[FFmpeg-cvslog] avformat/utils: fix mixed declarations and code
ffmpeg | branch: release/3.3 | James Almer| Fri Nov 24 17:46:16 2017 -0300| [3e3704da0c71d5254b986300f610b0f0217f2023] | committer: Michael Niedermayer avformat/utils: fix mixed declarations and code Signed-off-by: James Almer (cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6) > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3e3704da0c71d5254b986300f610b0f0217f2023 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2053c3f755..0749151ee3 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -1732,10 +1732,10 @@ int av_read_frame(AVFormatContext *s, AVPacket *pkt) if (next_pkt->dts != AV_NOPTS_VALUE) { int wrap_bits = s->streams[next_pkt->stream_index]->pts_wrap_bits; -av_assert2(wrap_bits <= 64); // last dts seen for this stream. if any of packets following // current one had no dts, we will set this to AV_NOPTS_VALUE. int64_t last_dts = next_pkt->dts; +av_assert2(wrap_bits <= 64); while (pktl && next_pkt->pts == AV_NOPTS_VALUE) { if (pktl->pkt.stream_index == next_pkt->stream_index && av_compare_mod(next_pkt->dts, pktl->pkt.dts, 2ULL << (wrap_bits - 1)) < 0) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
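Review bot: in the av_read_frame() hunk, the relocated `av_assert2(wrap_bits <= 64)` bounds `wrap_bits` only from above, while the context line below shifts by `wrap_bits - 1` in `2ULL << (wrap_bits - 1)`. A `pts_wrap_bits` of 0 would give a negative shift count, which is undefined behaviour. av_assert2() is also compiled out at the default assert level, so if `pts_wrap_bits` can be influenced by a demuxer, a real range check on both ends before the loop would be safer than the assert.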
[FFmpeg-cvslog] Update for 3.3.7
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Apr 13 01:22:06 2018 +0200| [7af6fba1455afb19e12b19119665b97f4fd032dd] | committer: Michael Niedermayer Update for 3.3.7 Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7af6fba1455afb19e12b19119665b97f4fd032dd --- Changelog| 103 +++ RELEASE | 2 +- doc/Doxyfile | 2 +- 3 files changed, 105 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index cd95ddab50..24337668ed 100644 --- a/Changelog +++ b/Changelog 
@@ -1,6 +1,109 @@ Entries are sorted chronologically from oldest to youngest within each release, releases are sorted from youngest to oldest. +version 3.3.7: +- avformat/utils: fix mixed declarations and code +- avcodec/mjpegdec: Check input buffer size. +- avcodec/h264_slice: Fix integer overflow with last_poc +- avformat/mov: Fix extradata memleak +- lavc/libopusdec: Allow avcodec_open2 to call .close +- avcodec/movtextdec: Check style_start/end +- avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() +- libavcodec/rv34: error out earlier on missing references +- swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. +- avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() +- avcodec/cscd: Error out when LZ* decompression fails +- avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() +- avfilter/vf_signature: use av_strlcpy() +- avcodec/utvideodec: Set pro flag based on fourcc +- avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() +- avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables +- avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() +- avcodec/get_bits: Make sure the input bitstream with padding can be addressed +- avformat/mov: Check STSC and remove invalid entries +- avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it +- avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg +- avcodec/wmalosslessdec: Reset num_saved_bits on error path +- avformat/mov: Fix integer overflows related to sample_duration +- avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE +- avformat/oggparseogm: Check lb against psize +- avformat/oggparseogm: Fix undefined shift in ogm_packet() +- avformat/avidec: Fix integer overflow in cum_len check +- avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE +- avformat/utils: Fix integer overflow of 
fps_first/last_dts +- avformat/oggdec: Fix metadata memleak on multiple headers +- libavformat/oggparsevorbis: Fix memleak on multiple headers +- avcodec/truemotion2rt: Check input buffer size +- avcodec/g2meet: Check tile dimensions with av_image_check_size2() +- avcodec/exr: fix invalid shift in unpack_14() +- avcodec/bintext: sanity check dimensions +- avcodec/utvideodec: Check subsample factors +- avcodec/smc: Check input packet size +- avcodec/cavsdec: Check alpha/beta offset +- avcodec/diracdec: Fix integer overflow in mv computation +- avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() +- avcodec/aacdec_templat: Fix integer overflow in apply_ltp() +- avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() +- avcodec/diracdec: Use int64 in global mv to prevent overflow +- avcodec/dxtory: Remove code that corrupts dimensions +- avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() +- avcodec/hevcdec: Check luma/chroma_log2_weight_denom +- avcodec/jpeg2000dec: Use av_image_check_size2() +- avcodec/vp8: Check for bitstream end before vp7_fade_frame() +- avcodec/exr: Check remaining bits in last get code loop +- avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() +- avcodec/h264_cabac: Tighten allowed coeff_abs range +- avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() +- avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() +- avcodec/mpeg4videodec: Ignore multiple VOL headers +- avcodec/vp3: Check eob_run +- avcodec/pafvideo: Check allocated frame size +- avcodec/scpr: Fix reading a pixel before the first +- avcodec/mpeg2dec: Fix field selection for skipped macroblocks +- avcodec/huffyuvdec: Check input buffer size +- avcodec/utvideodec: Fix bytes left check in decode_frame() +- avcodec/wavpack: Fix integer overflow in FFABS +- avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() +- avcodec/exr: Fix memleaks in decode_header() +- 
avcodec/dirac_dwt: Fix several integer overflows +- avcodec/indeo5: Do not leave frame_type set to an invalid value +- avcodec/hevc_ps: Check log2_sao_offset_scale_* +- avcodec/hevc_ps: extract SPS fields required for hvcC construction +- avcodec/mpeg4videodec: Avoid possibly aliasing violating casts +- avcodec/get_bits: Document the return
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Apr 7 21:55:06 2018 +0200| [0e5946d5b247d0f9d59096629ccae3bf01b9d40d] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1 Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e5946d5b247d0f9d59096629ccae3bf01b9d40d --- libavcodec/aacsbr_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 0622d2ff7c..a25605800f 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -571,7 +571,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], int idx = indexsine&1; int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; -int *out = [i][kx][idx]; +unsigned *out = [i][kx][idx]; int shift; unsigned round; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
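Review bot: in sbr_hf_assemble(), the new `unsigned *out` declaration carries no comment saying that the unsigned type is there to make the accumulation wrap instead of overflowing, and it now differs in signedness from the `int Y1[38][64][2]` parameter shown in the hunk header. A one-line comment at the declaration would stop a later cleanup from "correcting" the type back to `int *` and reintroducing the overflow the commit message quotes.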
[FFmpeg-cvslog] avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Mar 29 01:07:24 2018 +0200| [769cb8973817674c65542efed68aadacb867828b] | committer: Michael Niedermayer avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables Found-by: James Almer Signed-off-by: Michael Niedermayer (cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=769cb8973817674c65542efed68aadacb867828b --- libavcodec/tableprint_vlc.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/tableprint_vlc.h b/libavcodec/tableprint_vlc.h index 675251a836..3004be3f9c 100644 --- a/libavcodec/tableprint_vlc.h +++ b/libavcodec/tableprint_vlc.h @@ -35,6 +35,7 @@ #define av_freep(p) while(0) #define AVCODEC_AVCODEC_H #define AVCODEC_INTERNAL_H +#define AV_INPUT_BUFFER_PADDING_SIZE 64 // the value does not matter for this #include "tableprint.h" #include "get_bits.h" #include "mathtables.c" ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
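Review bot: the added `#define AV_INPUT_BUFFER_PADDING_SIZE 64` in tableprint_vlc.h duplicates a constant that the blocked header (`#define AVCODEC_AVCODEC_H` two lines up) would normally provide, and the comment says the value does not matter without saying why. Wrapping it in `#ifndef AV_INPUT_BUFFER_PADDING_SIZE` and extending the comment to say it exists only so that get_bits.h compiles in the table generator would avoid a redefinition conflict if the include set changes later.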
[FFmpeg-cvslog] avcodec/h264_slice: Fix integer overflow with last_poc
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Apr 7 00:34:25 2018 +0200| [41458534aa8890810b678bcdb4c1c04f38b72231] | committer: Michael Niedermayer avcodec/h264_slice: Fix integer overflow with last_poc Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int' Fixes: crbug 823145 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 8c02cd8ca097871dcd00cf8e08ce51660873f405) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=41458534aa8890810b678bcdb4c1c04f38b72231 --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index d83ba000ce..4d24ac6d66 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1297,7 +1297,7 @@ static int h264_select_output_frame(H264Context *h) } out_of_order = MAX_DELAYED_PIC_COUNT - i; if( cur->f->pict_type == AV_PICTURE_TYPE_B - || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) + || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - (int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) out_of_order = FFMAX(out_of_order, 1); if (out_of_order == MAX_DELAYED_PIC_COUNT) { av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, h->last_pocs[0]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
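Review bot: in h264_select_output_frame(), the `(int64_t)` cast is attached only to the subtrahend `h->last_pocs[MAX_DELAYED_PIC_COUNT-2]`, so the widening of the whole subtraction depends on the usual arithmetic conversions and is easy to lose in a later edit. The condition is already long; pulling the two `last_pocs` values into locals and computing the difference once as an `int64_t` would make the intent explicit and keep the `> INT_MIN` sentinel test readable.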
[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Apr 10 16:12:15 2018 +0200| [6de499caed33f26cfce32f0ddd74b2a518f60402] | committer: Michael Niedermayer avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6de499caed33f26cfce32f0ddd74b2a518f60402 --- libavcodec/mjpegdec.c | 4 libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 31c8fb422d..ab326b8e9a 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -309,6 +309,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx)) return AVERROR_INVALIDDATA; +if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) +return AVERROR_INVALIDDATA; nb_components = get_bits(>gb, 8); if (nb_components <= 0 || @@ -2091,6 +2093,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; +s->buf_size = buf_size; + av_dict_free(>exif_metadata); av_freep(>stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index 024cedcb5a..0fa5a748a1 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -45,6 +45,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; +int buf_size; int start_code; /* current start code */ int buffer_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
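Review bot: in the ff_mjpeg_decode_sof() hunk, the new rejection `(width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL` uses an unexplained factor of 4 and returns AVERROR_INVALIDDATA without any av_log(), unlike the neighbouring paths. A comment stating the assumed minimum bytes per 8x8 block and an error message naming the dimensions and buffer size would make the heuristic reviewable and the rejection diagnosable. The check also depends on `s->buf_size` having been set by ff_mjpeg_decode_frame() for the current packet; since the function carries an ff_ prefix, it is worth confirming no other caller reaches it with a stale value.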
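Review bot: in the mjpegdec.h hunk, the new field `int buf_size;` lands two lines above the existing `int buffer_size;` with no comment on either. The names are close enough to be confused; a short comment on the new field (size of the packet currently being decoded) or a more distinctive name would help.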
[FFmpeg-cvslog] avformat/mov: Fix extradata memleak
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Apr 6 23:56:57 2018 +0200| [9b56e65e8c124cb2972295f8d80519c8409ab190] | committer: Michael Niedermayer avformat/mov: Fix extradata memleak Fixes: crbug 822705 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 0a8133119ca5d087c7c7140d100406ff84c477ee) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b56e65e8c124cb2972295f8d80519c8409ab190 --- libavformat/mov.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index b60f8f0eac..921db588ef 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2391,6 +2391,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) return mov_finalize_stsd_codec(c, pb, st, sc); fail: +if (sc->extradata) { +int j; +for (j = 0; j < sc->stsd_count; j++) +av_freep(>extradata[j]); +} + av_freep(>extradata); av_freep(>extradata_size); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
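Review bot: in the `fail:` path of mov_read_stsd(), the new loop frees `sc->extradata[j]` for `j < sc->stsd_count` and the following lines free the arrays themselves, but `sc->stsd_count` is left at its old value. Any later code that iterates up to `stsd_count` would then index freed arrays, so the cleanup should also reset `sc->stsd_count = 0`. The loop additionally assumes every slot up to `stsd_count` is either a valid pointer or NULL, which holds only if the array was zero-initialised when allocated.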
[FFmpeg-cvslog] avcodec/cscd: Error out when LZ* decompression fails
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Mar 12 00:05:04 2018 +0100| [1d3c141af4f0fa693cf86d0d7a70265beace4cb5] | committer: Michael Niedermayer avcodec/cscd: Error out when LZ* decompression fails Fixes: Timeout Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1d3c141af4f0fa693cf86d0d7a70265beace4cb5 --- libavcodec/cscd.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c index 9e1dec9d96..35c4ee08c3 100644 --- a/libavcodec/cscd.c +++ b/libavcodec/cscd.c @@ -81,15 +81,19 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, switch ((buf[0] >> 1) & 7) { case 0: { // lzo compression int outlen = c->decomp_size, inlen = buf_size - 2; -if (av_lzo1x_decode(c->decomp_buf, , [2], )) +if (av_lzo1x_decode(c->decomp_buf, , [2], )) { av_log(avctx, AV_LOG_ERROR, "error during lzo decompression\n"); +return AVERROR_INVALIDDATA; +} break; } case 1: { // zlib compression #if CONFIG_ZLIB unsigned long dlen = c->decomp_size; -if (uncompress(c->decomp_buf, , [2], buf_size - 2) != Z_OK) +if (uncompress(c->decomp_buf, , [2], buf_size - 2) != Z_OK) { av_log(avctx, AV_LOG_ERROR, "error during zlib decompression\n"); +return AVERROR_INVALIDDATA; +} break; #else av_log(avctx, AV_LOG_ERROR, "compiled without zlib support\n"); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
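Review bot: in decode_frame(), both new error returns act only on the decompressor's return code; neither branch inspects `outlen` or `dlen` after the call. A stream that decompresses cleanly to fewer bytes than `c->decomp_size` still reaches `break`, and the rest of the function then works on whatever the tail of `c->decomp_buf` held from an earlier frame. Comparing the produced length against `c->decomp_size` in the same `if` would close that case.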
[FFmpeg-cvslog] avcodec/utvideodec: Set pro flag based on fourcc
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Mar 31 03:10:43 2018 +0200| [15d4dc0da1e9f2450b5f9e748e1704fc0e6ef3a4] | committer: Michael Niedermayer avcodec/utvideodec: Set pro flag based on fourcc This avoids mixing 8bit variants with pro and 10bit with non pro mode. Fixes: out of array read Fixes: poc_03_30.avi Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 47b7c68ae54560e2308bdb6be4fb076c73b93081) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=15d4dc0da1e9f2450b5f9e748e1704fc0e6ef3a4 --- libavcodec/utvideodec.c | 64 + 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 2cf9ce2855..50dede6de3 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c 
@@ -832,37 +832,6 @@ static av_cold int decode_init(AVCodecContext *avctx) ff_bswapdsp_init(>bdsp); ff_llviddsp_init(>llviddsp); -if (avctx->extradata_size >= 16) { -av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); -av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); -c->frame_info_size = AV_RL32(avctx->extradata + 8); -c->flags = AV_RL32(avctx->extradata + 12); - -if (c->frame_info_size != 4) -avpriv_request_sample(avctx, "Frame info not 4 bytes"); -av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); -c->slices = (c->flags >> 24) + 1; -c->compression = c->flags & 1; -c->interlaced = c->flags & 0x800; -} else if (avctx->extradata_size == 8) { -av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", - avctx->extradata[3], avctx->extradata[2], - avctx->extradata[1], avctx->extradata[0]); -av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", - AV_RB32(avctx->extradata + 4)); -c->interlaced = 0; -c->pro = 1; -c->frame_info_size = 4; -} else { -av_log(avctx, AV_LOG_ERROR, - "Insufficient extradata size %d, should be at least 16\n", - avctx->extradata_size); -return AVERROR_INVALIDDATA; -} - c->slice_bits_size = 0; switch (avctx->codec_tag) { @@ -891,14 +860,17 @@ static av_cold int decode_init(AVCodecContext *avctx) break; case MKTAG('U', 'Q', 'Y', '2'): c->planes = 3; +c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_YUV422P10; break; case MKTAG('U', 'Q', 'R', 'G'): c->planes = 3; +c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRP10; break; case MKTAG('U', 'Q', 'R', 'A'): c->planes = 4; +c->pro = 1; avctx->pix_fmt = AV_PIX_FMT_GBRAP10; break; case MKTAG('U', 'L', 'H', '0'): 
@@ -929,6 +901,36 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_PATCHWELCOME; } +if (!c->pro && avctx->extradata_size >= 16) { +av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); +av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); +c->frame_info_size = AV_RL32(avctx->extradata + 8); +c->flags = AV_RL32(avctx->extradata + 12); + +if (c->frame_info_size != 4) +avpriv_request_sample(avctx, "Frame info not 4 bytes"); +av_log(avctx, AV_LOG_DEBUG, "Encoding parameters %08"PRIX32"\n", c->flags); +c->slices = (c->flags >> 24) + 1; +c->compression = c->flags & 1; +c->interlaced = c->flags & 0x800; +} else if (c->pro && avctx->extradata_size == 8) { +av_log(avctx, AV_LOG_DEBUG, "Encoder version %d.%d.%d.%d\n", + avctx->extradata[3], avctx->extradata[2], + avctx->extradata[1], avctx->extradata[0]); +av_log(avctx, AV_LOG_DEBUG, "Original format %"PRIX32"\n", + AV_RB32(avctx->extradata + 4)); +c->interlaced = 0; +c->frame_info_size = 4; +} else { +av_log(avctx, AV_LOG_ERROR, + "Insufficient extradata size %d, should be at least 16\n", + avctx->extradata_size); +return AVERROR_INVALIDDATA; +} + return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org
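Review bot: in the re-added extradata block at the end of decode_init(), the final `else` now also catches a fourcc/extradata mismatch (a pro fourcc with `extradata_size` other than 8, or a non-pro fourcc with fewer than 16 bytes), yet it still logs "Insufficient extradata size %d, should be at least 16". For a pro stream that message is wrong. The log text should state the size expected for the detected mode, for example by including `c->pro` in the message.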
[FFmpeg-cvslog] avformat/oggdec: Fix metadata memleak on multiple headers
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Mar 6 18:14:12 2018 +0100| [fef832c188c07245c7b9a44432a89f49a4c0d2ff] | committer: Michael Niedermayer avformat/oggdec: Fix metadata memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit da069e9c68ec1a54e618940dcb9ebae9bf179a32) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fef832c188c07245c7b9a44432a89f49a4c0d2ff --- libavformat/oggdec.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 193a286e43..6a05278b52 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c @@ -128,7 +128,10 @@ static int ogg_restore(AVFormatContext *s) ogg->state = ost->next; for (i = 0; i < ogg->nstreams; i++) { -av_freep(>streams[i].buf); +struct ogg_stream *stream = >streams[i]; +av_freep(>buf); +av_freep(>new_metadata); + if (i >= ost->nstreams || !ost->streams[i].private) { free_stream(s, i); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
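Review bot: in the ogg_restore() loop, `av_freep()` on the stream's `new_metadata` clears the pointer, but the hunk resets nothing else. If the stream keeps a length next to that buffer, it should be zeroed on the same line, otherwise a non-zero size paired with a NULL pointer is left for the next reader of the field.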
[FFmpeg-cvslog] avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Mar 31 21:19:19 2018 +0200| [ae2c159b87f2ee5c12c9403deadf3ccdeb2503c4] | committer: Michael Niedermayer avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed() I was not able to reproduce this, this fix is based on just the fuzzer log. Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ae2c159b87f2ee5c12c9403deadf3ccdeb2503c4 --- libavcodec/aacdec_fixed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index 6ba0e63325..b19a622403 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -417,7 +417,7 @@ static void apply_independent_coupling_fixed(AACContext *ac, int i, c, shift, round, tmp; const int gain = cce->coup.gain[index][0]; const int *src = cce->ch[0].ret; -int *dest = target->ret; +unsigned int *dest = target->ret; const int len = 1024 << (ac->oc[1].m4ac.sbr == 1); c = cce_scale_fixed[gain & 7]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
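Review bot: in apply_independent_coupling_fixed(), `unsigned int *dest` now sits directly under `const int *src` with no comment explaining the difference in signedness. Since the commit message says the overflow could not be reproduced and the change is based on the fuzzer log alone, a comment at the declaration plus a run of the referenced testcase under UBSan would confirm that this pointer is the one involved in the reported overflow.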
[FFmpeg-cvslog] avfilter/vf_signature: use av_strlcpy()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Mar 30 02:16:31 2018 +0200| [49336482fd04541623e9418264644dd80640dbfe] | committer: Michael Niedermayer avfilter/vf_signature: use av_strlcpy() Fixes: out of array access Found-by: Kira Signed-off-by: Michael Niedermayer (cherry picked from commit 35eeff30caf34df835206f1c12bcf4b7c2bd6758) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=49336482fd04541623e9418264644dd80640dbfe --- libavfilter/vf_signature.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_signature.c b/libavfilter/vf_signature.c index 06b1b910d4..3b117e7735 100644 --- a/libavfilter/vf_signature.c +++ b/libavfilter/vf_signature.c @@ -573,7 +573,8 @@ static int export(AVFilterContext *ctx, StreamContext *sc, int input) /* error already handled */ av_assert0(av_get_frame_filename(filename, sizeof(filename), sic->filename, input) == 0); } else { -strcpy(filename, sic->filename); +if (av_strlcpy(filename, sic->filename, sizeof(filename)) >= sizeof(filename)) +return AVERROR(EINVAL); } if (sic->format == FORMAT_XML) { return xml_export(ctx, sc, filename); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
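Review bot: in export(), the new truncation check `av_strlcpy(filename, sic->filename, sizeof(filename)) >= sizeof(filename)` returns AVERROR(EINVAL) without logging anything, so a user with an over-long filename option gets a bare failure. An av_log() at AV_LOG_ERROR naming the limit would match how the sibling branch documents its own error handling ("error already handled").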
[FFmpeg-cvslog] avformat/mov: Fix integer overflows related to sample_duration
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Mar 9 16:43:29 2018 +0100| [edfe9ae63b191ea435f23628904094fdba3f1364] | committer: Michael Niedermayer avformat/mov: Fix integer overflows related to sample_duration Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type Fixes: Chromium bug 791349 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=edfe9ae63b191ea435f23628904094fdba3f1364 --- libavformat/mov.c | 20 +++- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index f2eb22eb3d..5381dbb704 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2672,14 +2672,19 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom) && total_sample_count > 100 && sample_duration/10 > duration / total_sample_count) sample_duration = duration / total_sample_count; -duration+=(int64_t)sample_duration*sample_count; +duration+=(int64_t)sample_duration*(uint64_t)sample_count; total_sample_count+=sample_count; } sc->stts_count = i; -sc->duration_for_fps += duration; -sc->nb_frames_for_fps += total_sample_count; +if (duration > 0 && +duration <= INT64_MAX - sc->duration_for_fps && +total_sample_count <= INT64_MAX - sc->nb_frames_for_fps +) { +sc->duration_for_fps += duration; +sc->nb_frames_for_fps += total_sample_count; +} if (pb->eof_reached) return AVERROR_EOF; 
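Review bot: in mov_read_stts(), `(int64_t)sample_duration*(uint64_t)sample_count` is evaluated as uint64_t, so it wraps modulo 2^64 rather than overflowing, and the wrapped running `duration` can still come out positive and pass `duration > 0 && duration <= INT64_MAX - sc->duration_for_fps`. The guard therefore prevents the undefined addition but not accumulation of a meaningless value; checking the multiplication itself and dropping the fps update once it wraps would be stricter. The `INT64_MAX - sc->duration_for_fps` term also assumes the stored total is never negative, which deserves a comment or an explicit test.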
@@ -4340,8 +4345,13 @@ static int mov_read_trun(MOVContext *c, AVIOContext *pb, MOVAtom atom) dts += sample_duration; offset += sample_size; sc->data_size += sample_size; -sc->duration_for_fps += sample_duration; -sc->nb_frames_for_fps ++; + +if (sample_duration <= INT64_MAX - sc->duration_for_fps && +1 <= INT64_MAX - sc->nb_frames_for_fps +) { +sc->duration_for_fps += sample_duration; +sc->nb_frames_for_fps ++; +} } if (pb->eof_reached) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
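Review bot: in the mov_read_trun() loop, only the two `*_for_fps` accumulators get an overflow guard, while `dts += sample_duration;`, `offset += sample_size;` and `sc->data_size += sample_size;` in the context lines directly above are driven by the same file-supplied values and remain unchecked. If these can be signed, the same class of report will come back for them; either guard them here as well or note why they cannot overflow.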
[FFmpeg-cvslog] libavformat/oggparsevorbis: Fix memleak on multiple headers
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Mar 6 18:14:12 2018 +0100| [6daa205cd3fe32dcf6eb61c8949fab33a3501498] | committer: Michael Niedermayer libavformat/oggparsevorbis: Fix memleak on multiple headers Fixes: Chromium bug 800123 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6daa205cd3fe32dcf6eb61c8949fab33a3501498 --- libavformat/oggparsevorbis.c | 4 1 file changed, 4 insertions(+) diff --git a/libavformat/oggparsevorbis.c b/libavformat/oggparsevorbis.c index 65b1998a02..572e5169ca 100644 --- a/libavformat/oggparsevorbis.c +++ b/libavformat/oggparsevorbis.c @@ -230,6 +230,10 @@ static int fixup_vorbis_headers(AVFormatContext *as, len = priv->len[0] + priv->len[1] + priv->len[2]; buf_len = len + len / 255 + 64; + +if (*buf) +return AVERROR_INVALIDDATA; + ptr = *buf = av_realloc(NULL, buf_len); if (!ptr) return AVERROR(ENOMEM); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
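Review bot: in fixup_vorbis_headers(), the new `if (*buf) return AVERROR_INVALIDDATA;` is placed after `len` and `buf_len` have been computed and has no comment or log line. Moving it to the top of the function with a comment that it rejects a second set of headers (the case that leaked the previous buffer) would make the intent clear, and an av_log() would help when a file is refused for this reason.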
[FFmpeg-cvslog] avcodec/wmalosslessdec: Reset num_saved_bits on error path
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Mar 11 00:13:57 2018 +0100| [02bf1c617cdd34a80a290963c23f92a7e01630dc] | committer: Michael Niedermayer avcodec/wmalosslessdec: Reset num_saved_bits on error path Fixes: NULL pointer dereference Fixes: poc-201803.wav Found-by: GwanYeong Kim Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=02bf1c617cdd34a80a290963c23f92a7e01630dc --- libavcodec/wmalosslessdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 133a3e92d1..59e8929586 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1148,6 +1148,7 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len, if (len <= 0 || buflen > s->max_frame_size) { avpriv_request_sample(s->avctx, "Too small input buffer"); s->packet_loss = 1; +s->num_saved_bits = 0; return; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
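Review bot: in save_bits(), the added `s->num_saved_bits = 0;` fixes the state on the error path, but the function is `static void`, so callers learn about the failure only through `s->packet_loss`. The fix holds only if every caller tests that flag before touching the saved-bits buffer; returning an error code from save_bits(), or documenting that contract at the function, would make this less fragile.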
[FFmpeg-cvslog] avformat/oggparseogm: Check lb against psize
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Mar 9 01:05:20 2018 +0100| [e61cdbe27167434b87ff814769b54178c5a3d2a6] | committer: Michael Niedermayer avformat/oggparseogm: Check lb against psize No testcase, this was found during code review Found-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e61cdbe27167434b87ff814769b54178c5a3d2a6 --- libavformat/oggparseogm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index 4d09d174b8..03499486f7 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -177,6 +177,9 @@ ogm_packet(AVFormatContext *s, int idx) os->pflags |= AV_PKT_FLAG_KEY; lb = ((*p & 2) << 1) | ((*p >> 6) & 3); +if (os->psize < lb + 1) +return AVERROR_INVALIDDATA; + os->pstart += lb + 1; os->psize -= lb + 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
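Review bot: in ogm_packet(), the new `if (os->psize < lb + 1)` check runs after `lb` has been computed from `*p` in the context line above, so it does not cover the read of `*p` itself. If nothing earlier in the function rejects an empty packet, a `psize` of 0 still dereferences `p` before this check is reached; confirm that an earlier test exists or add `os->psize < 1` ahead of the `lb` computation.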
[FFmpeg-cvslog] avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
ffmpeg | branch: release/3.3 | heimdallr| Sat Mar 31 19:37:23 2018 +0700| [3f949b7a6461679204159eb7a9fbcd206484649b] | committer: Michael Niedermayer avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list() example: AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA }; int loss = 0; AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, ); best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better. Signed-off-by: Michael Niedermayer (cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3f949b7a6461679204159eb7a9fbcd206484649b --- libavcodec/imgconvert.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/libavcodec/imgconvert.c b/libavcodec/imgconvert.c index 1547f18966..7b0005b308 100644 --- a/libavcodec/imgconvert.c +++ b/libavcodec/imgconvert.c @@ -69,10 +69,14 @@ enum AVPixelFormat avcodec_find_best_pix_fmt_of_list(const enum AVPixelFormat *p int i; enum AVPixelFormat best = AV_PIX_FMT_NONE; +int loss; -for(i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) -best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, loss_ptr); +for (i=0; pix_fmt_list[i] != AV_PIX_FMT_NONE; i++) { +loss = *loss_ptr; +best = avcodec_find_best_pix_fmt_of_2(best, pix_fmt_list[i], src_pix_fmt, has_alpha, ); +} +*loss_ptr = loss; return best; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
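Review bot: in avcodec_find_best_pix_fmt_of_list(), the new local `int loss;` is assigned only inside the loop, so when `pix_fmt_list[0]` is already AV_PIX_FMT_NONE the loop body never runs and `*loss_ptr = loss;` stores an indeterminate value into the caller's variable. Initialising it from the caller's value at the declaration, or writing back only when at least one candidate was examined, fixes this. The function also dereferences `loss_ptr` unconditionally now, which should be stated in its documentation if NULL was previously tolerated.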
[FFmpeg-cvslog] avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 3 21:36:22 2018 +0100| [8a89cce372884c38c6f22eede59c43f486b83394] | committer: Michael Niedermayer avformat/mov: Move +1 in check to avoid hypothetical overflow in add_ctts_entry() Signed-off-by: Michael Niedermayer (cherry picked from commit eb60b9d342265fb1960be6fff6383cfdbf37) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a89cce372884c38c6f22eede59c43f486b83394 --- libavformat/mov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mov.c b/libavformat/mov.c index 6124b0b573..b60f8f0eac 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2970,7 +2970,7 @@ static int64_t add_ctts_entry(MOVStts** ctts_data, unsigned int* ctts_count, uns FFMAX(min_size_needed, 2 * (*allocated_size)) : min_size_needed; -if((unsigned)(*ctts_count) + 1 >= UINT_MAX / sizeof(MOVStts)) +if((unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1) return -1; ctts_buf_new = av_fast_realloc(*ctts_data, allocated_size, requested_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
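Review bot: in add_ctts_entry(), the rewritten bound `(unsigned)(*ctts_count) >= UINT_MAX / sizeof(MOVStts) - 1` still sits below the `requested_size` expression in the context lines, so `min_size_needed` and `2 * (*allocated_size)` are evaluated before the count has been validated. Moving the check to the top of the function would make the ordering obviously safe. The `(unsigned)` cast also looks redundant given the `unsigned int* ctts_count` parameter in the hunk header.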
[FFmpeg-cvslog] avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Mar 8 17:28:36 2018 +0100| [3a29fda42ab7da12102d8990859554abfe13996a] | committer: Michael Niedermayer avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE Fixes: potential signed integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3a29fda42ab7da12102d8990859554abfe13996a --- libavformat/oggparsedaala.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsedaala.c b/libavformat/oggparsedaala.c index a373b41b4c..e944470aca 100644 --- a/libavformat/oggparsedaala.c +++ b/libavformat/oggparsedaala.c @@ -218,6 +218,7 @@ static int daala_packet(AVFormatContext *s, int idx) int seg, duration = 1; struct ogg *ogg = s->priv_data; struct ogg_stream *os = ogg->streams + idx; +int64_t pts; /* * first packet handling: here we parse the duration of each packet in the @@ -230,7 +231,10 @@ static int daala_packet(AVFormatContext *s, int idx) if (os->segments[seg] < 255) duration++; -os->lastpts = os->lastdts = daala_gptopts(s, idx, os->granule, NULL) - duration; +pts = daala_gptopts(s, idx, os->granule, NULL); +if (pts != AV_NOPTS_VALUE) +pts -= duration; +os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration != AV_NOPTS_VALUE) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
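Review bot: the new guard `if (pts != AV_NOPTS_VALUE)` only excludes the exact sentinel, so `pts -= duration` can still overflow when `daala_gptopts()` returns a value that lies within `duration` of the minimum `int64_t`. If the granule conversion can produce such values from file data, compare against a bound that includes `duration` instead of testing for equality only. With this change `os->lastpts` and `os->lastdts` can also hold `AV_NOPTS_VALUE` at the `start_time` assignment that follows, which deserves a short comment.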
[FFmpeg-cvslog] lavc/libopusdec: Allow avcodec_open2 to call .close
ffmpeg | branch: release/3.3 | Matt Wolenetz| Tue Apr 10 13:59:25 2018 -0700| [9b1a4da668999c0bd4d78b370872b9448cf746c3] | committer: Michael Niedermayer lavc/libopusdec: Allow avcodec_open2 to call .close If there is a decoder initialization failure detected in avcodec_open2 after .init is called, allow graceful decoder .close to prevent leaking libopus decoder allocations. BUG=828526 Signed-off-by: Michael Niedermayer (cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9b1a4da668999c0bd4d78b370872b9448cf746c3 --- libavcodec/libopusdec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/libopusdec.c b/libavcodec/libopusdec.c index e6ca61a78f..806ca1863d 100644 --- a/libavcodec/libopusdec.c +++ b/libavcodec/libopusdec.c @@ -126,7 +126,10 @@ static av_cold int libopus_decode_close(AVCodecContext *avc) { struct libopus_context *opus = avc->priv_data; -opus_multistream_decoder_destroy(opus->dec); +if (opus->dec) { +opus_multistream_decoder_destroy(opus->dec); +opus->dec = NULL; +} return 0; } @@ -200,6 +203,7 @@ AVCodec ff_libopus_decoder = { .decode = libopus_decode, .flush = libopus_flush, .capabilities = AV_CODEC_CAP_DR1, +.caps_internal = FF_CODEC_CAP_INIT_CLEANUP, .sample_fmts= (const enum AVSampleFormat[]){ AV_SAMPLE_FMT_FLT, AV_SAMPLE_FMT_S16, AV_SAMPLE_FMT_NONE }, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
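Review bot: the `if (opus->dec)` guard in `libopus_decode_close()` is only sound if every error path in the init function leaves `opus->dec` either NULL or pointing at a live decoder, because `FF_CODEC_CAP_INIT_CLEANUP` now makes `.close` run after a failed `.init`. The init function is not part of this diff, so it should be checked for paths that destroy the decoder without clearing the pointer. A comment next to `.caps_internal` saying that close must tolerate a partially initialised context would document the contract.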
[FFmpeg-cvslog] libavcodec/rv34: error out earlier on missing references
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Apr 2 20:01:07 2018 +0200| [23f13130f12a269b9b721cf233c3343ffc2ed3bc] | committer: Michael Niedermayer libavcodec/rv34: error out earlier on missing references Fixes visual corruption on seeking Fixes: downloadTest_clip_24M.rmvb Signed-off-by: Michael Niedermayer (cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23f13130f12a269b9b721cf233c3343ffc2ed3bc --- libavcodec/rv34.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index d2d676a86d..d65ab41552 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1585,7 +1585,7 @@ int ff_rv34_decode_update_thread_context(AVCodecContext *dst, const AVCodecConte // Do no call ff_mpeg_update_thread_context on a partially initialized // decoder context. -if (!s1->linesize) +if (!s1->context_initialized) return 0; return ff_mpeg_update_thread_context(dst, src); @@ -1733,6 +1733,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if ((err = rv34_decoder_realloc(r)) < 0) return err; } +if (faulty_b) +return AVERROR_INVALIDDATA; s->pict_type = si.type ? si.type : AV_PICTURE_TYPE_I; if (ff_mpv_frame_start(s, s->avctx) < 0) return -1; @@ -1783,8 +1785,6 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, "multithreading mode (start MB is %d).\n", si.start); return AVERROR_INVALIDDATA; } -if (faulty_b) -return AVERROR_INVALIDDATA; for(i = 0; i < slice_count; i++){ int offset = get_slice_offset(avctx, slices_hdr, i , slice_count, buf_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
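Review bot: the `if (faulty_b) return AVERROR_INVALIDDATA;` check moves from just before the slice loop to just before `ff_mpv_frame_start()`, and the diff does not show whether the new position is reached on every path that used to reach the old one. If the new position sits inside a branch that only runs at the start of a frame, a packet that continues a frame with `faulty_b` set would now fall through to the slice loop; either keep a second check before the loop or add a comment explaining why that path cannot occur. The switch from `s1->linesize` to `s1->context_initialized` in the first hunk is unrelated to the commit subject and would be easier to track as its own change.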
[FFmpeg-cvslog] avcodec/movtextdec: Check style_start/end
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Apr 8 03:29:44 2018 +0200| [c9452899db109d0fe2238d9162a8fd1b315b78c4] | committer: Michael Niedermayer avcodec/movtextdec: Check style_start/end Limits based on 3GPP TS 26.245 V14.0.0 Fixes: Timeout Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Philip Langdale Signed-off-by: Michael Niedermayer (cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c9452899db109d0fe2238d9162a8fd1b315b78c4 --- libavcodec/movtextdec.c | 8 1 file changed, 8 insertions(+) diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c index fb5085c3e8..73e83f2f2c 100644 --- a/libavcodec/movtextdec.c +++ b/libavcodec/movtextdec.c @@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt) m->s_temp->style_start = AV_RB16(tsmb); tsmb += 2; m->s_temp->style_end = AV_RB16(tsmb); + +if ( m->s_temp->style_end < m->s_temp->style_start +|| (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) { +av_freep(>s_temp); +mov_text_cleanup(m); +return AVERROR(ENOMEM); +} + tsmb += 2; m->s_temp->style_fontID = AV_RB16(tsmb); tsmb += 2; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
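Review bot: the new range check in `decode_styl()` returns `AVERROR(ENOMEM)` although nothing failed to allocate; a `style_end` below `style_start`, or a `style_start` that overlaps the previous record, is malformed input and should return `AVERROR_INVALIDDATA` so callers and logs do not report an out-of-memory condition. The commit message cites 3GPP TS 26.245 for the limits; putting that reference in a comment above the condition would keep the rationale next to the code.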
[FFmpeg-cvslog] avformat/avidec: Fix integer overflow in cum_len check
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Mar 8 22:40:50 2018 +0100| [8cf7205a72f5a330781470a28485584f7d08054d] | committer: Michael Niedermayer avformat/avidec: Fix integer overflow in cum_len check Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long' Fixes: Chromium bug 791237 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8cf7205a72f5a330781470a28485584f7d08054d --- libavformat/avidec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/avidec.c b/libavformat/avidec.c index ed043470f0..64a129af82 100644 --- a/libavformat/avidec.c +++ b/libavformat/avidec.c @@ -670,7 +670,7 @@ FF_ENABLE_DEPRECATION_WARNINGS st->start_time = 0; avio_rl32(pb); /* buffer size */ avio_rl32(pb); /* quality */ -if (ast->cum_len*ast->scale/ast->rate > 3600) { +if (ast->cum_len > 3600LL * ast->rate / ast->scale) { av_log(s, AV_LOG_ERROR, "crazy start time, iam scared, giving up\n"); ast->cum_len = 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
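Review bot: the rewritten condition `ast->cum_len > 3600LL * ast->rate / ast->scale` now divides by `ast->scale`, where the old expression divided by `ast->rate`, so a zero `scale` becomes the division-by-zero case. The hunk does not show either field being validated, so confirm that `scale` is guaranteed non-zero at this point or add the check here. The integer division also truncates differently from the old form, which slightly shifts the threshold; that is harmless for a sanity limit but worth a word in the commit message.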
[FFmpeg-cvslog] avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Mar 25 01:51:28 2018 +0100| [d79b274acc3a608358c0cd1ffe8ebd92bf108480] | committer: Michael Niedermayer avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame() Fixes: 2018_03_23_poc.wav Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d79b274acc3a608358c0cd1ffe8ebd92bf108480 --- libavcodec/wmalosslessdec.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c index 59e8929586..eb1db615ae 100644 --- a/libavcodec/wmalosslessdec.c +++ b/libavcodec/wmalosslessdec.c @@ -1256,7 +1256,9 @@ static int decode_packet(AVCodecContext *avctx, void *data, int *got_frame_ptr, (frame_size = show_bits(gb, s->log2_frame_size)) && frame_size <= remaining_bits(s, gb)) { save_bits(s, gb, frame_size, 0); -s->packet_done = !decode_frame(s); + +if (!s->packet_loss) +s->packet_done = !decode_frame(s); } else if (!s->len_prefix && s->num_saved_bits > get_bits_count(>gb)) { /* when the frames do not have a length prefix, we don't know the ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
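Review bot: when `s->packet_loss` is set the new guard skips `decode_frame()`, but `save_bits(s, gb, frame_size, 0)` on the line above has already consumed the frame and `s->packet_done` keeps whatever value it had before. Add a comment stating which state the decoder is expected to be in on that path and what ends processing of the packet, since the commit message does not explain how `packet_loss` leads to the null pointer dereference.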
[FFmpeg-cvslog] avformat/utils: Fix integer overflow of fps_first/last_dts
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Mar 7 00:10:11 2018 +0100| [e89d8ed7cb3fc0dd1e108a5919b2c6f4f454fe60] | committer: Michael Niedermayer avformat/utils: Fix integer overflow of fps_first/last_dts Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long' Fixes: Chromium bug 796778 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e89d8ed7cb3fc0dd1e108a5919b2c6f4f454fe60 --- libavformat/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/utils.c b/libavformat/utils.c index 2c622d2c56..2053c3f755 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c @@ -3622,7 +3622,7 @@ FF_ENABLE_DEPRECATION_WARNINGS if (st->info->fps_last_dts != AV_NOPTS_VALUE && st->info->fps_last_dts_idx > st->info->fps_first_dts_idx && (pkt->dts - st->info->fps_last_dts) / 1000 > -(st->info->fps_last_dts - st->info->fps_first_dts) / +(st->info->fps_last_dts - (uint64_t)st->info->fps_first_dts) / (st->info->fps_last_dts_idx - st->info->fps_first_dts_idx)) { av_log(ic, AV_LOG_WARNING, "DTS discontinuity in stream %d: packet %d with DTS " ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
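Review bot: casting `fps_first_dts` to `uint64_t` makes the whole right-hand side unsigned, so the `>` comparison converts the signed left-hand side `(pkt->dts - st->info->fps_last_dts) / 1000` to unsigned as well. A packet whose DTS is lower than `fps_last_dts` by 1000 or more then compares as a very large value and takes the discontinuity branch, which it did not do with the signed comparison. Convert the unsigned difference back to `int64_t` before dividing, and note that the subtraction on the left-hand side is still signed and can overflow in the same way as the one being fixed.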
[FFmpeg-cvslog] swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.
ffmpeg | branch: release/3.3 | Hendrik Schreiber| Thu Apr 5 13:58:37 2018 +0200| [30c26bb78f6a7d347c05d0b175593e095ae312ea] | committer: Michael Niedermayer swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering. Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone. Signed-off-by: Hendrik Schreiber Signed-off-by: Michael Niedermayer (cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=30c26bb78f6a7d347c05d0b175593e095ae312ea --- libswresample/swresample.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index 74c96dce60..170f76bc56 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -678,7 +678,7 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co s->mix_2_1_simd(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_simd_one, 0, 0, len1); if(out_count != len1) for(ch=0; chch_count; ch++) -s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off + len1, s->native_one, 0, 0, out_count - len1); +s->mix_2_1_f(conv_src->ch[ch] + off, preout->ch[ch] + off, s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos + off, s->native_one, 0, 0, out_count - len1); } else { for(ch=0; chch_count; ch++) s->mix_2_1_f(conv_src->ch[ch], preout->ch[ch], s->dither.noise.ch[ch] + s->dither.noise.bps * s->dither.noise_pos, s->native_one, 0, 0, out_count); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
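Review bot: the commit message justifies dropping `+ len1` from the noise pointer only by observation, so the patch should state what `off` already accounts for. The source and destination pointers in the same call advance by `off` alone, which supports the change, but the noise buffer is indexed with its own `s->dither.noise.bps` while `off` is shared with `conv_src` and `preout`; a comment confirming that `off` is a byte offset valid for the noise format, and that the `len1` samples handled by the SIMD call are skipped exactly once, would make the fix reviewable.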
[FFmpeg-cvslog] avcodec/truemotion2rt: Check input buffer size
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Feb 22 03:04:40 2018 +0100| [e908a595db8e254629cb1275fb9e17099dd2efab] | committer: Michael Niedermayer avcodec/truemotion2rt: Check input buffer size Fixes: Timeout Fixes: 6250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5479814011027456 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8b5c29b6c2ab00f8fb545475238a99f575b5d81d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e908a595db8e254629cb1275fb9e17099dd2efab --- libavcodec/truemotion2rt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/truemotion2rt.c b/libavcodec/truemotion2rt.c index d63918742d..9df0b527bb 100644 --- a/libavcodec/truemotion2rt.c +++ b/libavcodec/truemotion2rt.c @@ -116,6 +116,9 @@ static int truemotion2rt_decode_frame(AVCodecContext *avctx, void *data, if (ret < 0) return ret; +if (avctx->width / s->hscale * avctx->height * s->delta_size > avpkt->size * 8LL * 4) +return AVERROR_INVALIDDATA; + ret = init_get_bits8(gb, avpkt->data + ret, avpkt->size - ret); if (ret < 0) return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
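Review bot: the left-hand side `avctx->width / s->hscale * avctx->height * s->delta_size` has no 64-bit operand, unlike the right-hand side with its `8LL`, so if these fields are plain `int` the product can overflow for large dimensions and the size check is then evaluated on a wrapped value. Cast the first operand to `int64_t`. The trailing `* 4` is an unexplained tolerance factor and needs a comment, and the expression also depends on `s->hscale` being non-zero at this point.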
[FFmpeg-cvslog] avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Feb 27 15:17:12 2018 +0100| [5b586f0bc87dc1c19bc722ea7386d670c33eeb71] | committer: Michael Niedermayer avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5b586f0bc87dc1c19bc722ea7386d670c33eeb71 --- libavcodec/nuv.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index 8d806dbbff..32ed65899b 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -199,6 +199,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, case NUV_RTJPEG_IN_LZO: case NUV_RTJPEG: keyframe = !buf[2]; +if (c->width < 16 || c->height < 16) { +return AVERROR_INVALIDDATA; +} break; case NUV_COPY_LAST: keyframe = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
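Review bot: the literal `16` in `c->width < 16 || c->height < 16` is the same divisor used by the `c->width/16 * (c->height/16) * 6` size estimate that the companion nuv.c patch on this page adds, and nothing in the code ties the two together. A named constant shared by both, with the commit message's reason (smaller dimensions decode no pixels) as a comment, would keep them from drifting apart.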
[FFmpeg-cvslog] avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Mar 8 17:28:36 2018 +0100| [42bd425205f464e95b2bfc1def239ee31e2becfe] | committer: Michael Niedermayer avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE Fixes: Chromium bug 795653 Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long' Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=42bd425205f464e95b2bfc1def239ee31e2becfe --- libavformat/oggparsetheora.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavformat/oggparsetheora.c b/libavformat/oggparsetheora.c index b14f9f0669..b0c0edc7a5 100644 --- a/libavformat/oggparsetheora.c +++ b/libavformat/oggparsetheora.c @@ -181,6 +181,7 @@ static int theora_packet(AVFormatContext *s, int idx) if ((!os->lastpts || os->lastpts == AV_NOPTS_VALUE) && !(os->flags & OGG_FLAG_EOS)) { int seg; +int64_t pts; duration = 1; for (seg = os->segp; seg < os->nsegs; seg++) { @@ -188,7 +189,10 @@ static int theora_packet(AVFormatContext *s, int idx) duration ++; } -os->lastpts = os->lastdts = theora_gptopts(s, idx, os->granule, NULL) - duration; +pts = theora_gptopts(s, idx, os->granule, NULL); +if (pts != AV_NOPTS_VALUE) +pts -= duration; +os->lastpts = os->lastdts = pts; if(s->streams[idx]->start_time == AV_NOPTS_VALUE) { s->streams[idx]->start_time = os->lastpts; if (s->streams[idx]->duration > 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
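Review bot: the four added lines in `theora_packet()` are the same sequence that the oggparsedaala patch on this page adds to `daala_packet()`, differing only in the `*_gptopts` function called. A small shared helper that subtracts a duration from a timestamp unless it is `AV_NOPTS_VALUE` would keep the two parsers consistent. As in the daala hunk, the equality test only covers the exact sentinel, so values within `duration` of it still reach `pts -= duration`.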
[FFmpeg-cvslog] avcodec/get_bits: Make sure the input bitstream with padding can be addressed
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Mar 24 01:38:53 2018 +0100| [899d40c17fefe7f7a0ba7f7a95ae61be81b6d0ad] | committer: Michael Niedermayer avcodec/get_bits: Make sure the input bitstream with padding can be addressed Signed-off-by: Michael Niedermayer (cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=899d40c17fefe7f7a0ba7f7a95ae61be81b6d0ad --- libavcodec/get_bits.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index 0c7f5ff0c6..d7cf286378 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -32,6 +32,7 @@ #include "libavutil/intreadwrite.h" #include "libavutil/log.h" #include "libavutil/avassert.h" +#include "avcodec.h" #include "mathops.h" #include "vlc.h" @@ -428,7 +429,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer, int buffer_size; int ret = 0; -if (bit_size >= INT_MAX - 7 || bit_size < 0 || !buffer) { +if (bit_size >= INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8) || bit_size < 0 || !buffer) { bit_size= 0; buffer = NULL; ret = AVERROR_INVALIDDATA; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
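Review bot: pulling `avcodec.h` into `get_bits.h` just to use `AV_INPUT_BUFFER_PADDING_SIZE` in the `init_get_bits()` limit widens the dependencies of a header that is included very broadly, which may matter for build time and include cycles. The new bound `INT_MAX - FFMAX(7, AV_INPUT_BUFFER_PADDING_SIZE*8)` would also benefit from a comment explaining that it keeps the bit position addressable across the padding, since the commit message has no body and the `FFMAX` with 7 is not self-explanatory.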
[FFmpeg-cvslog] avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Feb 27 15:17:12 2018 +0100| [719b9b673cfb723234c614a4ff8cfad7c0c4499a] | committer: Michael Niedermayer avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg Fixes: Timeout Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=719b9b673cfb723234c614a4ff8cfad7c0c4499a --- libavcodec/nuv.c | 11 +++ 1 file changed, 11 insertions(+) diff --git a/libavcodec/nuv.c b/libavcodec/nuv.c index ad6c029e50..8d806dbbff 100644 --- a/libavcodec/nuv.c +++ b/libavcodec/nuv.c @@ -161,6 +161,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int orig_size = buf_size; int keyframe, ret; int size_change = 0; +int minsize = 0; int result, init_frame = !avctx->frame_number; enum { NUV_UNCOMPRESSED = '0', @@ -206,6 +207,16 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, keyframe = 1; break; } +switch (comptype) { +case NUV_UNCOMPRESSED: +minsize = c->width * c->height * 3 / 2; +break; +case NUV_RTJPEG: +minsize = c->width/16 * (c->height/16) * 6; +break; +} +if (buf_size < minsize / 4) +return AVERROR_INVALIDDATA; retry: // Skip the rest of the frame header. buf = [12]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
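Review bot: `minsize` is an `int` and `c->width * c->height * 3 / 2` is computed without a wider operand, so if the dimensions are not tightly bounded the product can overflow, and a wrapped negative `minsize` makes `buf_size < minsize / 4` false and bypasses the check. Compute the estimate in `int64_t`. The `/ 4` tolerance in the comparison is undocumented, and the `switch` silently leaves `minsize` at 0 for every compression type other than `NUV_UNCOMPRESSED` and `NUV_RTJPEG`; a comment or an explicit `default:` would show that this is intended.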
[FFmpeg-cvslog] avcodec/bintext: sanity check dimensions
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Feb 26 21:17:08 2018 +0100| [5909508e8df3bd762efc0dbd10b5e5a16ed2993e] | committer: Michael Niedermayer avcodec/bintext: sanity check dimensions Fixes: Timeout Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=5909508e8df3bd762efc0dbd10b5e5a16ed2993e --- libavcodec/bintext.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/bintext.c b/libavcodec/bintext.c index 90bbe67b59..d967317671 100644 --- a/libavcodec/bintext.c +++ b/libavcodec/bintext.c @@ -35,6 +35,8 @@ #include "bintext.h" #include "internal.h" +#define FONT_WIDTH 8 + typedef struct XbinContext { AVFrame *frame; int palette[16]; @@ -91,6 +93,9 @@ static av_cold int decode_init(AVCodecContext *avctx) break; } } +if (avctx->width < FONT_WIDTH || avctx->height < s->font_height) +return AVERROR_INVALIDDATA; + s->frame = av_frame_alloc(); if (!s->frame) @@ -113,8 +118,6 @@ av_unused static void hscroll(AVCodecContext *avctx) } } -#define FONT_WIDTH 8 - /** * Draw character to screen */ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/oggparseogm: Fix undefined shift in ogm_packet()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Mar 8 23:14:04 2018 +0100| [e0a08c833dd8fafa18f4f7133c2e81df22606ab5] | committer: Michael Niedermayer avformat/oggparseogm: Fix undefined shift in ogm_packet() Fixes: shift exponent 48 is too large for 32-bit type 'int' Fixes: Chromium bug 786793 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e0a08c833dd8fafa18f4f7133c2e81df22606ab5 --- libavformat/oggparseogm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c index e7a501b5a7..4d09d174b8 100644 --- a/libavformat/oggparseogm.c +++ b/libavformat/oggparseogm.c @@ -181,7 +181,7 @@ ogm_packet(AVFormatContext *s, int idx) os->psize -= lb + 1; while (lb--) -os->pduration += p[lb+1] << (lb*8); +os->pduration += (uint64_t)p[lb+1] << (lb*8); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
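Review bot: the `(uint64_t)` cast widens the shifted operand in `p[lb+1] << (lb*8)`, but the shift is still undefined once `lb*8` reaches 64, so the fix relies on `lb` staying below 8. The hunk does not show where `lb` is derived or bounded; add an assertion or a comment stating its maximum next to the loop.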
[FFmpeg-cvslog] avcodec/dxtory: Remove code that corrupts dimensions
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 21:27:16 2018 +0100| [af5c12c0290b6269d178dcded041f2201a8532b4] | committer: Michael Niedermayer avcodec/dxtory: Remove code that corrupts dimensions Fixes: Timeout Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376 Does someone have a valid sample that triggers this path ? Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=af5c12c0290b6269d178dcded041f2201a8532b4 --- libavcodec/dxtory.c | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index e736cec8db..285ca38efb 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -305,11 +305,7 @@ static int dxtory_decode_v2(AVCodecContext *avctx, AVFrame *pic, } if (avctx->height - line) { -av_log(avctx, AV_LOG_VERBOSE, - "Not enough slice data available, " - "cropping the frame by %d pixels\n", -avctx->height - line); -avctx->height = line; +avpriv_request_sample(avctx, "Not enough slice data available"); } return 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
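Review bot: after this change the `if (avctx->height - line)` branch only calls `avpriv_request_sample()` and the function still returns 0, so a frame whose rows from `line` to `avctx->height` were never written is handed to the caller as a successful decode. Either return an error on this path or clear the undecoded rows so the frame content is defined. The commit message itself asks whether a valid sample reaches this path, which suggests the error return is the safer default until one turns up.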
[FFmpeg-cvslog] avcodec/exr: fix invalid shift in unpack_14()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Feb 21 04:29:44 2018 +0100| [4d45d5b606a11f6f401d7694df08e7e47989af32] | committer: Michael Niedermayer avcodec/exr: fix invalid shift in unpack_14() Fixes: 6154/clusterfuzz-testcase-minimized-5762231061970944 Fixes: runtime error: shift exponent 63 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 49062a90174b6e4104876c0257dc673a0da854ca) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d45d5b606a11f6f401d7694df08e7e47989af32 --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index b27132d6bb..2481959a21 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -910,7 +910,7 @@ static int pxr24_uncompress(EXRContext *s, const uint8_t *src, static void unpack_14(const uint8_t b[14], uint16_t s[16]) { -unsigned short shift = (b[ 2] >> 2); +unsigned short shift = (b[ 2] >> 2) & 15; unsigned short bias = (0x20 << shift); int i; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
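Review bot: masking with `& 15` removes the undefined shift, but `bias` on the next line is an `unsigned short` assigned from `0x20 << shift`, and for any `shift` of 11 or more that value no longer fits in 16 bits and is truncated. If shifts that large are not valid for this packing, the mask hides malformed input instead of bounding it; a tighter clamp with a comment giving the valid range would be clearer, since `unpack_14()` returns `void` and cannot report the problem.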
[FFmpeg-cvslog] avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 18 17:12:28 2018 +0100| [4018d8586ffe1fc8d5f7f28df6c010c748d3fb75] | committer: Michael Niedermayer avcodec/h264_parse: Clear invalid chroma weights in ff_h264_pred_weight_table() Fixes: 6037/clusterfuzz-testcase-minimized-5030249784934400 Fixes: signed integer overflow: 256 * 16992036 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 85c85f3f9c75301db3eba1bd5f2fb1e6285d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4018d8586ffe1fc8d5f7f28df6c010c748d3fb75 --- libavcodec/h264_parse.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index a7c71d9bbb..dfc57076d1 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -82,8 +82,11 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->chroma_weight[i][list][j][0] = get_se_golomb(gb); pwt->chroma_weight[i][list][j][1] = get_se_golomb(gb); if ((int8_t)pwt->chroma_weight[i][list][j][0] != pwt->chroma_weight[i][list][j][0] || -(int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) +(int8_t)pwt->chroma_weight[i][list][j][1] != pwt->chroma_weight[i][list][j][1]) { +pwt->chroma_weight[i][list][j][0] = chroma_def; +pwt->chroma_weight[i][list][j][1] = 0; goto out_range_weight; +} if (pwt->chroma_weight[i][list][j][0] != chroma_def || pwt->chroma_weight[i][list][j][1] != 0) { pwt->use_weight_chroma= 1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
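Review bot: the reset to `chroma_def` and `0` is added only to the chroma branch before `goto out_range_weight`, and the hunk does not show the corresponding luma path. If the luma weights are range-checked the same way and also jump to `out_range_weight`, they need the same reset, otherwise an out-of-range luma value stays in the table. A comment at the `out_range_weight` label stating that the table must hold only valid values when it is reached would make the invariant explicit.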
[FFmpeg-cvslog] avcodec/cavsdec: Check alpha/beta offset
ffmpeg | branch: release/3.3 | Michael Niedermayer| Tue Feb 20 23:11:01 2018 +0100| [f3562ee6fc847db3162fccfa98449ce21404608e] | committer: Michael Niedermayer avcodec/cavsdec: Check alpha/beta offset Fixes: Integer overflow Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f3562ee6fc847db3162fccfa98449ce21404608e --- libavcodec/cavsdec.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c index 2bcb42a6eb..79349b5005 100644 --- a/libavcodec/cavsdec.c +++ b/libavcodec/cavsdec.c @@ -1067,6 +1067,11 @@ static int decode_pic(AVSContext *h) if (!h->loop_filter_disable && get_bits1(>gb)) { h->alpha_offset= get_se_golomb(>gb); h->beta_offset = get_se_golomb(>gb); +if ( h->alpha_offset < -64 || h->alpha_offset > 64 +|| h-> beta_offset < -64 || h-> beta_offset > 64) { +h->alpha_offset = h->beta_offset = 0; +return AVERROR_INVALIDDATA; +} } else { h->alpha_offset = h->beta_offset = 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
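Review bot: the limits `-64` and `64` in the new `alpha_offset` and `beta_offset` check are bare literals with no reference to where they come from, and the commit message only says "Integer overflow". Add a comment naming the source of the range, or the downstream computation it protects, so the bound can be verified. The alignment spaces inside `h-> beta_offset` also split the member access and are best dropped.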
[FFmpeg-cvslog] avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 18 00:11:33 2018 +0100| [1a387f1ce6ec8a8b57849adac5ffbb53c1d07c83] | committer: Michael Niedermayer avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53() Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a387f1ce6ec8a8b57849adac5ffbb53c1d07c83 --- libavcodec/jpeg2000dwt.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeg2000dwt.c b/libavcodec/jpeg2000dwt.c index e4aa2e4a3d..8092297b8c 100644 --- a/libavcodec/jpeg2000dwt.c +++ b/libavcodec/jpeg2000dwt.c @@ -305,22 +305,22 @@ static void dwt_encode97_int(DWTContext *s, int *t) t[i] = (t[i] + ((1< >1)) >> I_PRESHIFT; } -static void sr_1d53(int *p, int i0, int i1) +static void sr_1d53(unsigned *p, int i0, int i1) { int i; if (i1 <= i0 + 1) { if (i0 == 1) -p[1] >>= 1; +p[1] = (int)p[1] >> 1; return; } extend53(p, i0, i1); for (i = (i0 >> 1); i < (i1 >> 1) + 1; i++) -p[2 * i] -= (p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; +p[2 * i] -= (int)(p[2 * i - 1] + p[2 * i + 1] + 2) >> 2; for (i = (i0 >> 1); i < (i1 >> 1); i++) -p[2 * i + 1] += (p[2 * i] + p[2 * i + 2]) >> 1; +p[2 * i + 1] += (int)(p[2 * i] + p[2 * i + 2]) >> 1; } static void dwt_decode53(DWTContext *s, int *t) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
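Review bot: changing the signature to `sr_1d53(unsigned *p, int i0, int i1)` without touching any caller leaves a pointer type mismatch: the diffstat shows only these four lines changed, the context shows `dwt_decode53(DWTContext *s, int *t)` still working on `int` data, and `extend53(p, i0, i1)` now receives an `unsigned *`. Update the callers and `extend53()` or add explicit casts at the call sites so the build stays free of incompatible-pointer warnings. The `(int)(...) >> 2` and `(int)(...) >> 1` forms also rely on arithmetic right shift of negative values, which deserves a short comment.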
[FFmpeg-cvslog] avformat/mov: Check STSC and remove invalid entries
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Mar 16 19:53:36 2018 +0100| [a89b45b492dd3c82d9aab1d67dac21bf56bcf43d] | committer: Michael Niedermayer avformat/mov: Check STSC and remove invalid entries Fixes assertion failure Fixes: crbug 822547, crbug 822666 and crbug 823009 Affects: aark15sd_9A62E2FA.mp4 Found-by: ClusterFuzz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a89b45b492dd3c82d9aab1d67dac21bf56bcf43d --- libavformat/mov.c | 20 1 file changed, 20 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 5381dbb704..6124b0b573 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2433,6 +2433,21 @@ static int mov_read_stsc(MOVContext *c, AVIOContext *pb, MOVAtom atom) } sc->stsc_count = i; +for (i = sc->stsc_count - 1; i < UINT_MAX; i--) { +if ((i+1 < sc->stsc_count && sc->stsc_data[i].first >= sc->stsc_data[i+1].first) || +(i > 0 && sc->stsc_data[i].first <= sc->stsc_data[i-1].first) || +sc->stsc_data[i].first < 1 || +sc->stsc_data[i].count < 1 || +sc->stsc_data[i].id < 1) { +av_log(c->fc, AV_LOG_WARNING, "STSC entry %d is invalid (first=%d count=%d id=%d)\n", i, sc->stsc_data[i].first, sc->stsc_data[i].count, sc->stsc_data[i].id); +if (i+1 >= sc->stsc_count || sc->stsc_data[i+1].first < 2) +return AVERROR_INVALIDDATA; +// We replace this entry by the next valid +sc->stsc_data[i].first = sc->stsc_data[i+1].first - 1; +sc->stsc_data[i].count = sc->stsc_data[i+1].count; +sc->stsc_data[i].id= sc->stsc_data[i+1].id; +} +} if (pb->eof_reached) return AVERROR_EOF; 
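Review bot: the loop header `for (i = sc->stsc_count - 1; i < UINT_MAX; i--)` terminates only through unsigned wrap-around of `i`, which is easy to break in a later edit and needs a comment, or a rewrite that counts down from `sc->stsc_count` and indexes with `i - 1`. The `av_log()` call formats `i` and the entry fields with `%d`; if any of them are unsigned the specifiers should be `%u`. It is also worth a comment that an invalid entry is overwritten in place with values derived from entry `i+1`, since the warning text alone reads as if the entry were only reported.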
@@ -3737,6 +3752,11 @@ static int mov_read_trak(MOVContext *c, AVIOContext *pb, MOVAtom atom) st->index); return 0; } +if (sc->stsc_count && sc->stsc_data[ sc->stsc_count - 1 ].first > sc->chunk_count) { +av_log(c->fc, AV_LOG_ERROR, "stream %d, contradictionary STSC and STCO\n", + st->index); +return AVERROR_INVALIDDATA; +} fix_timescale(c, sc); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
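Review bot: The log string in the new `mov_read_trak()` check reads "contradictionary STSC and STCO"; that should be "contradictory". The message would also be more useful for triage if it printed the two values being compared, `sc->stsc_data[ sc->stsc_count - 1 ].first` and `sc->chunk_count`.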
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow in mv computation
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 18 21:51:38 2018 +0100| [b9d5b1f05dadf6ab3062f59e7a2cbc482e655cb8] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow in mv computation Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int' Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9d5b1f05dadf6ab3062f59e7a2cbc482e655cb8 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 3b5eb16d87..fee2b7787c 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1437,8 +1437,8 @@ static void decode_block_params(DiracContext *s, DiracArith arith[8], DiracBlock global_mv(s, block, x, y, i); } else { pred_mv(block, stride, x, y, i); -block->u.mv[i][0] += dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); -block->u.mv[i][1] += dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); +block->u.mv[i][0] += (unsigned)dirac_get_arith_int(arith + 4 + 2 * i, CTX_MV_F1, CTX_MV_DATA); +block->u.mv[i][1] += (unsigned)dirac_get_arith_int(arith + 5 + 2 * i, CTX_MV_F1, CTX_MV_DATA); } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
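Review bot: The `(unsigned)` casts on both `dirac_get_arith_int()` results make the `+=` wrap instead of overflowing, but nothing in the hunk bounds the resulting `block->u.mv[i][0]` and `block->u.mv[i][1]`, so a wrapped, bitstream-controlled vector is still accepted. If wrapping is the intended behaviour, a short comment should say so; otherwise a range check on the sum belongs here.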
[FFmpeg-cvslog] avcodec/g2meet: Check tile dimensions with av_image_check_size2()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Feb 22 02:34:05 2018 +0100| [c3e774784bac7930743d47cbd37e0e9f06fa6e30] | committer: Michael Niedermayer avcodec/g2meet: Check tile dimensions with av_image_check_size2() Fixes: OOM Fixes: 6216/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-4983807968018432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 3981fb8d2a03cdb3399590da8621a7bcc22e2964) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c3e774784bac7930743d47cbd37e0e9f06fa6e30 --- libavcodec/g2meet.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/g2meet.c b/libavcodec/g2meet.c index 10b6808f81..3b8b97ab41 100644 --- a/libavcodec/g2meet.c +++ b/libavcodec/g2meet.c @@ -28,6 +28,7 @@ #include #include +#include "libavutil/imgutils.h" #include "libavutil/intreadwrite.h" #include "avcodec.h" @@ -1451,7 +1452,8 @@ static int g2m_decode_frame(AVCodecContext *avctx, void *data, c->tile_height = bytestream2_get_be32(); if (c->tile_width <= 0 || c->tile_height <= 0 || ((c->tile_width | c->tile_height) & 0xF) || -c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 +c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4 || +av_image_check_size2(c->tile_width, c->tile_height, avctx->max_pixels, avctx->pix_fmt, 0, avctx) < 0 ) { av_log(avctx, AV_LOG_ERROR, "Invalid tile dimensions %dx%d\n", ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
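Review bot: In the tile-dimension condition of `g2m_decode_frame()`, the existing `c->tile_width * (uint64_t)c->tile_height >= INT_MAX / 4` test and the added `av_image_check_size2(...)` call now both bound the tile area, and the code does not say which limit each one enforces. A comment stating that the new call is what applies `avctx->max_pixels` would make clear why both are kept.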
[FFmpeg-cvslog] avcodec/utvideodec: Check subsample factors
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Feb 26 03:02:48 2018 +0100| [bafb13dc0fd60f49f613bf4c52ce88b91176755c] | committer: Michael Niedermayer avcodec/utvideodec: Check subsample factors Fixes: Out of array read Fixes: heap_poc Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bafb13dc0fd60f49f613bf4c52ce88b91176755c --- libavcodec/utvideodec.c | 9 + 1 file changed, 9 insertions(+) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index fda5de0732..2cf9ce2855 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -28,6 +28,7 @@ #include #include "libavutil/intreadwrite.h" +#include "libavutil/pixdesc.h" #include "avcodec.h" #include "bswapdsp.h" #include "bytestream.h" @@ -824,6 +825,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, static av_cold int decode_init(AVCodecContext *avctx) { UtvideoContext * const c = avctx->priv_data; +int h_shift, v_shift; c->avctx = avctx; @@ -920,6 +922,13 @@ static av_cold int decode_init(AVCodecContext *avctx) return AVERROR_INVALIDDATA; } +av_pix_fmt_get_chroma_sub_sample(avctx->pix_fmt, _shift, _shift); +if ((avctx->width & ((1< height & ((1<
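Review bot: In `decode_init()`, `h_shift` and `v_shift` are declared uninitialised and the return value of `av_pix_fmt_get_chroma_sub_sample()` is ignored, so if that call fails for the current `avctx->pix_fmt` the width/height mask test that follows reads indeterminate values. Check the return value and propagate it before using the shifts.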
[FFmpeg-cvslog] avcodec/hevcdec: Check luma/chroma_log2_weight_denom
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 21:42:34 2018 +0100| [37cd7f3375302b2c8e35946a53db13a8bd123b8b] | committer: Michael Niedermayer avcodec/hevcdec: Check luma/chroma_log2_weight_denom Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int' Fixes: 5888/clusterfuzz-testcase-minimized-5634701067812864 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit f82dd4c09b2decb033f1e339d4be81efd38554f1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37cd7f3375302b2c8e35946a53db13a8bd123b8b --- libavcodec/hevcdec.c | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index 5579a4df43..db0bebfa49 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c 
@@ -149,12 +149,18 @@ static int pred_weight_table(HEVCContext *s, GetBitContext *gb) int luma_log2_weight_denom; luma_log2_weight_denom = get_ue_golomb_long(gb); -if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) +if (luma_log2_weight_denom < 0 || luma_log2_weight_denom > 7) { av_log(s->avctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is invalid\n", luma_log2_weight_denom); +return AVERROR_INVALIDDATA; +} s->sh.luma_log2_weight_denom = av_clip_uintp2(luma_log2_weight_denom, 3); if (s->ps.sps->chroma_format_idc != 0) { -int delta = get_se_golomb(gb); -s->sh.chroma_log2_weight_denom = av_clip_uintp2(s->sh.luma_log2_weight_denom + delta, 3); +int64_t chroma_log2_weight_denom = luma_log2_weight_denom + (int64_t)get_se_golomb(gb); +if (chroma_log2_weight_denom < 0 || chroma_log2_weight_denom > 7) { +av_log(s->avctx, AV_LOG_ERROR, "chroma_log2_weight_denom %"PRId64" is invalid\n", chroma_log2_weight_denom); +return AVERROR_INVALIDDATA; +} +s->sh.chroma_log2_weight_denom = chroma_log2_weight_denom; } for (i = 0; i < s->sh.nb_refs[L0]; i++) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
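Review bot: With the new early return for `luma_log2_weight_denom` outside 0..7, the unchanged `av_clip_uintp2(luma_log2_weight_denom, 3)` on the following line can no longer clip anything. Assign the value directly, as the hunk already does for `s->sh.chroma_log2_weight_denom`, so the luma and chroma paths read the same way.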
[FFmpeg-cvslog] avcodec/smc: Check input packet size
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Feb 23 03:40:02 2018 +0100| [bcc6d409283aebc114d674ace998016d04523ce3] | committer: Michael Niedermayer avcodec/smc: Check input packet size Fixes: Timeout Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bcc6d409283aebc114d674ace998016d04523ce3 --- libavcodec/smc.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/smc.c b/libavcodec/smc.c index 79f9a757a0..3cb4834737 100644 --- a/libavcodec/smc.c +++ b/libavcodec/smc.c @@ -438,6 +438,10 @@ static int smc_decode_frame(AVCodecContext *avctx, int pal_size; const uint8_t *pal = av_packet_get_side_data(avpkt, AV_PKT_DATA_PALETTE, _size); int ret; +int total_blocks = ((s->avctx->width + 3) / 4) * ((s->avctx->height + 3) / 4); + +if (total_blocks / 1024 > avpkt->size) +return AVERROR_INVALIDDATA; bytestream2_init(>gb, buf, buf_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
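Review bot: The divisor in `if (total_blocks / 1024 > avpkt->size)` is an unexplained constant; add a comment stating what minimum packet size per block it assumes, so the bound can be reviewed against the format. The computation can also use `avctx->width` and `avctx->height` directly, since `avctx` is already a parameter of `smc_decode_frame()`.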
[FFmpeg-cvslog] avcodec/aacdec_templat: Fix integer overflow in apply_ltp()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 18 16:55:52 2018 +0100| [b172815c3c9bb7dcaa88e388418bbbefd5aa978e] | committer: Michael Niedermayer avcodec/aacdec_templat: Fix integer overflow in apply_ltp() Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int' Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b172815c3c9bb7dcaa88e388418bbbefd5aa978e --- libavcodec/aacdec_template.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index 6a93aed2e8..659b6e5a31 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2522,7 +2522,7 @@ static void apply_ltp(AACContext *ac, SingleChannelElement *sce) for (sfb = 0; sfb < FFMIN(sce->ics.max_sfb, MAX_LTP_LONG_SFB); sfb++) if (ltp->used[sfb]) for (i = offsets[sfb]; i < offsets[sfb + 1]; i++) -sce->coeffs[i] += predFreq[i]; +sce->coeffs[i] += (UINTFLOAT)predFreq[i]; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/exr: Check remaining bits in last get code loop
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Feb 14 13:01:46 2018 +0100| [659a23e89fbaf649f8984a9d5dfd5479e5a37386] | committer: Michael Niedermayer avcodec/exr: Check remaining bits in last get code loop Fixes: runtime error: shift exponent -7 is negative Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=659a23e89fbaf649f8984a9d5dfd5479e5a37386 --- libavcodec/exr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index fe978805c5..b27132d6bb 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -574,7 +574,7 @@ static int huf_decode(const uint64_t *hcode, const HufDec *hdecod, while (lc > 0) { const HufDec pl = hdecod[(c << (HUF_DECBITS - lc)) & HUF_DECMASK]; -if (pl.len) { +if (pl.len && lc >= pl.len) { lc -= pl.len; get_code(pl.lit, rlc, c, lc, gb, out, oe, outb); } else { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
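Review bot: With the condition changed to `if (pl.len && lc >= pl.len)`, a table entry with a nonzero `pl.len` larger than the remaining `lc` bits now takes the `else` branch, whose body is outside the hunk. Before this change that branch was reached only when `pl.len` was zero, so please confirm it ends in an error return for the new input rather than handling it as a long code.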
[FFmpeg-cvslog] avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 21:47:09 2018 +0100| [93a16aebf2ac0b29956bd831417e4dbc2477dacf] | committer: Michael Niedermayer avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i() Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112 Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=93a16aebf2ac0b29956bd831417e4dbc2477dacf --- libavcodec/dirac_dwt_template.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e68cc4d530..8c25c1f822 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c @@ -95,8 +95,8 @@ static void RENAME(horizontal_compose_dd97i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { -b[2*x ] = (tmp[x] + 1)>>1; -b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; +b[2*x ] = ((int)(tmp[x] + 1U))>>1; +b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } @@ -118,8 +118,8 @@ static void RENAME(horizontal_compose_dd137i)(uint8_t *_b, uint8_t *_tmp, int w) tmp[w2+1] = tmp[w2] = tmp[w2-1]; for (x = 0; x < w2; x++) { -b[2*x ] = (tmp[x] + 1)>>1; -b[2*x+1] = (COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1)>>1; +b[2*x ] = ((int)(tmp[x] + 1U))>>1; +b[2*x+1] = ((int)(COMPOSE_DD97iH0(tmp[x-1], tmp[x], b[x+w2], tmp[x+1], tmp[x+2]) + 1U))>>1; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
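Review bot: The subject line names only `horizontal_compose_dd137i()`, but the first hunk makes the same change in `horizontal_compose_dd97i()`; the commit message should mention both functions so the fix can be found from either name. The `(int)(... + 1U)` pattern also merits a one-line comment that the unsigned addition is there to avoid signed overflow before the shift.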
[FFmpeg-cvslog] avcodec/jpeg2000dec: Use av_image_check_size2()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 04:20:53 2018 +0100| [1a4f8de03d57490b6344ec2eeba3aa816cd1eb62] | committer: Michael Niedermayer avcodec/jpeg2000dec: Use av_image_check_size2() Fixes: OOM Fixes: 5733/clusterfuzz-testcase-minimized-4906757966004224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 01370b31aced784593f2bc0836f4ba6fd8e7f6b3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1a4f8de03d57490b6344ec2eeba3aa816cd1eb62 --- libavcodec/jpeg2000dec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index f1abc9a5ef..404cf06ddc 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -282,7 +282,7 @@ static int get_siz(Jpeg2000DecoderContext *s) avpriv_request_sample(s->avctx, "Support for image offsets"); return AVERROR_PATCHWELCOME; } -if (av_image_check_size(s->width, s->height, 0, s->avctx)) { +if (av_image_check_size2(s->width, s->height, s->avctx->max_pixels, AV_PIX_FMT_NONE, 0, s->avctx)) { avpriv_request_sample(s->avctx, "Large Dimensions"); return AVERROR_PATCHWELCOME; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
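Review bot: When `av_image_check_size2()` fails in `get_siz()`, the unchanged error path still calls `avpriv_request_sample(s->avctx, "Large Dimensions")` and returns `AVERROR_PATCHWELCOME`. Now that the check also enforces `s->avctx->max_pixels`, a file rejected by the caller's own limit is reported as an unsupported feature; returning the error code from the size check would describe that case more accurately.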
[FFmpeg-cvslog] avcodec/diracdec: Use int64 in global mv to prevent overflow
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 23:54:44 2018 +0100| [205689ae8a5e00ce2d39e9559252c020cb784e56] | committer: Michael Niedermayer avcodec/diracdec: Use int64 in global mv to prevent overflow Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int' Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=205689ae8a5e00ce2d39e9559252c020cb784e56 --- libavcodec/diracdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 9df70c3f7a..3b5eb16d87 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -1399,8 +1399,8 @@ static void global_mv(DiracContext *s, DiracBlock *block, int x, int y, int ref) int *c = s->globalmc[ref].perspective; int m = (1< u.mv[ref][0] = (mx + (1<<(ez+ep))) >> (ez+ep); block->u.mv[ref][1] = (my + (1<<(ez+ep))) >> (ez+ep); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
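Review bot: The rounding term in the unchanged lines, `(1<<(ez+ep))`, is still an `int` shift, and the result is stored straight into `block->u.mv[ref][0]` and `block->u.mv[ref][1]`. With the intermediate widened to 64 bits as the subject says, a comment or check is needed on how that final narrowing store behaves for out-of-range values and on the range `ez+ep` can take.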
[FFmpeg-cvslog] avcodec/vp8: Check for bitstream end before vp7_fade_frame()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 17 04:20:52 2018 +0100| [2a85ead5a374f37bc52d716da9237f4e722dee58] | committer: Michael Niedermayer avcodec/vp8: Check for bitstream end before vp7_fade_frame() Fixes: Timeout Fixes: 5653/clusterfuzz-testcase-5497680018014208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2a85ead5a374f37bc52d716da9237f4e722dee58 --- libavcodec/vp8.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vp8.c b/libavcodec/vp8.c index 5bf601a8ef..fd036538e0 100644 --- a/libavcodec/vp8.c +++ b/libavcodec/vp8.c @@ -606,6 +606,8 @@ static int vp7_decode_frame_header(VP8Context *s, const uint8_t *buf, int buf_si s->fade_present = vp8_rac_get(c); } +if (c->end <= c->buffer && c->bits >= 0) +return AVERROR_INVALIDDATA; /* E. Fading information for previous frame */ if (s->fade_present && vp8_rac_get(c)) { if ((ret = vp7_fade_frame(s ,c)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
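Review bot: The added test `if (c->end <= c->buffer && c->bits >= 0)` open-codes the range coder's end-of-data condition inside `vp7_decode_frame_header()` without a comment. A small named helper, or at least a comment explaining why both `c->end <= c->buffer` and `c->bits >= 0` are required, would keep the check from drifting if the coder's internals change.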
[FFmpeg-cvslog] avcodec/h264_cabac: Tighten allowed coeff_abs range
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Feb 14 00:32:30 2018 +0100| [878fc42a906d13cd6a78b0820eed75f4fd8e26e5] | committer: Michael Niedermayer avcodec/h264_cabac: Tighten allowed coeff_abs range Fixes: integer overflows Reported-by: "Xiaohan Wang (王消寒)" Based on limits in "8.5 Transform coefficient decoding process and picture construction process prior to deblocking filter process" Signed-off-by: Michael Niedermayer (cherry picked from commit f26a63c4ee1bdbe21d7ab462cd66f8ba20b14244) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=878fc42a906d13cd6a78b0820eed75f4fd8e26e5 --- libavcodec/h264_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c index 04b77f284f..1e05c04680 100644 --- a/libavcodec/h264_cabac.c +++ b/libavcodec/h264_cabac.c @@ -1735,7 +1735,7 @@ decode_cabac_residual_internal(const H264Context *h, H264SliceContext *sl, \ if( coeff_abs >= 15 ) { \ int j = 0; \ -while (get_cabac_bypass(CC) && j < 30) { \ +while (get_cabac_bypass(CC) && j < 16+7) { \ j++; \ } \ \ ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
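Review bot: The new loop bound `j < 16+7` in `decode_cabac_residual_internal()` is a bare expression with no explanation. The commit message cites section 8.5 of the specification as its source, and that reference should sit next to the constant as a `/* ... */` comment (the code is inside a macro with line continuations, so a `//` comment would not be safe there).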
[FFmpeg-cvslog] avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Feb 14 03:54:13 2018 +0100| [519d48c861a91f3c458e37478d0e408aa608117c] | committer: Michael Niedermayer avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c() Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392 Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=519d48c861a91f3c458e37478d0e408aa608117c --- libavutil/common.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavutil/common.h b/libavutil/common.h index 8142b31fdb..53e43feb3a 100644 --- a/libavutil/common.h +++ b/libavutil/common.h @@ -158,7 +158,7 @@ static av_always_inline av_const int64_t av_clip64_c(int64_t a, int64_t amin, in */ static av_always_inline av_const uint8_t av_clip_uint8_c(int a) { -if (a&(~0xFF)) return (-a)>>31; +if (a&(~0xFF)) return (~a)>>31; else return a; } @@ -180,7 +180,7 @@ static av_always_inline av_const int8_t av_clip_int8_c(int a) */ static av_always_inline av_const uint16_t av_clip_uint16_c(int a) { -if (a&(~0x)) return (-a)>>31; +if (a&(~0x)) return (~a)>>31; else return a; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
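Review bot: Replacing `(-a)>>31` with `(~a)>>31` in `av_clip_uint8_c()` and `av_clip_uint16_c()` removes the negation that overflowed for the minimum `int`, but the expression still depends on an arithmetic right shift of a negative value and on `int` being 32 bits wide, neither of which is stated. A short comment on the trick, plus a test covering the minimum `int`, -1 and the first value above each mask, would pin the behaviour down.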
[FFmpeg-cvslog] avcodec/mpeg2dec: Fix field selection for skipped macroblocks
ffmpeg | branch: release/3.3 | Nekopanda| Sat Feb 10 18:36:32 2018 +0900| [66881cf2b58b8021e9e7f4271e30deeba0c6cb7f] | committer: Michael Niedermayer avcodec/mpeg2dec: Fix field selection for skipped macroblocks For B field pictures, the spec says, > The prediction shall be made from the field of the same parity as the field > being predicted. I did it. Signed-off-by: Michael Niedermayer (cherry picked from commit 8b154cb3e90a3e599cadf477d815a9854b7bb4e1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=66881cf2b58b8021e9e7f4271e30deeba0c6cb7f --- libavcodec/mpeg12dec.c | 2 + tests/ref/fate/mpeg2-ticket186 | 328 - 2 files changed, 166 insertions(+), 164 deletions(-) diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c index 186fbd27b6..3786dc61b3 100644 --- a/libavcodec/mpeg12dec.c +++ b/libavcodec/mpeg12dec.c @@ -1983,6 +1983,8 @@ static int mpeg_decode_slice(MpegEncContext *s, int mb_y, s->mv[0][0][1] = s->last_mv[0][0][1]; s->mv[1][0][0] = s->last_mv[1][0][0]; s->mv[1][0][1] = s->last_mv[1][0][1]; +s->field_select[0][0] = (s->picture_structure - 1) & 1; +s->field_select[1][0] = (s->picture_structure - 1) & 1; } } } diff --git a/tests/ref/fate/mpeg2-ticket186 b/tests/ref/fate/mpeg2-ticket186 index b716ca5611..31afda15e8 100644 --- a/tests/ref/fate/mpeg2-ticket186 +++ b/tests/ref/fate/mpeg2-ticket186 
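Review bot: The expression `(s->picture_structure - 1) & 1` assigned to `s->field_select[0][0]` and `s->field_select[1][0]` encodes the parity rule quoted in the commit message, but the code carries no comment. Add one next to the assignments saying that skipped macroblocks in B field pictures predict from the field of the same parity, so the mapping from `picture_structure` to a field index is not left for the reader to derive.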
@@ -3,354 +3,354 @@ #codec_id 0: rawvideo #dimensions 0: 352x288 #sar 0: 12/11 -0, 0, 0,1, 152064, 0xd23ffc59 +0, 0, 0,1, 152064, 0x8f9d00c1 0, 1, 1,1, 152064, 0x899fb8b1 -0, 2, 2,1, 152064, 0x5958d070 +0, 2, 2,1, 152064, 0x7225cb39 0, 3, 3,1, 152064, 0xf2becd8f -0, 4, 4,1, 152064, 0xb47bbed7 +0, 4, 4,1, 152064, 0xd56bc556 0, 5, 5,1, 152064, 0x7ca54f36 -0, 6, 6,1, 152064, 0x02389610 +0, 6, 6,1, 152064, 0x06d7805c 0, 7, 7,1, 152064, 0x469f3f87 -0, 8, 8,1, 152064, 0x935a780e +0, 8, 8,1, 152064, 0xdb2f57d5 0, 9, 9,1, 152064, 0x3876c20c -0, 10, 10,1, 152064, 0x49df265f +0, 10, 10,1, 152064, 0x5b670e79 0, 11, 11,1, 152064, 0xdfe420e0 -0, 12, 12,1, 152064, 0x6e34a0c4 +0, 12, 12,1, 152064, 0x17578222 0, 13, 13,1, 152064, 0x47e1cb26 -0, 14, 14,1, 152064, 0x68e74188 +0, 14, 14,1, 152064, 0x168e35d6 0, 15, 15,1, 152064, 0xe9d34b4e -0, 16, 16,1, 152064, 0xa8665e1a +0, 16, 16,1, 152064, 0x5e395308 0, 17, 17,1, 152064, 0x88e3b39f -0, 18, 18,1, 152064, 0x1c1ab2c3 +0, 18, 18,1, 152064, 0x6b099c51 0, 19, 19,1, 152064, 0xb1a24ddf -0, 20, 20,1, 152064, 0x030d5afc +0, 20, 20,1, 152064, 0xcea840fc 0, 21, 21,1, 152064, 0x98306d64 -0, 22, 22,1, 152064, 0x5ce0548d +0, 22, 22,1, 152064, 0xb05354d3 0, 23, 23,1, 152064, 0xacac26f3 -0, 24, 24,1, 152064, 0xf167f698 +0, 24, 24,1, 152064, 0xbccdf14b 0, 25, 25,1, 152064, 0xd9398539 -0, 26, 26,1, 152064, 0xd7aec2c4 +0, 26, 26,1, 152064, 0x07aec13a 0, 27, 27,1, 152064, 0xa6ef9440 -0, 28, 28,1, 152064, 0xc289b278 +0, 28, 28,1, 152064, 0x0e7ab64e 0, 29, 29,1, 152064, 0x3796939d -0, 30, 30,1, 152064, 0x48c09366 +0, 30, 30,1, 152064, 0xcc219365 0, 31, 31,1, 152064, 0xf4cc815a -0, 32, 32,1, 152064, 0x1c63cdc2 +0, 32, 32,1, 152064, 0x8b91c622 0, 33, 33,1, 152064, 0xd3a8ad8e -0, 34, 34,1, 152064, 0x70f94bc0 +0, 34, 34,1, 152064, 0x658e498f 0, 35, 35,1, 152064, 0xf9c115ea -0, 36, 36,1, 152064,
[FFmpeg-cvslog] avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 11 03:38:54 2018 +0100| [76a886dae364c665ee83d3eac44e28062b687baa] | committer: Michael Niedermayer avcodec/vp3: Error out on invalid num_coeffs in unpack_vlcs() This fixes a hypothetical integer overflow Signed-off-by: Michael Niedermayer (cherry picked from commit f2318aee8ca8df1c84092f7d6691a2d0df02c474) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=76a886dae364c665ee83d3eac44e28062b687baa --- libavcodec/vp3.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index e46a9e6971..bb4e554dde 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -951,9 +951,11 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, Vp3Fragment *all_fragments = s->all_fragments; VLC_TYPE(*vlc_table)[2] = table->table; -if (num_coeffs < 0) +if (num_coeffs < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid number of coefficients at level %d\n", coeff_index); +return AVERROR_INVALIDDATA; +} if (eob_run > num_coeffs) { coeff_i = ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avcodec/huffyuvdec: Check input buffer size
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 31 19:20:10 2018 +0100| [838d02fcff8d08dfe138db572eaff01193f388ab] | committer: Michael Niedermayer avcodec/huffyuvdec: Check input buffer size Fixes: Timeout Fixes: 5487/clusterfuzz-testcase-4696837035393024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 08c220d26cff51ca2f6896b65aebfa3accc67290) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=838d02fcff8d08dfe138db572eaff01193f388ab --- libavcodec/huffyuvdec.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c index 979c4b9d5c..66357bfb40 100644 --- a/libavcodec/huffyuvdec.c +++ b/libavcodec/huffyuvdec.c @@ -919,6 +919,9 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVFrame *const p = data; int table_size = 0, ret; +if (buf_size < (width * height + 7)/8) +return AVERROR_INVALIDDATA; + av_fast_padded_malloc(>bitstream_buffer, >bitstream_buffer_size, buf_size); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
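Review bot: The lower bound `if (buf_size < (width * height + 7)/8)` assumes at least one bit of input per pixel, and that rationale is not stated anywhere near the check; a comment is needed. If `width` and `height` are `int`, the product is also evaluated in `int`, so either note where the dimensions are bounded or do the multiplication in `int64_t`.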
[FFmpeg-cvslog] avcodec/pafvideo: Check allocated frame size
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Feb 4 02:14:49 2018 +0100| [65fc03589fb48ee1d24797ad3984199b01feec82] | committer: Michael Niedermayer avcodec/pafvideo: Check allocated frame size Fixes: OOM Fixes: 5549/clusterfuzz-testcase-minimized-5390553567985664 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 66acb630286cf1bf03bfbdab6c7c784ff20bde61) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=65fc03589fb48ee1d24797ad3984199b01feec82 --- libavcodec/pafvideo.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/pafvideo.c b/libavcodec/pafvideo.c index 6980ae1b35..7c5861dfaf 100644 --- a/libavcodec/pafvideo.c +++ b/libavcodec/pafvideo.c @@ -78,6 +78,7 @@ static av_cold int paf_video_init(AVCodecContext *avctx) { PAFVideoDecContext *c = avctx->priv_data; int i; +int ret; c->width = avctx->width; c->height = avctx->height; @@ -90,6 +91,9 @@ static av_cold int paf_video_init(AVCodecContext *avctx) } avctx->pix_fmt = AV_PIX_FMT_PAL8; +ret = av_image_check_size2(avctx->width, FFALIGN(avctx->height, 256), avctx->max_pixels, avctx->pix_fmt, 0, avctx); +if (ret < 0) +return ret; c->pic = av_frame_alloc(); if (!c->pic) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
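Review bot: The height passed to the new size check in `paf_video_init()` is `FFALIGN(avctx->height, 256)` rather than `avctx->height`, and the reason for the 256 alignment is not given. A comment tying it to the frame buffer size this decoder allocates would let a reader verify that the check covers the real allocation.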
[FFmpeg-cvslog] avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc()
ffmpeg | branch: release/3.3 | Xiaohan Wang| Sat Feb 3 01:43:35 2018 -0800| [e8fb74c0c9cd3bad7f990b8cf98b56ab54ae3a9c] | committer: Michael Niedermayer avcodec/h264_cavlc: Set valid qscale value in ff_h264_decode_mb_cavlc() When ff_h264_decode_mb_cavlc() failed due to wrong sl->qscale values, e.g. dquant out of range, set the qscale to be a valid value before returning -1 and exiting the function. The qscale value can be used later e.g. in loop filter. BUG=806122 Signed-off-by: Michael Niedermayer (cherry picked from commit 71f39de2a57efc8db1d607b09c162c3b806cd45d) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e8fb74c0c9cd3bad7f990b8cf98b56ab54ae3a9c --- libavcodec/h264_cavlc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c index cd2e97af7e..ffed204441 100644 --- a/libavcodec/h264_cavlc.c +++ b/libavcodec/h264_cavlc.c @@ -,6 +,7 @@ decode_intra_mb: elsesl->qscale -= max_qp+1; if (((unsigned)sl->qscale) > max_qp){ av_log(h->avctx, AV_LOG_ERROR, "dquant out of range (%d) at %d %d\n", dquant, sl->mb_x, sl->mb_y); +sl->qscale = max_qp; return -1; } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
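Review bot: The added `sl->qscale = max_qp;` on the "dquant out of range" path picks the upper bound as the recovery value without saying why. The commit message explains that later stages such as the loop filter read `qscale` after the error return; that explanation should be a comment at the assignment, so the line is not removed later as dead code before `return -1`.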
[FFmpeg-cvslog] avcodec/utvideodec: Fix bytes left check in decode_frame()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Feb 2 21:44:57 2018 +0100| [0322f781777d4413bd57815ee9b5a7d6a0cfe716] | committer: Michael Niedermayer avcodec/utvideodec: Fix bytes left check in decode_frame() Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0322f781777d4413bd57815ee9b5a7d6a0cfe716 --- libavcodec/utvideodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c index 7c65d779c3..fda5de0732 100644 --- a/libavcodec/utvideodec.c +++ b/libavcodec/utvideodec.c @@ -638,7 +638,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, for (j = 0; j < c->slices; j++) { slice_end = bytestream2_get_le32u(); if (slice_end < 0 || slice_end < slice_start || -bytestream2_get_bytes_left() < slice_end) { +bytestream2_get_bytes_left() < slice_end + 1024LL) { av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
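Review bot: The `1024LL` added in `bytestream2_get_bytes_left() < slice_end + 1024LL` is an unexplained constant. Name it or comment what the extra 1024 bytes beyond the slice data account for, so the bound can be checked against the reads that follow in `decode_frame()`.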
[FFmpeg-cvslog] avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 31 18:13:07 2018 +0100| [a97335b1b3aec9fb449ddf1a8b33cdaf418bf1a2] | committer: Michael Niedermayer avcodec/aacsbr_fixed: Fix overflows in rounding in sbr_hf_assemble() Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int' Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b1bef755f617af9685b592d866b3eb7f3c4b02b1) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a97335b1b3aec9fb449ddf1a8b33cdaf418bf1a2 --- libavcodec/aacsbr_fixed.c | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index 2a679491b0..0622d2ff7c 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -572,7 +572,8 @@ static void sbr_hf_assemble(int Y1[38][64][2], int A = (1-((indexsine+(kx & 1))&2)); int B = (A^(-idx)) + idx; int *out = [i][kx][idx]; -int shift, round; +int shift; +unsigned round; SoftFloat *in = sbr->s_m[e]; for (m = 0; m+1 < m_max; m+=2) { @@ -585,12 +586,12 @@ static void sbr_hf_assemble(int Y1[38][64][2], } if (shift < 32) { round = 1 << (shift-1); -out[2*m ] += (in[m ].mant * A + round) >> shift; +out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } if (shift2 < 32) { round = 1 << (shift2-1); -out[2*m+2] += (in[m+1].mant * B + round) >> shift2; +out[2*m+2] += (int)(in[m+1].mant * B + round) >> shift2; } } if(m_max&1) @@ -601,7 +602,7 @@ static void sbr_hf_assemble(int Y1[38][64][2], return; } else if (shift < 32) { round = 1 << (shift-1); -out[2*m ] += (in[m ].mant * A + round) >> shift; +out[2*m ] += (int)(in[m ].mant * A + round) >> shift; } } } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
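Review bot: In `sbr_hf_assemble()`, `round = 1 << (shift-1)` is guarded only by `shift < 32` (and `shift2 < 32`), so the visible code does not rule out a shift of 0 or less, where the shift count would be invalid. Please confirm the lower bound from the code above the hunk or add it to the condition. The constant is also still an `int` `1`; `1U` would match the new `unsigned round`.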
[FFmpeg-cvslog] avcodec/mpeg4videodec: Ignore multiple VOL headers
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Feb 9 22:24:58 2018 +0100| [f03616d2a43833cad5bda2fdf6f605aa09aa89e0] | committer: Michael Niedermayer avcodec/mpeg4videodec: Ignore multiple VOL headers Fixes: Ticket7005 Signed-off-by: Michael Niedermayer (cherry picked from commit 63a4bdbf3b732504e54cc2b9ec0886e6242a90bc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f03616d2a43833cad5bda2fdf6f605aa09aa89e0 --- libavcodec/mpeg4videodec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index d0162d1074..319a3809ea 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -2670,8 +2670,8 @@ int ff_mpeg4_decode_picture_header(Mpeg4DecContext *ctx, GetBitContext *gb) if (startcode >= 0x120 && startcode <= 0x12F) { if (vol) { -av_log(s->avctx, AV_LOG_ERROR, "Multiple VOL headers"); -return AVERROR_INVALIDDATA; +av_log(s->avctx, AV_LOG_WARNING, "Ignoring multiple VOL headers\n"); +continue; } vol++; if ((ret = decode_vol_header(ctx, gb)) < 0) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
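Review bot: the new `continue` in the `if (vol)` branch makes the first VOL header win and skips every later one without parsing it, but neither the code nor the commit message says why the first rather than the last should be authoritative. A short comment at the `continue` giving the reason (and referencing the ticket) would help, and since the warning fires once per extra header it may be worth making sure a stream with many repeated VOL headers cannot flood the log.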
[FFmpeg-cvslog] avcodec/vp3: Check eob_run
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Feb 9 04:17:16 2018 +0100| [0df3ad79c7d8d8740693deedccf82e7c28bb60b6] | committer: Michael Niedermayer avcodec/vp3: Check eob_run Fixes: out of array access Fixes: 5919/clusterfuzz-testcase-minimized-5859311382167552 Fixes: special case for theora (untested due to lack of sample) Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 570023eab3e2962b4ad8345a157c1e18ca1a6eca) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0df3ad79c7d8d8740693deedccf82e7c28bb60b6 --- libavcodec/vp3.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index b10cb39f8a..e46a9e6971 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -978,6 +978,9 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb, if (eob_run_get_bits[token]) eob_run += get_bits(gb, eob_run_get_bits[token]); +if (!eob_run) +eob_run = INT_MAX; + // record only the number of blocks ended in this plane, // any spill will be recorded in the next plane. if (eob_run > num_coeffs - coeff_i) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
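Review bot: the added `if (!eob_run) eob_run = INT_MAX;` has no comment explaining why a zero run is mapped to INT_MAX, and the commit message itself says the Theora special case is untested. Please add a comment at the assignment stating what a zero `eob_run` means in the bitstream, and confirm that every later use of `eob_run` after the `eob_run > num_coeffs - coeff_i` comparison either clamps it or subtracts from it, so the INT_MAX sentinel cannot feed an addition.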
[FFmpeg-cvslog] avcodec/scpr: Fix reading a pixel before the first
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Feb 3 18:49:07 2018 +0100| [55e6c6b5feb7e2a9110fab1dc06ced23360b14e2] | committer: Michael Niedermayer avcodec/scpr: Fix reading a pixel before the first Fixes: 5540/clusterfuzz-testcase-minimized-6122458273808384 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0fb33a82890753233225c61863fff1fcc9d970d4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55e6c6b5feb7e2a9110fab1dc06ced23360b14e2 --- libavcodec/scpr.c | 4 1 file changed, 4 insertions(+) diff --git a/libavcodec/scpr.c b/libavcodec/scpr.c index 78a6d5c0cd..694450abf0 100644 --- a/libavcodec/scpr.c +++ b/libavcodec/scpr.c @@ -679,6 +679,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { +if (by < 2) +return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; @@ -708,6 +710,8 @@ static int decompress_p(AVCodecContext *avctx, return AVERROR_INVALIDDATA; if (bx == 0) { +if (by < 2) +return AVERROR_INVALIDDATA; z = backstep; } else { z = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
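Review bot: the same `if (by < 2) return AVERROR_INVALIDDATA;` check is pasted into both `if (bx == 0)` branches of decompress_p(), and the constant 2 is unexplained. A comment tying the bound to how `backstep` is applied (how many rows back the `z = backstep` path reads) would make the check verifiable, and moving the shared `bx == 0` handling into one helper would keep the two copies from drifting apart.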
[FFmpeg-cvslog] avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Jan 11 22:47:10 2018 +0100| [d8e501de42d9c3dfe4a1f38b23a55f761866a6a1] | committer: Michael Niedermayer avcodec/arm/sbrdsp_neon: Use a free register instead of putting 2 things in one Fixes high pitched shriek Fixes: 25420848_1478428308873746_4255813235963330560_n.mp4 Reported-by: Dale Curtis Reviewed-by: Dale Curtis Signed-off-by: Michael Niedermayer (cherry picked from commit 7dbbb75ee32f87108ca9e15f5551dbbe69fe2641) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d8e501de42d9c3dfe4a1f38b23a55f761866a6a1 --- libavcodec/arm/sbrdsp_neon.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/arm/sbrdsp_neon.S b/libavcodec/arm/sbrdsp_neon.S index e66abd682a..003b04ea05 100644 --- a/libavcodec/arm/sbrdsp_neon.S +++ b/libavcodec/arm/sbrdsp_neon.S @@ -336,11 +336,11 @@ function ff_sbr_hf_apply_noise_0_neon, export=1 vld1.32 {d0}, [r0,:64] vld1.32 {d6}, [lr,:64] vld1.32 {d2[]}, [r1,:32]! -vld1.32 {d3[]}, [r2,:32]! +vld1.32 {d18[]}, [r2,:32]! vceq.f32d4, d2, #0 veord2, d2, d3 vmovd1, d0 -vmla.f32d0, d6, d3 +vmla.f32d0, d6, d18 vadd.f32s2, s2, s4 vbifd0, d1, d4 vst1.32 {d0}, [r0,:64]! ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
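Review bot: `veor d2, d2, d3` still reads d3 after the load that used to overwrite it was moved to d18, so the fix relies on d3 holding a value set outside this hunk. A one-line comment at the `vld1.32 {d18[]}, [r2,:32]!` load naming what d3 and d18 each carry would keep the two from being merged into one register again, and any sibling of ff_sbr_hf_apply_noise_0_neon that shares this instruction sequence should be checked for the same clobber.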
[FFmpeg-cvslog] avcodec/mpeg4videodec: Avoid possibly aliasing violating casts
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 28 02:29:02 2018 +0100| [90cfaff0bbc79f133a2d8c9f67763ba90072c9f9] | committer: Michael Niedermayer avcodec/mpeg4videodec: Avoid possibly aliasing violating casts Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit d4967c04e040b3b2f937cad88599af825147ec94) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=90cfaff0bbc79f133a2d8c9f67763ba90072c9f9 --- libavcodec/mpeg4videodec.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index afa41a8641..d0162d1074 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1251,10 +1251,12 @@ not_coded: */ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) { -Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; +Mpeg4DecContext *ctx = s->avctx->priv_data; int cbp, mb_type; const int xy = s->mb_x + s->mb_y * s->mb_stride; +av_assert2(s == (void*)ctx); + mb_type = s->current_picture.mb_type[xy]; cbp = s->cbp_table[xy]; @@ -1336,12 +1338,13 @@ static int mpeg4_decode_partitioned_mb(MpegEncContext *s, int16_t block[6][64]) static int mpeg4_decode_mb(MpegEncContext *s, int16_t block[6][64]) { -Mpeg4DecContext *ctx = (Mpeg4DecContext *)s; +Mpeg4DecContext *ctx = s->avctx->priv_data; int cbpc, cbpy, i, cbp, pred_x, pred_y, mx, my, dquant; int16_t *mot_val; static const int8_t quant_tab[4] = { -1, -2, 1, 2 }; const int xy = s->mb_x + s->mb_y * s->mb_stride; +av_assert2(s == (void*)ctx); av_assert2(s->h263_pred); if (s->pict_type == AV_PICTURE_TYPE_P || ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
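Review bot: `av_assert2(s == (void*)ctx);` in both functions is compiled in only at the highest assert level, so normal builds never check the layout assumption that `s->avctx->priv_data` points at the same object as `s`. If that invariant matters for correctness, check it once at init with an assert that is always active, and add a comment at the `ctx = s->avctx->priv_data` lines saying that Mpeg4DecContext must begin with the MpegEncContext. Both functions run per macroblock, so the extra two pointer loads are also worth a quick benchmark.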
[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 14 00:39:39 2018 +0100| [eecb0ecf51ed9f270832a66c85949d5731e626af] | committer: Michael Niedermayer avcodec/ac3dec_fixed: Fix integer overflow in scale_coefs() Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int' Fixes: 4800/clusterfuzz-testcase-minimized-6110372403609600 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a1f38c75893c852cf19dcf3e4553549ba1e70950) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=eecb0ecf51ed9f270832a66c85949d5731e626af --- libavcodec/ac3dec_fixed.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index 9a6d7a08b1..bd66175d50 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -64,8 +64,8 @@ static void scale_coefs ( int dynrng, int len) { -int i, shift, round; -unsigned mul; +int i, shift; +unsigned mul, round; int temp, temp1, temp2, temp3, temp4, temp5, temp6, temp7; mul = (dynrng & 0x1f) + 0x20; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
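Review bot: the hunk changes only the declaration (`unsigned mul, round;`), so every expression in scale_coefs() that adds `round` now becomes unsigned, including any that is then shifted right. Please confirm each such use casts the sum back to int before the `>>`, the way the aacsbr_fixed fix does with `(int)(... + round) >> shift`; otherwise negative coefficients would be shifted logically instead of arithmetically and change the decoded output.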
[FFmpeg-cvslog] avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Jan 15 23:46:44 2018 +0100| [aec30d0da9dc66de0d05b0c9d65022611bbf3f9b] | committer: Michael Niedermayer avcodec/hevc_cabac: Check prefix so as to avoid invalid shifts in coeff_abs_level_remaining_decode() I suspect that this can be limited tighter, but i failed to find anything in the spec that would confirm that. Fixes: 4833/clusterfuzz-testcase-minimized-5302840101699584 Fixes: runtime error: left shift of 134217730 by 4 places cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit a026a3efaeb9c2026668dccbbda339a21ab3206b) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=aec30d0da9dc66de0d05b0c9d65022611bbf3f9b --- libavcodec/hevc_cabac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 5e46c59a24..29485dc64c 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -987,7 +987,7 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int } else { int prefix_minus3 = prefix - 3; -if (prefix == CABAC_MAX_BIN) { +if (prefix == CABAC_MAX_BIN || prefix_minus3 + rc_rice_param >= 31) { av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
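Review bot: the new condition `prefix_minus3 + rc_rice_param >= 31` shares the existing error path, so it logs "CABAC_MAX_BIN : %d" even when prefix is not CABAC_MAX_BIN, and it returns 0, which the caller cannot tell apart from a legitimately decoded zero. A separate message that prints both `prefix` and `rc_rice_param` would make fuzzing reports readable. The commit message notes the limit may be looser than the spec allows; a comment at the check saying that 31 is derived from the width of int rather than from the spec would record that.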
[FFmpeg-cvslog] avcodec/ulti: Check number of blocks at init
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Jan 15 19:03:48 2018 +0100| [a9fb2f8c80d4c76854773bf654175573942312a9] | committer: Michael Niedermayer avcodec/ulti: Check number of blocks at init Fixes: Timeout Fixes: 4832/clusterfuzz-testcase-4699096590843904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 725353525e73bbe5b6b4d01528252675f2417a02) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a9fb2f8c80d4c76854773bf654175573942312a9 --- libavcodec/ulti.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/ulti.c b/libavcodec/ulti.c index e6f4374981..9e4c088b10 100644 --- a/libavcodec/ulti.c +++ b/libavcodec/ulti.c @@ -50,6 +50,8 @@ static av_cold int ulti_decode_init(AVCodecContext *avctx) s->width = avctx->width; s->height = avctx->height; s->blocks = (s->width / 8) * (s->height / 8); +if (s->blocks == 0) +return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_YUV410P; s->ulti_codebook = ulti_codebook; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
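Review bot: the added `if (s->blocks == 0) return AVERROR_INVALIDDATA;` fails init silently; an av_log() at error level stating that width and height must each be at least 8 would tell the user why the stream was rejected. Since `s->blocks` is the product `(s->width / 8) * (s->height / 8)`, it is also worth stating in a comment what upper bound on the dimensions is assumed, so the multiplication itself is known not to overflow.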
[FFmpeg-cvslog] avcodec/dnxhddec: Check dc vlc
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 3 23:42:00 2018 +0100| [05a92668942f1a7bb04815e88043ed5c24d068c0] | committer: Michael Niedermayer avcodec/dnxhddec: Check dc vlc Fixes: signed integer overflow: 1024 + 2147483640 cannot be represented in type 'int' Fixes: 4671/clusterfuzz-testcase-minimized-6027464343027712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit b2be76c0a472b729756ed7a91225c209d0dd1d2e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=05a92668942f1a7bb04815e88043ed5c24d068c0 --- libavcodec/dnxhddec.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/dnxhddec.c b/libavcodec/dnxhddec.c index 7cb6a75261..cd475bc170 100644 --- a/libavcodec/dnxhddec.c +++ b/libavcodec/dnxhddec.c @@ -377,6 +377,10 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, UPDATE_CACHE(bs, >gb); GET_VLC(len, bs, >gb, ctx->dc_vlc.table, DNXHD_DC_VLC_BITS, 1); +if (len < 0) { +ret = len; +goto error; +} if (len) { level = GET_CACHE(bs, >gb); LAST_SKIP_BITS(bs, >gb, len); @@ -430,7 +434,7 @@ static av_always_inline int dnxhd_decode_dct_block(const DNXHDContext *ctx, GET_VLC(index1, bs, >gb, ctx->ac_vlc.table, DNXHD_VLC_BITS, 2); } - +error: CLOSE_READER(bs, >gb); return ret; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
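Review bot: in the new `if (len < 0)` block, `ret = len;` returns the raw negative value from GET_VLC to the caller rather than an AVERROR code. Callers that log or compare the return value expect an AVERROR, so `ret = AVERROR_INVALIDDATA;` would be clearer. The new `error:` label also replaces the blank line before CLOSE_READER; keeping the blank line above the label would preserve readability.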
[FFmpeg-cvslog] avcodec/exr: Fix memleaks in decode_header()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 31 17:50:21 2018 +0100| [d07a0ae1af038ad6d4a4084d22940b4efbea141e] | committer: Michael Niedermayer avcodec/exr: Fix memleaks in decode_header() Fixes: 4793/clusterfuzz-testcase-minimized-5707366629638144 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0a2560a9775be7c5df09c85c9908b05e711a54a3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d07a0ae1af038ad6d4a4084d22940b4efbea141e --- libavcodec/exr.c | 82 ++-- 1 file changed, 56 insertions(+), 26 deletions(-) diff --git a/libavcodec/exr.c b/libavcodec/exr.c index 7fa17ca887..fe978805c5 100644 --- a/libavcodec/exr.c +++ b/libavcodec/exr.c @@ -1317,6 +1317,7 @@ static int decode_header(EXRContext *s, AVFrame *frame) AVDictionary *metadata = NULL; int magic_number, version, i, flags, sar = 0; int layer_match = 0; +int ret; s->current_channel_offset = 0; s->xmin = ~0; @@ -1375,8 +1376,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) if ((var_size = check_header_variable(s, "channels", "chlist", 38)) >= 0) { GetByteContext ch_gb; -if (!var_size) -return AVERROR_INVALIDDATA; +if (!var_size) { +ret = AVERROR_INVALIDDATA; +goto fail; +} bytestream2_init(_gb, s->gb.buffer, var_size); @@ -1435,14 +1438,16 @@ static int decode_header(EXRContext *s, AVFrame *frame) if (bytestream2_get_bytes_left(_gb) < 4) { av_log(s->avctx, AV_LOG_ERROR, "Incomplete header.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } current_pixel_type = bytestream2_get_le32(_gb); if (current_pixel_type >= EXR_UNKNOWN) { avpriv_report_missing_feature(s->avctx, "Pixel type %d", current_pixel_type); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } bytestream2_skip(_gb, 4); 
@@ -1453,7 +1458,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) avpriv_report_missing_feature(s->avctx, "Subsampling %dx%d", xsub, ysub); -return AVERROR_PATCHWELCOME; +ret = AVERROR_PATCHWELCOME; +goto fail; } if (channel_index >= 0 && s->channel_offsets[channel_index] == -1) { /* channel has not been previously assigned */ @@ -1461,7 +1467,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->pixel_type != current_pixel_type) { av_log(s->avctx, AV_LOG_ERROR, "RGB channels not of the same depth.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } s->pixel_type = current_pixel_type; s->channel_offsets[channel_index] = s->current_channel_offset; @@ -1469,8 +1476,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel)); -if (!s->channels) -return AVERROR(ENOMEM); +if (!s->channels) { +ret = AVERROR(ENOMEM); +goto fail; +} channel = >channels[s->nb_channels - 1]; channel->pixel_type = current_pixel_type; channel->xsub = xsub; @@ -1495,7 +1504,8 @@ static int decode_header(EXRContext *s, AVFrame *frame) av_log(s->avctx, AV_LOG_ERROR, "Missing green channel.\n"); if (s->channel_offsets[2] < 0) av_log(s->avctx, AV_LOG_ERROR, "Missing blue channel.\n"); -return AVERROR_INVALIDDATA; +ret = AVERROR_INVALIDDATA; +goto fail; } } @@ -1504,8 +1514,10 @@ static int decode_header(EXRContext *s, AVFrame *frame) continue; } else if ((var_size = check_header_variable(s, "dataWindow", "box2i",
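Review bot: the ENOMEM path converted to `goto fail` still sits behind `s->channels = av_realloc(s->channels, ++s->nb_channels * sizeof(EXRChannel));`, which overwrites the only pointer to the old array with NULL when the allocation fails. In a commit about memleaks that block is lost before `fail` can free it, and `s->nb_channels` has already been incremented while `s->channels` is NULL. Reallocating into a temporary pointer (or using av_reallocp_array()) and incrementing the count only on success would close that path. The `fail` label is outside the visible part of the patch, so please also confirm it releases `metadata` on every path that jumps to it.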
[FFmpeg-cvslog] avcodec/h264addpx_template: Fixes integer overflows
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 7 03:48:43 2018 +0100| [014ba5c73758298366feda73e9f6c97a5af860e1] | committer: Michael Niedermayer avcodec/h264addpx_template: Fixes integer overflows Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int' Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit d6945aeee419a8417b8019c7c92227e12e45b7ad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=014ba5c73758298366feda73e9f6c97a5af860e1 --- libavcodec/h264addpx_template.c | 24 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c index b71aaea439..9a1e6a2f2f 100644 --- a/libavcodec/h264addpx_template.c +++ b/libavcodec/h264addpx_template.c @@ -35,10 +35,10 @@ static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 4; i++) { -dst[0] += src[0]; -dst[1] += src[1]; -dst[2] += src[2]; -dst[3] += src[3]; +dst[0] += (unsigned)src[0]; +dst[1] += (unsigned)src[1]; +dst[2] += (unsigned)src[2]; +dst[3] += (unsigned)src[3]; dst += stride; src += 4; 
@@ -55,14 +55,14 @@ static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride) stride /= sizeof(pixel); for (i = 0; i < 8; i++) { -dst[0] += src[0]; -dst[1] += src[1]; -dst[2] += src[2]; -dst[3] += src[3]; -dst[4] += src[4]; -dst[5] += src[5]; -dst[6] += src[6]; -dst[7] += src[7]; +dst[0] += (unsigned)src[0]; +dst[1] += (unsigned)src[1]; +dst[2] += (unsigned)src[2]; +dst[3] += (unsigned)src[3]; +dst[4] += (unsigned)src[4]; +dst[5] += (unsigned)src[5]; +dst[6] += (unsigned)src[6]; +dst[7] += (unsigned)src[7]; dst += stride; src += 8; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
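Review bot: the `(unsigned)src[n]` casts in ff_h264_add_pixels4 and ff_h264_add_pixels8 look redundant to a reader who has not seen the sanitizer report, and nothing in the code says that wraparound on corrupt input is the intended behaviour. A one-line comment above each loop would prevent the casts from being cleaned up later. The twelve near-identical statements could also be written as an inner loop over the row, leaving unrolling to the compiler, which would put the cast in a single place.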
[FFmpeg-cvslog] avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks()
ffmpeg | branch: release/3.3 | Nikolas Bowe| Thu Jan 18 15:21:56 2018 -0800| [980fe1b7a6fcbfc087dd2580308b565840e4eb6a] | committer: Michael Niedermayer avformat/matroskadec: Fix float-cast-overflow undefined behavior in matroska_parse_tracks() Signed-off-by: Michael Niedermayer (cherry picked from commit e07649e618caedc07eaf2f4d09253de7f77d14f0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=980fe1b7a6fcbfc087dd2580308b565840e4eb6a --- libavformat/matroskadec.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 3ec1636584..cd6db9ebac 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2071,8 +2071,16 @@ static int matroska_parse_tracks(AVFormatContext *s) } if (track->type == MATROSKA_TRACK_TYPE_VIDEO) { -if (!track->default_duration && track->video.frame_rate > 0) -track->default_duration = 10 / track->video.frame_rate; +if (!track->default_duration && track->video.frame_rate > 0) { +double default_duration = 10 / track->video.frame_rate; +if (default_duration > UINT64_MAX || default_duration < 0) { +av_log(matroska->ctx, AV_LOG_WARNING, + "Invalid frame rate %e. Cannot calculate default duration.\n", + track->video.frame_rate); +} else { +track->default_duration = default_duration; +} +} if (track->video.display_width == -1) track->video.display_width = track->video.pixel_width; if (track->video.display_height == -1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
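Review bot: the bound `default_duration > UINT64_MAX` does not exclude every out-of-range value. UINT64_MAX is not representable as a double and is converted to 2^64 for the comparison, so a `default_duration` of exactly 2^64 passes the check and the assignment `track->default_duration = default_duration;` is still an out-of-range float to integer conversion. Using `>=` against the converted constant (or comparing against an explicit 2^64 literal) closes that case.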
[FFmpeg-cvslog] avcodec/indeo5: Do not leave frame_type set to an invalid value
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Jan 26 00:24:49 2018 +0100| [38384cdd991cf6c7d28f365c368523d8c8066d3e] | committer: Michael Niedermayer avcodec/indeo5: Do not leave frame_type set to an invalid value Fixes: null pointer dereference Fixes: 5264/clusterfuzz-testcase-minimized-4621956621008896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2ff9f178519b68d4d1d606eb5451ad81da948efc) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=38384cdd991cf6c7d28f365c368523d8c8066d3e --- libavcodec/indeo5.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/indeo5.c b/libavcodec/indeo5.c index 5f931c8b98..5028def4bc 100644 --- a/libavcodec/indeo5.c +++ b/libavcodec/indeo5.c @@ -324,6 +324,7 @@ static int decode_pic_hdr(IVI45DecContext *ctx, AVCodecContext *avctx) ctx->frame_type = get_bits(>gb, 3); if (ctx->frame_type >= 5) { av_log(avctx, AV_LOG_ERROR, "Invalid frame type: %d \n", ctx->frame_type); +ctx->frame_type = FRAMETYPE_INTRA; return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
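Review bot: `ctx->frame_type = FRAMETYPE_INTRA;` on the error path repairs the context after the invalid value has already been stored by `ctx->frame_type = get_bits(...)`. Reading the 3 bits into a local, validating it, and assigning to `ctx->frame_type` only on success would mean the context never holds an invalid type and keeps the previous frame's type intact. If the reset is kept, a comment explaining why INTRA is the safe value for later code would help.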
[FFmpeg-cvslog] avcodec/h264_slice: Do not attempt to render into frames already output
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 3 23:42:01 2018 +0100| [d81bfc042cea588213d7ce2162d9c7fd1b23b98f] | committer: Michael Niedermayer avcodec/h264_slice: Do not attempt to render into frames already output Fixes: null pointer dereference Fixes: 4698/clusterfuzz-testcase-minimized-5096956322906112 This testcase does not reproduce the issue before 03b82b3ab9883cef017e513c7d0b3b986b3b3e7b Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 476665d4de989dba48ec1195215ccc8db54538f4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d81bfc042cea588213d7ce2162d9c7fd1b23b98f --- libavcodec/h264_slice.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 3f3a3e4067..d83ba000ce 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1552,6 +1552,12 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl, * one except for reference purposes. */ h->first_field = 1; h->cur_pic_ptr = NULL; +} else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF) { +/* This frame was already output, we cannot draw into it + * anymore. + */ +h->first_field = 1; +h->cur_pic_ptr = NULL; } else { /* Second field in complementary pair */ h->first_field = 0; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
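Review bot: the new `else if (h->cur_pic_ptr->reference & DELAYED_PIC_REF)` branch repeats the body of the branch above it verbatim (`h->first_field = 1; h->cur_pic_ptr = NULL;`). Folding the condition into the preceding test with `||` would avoid the duplicate and keep the two cases in sync. The new test dereferences `h->cur_pic_ptr`; the guard that makes it non-NULL at this point is outside the hunk and worth a quick confirmation.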
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix several integer overflows
ffmpeg | branch: release/3.3 | Michael Niedermayer| Thu Jan 25 23:14:37 2018 +0100| [55f9c21363af98b0f00c927b7d9c9a92f2f378d2] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix several integer overflows Fixes: runtime error: signed integer overflow: -2146071175 + -268479557 cannot be represented in type 'int' Fixes: 5237/clusterfuzz-testcase-minimized-4569895275593728 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit fe1e6c06d03432c3e9208f019533c1d701f485d0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=55f9c21363af98b0f00c927b7d9c9a92f2f378d2 --- libavcodec/dirac_dwt.h | 4 ++-- libavcodec/dirac_dwt_template.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index 1af41e0702..68ebd19560 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -93,10 +93,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); // shared stuff for simd optimizations #define COMPOSE_53iL0(b0, b1, b2)\ -(b1 - ((int)(b0 + (unsigned)(b2) + 2) >> 2)) +(b1 - (unsigned)((int)(b0 + (unsigned)(b2) + 2) >> 2)) #define COMPOSE_DIRAC53iH0(b0, b1, b2)\ -(b1 + ((int)(b0 + (unsigned)(b2) + 1) >> 1)) +(b1 + (unsigned)((int)(b0 + (unsigned)(b2) + 1) >> 1)) #define COMPOSE_DD97iH0(b0, b1, b2, b3, b4)\ (int)(((unsigned)(b2) + ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 8) >> 4))) diff --git a/libavcodec/dirac_dwt_template.c b/libavcodec/dirac_dwt_template.c index e436c247a1..e68cc4d530 100644 --- a/libavcodec/dirac_dwt_template.c +++ b/libavcodec/dirac_dwt_template.c 
@@ -49,7 +49,7 @@ static void RENAME(vertical_compose53iL0)(uint8_t *_b0, uint8_t *_b1, uint8_t *_ TYPE *b1 = (TYPE *)_b1; TYPE *b2 = (TYPE *)_b2; for (i = 0; i < width; i++) -b1[i] -= (int)(b0[i] + (unsigned)b2[i] + 2) >> 2; +b1[i] -= (unsigned)((int)(b0[i] + (unsigned)b2[i] + 2) >> 2); } static av_always_inline void RENAME(interleave)(TYPE *dst, TYPE *src0, TYPE *src1, int w2, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
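Review bot: after this change COMPOSE_53iL0 and COMPOSE_DIRAC53iH0 evaluate to an unsigned value, while COMPOSE_DD97iH0 directly below wraps its result in `(int)(...)`. Any user of the two changed macros that compares, shifts or widens the result will now see unsigned semantics, so wrapping them in `(int)(...)` as well would keep the three macros consistent. The macro argument `b1` is also used unparenthesized in `(b1 - ...)` and `(b1 + ...)`; parenthesizing it while touching these lines would be a cheap hardening.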
[FFmpeg-cvslog] avcodec/wavpack: Fix integer overflow in FFABS
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 31 02:50:18 2018 +0100| [4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9] | committer: Michael Niedermayer avcodec/wavpack: Fix integer overflow in FFABS Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself Fixes: 5396/clusterfuzz-testcase-minimized-655829281536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 8e50bd61e4ff97bd7fc6cbd7ec4ca514e17a70c4) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9 --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 27d631c4e9..e0440959ff 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -480,7 +480,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, } if (type == AV_SAMPLE_FMT_S16P) { -if (FFABS(L) + (unsigned)FFABS(R) > (1<<19)) { +if (FFABS((int64_t)L) + FFABS((int64_t)R) > (1<<19)) { av_log(s->avctx, AV_LOG_ERROR, "sample %d %d too large\n", L, R); return AVERROR_INVALIDDATA; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/lrcdec: Fix memory leak in lrc_read_header()
ffmpeg | branch: release/3.3 | Nikolas Bowe| Fri Jan 19 13:17:07 2018 -0800| [68f9a9fe4bcba2db62a3cb43b3013bf58368fb6d] | committer: Michael Niedermayer avformat/lrcdec: Fix memory leak in lrc_read_header() Signed-off-by: Michael Niedermayer (cherry picked from commit ef5994e09d07ace62a672fcdc84761231288edad) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68f9a9fe4bcba2db62a3cb43b3013bf58368fb6d --- libavformat/lrcdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/lrcdec.c b/libavformat/lrcdec.c index 12f74b22a0..f4e9a4efa9 100644 --- a/libavformat/lrcdec.c +++ b/libavformat/lrcdec.c @@ -212,6 +212,7 @@ static int lrc_read_header(AVFormatContext *s) } ff_subtitles_queue_finalize(s, >q); ff_metadata_conv_ctx(s, NULL, ff_lrc_metadata_conv); +av_bprint_finalize(, NULL); return 0; } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
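Review bot: the added av_bprint_finalize() call sits only in front of the final `return 0;`. Any earlier return in lrc_read_header() taken after the AVBPrint has been initialised would still leak the buffer, so please check those paths and route them through a common cleanup label if there are any.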
[FFmpeg-cvslog] avcodec/hevc_ps: extract SPS fields required for hvcC construction
ffmpeg | branch: release/3.3 | Aman Gupta| Tue Sep 26 18:04:12 2017 -0700| [bb5748ec9d244e22e783e2914b64abf64c0808e3] | committer: Michael Niedermayer avcodec/hevc_ps: extract SPS fields required for hvcC construction Signed-off-by: Aman Gupta Reviewed-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bb5748ec9d244e22e783e2914b64abf64c0808e3 --- libavcodec/hevc_ps.c | 3 ++- libavcodec/hevc_ps.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index f2c26c4598..dc1429fa73 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -891,7 +891,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, return AVERROR_INVALIDDATA; } -skip_bits1(gb); // temporal_id_nesting_flag +sps->temporal_id_nesting_flag = get_bits(gb, 1); if ((ret = parse_ptl(gb, avctx, >ptl, sps->max_sub_layers)) < 0) return ret; @@ -954,6 +954,7 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, sps->bit_depth, bit_depth_chroma); return AVERROR_INVALIDDATA; } +sps->bit_depth_chroma = bit_depth_chroma; ret = map_pixel_format(avctx, sps); if (ret < 0) diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h index 44de3980e1..26842ef189 100644 --- a/libavcodec/hevc_ps.h +++ b/libavcodec/hevc_ps.h @@ -151,6 +151,7 @@ typedef struct HEVCSPS { HEVCWindow pic_conf_win; int bit_depth; +int bit_depth_chroma; int pixel_shift; enum AVPixelFormat pix_fmt; @@ -163,6 +164,7 @@ typedef struct HEVCSPS { int num_reorder_pics; int max_latency_increase; } temporal_layer[HEVC_MAX_SUB_LAYERS]; +uint8_t temporal_id_nesting_flag; VUI vui; PTL ptl; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
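Review bot: `sps->temporal_id_nesting_flag = get_bits(gb, 1);` drops the `// temporal_id_nesting_flag` comment style used by the line it replaces and could use get_bits1() to match the skip_bits1() it supersedes. In hevc_ps.h the new `uint8_t temporal_id_nesting_flag;` and `int bit_depth_chroma;` members carry no comment; since they exist only so other code can build an hvcC box, a short note saying so would explain why the parser stores values it does not use itself.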
[FFmpeg-cvslog] avcodec/hevc_ps: Check log2_sao_offset_scale_*
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 24 03:15:23 2018 +0100| [4019c2a67c6aafeadb93aa8fc741cc3915817597] | committer: Michael Niedermayer avcodec/hevc_ps: Check log2_sao_offset_scale_* Fixes: 4868/clusterfuzz-testcase-minimized-6236542906400768 Fixes: runtime error: shift exponent 126 is too large for 32-bit type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 4a75a75c62efc645ec28444e4675c325b8f2bb1a) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4019c2a67c6aafeadb93aa8fc741cc3915817597 --- libavcodec/hevc_ps.c | 5 + 1 file changed, 5 insertions(+) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index dc1429fa73..b64dc68919 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1330,6 +1330,11 @@ static int pps_range_extensions(GetBitContext *gb, AVCodecContext *avctx, pps->log2_sao_offset_scale_luma = get_ue_golomb_long(gb); pps->log2_sao_offset_scale_chroma = get_ue_golomb_long(gb); +if ( pps->log2_sao_offset_scale_luma > FFMAX(sps->bit_depth- 10, 0) +|| pps->log2_sao_offset_scale_chroma > FFMAX(sps->bit_depth_chroma - 10, 0) +) +return AVERROR_INVALIDDATA; + return(0); } ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
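Review bot: the new range check in pps_range_extensions() returns AVERROR_INVALIDDATA without an av_log(), so a rejected PPS gives no hint which field was out of range; logging both `log2_sao_offset_scale_luma` and `log2_sao_offset_scale_chroma` with their limits would help triage. The check reads `sps->bit_depth_chroma`, a field introduced by a separate commit, so the two must be backported together. The layout of the condition (leading `||` and a lone `)` line) also departs from the style of the surrounding code.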
[FFmpeg-cvslog] avcodec/mjpegdec: Fix integer overflow in DC dequantization
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 24 03:28:49 2018 +0100| [dbe356a00974632a18612c7a395366cee4c49118] | committer: Michael Niedermayer avcodec/mjpegdec: Fix integer overflow in DC dequantization Fixes: runtime error: signed integer overflow: -65535 * 65312 cannot be represented in type 'int' Fixes: 4900/clusterfuzz-testcase-minimized-5769019744321536 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 1bfc1aa004950c5ad527d823a08b8a19eef34eb0) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dbe356a00974632a18612c7a395366cee4c49118 --- libavcodec/mjpegdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index bd6dd7ef47..31c8fb422d 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -696,7 +696,7 @@ static int decode_block(MJpegDecodeContext *s, int16_t *block, int component, av_log(s->avctx, AV_LOG_ERROR, "error dc\n"); return AVERROR_INVALIDDATA; } -val = val * quant_matrix[0] + s->last_dc[component]; +val = val * (unsigned)quant_matrix[0] + s->last_dc[component]; val = av_clip_int16(val); s->last_dc[component] = val; block[0] = val; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
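Review bot: with `val * (unsigned)quant_matrix[0]` the product now wraps instead of overflowing, but a wrapped result can land inside the int16 range and pass through `av_clip_int16(val)` as if it were a valid DC value. If corrupt input should be rejected rather than decoded to an arbitrary coefficient, a range check on `val` before the multiplication (returning AVERROR_INVALIDDATA like the "error dc" path just above) would be stricter. If wrapping is intended, a comment at the cast saying so would be enough.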
[FFmpeg-cvslog] avfilter/vf_transpose: Fix used plane count.
ffmpeg | branch: release/3.3 | Michael Niedermayer| Wed Jan 24 19:38:05 2018 +0100| [d74839d793ebf8c6c7c4a2a8a22ae2bd695d2c41] | committer: Michael Niedermayer avfilter/vf_transpose: Fix used plane count. Fixes out of array access Fixes: poc.mp4 Found-by: GwanYeong Kim Signed-off-by: Michael Niedermayer (cherry picked from commit c6939f65a116b1ffed345d29d8621ee4ffb32235) (cherry picked from commit 3f621455d62e46745453568d915badd5b1e5bcd5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d74839d793ebf8c6c7c4a2a8a22ae2bd695d2c41 --- libavfilter/vf_transpose.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavfilter/vf_transpose.c b/libavfilter/vf_transpose.c index 75b4dda41f..1e5505b713 100644 --- a/libavfilter/vf_transpose.c +++ b/libavfilter/vf_transpose.c @@ -27,6 +27,7 @@ #include +#include "libavutil/avassert.h" #include "libavutil/imgutils.h" #include "libavutil/internal.h" #include "libavutil/intreadwrite.h" @@ -54,6 +55,7 @@ enum TransposeDir { typedef struct TransContext { const AVClass *class; int hsub, vsub; +int planes; int pixsteps[4]; int passthrough;///< PassthroughType, landscape passthrough mode enabled @@ -106,6 +108,10 @@ static int config_props_output(AVFilterLink *outlink) s->hsub = desc_in->log2_chroma_w; s->vsub = desc_in->log2_chroma_h; +s->planes = av_pix_fmt_count_planes(outlink->format); + +av_assert0(desc_in->nb_components == desc_out->nb_components); + av_image_fill_max_pixsteps(s->pixsteps, NULL, desc_out); @@ -148,7 +154,7 @@ static int filter_slice(AVFilterContext *ctx, void *arg, int jobnr, AVFrame *in = td->in; int plane; -for (plane = 0; out->data[plane]; plane++) { +for (plane = 0; plane < s->planes; plane++) { int hsub= plane == 1 || plane == 2 ? s->hsub : 0; int vsub= plane == 1 || plane == 2 ? s->vsub : 0; int pixstep = s->pixsteps[plane]; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
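Review bot: In config_props_output() the added av_assert0() compares desc_in->nb_components with desc_out->nb_components, but the loop in filter_slice() is bounded by s->planes, which comes from av_pix_fmt_count_planes(outlink->format). Component count and plane count are different quantities, so the assert does not establish that the input frame has data for every plane below s->planes. Consider checking the input format's plane count against s->planes, and returning an error code rather than aborting if the mismatch can be reached from user-selected formats.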
[FFmpeg-cvslog] avcodec/mpeg4videodec: Check mb_num also against 0
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 28 02:29:00 2018 +0100| [61a911d0073b19974ea289b1594e2bf8bba56007] | committer: Michael Niedermayer avcodec/mpeg4videodec: Check mb_num also against 0 The spec implies that 0 is invalid in addition to the existing checks Found-by: Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 05f4703a168a336363750e32bcfdd6f303fbdbc3) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=61a911d0073b19974ea289b1594e2bf8bba56007 --- libavcodec/mpeg4videodec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index 8eafc783b8..afa41a8641 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -460,7 +460,7 @@ int ff_mpeg4_decode_video_packet_header(Mpeg4DecContext *ctx) } mb_num = get_bits(>gb, mb_num_bits); -if (mb_num >= s->mb_num) { +if (mb_num >= s->mb_num || !mb_num) { av_log(s->avctx, AV_LOG_ERROR, "illegal mb_num in video packet (%d %d) \n", mb_num, s->mb_num); return -1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
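Review bot: The extra "!mb_num" test in ff_mpeg4_decode_video_packet_header() carries no comment, and the log line still prints only "illegal mb_num in video packet (%d %d)", which does not explain why 0 is refused when s->mb_num is larger. Add a short comment pointing at the spec clause the commit message refers to, so the condition is not removed later as redundant.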
[FFmpeg-cvslog] avcodec/get_bits: Document the return code of get_vlc2()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 28 02:29:01 2018 +0100| [093c80747ba4b3a6ca1a1532d1404dafa421b2b5] | committer: Michael Niedermayer avcodec/get_bits: Document the return code of get_vlc2() Found-by: kierank Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 4a94ff4ccd4f2329c599e37cabe4152dae60359e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=093c80747ba4b3a6ca1a1532d1404dafa421b2b5 --- libavcodec/get_bits.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h index c530015169..0c7f5ff0c6 100644 --- a/libavcodec/get_bits.h +++ b/libavcodec/get_bits.h @@ -550,6 +550,7 @@ static inline const uint8_t *align_get_bits(GetBitContext *s) * @param max_depth is the number of times bits bits must be read to completely * read the longest vlc code * = (max_vlc_length + bits - 1) / bits + * @returns the code parsed or -1 if no vlc matches */ static av_always_inline int get_vlc2(GetBitContext *s, VLC_TYPE (*table)[2], int bits, int max_depth) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
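Review bot: The new @returns line for get_vlc2() documents the -1 result but not the reader state: it does not say how many bits have been consumed from the GetBitContext when no code matches. Callers that try to continue after a failure need that, so state it here. With a -1 sentinel now documented, it is also worth adding that callers must test for a negative result before using the value as an index.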
[FFmpeg-cvslog] avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sat Jan 20 04:10:50 2018 +0100| [162bbc22e2032db4bf9fc3aadeb9b4e05924e76b] | committer: Michael Niedermayer avcodec/truemotion2: Fix integer overflow in TM2_RECALC_BLOCK() Fixes: signed integer overflow: 1477974040 - -1877995504 cannot be represented in type 'int' Fixes: 4861/clusterfuzz-testcase-minimized-4570316383715328 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 56a53340ed4cc55898e49c07081311ebb2816630) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=162bbc22e2032db4bf9fc3aadeb9b4e05924e76b --- libavcodec/truemotion2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c index f077f0e4bd..97c38f7f08 100644 --- a/libavcodec/truemotion2.c +++ b/libavcodec/truemotion2.c @@ -441,8 +441,8 @@ static inline int GET_TOK(TM2Context *ctx,int type) /* recalculate last and delta values for next blocks */ #define TM2_RECALC_BLOCK(CHR, stride, last, CD) {\ -CD[0] = CHR[1] - last[1];\ -CD[1] = (int)CHR[stride + 1] - (int)CHR[1];\ +CD[0] = (unsigned)CHR[ 1] - (unsigned)last[1];\ +CD[1] = (unsigned)CHR[stride + 1] - (unsigned) CHR[1];\ last[0] = (int)CHR[stride + 0];\ last[1] = (int)CHR[stride + 1];} ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
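Review bot: In TM2_RECALC_BLOCK() the operands of CD[0] and CD[1] are now cast to unsigned so the subtraction wraps, but the values in the report (1477974040 - -1877995504) show that CHR[] and last[] already hold numbers close to the int limits before the macro runs. The cast silences the overflow without bounding those values; consider whether they should be clipped where they are accumulated. The last[0] and last[1] assignments keep their (int) casts, so the macro now mixes two cast styles.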
[FFmpeg-cvslog] avcodec/dxtory: Fix bits left checks
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Jan 22 14:02:59 2018 +0100| [ce82d4722bde503f899521519d3a8e8c2200c205] | committer: Michael Niedermayer avcodec/dxtory: Fix bits left checks Fixes: Timeout Fixes: 4863/clusterfuzz-testcase-6347354178322432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6e1a167c5564085385488b4f579e9efb987d4bfa) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ce82d4722bde503f899521519d3a8e8c2200c205 --- libavcodec/dxtory.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/dxtory.c b/libavcodec/dxtory.c index 6f8652ad49..e736cec8db 100644 --- a/libavcodec/dxtory.c +++ b/libavcodec/dxtory.c @@ -326,7 +326,7 @@ static int dx2_decode_slice_5x5(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { b = decode_sym_565(gb, lru[0], 5); g = decode_sym_565(gb, lru[1], is_565 ? 6 : 5); @@ -392,7 +392,7 @@ static int dx2_decode_slice_rgb(GetBitContext *gb, AVFrame *frame, int stride = frame->linesize[0]; uint8_t *dst = frame->data[0] + stride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { dst[x * 3 + 0] = decode_sym(gb, lru[0]); dst[x * 3 + 1] = decode_sym(gb, lru[1]); 
@@ -437,7 +437,7 @@ static int dx2_decode_slice_410(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + (ustride >> 2) * line; uint8_t *V = frame->data[2] + (vstride >> 2) * line; -for (y = 0; y < left - 3 && get_bits_left(gb) > 16; y += 4) { +for (y = 0; y < left - 3 && get_bits_left(gb) > 9 * width; y += 4) { for (x = 0; x < width; x += 4) { for (j = 0; j < 4; j++) for (i = 0; i < 4; i++) @@ -481,7 +481,7 @@ static int dx2_decode_slice_420(GetBitContext *gb, AVFrame *frame, uint8_t *V = frame->data[2] + (vstride >> 1) * line; -for (y = 0; y < left - 1 && get_bits_left(gb) > 16; y += 2) { +for (y = 0; y < left - 1 && get_bits_left(gb) > 6 * width; y += 2) { for (x = 0; x < width; x += 2) { Y[x + 0 + 0 * ystride] = decode_sym(gb, lru[0]); Y[x + 1 + 0 * ystride] = decode_sym(gb, lru[0]); @@ -524,7 +524,7 @@ static int dx2_decode_slice_444(GetBitContext *gb, AVFrame *frame, uint8_t *U = frame->data[1] + ustride * line; uint8_t *V = frame->data[2] + vstride * line; -for (y = 0; y < left && get_bits_left(gb) > 16; y++) { +for (y = 0; y < left && get_bits_left(gb) > 6 * width; y++) { for (x = 0; x < width; x++) { Y[x] = decode_sym(gb, lru[0]); U[x] = decode_sym(gb, lru[1]) ^ 0x80; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
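Review bot: The new loop conditions replace the fixed "> 16" with "> 6 * width" in dx2_decode_slice_5x5(), dx2_decode_slice_rgb(), dx2_decode_slice_420() and dx2_decode_slice_444(), and with "> 9 * width" in dx2_decode_slice_410(), with no comment on where 6 and 9 come from. The loops differ in how much they decode per iteration (one row in the 444 case, two rows with y += 2 in the 420 case, four rows with y += 4 in the 410 case), so using the same factor 6 for 444 and 420 needs justification. Document the minimum bits per symbol that each factor assumes, ideally through a named constant.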
[FFmpeg-cvslog] avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Jan 15 23:42:57 2018 +0100| [fb27cebc93cb2999c31f9a0dc7f843d5b71187a8] | committer: Michael Niedermayer avcodec/hevc_cabac: Move prefix check in coeff_abs_level_remaining_decode() down Signed-off-by: Michael Niedermayer (cherry picked from commit 94d4237a7a294ce80e1e577b38e9c93e8882aff9) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fb27cebc93cb2999c31f9a0dc7f843d5b71187a8 --- libavcodec/hevc_cabac.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c index 3c22e30faa..5e46c59a24 100644 --- a/libavcodec/hevc_cabac.c +++ b/libavcodec/hevc_cabac.c @@ -979,16 +979,19 @@ static av_always_inline int coeff_abs_level_remaining_decode(HEVCContext *s, int while (prefix < CABAC_MAX_BIN && get_cabac_bypass(>HEVClc->cc)) prefix++; -if (prefix == CABAC_MAX_BIN) { -av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); -return 0; -} + if (prefix < 3) { for (i = 0; i < rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc); last_coeff_abs_level_remaining = (prefix << rc_rice_param) + suffix; } else { int prefix_minus3 = prefix - 3; + +if (prefix == CABAC_MAX_BIN) { +av_log(s->avctx, AV_LOG_ERROR, "CABAC_MAX_BIN : %d\n", prefix); +return 0; +} + for (i = 0; i < prefix_minus3 + rc_rice_param; i++) suffix = (suffix << 1) | get_cabac_bypass(>HEVClc->cc); last_coeff_abs_level_remaining = (((1 << prefix_minus3) + 3 - 1) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
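Review bot: Moving the "prefix == CABAC_MAX_BIN" test into the else branch of coeff_abs_level_remaining_decode() is equivalent to the old placement only if CABAC_MAX_BIN is at least 3; otherwise a prefix that hit the limit would take the "prefix < 3" path unchecked. Make that assumption explicit with a compile-time assertion or a comment. The hunk also leaves a blank line where the block was removed, and the error path still returns 0, which a caller cannot tell apart from a decoded value of 0.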
[FFmpeg-cvslog] avcodec/diracdec: Fix integer overflow with quant
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 7 20:43:24 2018 +0100| [347744121bc88c82088234ce8cc086453b077179] | committer: Michael Niedermayer avcodec/diracdec: Fix integer overflow with quant Fixes: signed integer overflow: 2 + 2147483646 cannot be represented in type 'int' Fixes: 4792/clusterfuzz-testcase-minimized-6322450775146496 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit eaa93175895568ef6c2542b13104874907d9c4ef) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=347744121bc88c82088234ce8cc086453b077179 --- libavcodec/diracdec.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c index 791b7f9928..9df70c3f7a 100644 --- a/libavcodec/diracdec.c +++ b/libavcodec/diracdec.c @@ -508,16 +508,16 @@ static inline void codeblock(DiracContext *s, SubBand *b, } if (s->codeblock_mode && !(s->old_delta_quant && blockcnt_one)) { -int quant = b->quant; +int quant; if (is_arith) -quant += dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); +quant = dirac_get_arith_int(c, CTX_DELTA_Q_F, CTX_DELTA_Q_DATA); else -quant += dirac_get_se_golomb(gb); -if (quant < 0) { +quant = dirac_get_se_golomb(gb); +if (quant > INT_MAX - b->quant || b->quant + quant < 0) { av_log(s->avctx, AV_LOG_ERROR, "Invalid quant\n"); return; } -b->quant = quant; +b->quant += quant; } if (b->quant > (DIRAC_MAX_QUANT_INDEX - 1)) { ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
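Review bot: The new condition "quant > INT_MAX - b->quant || b->quant + quant < 0" in codeblock() is overflow-free only while b->quant is non-negative: with a negative b->quant, INT_MAX - b->quant itself overflows, and b->quant + quant can overflow downwards. If b->quant >= 0 is an invariant here, state it in a comment or assert it; otherwise do the addition in int64_t and range-check the result. Since the next statement already compares b->quant with DIRAC_MAX_QUANT_INDEX - 1, checking the sum against that bound in the same place would cover both ends.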
[FFmpeg-cvslog] avcodec/jpeg2000dsp: Fix integer overflows in ict_int()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 7 04:12:57 2018 +0100| [e4afafaa7effe5086373790639c1d0a962d4d007] | committer: Michael Niedermayer avcodec/jpeg2000dsp: Fix integer overflows in ict_int() Fixes: signed integer overflow: 46802 * -71230 cannot be represented in type 'int' Fixes: 4756/clusterfuzz-testcase-minimized-4812495563784192 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit b3192c64b5bdcb0474cda437d2d5f9421d68811e) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e4afafaa7effe5086373790639c1d0a962d4d007 --- libavcodec/jpeg2000dsp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index 85a12d0e9b..90e73b1e20 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -64,9 +64,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) int i; for (i = 0; i < csize; i++) { -i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); +i0 = *src0 + *src2 + ((int)((26345U * *src2) + (1 << 15)) >> 16); i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); + - ((int)(((unsigned)i_ict_params[2] * *src2) + (1 << 15)) >> 16); i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
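Review bot: Only the multiplications in ict_int() are moved to unsigned arithmetic; the surrounding sums, "*src0 + *src2 + ..." for i0 and "*src0 - ... - ..." for i1, are still evaluated as signed int and can overflow for the same kind of input. Cast one operand of each sum to unsigned as well, or bound the samples before the transform, so the fix does not need a second round when the fuzzer reaches the additions.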
[FFmpeg-cvslog] configure: bump year
ffmpeg | branch: release/3.3 | Carl Eugen Hoyos| Mon Jan 1 18:05:55 2018 +0100| [68ca7aefb26cba079c9a963235e3d7bbb6001dc0] | committer: Michael Niedermayer configure: bump year Happy new year! (cherry picked from commit bddf31ba7570325dd2c8d033eae3d0dd74127f96) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=68ca7aefb26cba079c9a963235e3d7bbb6001dc0 --- configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure index 97aab62990..a48f7858bf 100755 --- a/configure +++ b/configure @@ -6799,7 +6799,7 @@ cat > $TMPH
[FFmpeg-cvslog] avcodec/opus_parser: Check payload_len in parse_opus_ts_header()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Fri Jan 5 22:12:07 2018 +0100| [ba2f8469ba951db28c7d7ede25908cb8beeacfae] | committer: Michael Niedermayer avcodec/opus_parser: Check payload_len in parse_opus_ts_header() Fixes: clusterfuzz-testcase-minimized-6134545979277312 Fixes: crbug 797469 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer (cherry picked from commit 1bcd7fefcb3c1ec47978fdc64a9e8dfb9512ae62) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ba2f8469ba951db28c7d7ede25908cb8beeacfae --- libavcodec/opus_parser.c | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/libavcodec/opus_parser.c b/libavcodec/opus_parser.c index 893573eb82..28b0933900 100644 --- a/libavcodec/opus_parser.c +++ b/libavcodec/opus_parser.c @@ -43,6 +43,7 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le const uint8_t *buf = start + 1; int start_trim_flag, end_trim_flag, control_extension_flag, control_extension_length; uint8_t flags; +uint64_t payload_len_tmp; GetByteContext gb; bytestream2_init(, buf, buf_len); @@ -52,11 +53,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le end_trim_flag = (flags >> 3) & 1; control_extension_flag = (flags >> 2) & 1; -*payload_len = 0; +payload_len_tmp = *payload_len = 0; while (bytestream2_peek_byte() == 0xff) -*payload_len += bytestream2_get_byte(); +payload_len_tmp += bytestream2_get_byte(); -*payload_len += bytestream2_get_byte(); +payload_len_tmp += bytestream2_get_byte(); if (start_trim_flag) bytestream2_skip(, 2); @@ -67,6 +68,11 @@ static const uint8_t *parse_opus_ts_header(const uint8_t *start, int *payload_le bytestream2_skip(, control_extension_length); } +if (bytestream2_tell() + payload_len_tmp > buf_len) +return NULL; + +*payload_len = payload_len_tmp; + return buf + bytestream2_tell(); } 
@@ -104,6 +110,10 @@ static int opus_find_frame_end(AVCodecParserContext *ctx, AVCodecContext *avctx, state = (state << 8) | payload[i]; if ((state & OPUS_TS_MASK) == OPUS_TS_HEADER) { payload = parse_opus_ts_header(payload, _len, buf_size - i); +if (!payload) { +av_log(avctx, AV_LOG_ERROR, "Error parsing Ogg TS header.\n"); +return AVERROR_INVALIDDATA; +} *header_len = payload - buf; start_found = 1; break; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
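Review bot: In parse_opus_ts_header() the new bound "bytestream2_tell() + payload_len_tmp > buf_len" is evaluated in uint64_t, so a negative buf_len would convert to a very large value and the check would pass; it relies on the caller's "buf_size - i" always being positive, which deserves an assertion or an early return. The reader is initialised at buf = start + 1 with length buf_len, so please confirm whether the limit should be buf_len - 1. In opus_find_frame_end() the new message reads "Error parsing Ogg TS header." although the function that failed is parse_opus_ts_header().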
[FFmpeg-cvslog] avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 7 20:58:49 2018 +0100| [bf7715fd29d5701d68379a37c59465096717ed15] | committer: Michael Niedermayer avcodec/dirac_dwt: Fix overflows in COMPOSE_HAARiH0/COMPOSE_HAARiL0 Fixes: 4830/clusterfuzz-testcase-minimized-5255392054476800 Fixes: signed integer overflow: 2147483646 - -7 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 0e62a2373475f58c72c0faf5568be00b26909585) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=bf7715fd29d5701d68379a37c59465096717ed15 --- libavcodec/dirac_dwt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/dirac_dwt.h b/libavcodec/dirac_dwt.h index f9828d95a4..1af41e0702 100644 --- a/libavcodec/dirac_dwt.h +++ b/libavcodec/dirac_dwt.h @@ -105,10 +105,10 @@ void ff_spatial_idwt_slice2(DWTContext *d, int y); (int)(((unsigned)(b2) - ((int)(-b0 + 9U*b1 + 9U*b3 - b4 + 16) >> 5))) #define COMPOSE_HAARiL0(b0, b1)\ -(b0 - ((b1 + 1) >> 1)) +((int)(b0 - (unsigned)((int)(b1 + 1U) >> 1))) #define COMPOSE_HAARiH0(b0, b1)\ -(b0 + b1) +((int)(b0 + (unsigned)(b1))) #define COMPOSE_FIDELITYiL0(b0, b1, b2, b3, b4, b5, b6, b7, b8)\ ((unsigned)b4 - ((int)(-8*(b0+(unsigned)b8) + 21*(b1+(unsigned)b7) - 46*(b2+(unsigned)b6) + 161*(b3+(unsigned)b5) + 128) >> 8)) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
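Review bot: The rewritten COMPOSE_HAARiL0 and COMPOSE_HAARiH0 use their arguments unparenthesised ("b1 + 1U", "b0 - ...", "b0 + ..."), and COMPOSE_HAARiH0 parenthesises only (b1). An argument that is itself an expression with a lower-precedence operator would be parsed differently from what the caller wrote, and the unsigned conversion would then apply to only part of it. Wrap every use as (b0) and (b1).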
[FFmpeg-cvslog] avcodec/jpeg2000: Check sum of sizes of band->prec before allocating
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jan 14 00:39:40 2018 +0100| [488a6ae7e5e8ffbcddcdda62174b898bbe6a8b4d] | committer: Michael Niedermayer avcodec/jpeg2000: Check sum of sizes of band->prec before allocating Fixes: OOM Fixes: 4810/clusterfuzz-testcase-minimized-6034253235093504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 6887e412434776eb260ad3904f565be491dd5726) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=488a6ae7e5e8ffbcddcdda62174b898bbe6a8b4d --- libavcodec/jpeg2000.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpeg2000.c b/libavcodec/jpeg2000.c index afeb9df27c..026b2db56f 100644 --- a/libavcodec/jpeg2000.c +++ b/libavcodec/jpeg2000.c @@ -543,6 +543,9 @@ int ff_jpeg2000_init_component(Jpeg2000Component *comp, if (!reslevel->band) return AVERROR(ENOMEM); +if (reslevel->num_precincts_x * (uint64_t)reslevel->num_precincts_y * reslevel->nbands > avctx->max_pixels / sizeof(*reslevel->band->prec)) +return AVERROR(ENOMEM); + for (bandno = 0; bandno < reslevel->nbands; bandno++, gbandno++) { ret = init_band(avctx, reslevel, comp, codsty, qntsty, ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
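Review bot: The new check in ff_jpeg2000_init_component() uses avctx->max_pixels, a pixel-count limit, as a byte budget by dividing it by sizeof(*reslevel->band->prec), with no comment explaining the choice. It also returns AVERROR(ENOMEM) without attempting an allocation, which makes a rejected stream indistinguishable from a real out-of-memory condition; AVERROR_INVALIDDATA or a log message would make triage easier. The check sits after reslevel->band has been allocated, so confirm that the caller's cleanup frees it on this path.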
[FFmpeg-cvslog] avcodec/snowdec: Fix integer overflow before htaps check
ffmpeg | branch: release/3.3 | Michael Niedermayer| Mon Jan 15 03:03:36 2018 +0100| [60bc7a6ec08a662c02e10eb1660d15e2a65ff0f5] | committer: Michael Niedermayer avcodec/snowdec: Fix integer overflow before htaps check Fixes: runtime error: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int' Fixes: 4828/clusterfuzz-testcase-minimized-5100849937252352 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 2eecf3cf8eeae67697934df326e98df2149881e5) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=60bc7a6ec08a662c02e10eb1660d15e2a65ff0f5 --- libavcodec/snowdec.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c index df425b8cf3..00fa064102 100644 --- a/libavcodec/snowdec.c +++ b/libavcodec/snowdec.c @@ -363,9 +363,10 @@ static int decode_header(SnowContext *s){ int htaps, i, sum=0; Plane *p= >plane[plane_index]; p->diag_mc= get_rac(>c, s->header_state); -htaps= get_symbol(>c, s->header_state, 0)*2 + 2; -if((unsigned)htaps >= HTAPS_MAX || htaps==0) +htaps= get_symbol(>c, s->header_state, 0); +if((unsigned)htaps >= HTAPS_MAX/2 - 1) return AVERROR_INVALIDDATA; +htaps = htaps*2 + 2; p->htaps= htaps; for(i= htaps/2; i; i--){ p->hcoeff[i]= get_symbol(>c, s->header_state, 0) * (1-2*(i&1)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
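Review bot: In decode_header() the rewritten test "(unsigned)htaps >= HTAPS_MAX/2 - 1" matches the old limit on htaps*2 + 2 only when HTAPS_MAX is even; for an odd value the integer division makes the new test stricter. That is safe, but note it in a comment. The variable htaps now holds the raw symbol before the check and the tap count after "htaps = htaps*2 + 2"; a separate local for the raw symbol would make the check easier to read.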
[FFmpeg-cvslog] avcodec/utils: Avoid hardcoding duplicated types in sizeof()
ffmpeg | branch: release/3.3 | Michael Niedermayer| Sun Jun 4 01:53:58 2017 +0200| [7965ffbeb111af1a8c676ca587e0ab5927c374d4] | committer: Michael Niedermayer avcodec/utils: Avoid hardcoding duplicated types in sizeof() Signed-off-by: Michael Niedermayer (cherry picked from commit 860d991fcd715233b5b9eb1f6c7bf0aadefb6061) Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7965ffbeb111af1a8c676ca587e0ab5927c374d4 --- libavcodec/utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/utils.c b/libavcodec/utils.c index 9363026695..9064cb31d6 100644 --- a/libavcodec/utils.c +++ b/libavcodec/utils.c @@ -1270,7 +1270,7 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, const AVCodec *code if (ret < 0) return ret; -avctx->internal = av_mallocz(sizeof(AVCodecInternal)); +avctx->internal = av_mallocz(sizeof(*avctx->internal)); if (!avctx->internal) { ret = AVERROR(ENOMEM); goto end; @@ -2795,7 +2795,7 @@ void avsubtitle_free(AVSubtitle *sub) av_freep(>rects); -memset(sub, 0, sizeof(AVSubtitle)); +memset(sub, 0, sizeof(*sub)); } static int do_decode(AVCodecContext *avctx, AVPacket *pkt) ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
[FFmpeg-cvslog] avformat/utils: Stream specifier enhancement
ffmpeg | branch: master | Bela Bodecs| Sun Apr 1 23:29:14 2018 +0200| [37d0213968a2b58499f52dfe09c8d7a27d4c5a86] | committer: Michael Niedermayer avformat/utils: Stream specifier enhancement Currently when specifying the program id you can only decide to select all stream of the specified program (e.g. p:103 will select all streams of program 103) or narrow the selection to a specific stream sub index (e.g. p:145:1 will select 2nd stream of program 145.) But you can not specify like all audio streams of program 145 or 3rd video stream of program 311. In some case, mainly working with multiprogram mpeg-ts containers as input, this feature would be handy. This patch makes it possible to narrow the stream selection among streams of the specified program by stream type and optionally its index. Handled types: a, v, s, d. Examples: p:601:a will select all audio streams of program 601, p:603:a:1 will select 2nd audio streams of program 603, p:604:v:0 will select first video stream of program 604. Signed-off-by: Bela Bodecs Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37d0213968a2b58499f52dfe09c8d7a27d4c5a86 --- doc/fftools-common-opts.texi | 10 +-- libavformat/utils.c | 65 2 files changed, 67 insertions(+), 8 deletions(-) diff --git a/doc/fftools-common-opts.texi b/doc/fftools-common-opts.texi index 7787e11cda..79feb39ca7 100644 --- a/doc/fftools-common-opts.texi +++ b/doc/fftools-common-opts.texi 
@@ -42,10 +42,14 @@ streams, 'V' only matches video streams which are not attached pictures, video thumbnails or cover arts. If @var{stream_index} is given, then it matches stream number @var{stream_index} of this type. Otherwise, it matches all streams of this type. -@item p:@var{program_id}[:@var{stream_index}] -If @var{stream_index} is given, then it matches the stream with number @var{stream_index} +@item p:@var{program_id}[:@var{stream_index}] or p:@var{program_id}[:@var{stream_type}[:@var{stream_index}]] +In first version, if @var{stream_index} is given, then it matches the stream with number @var{stream_index} in the program with the id @var{program_id}. Otherwise, it matches all streams in the -program. +program. In the latter version, @var{stream_type} is one of following: 'v' for video, 'a' for audio, 's' +for subtitle, 'd' for data. If @var{stream_index} is also given, then it matches +stream number @var{stream_index} of this type in the program with the id @var{program_id}. +Otherwise, if only @var{stream_type} is given, it matches all +streams of this type in the program with the id @var{program_id}. @item #@var{stream_id} or i:@var{stream_id} Match the stream by stream id (e.g. PID in MPEG-TS container). @item m:@var{key}[:@var{value}] diff --git a/libavformat/utils.c b/libavformat/utils.c index 3e482a3bbc..cc35998336 100644 --- a/libavformat/utils.c +++ b/libavformat/utils.c 
@@ -5070,11 +5070,66 @@ FF_ENABLE_DEPRECATION_WARNINGS if (s->programs[i]->id != prog_id) continue; -if (*endptr++ == ':') { -int stream_idx = strtol(endptr, NULL, 0); -return stream_idx >= 0 && -stream_idx < s->programs[i]->nb_stream_indexes && -st->index == s->programs[i]->stream_index[stream_idx]; +if (*endptr++ == ':') { // p:: +if ( *endptr == 'a' || *endptr == 'v' || + *endptr == 's' || *endptr == 'd') { // p::[:] +enum AVMediaType type; + +switch (*endptr++) { +case 'v': type = AVMEDIA_TYPE_VIDEO; break; +case 'a': type = AVMEDIA_TYPE_AUDIO; break; +case 's': type = AVMEDIA_TYPE_SUBTITLE; break; +case 'd': type = AVMEDIA_TYPE_DATA; break; +default: av_assert0(0); +} +if (*endptr++ == ':') { // p::: +int stream_idx = strtol(endptr, NULL, 0), type_counter = 0; +for (j = 0; j < s->programs[i]->nb_stream_indexes; j++) { +int stream_index = s->programs[i]->stream_index[j]; +if (st->index == s->programs[i]->stream_index[j]) { +#if FF_API_LAVF_AVCTX +FF_DISABLE_DEPRECATION_WARNINGS +return type_counter == stream_idx && + (type == st->codecpar->codec_type || +type == st->codec->codec_type); +FF_ENABLE_DEPRECATION_WARNINGS +#else +return type_counter == stream_idx && + type == st->codecpar->codec_type; +#endif + } +#if FF_API_LAVF_AVCTX
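Review bot: In the new branch that handles a stream type followed by an index, strtol(endptr, NULL, 0) is called with a NULL end pointer, so an empty index (a specifier ending in "a:") parses as 0 and any characters after the number are ignored. Pass an end pointer and reject both cases. In the visible lines the local "int stream_index = s->programs[i]->stream_index[j];" is declared but the comparison reads s->programs[i]->stream_index[j] again; use the local or drop it. The documentation hunk lists 'v', 'a', 's' and 'd' for the program form; since the text just above describes 'V' for plain type specifiers, say explicitly that it is not accepted here.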
[FFmpeg-cvslog] avcodec/mjpegdec: Check input buffer size.
ffmpeg | branch: master | Michael Niedermayer| Tue Apr 10 16:12:15 2018 +0200| [8d381b57fd9d17fb5c3a851ca46c738b3afc33a2] | committer: Michael Niedermayer avcodec/mjpegdec: Check input buffer size. Fixes: Timeout Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d381b57fd9d17fb5c3a851ca46c738b3afc33a2 --- libavcodec/mjpegdec.c | 4 libavcodec/mjpegdec.h | 1 + 2 files changed, 5 insertions(+) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index beef174618..22ca69f841 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -335,6 +335,8 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) av_log(s->avctx, AV_LOG_DEBUG, "sof0: picture: %dx%d\n", width, height); if (av_image_check_size(width, height, 0, s->avctx) < 0) return AVERROR_INVALIDDATA; +if (s->buf_size && (width + 7) / 8 * ((height + 7) / 8) > s->buf_size * 4LL) +return AVERROR_INVALIDDATA; nb_components = get_bits(>gb, 8); if (nb_components <= 0 || @@ -2247,6 +2249,8 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *got_frame, int ret = 0; int is16bit; +s->buf_size = buf_size; + av_dict_free(>exif_metadata); av_freep(>stereo3d); s->adobe_transform = -1; diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h index ff301bcb93..653fe7cae6 100644 --- a/libavcodec/mjpegdec.h +++ b/libavcodec/mjpegdec.h @@ -47,6 +47,7 @@ typedef struct MJpegDecodeContext { AVClass *class; AVCodecContext *avctx; GetBitContext gb; +int buf_size; int start_code; /* current start code */ int buffer_size; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
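Review bot: The new "int buf_size" member in MJpegDecodeContext sits two lines above the existing "int buffer_size", and nothing in the header says how they differ; rename it or add a comment. In ff_mjpeg_decode_sof() the factor in "s->buf_size * 4LL" is an undocumented heuristic for how many 8x8 blocks the input may describe per byte, and the "s->buf_size &&" guard means the check is skipped whenever the field has not been set by ff_mjpeg_decode_frame(). Both deserve a comment at the check.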
[FFmpeg-cvslog] avcodec/h264_slice: Fix integer overflow with last_poc
ffmpeg | branch: master | Michael Niedermayer| Sat Apr 7 00:34:25 2018 +0200| [8c02cd8ca097871dcd00cf8e08ce51660873f405] | committer: Michael Niedermayer avcodec/h264_slice: Fix integer overflow with last_poc Fixes: signed integer overflow: 2147483646 - -2816 cannot be represented in type 'int' Fixes: crbug 823145 Reported-by: Matt Wolenetz Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8c02cd8ca097871dcd00cf8e08ce51660873f405 --- libavcodec/h264_slice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 90e05ed8f1..d71ddbe9ba 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1316,7 +1316,7 @@ static int h264_select_output_frame(H264Context *h) } out_of_order = MAX_DELAYED_PIC_COUNT - i; if( cur->f->pict_type == AV_PICTURE_TYPE_B - || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) + || (h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > INT_MIN && h->last_pocs[MAX_DELAYED_PIC_COUNT-1] - (int64_t)h->last_pocs[MAX_DELAYED_PIC_COUNT-2] > 2)) out_of_order = FFMAX(out_of_order, 1); if (out_of_order == MAX_DELAYED_PIC_COUNT) { av_log(h->avctx, AV_LOG_VERBOSE, "Invalid POC %d<%d\n", cur->poc, h->last_pocs[0]); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
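Review bot: The (int64_t) cast in h264_select_output_frame() fixes the subtraction, but the condition is now a single very long line that indexes h->last_pocs[] three times. Load the two entries into named locals (one of them int64_t) before the if, so that the INT_MIN sentinel test and the difference are readable and a later edit cannot drop the cast unnoticed.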
[FFmpeg-cvslog] fate: to test program sub stream selection by its type in mpegts
ffmpeg | branch: master | Bela Bodecs| Wed Apr 11 22:33:02 2018 +0200| [a06175d7392326201a131fc09b3ea52617f310df] | committer: Michael Niedermayer fate: to test program sub stream selection by its type in mpegts Signed-off-by: Bela Bodecs Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a06175d7392326201a131fc09b3ea52617f310df --- tests/fate/mpegts.mak | 6 ++ tests/ref/fate/mpegts-probe-program | 8 2 files changed, 14 insertions(+) diff --git a/tests/fate/mpegts.mak b/tests/fate/mpegts.mak index bb0d9d98a7..2b128492e0 100644 --- a/tests/fate/mpegts.mak +++ b/tests/fate/mpegts.mak @@ -9,6 +9,12 @@ FATE_MPEGTS_PROBE-$(call DEMDEC, MPEGTS, HEVC, AAC_LATM) += fate-mpegts-probe-la fate-mpegts-probe-latm: SRC = $(TARGET_SAMPLES)/mpegts/loewe.ts fate-mpegts-probe-latm: CMD = run $(PROBE_CODEC_NAME_COMMAND) -i "$(SRC)" + +FATE_MPEGTS_PROBE-$(call DEMDEC, MPEGTS, HEVC, AAC_LATM) += fate-mpegts-probe-program +fate-mpegts-probe-program: SRC = $(TARGET_SAMPLES)/mpegts/loewe.ts +fate-mpegts-probe-program: CMD = run $(PROBE_CODEC_NAME_COMMAND) -select_streams p:769:v:0 -i "$(SRC)" + + FATE_SAMPLES_FFPROBE += $(FATE_MPEGTS_PROBE-yes) fate-mpegts: $(FATE_MPEGTS_PROBE-yes) diff --git a/tests/ref/fate/mpegts-probe-program b/tests/ref/fate/mpegts-probe-program new file mode 100644 index 00..bb1012c8c7 --- /dev/null +++ b/tests/ref/fate/mpegts-probe-program @@ -0,0 +1,8 @@ +[PROGRAM] +[STREAM] +codec_name=hevc +[/STREAM] +[/PROGRAM] +[STREAM] +codec_name=hevc +[/STREAM] ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
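Review bot: The new fate-mpegts-probe-program target exercises only "-select_streams p:769:v:0", that is, the type-plus-index form for video. The type-only form, the other accepted types (a, s, d) and an index that is out of range are not covered, so a regression in those branches would still pass FATE. The hunk also adds blank lines both before and after the target; one separator is enough.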
[FFmpeg-cvslog] avformat/mov: Fix extradata memleak
ffmpeg | branch: master | Michael Niedermayer| Fri Apr 6 23:56:57 2018 +0200| [0a8133119ca5d087c7c7140d100406ff84c477ee] | committer: Michael Niedermayer avformat/mov: Fix extradata memleak Fixes: crbug 822705 Reported-by: Matt Wolenetz Reviewed-by: Matt Wolenetz Signed-off-by: Michael Niedermayer > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0a8133119ca5d087c7c7140d100406ff84c477ee --- libavformat/mov.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libavformat/mov.c b/libavformat/mov.c index 97b1462aab..1340bf3913 100644 --- a/libavformat/mov.c +++ b/libavformat/mov.c @@ -2592,6 +2592,12 @@ static int mov_read_stsd(MOVContext *c, AVIOContext *pb, MOVAtom atom) return mov_finalize_stsd_codec(c, pb, st, sc); fail: +if (sc->extradata) { +int j; +for (j = 0; j < sc->stsd_count; j++) +av_freep(>extradata[j]); +} + av_freep(>extradata); av_freep(>extradata_size); return ret; ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
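Review bot: the new cleanup loop in the fail path of mov_read_stsd() is bounded by sc->stsd_count, and the hunk does not show where that counter is set relative to the allocation of sc->extradata, so please confirm that on every `goto fail` it never exceeds the number of slots actually allocated; otherwise the loop reads past the end of the array. After the per-entry frees and the free of the arrays themselves, sc->stsd_count keeps its old value; resetting it to 0 in the same block would keep any later code from indexing the freed arrays.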
[FFmpeg-cvslog] doc/filters: fix lenscorrection k1 & k2 typo
ffmpeg | branch: master | Lou Logan| Thu Apr 12 12:44:49 2018 -0800| [4d544f608608f69e68136b8333d3649866e2a7ed] | committer: Lou Logan doc/filters: fix lenscorrection k1 & k2 typo 0 means no correction, not 0.5. Also document ranges and defaults for options. Signed-off-by: Lou Logan > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4d544f608608f69e68136b8333d3649866e2a7ed --- doc/filters.texi | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/filters.texi b/doc/filters.texi index b78e05a329..09b07d2a4a 100644 --- a/doc/filters.texi +++ b/doc/filters.texi @@ -10373,15 +10373,17 @@ The filter accepts the following options: @item cx Relative x-coordinate of the focal point of the image, and thereby the center of the distortion. This value has a range [0,1] and is expressed as fractions of the image -width. +width. Default is 0.5. @item cy Relative y-coordinate of the focal point of the image, and thereby the center of the distortion. This value has a range [0,1] and is expressed as fractions of the image -height. +height. Default is 0.5. @item k1 -Coefficient of the quadratic correction term. 0.5 means no correction. +Coefficient of the quadratic correction term. This value has a range [-1,1]. 0 means +no correction. Default is 0. @item k2 -Coefficient of the double quadratic correction term. 0.5 means no correction. +Coefficient of the double quadratic correction term. This value has a range [-1,1]. +0 means no correction. Default is 0. @end table The formula that generates the correction is: ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
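Review bot: the k1 and k2 entries now state a range of [-1,1] and a default of 0, and cx/cy a default of 0.5, but the patch touches only doc/filters.texi, so the commit message should say where those values were taken from (the filter's option table) to make the doc checkable against the code. Minor: the same sentence is wrapped differently in the two entries ("0 means" is split across lines under k1 and not under k2); wrapping both the same way keeps later diffs clean.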
[FFmpeg-cvslog] lavf/hls: use ff_get_chomp_line
ffmpeg | branch: master | Jun Zhao| Mon Apr 9 23:11:02 2018 +0800| [0e49118271ce0a3e8911200824032508b5a7de16] | committer: Jun Zhao lavf/hls: use ff_get_chomp_line Signed-off-by: Jun Zhao > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0e49118271ce0a3e8911200824032508b5a7de16 --- libavformat/hls.c | 12 ++-- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/libavformat/hls.c b/libavformat/hls.c index ae0545a086..1257cd101c 100644 --- a/libavformat/hls.c +++ b/libavformat/hls.c @@ -216,14 +216,6 @@ typedef struct HLSContext { AVIOContext *playlist_pb; } HLSContext; -static int read_chomp_line(AVIOContext *s, char *buf, int maxlen) -{ -int len = ff_get_line(s, buf, maxlen); -while (len > 0 && av_isspace(buf[len - 1])) -buf[--len] = '\0'; -return len; -} - static void free_segment_list(struct playlist *pls) { int i; @@ -770,7 +762,7 @@ static int parse_playlist(HLSContext *c, const char *url, if (av_opt_get(in, "location", AV_OPT_SEARCH_CHILDREN, _url) >= 0) url = new_url; -read_chomp_line(in, line, sizeof(line)); +ff_get_chomp_line(in, line, sizeof(line)); if (strcmp(line, "#EXTM3U")) { ret = AVERROR_INVALIDDATA; goto fail; @@ -782,7 +774,7 @@ static int parse_playlist(HLSContext *c, const char *url, pls->type = PLS_TYPE_UNSPECIFIED; } while (!avio_feof(in)) { -read_chomp_line(in, line, sizeof(line)); +ff_get_chomp_line(in, line, sizeof(line)); if (av_strstart(line, "#EXT-X-STREAM-INF:", )) { is_variant = 1; memset(_info, 0, sizeof(variant_info)); ___ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
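Review bot: both call sites in parse_playlist() still discard the return value, `ff_get_chomp_line(in, line, sizeof(line));`, as they did with the removed helper. Since the playlist is fetched from a URL, it is worth confirming that ff_get_chomp_line() always leaves `line` NUL-terminated on a short or failed read, because the next statement is `strcmp(line, "#EXTM3U")`. The patch removes the local read_chomp_line() but shows neither the declaration of its replacement nor an added include, so the commit message should name the commit that introduced ff_get_chomp_line() and state that it strips trailing av_isspace() characters exactly as the removed loop did.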