_event = 1;
 pos = avio_tell(s->pb);
 if (sub) {
-sub->duration = frame - sub->pts;
+if (frame >= sub->pts && (uint64_t)frame - sub->pts < 
INT64_MAX)
+sub->duration = frame - sub->pts;
 sub = NULL;
 }
 } else if (*line) {
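
Review bot: when the new condition in front of sub->duration = frame - sub->pts fails, the event keeps whatever duration it already had and nothing is logged. Set an explicit fallback value or emit an av_log() warning in an else branch so a skipped duration is distinguishable from a valid one. The (uint64_t)frame - sub->pts comparison also mixes signed and unsigned operands; a short comment on why that is safe after the frame >= sub->pts test would help.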



[FFmpeg-cvslog] avformat/cafdec: Do not store empty keys in read_info_chunk()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Mar 19 23:36:22 2022 +0100| [4d1674cccf3bf855e7e3970efcff5d8c4bc55904] | 
committer: Michael Niedermayer

avformat/cafdec: Do not store empty keys in read_info_chunk()

Fixes: Timeout
Fixes: 
45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d1674cccf3bf855e7e3970efcff5d8c4bc55904
---

 libavformat/cafdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index e5d6fbf39c..5c22678a38 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -241,6 +241,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t 
size)
 char value[1024];
 avio_get_str(pb, INT_MAX, key, sizeof(key));
 avio_get_str(pb, INT_MAX, value, sizeof(value));
+if (!*key)
+continue;
 av_dict_set(>metadata, key, value, 0);
 }
 }
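
Review bot: the new if (!*key) continue; skips the av_dict_set() call, but the two avio_get_str() calls above it still ignore their return values, and the loop condition is outside this hunk. If the entry count comes from the file, a truncated input will keep iterating over empty reads; consider also leaving the loop on avio_feof(pb) or on a negative return from avio_get_str().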



[FFmpeg-cvslog] avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Mar 13 00:37:35 2022 +0100| [a9045143da8c75f051acab71a2f0046b9c473e9e] | 
committer: Michael Niedermayer

avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before 
writing

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7aebdb8bf1fc3e09263617a7f49101cba2d43804)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9045143da8c75f051acab71a2f0046b9c473e9e
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 34e4cc984b..be6f6b6e27 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -861,7 +861,7 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID 
**refs, int *count)
 *count = c;
 
 av_free(*refs);
-*refs = av_calloc(*count, sizeof(UID));
+*refs = av_malloc_array(*count, sizeof(UID));
 if (!*refs) {
 *count = 0;
 return AVERROR(ENOMEM);
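
Review bot: switching to av_malloc_array() leaves *refs uninitialised, which is only safe while every path after the allocation either fills all *count entries or reduces *count to the number actually read. Nothing in this hunk enforces that, so add a comment on the allocation line tying it to the avio_read() length check, to keep a later change from exposing uninitialised UIDs.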



[FFmpeg-cvslog] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Mar 13 00:36:55 2022 +0100| [565bb5fe7be9fbf58b98654684cfed08e43f1fdf] | 
committer: Michael Niedermayer

avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()

Fixes: 
42827/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4900528511909888

Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8d6f49cfc339825f3f3f8a910e4bb4c0f822db1f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=565bb5fe7be9fbf58b98654684cfed08e43f1fdf
---

 libavformat/mxfdec.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 9e52e60595..34e4cc984b 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -852,6 +852,7 @@ static int mxf_read_cryptographic_context(void *arg, 
AVIOContext *pb, int tag, i
 
 static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
 {
+int64_t ret;
 unsigned c = avio_rb32(pb);
 
 //avio_read() used int
@@ -866,7 +867,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID 
**refs, int *count)
 return AVERROR(ENOMEM);
 }
 avio_skip(pb, 4); /* useless size of objects, always 16 according to specs 
*/
-avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
+ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
+if (ret != *count * sizeof(UID)) {
+*count = ret < 0 ? 0   : ret / sizeof(UID);
+return   ret < 0 ? ret : AVERROR_INVALIDDATA;
+}
+
 return 0;
 }
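
Review bot: in the second hunk, ret != *count * sizeof(UID) compares an int64_t with a size_t product, so a negative ret is caught only through implicit conversion to unsigned; testing ret < 0 first would make the error path explicit. On a short read the function returns AVERROR_INVALIDDATA but leaves *refs allocated with a reduced *count, so note in a comment whether callers are expected to use or free the partial array.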
 



[FFmpeg-cvslog] avformat/mxfdec: Check count in mxf_read_strong_ref_array()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Mar 13 00:34:52 2022 +0100| [b88abd3ac2e824ac216c8d607dd46dc1a5ee4161] | 
committer: Michael Niedermayer

avformat/mxfdec: Check count in mxf_read_strong_ref_array()

Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3015c556f316d4ab364ed55e8bc97cc0f2cc57a3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b88abd3ac2e824ac216c8d607dd46dc1a5ee4161
---

 libavformat/mxfdec.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 442d652cf6..9e52e60595 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -852,7 +852,13 @@ static int mxf_read_cryptographic_context(void *arg, 
AVIOContext *pb, int tag, i
 
 static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
 {
-*count = avio_rb32(pb);
+unsigned c = avio_rb32(pb);
+
+//avio_read() used int
+if (c > INT_MAX / sizeof(UID))
+return AVERROR_PATCHWELCOME;
+*count = c;
+
 av_free(*refs);
 *refs = av_calloc(*count, sizeof(UID));
 if (!*refs) {
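
Review bot: the new bound check returns AVERROR_PATCHWELCOME for a count read from the file, and it returns before av_free(*refs), so *refs and *count keep their previous values on this path. If an oversized count means a malformed file, AVERROR_INVALIDDATA describes it better; either way, expand the //avio_read() used int comment to state which length the limit protects.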



[FFmpeg-cvslog] avformat/hls: Check target_duration

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Mar 20 22:54:31 2022 +0100| [023b7e79792020af978c1743d565ae4326395dc6] | 
committer: Michael Niedermayer

avformat/hls: Check target_duration

Fixes: signed integer overflow: 77 * 100 cannot be represented 
in type 'long long'
Fixes: 
45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Steven Liu 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=023b7e79792020af978c1743d565ae4326395dc6
---

 libavformat/hls.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index a831e3f10c..a48c081ece 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -813,10 +813,16 @@ static int parse_playlist(HLSContext *c, const char *url,
);
 new_rendition(c, , url);
 } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", )) {
+int64_t t;
 ret = ensure_playlist(c, , url);
 if (ret < 0)
 goto fail;
-pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE;
+t = strtoll(ptr, NULL, 10);
+if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) {
+ret = AVERROR_INVALIDDATA;
+goto fail;
+}
+pls->target_duration = t * AV_TIME_BASE;
 } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", )) {
 ret = ensure_playlist(c, , url);
 if (ret < 0)
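
Review bot: t = strtoll(ptr, NULL, 10) is called with a NULL end pointer, so a tag with no digits parses as 0 and passes the new range check, as does an explicit 0. Pass an end pointer and reject the line when no digits were consumed, and decide whether a target duration of 0 should be accepted.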



[FFmpeg-cvslog] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Feb  8 00:43:56 2022 +0100| [2be7eea6486c843767002a56272538650481c059] | 
committer: Michael Niedermayer

avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior

Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 
'int'
Fixes: 
44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2be7eea6486c843767002a56272538650481c059
---

 libavcodec/sonic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 2cd0600472..e35ca6743c 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -1018,7 +1018,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
 
 // dequantize
 for (i = 0; i < s->num_taps; i++)
-s->predictor_k[i] *= s->tap_quant[i];
+s->predictor_k[i] *= (unsigned) s->tap_quant[i];
 
 if (s->lossless)
 quant = 1;
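
Review bot: the (unsigned) cast on the dequantize line removes the undefined behaviour, but the product still wraps silently for the same inputs, so the predictor coefficients are garbage rather than rejected. Consider range-checking predictor_k[i] before the multiply and returning AVERROR_INVALIDDATA, or add a comment that wrapped values are harmless downstream.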



[FFmpeg-cvslog] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Oct 26 21:30:19 2020 +0100| [a1baef131a11bd582196139cdee8892d667481a8] | 
committer: Michael Niedermayer

avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()

Fixes: signed integer overflow: 11494 * 107374182400 cannot be represented 
in type 'long'
Fixes: 
26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a1baef131a11bd582196139cdee8892d667481a8
---

 libavcodec/pixlet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c
index 78f571cd5f..60075d16ed 100644
--- a/libavcodec/pixlet.c
+++ b/libavcodec/pixlet.c
@@ -404,7 +404,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned 
size, int64_t scale)
 (int64_t) low [i - 1] * -INT64_C(325392907)  +
 (int64_t) high[i + 0] *  INT64_C(1518500249) +
 (int64_t) high[i - 1] *  INT64_C(1518500249);
-dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32);
+dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
 }
 
 for (i = 0; i < hsize; i++) {
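
Review bot: casting scale to uint64_t on the dest[i * 2] line makes the whole product unsigned, so the outer >> 32 is now a logical shift and a negative product reaches av_clip_int16() as a large positive 64-bit value. The result is only correct if the narrowing at that call restores the sign; add a comment saying so, or cast the product back to int64_t before shifting. The same applies to the dest[i * 2 + 1] line in the next hunk.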
@@ -415,7 +415,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned 
size, int64_t scale)
 (int64_t) high[i + 1] *  INT64_C(303700064)  +
 (int64_t) high[i + 0] * -INT64_C(3644400640) +
 (int64_t) high[i - 1] *  INT64_C(303700064);
-dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32);
+dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 
32);
 }
 }
 



[FFmpeg-cvslog] avcodec/mjpegbdec: Set buf_size

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Fri Mar 11 20:25:48 2022 +0100| [b19cc796eab6020c54bda92157fa5c2e84525a57] | 
committer: Michael Niedermayer

avcodec/mjpegbdec: Set buf_size

Fixes: Timeout
Fixes: 
45170/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5874820431085568

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b19cc796eab6020c54bda92157fa5c2e84525a57
---

 libavcodec/mjpegbdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
index 19875a2ddb..3fab4a66bc 100644
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx,
 buf_end = buf + buf_size;
 s->got_picture = 0;
 s->adobe_transform = -1;
+s->buf_size = buf_size;
 
 read_header:
 /* reset on every SOI */
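
Review bot: s->buf_size = buf_size; is assigned once, above the read_header label, so it keeps the full packet size even when control returns to read_header for a later header in the same packet. Neither the code nor the commit message says which consumer reads s->buf_size or why the full size is the right value there; add a comment on that line.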



[FFmpeg-cvslog] avformat/matroskadec: Check pre_ns

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Feb 13 15:20:02 2022 +0100| [90ef9b5139b65dd6b4814f48f7af770fd49ec01f] | 
committer: Michael Niedermayer

avformat/matroskadec: Check pre_ns

Fixes: division by 0
Fixes: 
44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90ef9b5139b65dd6b4814f48f7af770fd49ec01f
---

 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index e4f55dd372..422643060c 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -4058,6 +4058,8 @@ static int64_t 
webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
 // prebuffered.
 pre_bytes = desc_end.end_offset - desc_end.start_offset;
 pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
+if (pre_ns <= 0)
+return -1;
 pre_sec = pre_ns / nano_seconds_per_second;
 prebuffer_bytes +=
 pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / 
pre_sec);
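
Review bot: the new check guards pre_ns, but the divisor two lines later is pre_sec = pre_ns / nano_seconds_per_second. If pre_sec has an integer type, any pre_ns smaller than nano_seconds_per_second still yields 0 and the division by zero remains; confirm it is floating point or test pre_sec itself.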



[FFmpeg-cvslog] avformat/matroskadec: Use rounded down duration in get_cue_desc() check

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Mar 10 23:24:49 2022 +0100| [5032883c3473b9d972bc5db57323e5633a6407e6] | 
committer: Michael Niedermayer

avformat/matroskadec: Use rounded down duration in get_cue_desc() check

Floating point is evil, it would be better if duration was not a double

Fixes: Infinite loop
Fixes: 
45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5032883c3473b9d972bc5db57323e5633a6407e6
---

 libavformat/matroskadec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 25844ddfc4..e4f55dd372 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -3867,7 +3867,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t 
ts, int64_t cues_start)
 int i;
 int nb_index_entries = s->streams[0]->nb_index_entries;
 AVIndexEntry *index_entries = s->streams[0]->index_entries;
-if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, 
-1, -1, -1};
+
+if (ts >= (int64_t)(matroska->duration * matroska->time_scale))
+return (CueDesc) {-1, -1, -1, -1};
 for (i = 1; i < nb_index_entries; i++) {
 if (index_entries[i - 1].timestamp * matroska->time_scale <= ts &&
 index_entries[i].timestamp * matroska->time_scale > ts) {
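
Review bot: (int64_t)(matroska->duration * matroska->time_scale) converts a floating point product that comes from the file, and that conversion is undefined when the product is NaN or outside the int64_t range. Check the product against the int64_t limits (and for NaN) before casting.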



[FFmpeg-cvslog] avcodec/g729_parser: Check channels

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Feb 27 14:43:04 2022 +0100| [fa2e4afe8d0a23fac37392ef6506cfc9841f8d3d] | 
committer: Michael Niedermayer

avcodec/g729_parser: Check channels

Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 
'int'
Fixes: assertion failure
Fixes: ticket9651

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fa2e4afe8d0a23fac37392ef6506cfc9841f8d3d
---

 libavcodec/g729_parser.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c
index 010f688104..ef08b48bf3 100644
--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
@@ -49,6 +49,9 @@ static int g729_parse(AVCodecParserContext *s1, 
AVCodecContext *avctx,
 s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : 
G729_8K_BLOCK_SIZE;
 if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN)
 s->block_size++;
+// channels > 2 is invalid, we pass the packet on unchanged
+if (avctx->channels > 2)
+s->block_size = 0;
 s->block_size *= avctx->channels;
 s->duration   = avctx->frame_size;
 }
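
Review bot: the new test only rejects channels > 2; a zero or negative avctx->channels still reaches s->block_size *= avctx->channels. Check the lower bound as well, and note next to s->block_size = 0 how the code after this hunk treats a zero block size, since the comment promises the packet is passed on unchanged.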



[FFmpeg-cvslog] avformat/avidec: Check height

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Feb 27 21:44:29 2022 +0100| [0225b8947b8f0c06441e6e82437968a5e4e7378e] | 
committer: Michael Niedermayer

avformat/avidec: Check height

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an 
unsigned type to negate this value to itself
Fixes: Ticket8486

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0225b8947b8f0c06441e6e82437968a5e4e7378e
---

 libavformat/avidec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 21b234b2de..e7e8126590 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -844,6 +844,8 @@ static int avi_read_header(AVFormatContext *s)
 memcpy(st->codecpar->extradata + 
st->codecpar->extradata_size - 9,
"BottomUp", 9);
 }
+if (st->codecpar->height == INT_MIN)
+return AVERROR_INVALIDDATA;
 st->codecpar->height = FFABS(st->codecpar->height);
 
 //avio_skip(pb, size - 5 * 4);
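Review bot: the `INT_MIN` test in front of `FFABS(st->codecpar->height)` carries no comment saying why that single value is rejected. A short note that `FFABS` negates and that `-INT_MIN` is not representable in `int` would keep the check from being dropped as redundant later. Other implausible heights still pass this point, so it is worth stating whether they are validated elsewhere.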



[FFmpeg-cvslog] avformat/rmdec: Better duplicate tags check

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Feb 24 00:26:08 2022 +0100| [7251a22f97f223ac16b9bd1567b9544d1910e63b] | 
committer: Michael Niedermayer

avformat/rmdec: Better duplicate tags check

Fixes: memleaks
Fixes: 
44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7251a22f97f223ac16b9bd1567b9544d1910e63b
---

 libavformat/rmdec.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 67a68bb2d0..b0aced5db9 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -128,10 +128,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, 
AVIOContext *pb,
 uint32_t version;
 int ret;
 
-// Duplicate tags
-if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO)
-return AVERROR_INVALIDDATA;
-
 /* ra type header */
 version = avio_rb16(pb); /* version */
 if (version == 3) {
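Review bot: with the `AVMEDIA_TYPE_AUDIO` test removed from `rm_read_audio_stream_info()`, any caller that does not pass through the new check in `ff_rm_read_mdpr_codecdata()` now parses audio info into an already initialised stream unguarded. Please confirm there is no such caller, or say so in the commit message.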
@@ -331,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, 
AVIOContext *pb,
 if (codec_data_size == 0)
 return 0;
 
+// Duplicate tags
+if (   st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN
+&& st->codecpar->codec_type != AVMEDIA_TYPE_DATA)
+return AVERROR_INVALIDDATA;
+
 avpriv_set_pts_info(st, 64, 1, 1000);
 codec_pos = avio_tell(pb);
 v = avio_rb32(pb);
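Review bot: the duplicate-tag test sits after `if (codec_data_size == 0) return 0;`, so a repeated tag with empty codec data still returns success, and the exemption for `AVMEDIA_TYPE_DATA` is unexplained. A comment stating why a stream already typed as data may be parsed again would help, since the commit message says only "Better duplicate tags check".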



[FFmpeg-cvslog] avformat/mov: Disallow empty sidx

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Wed Mar  2 13:01:53 2022 +0100| [54a0324ad96e74e82c33e72af7c6b360a7415863] | 
committer: Michael Niedermayer

avformat/mov: Disallow empty sidx

It appears this is not allowed "Each Segment Index box documents how a 
(sub)segment is divided into one or more subsegments
(which may themselves be further subdivided using Segment Index boxes)."
Fixes: Null pointer dereference
Fixes: Ticket9517

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=54a0324ad96e74e82c33e72af7c6b360a7415863
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 6418e07c66..cc4a10f1bb 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5104,6 +5104,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb16(pb); // reserved
 
 item_count = avio_rb16(pb);
+if (item_count == 0)
+return AVERROR_INVALIDDATA;
 
 for (i = 0; i < item_count; i++) {
 int index;
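Review bot: the `item_count == 0` rejection returns `AVERROR_INVALIDDATA` without logging anything, so a file refused here gives the user no hint which box was at fault. An `av_log(c->fc, AV_LOG_ERROR, ...)` line naming the empty sidx would make the failure diagnosable.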



[FFmpeg-cvslog] avformat/matroskadec: Check duration

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Feb 14 20:01:35 2022 +0100| [69691dbb3aee0202ea3224f68c7f410db6c23da1] | 
committer: Michael Niedermayer

avformat/matroskadec: Check duration

Fixes: -nan is outside the range of representable values of type 'long'
Fixes: 
44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=69691dbb3aee0202ea3224f68c7f410db6c23da1
---

 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index faef93a42a..25844ddfc4 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2906,6 +2906,8 @@ static int matroska_read_header(AVFormatContext *s)
 
 if (!matroska->time_scale)
 matroska->time_scale = 100;
+if (isnan(matroska->duration))
+matroska->duration = 0;
 if (matroska->duration)
 matroska->ctx->duration = matroska->duration * matroska->time_scale *
   1000 / AV_TIME_BASE;
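Review bot: `isnan(matroska->duration)` catches NaN only; an infinite or very large duration still goes through `matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE` and is converted on assignment to `matroska->ctx->duration`, which is the same kind of out-of-range conversion the sanitizer reported. Consider rejecting non-finite values and bounding the product before the assignment.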



[FFmpeg-cvslog] avformat/mov: Corner case encryption error cleanup in mov_read_senc()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Wed Feb  9 22:01:03 2022 +0100| [56c8235332298d548b519cd88e813a7bfec58291] | 
committer: Michael Niedermayer

avformat/mov: Corner case encryption error cleanup in mov_read_senc()

Fixes: memleak
Fixes: 
42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=56c8235332298d548b519cd88e813a7bfec58291
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index e6785e884e..6418e07c66 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6108,6 +6108,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 if (pb->eof_reached) {
 av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n");
+if (ret >= 0)
+
av_encryption_info_free(encryption_index->encrypted_samples[i]);
 ret = AVERROR_INVALIDDATA;
 }
 
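Review bot: in the `pb->eof_reached` branch, `av_encryption_info_free(encryption_index->encrypted_samples[i])` leaves the freed pointer in the array, and the `ret >= 0` guard is the only thing tying the free to a successful allocation of sample `i`. If later cleanup walks `encrypted_samples` up to and including index `i`, the slot needs to be cleared after the free. Either way, a comment explaining why `ret >= 0` means the entry exists would make this corner case reviewable.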



[FFmpeg-cvslog] avcodec/jpeglsdec: Fix if( code style

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Feb 15 21:01:06 2022 +0100| [2dcc5ef71097a263c0c088dbdce07391b1946809] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Fix if( code style

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2dcc5ef71097a263c0c088dbdce07391b1946809
---

 libavcodec/jpeglsdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index a256f8b22d..b2c77e311e 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 s->t3 = get_bits(>gb, 16);
 s->reset  = get_bits(>gb, 16);
 
-if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
 av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d 
T2:%d T3:%d reset:%d\n",
s->maxval, s->t1, s->t2, s->t3, s->reset);
 }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 else
 maxtab = 65530/wt - 1;
 
-if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
 av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d 
maxtab:%d\n", id, tid, wt, maxtab);
 }
 if (maxtab >= 256) {
@@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 ret = ret >> 1;
 }
 
-if(FFABS(ret) > 0x)
+if (FFABS(ret) > 0x)
 return -0x1;
 /* update state */
 state->A[Q] += FFABS(ret) - RItype;



[FFmpeg-cvslog] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Feb 12 22:02:13 2022 +0100| [d06715c5c2f02b161ea4663a998d9666a78e2c38] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error

Fixes: Timeout
Fixes: Invalid shift
Fixes: 
44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289
Fixes: 
44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632
Fixes: 
44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200
Fixes: 
44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280
Fixes: 
44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984
Fixes: 
44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d06715c5c2f02b161ea4663a998d9666a78e2c38
---

 libavcodec/jpeglsdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 6295c03ffa..a256f8b22d 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 #endif
 ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
state->qbpp);
+if (ret < 0)
+return -0x1;
 
 /* decode mapped error */
 map = 0;
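Review bot: the early return added after `get_ur_golomb_jpegls()` uses a bare hex literal as its error value, and nothing in the hunk says what callers of `ls_get_code_runterm()` do with it. A named constant or a one-line comment on the sentinel would make it clear that this is an error path and not a decoded value.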



[FFmpeg-cvslog] avcodec/motion_est: fix indention of ff_get_best_fcode()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Wed Feb  9 10:31:34 2022 +0100| [ca7ee1cd2687d170c1400d26847b15a39a6bd8b7] | 
committer: Michael Niedermayer

avcodec/motion_est: fix indention of ff_get_best_fcode()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ca7ee1cd2687d170c1400d26847b15a39a6bd8b7
---

 libavcodec/motion_est.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index ae112d03a3..410c94e901 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
  fcode_tab[my + MAX_MV]);
 int j;
 
-if(mx >= range || mx < -range ||
-   my >= range || my < -range)
-continue;
+if (mx >= range || mx < -range ||
+my >= range || my < -range)
+continue;
 
 for(j=0; jpict_type==AV_PICTURE_TYPE_B || 
s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])



[FFmpeg-cvslog] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Feb  8 21:38:50 2022 +0100| [9a7effc78d803276494cb1d455392d50a442339e] | 
committer: Michael Niedermayer

avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()

This codepath seems untested, no testcases change

Found-by: 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a7effc78d803276494cb1d455392d50a442339e
---

 libavcodec/motion_est.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index 02c75fd470..ae112d03a3 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
 for(y=0; ymb_height; y++){
 int x;
 int xy= y*s->mb_stride;
-for(x=0; xmb_width; x++){
+for(x=0; xmb_width; x++, xy++){
 if(s->mb_type[xy] & type){
 int mx= mv_table[xy][0];
 int my= mv_table[xy][1];
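Review bot: the commit message says this path seems untested and that no test cases change, so moving `xy++` into the `for` header lands with nothing that would catch a regression. A test that drives `ff_get_best_fcode()` with motion vectors outside the range would pin the corrected `s->mb_type[xy]` and `mv_table[xy]` indexing.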
@@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
 score[j]-= 170;
 }
 }
-xy++;
 }
 }
 



[FFmpeg-cvslog] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Feb  5 20:41:08 2022 +0100| [228d0067903f34054c797907458206d943faf0ab] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using 
unsigned

Fixes: left shift of 32768 by 16 places cannot be represented in type 'int'
Fixes: Timeout
Fixes: 
44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520
Fixes: 
44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=228d0067903f34054c797907458206d943faf0ab
---

 libavcodec/jpeglsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index df7c5fadae..6295c03ffa 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 if (RItype)
 temp += state->N[Q] >> 1;
 
-for (k = 0; (state->N[Q] << k) < temp; k++)
+for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
 ;
 
 #ifdef JLS_BROKEN
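Review bot: the loop `for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)` still has no upper bound on `k`. The cast removes the signed-overflow report, but if `state->N[Q]` is 0 with a positive `temp` the condition never becomes false, and once `k` reaches the width of `unsigned` the shift is undefined again. The comparison is now unsigned as well, so if `temp` is a signed int a negative value is converted to a large one. Consider stopping at a fixed maximum `k` and treating that as invalid data.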



[FFmpeg-cvslog] avformat/matroskadec: Fix infinite loop with bz decompression

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Feb  3 22:46:55 2022 +0100| [2564ac2764eaf2f7dbf3725b31cadf4f24479a8f] | 
committer: Michael Niedermayer

avformat/matroskadec: Fix infinite loop with bz decompression

The same check is added to zlib too, it seems not needed there though

Fixes: Infinite loop
Fixes: 
43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2564ac2764eaf2f7dbf3725b31cadf4f24479a8f
---

 libavformat/matroskadec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 25e629d358..2d57789a59 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1643,7 +1643,7 @@ static int matroska_decode_buffer(uint8_t **buf, int 
*buf_size,
 case MATROSKA_TRACK_ENCODING_COMP_ZLIB:
 {
 z_stream zstream = { 0 };
-if (inflateInit() != Z_OK)
+if (!pkt_size || inflateInit() != Z_OK)
 return -1;
 zstream.next_in  = data;
 zstream.avail_in = isize;
@@ -1676,7 +1676,7 @@ static int matroska_decode_buffer(uint8_t **buf, int 
*buf_size,
 case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
 {
 bz_stream bzstream = { 0 };
-if (BZ2_bzDecompressInit(, 0, 0) != BZ_OK)
+if (!pkt_size || BZ2_bzDecompressInit(, 0, 0) != BZ_OK)
 return -1;
 bzstream.next_in  = data;
 bzstream.avail_in = isize;
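Review bot: the `!pkt_size` test is folded into the `BZ2_bzDecompressInit()` condition with no comment, and both failures return the same bare `-1`. Since the commit message ties this to an infinite loop, a separate `if (!pkt_size)` with a one-line explanation of why a zero `pkt_size` cannot make progress would be clearer. The same applies to the zlib case above, which the message itself says may not need the check.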



[FFmpeg-cvslog] avformat/matroskadec: Check desc_bytes

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Feb  5 20:37:22 2022 +0100| [f20e08ed58362011e4906989d292fd01b2e028f2] | 
committer: Michael Niedermayer

avformat/matroskadec: Check desc_bytes

Fixes: Division by 0
Fixes: 
44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f20e08ed58362011e4906989d292fd01b2e028f2
---

 libavformat/matroskadec.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 2d57789a59..faef93a42a 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -4065,12 +4065,16 @@ static int64_t 
webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
 do {
 int64_t desc_bytes = desc_end.end_offset - 
desc_beg.start_offset;
 int64_t desc_ns = desc_end.end_time_ns - 
desc_beg.start_time_ns;
-double desc_sec = desc_ns / nano_seconds_per_second;
-double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
+double desc_sec, calc_bits_per_second, percent, 
mod_bits_per_second;
+if (desc_bytes <= 0)
+return -1;
+
+desc_sec = desc_ns / nano_seconds_per_second;
+calc_bits_per_second = (desc_bytes * 8) / desc_sec;
 
 // Drop the bps by the percentage of bytes buffered.
-double percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
-double mod_bits_per_second = calc_bits_per_second * percent;
+percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
+mod_bits_per_second = calc_bits_per_second * percent;
 
 if (prebuffer < desc_sec) {
 double search_sec =
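Review bot: only `desc_bytes` is validated; `desc_ns` goes unchecked into `desc_sec = desc_ns / nano_seconds_per_second`, and a zero or negative `desc_ns` then makes `(desc_bytes * 8) / desc_sec` a division by zero or a negative bandwidth. Suggest `if (desc_bytes <= 0 || desc_ns <= 0) return -1;`. The product `desc_bytes * 8` can also overflow `int64_t` for large offsets before the division.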



[FFmpeg-cvslog] avformat/mov: Check size before subtraction

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Jan 17 14:26:05 2022 +0100| [3a718e3bbb73f3cfb7d8eb5d00795e0c615e1226] | 
committer: Michael Niedermayer

avformat/mov: Check size before subtraction

Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented 
in type 'long'
Fixes: 
43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a718e3bbb73f3cfb7d8eb5d00795e0c615e1226
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index c517830aef..e6785e884e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7050,6 +7050,8 @@ static int mov_read_default(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 if (a.size == 0) {
 a.size = atom.size - total_size + 8;
 }
+if (a.size < 0)
+break;
 a.size -= 8;
 if (a.size < 0)
 break;
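Review bot: the hunk now tests `a.size < 0` twice around `a.size -= 8`; a single `if (a.size < 8) break;` placed before the subtraction gives the same result without the overflow. The `a.size = atom.size - total_size + 8` assignment just above is signed arithmetic on file-controlled values as well and deserves the same look.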



[FFmpeg-cvslog] avcodec/apedec: Fix integer overflows in predictor_update_3930()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Jan  3 19:15:18 2022 +0100| [671850fe550b309f6199e1811c59cc548bd21e8a] | 
committer: Michael Niedermayer

avcodec/apedec: Fix integer overflows in predictor_update_3930()

Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented 
in type 'int'
Fixes: 
43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=671850fe550b309f6199e1811c59cc548bd21e8a
---

 libavcodec/apedec.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 621db062e6..43d7110c57 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1061,13 +1061,13 @@ static av_always_inline int 
predictor_update_3930(APEPredictor *p,
   const int delayA)
 {
 int32_t predictionA, sign;
-int32_t d0, d1, d2, d3;
+uint32_t d0, d1, d2, d3;
 
 p->buf[delayA] = p->lastA[filter];
 d0 = p->buf[delayA];
-d1 = p->buf[delayA] - p->buf[delayA - 1];
-d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+d1 = p->buf[delayA] - (unsigned)p->buf[delayA - 1];
+d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];
 
 predictionA = d0 * p->coeffsA[filter][0] +
   d1 * p->coeffsA[filter][1] +
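Review bot: with `d0`..`d3` declared `uint32_t`, the `predictionA` sum (`d0 * p->coeffsA[filter][0] + d1 * ...`) is now evaluated in unsigned arithmetic and converted back to `int32_t` on assignment, and nothing in the code says that wraparound is intended. A short comment at the declaration would document that, and would explain why the sign tests further down have to cast back with `(int32_t)d0 < 0`.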
@@ -1078,10 +1078,10 @@ static av_always_inline int 
predictor_update_3930(APEPredictor *p,
 p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) 
>> 5);
 
 sign = APESIGN(decoded);
-p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;
 
 return p->filterA[filter];
 }



[FFmpeg-cvslog] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Fri Feb  4 00:44:32 2022 +0100| [a2932f6e9893c1d4e927eed6eb161133845bcf66] | 
committer: Michael Niedermayer

avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

Fixes: pointer index expression with base 0x overflowed to 
0x
Fixes: 
44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a2932f6e9893c1d4e927eed6eb161133845bcf66
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 3302651af2..4888aafc29 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -5000,7 +5000,7 @@ void ff_parse_key_value(const char *str, 
ff_parse_key_val_cb callback_get_buf,
 key_len = ptr - key;
 
 callback_get_buf(context, key, key_len, , _len);
-dest_end = dest + dest_len - 1;
+dest_end = dest ? dest + dest_len - 1 : NULL;
 
 if (*ptr == '\"') {
 ptr++;
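Review bot: `dest ? dest + dest_len - 1 : NULL` handles a NULL `dest` but not a non-NULL `dest` with `dest_len == 0`, where `dest_end` ends up one byte before the buffer. If `callback_get_buf` can return that combination, treat it like the NULL case.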



[FFmpeg-cvslog] avcodec/apedec: fix integer overflow in 8bit samples

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Dec 23 20:39:14 2021 +0100| [429eaaf16ee3bbb8d10e8c6e204d03b537adba80] | 
committer: Michael Niedermayer

avcodec/apedec: fix integer overflow in 8bit samples

Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 
'int'
Fixes: 
42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=429eaaf16ee3bbb8d10e8c6e204d03b537adba80
---

 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 9d1ad5993f..621db062e6 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1559,7 +1559,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void 
*data,
 for (ch = 0; ch < s->channels; ch++) {
 sample8 = (uint8_t *)frame->data[ch];
 for (i = 0; i < blockstodecode; i++)
-*sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+*sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
 }
 break;
 case 16:



[FFmpeg-cvslog] avformat/flvdec: timestamps cannot use the full int64 range

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Dec 23 20:36:16 2021 +0100| [c45013d6c5f1007a9e5de0a008bba05b91575886] | 
committer: Michael Niedermayer

avformat/flvdec: timestamps cannot use the full int64 range

We do not support this as we multiply by 1000
Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented 
in type 'long'
Fixes: 
42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c45013d6c5f1007a9e5de0a008bba05b91575886
---

 libavformat/flvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index a7c7192d11..1d10db9278 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -459,6 +459,8 @@ static int parse_keyframes_index(AVFormatContext *s, 
AVIOContext *ioc, int64_t m
 d = av_int2double(avio_rb64(ioc));
 if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
 goto invalid;
+if (current_array ==  && (d <= INT64_MIN / 1000 || d >= 
INT64_MAX / 1000))
+goto invalid;
 current_array[0][i] = d;
 }
 if (times && filepositions) {
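Review bot: the range test in the context line above the addition, `d > INT64_MAX`, compares against a constant that is rounded up to 2^63 when converted to `double`, so `d == 2^63` passes it. Assuming the arrays hold `int64_t`, the store `current_array[0][i] = d` is then still out of range for the array that the new `/ 1000` check does not cover; `d >= INT64_MAX` would close that. The literal `1000` in the added line would also benefit from a comment pointing at the multiplication it protects.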



[FFmpeg-cvslog] avcodec/vqavideo: reset accounting on error

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Dec 19 22:26:00 2021 +0100| [ddc21f54c361ac388055cdfba54918f64f560058] | 
committer: Michael Niedermayer

avcodec/vqavideo: reset accounting on error

Fixes: Timeout (same growing chunk is decoded to failure repeatedly)
Fixes: 
42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ddc21f54c361ac388055cdfba54918f64f560058
---

 libavcodec/vqavideo.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index f45390cfe5..d0e1927444 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
 if (s->partial_countdown <= 0) {
 bytestream2_init(>gb, s->next_codebook_buffer, 
s->next_codebook_buffer_index);
 /* decompress codebook */
-if ((res = decode_format80(s, s->next_codebook_buffer_index,
-   s->codebook, s->codebook_size, 0)) < 0)
-return res;
+res = decode_format80(s, s->next_codebook_buffer_index,
+  s->codebook, s->codebook_size, 0);
 
 /* reset accounting */
 s->next_codebook_buffer_index = 0;
 s->partial_countdown = s->partial_count;
+if (res < 0)
+return res;
 }
 }
 



[FFmpeg-cvslog] avcodec/alacdsp: fix integer overflow in decorrelate_stereo()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Jul 23 23:34:15 2020 +0200| [80940eedf217aba6fe771bb1f05ab1765b9c541c] | 
committer: Michael Niedermayer

avcodec/alacdsp: fix integer overflow in decorrelate_stereo()

Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 
'int'
Fixes: 
23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336
Fixes: 
41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=80940eedf217aba6fe771bb1f05ab1765b9c541c
---

 libavcodec/alacdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c
index 9996eb4319..8718d1b6b1 100644
--- a/libavcodec/alacdsp.c
+++ b/libavcodec/alacdsp.c
@@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int 
nb_samples,
 a = buffer[0][i];
 b = buffer[1][i];
 
-a -= (b * decorr_left_weight) >> decorr_shift;
+a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift;
 b += a;
 
 buffer[0][i] = b;
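
Review bot: In the changed line the (int) cast binds tighter than >>, so the product is converted back to signed before the shift; that keeps the shift arithmetic, but it is easy to misread as a cast of the shifted value. The unsigned multiply removes the undefined overflow, yet converting an out-of-range unsigned result back to int is implementation-defined, and the buffers are int32_t, so consider (int32_t)/(uint32_t) casts plus a one-line comment that wraparound is intended here.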



[FFmpeg-cvslog] avformat/4xm: Check for duplicate track ids

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Dec  7 09:14:09 2021 +0100| [4a45cd806ed976dfac0a6a9294461497f007ae61] | 
committer: Michael Niedermayer

avformat/4xm: Check for duplicate track ids

Signed-off-by: Michael Niedermayer 
(cherry picked from commit dd949124793c722ed55dead9da245574ace81968)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4a45cd806ed976dfac0a6a9294461497f007ae61
---

 libavformat/4xm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 9dc4f05d3b..cfee8a02f4 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s,
 memset(>tracks[fourxm->track_count], 0,
sizeof(AudioTrack) * (track + 1 - fourxm->track_count));
 fourxm->track_count = track + 1;
+} else {
+if (fourxm->tracks[track].bits)
+return AVERROR_INVALIDDATA;
 }
 fourxm->tracks[track].adpcm   = AV_RL32(buf + 12);
 fourxm->tracks[track].channels= AV_RL32(buf + 36);
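
Review bot: The duplicate test in the new else branch treats a non-zero tracks[track].bits as "already parsed", so a track whose first chunk stored bits == 0 would not be recognised as a duplicate; either confirm that bits is validated as non-zero before a track is accepted or use an explicit flag. The branch also returns AVERROR_INVALIDDATA without an av_log() line, which makes the rejection hard to diagnose.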



[FFmpeg-cvslog] avformat/4xm: Consider max_streams on reallocating tracks array

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Dec  7 09:14:08 2021 +0100| [75befad4c0d71a0df6b61356db1bc0fc81f8c079] | 
committer: Michael Niedermayer

avformat/4xm: Consider max_streams on reallocating tracks array

Fixes: OOM
Fixes: 
41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=75befad4c0d71a0df6b61356db1bc0fc81f8c079
---

 libavformat/4xm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 30f1b05324..9dc4f05d3b 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s,
 return AVERROR_INVALIDDATA;
 
 track = AV_RL32(buf + 8);
-if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) {
+if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 ||
+track >= s->max_streams) {
 av_log(s, AV_LOG_ERROR, "current_track too large\n");
 return AVERROR_INVALIDDATA;
 }
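
Review bot: The added clause compares track against s->max_streams without the (unsigned) cast used in the clause before it; if track is a signed int, as that cast suggests, a negative value is rejected only because the first clause happens to run first. Casting in both clauses, or testing track < 0 explicitly, would let the new condition stand on its own. The shared log text "current_track too large" also does not say that max_streams was the limit that was hit.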



[FFmpeg-cvslog] avformat/mov: Check next offset in mov_read_dref()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Dec  4 20:48:54 2021 +0100| [5a2a340d64d1e4eb6c2eb12d8bc297b55bd579be] | 
committer: Michael Niedermayer

avformat/mov: Check next offset in mov_read_dref()

Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be 
represented in type 'long'
Fixes: 
41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5a2a340d64d1e4eb6c2eb12d8bc297b55bd579be
---

 libavformat/mov.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 07bbebab0e..c517830aef 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -605,11 +605,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 for (i = 0; i < entries; i++) {
 MOVDref *dref = >drefs[i];
 uint32_t size = avio_rb32(pb);
-int64_t next = avio_tell(pb) + size - 4;
+int64_t next = avio_tell(pb);
 
-if (size < 12)
+if (size < 12 || next < 0 || next > INT64_MAX - size)
 return AVERROR_INVALIDDATA;
 
+next += size - 4;
+
 dref->type = avio_rl32(pb);
 avio_rb32(pb); // version + flags
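
Review bot: In the new condition, next < 0 means avio_tell() itself failed, but the hunk folds that case into AVERROR_INVALIDDATA together with the size checks; returning next there would preserve the I/O error code. The bound next > INT64_MAX - size is slightly stricter than the later "next += size - 4" needs, which is harmless, but a short comment would keep someone from merging the two steps back into a single overflowing expression.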
 



[FFmpeg-cvslog] avformat/vivo: Favor setting fps from explicit fractions

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Mon Dec  6 11:38:39 2021 +0100| [480f1a198cbfe72fb8f59a5e664c2af796f4a45c] | 
committer: Michael Niedermayer

avformat/vivo: Favor setting fps from explicit fractions

Signed-off-by: Michael Niedermayer 
(cherry picked from commit bf1e93bdc9aaa4fd5c231030b5368aae0df018ee)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=480f1a198cbfe72fb8f59a5e664c2af796f4a45c
---

 libavformat/vivo.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/vivo.c b/libavformat/vivo.c
index 12bdc05d9e..78d1377e6b 100644
--- a/libavformat/vivo.c
+++ b/libavformat/vivo.c
@@ -121,7 +121,7 @@ static int vivo_get_packet_header(AVFormatContext *s)
 static int vivo_read_header(AVFormatContext *s)
 {
 VivoContext *vivo = s->priv_data;
-AVRational fps = { 1, 25};
+AVRational fps = { 0 };
 AVStream *ast, *vst;
 unsigned char *line, *line_end, *key, *value;
 long value_int;
@@ -212,13 +212,16 @@ static int vivo_read_header(AVFormatContext *s)
 return AVERROR_INVALIDDATA;
 
 value_used = 1;
-fps = av_inv_q(av_d2q(d, 1));
+if (!fps.num && !fps.den)
+fps = av_inv_q(av_d2q(d, 1));
 }
 
 if (!value_used)
 av_dict_set(>metadata, key, value, 0);
 }
 }
+if (!fps.num || !fps.den)
+fps = (AVRational){ 1, 25 };
 
 avpriv_set_pts_info(ast, 64, 1, ast->codecpar->sample_rate);
 avpriv_set_pts_info(vst, 64, fps.num, fps.den);
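
Review bot: The guard on the FPS key uses "!fps.num && !fps.den" while the fallback after the loop uses "!fps.num || !fps.den". If only one of the two fields has been set by the time the FPS key is parsed, the FPS value is skipped and the stream then falls back to 1/25 even though a usable FPS value was present; using the same || test in both places avoids that. A comment on the { 0 } initialiser saying that 0/0 means "not set yet" would also help.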



[FFmpeg-cvslog] avformat/vivo: Do not use the general expression evaluator for parsing a floating point value

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Dec  5 18:40:03 2021 +0100| [deba3d03723de72c386bdcc2db5ac733bd05adc7] | 
committer: Michael Niedermayer

avformat/vivo: Do not use the general expression evaluator for parsing a 
floating point value

Fixes: Timeout
Fixes: 
41564/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-6309014024093696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7b24615565fd488e7e3a435102979a5ea85fe2fe)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=deba3d03723de72c386bdcc2db5ac733bd05adc7
---

 libavformat/vivo.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavformat/vivo.c b/libavformat/vivo.c
index fb58aa6178..12bdc05d9e 100644
--- a/libavformat/vivo.c
+++ b/libavformat/vivo.c
@@ -26,6 +26,7 @@
  * @sa http://wiki.multimedia.cx/index.php?title=Vivo
  */
 
+#include "libavutil/avstring.h"
 #include "libavutil/parseutils.h"
 #include "avformat.h"
 #include "internal.h"
@@ -206,11 +207,12 @@ static int vivo_read_header(AVFormatContext *s)
 return AVERROR_INVALIDDATA;
 value_used = 1;
 } else if (!strcmp(key, "FPS")) {
-AVRational tmp;
+double d;
+if (av_sscanf(value, "%f", ) != 1)
+return AVERROR_INVALIDDATA;
 
 value_used = 1;
-if (!av_parse_ratio(, value, 1, AV_LOG_WARNING, s))
-fps = av_inv_q(tmp);
+fps = av_inv_q(av_d2q(d, 1));
 }
 
 if (!value_used)
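
Review bot: The new FPS branch declares "double d" but scans with "%f", which stores a float; if d is the destination of that av_sscanf() call, the conversion needs to be "%lf", otherwise d is only partly written. The parsed value also goes straight into av_d2q() and av_inv_q() with no range check, so zero or negative input should be rejected with AVERROR_INVALIDDATA alongside the "!= 1" test.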



[FFmpeg-cvslog] avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Dec  5 22:19:05 2021 +0100| [d80dbe65054cc70c8573a3d62c4492ef5d3962a2] | 
committer: Michael Niedermayer

avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()

Fixes: memleak
Fixes: 
41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4f44a218e53cd92e64ba10a935bc1e7583c3e218)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d80dbe65054cc70c8573a3d62c4492ef5d3962a2
---

 libavformat/mxfdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index f805ccc36f..442d652cf6 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -1069,6 +1069,9 @@ static int mxf_read_index_entry_array(AVIOContext *pb, 
MXFIndexTableSegment *seg
 {
 int i, length;
 
+if (segment->temporal_offset_entries)
+return AVERROR_INVALIDDATA;
+
 segment->nb_index_entries = avio_rb32(pb);
 
 length = avio_rb32(pb);
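
Review bot: The added check uses segment->temporal_offset_entries as the only marker that this array was already read; that works only if every successful earlier call leaves the pointer non-NULL, which the hunk does not show. A short comment saying that a second index entry array in the same segment is rejected to avoid leaking the first allocation would make the intent clear.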



[FFmpeg-cvslog] avcodec/apedec: Change avg to uint32_t

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Fri Dec  3 17:58:50 2021 +0100| [aea824467cf6051c9a316b4c620c723483da38ea] | 
committer: Michael Niedermayer

avcodec/apedec: Change avg to uint32_t

Fixes: Integer overflow
Fixes: 
40973/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6739312704618496

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Suggested-by: Anton Khirnov 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0ec75723a484405eb2f2ec2f9e58161b168ed8b0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aea824467cf6051c9a316b4c620c723483da38ea
---

 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 3bbb8c1aac..9d1ad5993f 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -102,7 +102,7 @@ typedef struct APEFilter {
 int16_t *historybuffer; ///< filter memory
 int16_t *delay; ///< filtered values
 
-int avg;
+uint32_t avg;
 } APEFilter;
 
 typedef struct APERice {
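
Review bot: The changed field avg is the only member shown in APEFilter without a ///< comment, and the switch from int to uint32_t changes how every comparison, shift and division involving it is evaluated. Document on the field that it is unsigned on purpose so that wraparound is defined, and check the users of avg (not part of this hunk) for places that relied on a signed value.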



[FFmpeg-cvslog] avcodec/vp3: Check version in all cases when VP4 code is not built

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Tue Nov 30 19:46:17 2021 +0100| [a452eddfadd0b98e05a97d5572b3c6b71aa908d2] | 
committer: Michael Niedermayer

avcodec/vp3: Check version in all cases when VP4 code is not built

Fixes: out of array read
Fixes: 
40284/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-4599568176644096

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 96caa01f130526cb420d0706a40fb63695153128)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a452eddfadd0b98e05a97d5572b3c6b71aa908d2
---

 libavcodec/vp3.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 0fc64581c6..49d4911fb3 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2741,7 +2741,14 @@ static int vp3_decode_frame(AVCodecContext *avctx,
 skip_bits(, 4); /* width code */
 skip_bits(, 4); /* height code */
 if (s->version) {
-s->version = get_bits(, 5);
+int version = get_bits(, 5);
+#if !CONFIG_VP4_DECODER
+if (version >= 2) {
+av_log(avctx, AV_LOG_ERROR, "This build does not support 
decoding VP4.\n");
+return AVERROR_DECODER_NOT_FOUND;
+}
+#endif
+s->version = version;
 if (avctx->frame_number == 0)
 av_log(s->avctx, AV_LOG_DEBUG,
"VP version: %d\n", s->version);

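Review bot: The literal 2 in "if (version >= 2)" is a magic number; only the log text reveals that it stands for VP4, so a named constant or a comment would help. Reading into a local and assigning s->version only after the check is the right order, since it keeps an unsupported value out of the decoder context.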


[FFmpeg-cvslog] avformat/mov: Disallow duplicate smdm

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Fri Dec  3 17:42:22 2021 +0100| [58368cc528cd82020be530694c2d8747b73b13f6] | 
committer: Michael Niedermayer

avformat/mov: Disallow duplicate smdm

Fixes: memleak
Fixes: 
39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b5ba74053c1ef9f38d9e7b3a036675f06d2b2714)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=58368cc528cd82020be530694c2d8747b73b13f6
---

 libavformat/mov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 309b813ba3..07bbebab0e 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5406,6 +5406,9 @@ static int mov_read_smdm(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 av_log(c->fc, AV_LOG_WARNING, "Unsupported Mastering Display Metadata 
box version %d\n", version);
 return 0;
 }
+if (sc->mastering)
+return AVERROR_INVALIDDATA;
+
 avio_skip(pb, 3); /* flags */
 
 sc->mastering = av_mastering_display_metadata_alloc();
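
Review bot: The new "if (sc->mastering)" rejection returns AVERROR_INVALIDDATA silently, while the unsupported-version path just above it logs a warning and returns 0. Add an av_log() line so a file with a duplicate box can be diagnosed, and consider whether a duplicate should be skipped like the unsupported version instead of failing the whole parse.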



[FFmpeg-cvslog] avformat/mov: Check channels for mov_parse_stsd_audio()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Nov  7 13:48:24 2021 +0100| [867b978dc90a8bf3dce2a76620f28d8dc7cb139a] | 
committer: Michael Niedermayer

avformat/mov: Check channels for mov_parse_stsd_audio()

Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented 
in type 'long'
Fixes: 
40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3a64a4c58255d45e05eff80c9464ad3bdc2d6463)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=867b978dc90a8bf3dce2a76620f28d8dc7cb139a
---

 libavformat/mov.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index fa720bbb34..414918050b 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -2532,6 +2532,10 @@ int ff_mov_read_stsd_entries(MOVContext *c, AVIOContext 
*pb, int entries)
 av_log(c->fc, AV_LOG_ERROR, "Invalid sample rate %d\n", 
st->codecpar->sample_rate);
 return AVERROR_INVALIDDATA;
 }
+if (st->codecpar->channels < 0) {
+av_log(c->fc, AV_LOG_ERROR, "Invalid channels %d\n", 
st->codecpar->channels);
+return AVERROR_INVALIDDATA;
+}
 } else if (st->codecpar->codec_type==AVMEDIA_TYPE_SUBTITLE){
 mov_parse_stsd_subtitle(c, pb, st, sc,
 size - (avio_tell(pb) - start_pos));
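
Review bot: The added test rejects only channels < 0, so a channel count of 0 and arbitrarily large positive counts still pass. If 0 is deliberately allowed at this point, say so in a comment, and consider an upper bound as well, since the overflow quoted in the commit message is a multiplication.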



[FFmpeg-cvslog] avformat/mov: Check for EOF in mov_read_glbl()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sat Dec  4 20:11:35 2021 +0100| [784303ca013d4d8de9808472b8e28205ec5f7f7b] | 
committer: Michael Niedermayer

avformat/mov: Check for EOF in mov_read_glbl()

Fixes: Infinite loop
Fixes: 
41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 59b4e7cbd87889c0bac710ac7f62782b637419a1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=784303ca013d4d8de9808472b8e28205ec5f7f7b
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 414918050b..309b813ba3 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1916,6 +1916,8 @@ static int mov_read_glbl(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 // wrap a whole fiel atom inside of a glbl atom.
 unsigned size = avio_rb32(pb);
 unsigned type = avio_rl32(pb);
+if (avio_feof(pb))
+return AVERROR_INVALIDDATA;
 avio_seek(pb, -8, SEEK_CUR);
 if (type == MKTAG('f','i','e','l') && size == atom.size)
 return mov_read_default(c, pb, atom);
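
Review bot: The added avio_feof() check reports end of file as AVERROR_INVALIDDATA; AVERROR_EOF would describe the condition more precisely unless callers depend on the former. The avio_seek(pb, -8, SEEK_CUR) on the next line still ignores its return value, so a failed rewind would go unnoticed.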



[FFmpeg-cvslog] avformat/avidec: Check read_odml_index() for failure

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Nov 14 18:23:24 2021 +0100| [0b0d4f141b13b6184b3d8fd727a05c0432bfb04e] | 
committer: Michael Niedermayer

avformat/avidec: Check read_odml_index() for failure

Fixes: Timeout
Fixes: 
40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 57adb26d058490daf2c5d6ddd3cf0cf2d2212256)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0b0d4f141b13b6184b3d8fd727a05c0432bfb04e
---

 libavformat/avidec.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index cd7bd08567..21b234b2de 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -232,6 +232,8 @@ static int read_odml_index(AVFormatContext *s, int64_t 
frame_num)
 } else {
 int64_t offset, pos;
 int duration;
+int ret;
+
 offset = avio_rl64(pb);
 avio_rl32(pb);   /* size */
 duration = avio_rl32(pb);
@@ -249,7 +251,7 @@ static int read_odml_index(AVFormatContext *s, int64_t 
frame_num)
 if (avio_seek(pb, offset + 8, SEEK_SET) < 0)
 return -1;
 avi->odml_depth++;
-read_odml_index(s, frame_num);
+ret = read_odml_index(s, frame_num);
 avi->odml_depth--;
 frame_num += duration;
 
@@ -257,7 +259,8 @@ static int read_odml_index(AVFormatContext *s, int64_t 
frame_num)
 av_log(s, AV_LOG_ERROR, "Failed to restore position after 
reading index\n");
 return -1;
 }
-
+if (ret < 0)
+return ret;
 }
 }
 avi->index_loaded = 2;
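
Review bot: In the last hunk, ret from the recursive read_odml_index() call is tested only after the position has been restored, so when both the recursion and the seek back fail the function returns -1 and the original error code is lost. That ordering looks intentional (restore the position first), but it deserves a comment. The function now also mixes bare -1 returns with a propagated ret.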



[FFmpeg-cvslog] avformat/aiffdec: Use av_rescale() for bitrate

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Oct 31 00:11:23 2021 +0200| [00530ff352bf09d5ce64d7af153241fc43e94478] | 
committer: Michael Niedermayer

avformat/aiffdec: Use av_rescale() for bitrate

Fixes: integer overflow
Fixes: 
40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 905588df975071c03c00b2e923c311b4de65a8f4)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=00530ff352bf09d5ce64d7af153241fc43e94478
---

 libavformat/aiffdec.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index ffe47a7711..85e8138133 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -187,8 +187,10 @@ static int get_aiff_header(AVFormatContext *s, int size,
 par->block_align = (av_get_bits_per_sample(par->codec_id) * 
par->channels) >> 3;
 
 if (aiff->block_duration) {
-par->bit_rate = (int64_t)par->sample_rate * (par->block_align << 3) /
-aiff->block_duration;
+par->bit_rate = av_rescale(par->sample_rate, par->block_align * 8LL,
+   aiff->block_duration);
+if (par->bit_rate < 0)
+par->bit_rate = 0;
 }
 
 /* Chunk is over */
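
Review bot: The surrounding guard "if (aiff->block_duration)" excludes only zero, so a negative block_duration still reaches av_rescale() and is then hidden by the new "if (par->bit_rate < 0)" clamp. Testing block_duration > 0 up front, or a comment explaining which inputs the clamp is meant for, would make this explicit.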



[FFmpeg-cvslog] avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Thu Oct 21 13:25:59 2021 +0200| [e8a3e30a8522a3db73fcdc6ea9279ffefc8708e9] | 
committer: Michael Niedermayer

avcodec/flac_parser: Consider AV_INPUT_BUFFER_PADDING_SIZE

Fixes: out of array read
Fixes: 
40109/clusterfuzz-testcase-minimized-ffmpeg_dem_FLAC_fuzzer-4805686811295744

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Mattias Wadman 
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8a3e30a8522a3db73fcdc6ea9279ffefc8708e9
---

 libavcodec/flac_parser.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/flac_parser.c b/libavcodec/flac_parser.c
index 3424583c49..b13b3b646a 100644
--- a/libavcodec/flac_parser.c
+++ b/libavcodec/flac_parser.c
@@ -55,6 +55,7 @@
 
 /** largest possible size of flac header */
 #define MAX_FRAME_HEADER_SIZE 16
+#define MAX_FRAME_VERIFY_SIZE (MAX_FRAME_HEADER_SIZE)
 
 typedef struct FLACHeaderMarker {
 int offset;   /**< byte offset from start of FLACParseContext->buffer 
*/
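
Review bot: MAX_FRAME_VERIFY_SIZE is added without a doc comment, unlike MAX_FRAME_HEADER_SIZE directly above it, and it is defined as exactly the same value. State what distinguishes the two so the next reader does not fold them back together.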
@@ -170,7 +171,7 @@ static int find_headers_search_validate(FLACParseContext 
*fpc, int offset)
 uint8_t *header_buf;
 int size = 0;
 header_buf = flac_fifo_read_wrap(fpc, offset,
- MAX_FRAME_HEADER_SIZE,
+ MAX_FRAME_VERIFY_SIZE + 
AV_INPUT_BUFFER_PADDING_SIZE,
  >wrap_buf,
  >wrap_buf_allocated_size);
 if (frame_header_is_valid(fpc->avctx, header_buf, )) {
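
Review bot: The length passed to flac_fifo_read_wrap() grows by AV_INPUT_BUFFER_PADDING_SIZE, but nothing in this hunk shows that the fifo holds that many bytes past offset. Confirm that the callers of find_headers_search_validate() guarantee it, and say so in a comment next to the call.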



[FFmpeg-cvslog] avformat/aiffdec: sanity check block_align

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Oct 31 00:10:39 2021 +0200| [b52cad186c40f2713cf88d062c61d77bfec9c990] | 
committer: Michael Niedermayer

avformat/aiffdec: sanity check block_align

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 93f7776921ed8c5219732210067016c3457e864d)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b52cad186c40f2713cf88d062c61d77bfec9c990
---

 libavformat/aiffdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index cb96c02b6f..ffe47a7711 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -370,7 +370,7 @@ got_sound:
 if (!st->codecpar->block_align && st->codecpar->codec_id == 
AV_CODEC_ID_QCELP) {
 av_log(s, AV_LOG_WARNING, "qcelp without wave chunk, assuming full 
rate\n");
 st->codecpar->block_align = 35;
-} else if (!st->codecpar->block_align) {
+} else if (st->codecpar->block_align <= 0) {
 av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid 
block_align value\n");
 return -1;
 }
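
Review bot: The changed branch now tests "block_align <= 0" while the QCELP branch before it still tests "!st->codecpar->block_align", so a negative value with QCELP falls through to the error instead of the default of 35. That is probably intended, but the two tests read as inconsistent without a comment. The error path also returns a bare -1 rather than AVERROR_INVALIDDATA.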



[FFmpeg-cvslog] avformat/aiffdec: Check sample_rate

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.3 | Michael Niedermayer  | 
Sun Oct 31 00:02:04 2021 +0200| [e3a69dd7a00aa8d377236ec59610052fc7501f7e] | 
committer: Michael Niedermayer

avformat/aiffdec: Check sample_rate

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1b04836dff9958e8bfdbed2746b8c40b1e119ecc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e3a69dd7a00aa8d377236ec59610052fc7501f7e
---

 libavformat/aiffdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
index fb5935c746..cb96c02b6f 100644
--- a/libavformat/aiffdec.c
+++ b/libavformat/aiffdec.c
@@ -122,6 +122,9 @@ static int get_aiff_header(AVFormatContext *s, int size,
 sample_rate = val << exp;
 else
 sample_rate = (val + (1ULL<<(-exp-1))) >> -exp;
+if (sample_rate <= 0)
+return AVERROR_INVALIDDATA;
+
 par->sample_rate = sample_rate;
 if (size < 18)
 return AVERROR_INVALIDDATA;
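
Review bot: The new "sample_rate <= 0" check runs after the value has been produced by "val << exp" or the rounding shift, so it cannot catch a shift count that is out of range; the bound on exp is not visible in this hunk and should be confirmed. The rejection is also silent, and an av_log() line with the offending value would help diagnosis.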



[FFmpeg-cvslog] Update for FFmpeg 4.4.2

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Apr  6 20:29:51 2022 +0200| [dcb2ad91253e4f913acc02b7db2192335e227f70] | 
committer: Michael Niedermayer

Update for FFmpeg 4.4.2

Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcb2ad91253e4f913acc02b7db2192335e227f70
---

 Changelog| 112 +++
 RELEASE  |   2 +-
 doc/Doxyfile |   2 +-
 3 files changed, 114 insertions(+), 2 deletions(-)

diff --git a/Changelog b/Changelog
index a6508cd8ac..c1c50d7d6b 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,118 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 4.4.2:
+- avcodec/exr: Avoid signed overflow in displayWindow
+- avcodec/diracdec: avoid signed integer overflow in global mv
+- avcodec/takdsp: Fix integer overflow in decorrelate_sf()
+- avcodec/apedec: fix a integer overflow in long_filter_high_3800()
+- avfilter/vf_subtitles: pass storage size to libass
+- avformat/aqtitledec: Skip unrepresentable durations
+- avformat/cafdec: Do not store empty keys in read_info_chunk()
+- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before 
writing
+- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
+- avformat/mxfdec: Check count in mxf_read_strong_ref_array()
+- avformat/hls: Check target_duration
+- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
+- avformat/matroskadec: Check pre_ns
+- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
+- avcodec/libuavs3d: Check ff_set_dimensions() for failure
+- avcodec/mjpegbdec: Set buf_size
+- avformat/matroskadec: Use rounded down duration in get_cue_desc() check
+- avcodec/argo: Check packet size
+- avcodec/g729_parser: Check channels
+- avformat/avidec: Check height
+- avformat/rmdec: Better duplicate tags check
+- avformat/mov: Disallow empty sidx
+- avformat/argo_asf: Fix order of operations in error check in 
argo_asf_write_trailer()
+- avformat/matroskadec: Check duration
+- avformat/mov: Corner case encryption error cleanup in mov_read_senc()
+- avcodec/jpeglsdec: Fix if( code style
+- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
+- avcodec/motion_est: fix indention of ff_get_best_fcode()
+- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
+- avformat/hls: Use unsigned for iv computation
+- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using 
unsigned
+- avformat/matroskadec: Check desc_bytes
+- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
+- avformat/matroskadec: Fix infinite loop with bz decompression
+- avformat/mov: Check size before subtraction
+- avcodec/cfhd: Avoid signed integer overflow in coeff
+- avcodec/apedec: Fix integer overflows in predictor_update_3930()
+- avcodec/apedec: fix integer overflow in 8bit samples
+- avformat/flvdec: timestamps cannot use the full int64 range
+- avcodec/tiff: Remove messing with jpeg context
+- avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions
+- avcodec/tiff: Pass max_pixels to mjpeg context
+- avcodec/vqavideo: reset accounting on error
+- avcodec/alacdsp: fix integer overflow in decorrelate_stereo()
+- avformat/4xm: Check for duplicate track ids
+- avformat/4xm: Consider max_streams on reallocating tracks array
+- avformat/mov: Check next offset in mov_read_dref()
+- avformat/vivo: Favor setting fps from explicit fractions
+- avformat/vivo: Do not use the general expression evaluator for parsing a 
floating point value
+- avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
+- avcodec/apedec: Change avg to uint32_t
+- avformat/mxfdec: Check component_depth in mxf_get_color_range()
+- avformat/mov: Disallow duplicate smdm
+- avformat/mov: Check for EOF in mov_read_glbl()
+- avcodec/vp3: Check version in all cases when VP4 code is not built
+- avformat/mov: Check channels for mov_parse_stsd_audio()
+- avformat/avidec: Check read_odml_index() for failure
+- avformat/aiffdec: Use av_rescale() for bitrate
+- avformat/aiffdec: sanity check block_align
+- avformat/aiffdec: Check sample_rate
+- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure
+- avcodec/zmbvenc: Fix memleak upon init error
+- avcodec/dnxhdenc: Fix segfault when using too many slice threads
+- avcodec/wma(dec|enc): Fix memleaks upon allocation error
+- avfilter/avfilter: Actually error out on init error
+- avcodec/opus_silk: Remove wrong size information in function declaration
+- avformat/omadec: Don't output uninitialized values
+- avformat/jacosubenc: Fix writing extradata
+- avformat/cafenc: Fix memleak when trailer is never written
+- avformat/cafenc: Don't segfault upon allocation error
+- avformat/cafenc: Fix potential integer overflow
+- avformat/movenc: Limit ism_lookahead to a sane value
+- 

[FFmpeg-cvslog] avcodec/exr: Avoid signed overflow in displayWindow

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Mar 21 21:03:13 2022 +0100| [15006f48cd75fb7c93c06dde50b76ea1309cce00] | 
committer: Michael Niedermayer

avcodec/exr: Avoid signed overflow in displayWindow

The inputs are unused except for this computation so wraparound
does not give an attacker any extra values as they are already fully
controlled

Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 
'int'
Fixes: 
45820/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5766159019933696

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1291568c9834c02413ab5d87762308f15b4ae9c6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15006f48cd75fb7c93c06dde50b76ea1309cce00
---

 libavcodec/exr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/exr.c b/libavcodec/exr.c
index 49ba7fd6de..b6bf87ab81 100644
--- a/libavcodec/exr.c
+++ b/libavcodec/exr.c
@@ -1829,8 +1829,8 @@ static int decode_header(EXRContext *s, AVFrame *frame)
 dx = bytestream2_get_le32(gb);
 dy = bytestream2_get_le32(gb);
 
-s->w = dx - sx + 1;
-s->h = dy - sy + 1;
+s->w = (unsigned)dx - sx + 1;
+s->h = (unsigned)dy - sy + 1;
 
 continue;
 } else if ((var_size = check_header_variable(s, "lineOrder",
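
Review bot: In the two `+` lines the `(unsigned)` cast makes `dx - sx + 1` wrap instead of overflow, but nothing in this hunk rejects a display window with `dx < sx` or `dy < sy`, so `s->w` and `s->h` can still end up zero, negative or wrapped. The commit message argues this is harmless because the values are attacker-controlled anyway; a one-line comment at the cast saying the wraparound is intentional, or an explicit `dx < sx || dy < sy` rejection with AVERROR_INVALIDDATA, would make that reasoning visible in the code.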

___
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".


[FFmpeg-cvslog] avcodec/diracdec: avoid signed integer overflow in global mv

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Mar 21 20:51:47 2022 +0100| [977cfb719745dab296d748b6304f349b01ce6a08] | 
committer: Michael Niedermayer

avcodec/diracdec: avoid signed integer overflow in global mv

Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented 
in type 'long'
Fixes: 
45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7f1279684e8e1e33c78577b7f0265c062e4e6232)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=977cfb719745dab296d748b6304f349b01ce6a08
---

 libavcodec/diracdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index bcde01..cf7fc2c56c 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -1432,8 +1432,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, 
int x, int y, int ref)
 int *c  = s->globalmc[ref].perspective;
 
 int64_t m   = (1> (ez+ep);
 block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);
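
Review bot: In the context line `block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep);` the rounding term `1<<(ez+ep)` is still computed in `int`, so it is undefined once `ez+ep` reaches 31, independent of the 64-bit overflow this commit addresses. Unless `ez+ep` is bounded elsewhere, writing the constant as `INT64_C(1)` would keep the whole expression in 64 bits.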



[FFmpeg-cvslog] avcodec/takdsp: Fix integer overflow in decorrelate_sf()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Mar 28 00:26:06 2022 +0200| [30194a348ec6ed70f4676c405957cd1eead94186] | 
committer: Michael Niedermayer

avcodec/takdsp: Fix integer overflow in decorrelate_sf()

Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 
'int'
Fixes: 
45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 01d8c887f63bcb1f870034ed441504b3daffc645)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30194a348ec6ed70f4676c405957cd1eead94186
---

 libavcodec/takdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/takdsp.c b/libavcodec/takdsp.c
index 9cb8052596..a8f9dba342 100644
--- a/libavcodec/takdsp.c
+++ b/libavcodec/takdsp.c
@@ -65,7 +65,7 @@ static void decorrelate_sf(int32_t *p1, int32_t *p2, int 
length, int dshift, int
 for (i = 0; i < length; i++) {
 int32_t a = p1[i];
 int32_t b = p2[i];
-b = (unsigned)(dfactor * (b >> dshift) + 128 >> 8) << dshift;
+b = (unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) 
>> 8) << dshift;
 p1[i] = b - a;
 }
 }
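
Review bot: The replacement line stacks three casts, `(unsigned)((int)(dfactor * (unsigned)(b >> dshift) + 128) >> 8) << dshift`, and its correctness depends on two things the code does not say: the `(int)` conversion of an out-of-range unsigned value and the `>> 8` of a negative int both have to behave as two's-complement wrap and arithmetic shift. Splitting the expression into a named unsigned product and a separate signed shift, with a short comment, would make the intended wraparound reviewable.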



[FFmpeg-cvslog] avcodec/apedec: fix a integer overflow in long_filter_high_3800()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Mar 28 00:12:17 2022 +0200| [27a609a8b900a2a7a2c99764c572fb0331c0485a] | 
committer: Michael Niedermayer

avcodec/apedec: fix a integer overflow in long_filter_high_3800()

Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in 
type 'int'
Fixes: 
45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit b085b400becb93ccc68d786ab738b1fc50408b89)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=27a609a8b900a2a7a2c99764c572fb0331c0485a
---

 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index f414ec0f74..b65a740f87 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -955,7 +955,7 @@ static void long_filter_high_3800(int32_t *buffer, int 
order, int shift, int len
 dotprod += delay[j] * (unsigned)coeffs[j];
 coeffs[j] += ((delay[j] >> 31) | 1) * sign;
 }
-buffer[i] -= dotprod >> shift;
+buffer[i] -= (unsigned)(dotprod >> shift);
 for (j = 0; j < order - 1; j++)
 delay[j] = delay[j + 1];
 delay[order - 1] = buffer[i];
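
Review bot: Only the `buffer[i] -=` line gets the `(unsigned)` cast; the context line `coeffs[j] += ((delay[j] >> 31) | 1) * sign;` still does its update in signed arithmetic and is fed by the same decoded data. If `coeffs[j]` is not bounded elsewhere it is a candidate for the same UBSan report and could be handled in this commit, for example by casting `sign` to unsigned as is already done for `coeffs[j]` in the `dotprod` line.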



[FFmpeg-cvslog] avformat/cafdec: Do not store empty keys in read_info_chunk()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Mar 19 23:36:22 2022 +0100| [fde82db1692a78faee893fda7fb2f844d65b104c] | 
committer: Michael Niedermayer

avformat/cafdec: Do not store empty keys in read_info_chunk()

Fixes: Timeout
Fixes: 
45543/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-5684953164152832

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7ec28e1d4cef723485f50f7a08859752b79b570c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fde82db1692a78faee893fda7fb2f844d65b104c
---

 libavformat/cafdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
index 7f09a27977..d18c3fce75 100644
--- a/libavformat/cafdec.c
+++ b/libavformat/cafdec.c
@@ -241,6 +241,8 @@ static void read_info_chunk(AVFormatContext *s, int64_t 
size)
 char value[1024];
 avio_get_str(pb, INT_MAX, key, sizeof(key));
 avio_get_str(pb, INT_MAX, value, sizeof(value));
+if (!*key)
+continue;
 av_dict_set(>metadata, key, value, 0);
 }
 }
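
Review bot: The new `if (!*key) continue;` skips the `av_dict_set()` call, but the loop still runs two `avio_get_str()` calls per iteration and neither return value is checked. If the entry count comes from the file and the input has ended, the loop keeps iterating over empty strings; breaking out on `avio_feof(pb)` or on a failed `avio_get_str()` would bound the work rather than only making each iteration cheaper.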



[FFmpeg-cvslog] avfilter/vf_subtitles: pass storage size to libass

2022-04-06 Thread Oneric
ffmpeg | branch: release/4.4 | Oneric  | Wed Mar 23 20:43:54 
2022 +0100| [7ccd77a8ffbad3d56a86043d17b730a46074f0e9] | committer: Michael 
Niedermayer

avfilter/vf_subtitles: pass storage size to libass

Due to a quirk of the ASS format some tags depend on the exact storage
resolution of the video, so tell libass via ass_set_storage_size.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7ccd77a8ffbad3d56a86043d17b730a46074f0e9
---

 libavfilter/vf_subtitles.c | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libavfilter/vf_subtitles.c b/libavfilter/vf_subtitles.c
index de74afa2b7..b57dd80b13 100644
--- a/libavfilter/vf_subtitles.c
+++ b/libavfilter/vf_subtitles.c
@@ -145,9 +145,16 @@ static int config_input(AVFilterLink *inlink)
 ff_draw_init(>draw, inlink->format, ass->alpha ? 
FF_DRAW_PROCESS_ALPHA : 0);
 
 ass_set_frame_size  (ass->renderer, inlink->w, inlink->h);
-if (ass->original_w && ass->original_h)
+if (ass->original_w && ass->original_h) {
 ass_set_aspect_ratio(ass->renderer, (double)inlink->w / inlink->h,
  (double)ass->original_w / ass->original_h);
+#if LIBASS_VERSION > 0x0101
+ass_set_storage_size(ass->renderer, ass->original_w, ass->original_h);
+} else {
+ass_set_storage_size(ass->renderer, inlink->w, inlink->h);
+#endif
+}
+
 if (ass->shaping != -1)
 ass_set_shaper(ass->renderer, ass->shaping);
 
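
Review bot: The `#if LIBASS_VERSION > 0x0101` block opens inside the `if` body and contains the `} else {`, so the brace structure of `config_input()` differs between the two preprocessor branches and is easy to break in a later edit. Closing the `if` normally and putting both `ass_set_storage_size()` calls in a separate guarded `if`/`else` after it would read more clearly, and the guard deserves a comment naming the libass release that introduced `ass_set_storage_size()`.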



[FFmpeg-cvslog] avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Mar 13 00:37:35 2022 +0100| [45a021aba12e32300e50002155d0cafb1ec154ab] | 
committer: Michael Niedermayer

avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before 
writing

Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7aebdb8bf1fc3e09263617a7f49101cba2d43804)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=45a021aba12e32300e50002155d0cafb1ec154ab
---

 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index adc978d64b..6ceaf9c3df 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -884,7 +884,7 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID 
**refs, int *count)
 *count = c;
 
 av_free(*refs);
-*refs = av_calloc(*count, sizeof(UID));
+*refs = av_malloc_array(*count, sizeof(UID));
 if (!*refs) {
 *count = 0;
 return AVERROR(ENOMEM);
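
Review bot: Switching `av_calloc` to `av_malloc_array` leaves `*refs` uninitialised until the read that follows, so this change is only safe if a short or failed read never leaves `*count` covering entries that were not written. The commit message gives no reason and does not mention that dependency; it should say which check guarantees it, or the zeroing should stay.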



[FFmpeg-cvslog] avformat/aqtitledec: Skip unrepresentable durations

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Mar 20 00:07:50 2022 +0100| [b90c01a501382dce57b5579687e860d428b324dc] | 
committer: Michael Niedermayer

avformat/aqtitledec: Skip unrepresentable durations

Fixes: signed integer overflow: -5 - 9223372036854775807 cannot be represented 
in type 'long'
Fixes: 
45665/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-475618463934054

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c2d1597a8a6470045a8da241d4f65c81f26c3107)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b90c01a501382dce57b5579687e860d428b324dc
---

 libavformat/aqtitledec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/aqtitledec.c b/libavformat/aqtitledec.c
index 81630d73b0..960a5d8ef5 100644
--- a/libavformat/aqtitledec.c
+++ b/libavformat/aqtitledec.c
@@ -74,7 +74,8 @@ static int aqt_read_header(AVFormatContext *s)
 new_event = 1;
 pos = avio_tell(s->pb);
 if (sub) {
-sub->duration = frame - sub->pts;
+if (frame >= sub->pts && (uint64_t)frame - sub->pts < 
INT64_MAX)
+sub->duration = frame - sub->pts;
 sub = NULL;
 }
 } else if (*line) {
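
Review bot: When the new condition `frame >= sub->pts && (uint64_t)frame - sub->pts < INT64_MAX` is false, `sub->duration` is silently left at whatever value it had before and the event is still kept. A comment stating what that default is, or an `av_log()` warning on the skipped case, would make the behaviour for out-of-order frame numbers explicit.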



[FFmpeg-cvslog] avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Mar 13 00:36:55 2022 +0100| [2ad47d59afaa1684801f0938adcb4a91e7983a67] | 
committer: Michael Niedermayer

avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()

Fixes: 
42827/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4900528511909888

Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8d6f49cfc339825f3f3f8a910e4bb4c0f822db1f)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2ad47d59afaa1684801f0938adcb4a91e7983a67
---

 libavformat/mxfdec.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index ba7466f960..adc978d64b 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -875,6 +875,7 @@ static int mxf_read_cryptographic_context(void *arg, 
AVIOContext *pb, int tag, i
 
 static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
 {
+int64_t ret;
 unsigned c = avio_rb32(pb);
 
 //avio_read() used int
@@ -889,7 +890,12 @@ static int mxf_read_strong_ref_array(AVIOContext *pb, UID 
**refs, int *count)
 return AVERROR(ENOMEM);
 }
 avio_skip(pb, 4); /* useless size of objects, always 16 according to specs 
*/
-avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
+ret = avio_read(pb, (uint8_t *)*refs, *count * sizeof(UID));
+if (ret != *count * sizeof(UID)) {
+*count = ret < 0 ? 0   : ret / sizeof(UID);
+return   ret < 0 ? ret : AVERROR_INVALIDDATA;
+}
+
 return 0;
 }
 
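
Review bot: `if (ret != *count * sizeof(UID))` mixes the signed `int64_t ret` with an unsigned `size_t` product, so the comparison relies on implicit conversion rules that differ between 32-bit and 64-bit targets. Testing `ret < 0` first and then comparing lengths would avoid that. On a short read the function also returns AVERROR_INVALIDDATA while leaving `*count` non-zero and `*refs` allocated, which callers need to know in order to free the array.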



[FFmpeg-cvslog] avformat/mxfdec: Check count in mxf_read_strong_ref_array()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Mar 13 00:34:52 2022 +0100| [2a549b2e7d9f3edd4744afe288fcb012daee4a1e] | 
committer: Michael Niedermayer

avformat/mxfdec: Check count in mxf_read_strong_ref_array()

Reviewed-by: Tomas Härdin 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 3015c556f316d4ab364ed55e8bc97cc0f2cc57a3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a549b2e7d9f3edd4744afe288fcb012daee4a1e
---

 libavformat/mxfdec.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 84ab0cefd7..ba7466f960 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -875,7 +875,13 @@ static int mxf_read_cryptographic_context(void *arg, 
AVIOContext *pb, int tag, i
 
 static int mxf_read_strong_ref_array(AVIOContext *pb, UID **refs, int *count)
 {
-*count = avio_rb32(pb);
+unsigned c = avio_rb32(pb);
+
+//avio_read() used int
+if (c > INT_MAX / sizeof(UID))
+return AVERROR_PATCHWELCOME;
+*count = c;
+
 av_free(*refs);
 *refs = av_calloc(*count, sizeof(UID));
 if (!*refs) {
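
Review bot: The bound `c > INT_MAX / sizeof(UID)` returns AVERROR_PATCHWELCOME, which signals a missing feature rather than a rejected input; a count that large read from the file is more naturally AVERROR_INVALIDDATA. The comment `//avio_read() used int` would also be clearer if it said that the limit exists because the byte count passed to avio_read() must fit in an int.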



[FFmpeg-cvslog] avformat/hls: Check target_duration

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Mar 20 22:54:31 2022 +0100| [79ad18ddbd2f7feee33e24bff02afe4c10928b75] | 
committer: Michael Niedermayer

avformat/hls: Check target_duration

Fixes: signed integer overflow: 77 * 100 cannot be represented 
in type 'long long'
Fixes: 
45545/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-6438101247983616

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Steven Liu 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit a8fd3f7fab83e1beea1c441e1a2e538e7aa431a5)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=79ad18ddbd2f7feee33e24bff02afe4c10928b75
---

 libavformat/hls.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index 75209906d3..f2ca4f3443 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -810,10 +810,16 @@ static int parse_playlist(HLSContext *c, const char *url,
);
 new_rendition(c, , url);
 } else if (av_strstart(line, "#EXT-X-TARGETDURATION:", )) {
+int64_t t;
 ret = ensure_playlist(c, , url);
 if (ret < 0)
 goto fail;
-pls->target_duration = strtoll(ptr, NULL, 10) * AV_TIME_BASE;
+t = strtoll(ptr, NULL, 10);
+if (t < 0 || t >= INT64_MAX / AV_TIME_BASE) {
+ret = AVERROR_INVALIDDATA;
+goto fail;
+}
+pls->target_duration = t * AV_TIME_BASE;
 } else if (av_strstart(line, "#EXT-X-MEDIA-SEQUENCE:", )) {
 uint64_t seq_no;
 ret = ensure_playlist(c, , url);
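
Review bot: `t = strtoll(ptr, NULL, 10);` passes NULL as the end pointer, so a tag with no digits parses as 0 and passes the new `t < 0 || t >= INT64_MAX / AV_TIME_BASE` check. Passing an end pointer and rejecting the line when no characters were consumed would close that gap in the same place the range check was added.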



[FFmpeg-cvslog] avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Oct 26 21:30:19 2020 +0100| [b27833f06689eb0e44e2f044d8d4db8b831affed] | 
committer: Michael Niedermayer

avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()

Fixes: signed integer overflow: 11494 * 107374182400 cannot be represented 
in type 'long'
Fixes: 
26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c1f20c6c858b753effda274b58ef635d1924915)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b27833f06689eb0e44e2f044d8d4db8b831affed
---

 libavcodec/pixlet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/pixlet.c b/libavcodec/pixlet.c
index ad9d830af7..febee5c31d 100644
--- a/libavcodec/pixlet.c
+++ b/libavcodec/pixlet.c
@@ -405,7 +405,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned 
size, int64_t scale)
 (int64_t) low [i - 1] * -INT64_C(325392907)  +
 (int64_t) high[i + 0] *  INT64_C(1518500249) +
 (int64_t) high[i - 1] *  INT64_C(1518500249);
-dest[i * 2] = av_clip_int16(((value >> 32) * scale) >> 32);
+dest[i * 2] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 32);
 }
 
 for (i = 0; i < hsize; i++) {
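
Review bot: With `(uint64_t)scale` the product is unsigned, so the outer `>> 32` is now a logical shift and a negative `(value >> 32)` no longer yields a negative 64-bit result. The output is only unchanged if the argument is narrowed to 32 bits on the way into `av_clip_int16()`; a comment saying so next to `dest[i * 2]` (and the matching `dest[i * 2 + 1]` line) would keep a later reader from treating the shift as sign-preserving.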
@@ -416,7 +416,7 @@ static void filterfn(int16_t *dest, int16_t *tmp, unsigned 
size, int64_t scale)
 (int64_t) high[i + 1] *  INT64_C(303700064)  +
 (int64_t) high[i + 0] * -INT64_C(3644400640) +
 (int64_t) high[i - 1] *  INT64_C(303700064);
-dest[i * 2 + 1] = av_clip_int16(((value >> 32) * scale) >> 32);
+dest[i * 2 + 1] = av_clip_int16(((value >> 32) * (uint64_t)scale) >> 
32);
 }
 }
 



[FFmpeg-cvslog] avformat/matroskadec: Check pre_ns

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Feb 13 15:20:02 2022 +0100| [78eed60822f44205fae364855fec3dbd55b59432] | 
committer: Michael Niedermayer

avformat/matroskadec: Check pre_ns

Fixes: division by 0
Fixes: 
44615/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6681108677263360

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 710e51677a6f3a5c2b37dc31a597957a22a5e531)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78eed60822f44205fae364855fec3dbd55b59432
---

 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 78e592cba6..37884934a9 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -4128,6 +4128,8 @@ static int64_t 
webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
 // prebuffered.
 pre_bytes = desc_end.end_offset - desc_end.start_offset;
 pre_ns = desc_end.end_time_ns - desc_end.start_time_ns;
+if (pre_ns <= 0)
+return -1;
 pre_sec = pre_ns / nano_seconds_per_second;
 prebuffer_bytes +=
 pre_bytes * ((temp_prebuffer_ns / nano_seconds_per_second) / 
pre_sec);
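
Review bot: The new `if (pre_ns <= 0) return -1;` does not cover the divisor that is actually used, `pre_sec = pre_ns / nano_seconds_per_second;`. If these are integer types, any `pre_ns` smaller than one second still gives `pre_sec == 0` and the following `/ pre_sec` divides by zero; checking `pre_sec` directly, after it is computed, would match the expression being protected.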



[FFmpeg-cvslog] avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Feb  8 00:43:56 2022 +0100| [cd310f05024de48d69c9ebf5581b42e9307b6c40] | 
committer: Michael Niedermayer

avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior

Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 
'int'
Fixes: 
44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 28008bf95ed9b2ab5945ae6658358ad7c7f1df35)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cd310f05024de48d69c9ebf5581b42e9307b6c40
---

 libavcodec/sonic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index c049f6aedc..8662737837 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -1004,7 +1004,7 @@ static int sonic_decode_frame(AVCodecContext *avctx,
 
 // dequantize
 for (i = 0; i < s->num_taps; i++)
-s->predictor_k[i] *= s->tap_quant[i];
+s->predictor_k[i] *= (unsigned) s->tap_quant[i];
 
 if (s->lossless)
 quant = 1;
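
Review bot: The subject says predictor_k is made unsigned, but the change casts `s->tap_quant[i]` at the multiplication and leaves the storage type alone, so the wrapped product is converted back into `s->predictor_k[i]` on assignment. The commit message should describe the cast that was actually made, and a range check on the decoded coefficients before the dequantize loop would reject the fuzzed values instead of wrapping them.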



[FFmpeg-cvslog] avcodec/libuavs3d: Check ff_set_dimensions() for failure

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Feb 10 00:06:12 2022 +0100| [cc53ce7e5b009921ee80a5974cb978ef112f1148] | 
committer: Michael Niedermayer

avcodec/libuavs3d: Check ff_set_dimensions() for failure

Untested, no testcase

Signed-off-by: Michael Niedermayer 
(cherry picked from commit e88b99afdffce269e7a6a588948c4e00b86536f6)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc53ce7e5b009921ee80a5974cb978ef112f1148
---

 libavcodec/libuavs3d.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/libuavs3d.c b/libavcodec/libuavs3d.c
index be03da39e2..59b50a2843 100644
--- a/libavcodec/libuavs3d.c
+++ b/libavcodec/libuavs3d.c
@@ -208,7 +208,9 @@ static int libuavs3d_decode_frame(AVCodecContext *avctx, 
void *data, int *got_fr
 }
 avctx->has_b_frames  = !seqh->low_delay;
 avctx->pix_fmt = seqh->bit_depth_internal == 8 ? 
AV_PIX_FMT_YUV420P : AV_PIX_FMT_YUV420P10LE;
-ff_set_dimensions(avctx, seqh->horizontal_size, 
seqh->vertical_size);
+ret = ff_set_dimensions(avctx, seqh->horizontal_size, 
seqh->vertical_size);
+if (ret < 0)
+return ret;
 h->got_seqhdr = 1;
 
 if (seqh->colour_description) {
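
Review bot: The new `if (ret < 0) return ret;` sits after `avctx->has_b_frames` and `avctx->pix_fmt` have already been overwritten from the sequence header, so a rejected size leaves the context half-updated while `h->got_seqhdr` stays unset. Calling `ff_set_dimensions()` before those assignments would avoid that, and since the commit message says the change is untested, a note on how the failure path was reasoned about would help.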



[FFmpeg-cvslog] avcodec/mjpegbdec: Set buf_size

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Mar 11 20:25:48 2022 +0100| [1064cf413aa68e2d365c910716fb1698f3374968] | 
committer: Michael Niedermayer

avcodec/mjpegbdec: Set buf_size

Fixes: Timeout
Fixes: 
45170/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEGB_fuzzer-5874820431085568

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1064cf413aa68e2d365c910716fb1698f3374968
---

 libavcodec/mjpegbdec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
index 19875a2ddb..3fab4a66bc 100644
--- a/libavcodec/mjpegbdec.c
+++ b/libavcodec/mjpegbdec.c
@@ -57,6 +57,7 @@ static int mjpegb_decode_frame(AVCodecContext *avctx,
 buf_end = buf + buf_size;
 s->got_picture = 0;
 s->adobe_transform = -1;
+s->buf_size = buf_size;
 
 read_header:
 /* reset on every SOI */
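
Review bot: `s->buf_size = buf_size;` is set once, above the `read_header:` label, so any jump back to that label reuses the full packet size. If `buf_size` is meant to describe the bytes remaining for the header being parsed, the assignment belongs after the label; either way the commit message should say why the missing `buf_size` led to the timeout.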



[FFmpeg-cvslog] avformat/matroskadec: Use rounded down duration in get_cue_desc() check

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Mar 10 23:24:49 2022 +0100| [326dafe40afabe604a1ca00fc56eb6e1db897ddd] | 
committer: Michael Niedermayer

avformat/matroskadec: Use rounded down duration in get_cue_desc() check

Floating point is evil, it would be better if duration was not a double

Fixes: Infinite loop
Fixes: 
45123/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6725052291219456

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bd3a03db9aef72ee36a7cc964171e9f52967f4bc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=326dafe40afabe604a1ca00fc56eb6e1db897ddd
---

 libavformat/matroskadec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index eb79e0442e..78e592cba6 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -3937,7 +3937,9 @@ static CueDesc get_cue_desc(AVFormatContext *s, int64_t 
ts, int64_t cues_start)
 int i;
 int nb_index_entries = s->streams[0]->nb_index_entries;
 AVIndexEntry *index_entries = s->streams[0]->index_entries;
-if (ts >= matroska->duration * matroska->time_scale) return (CueDesc) {-1, 
-1, -1, -1};
+
+if (ts >= (int64_t)(matroska->duration * matroska->time_scale))
+return (CueDesc) {-1, -1, -1, -1};
 for (i = 1; i < nb_index_entries; i++) {
 if (index_entries[i - 1].timestamp * matroska->time_scale <= ts &&
 index_entries[i].timestamp * matroska->time_scale > ts) {
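
Review bot: `(int64_t)(matroska->duration * matroska->time_scale)` converts a floating-point product to int64_t without a range check, and that conversion is undefined when the product is NaN or outside the int64_t range. Since the commit message notes that duration is a double, the product should be validated (finite and below INT64_MAX) before the cast.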



[FFmpeg-cvslog] avcodec/argo: Check packet size

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Feb 27 00:59:25 2022 +0100| [310a060e77980d92e5fc2c0983d6aa7c3b84a0a7] | 
committer: Michael Niedermayer

avcodec/argo: Check packet size

Fixes: Timeout
Fixes: 
45052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ARGO_fuzzer-6033489206575104

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 1bed27acefaab1b4c1813b8adc6468ca952a43f3)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=310a060e77980d92e5fc2c0983d6aa7c3b84a0a7
---

 libavcodec/argo.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/argo.c b/libavcodec/argo.c
index f633ec2691..8f58e682f6 100644
--- a/libavcodec/argo.c
+++ b/libavcodec/argo.c
@@ -608,6 +608,9 @@ static int decode_frame(AVCodecContext *avctx, void *data,
 uint32_t chunk;
 int ret;
 
+if (avpkt->size < 4)
+return AVERROR_INVALIDDATA;
+
 bytestream2_init(gb, avpkt->data, avpkt->size);
 
 if ((ret = ff_reget_buffer(avctx, frame, 0)) < 0)
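
Review bot: The literal in `if (avpkt->size < 4)` is not explained; from the context it presumably matches the `uint32_t chunk` read at the start of the packet. A short comment or a named constant would tie the minimum to what is actually read, and the commit message could state how an undersized packet produced the timeout.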



[FFmpeg-cvslog] avcodec/g729_parser: Check channels

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Feb 27 14:43:04 2022 +0100| [e9e2ddbc6c78cc18b76093617f82c920e58a8d1f] | 
committer: Michael Niedermayer

avcodec/g729_parser: Check channels

Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 
'int'
Fixes: assertion failure
Fixes: ticket9651

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f
---

 libavcodec/g729_parser.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/g729_parser.c b/libavcodec/g729_parser.c
index 010f688104..ef08b48bf3 100644
--- a/libavcodec/g729_parser.c
+++ b/libavcodec/g729_parser.c
@@ -49,6 +49,9 @@ static int g729_parse(AVCodecParserContext *s1, 
AVCodecContext *avctx,
 s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : 
G729_8K_BLOCK_SIZE;
 if (avctx->codec_id == AV_CODEC_ID_ACELP_KELVIN)
 s->block_size++;
+// channels > 2 is invalid, we pass the packet on unchanged
+if (avctx->channels > 2)
+s->block_size = 0;
 s->block_size *= avctx->channels;
 s->duration   = avctx->frame_size;
 }
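
Review bot: The new check only handles `avctx->channels > 2`; a zero or negative channel count still reaches `s->block_size *= avctx->channels;` and produces a zero or negative block size. Testing for the valid range instead (channels of 1 or 2) would cover both ends, and it is worth confirming that the rest of `g729_parse()` treats `block_size == 0` as pass-through, as the added comment says.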



[FFmpeg-cvslog] avformat/avidec: Check height

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Feb 27 21:44:29 2022 +0100| [061f8b941e954c3a6313b9084d020550ed609263] | 
committer: Michael Niedermayer

avformat/avidec: Check height

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an 
unsigned type to negate this value to itself
Fixes: Ticket8486

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ec8ff659f57786c4cb089b07dfeab7e5cbab8d52)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=061f8b941e954c3a6313b9084d020550ed609263
---

 libavformat/avidec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 4fdce640a1..02a4fd4c47 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -859,6 +859,8 @@ static int avi_read_header(AVFormatContext *s)
 memcpy(st->codecpar->extradata + 
st->codecpar->extradata_size - 9,
"BottomUp", 9);
 }
+if (st->codecpar->height == INT_MIN)
+return AVERROR_INVALIDDATA;
 st->codecpar->height = FFABS(st->codecpar->height);
 
 //avio_skip(pb, size - 5 * 4);
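
Review bot: `if (st->codecpar->height == INT_MIN)` guards exactly the one value `FFABS()` cannot negate, and it runs after the `BottomUp` extradata handling shown in the context. Moving the check to where the height is first read, with a comment that it exists because of the `FFABS()` below, would make the intent clear and avoid partially processing a header that is then rejected.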



[FFmpeg-cvslog] avformat/rmdec: Better duplicate tags check

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Feb 24 00:26:08 2022 +0100| [261557160ff360b4924729c142c45a7a1f86fc13] | 
committer: Michael Niedermayer

avformat/rmdec: Better duplicate tags check

Fixes: memleaks
Fixes: 44810/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5619494647627776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 15a646e5018078a0954918f510f819a5599f0445)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=261557160ff360b4924729c142c45a7a1f86fc13
---

 libavformat/rmdec.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 97378703d1..eaf71de520 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -128,10 +128,6 @@ static int rm_read_audio_stream_info(AVFormatContext *s, 
AVIOContext *pb,
 uint32_t version;
 int ret;
 
-// Duplicate tags
-if (st->codecpar->codec_type == AVMEDIA_TYPE_AUDIO)
-return AVERROR_INVALIDDATA;
-
 /* ra type header */
 version = avio_rb16(pb); /* version */
 if (version == 3) {
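Review bot: With the early `AVMEDIA_TYPE_AUDIO` test removed, `rm_read_audio_stream_info()` no longer defends itself against running twice on the same stream and depends on its caller having rejected duplicates. A one-line comment at the top of the function stating that precondition would keep a future caller from reintroducing the leak.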
@@ -331,6 +327,11 @@ int ff_rm_read_mdpr_codecdata(AVFormatContext *s, 
AVIOContext *pb,
 if (codec_data_size == 0)
 return 0;
 
+// Duplicate tags
+if (   st->codecpar->codec_type != AVMEDIA_TYPE_UNKNOWN
+&& st->codecpar->codec_type != AVMEDIA_TYPE_DATA)
+return AVERROR_INVALIDDATA;
+
 avpriv_set_pts_info(st, 64, 1, 1000);
 codec_pos = avio_tell(pb);
 v = avio_rb32(pb);
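Review bot: The new duplicate-tag test sits after the `codec_data_size == 0` early return, so an empty codec-data block on an already initialised stream is still accepted silently; if that is intended, the comment should say so. `// Duplicate tags` also does not explain why `AVMEDIA_TYPE_UNKNOWN` and `AVMEDIA_TYPE_DATA` are the two states treated as not yet initialised, which is the part a reader needs.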



[FFmpeg-cvslog] avformat/mov: Disallow empty sidx

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Mar  2 13:01:53 2022 +0100| [338444c0161e044f1608b4f2780c619f1297512a] | 
committer: Michael Niedermayer

avformat/mov: Disallow empty sidx

It appears this is not allowed "Each Segment Index box documents how a 
(sub)segment is divided into one or more subsegments
(which may themselves be further subdivided using Segment Index boxes)."
Fixes: Null pointer dereference
Fixes: Ticket9517

Reviewed-by: Paul B Mahol 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 4419433d77278cb742944c4514be5f72a04103c0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=338444c0161e044f1608b4f2780c619f1297512a
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4bd4750a21..46d8e628fd 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -5124,6 +5124,8 @@ static int mov_read_sidx(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 avio_rb16(pb); // reserved
 
 item_count = avio_rb16(pb);
+if (item_count == 0)
+return AVERROR_INVALIDDATA;
 
 for (i = 0; i < item_count; i++) {
 int index;
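Review bot: Returning `AVERROR_INVALIDDATA` for `item_count == 0` fails the sidx read without telling the user why. Add an `av_log()` message naming the empty Segment Index box next to the check, and state in a comment whether a hard error was chosen over skipping the box deliberately.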



[FFmpeg-cvslog] avformat/mov: Corner case encryption error cleanup in mov_read_senc()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Feb  9 22:01:03 2022 +0100| [166ee5fa684855ea0a44995c997cc09120c442a5] | 
committer: Michael Niedermayer

avformat/mov: Corner case encryption error cleanup in mov_read_senc()

Fixes: memleak
Fixes: 42341/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4566632823914496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 8ee0e4abcb8af36cae4eb24d4d6229461c1e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=166ee5fa684855ea0a44995c997cc09120c442a5
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 092c899fff..4bd4750a21 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -6140,6 +6140,8 @@ static int mov_read_senc(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 }
 if (pb->eof_reached) {
 av_log(c->fc, AV_LOG_ERROR, "Hit EOF while reading senc\n");
+if (ret >= 0)
+
av_encryption_info_free(encryption_index->encrypted_samples[i]);
 ret = AVERROR_INVALIDDATA;
 }
 
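Review bot: The added `av_encryption_info_free(encryption_index->encrypted_samples[i])` depends on `i` still indexing the entry that was being filled when EOF was hit, and on `ret >= 0` meaning that entry was not already released by an earlier error path; neither is stated. Add a comment spelling that out, and clear the slot after freeing unless the cleanup that follows is guaranteed to skip index `i`.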



[FFmpeg-cvslog] avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Feb 14 20:24:07 2022 +0100| [811047f7c26f88118ccd2c10c940b7b66b1ebf5d] | 
committer: Michael Niedermayer

avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit c8c12fb5d69107f94c5a0be14d0f3646861c60d1)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=811047f7c26f88118ccd2c10c940b7b66b1ebf5d
---

 libavformat/argo_asf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/argo_asf.c b/libavformat/argo_asf.c
index 8e2bf21c71..06d62442b3 100644
--- a/libavformat/argo_asf.c
+++ b/libavformat/argo_asf.c
@@ -422,7 +422,7 @@ static int argo_asf_write_trailer(AVFormatContext *s)
 ArgoASFMuxContext *ctx = s->priv_data;
 int64_t ret;
 
-if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET) < 0))
+if ((ret = avio_seek(s->pb, ASF_FILE_HEADER_SIZE, SEEK_SET)) < 0)
 return ret;
 
 avio_wl32(s->pb, (uint32_t)ctx->nb_blocks);
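Review bot: `return ret;` narrows the `int64_t ret` to the `int` return type of `argo_asf_write_trailer()` implicitly. That is harmless for AVERROR codes, but now that `ret` holds the `avio_seek()` result rather than the outcome of the comparison, an explicit `(int)` cast or a separate `int` for the error code would make the intent clear.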



[FFmpeg-cvslog] avformat/matroskadec: Check duration

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Feb 14 20:01:35 2022 +0100| [5cdceec2f2a822c683b6c028574fd4c0905fd4b3] | 
committer: Michael Niedermayer

avformat/matroskadec: Check duration

Fixes: -nan is outside the range of representable values of type 'long'
Fixes: 44614/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-6216204841254912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 36680078ca3302496d9b0b8a8d7168ce9eabb2bc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5cdceec2f2a822c683b6c028574fd4c0905fd4b3
---

 libavformat/matroskadec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 426fe1b67e..eb79e0442e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -2975,6 +2975,8 @@ static int matroska_read_header(AVFormatContext *s)
 
 if (!matroska->time_scale)
 matroska->time_scale = 100;
+if (isnan(matroska->duration))
+matroska->duration = 0;
 if (matroska->duration)
 matroska->ctx->duration = matroska->duration * matroska->time_scale *
   1000 / AV_TIME_BASE;
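Review bot: `isnan()` covers only one of the values that cannot be converted. An infinite or very large finite `matroska->duration` still reaches `matroska->duration * matroska->time_scale * 1000 / AV_TIME_BASE`, and storing a double outside the integer range in `matroska->ctx->duration` is the same out-of-range conversion the sanitizer reported. Check the scaled product against the representable range, or use `isfinite()` plus a bound, before the assignment.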



[FFmpeg-cvslog] avcodec/jpeglsdec: Fix if( code style

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Feb 15 21:01:06 2022 +0100| [badf284b529520e51452f62cb16be7cb0c5582bf] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Fix if( code style

Signed-off-by: Michael Niedermayer 
(cherry picked from commit f306b8e80ab04cfd8f6cd577a4484cb791d6e765)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=badf284b529520e51452f62cb16be7cb0c5582bf
---

 libavcodec/jpeglsdec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index b1c4a8d48f..2599e840d0 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -67,7 +67,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 s->t3 = get_bits(>gb, 16);
 s->reset  = get_bits(>gb, 16);
 
-if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
 av_log(s->avctx, AV_LOG_DEBUG, "Coding parameters maxval:%d T1:%d 
T2:%d T3:%d reset:%d\n",
s->maxval, s->t1, s->t2, s->t3, s->reset);
 }
@@ -96,7 +96,7 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
 else
 maxtab = 65530/wt - 1;
 
-if(s->avctx->debug & FF_DEBUG_PICT_INFO) {
+if (s->avctx->debug & FF_DEBUG_PICT_INFO) {
 av_log(s->avctx, AV_LOG_DEBUG, "LSE palette %d tid:%d wt:%d 
maxtab:%d\n", id, tid, wt, maxtab);
 }
 if (maxtab >= 256) {
@@ -211,7 +211,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 ret = ret >> 1;
 }
 
-if(FFABS(ret) > 0x)
+if (FFABS(ret) > 0x)
 return -0x1;
 /* update state */
 state->A[Q] += FFABS(ret) - RItype;



[FFmpeg-cvslog] avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Feb 12 22:02:13 2022 +0100| [1caf4f91fb6caa834b9b89055ddfcadca37eb2b1] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error

Fixes: Timeout
Fixes: Invalid shift
Fixes: 44548/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-556487680891289
Fixes: 44569/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-6302543246917632
Fixes: 44570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-4550196556595200
Fixes: 44592/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5651610385121280
Fixes: 44571/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5094698987945984
Fixes: 44607/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5341352013987840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 151f83584eeb1912c8bdcd0c1ab1296e8664a0de)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1caf4f91fb6caa834b9b89055ddfcadca37eb2b1
---

 libavcodec/jpeglsdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index f690fbc5ab..b1c4a8d48f 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -195,6 +195,8 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 #endif
 ret = get_ur_golomb_jpegls(gb, k, state->limit - limit_add - 1,
state->qbpp);
+if (ret < 0)
+return -0x1;
 
 /* decode mapped error */
 map = 0;
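Review bot: The error return for `ret < 0` is a bare hexadecimal literal, so callers have to know that this particular value means failure. A named constant, plus a comment on `ls_get_code_runterm()` saying what it returns on a bitstream error, would make the contract checkable.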



[FFmpeg-cvslog] avcodec/motion_est: fix indention of ff_get_best_fcode()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Wed Feb  9 10:31:34 2022 +0100| [1d8caf2e1ffa11c885ebb06ae4967ffa3494346d] | 
committer: Michael Niedermayer

avcodec/motion_est: fix indention of ff_get_best_fcode()

Signed-off-by: Michael Niedermayer 
(cherry picked from commit ce43e1c581b4ed539ab366cc3df458779e8a44b8)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d8caf2e1ffa11c885ebb06ae4967ffa3494346d
---

 libavcodec/motion_est.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index 1f8b9c1b7c..b79e22c422 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1622,9 +1622,9 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
  fcode_tab[my + MAX_MV]);
 int j;
 
-if(mx >= range || mx < -range ||
-   my >= range || my < -range)
-continue;
+if (mx >= range || mx < -range ||
+my >= range || my < -range)
+continue;
 
 for(j=0; jpict_type==AV_PICTURE_TYPE_B || 
s->current_picture.mc_mb_var[xy] < s->current_picture.mb_var[xy])



[FFmpeg-cvslog] avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Feb  8 21:38:50 2022 +0100| [f73e9b73ceb644451852176d3dc5566616cc62bc] | 
committer: Michael Niedermayer

avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()

This codepath seems untested, no testcases change

Found-by: 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 634312a70f4d5afd40058c52b4d8eade1da07a70)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f73e9b73ceb644451852176d3dc5566616cc62bc
---

 libavcodec/motion_est.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/motion_est.c b/libavcodec/motion_est.c
index 5b0958733c..1f8b9c1b7c 100644
--- a/libavcodec/motion_est.c
+++ b/libavcodec/motion_est.c
@@ -1614,7 +1614,7 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
 for(y=0; ymb_height; y++){
 int x;
 int xy= y*s->mb_stride;
-for(x=0; xmb_width; x++){
+for(x=0; xmb_width; x++, xy++){
 if(s->mb_type[xy] & type){
 int mx= mv_table[xy][0];
 int my= mv_table[xy][1];
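Review bot: No test covers the path this loop-header change fixes (the commit message says no test cases change), so nothing will catch the indexing drifting again. Putting `xy++` in the `for` header is the right shape, since an early exit from the loop body can no longer skip the increment; a regression test that drives the range-violation branch is what is missing.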
@@ -1631,7 +1631,6 @@ int ff_get_best_fcode(MpegEncContext * s, int16_t 
(*mv_table)[2], int type)
 score[j]-= 170;
 }
 }
-xy++;
 }
 }
 



[FFmpeg-cvslog] avformat/hls: Use unsigned for iv computation

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Feb  8 00:30:59 2022 +0100| [faf66d99c04d0f6eb97ce4b3883e2f55f6d562fd] | 
committer: Michael Niedermayer

avformat/hls: Use unsigned for iv computation

Fixes: signed integer overflow: 9223372036854775748 + 60 cannot be represented in type 'long'
Fixes: 44417/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5802443881971712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Steven Liu 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit bf33a384995ac21aa41422c6246ebdc5d9632452)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=faf66d99c04d0f6eb97ce4b3883e2f55f6d562fd
---

 libavformat/hls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/hls.c b/libavformat/hls.c
index 597bea7f25..75209906d3 100644
--- a/libavformat/hls.c
+++ b/libavformat/hls.c
@@ -903,7 +903,7 @@ static int parse_playlist(HLSContext *c, const char *url,
 if (has_iv) {
 memcpy(seg->iv, iv, sizeof(iv));
 } else {
-int64_t seq = pls->start_seq_no + pls->n_segments;
+uint64_t seq = pls->start_seq_no + 
(uint64_t)pls->n_segments;
 memset(seg->iv, 0, sizeof(seg->iv));
 AV_WB64(seg->iv + 8, seq);
 }
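Review bot: Making `seq` a `uint64_t` turns the overflow into a defined wrap, but the wrapped value is then written into the IV by `AV_WB64(seg->iv + 8, seq)`, so a playlist whose sequence number sits near the top of the signed range yields an IV that no longer corresponds to a real media sequence number. Consider rejecting or warning on a `start_seq_no` that cannot be summed with `n_segments` when the playlist is parsed, and note in a comment that only `n_segments` needs the cast because the addition is then carried out in `uint64_t`.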



[FFmpeg-cvslog] avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Feb  5 20:41:08 2022 +0100| [b356dcb2fe7145148015fb929e2fb4b35752] | 
committer: Michael Niedermayer

avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned

Fixes: left shift of 32768 by 16 places cannot be represented in type 'int'
Fixes: Timeout
Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520
Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 6ee283d7d001cfcfec94a023e172bca731e96514)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b356dcb2fe7145148015fb929e2fb4b35752
---

 libavcodec/jpeglsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index c4ffa81f7d..f690fbc5ab 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -186,7 +186,7 @@ static inline int ls_get_code_runterm(GetBitContext *gb, 
JLSState *state,
 if (RItype)
 temp += state->N[Q] >> 1;
 
-for (k = 0; (state->N[Q] << k) < temp; k++)
+for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)
 ;
 
 #ifdef JLS_BROKEN
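Review bot: The loop `for (k = 0; ((unsigned)state->N[Q] << k) < temp; k++)` still has no upper bound on `k`. The cast removes the signed-shift overflow, but if `state->N[Q]` can be 0 or `temp` is large enough, the condition stays true until `k` reaches the width of `unsigned`, and a shift by that many bits is undefined as well. Bound `k` in the loop condition and return an error when the bound is hit.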



[FFmpeg-cvslog] avformat/matroskadec: Check desc_bytes

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Feb  5 20:37:22 2022 +0100| [cc4707601d74945fb0115c1ce5bc2d4831a4e41a] | 
committer: Michael Niedermayer

avformat/matroskadec: Check desc_bytes

Fixes: Division by 0
Fixes: 44035/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-4826721386364928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 5038933977d06d1048b41d71e0ada4d1ac536ddc)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=cc4707601d74945fb0115c1ce5bc2d4831a4e41a
---

 libavformat/matroskadec.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 5cd6699a23..426fe1b67e 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -4135,12 +4135,16 @@ static int64_t 
webm_dash_manifest_compute_bandwidth(AVFormatContext *s, int64_t
 do {
 int64_t desc_bytes = desc_end.end_offset - 
desc_beg.start_offset;
 int64_t desc_ns = desc_end.end_time_ns - 
desc_beg.start_time_ns;
-double desc_sec = desc_ns / nano_seconds_per_second;
-double calc_bits_per_second = (desc_bytes * 8) / desc_sec;
+double desc_sec, calc_bits_per_second, percent, 
mod_bits_per_second;
+if (desc_bytes <= 0)
+return -1;
+
+desc_sec = desc_ns / nano_seconds_per_second;
+calc_bits_per_second = (desc_bytes * 8) / desc_sec;
 
 // Drop the bps by the percentage of bytes buffered.
-double percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
-double mod_bits_per_second = calc_bits_per_second * percent;
+percent = (desc_bytes - prebuffer_bytes) / desc_bytes;
+mod_bits_per_second = calc_bits_per_second * percent;
 
 if (prebuffer < desc_sec) {
 double search_sec =
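Review bot: Only `desc_bytes` is validated; `desc_ns` is used unchecked, so a zero or negative time span gives a zero or negative `desc_sec`, and `calc_bits_per_second = (desc_bytes * 8) / desc_sec` becomes infinite or negative. `desc_bytes * 8` is also an `int64_t` multiplication that can overflow for a large offset difference. Add `desc_ns <= 0` to the early return and carry out the multiplication in `double`.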



[FFmpeg-cvslog] avformat/matroskadec: Fix infinite loop with bz decompression

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Feb  3 22:46:55 2022 +0100| [d3456a374d4eff67d3bebc0fcb52c6843a05a816] | 
committer: Michael Niedermayer

avformat/matroskadec: Fix infinite loop with bz decompression

The same check is added to zlib too, it seems not needed there though

Fixes: Infinite loop
Fixes: 43932/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6175167573786624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt 
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 9c3d2cbb510674226b0c8fa6b146bf891f83786c)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d3456a374d4eff67d3bebc0fcb52c6843a05a816
---

 libavformat/matroskadec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 50e572d5c5..5cd6699a23 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1690,7 +1690,7 @@ static int matroska_decode_buffer(uint8_t **buf, int 
*buf_size,
 case MATROSKA_TRACK_ENCODING_COMP_ZLIB:
 {
 z_stream zstream = { 0 };
-if (inflateInit() != Z_OK)
+if (!pkt_size || inflateInit() != Z_OK)
 return -1;
 zstream.next_in  = data;
 zstream.avail_in = isize;
@@ -1723,7 +1723,7 @@ static int matroska_decode_buffer(uint8_t **buf, int 
*buf_size,
 case MATROSKA_TRACK_ENCODING_COMP_BZLIB:
 {
 bz_stream bzstream = { 0 };
-if (BZ2_bzDecompressInit(, 0, 0) != BZ_OK)
+if (!pkt_size || BZ2_bzDecompressInit(, 0, 0) != BZ_OK)
 return -1;
 bzstream.next_in  = data;
 bzstream.avail_in = isize;
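Review bot: Nothing in the hunk says why `!pkt_size` has to be rejected before the bzip2 stream is initialised; the commit message names an infinite loop, but the loop is out of view here. A one-line comment next to the check stating how a zero `pkt_size` leads to that loop would document it. The same applies to the zlib case in the previous hunk, where the message itself says the check seems not to be needed.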



[FFmpeg-cvslog] avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Feb  4 00:44:32 2022 +0100| [032672a8f1907c518213406ca65c678d9a00ae65] | 
committer: Michael Niedermayer

avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()

Fixes: pointer index expression with base 0x overflowed to 0x
Fixes: 44012/clusterfuzz-testcase-minimized-ffmpeg_dem_HLS_fuzzer-5670607746891776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 59328aabd2c789ae053e18a62a20a7addfd4d069)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=032672a8f1907c518213406ca65c678d9a00ae65
---

 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 75e5350a27..b2d011a0db 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -4997,7 +4997,7 @@ void ff_parse_key_value(const char *str, 
ff_parse_key_val_cb callback_get_buf,
 key_len = ptr - key;
 
 callback_get_buf(context, key, key_len, , _len);
-dest_end = dest + dest_len - 1;
+dest_end = dest ? dest + dest_len - 1 : NULL;
 
 if (*ptr == '\"') {
 ptr++;
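Review bot: `dest ? dest + dest_len - 1 : NULL` handles a NULL `dest`, but a non-NULL `dest` with `dest_len == 0` still computes `dest - 1`, a pointer before the start of the buffer, which is invalid pointer arithmetic of the same kind. Treat `dest_len <= 0` like the NULL case, and make sure every later comparison against `dest_end` tests `dest` first.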



[FFmpeg-cvslog] avformat/mov: Check size before subtraction

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Jan 17 14:26:05 2022 +0100| [673f8d3641ced5c25862815ec458a4c9820c5162] | 
committer: Michael Niedermayer

avformat/mov: Check size before subtraction

Fixes: signed integer overflow: -9223372036854775808 - 8 cannot be represented in type 'long'
Fixes: 43542/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5237670148702208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d8d9d506a3de976b647bcbb8f76c7b8d30eff576)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=673f8d3641ced5c25862815ec458a4c9820c5162
---

 libavformat/mov.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 47160fd551..092c899fff 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -7078,6 +7078,8 @@ static int mov_read_default(MOVContext *c, AVIOContext 
*pb, MOVAtom atom)
 if (a.size == 0) {
 a.size = atom.size - total_size + 8;
 }
+if (a.size < 0)
+break;
 a.size -= 8;
 if (a.size < 0)
 break;
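Review bot: The two `a.size < 0` tests around `a.size -= 8;` can be a single `if (a.size < 8) break;` placed before the subtraction, which rejects the same inputs and never forms a negative size. The computation `a.size = atom.size - total_size + 8;` just above is also signed arithmetic on sizes taken from the file and is not covered by this check.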



[FFmpeg-cvslog] avcodec/cfhd: Avoid signed integer overflow in coeff

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Jan 17 14:16:39 2022 +0100| [447b9a0f030653cc6687905cc642453fa2063284] | 
committer: Michael Niedermayer

avcodec/cfhd: Avoid signed integer overflow in coeff

Fixes: signed integer overflow: 15244032 * 256 cannot be represented in type 'int'
Fixes: 43504/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865014842916864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cd6ac013a00373126bf3d313743d39b5edd5428a)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=447b9a0f030653cc6687905cc642453fa2063284
---

 libavcodec/cfhd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index 6f13207cc1..b61d1e7222 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -838,7 +838,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 const uint16_t q = s->quantisation;
 
 for (i = 0; i < run; i++) {
-*coeff_data |= coeff * 256;
+*coeff_data |= coeff * 256U;
 *coeff_data++ *= q;
 }
 } else {
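Review bot: `coeff * 256U` makes the multiplication wrap instead of overflowing, so an out-of-range `coeff` from the bitstream is now folded silently into `*coeff_data`. If `coeff` has a valid range at this point, check it where it is decoded and return an error there rather than relying on the wrap here.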
@@ -869,7 +869,7 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, 
int *got_frame,
 const uint16_t q = s->quantisation;
 
 for (i = 0; i < run; i++) {
-*coeff_data |= coeff * 256;
+*coeff_data |= coeff * 256U;
 *coeff_data++ *= q;
 }
 } else {
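Review bot: This is the same three-line loop as in the previous hunk, patched a second time. Moving it into a small inline helper would leave a single place to fix the next time the arithmetic has to change.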



[FFmpeg-cvslog] avcodec/apedec: Fix integer overflows in predictor_update_3930()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Mon Jan  3 19:15:18 2022 +0100| [65d8418e11a710806e61452b41713ef1e076b102] | 
committer: Michael Niedermayer

avcodec/apedec: Fix integer overflows in predictor_update_3930()

Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int'
Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0c9c9bbd01bd82c35b6a908592d9dd6d9f4bd4a0)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65d8418e11a710806e61452b41713ef1e076b102
---

 libavcodec/apedec.c | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index e2885891a8..f414ec0f74 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1088,13 +1088,13 @@ static av_always_inline int 
predictor_update_3930(APEPredictor *p,
   const int delayA)
 {
 int32_t predictionA, sign;
-int32_t d0, d1, d2, d3;
+uint32_t d0, d1, d2, d3;
 
 p->buf[delayA] = p->lastA[filter];
 d0 = p->buf[delayA];
-d1 = p->buf[delayA] - p->buf[delayA - 1];
-d2 = p->buf[delayA - 1] - p->buf[delayA - 2];
-d3 = p->buf[delayA - 2] - p->buf[delayA - 3];
+d1 = p->buf[delayA] - (unsigned)p->buf[delayA - 1];
+d2 = p->buf[delayA - 1] - (unsigned)p->buf[delayA - 2];
+d3 = p->buf[delayA - 2] - (unsigned)p->buf[delayA - 3];
 
 predictionA = d0 * p->coeffsA[filter][0] +
   d1 * p->coeffsA[filter][1] +
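Review bot: The declarations use `uint32_t` while the subtractions cast with `(unsigned)`; pick one (`uint32_t` matches the variables) so the width of the wrapping arithmetic does not depend on the platform's `unsigned`. `predictionA = d0 * p->coeffsA[filter][0] + ...` now also involves the unsigned `d0`..`d3` and is converted back on assignment to the `int32_t`, which deserves a comment saying it is intended.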
@@ -1105,10 +1105,10 @@ static av_always_inline int 
predictor_update_3930(APEPredictor *p,
 p->filterA[filter] = p->lastA[filter] + ((int)(p->filterA[filter] * 31U) 
>> 5);
 
 sign = APESIGN(decoded);
-p->coeffsA[filter][0] += ((d0 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][1] += ((d1 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][2] += ((d2 < 0) * 2 - 1) * sign;
-p->coeffsA[filter][3] += ((d3 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][0] += (((int32_t)d0 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][1] += (((int32_t)d1 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][2] += (((int32_t)d2 < 0) * 2 - 1) * sign;
+p->coeffsA[filter][3] += (((int32_t)d3 < 0) * 2 - 1) * sign;
 
 return p->filterA[filter];
 }
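Review bot: Each sign test now needs its own `(int32_t)` cast, and any later `dN < 0` written without it would be always false on the `uint32_t` variables, with no compiler error. Keeping signed copies of `d0`..`d3` for the sign tests, or a small macro for the sign-step expression, would remove that trap.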



[FFmpeg-cvslog] avcodec/apedec: fix integer overflow in 8bit samples

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Dec 23 20:39:14 2021 +0100| [6c5e26821e075e55fa398cf8a52f833cc1316148] | 
committer: Michael Niedermayer

avcodec/apedec: fix integer overflow in 8bit samples

Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int'
Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 7cee3b37187dbf61dbebff023f07ceedfc0129bb)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6c5e26821e075e55fa398cf8a52f833cc1316148
---

 libavcodec/apedec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 0fb3b04db5..e2885891a8 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -1587,7 +1587,7 @@ static int ape_decode_frame(AVCodecContext *avctx, void 
*data,
 for (ch = 0; ch < s->channels; ch++) {
 sample8 = (uint8_t *)frame->data[ch];
 for (i = 0; i < blockstodecode; i++)
-*sample8++ = (s->decoded[ch][i] + 0x80) & 0xff;
+*sample8++ = (s->decoded[ch][i] + 0x80U) & 0xff;
 }
 break;
 case 16:
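Review bot: The `U` suffix on `0x80U` is the entire fix and will look like noise to a later reader. A short comment that the addition must be unsigned because `s->decoded[ch][i]` can be close to `INT_MAX` would keep it from being tidied away.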



[FFmpeg-cvslog] avcodec/tiff: Remove messing with jpeg context

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Dec 25 20:14:48 2021 +0100| [3fe61f91b3b27f7a91f2a2f8ae6d7719fcaadafc] | 
committer: Michael Niedermayer

avcodec/tiff: Remove messing with jpeg context

The whole concept is just not correct, also as it seems not to be needed
at all, all dng files i have decode without this.

Fixes: various crashes
Fixes: 42937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4625073334517760
Fixes: 42938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4643368217477120
Fixes: 42939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925325908246528
Fixes: 42940/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925378806808576
Fixes: 42941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6202009265504256
Fixes: 42944/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6076860998483968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit afdbc940c6011b64c1856f88d2b0609369f87406)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3fe61f91b3b27f7a91f2a2f8ae6d7719fcaadafc
---

 libavcodec/tiff.c | 24 ++--
 1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 6faf451c68..c127ce146f 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -735,20 +735,6 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame 
*frame,
 return 0;
 }
 
-static int dng_decode_strip(AVCodecContext *avctx, AVFrame *frame)
-{
-TiffContext *s = avctx->priv_data;
-int ret = ff_set_dimensions(s->avctx_mjpeg, s->width, s->height);
-
-if (ret < 0)
-return ret;
-
-s->jpgframe->width  = s->width;
-s->jpgframe->height = s->height;
-
-return dng_decode_jpeg(avctx, frame, s->stripsize, 0, 0, s->width, 
s->height);
-}
-
 static int tiff_unpack_strip(TiffContext *s, AVFrame *p, uint8_t *dst, int 
stride,
  const uint8_t *src, int size, int strip_start, 
int lines)
 {
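
Review bot: dropping dng_decode_strip() also drops the `ff_set_dimensions(s->avctx_mjpeg, s->width, s->height)` check, and the commit message justifies that only with the author's own DNG samples decoding fine. The message should state what now bounds the MJPEG context's dimensions for hostile input, since that call was introduced on this branch for an OOM report (clusterfuzz case 42263) and the six crash cases listed here do not show that the OOM case was re-run.
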
@@ -870,7 +856,7 @@ static int tiff_unpack_strip(TiffContext *s, AVFrame *p, 
uint8_t *dst, int strid
 av_log(s->avctx, AV_LOG_ERROR, "More than one DNG JPEG strips 
unsupported\n");
 return AVERROR_PATCHWELCOME;
 }
-if ((ret = dng_decode_strip(s->avctx, p)) < 0)
+if ((ret = dng_decode_jpeg(s->avctx, p, s->stripsize, 0, 0, s->width, 
s->height)) < 0)
 return ret;
 return 0;
 }
@@ -986,13 +972,7 @@ static int dng_decode_tiles(AVCodecContext *avctx, AVFrame 
*frame,
 int has_width_leftover, has_height_leftover;
 int tile_x = 0, tile_y = 0;
 int pos_x = 0, pos_y = 0;
-int ret = ff_set_dimensions(s->avctx_mjpeg, s->tile_width, s->tile_length);
-
-if (ret < 0)
-return ret;
-
-s->jpgframe->width  = s->tile_width;
-s->jpgframe->height = s->tile_length;
+int ret;
 
 has_width_leftover = (s->width % s->tile_width != 0);
 has_height_leftover = (s->height % s->tile_length != 0);
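
Review bot: in dng_decode_tiles() the removed `ff_set_dimensions()` call was the only check visible here that rejected non-positive `s->tile_width` / `s->tile_length`, and the first statements left after `int ret;` are `s->width % s->tile_width` and `s->height % s->tile_length`. Please confirm that the tile dimensions are validated as non-zero before this function is reached, or keep an explicit check ahead of the modulo operations.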


[FFmpeg-cvslog] avformat/flvdec: timestamps cannot use the full int64 range

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Dec 23 20:36:16 2021 +0100| [be0109b881e688616ccac6551762e1a692befe11] | 
committer: Michael Niedermayer

avformat/flvdec: timestamps cannot use the full int64 range

We do not support this as we multiply by 1000
Fixes: signed integer overflow: -45318575073853696 * 1000 cannot be represented in type 'long'
Fixes: 42804/clusterfuzz-testcase-minimized-ffmpeg_dem_LIVE_FLV_fuzzer-4630325425209344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit c217ca7718c8e24905d7ba9ede719ae040899476)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=be0109b881e688616ccac6551762e1a692befe11
---

 libavformat/flvdec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index 79c810f963..2bbfef53e6 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -459,6 +459,8 @@ static int parse_keyframes_index(AVFormatContext *s, 
AVIOContext *ioc, int64_t m
 d = av_int2double(avio_rb64(ioc));
 if (isnan(d) || d < INT64_MIN || d > INT64_MAX)
 goto invalid;
+if (current_array ==  && (d <= INT64_MIN / 1000 || d >= 
INT64_MAX / 1000))
+goto invalid;
 current_array[0][i] = d;
 }
 if (times && filepositions) {
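
Review bot: the added bound in parse_keyframes_index() hard-codes 1000 with no pointer to the multiplication it protects, so the check and the later scaling can drift apart. A short comment naming that conversion, or a shared constant used at both sites, would tie them together and explain why only one of the arrays gets the tighter range.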


[FFmpeg-cvslog] avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Dec 17 20:52:32 2021 +0100| [14249d8a0376ce7d4d40eba0ee81c5973eb4441a] | 
committer: Michael Niedermayer

avcodec/tiff: Use ff_set_dimensions() for setting up mjpeg context dimensions

sets coded_width / coded_height too to keep them consistent with
width / height

Fixes: OOM
Fixes: 42263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-565619113984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit cfa1f0e214d07f0fdc027f2ec760eb9fd3fac85e)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=14249d8a0376ce7d4d40eba0ee81c5973eb4441a
---

 libavcodec/tiff.c | 15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 7d65da8e9a..6faf451c68 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -738,13 +738,14 @@ static int dng_decode_jpeg(AVCodecContext *avctx, AVFrame 
*frame,
 static int dng_decode_strip(AVCodecContext *avctx, AVFrame *frame)
 {
 TiffContext *s = avctx->priv_data;
+int ret = ff_set_dimensions(s->avctx_mjpeg, s->width, s->height);
+
+if (ret < 0)
+return ret;
 
 s->jpgframe->width  = s->width;
 s->jpgframe->height = s->height;
 
-s->avctx_mjpeg->width = s->width;
-s->avctx_mjpeg->height = s->height;
-
 return dng_decode_jpeg(avctx, frame, s->stripsize, 0, 0, s->width, 
s->height);
 }
 
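Review bot: the switch to `ff_set_dimensions()` in dng_decode_strip() is explained in the commit message only as keeping coded_width / coded_height consistent; it does not say which allocation grew without bound in the OOM case. One sentence on that, in the message or as a comment above the call, would tell a later reader why the direct `s->avctx_mjpeg->width` / `height` assignments must not come back.
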
@@ -985,14 +986,14 @@ static int dng_decode_tiles(AVCodecContext *avctx, 
AVFrame *frame,
 int has_width_leftover, has_height_leftover;
 int tile_x = 0, tile_y = 0;
 int pos_x = 0, pos_y = 0;
-int ret;
+int ret = ff_set_dimensions(s->avctx_mjpeg, s->tile_width, s->tile_length);
+
+if (ret < 0)
+return ret;
 
 s->jpgframe->width  = s->tile_width;
 s->jpgframe->height = s->tile_length;
 
-s->avctx_mjpeg->width = s->tile_width;
-s->avctx_mjpeg->height = s->tile_length;
-
 has_width_leftover = (s->width % s->tile_width != 0);
 has_height_leftover = (s->height % s->tile_length != 0);
 
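Review bot: dng_decode_tiles() now repeats the exact sequence added to dng_decode_strip() (call `ff_set_dimensions()` on `s->avctx_mjpeg`, return on error, then copy the same values into `s->jpgframe`), differing only in the width/height pair. A small static helper taking the two dimensions would keep the validated and the copied values from diverging if one site is edited later.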


[FFmpeg-cvslog] avcodec/tiff: Pass max_pixels to mjpeg context

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Fri Dec 17 20:43:15 2021 +0100| [24da8685f00fd8f0da646dd48d3e3103072e8f26] | 
committer: Michael Niedermayer

avcodec/tiff: Pass max_pixels to mjpeg context

Signed-off-by: Michael Niedermayer 
(cherry picked from commit d6c16f42ccebca917bb9861c619abcf71ab25762)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=24da8685f00fd8f0da646dd48d3e3103072e8f26
---

 libavcodec/tiff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index f8c68f1e7d..7d65da8e9a 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -2169,6 +2169,7 @@ static av_cold int tiff_init(AVCodecContext *avctx)
 s->avctx_mjpeg->flags2 = avctx->flags2;
 s->avctx_mjpeg->dct_algo = avctx->dct_algo;
 s->avctx_mjpeg->idct_algo = avctx->idct_algo;
+s->avctx_mjpeg->max_pixels = avctx->max_pixels;
 ret = avcodec_open2(s->avctx_mjpeg, codec, NULL);
 if (ret < 0) {
 return ret;
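
Review bot: the commit message is only the subject line, with no test case or rationale for the added `s->avctx_mjpeg->max_pixels = avctx->max_pixels;` in tiff_init(). Please state that the embedded MJPEG decoder otherwise does not inherit the caller's pixel limit, and consider whether other caller-set limits belong in this block next to `flags2`, `dct_algo` and `idct_algo`, since each field is copied by hand.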


[FFmpeg-cvslog] avcodec/vqavideo: reset accounting on error

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sun Dec 19 22:26:00 2021 +0100| [e2ae9adbe1c223232fded0e236c103bf26f289e7] | 
committer: Michael Niedermayer

avcodec/vqavideo: reset accounting on error

Fixes: Timeout (same growing chunk is decoded to failure repeatedly)
Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit d8ea7a67ba62f5d4520e75e56b9954d80e7ff223)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2ae9adbe1c223232fded0e236c103bf26f289e7
---

 libavcodec/vqavideo.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index f45390cfe5..d0e1927444 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -588,13 +588,14 @@ static int vqa_decode_chunk(VqaContext *s, AVFrame *frame)
 if (s->partial_countdown <= 0) {
 bytestream2_init(>gb, s->next_codebook_buffer, 
s->next_codebook_buffer_index);
 /* decompress codebook */
-if ((res = decode_format80(s, s->next_codebook_buffer_index,
-   s->codebook, s->codebook_size, 0)) < 0)
-return res;
+res = decode_format80(s, s->next_codebook_buffer_index,
+  s->codebook, s->codebook_size, 0);
 
 /* reset accounting */
 s->next_codebook_buffer_index = 0;
 s->partial_countdown = s->partial_count;
+if (res < 0)
+return res;
 }
 }
 
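Review bot: the existing `/* reset accounting */` comment in vqa_decode_chunk() no longer tells the reader that the reset must happen before the `if (res < 0)` return, which is the point of the fix. Extending it, for example to say the reset is done on failure too so the same codebook chunk is not decoded again, would protect the ordering from a later tidy-up that folds the check back into the `decode_format80()` call.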


[FFmpeg-cvslog] avformat/4xm: Check for duplicate track ids

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Dec  7 09:14:09 2021 +0100| [59287d3880966cc70d6080a28649c66025987bc8] | 
committer: Michael Niedermayer

avformat/4xm: Check for duplicate track ids

Signed-off-by: Michael Niedermayer 
(cherry picked from commit dd949124793c722ed55dead9da245574ace81968)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=59287d3880966cc70d6080a28649c66025987bc8
---

 libavformat/4xm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 9dc4f05d3b..cfee8a02f4 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -149,6 +149,9 @@ static int parse_strk(AVFormatContext *s,
 memset(>tracks[fourxm->track_count], 0,
sizeof(AudioTrack) * (track + 1 - fourxm->track_count));
 fourxm->track_count = track + 1;
+} else {
+if (fourxm->tracks[track].bits)
+return AVERROR_INVALIDDATA;
 }
 fourxm->tracks[track].adpcm   = AV_RL32(buf + 12);
 fourxm->tracks[track].channels= AV_RL32(buf + 36);
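
Review bot: the new `else` branch in parse_strk() uses `fourxm->tracks[track].bits` as the marker for an already-parsed track, which only works if a valid track can never have `bits == 0`; the assignments after the check do not show that being enforced. Either reject a zero `bits` value when the track is filled in or document the sentinel next to the memset that establishes it, and `else if (fourxm->tracks[track].bits)` would avoid the extra nesting.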


[FFmpeg-cvslog] avcodec/alacdsp: fix integer overflow in decorrelate_stereo()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Thu Jul 23 23:34:15 2020 +0200| [02b0143522936b4ee53aa132b5dec35c27bd46ea] | 
committer: Michael Niedermayer

avcodec/alacdsp: fix integer overflow in decorrelate_stereo()

Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int'
Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336
Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 68457c1e85122ffcadb0c909070dd210095fd2cd)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02b0143522936b4ee53aa132b5dec35c27bd46ea
---

 libavcodec/alacdsp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/alacdsp.c b/libavcodec/alacdsp.c
index 9996eb4319..8718d1b6b1 100644
--- a/libavcodec/alacdsp.c
+++ b/libavcodec/alacdsp.c
@@ -34,7 +34,7 @@ static void decorrelate_stereo(int32_t *buffer[2], int 
nb_samples,
 a = buffer[0][i];
 b = buffer[1][i];
 
-a -= (b * decorr_left_weight) >> decorr_shift;
+a -= (int)(b * (unsigned)decorr_left_weight) >> decorr_shift;
 b += a;
 
 buffer[0][i] = b;
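
Review bot: on the changed line of decorrelate_stereo() the `(int)` cast binds tighter than `>>`, so the shift is applied to the converted int, which is what is wanted but is easy to misread as a cast of the shifted value. An extra pair of parentheses around `(int)(b * (unsigned)decorr_left_weight)` would make the order explicit.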


[FFmpeg-cvslog] avformat/4xm: Consider max_streams on reallocating tracks array

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Tue Dec  7 09:14:08 2021 +0100| [8f83d2a94a8113ca61633b3cf7bf04cdeb0466dd] | 
committer: Michael Niedermayer

avformat/4xm: Consider max_streams on reallocating tracks array

Fixes: OOM
Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 0dcd95ef8a2e16ed930296567ab1044e33602a34)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8f83d2a94a8113ca61633b3cf7bf04cdeb0466dd
---

 libavformat/4xm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 30f1b05324..9dc4f05d3b 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -137,7 +137,8 @@ static int parse_strk(AVFormatContext *s,
 return AVERROR_INVALIDDATA;
 
 track = AV_RL32(buf + 8);
-if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1) {
+if ((unsigned)track >= UINT_MAX / sizeof(AudioTrack) - 1 ||
+track >= s->max_streams) {
 av_log(s, AV_LOG_ERROR, "current_track too large\n");
 return AVERROR_INVALIDDATA;
 }
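
Review bot: the added `track >= s->max_streams` clause in parse_strk() shares the "current_track too large" message with the existing size check, so a file rejected by the stream limit looks the same in the log as one rejected for arithmetic reasons. Logging the offending `track` value together with the limit would make the two cases distinguishable when triaging rejected files.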


[FFmpeg-cvslog] avformat/mov: Check next offset in mov_read_dref()

2022-04-06 Thread Michael Niedermayer
ffmpeg | branch: release/4.4 | Michael Niedermayer  | 
Sat Dec  4 20:48:54 2021 +0100| [223b5abcb14dd4158890914603dc5619baa198f4] | 
committer: Michael Niedermayer

avformat/mov: Check next offset in mov_read_dref()

Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer 
(cherry picked from commit 562021e2fd4d74589905d9c566c686394d2b0526)
Signed-off-by: Michael Niedermayer 

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=223b5abcb14dd4158890914603dc5619baa198f4
---

 libavformat/mov.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 8b002d64cb..47160fd551 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -607,11 +607,13 @@ static int mov_read_dref(MOVContext *c, AVIOContext *pb, 
MOVAtom atom)
 for (i = 0; i < entries; i++) {
 MOVDref *dref = >drefs[i];
 uint32_t size = avio_rb32(pb);
-int64_t next = avio_tell(pb) + size - 4;
+int64_t next = avio_tell(pb);
 
-if (size < 12)
+if (size < 12 || next < 0 || next > INT64_MAX - size)
 return AVERROR_INVALIDDATA;
 
+next += size - 4;
+
 dref->type = avio_rl32(pb);
 avio_rb32(pb); // version + flags
 
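Review bot: in mov_read_dref() the new `next < 0` test folds a failing `avio_tell(pb)` into `AVERROR_INVALIDDATA`, which hides the actual I/O error code from the caller. Consider returning `next` itself when it is negative and keeping `AVERROR_INVALIDDATA` for the `size < 12` and `next > INT64_MAX - size` cases. The later `next += size - 4;` is safe only because the `size < 12` check comes first, which deserves a short comment.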
