ffmpeg.git
2 years agoavcodec/ffv1dec: Fix integer overflow in read_quant_table()
Michael Niedermayer [Mon, 18 Sep 2017 15:26:09 +0000 (17:26 +0200)]
avcodec/ffv1dec: Fix integer overflow in read_quant_table()

Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/svq3: Fix overflow in svq3_add_idct_c()
Michael Niedermayer [Mon, 18 Sep 2017 15:03:55 +0000 (17:03 +0200)]
avcodec/svq3: Fix overflow in svq3_add_idct_c()

Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int'
Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pngdec: Clean up on av_frame_ref() failure
Michael Niedermayer [Sun, 17 Sep 2017 00:42:11 +0000 (02:42 +0200)]
avcodec/pngdec: Clean up on av_frame_ref() failure

Fixes: memleak
Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix c?_qp_offset_list size
Michael Niedermayer [Sun, 10 Sep 2017 19:10:17 +0000 (21:10 +0200)]
avcodec/hevc_ps: Fix c?_qp_offset_list size

Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]'
Fixes:3175/clusterfuzz-testcase-minimized-4736774054084608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
Michael Niedermayer [Sat, 9 Sep 2017 23:32:51 +0000 (01:32 +0200)]
avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

Fixes: runtime error: left shift of negative value -95
Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c225da68cffbea11270a758ff42859194c980863)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/diracdec: Fix overflow in DC computation
Michael Niedermayer [Sat, 9 Sep 2017 23:32:50 +0000 (01:32 +0200)]
avcodec/diracdec: Fix overflow in DC computation

Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5995856a4236c27f231210bb08d70688e045192)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/asfdec: Fix DoS in asf_build_simple_index()
Michael Niedermayer [Mon, 4 Sep 2017 22:16:29 +0000 (00:16 +0200)]
avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
Michael Niedermayer [Fri, 1 Sep 2017 17:56:11 +0000 (19:56 +0200)]
avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int'
Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初)" <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
Michael Niedermayer [Sun, 27 Aug 2017 22:30:33 +0000 (00:30 +0200)]
avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int'
Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mvdec: Fix DoS due to lack of eof check
Michael Niedermayer [Thu, 24 Aug 2017 23:15:30 +0000 (01:15 +0200)]
avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rl2: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Thu, 24 Aug 2017 23:15:29 +0000 (01:15 +0200)]
avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/cinedec: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Thu, 24 Aug 2017 23:15:27 +0000 (01:15 +0200)]
avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/asfdec: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Fri, 25 Aug 2017 10:37:25 +0000 (12:37 +0200)]
avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/hls: Fix DoS due to infinite loop
Michael Niedermayer [Fri, 25 Aug 2017 23:26:58 +0000 (01:26 +0200)]
avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoffprobe: Fix NULL pointer handling in color parameter printing
Michael Niedermayer [Tue, 22 Aug 2017 15:27:17 +0000 (17:27 +0200)]
ffprobe: Fix NULL pointer handling in color parameter printing

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
Michael Niedermayer [Sun, 20 Aug 2017 22:18:48 +0000 (00:18 +0200)]
avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/aviobuf: Fix signed integer overflow in avio_seek()
Vitaly Buka [Sun, 20 Aug 2017 18:56:47 +0000 (11:56 -0700)]
avformat/aviobuf: Fix signed integer overflow in avio_seek()

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mov: Fix signed integer overflows with total_size
Vitaly Buka [Sun, 20 Aug 2017 18:56:47 +0000 (11:56 -0700)]
avformat/mov: Fix signed integer overflows with total_size

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_template: Fix running cleanup in decode_ics_info()
Michael Niedermayer [Mon, 21 Aug 2017 00:15:49 +0000 (02:15 +0200)]
avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Previous version reviewed-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/me_cmp: Fix crashes on ARM due to misalignment
Michael Niedermayer [Sat, 19 Aug 2017 21:38:58 +0000 (23:38 +0200)]
avcodec/me_cmp: Fix crashes on ARM due to misalignment

Adds a diff_pixels_unaligned()

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/fic: Fixes signed integer overflow
Michael Niedermayer [Thu, 17 Aug 2017 16:24:37 +0000 (18:24 +0200)]
avcodec/fic: Fixes signed integer overflow

Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/snowdec: Fix off by 1 error
Michael Niedermayer [Thu, 17 Aug 2017 18:32:03 +0000 (20:32 +0200)]
avcodec/snowdec: Fix off by 1 error

Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]'
Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/diracdec: Check perspective_exp and zrs_exp.
Michael Niedermayer [Tue, 15 Aug 2017 01:32:43 +0000 (03:32 +0200)]
avcodec/diracdec: Check perspective_exp and zrs_exp.

Fixes: undefined shift
Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int'
Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Clear mcsel before decoding an image
Michael Niedermayer [Sun, 6 Aug 2017 11:32:54 +0000 (13:32 +0200)]
avcodec/mpeg4videodec: Clear mcsel before decoding an image

Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int'
Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
Michael Niedermayer [Sun, 6 Aug 2017 03:01:45 +0000 (05:01 +0200)]
avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int'
Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: fix memory leak in avformat_free_context
Steven Siloti [Tue, 18 Jul 2017 18:26:39 +0000 (11:26 -0700)]
avformat/utils: fix memory leak in avformat_free_context

The pointer to the packet queue is stored in the internal structure
so the queue needs to be flushed before internal is freed.

Signed-off-by: Steven Siloti <ssiloti@bittorrent.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
Michael Niedermayer [Fri, 28 Jul 2017 01:22:40 +0000 (03:22 +0200)]
avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()

Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int'
Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/diracdec: Fix integer overflow in divide3()
Michael Niedermayer [Thu, 27 Jul 2017 21:49:27 +0000 (23:49 +0200)]
avcodec/diracdec: Fix integer overflow in divide3()

Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 12:37:26 +0000 (14:37 +0200)]
avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2

Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 11:41:59 +0000 (13:41 +0200)]
avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2

Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
Michael Niedermayer [Mon, 24 Jul 2017 13:48:37 +0000 (15:48 +0200)]
avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2

Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int'
Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggparsecelt: Do not re-allocate os->private
Michael Niedermayer [Tue, 25 Jul 2017 01:19:07 +0000 (03:19 +0200)]
avformat/oggparsecelt: Do not re-allocate os->private

Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agodoc/filters: typo in frei0r
Brice Waegeneire [Fri, 21 Jul 2017 22:09:29 +0000 (00:09 +0200)]
doc/filters: typo in frei0r

Signed-off-by: Brice Waegeneire <brice.wge@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix invalid shift
Michael Niedermayer [Tue, 27 Jun 2017 11:47:32 +0000 (13:47 +0200)]
avcodec/wavpack: Fix invalid shift

Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c07af720984acaafaa273369080b458d73975775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/vb: Check vertical GMC component before multiply
Michael Niedermayer [Wed, 28 Jun 2017 18:29:02 +0000 (20:29 +0200)]
avcodec/vb: Check vertical GMC component before multiply

Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int'
Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/apedec: Fix integer overflow
Michael Niedermayer [Sun, 16 Jul 2017 12:57:20 +0000 (14:57 +0200)]
avcodec/apedec: Fix integer overflow

Fixes: out of array access
Fixes: PoC.ape and others

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix integer overflow in wv_unpack_stereo()
Michael Niedermayer [Sat, 24 Jun 2017 22:13:53 +0000 (00:13 +0200)]
avcodec/wavpack: Fix integer overflow in wv_unpack_stereo()

Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int'
Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix GMC with videos of dimension 1
Michael Niedermayer [Sat, 24 Jun 2017 11:45:35 +0000 (13:45 +0200)]
avcodec/mpeg4videodec: Fix GMC with videos of dimension 1

Fixes: runtime error: shift exponent -1 is negative
Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix integer overflow
Michael Niedermayer [Thu, 22 Jun 2017 23:58:48 +0000 (01:58 +0200)]
avcodec/wavpack: Fix integer overflow

Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int'
Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fix integer overflow
Michael Niedermayer [Thu, 22 Jun 2017 19:21:56 +0000 (21:21 +0200)]
avcodec/takdec: Fix integer overflow

Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int'
Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_filter: Fix invalid shift
Michael Niedermayer [Tue, 20 Jun 2017 12:38:34 +0000 (14:38 +0200)]
avcodec/hevc_filter: Fix invalid shift

Fixes: runtime error: left shift of negative value -1

Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix overflow in virtual_ref computation
Michael Niedermayer [Tue, 20 Jun 2017 11:52:06 +0000 (13:52 +0200)]
avcodec/mpeg4videodec: Fix overflow in virtual_ref computation

Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int'
Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix undefined integer negation
Michael Niedermayer [Mon, 19 Jun 2017 12:08:58 +0000 (14:08 +0200)]
avcodec/wavpack: Fix undefined integer negation

Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264
Anton Mitrofanov [Tue, 13 Jun 2017 20:37:29 +0000 (23:37 +0300)]
avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4
Anton Mitrofanov [Tue, 30 May 2017 23:37:41 +0000 (02:37 +0300)]
avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4

Use the correct ctxIdxInc calculation for coded_block_flag.
Keep old behavior for old versions of x264 for backward compatibility.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output
Michael Niedermayer [Sun, 18 Jun 2017 12:37:19 +0000 (14:37 +0200)]
avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output

Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int'
Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcpred_template: Fix left shift of negative value
Michael Niedermayer [Sat, 17 Jun 2017 12:54:19 +0000 (14:54 +0200)]
avcodec/hevcpred_template: Fix left shift of negative value

Fixes: runtime error: left shift of negative value -1
Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()
Michael Niedermayer [Fri, 16 Jun 2017 22:34:08 +0000 (00:34 +0200)]
avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()

Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int'
Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dec: Check nonzerobits more completely
Michael Niedermayer [Fri, 16 Jun 2017 17:57:08 +0000 (19:57 +0200)]
avcodec/jpeg2000dec: Check nonzerobits more completely

Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int'
Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/shorten: Sanity check maxnlpc
Michael Niedermayer [Fri, 9 Jun 2017 00:16:54 +0000 (02:16 +0200)]
avcodec/shorten: Sanity check maxnlpc

Fixes OOM
Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: Check nb_sps
Michael Niedermayer [Wed, 14 Jun 2017 23:28:28 +0000 (01:28 +0200)]
avcodec/hevcdec: Check nb_sps

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc406744620710911de9157eafa3e61d0246566f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_refs: Check nb_refs in add_candidate_ref()
Michael Niedermayer [Wed, 14 Jun 2017 23:26:01 +0000 (01:26 +0200)]
avcodec/hevc_refs: Check nb_refs in add_candidate_ref()

Fixes: runtime error: index 16 out of bounds for type 'int [16]'
Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Check sprite delta upshift against overflowing.
Michael Niedermayer [Wed, 14 Jun 2017 21:55:17 +0000 (23:55 +0200)]
avcodec/mpeg4videodec: Check sprite delta upshift against overflowing.

Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int'
Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case
Michael Niedermayer [Wed, 14 Jun 2017 21:49:23 +0000 (23:49 +0200)]
avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case

Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int'
Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640...
Michael Niedermayer [Sun, 11 Jun 2017 18:19:59 +0000 (20:19 +0200)]
avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int'

Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/snowdec: Fix runtime error: left shift of negative value -1
Michael Niedermayer [Sun, 11 Jun 2017 12:34:54 +0000 (14:34 +0200)]
avcodec/snowdec: Fix runtime error: left shift of negative value -1

Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tiff: Fix leak of geotags[].val
Michael Niedermayer [Sat, 10 Jun 2017 23:05:26 +0000 (01:05 +0200)]
avcodec/tiff: Fix leak of geotags[].val

Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot...
Michael Niedermayer [Sat, 10 Jun 2017 22:45:20 +0000 (00:45 +0200)]
avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int'

Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot...
Michael Niedermayer [Sat, 10 Jun 2017 17:43:25 +0000 (19:43 +0200)]
avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int'

Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008...
Michael Niedermayer [Thu, 8 Jun 2017 11:44:32 +0000 (13:44 +0200)]
avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int'

Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pafvideo: Fix assertion failure
Michael Niedermayer [Tue, 6 Jun 2017 14:21:37 +0000 (16:21 +0200)]
avcodec/pafvideo: Fix assertion failure

Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096...
Michael Niedermayer [Tue, 6 Jun 2017 14:01:16 +0000 (16:01 +0200)]
avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'

Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check that reference frame matches the current frame
Michael Niedermayer [Mon, 5 Jun 2017 20:23:15 +0000 (22:23 +0200)]
avcodec/mjpegdec: Check that reference frame matches the current frame

Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tiff: Avoid loosing allocated geotag values
Michael Niedermayer [Mon, 5 Jun 2017 18:39:21 +0000 (20:39 +0200)]
avcodec/tiff: Avoid loosing allocated geotag values

Fixes memleak
Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot...
Michael Niedermayer [Mon, 5 Jun 2017 17:33:56 +0000 (19:33 +0200)]
avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'

Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/hls: Check local file extensions
Michael Niedermayer [Sat, 3 Jun 2017 19:20:04 +0000 (21:20 +0200)]
avformat/hls: Check local file extensions

This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
Michael Niedermayer [Sun, 4 Jun 2017 15:06:27 +0000 (17:06 +0200)]
avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'

Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
Michael Niedermayer [Sun, 4 Jun 2017 11:38:02 +0000 (13:38 +0200)]
avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()

Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be...
Michael Niedermayer [Sun, 4 Jun 2017 11:02:51 +0000 (13:02 +0200)]
avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'

Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type...
Michael Niedermayer [Thu, 1 Jun 2017 16:48:37 +0000 (18:48 +0200)]
avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'

Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694...
Michael Niedermayer [Wed, 31 May 2017 20:53:02 +0000 (22:53 +0200)]
avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'

Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cinepak: Check input packet size before frame reallocation
Michael Niedermayer [Wed, 31 May 2017 20:18:23 +0000 (22:18 +0200)]
avcodec/cinepak: Check input packet size before frame reallocation

Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot...
Michael Niedermayer [Wed, 31 May 2017 20:02:07 +0000 (22:02 +0200)]
avcodec/hevc_ps: Fix runtime error: signed integer overflow: 2147483628 + 256 cannot be represented in type 'int'

Fixes: 1909/clusterfuzz-testcase-minimized-6732072662073344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6726328f7940a76c43b4d97ac37ababf363d042f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot...
Michael Niedermayer [Wed, 31 May 2017 13:52:56 +0000 (15:52 +0200)]
avcodec/ra144: Fixes runtime error: signed integer overflow: 7160 * 327138 cannot be represented in type 'int'

Fixes: 1908/clusterfuzz-testcase-minimized-5392712477966336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08cb69e870c1b2fdc3574780a3662b92bfd6ef79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pnm: Use ff_set_dimensions()
Michael Niedermayer [Wed, 31 May 2017 11:39:45 +0000 (13:39 +0200)]
avcodec/pnm: Use ff_set_dimensions()

Fixes: OOM
Fixes: 1906/clusterfuzz-testcase-minimized-4599315114754048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1c0d1d906d27d3f9e1b058bb065f897f90c1c7c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot...
Michael Niedermayer [Wed, 31 May 2017 11:21:58 +0000 (13:21 +0200)]
avcodec/cavsdec: Fix runtime error: signed integer overflow: 59 + 2147483600 cannot be represented in type 'int'

Fixes: 1903/clusterfuzz-testcase-minimized-5359318167715840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 58f8cd4ac576028ef492a005bd06b1f22c3a6879)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/avidec: Limit formats in gab2 to srt and ass/ssa
Michael Niedermayer [Tue, 30 May 2017 19:29:20 +0000 (21:29 +0200)]
avformat/avidec: Limit formats in gab2 to srt and ass/ssa

This prevents part of one exploit leading to an information leak

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d849b149ca67ced2d271dc84db0bc95a548abb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range...
Michael Niedermayer [Tue, 30 May 2017 02:03:09 +0000 (04:03 +0200)]
avcodec/acelp_pitch_delay: Fix runtime error: value 4.83233e+39 is outside the range of representable values of type 'float'

Fixes: 1902/clusterfuzz-testcase-minimized-4762451407011840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 87bddba43b725d43767f2a387cdea0936ac1b549)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Check float_shift
Michael Niedermayer [Tue, 30 May 2017 01:13:21 +0000 (03:13 +0200)]
avcodec/wavpack: Check float_shift

Fixes: runtime error: shift exponent 40 is too large for 32-bit type 'unsigned int'
Fixes: 1898/clusterfuzz-testcase-minimized-5970744880136192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4020b009d1e88ff10abd25fb768165afa546851d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot...
Michael Niedermayer [Tue, 30 May 2017 01:09:11 +0000 (03:09 +0200)]
avcodec/wavpack: Fix runtime error: signed integer overflow: 24 * -2147483648 cannot be represented in type 'int'

Fixes: 1894/clusterfuzz-testcase-minimized-4716739789062144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d90c5bf10559554d6f9cd1dfb90767b991b76d5d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ansi: Fix frame memleak
Michael Niedermayer [Mon, 29 May 2017 12:07:33 +0000 (14:07 +0200)]
avcodec/ansi: Fix frame memleak

Fixes: 1892/clusterfuzz-testcase-minimized-4519341733183488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e091b9b3c7859030f2896ca2ae96faa3afc694a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dec: Use ff_set_dimensions()
Michael Niedermayer [Mon, 29 May 2017 11:45:29 +0000 (13:45 +0200)]
avcodec/jpeg2000dec: Use ff_set_dimensions()

Fixes: OOM
Fixes: 1890/clusterfuzz-testcase-minimized-6329019509243904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3da6fbff864e05e8871dd04222143abdee9e77b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/truemotion2: Fix passing null pointer to memset()
Michael Niedermayer [Sun, 28 May 2017 19:54:02 +0000 (21:54 +0200)]
avcodec/truemotion2: Fix passing null pointer to memset()

Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c901627918ff7480c1bb6f9cae507ee2c7c933d8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be repres...
Michael Niedermayer [Sun, 28 May 2017 19:54:02 +0000 (21:54 +0200)]
avcodec/truemotion2: Fix runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Fixes part of: 1888/clusterfuzz-testcase-minimized-5237704826552320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9e884f3d98df85bf7f2cf30d71877b22929fdcb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot...
Michael Niedermayer [Sun, 28 May 2017 19:44:32 +0000 (21:44 +0200)]
avcodec/ra144: Fix runtime error: signed integer overflow: -2449 * 1398101 cannot be represented in type 'int'

Fixes: 1885/clusterfuzz-testcase-minimized-5336328549957632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c845450d2daa0d066045cf94ab51cb496f1b824)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot...
Michael Niedermayer [Sun, 28 May 2017 19:38:24 +0000 (21:38 +0200)]
avcodec/ra144: Fix runtime error: signed integer overflow: 11184810 * 404 cannot be represented in type 'int'

Fixes: 1884/clusterfuzz-testcase-minimized-4637425835966464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c472c52525fcab4c80cdbc98b4625d318c84fcb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/webp: Fixes null pointer dereference
Michael Niedermayer [Wed, 10 May 2017 16:37:50 +0000 (18:37 +0200)]
avcodec/webp: Fixes null pointer dereference

Fixes: 1470/clusterfuzz-testcase-minimized-5404421666111488
Fixes: 1472/clusterfuzz-testcase-minimized-5677426430443520
Fixes: 1875/clusterfuzz-testcase-minimized-5536474562822144

Approved-by: BBB
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67020711b7d45afa073ef671f755765035a64373)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994...
Michael Niedermayer [Sun, 28 May 2017 15:12:35 +0000 (17:12 +0200)]
avcodec/snow: Fix runtime error: signed integer overflow: 1086573993 + 1086573994 cannot be represented in type 'int'

Fixes: 1871/clusterfuzz-testcase-minimized-5719950331215872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b9c032ebc0ad17ac0ffefb915ff96baf9d79cab1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 canno...
Michael Niedermayer [Sun, 28 May 2017 12:00:30 +0000 (14:00 +0200)]
avcodec/jpeg2000: Fix runtime error: signed integer overflow: 4185 + 2147483394 cannot be represented in type 'int'

Fixes: 1870/clusterfuzz-testcase-minimized-4686788029317120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 781f88bb26534ececc76eaa972f02536ba2f0f55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dec: Check tile offsets more completely
Michael Niedermayer [Sun, 28 May 2017 11:52:13 +0000 (13:52 +0200)]
avcodec/jpeg2000dec: Check tile offsets more completely

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9c1812491f7be2730351969f4abd9b99d300d604)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wnv1: More strict buffer size check
Michael Niedermayer [Sun, 28 May 2017 01:18:02 +0000 (03:18 +0200)]
avcodec/wnv1: More strict buffer size check

This requires at least 25% of a picture to allocate and decode it

Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f50c25124a015a539823077bb302ff0c7ce8963)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/libfdk-aacdec: Correct buffer_size parameter
Michael Niedermayer [Thu, 25 May 2017 01:21:50 +0000 (03:21 +0200)]
avcodec/libfdk-aacdec: Correct buffer_size parameter

the timeDataSize argument to aacDecoder_DecodeFrame() seems undocumented and until
2016 04 (203e3f28fbebec7011342017fafc2a0bda0ce530) unused.
after that commit libfdk-aacdec interprets it as size in sample units and memsets that on error.
FFmpeg as well as others (like GStreamer) did interpret it as size in bytes

Fixes: 1442/clusterfuzz-testcase-minimized-4540199973421056 (This requires recent libfdk to reproduce)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca6776a993903dbcfef5ae8a18556c40ecf83e1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ivi_dsp: Fix runtime error: left shift of negative value -2
Michael Niedermayer [Sun, 28 May 2017 01:03:46 +0000 (03:03 +0200)]
avcodec/ivi_dsp: Fix runtime error: left shift of negative value -2

Fixes: 1839/clusterfuzz-testcase-minimized-6238490993885184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 357f2316a08478a4442e8051978c7b161e10281c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error
Michael Niedermayer [Sat, 27 May 2017 11:17:34 +0000 (13:17 +0200)]
avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error

Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]'
Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144dec: Fix runtime error: left shift of negative value -17
Michael Niedermayer [Sat, 27 May 2017 11:07:00 +0000 (13:07 +0200)]
avcodec/ra144dec: Fix runtime error: left shift of negative value -17

Fixes: 1830/clusterfuzz-testcase-minimized-5828293733384192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53c0c637d36c1de9ea461a8d863e8703da090894)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/internal: Do not enable CHECKED with DEBUG
Michael Niedermayer [Fri, 7 Apr 2017 11:49:09 +0000 (13:49 +0200)]
avutil/internal: Do not enable CHECKED with DEBUG

This avoids potential undefined behavior in debug mode while still allowing
developers which want to check for potential additional overflows to do so
by manually enabling this.

Reviewed-by: wm4
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a44b3abb4cf922e379fbac55452d0482a8223597)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/smc: Check remaining input
Michael Niedermayer [Thu, 25 May 2017 18:07:49 +0000 (20:07 +0200)]
avcodec/smc: Check remaining input

Fixes: Timeout
Fixes: 1818/clusterfuzz-testcase-minimized-5039166473633792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 356194fcb17375de2472f4cbff6ede48d6a374b2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>