ffmpeg.git
10 months agoavcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
Michael Niedermayer [Mon, 2 Jul 2018 16:57:05 +0000 (18:57 +0200)]
avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()

Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/jpeg2000dec: Check that there are enough bytes for all tiles
Michael Niedermayer [Mon, 2 Jul 2018 16:40:08 +0000 (18:40 +0200)]
avcodec/jpeg2000dec: Check that there are enough bytes for all tiles

Fixes: OOM
Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/escape124: Fix spelling errors in comment
Michael Niedermayer [Wed, 27 Jun 2018 11:00:28 +0000 (13:00 +0200)]
avcodec/escape124: Fix spelling errors in comment

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/ra144: Fix integer overflow in ff_eval_refl()
Michael Niedermayer [Thu, 21 Jun 2018 21:08:32 +0000 (23:08 +0200)]
avcodec/ra144: Fix integer overflow in ff_eval_refl()

Fixes: signed integer overflow: -4096 * -524288 cannot be represented in type 'int'
Fixes: 8650/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5734816036159488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b31189881a4cf54b0057ecf3eab917ad56eecfea)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/cscd: Check output buffer size for lzo.
Michael Niedermayer [Thu, 21 Jun 2018 23:18:20 +0000 (01:18 +0200)]
avcodec/cscd: Check output buffer size for lzo.

Fixes: Timeout
Fixes: 8665/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5768442610188288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit 78167b498f53c36c31105a2bf11e90b03637598f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/escape124: Check buf_size against num_superblocks
Michael Niedermayer [Sun, 24 Jun 2018 17:23:02 +0000 (19:23 +0200)]
avcodec/escape124: Check buf_size against num_superblocks

Fixes: Timeout
Fixes: 8722/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ESCAPE124_fuzzer-4843268402577408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6677c98626489edfdb4b49b4f66ca91867768a9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()
Michael Niedermayer [Thu, 21 Jun 2018 20:48:54 +0000 (22:48 +0200)]
avcodec/mjpegdec: Check for end of bitstream in ljpeg_decode_rgb_scan()

Fixes: Timeout
Fixes: 8648/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5108395525799936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 540e8c2d641bf90fc28e47e170f8c0b1962197e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fi...
Michael Niedermayer [Thu, 14 Jun 2018 14:41:49 +0000 (16:41 +0200)]
avcodec/aacdec_fixed: Fix undefined integer overflow in apply_independent_coupling_fixed()

Fixes: signed integer overflow: 1195517 * 2048 cannot be represented in type 'int'
Fixes: 8636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-4695836326887424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8bd514d9343746566b123275f8b6d0e9c11ec2b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/dirac_dwt_template: Fix undefined behavior in interleave()
Michael Niedermayer [Thu, 14 Jun 2018 14:37:32 +0000 (16:37 +0200)]
avcodec/dirac_dwt_template: Fix undefined behavior in interleave()

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8697/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5197148130902016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 575d8ca0260fabac29e5b3541154633569ce2b5d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavutil/common: Fix undefined behavior in av_clip_uintp2_c()
Michael Niedermayer [Thu, 14 Jun 2018 13:41:33 +0000 (15:41 +0200)]
avutil/common: Fix undefined behavior in av_clip_uintp2_c()

Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 8521/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5639024952737792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa41d322be71106ce147445f2b42bb763f1eff86)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agofftools/ffmpeg: Fallback to duration if sample rate is unavailable
Michael Niedermayer [Tue, 1 May 2018 20:44:07 +0000 (22:44 +0200)]
fftools/ffmpeg: Fallback to duration if sample rate is unavailable

Regression since: af1761f7
Fixes: Division by 0
Fixes: ffmpeg_crash_1

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16d8b13b3b26c19d7f8856e039fe6662d96b4ff3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: Only set pkt->duration to non negative values
Michael Niedermayer [Wed, 16 May 2018 21:35:58 +0000 (23:35 +0200)]
avformat/mov: Only set pkt->duration to non negative values

Reviewed-by: Sasi Inguva <isasi@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8176799f31b23849382623f0f9001acc5edf7c76)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/h264_mc_template: Only prefetch motion if the list is used.
Michael Niedermayer [Fri, 8 Jun 2018 16:25:14 +0000 (18:25 +0200)]
avcodec/h264_mc_template: Only prefetch motion if the list is used.

Fixes: index 59 out of bounds for type 'H264Ref [48]'
Fixes: 8232/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5703295145345024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b55591757244d8244a2be369c2b54c9ae79b02a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/xwddec: Use ff_set_dimensions()
Michael Niedermayer [Thu, 7 Jun 2018 22:42:31 +0000 (00:42 +0200)]
avcodec/xwddec: Use ff_set_dimensions()

Fixes: OOM
Fixes: 8178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XWD_fuzzer-4844793342459904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c2852e4e00de4073ff7de82d41cb3368702686e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/wavpack: Fix overflow in adding tail
Michael Niedermayer [Thu, 7 Jun 2018 22:07:04 +0000 (00:07 +0200)]
avcodec/wavpack: Fix overflow in adding tail

Fixes: signed integer overflow: 2146907204 + 26846088 cannot be represented in type 'int'
Fixes: 8105/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-6233036682166272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d13379fb79708f550460dd6d698023bf26f968d5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/shorten: Fix multiple integer overflows
Michael Niedermayer [Tue, 5 Jun 2018 11:19:35 +0000 (13:19 +0200)]
avcodec/shorten: Fix multiple integer overflows

Fixes: signed integer overflow: 3 * 1006632960 cannot be represented in type 'int'
Fixes: 8278/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5692857166856192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f2abd36b3863188894fd21964c662b6c17268bfb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/shorten: Sanity check nmeans
Michael Niedermayer [Tue, 5 Jun 2018 11:03:48 +0000 (13:03 +0200)]
avcodec/shorten: Sanity check nmeans

Fixes: OOM
Fixes: 8195/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5179785826271232

The reference software appears to use longs for 32bits and it uses int for nmeans
hinting that the intended maximum size was not 32bit.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d91a0b503d7a886587281bc1ee42476aa5e89f85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()
Michael Niedermayer [Tue, 5 Jun 2018 00:17:24 +0000 (02:17 +0200)]
avcodec/mjpegdec: Fix integer overflow in ljpeg_decode_rgb_scan()

Fixes: signed integer overflow: 32768 + 2147450880 cannot be represented in type 'int'
Fixes: 7885/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5298834394578944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 936f4a2c2e14ec753e8835f2e820b4cd9aec9a56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/truemotion2: Fix overflow in tm2_apply_deltas()
Michael Niedermayer [Tue, 5 Jun 2018 00:09:59 +0000 (02:09 +0200)]
avcodec/truemotion2: Fix overflow in tm2_apply_deltas()

Fixes: signed integer overflow: 1077952576 + 1077952576 cannot be represented in type 'int'
Fixes: 7712/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5056281753681920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 79c6047c3668c639f717b3a7001a34dddba0ede2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c
Michael Niedermayer [Sat, 2 Jun 2018 23:33:54 +0000 (01:33 +0200)]
avcodec/opus_silk: Change silk_lsf2lpc() slightly toward silk/NLSF2A.c

Fixes: runtime error: signed integer overflow: -1440457022 - 785819492 cannot be represented in type 'int'
Fixes: 7700/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OPUS_fuzzer-6595838684954624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7dda51150b73e5fbdccf4c2d3a72e356980fba3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/amrwbdec: Fix division by 0 in find_hb_gain()
Michael Niedermayer [Sat, 2 Jun 2018 22:48:06 +0000 (00:48 +0200)]
avcodec/amrwbdec: Fix division by 0 in find_hb_gain()

This restructures the code slightly toward D_UTIL_dec_synthesis()

Fixes: 7420/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMRWB_fuzzer-6577305112543232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dce80a4b47efaba97707bda781a9ee57f5a26974)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: replace a value error by clipping into valid range in mov_read_stsc()
Michael Niedermayer [Mon, 21 May 2018 01:16:58 +0000 (03:16 +0200)]
avformat/mov: replace a value error by clipping into valid range in mov_read_stsc()

Fixes: #7165

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe84f70819d6f5aab3c4823290e0d32b99d6de78)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: Break out early if chunk_count is 0 in mov_build_index()
Michael Niedermayer [Tue, 15 May 2018 15:06:59 +0000 (17:06 +0200)]
avformat/mov: Break out early if chunk_count is 0 in mov_build_index()

Without this some operations might overflow (undefined behavior)
even though the index adding loop would never execute

No testcase known

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56e76bd0579cc7f7b28860885d9e569a39daf41b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/fic: Avoid some magic numbers related to cursors
Michael Niedermayer [Sat, 5 May 2018 21:42:36 +0000 (23:42 +0200)]
avcodec/fic: Avoid some magic numbers related to cursors

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c6a11714c4b1227be62cbc36651ccfc415e8e623)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/g2meet: ask for sample with overflowing RGB
Michael Niedermayer [Wed, 16 May 2018 20:50:19 +0000 (22:50 +0200)]
avcodec/g2meet: ask for sample with overflowing RGB

Suggested-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab834b8f36c8157b7015e849405cbf6ae21e672f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coup...
Michael Niedermayer [Fri, 25 May 2018 20:06:48 +0000 (22:06 +0200)]
avcodec/aacdec_fixed: use 64bit to avoid overflow in rounding in apply_dependent_coupling_fixed()

Fixes: signed integer overflow: -2141499320 + -14469590 cannot be represented in type 'int'
Fixes: 7351/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-6351214791884800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90475db97e2e5931d295df6ab86519fa2e14d259)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agooavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior
Michael Niedermayer [Fri, 25 May 2018 20:02:20 +0000 (22:02 +0200)]
oavcodec/aacpsdsp_template: Use unsigned for hs0X to prevent undefined behavior

Fixes: signed integer overflow: 1073741842 + 1784008138 cannot be represented in type 'int'
Fixes: 6792/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5677589835284480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 62cb6fadf33de6db386deac92853d4b95c930015)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/g723_1dec: Clip bits2 in both directions
Michael Niedermayer [Fri, 25 May 2018 19:56:04 +0000 (21:56 +0200)]
avcodec/g723_1dec: Clip bits2 in both directions

Fixes: shift exponent 33 is too large for 32-bit type 'int'
Fixes: 6743/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G723_1_fuzzer-5823772687859712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53f241218d9eac368e2e1c58bcca9bbdf10fd0e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()
Michael Niedermayer [Mon, 21 May 2018 21:08:05 +0000 (23:08 +0200)]
avcodec/mpeg4videoenc: Use 64 bit for times in mpeg4_encode_gop_header()

Fixes truncation
Fixes Assertion n <= 31 && value < (1U << n) failed at libavcodec/put_bits.h:169
Fixes: ffmpeg_crash_2.avi

Found-by: Thuan Pham <thuanpv@comp.nus.edu.sg>, Marcel Böhme, Andrew Santosa and Alexandru RazvanCaciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e1182fac1afba92a4975917823a5f644bee7e6e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/mlpdec: Only change noise_type if the related fields are valid
Michael Niedermayer [Thu, 17 May 2018 11:58:46 +0000 (13:58 +0200)]
avcodec/mlpdec: Only change noise_type if the related fields are valid

Fixes: inconsistency
Fixes:runtime error: index 8 out of bounds for type 'int32_t [8]'
Fixes: 6686/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEHD_fuzzer-5191383498358784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63c4a4b0d692bc86142790276358ba35129f2290)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoindeo4: Decode all or nothing of a band header.
Michael Niedermayer [Thu, 17 May 2018 11:40:38 +0000 (13:40 +0200)]
indeo4: Decode all or nothing of a band header.

This avoids inconsistent value combinations.
Alternatively it would be possible to add more checks and careful use of
temporary variables, but my try of this quickly seemed to become
a rather large change.
The disadvantage of this, is that the struct is copied back and forth.

Fixes: index 6 out of bounds for type 'const uint16_t [5][16]'
Fixes: 6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 10c8521265da86118597336c5589e26de377a374)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: Only fail for STCO/STSC contradictions if both exist
Michael Niedermayer [Tue, 15 May 2018 15:07:00 +0000 (17:07 +0200)]
avformat/mov: Only fail for STCO/STSC contradictions if both exist

Fixes regression with playback of GF9720Repeal20the20Eighth20with20Helen20Linehan.m4a
See: crbug 822666

Found-by: "Mattias Wadman <mattias.wadman@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c2d689c56646cce64d02a3b75f61c12c5589260)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0
Michael Niedermayer [Sun, 13 May 2018 22:10:33 +0000 (00:10 +0200)]
avcodec/dirac_dwt: Fix integer overflow in COMPOSE_DD97iH0 / COMPOSE_DD137iL0

Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int');
Fixes: 6500/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-4523620274536448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cb944fc7f1327443a0cf449afbce5a3e8712f90f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/fic: Check available input space for cursor
Michael Niedermayer [Sat, 5 May 2018 20:00:01 +0000 (22:00 +0200)]
avcodec/fic: Check available input space for cursor

Fixes: out of array read
Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cb2f7ea96b4f6e03ebf0c0563677745fc65f148e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/g2meet: Check RGB upper limit
Michael Niedermayer [Fri, 27 Apr 2018 18:16:13 +0000 (20:16 +0200)]
avcodec/g2meet: Check RGB upper limit

Fixes: runtime error: left shift of 1876744317 by 16 places cannot be represented in type 'int'
Fixes: 6799/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5115274731716608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4dd2c8b9ea46b4e008a8bfc2077834428cd5a17c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration...
Michael Niedermayer [Fri, 4 May 2018 17:18:25 +0000 (19:18 +0200)]
avcodec/jpeg2000dec: Fix undefined shift in the jpeg2000_decode_packets_po_iteration() CPRL case

Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 7955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6016721977606144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 652ba72ed3124f201f98eea9bafb2232b535f549)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done
Michael Niedermayer [Fri, 4 May 2018 17:11:36 +0000 (19:11 +0200)]
avcodec/jpeg2000dec: Skip init for component in CPRL if nothing is to be done

Fixes: assertion failure
Fixes: 7949/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4819602782552064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a96c131eb53b00de154f4773d96a3b323ea3daed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/g2meet: Change order of operations to avoid undefined behavior
Michael Niedermayer [Fri, 4 May 2018 16:16:08 +0000 (18:16 +0200)]
avcodec/g2meet: Change order of operations to avoid undefined behavior

Fixes: signed integer overflow: 65280 * 196032 cannot be represented in type 'int'
Fixes: 7279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5977332473921536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0a4745145840d97619c424961c1b5c625dbf516c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/flac_parser: Fix infinite loop
Michael Niedermayer [Mon, 30 Apr 2018 20:20:28 +0000 (22:20 +0200)]
avcodec/flac_parser: Fix infinite loop

Fixes: crbug/827204

Reported-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 15a2e35e9e74bba5a27e39c26da5be2361f27945)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()
Michael Niedermayer [Fri, 27 Apr 2018 19:44:07 +0000 (21:44 +0200)]
avcodec/wavpack: Fix integer overflow in DEC_MED() / INC_MED()

Fixes: runtime error: signed integer overflow: 2147483637 + 128 cannot be represented in type 'int'
Fixes: 6701/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVPACK_fuzzer-5358324934508544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e95d80e6fae978f8a44afc24b0c5097a062719f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/error_resilience: Fix integer overflow in filter181()
Michael Niedermayer [Sun, 22 Apr 2018 19:46:05 +0000 (21:46 +0200)]
avcodec/error_resilience: Fix integer overflow in filter181()

Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int'
Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/h263dec: Check slice_ret in mspeg4 slice loop
Michael Niedermayer [Sun, 22 Apr 2018 19:07:45 +0000 (21:07 +0200)]
avcodec/h263dec: Check slice_ret in mspeg4 slice loop

Fixes infinite loop
Fixes: 6858/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_MSMPEG4V3_fuzzer-4681563766784000
Fixes: 6890/clusterfuzz-testcase-ffmpeg_AV_CODEC_ID_WMV1_fuzzer-4756103142309888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit de841fbea7655b74a9663001e01008a86c88779a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/elsdec: Fix memleaks
Michael Niedermayer [Tue, 24 Apr 2018 23:54:17 +0000 (01:54 +0200)]
avcodec/elsdec: Fix memleaks

Fixes: 6798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G2M_fuzzer-5135899701542912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0bd0401336df4e4ca7f3da6a7e226904fd7d5add)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/vc1_block: simplify ac_val computation
Michael Niedermayer [Mon, 23 Apr 2018 00:08:10 +0000 (02:08 +0200)]
avcodec/vc1_block: simplify ac_val computation

also fixes: runtime error: index 1456 out of bounds for type 'int16_t [16]'

Found-by: durandal_1707
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d06b01fc2d4f5e031d45f9460d1eea610d23d6c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/ffv1enc: Check that the crc + version combination is supported
Michael Niedermayer [Sat, 21 Apr 2018 20:19:31 +0000 (22:19 +0200)]
avcodec/ffv1enc: Check that the crc + version combination is supported

The crc flag is only stored since version 3 thus before this crcs do not
work. We increase the version as needed same as we do with pix_fmts

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d9706f79c17a33bf97e51a7d6ab211ce83a463ee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agolavf/http.c: Free allocated client URLContext in case of error.
Stephan Holljes [Fri, 12 Jan 2018 18:16:29 +0000 (19:16 +0100)]
lavf/http.c: Free allocated client URLContext in case of error.

Signed-off-by: Stephan Holljes <klaxa1337@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b6b8c92652d6683d97515352e4a9a4147b7da7c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/dsicinvideo: Fail if there is only a small fraction of the data available...
Michael Niedermayer [Mon, 16 Apr 2018 20:29:09 +0000 (22:29 +0200)]
avcodec/dsicinvideo: Fail if there is only a small fraction of the data available that comprises a full frame

Fixes: Timeout
Fixes: 6306/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSICINVIDEO_fuzzer-5079253549842432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5549488bbf3a23c0fb9833cefc6354f97055dd96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/dsicinvideo: Propagate errors from cin_decode_rle()
Michael Niedermayer [Mon, 16 Apr 2018 20:28:23 +0000 (22:28 +0200)]
avcodec/dsicinvideo: Propagate errors from cin_decode_rle()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 942217b153a9bff2d17463957abd772fcd72b400)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/dfa: Check dimension against maximum
Michael Niedermayer [Mon, 16 Apr 2018 20:04:53 +0000 (22:04 +0200)]
avcodec/dfa: Check dimension against maximum

The headers from where the dimensions are read in actual files
are limited to 16bit per component.

Fixes: Timeout
Fixes: 6305/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DFA_fuzzer-4824270749302784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d5a4fcfbb51edc871bdb1c67a88223cbfb1c0e4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/cinepak: Skip empty frames
Michael Niedermayer [Tue, 17 Apr 2018 00:13:43 +0000 (02:13 +0200)]
avcodec/cinepak: Skip empty frames

Speeds up decoding from 3 to 0.1 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9033920bec9ccf17de205fc17c2b330906b200f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/cinepak: move some checks prior to frame allocation
Michael Niedermayer [Tue, 17 Apr 2018 00:13:42 +0000 (02:13 +0200)]
avcodec/cinepak: move some checks prior to frame allocation

Speeds up decoding from 8 to 3 seconds for 6302/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CINEPAK_fuzzer-5626371985375232
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2324ef1ff32e5effd6f295bca80580ae4816be0b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoswresample/arm: remove unintentional relocation.
Rahul Chaudhry [Wed, 18 Apr 2018 23:29:39 +0000 (16:29 -0700)]
swresample/arm: remove unintentional relocation.

Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable neon during gstreamer build,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/41556c415739fbc3a72c7eaee7e70a565b719b2f

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b22db4f465c9adb2cf1489e04f7b65ef6bb55b8b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agodoc/APIchanges: Fix typos in hashes
Michael Niedermayer [Mon, 16 Apr 2018 16:23:12 +0000 (18:23 +0200)]
doc/APIchanges: Fix typos in hashes

Thanks-to: Moritz Barsnick <barsnick@gmx.net> for finding the correct ones

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec8a5262b03f85158d722dbc8b8f30cb6bd67e0f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/utils: Check cur_dts in update_initial_timestamps() more
Michael Niedermayer [Fri, 13 Apr 2018 09:38:48 +0000 (11:38 +0200)]
avformat/utils: Check cur_dts in update_initial_timestamps() more

Fixes: runtime error: signed integer overflow: 18133149658382192 - -9223090561878065151 cannot be represented in type 'long long'
Fixes: crbug 831552

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37d46dc21d708192b12aa13617ebe6a117b07363)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/utils: Enforce minimum width also for VP5/6
Michael Niedermayer [Wed, 11 Apr 2018 17:50:52 +0000 (19:50 +0200)]
avcodec/utils: Enforce minimum width also for VP5/6

Fixes: out of array access
Fixes: poc_0411

Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Tested-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 544324827e0131e43af1a54fb790a48a25fd7ba4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/truemotion2: Propagate out of bounds error from GET_TOK()
Michael Niedermayer [Tue, 10 Apr 2018 20:24:03 +0000 (22:24 +0200)]
avcodec/truemotion2: Propagate out of bounds error from GET_TOK()

Fixes: Timeout
Fixes: 6389/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5695918121680896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f6304af2341d0cee51c2116766622e3ac567b7a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/mjpegdec: Check input buffer size.
Michael Niedermayer [Tue, 10 Apr 2018 14:12:15 +0000 (16:12 +0200)]
avcodec/mjpegdec: Check input buffer size.

Fixes: Timeout
Fixes: 6381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5665032743419904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8d381b57fd9d17fb5c3a851ca46c738b3afc33a2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agolavc/libopusdec: Allow avcodec_open2 to call .close
Matt Wolenetz [Tue, 10 Apr 2018 20:59:25 +0000 (13:59 -0700)]
lavc/libopusdec: Allow avcodec_open2 to call .close

If there is a decoder initialization failure detected in avcodec_open2
after .init is called, allow graceful decoder .close to prevent leaking
libopus decoder allocations.

BUG=828526

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e43e97f0e0f0596b56ceb2f887fe7414f202f081)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/movtextdec: Check style_start/end
Michael Niedermayer [Sun, 8 Apr 2018 01:29:44 +0000 (03:29 +0200)]
avcodec/movtextdec: Check style_start/end

Limits based on 3GPP TS 26.245 V14.0.0
Fixes: Timeout
Fixes: 6377/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOVTEXT_fuzzer-5175929115508736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 249aca8f98ff7fb09c12ea68e23c862c62203b95)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()
Michael Niedermayer [Sat, 7 Apr 2018 19:55:06 +0000 (21:55 +0200)]
avcodec/aacsbr_fixed: Fix integer overflow in sbr_hf_assemble()

Fixes: runtime error: signed integer overflow: 2052929346 + 204817098 cannot be represented in type 'int'

This was missed in b1bef755f617af9685b592d866b3eb7f3c4b02b1
Fixes: 5275/clusterfuzz-testcase-minimized-5367635958038528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c837918f50a7bbd6150afd340857ea43fe4717c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agolibavcodec/rv34: error out earlier on missing references
Michael Niedermayer [Mon, 2 Apr 2018 18:01:07 +0000 (20:01 +0200)]
libavcodec/rv34: error out earlier on missing references

Fixes visual corruption on seeking

Fixes: downloadTest_clip_24M.rmvb

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6cd81d68c5e4b0ff00288970c4151ff4031c0ea9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoswresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float...
Hendrik Schreiber [Thu, 5 Apr 2018 11:58:37 +0000 (13:58 +0200)]
swresample/swresample: Fix for seg fault in swr_convert_internal() -> sum2_float during dithering.

Removed +len1 in call to s->mix_2_1_f() as I found no logical explanation for it. After removal, problem was gone.

Signed-off-by: Hendrik Schreiber <hs@tagtraum.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 647fd4b8292e3bfae30b1086aa842a5ee47ee868)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()
Michael Niedermayer [Sat, 31 Mar 2018 19:19:19 +0000 (21:19 +0200)]
avcodec/aacdec_fixed: Fix integer overflow in apply_independent_coupling_fixed()

I was not able to reproduce this, this fix is based on just the fuzzer log.
Fixes: 4959/clusterfuzz-testcase-minimized-6035350934781952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 197a4e8feed45b2e5868760240e83636818f32a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/cscd: Error out when LZ* decompression fails
Michael Niedermayer [Sun, 11 Mar 2018 23:05:04 +0000 (00:05 +0100)]
avcodec/cscd: Error out when LZ* decompression fails

Fixes: Timeout
Fixes: 6304/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CSCD_fuzzer-5754772461191168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d52be5d4e91871a22dac70af3e0ab429e95a2d10)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()
heimdallr [Sat, 31 Mar 2018 12:37:23 +0000 (19:37 +0700)]
avcodec/imgconvert: Fix loss mask bug in avcodec_find_best_pix_fmt_of_list()

example:

AVPixelFormat pixFmts[] = { AV_PIX_FMT_RGB24, AV_PIX_FMT_RGBA };
int loss = 0;
AVPixelFormat best = avcodec_find_best_pix_fmt_of_list(pixFmts, AV_PIX_FMT_BGRA, 1, &loss);

best is AV_PIX_FMT_RGB24. But AV_PIX_FMT_RGBA is better.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 354b26a3945eadd4ed8fcd801dfefad2566241de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()
Michael Niedermayer [Sun, 25 Mar 2018 00:51:28 +0000 (01:51 +0100)]
avcodec/wmalosslessdec: Fix null pointer dereference in decode_frame()

Fixes: 2018_03_23_poc.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea15915b2dc5aaa80c91879fbd183475a7e66e54)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables
Michael Niedermayer [Wed, 28 Mar 2018 23:07:24 +0000 (01:07 +0200)]
avcodec/tableprint_vlc: Fix build failure with --enable-hardcoded-tables

Found-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c75438b893539dd17998c489fb4c540fc5a6e48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/get_bits: Make sure the input bitstream with padding can be addressed
Michael Niedermayer [Sat, 24 Mar 2018 00:38:53 +0000 (01:38 +0100)]
avcodec/get_bits: Make sure the input bitstream with padding can be addressed

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e529fe7633762cb26a665fb6dee3be29b15285cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: Check STSC and remove invalid entries
Michael Niedermayer [Fri, 16 Mar 2018 18:53:36 +0000 (19:53 +0100)]
avformat/mov: Check STSC and remove invalid entries

Fixes assertion failure
Fixes: crbug 822547, crbug 822666 and crbug 823009

Affects: aark15sd_9A62E2FA.mp4

Found-by: ClusterFuzz
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e67447a4ffacf28af8bace33faf3ea432ddc43e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels...
Michael Niedermayer [Tue, 27 Feb 2018 14:17:12 +0000 (15:17 +0100)]
avcodec/nuv: rtjpeg with dimensions less than 16 would result in no decoded pixels thus reject it

Fixes: Timeout
Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 939440ad1aa820bed51f54d273b4fa6c5016d9f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg
Michael Niedermayer [Tue, 27 Feb 2018 14:17:12 +0000 (15:17 +0100)]
avcodec/nuv: Check for minimum input size for uncomprssed and rtjpeg

Fixes: Timeout
Fixes: 6297/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NUV_fuzzer-4882404863901696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ee3265dbe2e85537affe3b3055b00ba8646aa70)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavcodec/wmalosslessdec: Reset num_saved_bits on error path
Michael Niedermayer [Sat, 10 Mar 2018 23:13:57 +0000 (00:13 +0100)]
avcodec/wmalosslessdec: Reset num_saved_bits on error path

Fixes: NULL pointer dereference
Fixes: poc-201803.wav
Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64c9ce0abc0fd8774b523afda3ddb17c86caa86a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/mov: Fix integer overflows related to sample_duration
Michael Niedermayer [Fri, 9 Mar 2018 15:43:29 +0000 (16:43 +0100)]
avformat/mov: Fix integer overflows related to sample_duration

Fixes: runtime error: signed integer overflow: -9166684017437101870 + -2495066639299164439 cannot be represented in type

Fixes: Chromium bug 791349

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f37082827a405430c40408ee2db19ea2866ce64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE
Michael Niedermayer [Thu, 8 Mar 2018 16:28:36 +0000 (17:28 +0100)]
avformat/oggparsedaala: Do not adjust AV_NOPTS_VALUE

Fixes: potential signed integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f655ddfb47e8484b205b14c7f871c643ad24d701)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/oggparseogm: Check lb against psize
Michael Niedermayer [Fri, 9 Mar 2018 00:05:20 +0000 (01:05 +0100)]
avformat/oggparseogm: Check lb against psize

No testcase, this was found during code review

Found-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3e7c847aaf5a298b62afae12b4ecfb8e12385998)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/oggparseogm: Fix undefined shift in ogm_packet()
Michael Niedermayer [Thu, 8 Mar 2018 22:14:04 +0000 (23:14 +0100)]
avformat/oggparseogm: Fix undefined shift in ogm_packet()

Fixes: shift exponent 48 is too large for 32-bit type 'int'
Fixes: Chromium bug 786793
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 010b7b30b721b90993e05e9ee6338e88bb8debb3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/avidec: Fix integer overflow in cum_len check
Michael Niedermayer [Thu, 8 Mar 2018 21:40:50 +0000 (22:40 +0100)]
avformat/avidec: Fix integer overflow in cum_len check

Fixes: signed integer overflow: 3775922176 * 4278190080 cannot be represented in type 'long'
Fixes: Chromium bug 791237

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06e092e7819b9437da32925200e7c369f93d82e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE
Michael Niedermayer [Thu, 8 Mar 2018 16:28:36 +0000 (17:28 +0100)]
avformat/oggparsetheora: Do not adjust AV_NOPTS_VALUE

Fixes: Chromium bug 795653
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 02ecda4aba69670ca744ccc640391b7621f01fb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agoavformat/utils: Fix integer overflow of fps_first/last_dts
Michael Niedermayer [Tue, 6 Mar 2018 23:10:11 +0000 (00:10 +0100)]
avformat/utils: Fix integer overflow of fps_first/last_dts

Fixes: runtime error: signed integer overflow: 7738135736989908991 - -7898362169240453118 cannot be represented in type 'long'
Fixes: Chromium bug 796778
Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b1362e408cd6acb63fef126b814b0d16562aa8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
10 months agolibavformat/oggparsevorbis: Fix memleak on multiple headers
Michael Niedermayer [Tue, 6 Mar 2018 17:14:12 +0000 (18:14 +0100)]
libavformat/oggparsevorbis: Fix memleak on multiple headers

Fixes: Chromium bug 800123
Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3934aa495d786845d9f541c84ee405c096938f76)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
17 months agoavdevice/iec61883: free the private context at the end
James Almer [Wed, 18 Apr 2018 18:32:10 +0000 (15:32 -0300)]
avdevice/iec61883: free the private context at the end

Fixes part of ticket #7146.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5079e96bcc7aaa9cae82a58397ce986e124028e4)

17 months agoavdevice/iec61883: return reference counted packets
James Almer [Wed, 18 Apr 2018 18:19:40 +0000 (15:19 -0300)]
avdevice/iec61883: return reference counted packets

Fixes part of ticket #7146, dealing with leaks of packet data since
commit 87c88122703f2befcf96383d05bdf14373c22df9.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b8629654c6460a28c507f816a977914e3a6f2520)

17 months agoavdevice/iec61883: free packet on buffer allocation error
Marton Balint [Wed, 8 Feb 2017 22:37:42 +0000 (23:37 +0100)]
avdevice/iec61883: free packet on buffer allocation error

Fixes Coverity CID 1396416.

Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit 4556dad2b7379a527134db519ab60111abefaf10)

18 months agoChangelog: update n3.0.11
Michael Niedermayer [Tue, 27 Feb 2018 19:00:58 +0000 (20:00 +0100)]
Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/bintext: sanity check dimensions
Michael Niedermayer [Mon, 26 Feb 2018 20:17:08 +0000 (21:17 +0100)]
avcodec/bintext: sanity check dimensions

Fixes: Timeout
Fixes: 6277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XBIN_fuzzer-6047202288861184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 090c0abff9c8b27304614f15d9464dbf4ea59833)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/utvideodec: Check subsample factors
Michael Niedermayer [Mon, 26 Feb 2018 02:02:48 +0000 (03:02 +0100)]
avcodec/utvideodec: Check subsample factors

Fixes: Out of array read
Fixes: heap_poc

Found-by: GwanYeong Kim <gy741.kim@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7414d0bda7763f9bd69c26c068e482ab297c1c96)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/smc: Check input packet size
Michael Niedermayer [Fri, 23 Feb 2018 02:40:02 +0000 (03:40 +0100)]
avcodec/smc: Check input packet size

Fixes: Timeout
Fixes: 6261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMC_fuzzer-5811309653262336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0293663483ab5dbfff23602a62800d84e021b33c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/cavsdec: Check alpha/beta offset
Michael Niedermayer [Tue, 20 Feb 2018 22:11:01 +0000 (23:11 +0100)]
avcodec/cavsdec: Check alpha/beta offset

Fixes: Integer overflow
Fixes: 6183/clusterfuzz-testcase-minimized-6269224436629504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae2eb04648839bfc6c61c32cb0f124e91bb7ff8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/diracdec: Fix integer overflow in mv computation
Michael Niedermayer [Sun, 18 Feb 2018 20:51:38 +0000 (21:51 +0100)]
avcodec/diracdec: Fix integer overflow in mv computation

Fixes: signed integer overflow: -2072 + -2147483646 cannot be represented in type 'int'
Fixes: 6097/clusterfuzz-testcase-minimized-5034145253163008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47e65ad63b3d067445c4de41a7718b83fc07767c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/aacdec_templat: Fix integer overflow in apply_ltp()
Michael Niedermayer [Sun, 18 Feb 2018 15:55:52 +0000 (16:55 +0100)]
avcodec/aacdec_templat: Fix integer overflow in apply_ltp()

Fixes: signed integer overflow: -1625276744 + -1041893960 cannot be represented in type 'int'
Fixes: 5948/clusterfuzz-testcase-minimized-5791479856365568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 33fe17bdc88d51a8e0c87aa1e8011aaaf38a7a90)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()
Michael Niedermayer [Sat, 17 Feb 2018 23:11:33 +0000 (00:11 +0100)]
avcodec/jpeg2000dwt: Fix integer overflows in sr_1d53()

Fixes: 5918/clusterfuzz-testcase-minimized-5120505435652096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 793347a54579ee954b58d336b82eed4a1786de21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/diracdec: Use int64 in global mv to prevent overflow
Michael Niedermayer [Sat, 17 Feb 2018 22:54:44 +0000 (23:54 +0100)]
avcodec/diracdec: Use int64 in global mv to prevent overflow

Fixes: runtime error: signed integer overflow: 361 * -6295541 cannot be represented in type 'int'
Fixes: 5911/clusterfuzz-testcase-minimized-6450382197751808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cbcbefdc3b4cbc917d2f8b2dd216fb12121a838b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavcodec/dxtory: Remove code that corrupts dimensions
Michael Niedermayer [Sat, 17 Feb 2018 20:27:16 +0000 (21:27 +0100)]
avcodec/dxtory: Remove code that corrupts dimensions

Fixes: Timeout
Fixes: 5796/clusterfuzz-testcase-minimized-5206729085157376

Does someone have a valid sample that triggers this path ?

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3748746a4d6988484d34516f7a3c6febf7bdf488)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
18 months agoavformat/hvcc: zero initialize the nal buffers past the last written byte
James Almer [Fri, 23 Feb 2018 03:03:15 +0000 (00:03 -0300)]
avformat/hvcc: zero initialize the nal buffers past the last written byte

Prevents use of uninitialized values.

Fixes ticket #7038.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 9482ec1b203e4cf51d7f60c85d261cc13f9a9d2f)

19 months agoswresample/rematrix: fix update of channel matrix if input or output layout is undefined
Tobias Rapp [Wed, 14 Feb 2018 16:01:08 +0000 (17:01 +0100)]
swresample/rematrix: fix update of channel matrix if input or output layout is undefined

Prefer direct in/out channel count values over channel layout, when
available. Fixes a pan filter bug (ticket #6790).

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
(cherry picked from commit 6325bd3717348615adafb52e4da2fd01a3007d0a)

19 months agoUpdate for 3.0.11
Michael Niedermayer [Mon, 19 Feb 2018 13:44:49 +0000 (14:44 +0100)]
Update for 3.0.11

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
19 months agoavcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()
Michael Niedermayer [Sat, 17 Feb 2018 20:47:09 +0000 (21:47 +0100)]
avcodec/dirac_dwt_template: Fix Integer overflow in horizontal_compose_dd137i()

Fixes: 5894/clusterfuzz-testcase-minimized-5315325420634112
Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 647fa49495c39a48b7ccb92acd8fb975b1575456)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
19 months agoavcodec/vp8: Check for bitstream end before vp7_fade_frame()
Michael Niedermayer [Sat, 17 Feb 2018 03:20:52 +0000 (04:20 +0100)]
avcodec/vp8: Check for bitstream end before vp7_fade_frame()

Fixes: Timeout
Fixes: 5653/clusterfuzz-testcase-5497680018014208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit de675648cef7e451ca82fabaee0d8ec1fe653311)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
19 months agoavcodec/exr: Check remaining bits in last get code loop
Michael Niedermayer [Wed, 14 Feb 2018 12:01:46 +0000 (13:01 +0100)]
avcodec/exr: Check remaining bits in last get code loop

Fixes: runtime error: shift exponent -7 is negative
Fixes: 3902/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-6081926122176512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd8351b1184b8054925c28ecc5fcb6dbbc177fad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
19 months agoavutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()
Michael Niedermayer [Wed, 14 Feb 2018 02:54:13 +0000 (03:54 +0100)]
avutil/common: Fix integer overflow in av_clip_uint8_c() and av_clip_uint16_c()

Fixes: 5567/clusterfuzz-testcase-minimized-5769966247739392
Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab6f571ef71967da7c7c1cfba483d3597c7357d5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>