ffmpeg.git
5 months ago - avcodec/pgssubdec: Check for duplicate display segments
Michael Niedermayer [Tue, 29 Jan 2019 00:06:01 +0000 (01:06 +0100)]
avcodec/pgssubdec: Check for duplicate display segments

In such a duplication the previous one gets overwritten and leaks.

Fixes: memleak
Fixes: 12510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5694439226343424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e35c3d887b3e374c6a091342206a42da48785d70)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5 months ago - avformat/rtsp: Check number of streams in sdp_parse_line()
Michael Niedermayer [Fri, 25 Jan 2019 20:30:04 +0000 (21:30 +0100)]
avformat/rtsp: Check number of streams in sdp_parse_line()

Fixes: OOM

Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 497c9b0cce559d43607bbbd679fe42f1d7e9040e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5 months ago - avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect()
Michael Niedermayer [Sun, 27 Jan 2019 23:53:22 +0000 (00:53 +0100)]
avformat/rtsp: Clear reply in every iteration in ff_rtsp_connect()

Fixes: Infinite loop

Found-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0b50f27635f684ec0526e9975c9979f35bbf486b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5 months ago - avcodec/fic: Check that there is input left in fic_decode_block()
Michael Niedermayer [Tue, 22 Jan 2019 23:30:53 +0000 (00:30 +0100)]
avcodec/fic: Check that there is input left in fic_decode_block()

Fixes: Timeout
Fixes: 12450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5661984622641152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db1c4acd02af4de5dfbea6012c296470679aa7a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5 months ago - avutil/mem: Optimize fill32() by unrolling and using 64bit
Michael Niedermayer [Thu, 17 Jan 2019 21:35:10 +0000 (22:35 +0100)]
avutil/mem: Optimize fill32() by unrolling and using 64bit

Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 12b1338be376a3e5fb606d9fe41b58dc4a9e62c7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
5 months ago - avcodec/hevcdec: decode at most one slice reporting being the first in the picture
James Almer [Mon, 18 Mar 2019 20:25:58 +0000 (17:25 -0300)]
avcodec/hevcdec: decode at most one slice reporting being the first in the picture

Fixes deadlocks when decoding packets containing more than one of the aforementioned
slices when using frame threads.

Tested-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 70c8c8a818f39bc262565ec29fae2baffb3e1660)

7 months ago - avfilter/af_silenceremove: fix possible crash if supplied duration is negative
Paul B Mahol [Mon, 27 Nov 2017 15:32:54 +0000 (16:32 +0100)]
avfilter/af_silenceremove: fix possible crash if supplied duration is negative

Signed-off-by: Paul B Mahol <onemda@gmail.com>
Fixes ticket #7697.
(cherry picked from commit 2d1594a8d6a754a426cb53184dccf9cf8c8a94b0)

8 months ago - configure: bump year (tag: n3.2.13)
James Almer [Tue, 1 Jan 2019 18:26:31 +0000 (15:26 -0300)]
configure: bump year

Happy new year!

(cherry picked from commit 3209d7b3930bab554bf7d97d8041d9d0b88423a8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - Update for 3.2.13
Michael Niedermayer [Mon, 14 Jan 2019 23:41:45 +0000 (00:41 +0100)]
Update for 3.2.13

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/diracdec: Check component quant
Michael Niedermayer [Wed, 14 Nov 2018 08:42:44 +0000 (09:42 +0100)]
avcodec/diracdec: Check component quant

Fixes: Timeout
Fixes: 10708/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5730140957442048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 28c96c2ce2781c2cd147a9f3c299e18ce1dc7ff8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/tests/rangecoder: initialize array to avoid valgrind warning
Michael Niedermayer [Fri, 4 Jan 2019 01:46:29 +0000 (02:46 +0100)]
avcodec/tests/rangecoder: initialize array to avoid valgrind warning

Found-by: jamrial
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c15972f0af7679b466dd4a10a54ab2f04f9372c8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/h264_slice: Fix integer overflow in implicit_weight_table()
Michael Niedermayer [Fri, 4 Jan 2019 19:00:38 +0000 (20:00 +0100)]
avcodec/h264_slice: Fix integer overflow in implicit_weight_table()

Fixes: signed integer overflow: 2 * 2132811760 cannot be represented in type 'int'
Fixes: 11156/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6237685933408256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 77e56d74f972537aecd5bc2c5c4111e1d6ad0963)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/exr: set layer_match in all branches
Michael Niedermayer [Tue, 25 Dec 2018 20:30:54 +0000 (21:30 +0100)]
avcodec/exr: set layer_match in all branches

Otherwise it is left to the value from the previous iteration

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 433d2ae4353f3c513a45780845d9d8ca252cd4dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/4xm: Fix returned error codes
Michael Niedermayer [Mon, 31 Dec 2018 17:11:44 +0000 (18:11 +0100)]
avcodec/4xm: Fix returned error codes

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07607a1db879d0d96e2c91e1354bc4e425937d3a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/mjpegbdec: Fix some misplaced {} and spaces
Michael Niedermayer [Fri, 28 Dec 2018 21:22:56 +0000 (22:22 +0100)]
avcodec/mjpegbdec: Fix some misplaced {} and spaces

Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 11a8d2ccab1fe165eef4578c048d38731dbe1d6f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avformat/wvdec: detect and error out on WavPack DSD files
David Bryant [Wed, 21 Nov 2018 05:00:47 +0000 (21:00 -0800)]
avformat/wvdec: detect and error out on WavPack DSD files

Not currently supported.

(cherry picked from commit db109373d87b1fa5fe9f3d027d1bb752f725b74a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when msa is enabled
gxw [Mon, 24 Dec 2018 06:07:44 +0000 (14:07 +0800)]
avcodec/mips: Fix failed case: hevc-conformance-AMP_A_Samsung_* when msa is enabled

The AV_INPUT_BUFFER_PADDING_SIZE has been increased to 64, but the value is still 32
in function ff_hevc_sao_edge_filter_8_msa. So, use AV_INPUT_BUFFER_PADDING_SIZE directly.
Also, use MAX_PB_SIZE directly instead of 64. Fate tests passed.

Reviewed-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f652c7a45c60427db0a89fae665e63b546af6ebb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/fic: Fail on invalid slice size/off
Michael Niedermayer [Sun, 16 Dec 2018 20:43:07 +0000 (21:43 +0100)]
avcodec/fic: Fail on invalid slice size/off

Fixes: Timeout
Fixes: 11486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-5677133863583744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30a7a81cdc2ee2eac6d3271439c43f11b7327b3e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - postproc/postprocess_template: remove FF_REG_sp from clobber list
Michael Niedermayer [Thu, 20 Dec 2018 21:40:06 +0000 (22:40 +0100)]
postproc/postprocess_template: remove FF_REG_sp from clobber list

Future gcc may no longer support this

Tested-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c1cbeb87db4bfc6e281e4254a6c7fdd3854fc9b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - postproc/postprocess_template: Avoid using %4 for the threshold compare
Michael Niedermayer [Thu, 20 Dec 2018 21:40:05 +0000 (22:40 +0100)]
postproc/postprocess_template: Avoid using %4 for the threshold compare

This avoids problems if %4 is the stack pointer.
The constraints do not allow %4 to be the stack pointer, but gcc 9 may
no longer support specifying such constraints.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4325527e1c4fd2da119e81933172065ee1274eda)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/rpza: Check that there is enough data for all the blocks
Michael Niedermayer [Sun, 16 Dec 2018 18:13:27 +0000 (19:13 +0100)]
avcodec/rpza: Check that there is enough data for all the blocks

Fixes: Timeout
Fixes: 11547/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RPZA_fuzzer-5678435842654208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e63517e00a1a8375c7fb3b8c4c64c9a7c3da713e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/rpza: Move frame allocation to a later point
Michael Niedermayer [Sun, 16 Dec 2018 18:04:56 +0000 (19:04 +0100)]
avcodec/rpza: Move frame allocation to a later point

This will allow performing some fast checks before the slow allocation

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8a708aa99cb0e8d76e52117b1fd89d221f0055e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID
Michael Niedermayer [Fri, 7 Dec 2018 20:52:30 +0000 (21:52 +0100)]
avcodec/avcodec: Document the data type for AV_PKT_DATA_MPEGTS_STREAM_ID

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68e011e4103b9cb5ac2d152d73ca8393065a33fb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avformat/mpegts: Fix side data type for stream id
Michael Niedermayer [Fri, 7 Dec 2018 20:51:48 +0000 (21:51 +0100)]
avformat/mpegts: Fix side data type for stream id

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab1319d82f0c77308792fa2d88cbfc73c3e47cb7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/mjpegdec: Fix indentation of ljpeg_decode_yuv_scan()
Michael Niedermayer [Tue, 18 Dec 2018 13:27:48 +0000 (14:27 +0100)]
avcodec/mjpegdec: Fix indentation of ljpeg_decode_yuv_scan()

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea30ac1e408246382796f61d645d1e087aed390a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - lavf/id3v2: fail read_apic on EOF reading mimetype
chcunningham [Fri, 14 Dec 2018 21:44:07 +0000 (13:44 -0800)]
lavf/id3v2: fail read_apic on EOF reading mimetype

avio_read may return EOF, leaving the mimetype array uninitialized. Fail
early when this occurs to avoid using the array in an uninitialized state.

Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee1e39a576977fd38c3b94fc56125d31d38833e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avformat/nutenc: Document trailer index assert better
Michael Niedermayer [Fri, 14 Dec 2018 20:52:09 +0000 (21:52 +0100)]
avformat/nutenc: Document trailer index assert better

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a95b73abc868995b08ca2b4d8bbf2cda43184f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - lavf/mov: ensure only one tkhd per trak
chcunningham [Thu, 13 Dec 2018 21:58:40 +0000 (13:58 -0800)]
lavf/mov: ensure only one tkhd per trak

Chromium fuzzing produced a whacky file with extra tkhds. This caused
an AVStream that was already in use to be corrupted by assigning it a
new id, which blows up later in mov_read_trun because the
MOVFragmentStreamInfo.index_entry now points OOB.

Reviewed-by: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9f7b6f7a9fdffa0ab8f3aa84a1f701cf5b3a6e9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/msvideo1: Check for too small dimensions
Michael Niedermayer [Sat, 1 Dec 2018 21:16:19 +0000 (22:16 +0100)]
avcodec/msvideo1: Check for too small dimensions

Such a low resolution would result in empty output, as a minimum of 4x4 is needed.
We could also check for multiple-of-4 dimensions, but that is not needed.

Fixes: Timeout
Fixes: 11191/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSVIDEO1_fuzzer-5739529588178944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 953bd58861ad933e614510140b05a61e3d1375be)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/wmv2dec: Skip I frame if it's smaller than 1/8 of the minimal size
Michael Niedermayer [Tue, 27 Nov 2018 22:37:03 +0000 (23:37 +0100)]
avcodec/wmv2dec: Skip I frame if it's smaller than 1/8 of the minimal size

Frames that small are not valid and of limited use for error concealment, while
being very computationally intensive to process.

Fixes: Timeout
Fixes: 11168/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV2_fuzzer-5733782032744448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6f4341522c3eafb046c47b115d79ce684a899fc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/msmpeg4dec: Skip frame if it's smaller than 1/8 of the minimal size
Michael Niedermayer [Thu, 29 Nov 2018 01:32:10 +0000 (02:32 +0100)]
avcodec/msmpeg4dec: Skip frame if it's smaller than 1/8 of the minimal size

Frames that small are not valid and of limited use for error concealment, while
being very computationally intensive to process.

Fixes: Timeout
Fixes: 11318/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSMPEG4V1_fuzzer-5710884555456512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 09ec182864d41c990bc18f620eabb77444aeff57)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
8 months ago - avcodec/truemotion2rt: Fix rounding in input size check
Michael Niedermayer [Sat, 17 Nov 2018 08:24:30 +0000 (09:24 +0100)]
avcodec/truemotion2rt: Fix rounding in input size check

Fixes: Timeout
Fixes: 11332/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2RT_fuzzer-5678456612847616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f22a4ebc97817fd0968f5ea8295c9a59a6292e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/truemotion2: fix integer overflows in tm2_low_chroma()
Michael Niedermayer [Fri, 16 Nov 2018 23:38:53 +0000 (00:38 +0100)]
avcodec/truemotion2: fix integer overflows in tm2_low_chroma()

Fixes: 11295/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-4888953459572736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2ae39d795613f3c6925c59852b625029b747fe42)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/pngdec: Check compression method
Michael Niedermayer [Fri, 9 Nov 2018 02:12:45 +0000 (03:12 +0100)]
avcodec/pngdec: Check compression method

method 0 (inflate/deflate) is the only one specified in the specification and the only one supported

Fixes: Timeout
Fixes: 10976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PNG_fuzzer-5729372588736512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f99674ddddcc33f4c37def0a206e31ad7c4c1af)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/shorten: Fix integer overflow with offset
Michael Niedermayer [Fri, 9 Nov 2018 18:59:27 +0000 (19:59 +0100)]
avcodec/shorten: Fix integer overflow with offset

Fixes: signed integer overflow: -1625810908 - 582229060 cannot be represented in type 'int'
Fixes: 10977/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5732602018267136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2f888771cd1ce8d68d4b18a1009650c1f260aaf2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/cavsdec: Propagate error codes inside decode_mb_i()
Michael Niedermayer [Sun, 4 Nov 2018 19:00:16 +0000 (20:00 +0100)]
avcodec/cavsdec: Propagate error codes inside decode_mb_i()

Fixes: Timeout
Fixes: 10702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CAVS_fuzzer-5669940938407936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c1cee0565692c541f589aefd7f375d37f55b9d94)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu...
Michael Niedermayer [Sun, 28 Oct 2018 20:08:39 +0000 (21:08 +0100)]
avcodec/mpegaudio_parser: Consume more than 0 bytes in case of the unsupported mp3adu case

Fixes: Timeout
Fixes: 10966/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADU_fuzzer-5348695024336896
Fixes: 10969/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5691669402877952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df91af140c5543cfbbed187f696e79b554d2c135)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avutil/integer: Fix integer overflow in av_mul_i()
Michael Niedermayer [Tue, 23 Oct 2018 23:44:12 +0000 (01:44 +0200)]
avutil/integer: Fix integer overflow in av_mul_i()

Found-by: fate
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3cc3cb663bf3061e40356392d2f7638de6a479fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/msrle: Check that the input is large enough to contain an end of picture code
Michael Niedermayer [Sun, 21 Oct 2018 12:40:14 +0000 (14:40 +0200)]
avcodec/msrle: Check that the input is large enough to contain an end of picture code

Fixes: Timeout
Fixes: 10625/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MSRLE_fuzzer-5659651283091456

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 203ccb8746997777ce66beadd53b4631d217b9cd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling
Michael Niedermayer [Sat, 20 Oct 2018 20:35:37 +0000 (22:35 +0200)]
avcodec/jpeg2000dec: Fix off by 1 error in JPEG2000_PGOD_CPRL handling

Fixes: assertion failure
Fixes: 10785/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5672160496975872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 305e523105f6f59e7572050f19edc9f4671c036c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/mpeg4videodec: Fix typo in sprite delta check
Michael Niedermayer [Wed, 17 Oct 2018 23:19:36 +0000 (01:19 +0200)]
avcodec/mpeg4videodec: Fix typo in sprite delta check

Fixes: Integer overflow
Fixes: 10890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5636062181851136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b737317a8813e671c00b8ac7023c47e48ffeb1c8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/h264_cavlc: Check mb_skip_run
Michael Niedermayer [Thu, 4 Oct 2018 01:13:41 +0000 (03:13 +0200)]
avcodec/h264_cavlc: Check mb_skip_run

Fixes: 10300/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-6292205497483264
Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f72b9904fefa79d799d0f6ecc8bd97ce52658725)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/ra144: Fix integer overflow in add_wav()
Michael Niedermayer [Wed, 10 Oct 2018 02:25:50 +0000 (04:25 +0200)]
avcodec/ra144: Fix integer overflow in add_wav()

Fixes: signed integer overflow: -2144033225 + -5208934 cannot be represented in type 'int'
Fixes: 10633/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-5679133791617024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c6282141cba20934d9801f31134872fabbd6ba3e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avformat/utils: Never store negative values in last_IP_duration
Michael Niedermayer [Fri, 12 Oct 2018 18:55:25 +0000 (20:55 +0200)]
avformat/utils: Never store negative values in last_IP_duration

Fixes: integer overflow compute_pkt_fields()
Fixes: compute_pkt_usan

Reported-by: Thomas Guilbert <tguilbert@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 079d1a7175c4b881631a7e7f449c4c13b761cdeb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avformat/utils: Fix integer overflow in discontinuity check
Michael Niedermayer [Fri, 12 Oct 2018 01:00:32 +0000 (03:00 +0200)]
avformat/utils: Fix integer overflow in discontinuity check

Fixes: signed integer overflow: 7738135736989908991 - -7954308516317364223 cannot be represented in type 'long'
Fixes: find_stream_info_usan

Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e19cfcfa3944fe4cf97bea758f72f104dcaebad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/unary: Improve get_unary() docs
Michael Niedermayer [Sat, 22 Sep 2018 13:18:17 +0000 (15:18 +0200)]
avcodec/unary: Improve get_unary() docs

Found-by: kierank
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad89e203bfedf25df00e2a6ed9196170d772f25b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/dvdsubdec: Sanity check len in decode_rle()
Michael Niedermayer [Thu, 13 Sep 2018 01:33:50 +0000 (03:33 +0200)]
avcodec/dvdsubdec: Sanity check len in decode_rle()

Fixes: Timeout
Fixes: 9778/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5186007132536832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7b023e1db9fb13175929c02a02846d03510ec91)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/mpeg4videodec: Fix undefined shift in get_amv()
Michael Niedermayer [Fri, 14 Sep 2018 22:20:38 +0000 (00:20 +0200)]
avcodec/mpeg4videodec: Fix undefined shift in get_amv()

Fixes: runtime error: shift exponent -1 is negative
Fixes: 9938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5653783529914368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c88afa44c4823aba7b6f4a1b01fd6a4169643c57)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/zmbv: Check that the decompressed data size is correct
Michael Niedermayer [Mon, 17 Sep 2018 22:28:37 +0000 (00:28 +0200)]
avcodec/zmbv: Check that the decompressed data size is correct

This checks the value exactly for intra frames and checks it against a
minimum for inter frames as they can be variable.

Fixes: Timeout
Fixes: 10182/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ZMBV_fuzzer-6245951174344704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e33b28cc79d164fff22bfee750c9283587c00bc4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/zmbv: Update decomp_len in raw frames
Michael Niedermayer [Mon, 17 Sep 2018 19:33:59 +0000 (21:33 +0200)]
avcodec/zmbv: Update decomp_len in raw frames

decomp_len is used in raw frames, so it should not be left at the value from
whatever was decoded previously (which may be any other frame)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d201b83cda03fd9e866acafee82d7ce88260e66)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/shorten: Fix bitstream end check in read_header()
Michael Niedermayer [Sat, 15 Sep 2018 00:08:20 +0000 (02:08 +0200)]
avcodec/shorten: Fix bitstream end check in read_header()

Fixes: Timeout
Fixes: 9961/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5687856176562176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 28b80c2d52d82eb4f73af5f818dab60946bcf299)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/dvdsubdec: Avoid branch in decode_run_8bit()
Michael Niedermayer [Thu, 13 Sep 2018 02:24:49 +0000 (04:24 +0200)]
avcodec/dvdsubdec: Avoid branch in decode_run_8bit()

Speed improvement 35.5 sec -> 34.7 sec

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71bf0330505e2108935d05c5c018ec65eac4b946)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()
Michael Niedermayer [Fri, 17 Aug 2018 00:06:27 +0000 (02:06 +0200)]
avcodec/h264_refs: Document last if() in ff_h264_execute_ref_pic_marking()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 697984b9db4d4d199680f43ac3eb662cd1d37eff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/ra144: Fix undefined integer overflow in add_wav()
Michael Niedermayer [Sun, 26 Aug 2018 00:26:24 +0000 (02:26 +0200)]
avcodec/ra144: Fix undefined integer overflow in add_wav()

Fixes: signed integer overflow: -26884 * 91439 cannot be represented in type 'int'
Fixes: 9687/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RA_144_fuzzer-4995588121690112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93a203662f6ff1bb9fd2e966bf7df27e9bdb1916)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avformat/mov: Error on too large stsd entry counts.
Dale Curtis [Thu, 30 Aug 2018 22:18:25 +0000 (15:18 -0700)]
avformat/mov: Error on too large stsd entry counts.

Entries are always at least 8 bytes per the parsing code, so if we
see an impossible entry count avoid massive allocations. This is
similar to an existing check in mov_read_stsc().

Since ff_mov_read_stsd_entries() does eof checks, an alternative
approach could be to clamp the entry count to atom.size / 8.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 320b631a99a9f759fd1d5460fd4e285d184b8186)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
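Added example, not FFmpeg code: the allocation-bounding check described in the commit message above, written against a constructed stsd-like payload (1 byte version, 3 bytes flags, 32-bit big-endian entry count, then entries). The per-entry record size of 64 bytes, the function names and the byte layout are assumptions for illustration; the point is that a declared count larger than payload_size / 8 cannot be valid when each entry occupies at least 8 bytes, so it is rejected before anything is allocated. The clamp variant the message mentions as an alternative is included for comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical size of the in-memory record a demuxer keeps per declared
 * entry. The real struct in any given demuxer differs; only the fact that
 * the allocation scales with the declared count matters here. */
#define ENTRY_RECORD_BYTES 64
/* Smallest possible on-disk entry: a 4-byte size plus a 4-byte type. */
#define MIN_ENTRY_ON_DISK  8

typedef struct {
    uint32_t entry_count;   /* count as declared in the payload */
    uint64_t alloc_bytes;   /* what a parser would allocate for it */
} StsdInfo;

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked variant: trusts the declared entry count. A 32-bit count times
 * the record size is the "massive allocation" the fix avoids. */
int parse_stsd_unchecked(const uint8_t *payload, size_t payload_len, StsdInfo *out)
{
    if (payload_len < 8)          /* version(1) + flags(3) + entry_count(4) */
        return -1;
    out->entry_count = rd_be32(payload + 4);
    out->alloc_bytes = (uint64_t)out->entry_count * ENTRY_RECORD_BYTES;
    return 0;
}

/* Checked variant: every entry occupies at least MIN_ENTRY_ON_DISK bytes,
 * so a count above body_len / 8 cannot come from a well-formed file.
 * Reject it before allocating anything. */
int parse_stsd_checked(const uint8_t *payload, size_t payload_len, StsdInfo *out)
{
    if (payload_len < 8)
        return -1;
    uint32_t count    = rd_be32(payload + 4);
    size_t   body_len = payload_len - 8;
    if ((uint64_t)count > (uint64_t)body_len / MIN_ENTRY_ON_DISK)
        return -1;
    out->entry_count = count;
    out->alloc_bytes = (uint64_t)count * ENTRY_RECORD_BYTES;
    return 0;
}

/* The alternative the commit message mentions: clamp the count to what the
 * payload can hold and rely on per-entry EOF checks afterwards. */
uint32_t clamp_entry_count(uint32_t count, size_t body_len)
{
    uint64_t max_entries = (uint64_t)body_len / MIN_ENTRY_ON_DISK;
    return (uint64_t)count > max_entries ? (uint32_t)max_entries : count;
}

/* Constructed payloads (not taken from real files). */
/* Declares 2 entries and carries two 8-byte entries: consistent. */
static const uint8_t good_stsd[] = {
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x08,  'a', 'v', 'c', '1',
    0x00, 0x00, 0x00, 0x08,  'm', 'p', '4', 'a',
};
/* Declares 0x7FFFFFFF entries but carries only one 8-byte entry. */
static const uint8_t bad_stsd[] = {
    0x00, 0x00, 0x00, 0x00,  0x7F, 0xFF, 0xFF, 0xFF,
    0x00, 0x00, 0x00, 0x08,  'a', 'v', 'c', '1',
};

int main(void)
{
    StsdInfo info;
    if (parse_stsd_unchecked(bad_stsd, sizeof bad_stsd, &info) == 0)
        printf("unchecked: would allocate %llu bytes for %u entries\n",
               (unsigned long long)info.alloc_bytes, info.entry_count);
    int rc = parse_stsd_checked(bad_stsd, sizeof bad_stsd, &info);
    printf("checked on bad payload: %d\n", rc);
    rc = parse_stsd_checked(good_stsd, sizeof good_stsd, &info);
    printf("checked on good payload: %d (%u entries, %llu bytes)\n",
           rc, info.entry_count, (unsigned long long)info.alloc_bytes);
    return 0;
}
```

The same bound applies to any count-prefixed table (the sdp_parse_line() stream-count and rpza block-count fixes in this log are the same shape): derive the maximum plausible count from the bytes actually present, and compare against that before allocating or looping.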
9 months ago - avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()
Michael Niedermayer [Mon, 20 Aug 2018 20:53:32 +0000 (22:53 +0200)]
avcodec/hq_hqa: Check remaining input bits in hqa_decode_mb()

Fixes: Timeout
Fixes: 9634/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-6267852259590144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c9222b972d6cbdaf6571cf7ae0a6513bffa5ff9f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/vb: Check for end of bytestream before reading blocktype
Michael Niedermayer [Mon, 20 Aug 2018 20:19:23 +0000 (22:19 +0200)]
avcodec/vb: Check for end of bytestream before reading blocktype

Fixes: Timeout
Fixes: 9601/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VB_fuzzer-4550228702134272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cbac9ce20d32806febf64cbd9f830e1485695ca)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago - avcodec/snowdec: Fix integer overflow with motion vector residual
Michael Niedermayer [Mon, 20 Aug 2018 18:15:19 +0000 (20:15 +0200)]
avcodec/snowdec: Fix integer overflow with motion vector residual

Fixes: signed integer overflow: -19818 + -2147483648 cannot be represented in type 'int'
Fixes: 9545/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-4928769537081344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acba153a148782c08f9fd17f0c05b93468f3cbd0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
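Added example, not FFmpeg code: the signed-overflow class that recurs through this log (the h264_slice 2 * 2132811760 case, the shorten -1625810908 - 582229060 case, the ra144 -26884 * 91439 case, the h264_cavlc INT_MIN - 1 case, the avformat/utils 64-bit discontinuity subtraction, the snowdec -19818 + INT_MIN case, and the left-shift class from the mpeg4videodec get_amv() fix). Each fix in the log is codec-specific; the helpers below show the generic pre-check form, written portably without compiler builtins, and a discontinuity test that never evaluates an overflowing subtraction. Function names are my own; the numeric cases are the ones quoted in the commit messages above.

```c
#include <stdint.h>
#include <stdio.h>

/* Each helper returns 1 if the operation would overflow (and leaves *out
 * untouched), otherwise stores the result and returns 0.  The checks are
 * arranged so that the check itself can never overflow. */
int checked_add32(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return 1;
    *out = a + b;
    return 0;
}

int checked_sub32(int32_t a, int32_t b, int32_t *out)
{
    if ((b < 0 && a > INT32_MAX + b) || (b > 0 && a < INT32_MIN + b))
        return 1;
    *out = a - b;
    return 0;
}

int checked_mul32(int32_t a, int32_t b, int32_t *out)
{
    int64_t r = (int64_t)a * b;           /* never overflows int64 */
    if (r > INT32_MAX || r < INT32_MIN)
        return 1;
    *out = (int32_t)r;
    return 0;
}

int checked_sub64(int64_t a, int64_t b, int64_t *out)
{
    if ((b < 0 && a > INT64_MAX + b) || (b > 0 && a < INT64_MIN + b))
        return 1;
    *out = a - b;
    return 0;
}

/* Left shift of a non-negative int: shifting into or past bit 31 is
 * undefined, which is exactly the "1 << 31" and "shift exponent -1" reports. */
int checked_shl32(int32_t v, unsigned sh, int32_t *out)
{
    if (sh >= 31 || v < 0 || v > (INT32_MAX >> sh))
        return 1;
    *out = v << sh;
    return 0;
}

/* |a - b| > threshold for two timestamps.  If the difference does not fit
 * in int64 at all, it is certainly larger than any threshold, so the
 * overflowing case is reported as a discontinuity instead of computed. */
int is_discontinuity(int64_t a, int64_t b, int64_t threshold)
{
    int64_t d;
    if (checked_sub64(a, b, &d))
        return 1;
    if (d == INT64_MIN)               /* -d would overflow */
        return 1;
    if (d < 0)
        d = -d;
    return d > threshold;
}

int main(void)
{
    int32_t r32; int64_t r64;
    printf("2 * 2132811760 overflows: %d\n", checked_mul32(2, 2132811760, &r32));
    printf("-1625810908 - 582229060 overflows: %d\n",
           checked_sub32(-1625810908, 582229060, &r32));
    printf("-26884 * 91439 overflows: %d\n", checked_mul32(-26884, 91439, &r32));
    printf("INT_MIN - 1 overflows: %d\n", checked_sub32(INT32_MIN, 1, &r32));
    printf("1 << 31 overflows: %d\n", checked_shl32(1, 31, &r32));
    printf("7738135736989908991 - -7954308516317364223 overflows: %d\n",
           checked_sub64(7738135736989908991LL, -7954308516317364223LL, &r64));
    printf("discontinuity(1000, 990, 100) = %d\n", is_discontinuity(1000, 990, 100));
    return 0;
}
```

Where GCC or Clang is guaranteed, `__builtin_add_overflow`, `__builtin_sub_overflow` and `__builtin_mul_overflow` do the same job in one call and compile to a flag test; the portable form above is what to fall back to when the code must build elsewhere. In decoders, the usual follow-up is to widen the intermediate to 64 bits and clip, which these checks make explicit rather than replacing.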
9 months ago - avformat/nsvdec: Do not parse multiple NSVf
Michael Niedermayer [Thu, 16 Aug 2018 10:23:20 +0000 (12:23 +0200)]
avformat/nsvdec: Do not parse multiple NSVf

The specification states "NSV files may contain a single file header."
Fixes: out of array access
Fixes: nsv-asan-002f473f726a0dcbd3bd53e422c4fc40b3cf3421

Found-by: Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 78d4b6bd43fc266a2ee926f0555c8782246f9445)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avformat/mlvdec: read_string() received unsigned size, make the argument unsigned
Michael Niedermayer [Thu, 16 Aug 2018 13:36:28 +0000 (15:36 +0200)]
avformat/mlvdec: read_string() received unsigned size, make the argument unsigned

Fixes: infinite loop
Fixes: mlv-timeout-e3b8cab9835edecad6823baa057e029671329d04

Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e71cb2c8edcf3dad657c15a6fb8572862f2afb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()
Michael Niedermayer [Thu, 16 Aug 2018 13:36:29 +0000 (15:36 +0200)]
avformat/rmdec: Fix EOF check in the stream loop in ivr_read_header()

Fixes: long running loop
Fixes: ivr-timeout-42468cb797f52f025fb329394702f5d4d64322d6

Found-by: Paul Ch <paulcher@icloud.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c2eec1762d372663c35aaf3d6ee419bafb185057)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()
Michael Niedermayer [Sun, 12 Aug 2018 21:06:55 +0000 (23:06 +0200)]
avcodec/shorten: Fix signed 32bit overflow in shift in shorten_decode_frame()

Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 9480/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6647324284551168 -rss_limit_mb=2000

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b604e96a51a1fca92bbabfe4f7ac53f0470ee41)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/shorten: Fix integer overflow in residual/LPC combination
Michael Niedermayer [Sun, 12 Aug 2018 20:55:59 +0000 (22:55 +0200)]
avcodec/shorten: Fix integer overflow in residual/LPC combination

Fixes: signed integer overflow: -540538872 + -2012739576 cannot be represented in type 'int'
Fixes: 9255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5758630052757504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit db7e9082e1a1479c6a8844f7adf77eae03cc2aa7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/shorten: Check verbatim length
Michael Niedermayer [Sun, 12 Aug 2018 20:43:33 +0000 (22:43 +0200)]
avcodec/shorten: Check verbatim length

Fixes: Timeout
Fixes: 9252/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5780720709533696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7007dabec08f2f9f81661e71ef482dde394e17a8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/mpegaudio_parser: Initialize poutbuf*
Michael Niedermayer [Sun, 5 Aug 2018 12:51:36 +0000 (14:51 +0200)]
avcodec/mpegaudio_parser: Initialize poutbuf*

Possibly fixes: null pointer dereference
Possibly fixes: 9352/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5146068961460224
Fixes: Heap-use-after-free
Fixes: 9453/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MP3ADUFLOAT_fuzzer-5137954375729152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f4c3b0b8e5435d13fd3b64c91969b31c3c018dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()
Michael Niedermayer [Sat, 28 Jul 2018 08:59:09 +0000 (10:59 +0200)]
avcodec/aacpsdsp_template: Fix integer overflow in ps_stereo_interpolate_c()

Fixes: signed integer overflow: -1813244069 + -1407981383 cannot be represented in type 'int'
Fixes: 8823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5643295618236416

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47db5763e21c5e3b0ddde2430d15938f8d88480d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avformat/flvenc: Check audio packet size
Michael Niedermayer [Sat, 28 Jul 2018 13:03:50 +0000 (15:03 +0200)]
avformat/flvenc: Check audio packet size

Fixes: Assertion failure
Fixes: assert_flvenc.c:941_1.swf

Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()
Michael Niedermayer [Sun, 29 Jul 2018 10:40:48 +0000 (12:40 +0200)]
avcodec/qtrle: Check remaining bytestream in qtrle_decode_XYbpp()

Fixes: Timeout
Fixes: 9213/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QTRLE_fuzzer-5649753332252672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7dd836a3f9771e0e44df1b27e67d6866d91e06d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too
Michael Niedermayer [Sun, 22 Jul 2018 19:42:16 +0000 (21:42 +0200)]
avcodec/diracdec: Check bytes count in else branch in decode_lowdelay() too

Fixes: signed integer overflow: 8 * 340018243 cannot be represented in type 'int'
Fixes: 9441/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5194665207791616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bed125b7108481574f36fdd6ee699b27354602e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions
Michael Niedermayer [Sun, 22 Jul 2018 19:26:24 +0000 (21:26 +0200)]
avcodec/diracdec: Check slice numbers for overflows in relation to picture dimensions

Fixes: signed integer overflow: 88 * 33685506 cannot be represented in type 'int'
Fixes: 9433/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5725943535501312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f457c0ad7f73e31e99761f2ad3738cf3b3c24ca0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/diracdec: Change frame_number to 64bit as it's a 32bit from the bitstream...
Michael Niedermayer [Sun, 22 Jul 2018 18:45:39 +0000 (20:45 +0200)]
avcodec/diracdec: Change frame_number to 64bit as it's a 32bit from the bitstream and we also have a -1 special case

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 9291/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6324345860259840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 462d1be6dec5ff4768be8c202f359cbf037db3c6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()
Michael Niedermayer [Sun, 22 Jul 2018 17:11:04 +0000 (19:11 +0200)]
avcodec/dirac_dwt_template: Fix several integer overflows in horizontal_compose_daub97i()

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 8926/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6047609228623872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 69cac9e130dc8c9d2a5b8012011df372974adf35)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()
Michael Niedermayer [Sun, 22 Jul 2018 16:58:34 +0000 (18:58 +0200)]
avcodec/diracdec: Prevent integer overflow in intermediate in global_mv()

Fixes: signed integer overflow: -393471 * 5460 cannot be represented in type 'int'
Fixes: 8890/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-6299775379963904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 51290406461ed40b70e0e05b389a461a283f3367)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago swresample/swresample: Fix input channel count in resample_first computation
Michael Niedermayer [Tue, 24 Jul 2018 20:44:12 +0000 (22:44 +0200)]
swresample/swresample: Fix input channel count in resample_first computation

Found-by: Marcin Gorzel <gorzel@google.com>
Reviewed-by: Marcin Gorzel <gorzel@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bce4da85e8110b66040a5fb07ffc724ab4e09a86)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
9 months ago avutil/pixfmt: Document chroma plane size for odd resolutions
Michael Niedermayer [Wed, 18 Jul 2018 20:22:35 +0000 (22:22 +0200)]
avutil/pixfmt: Document chroma plane size for odd resolutions

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit be0b77e6e83b61c2da338201b5ddfae1c9acedc5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avformat/asfdec_o: Check size_bmp more fully
Michael Niedermayer [Tue, 3 Jul 2018 19:01:23 +0000 (21:01 +0200)]
avformat/asfdec_o: Check size_bmp more fully

Fixes: integer overflow and out of array access
Fixes: asfo-crash-46080c4341572a7137a162331af77f6ded45cbd7

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869)
Signed-off-by: James Almer <jamrial@gmail.com>
13 months ago asfdec: Account for different Format Data sizes
Alexandra Hájková [Wed, 8 Feb 2017 11:51:37 +0000 (12:51 +0100)]
asfdec: Account for different Format Data sizes

Some muxers may use the BMP_HEADER Format Data size instead
of the ASF-specific one.

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 42f27d1b8eab9ea88d2e9faeb35f72dd72eca7b4)
Signed-off-by: James Almer <jamrial@gmail.com>
13 months ago avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL
James Almer [Sat, 28 Jul 2018 03:51:57 +0000 (00:51 -0300)]
avcodec/bitstream_filters: check the input argument of av_bsf_get_by_name() for NULL

Fixes crashes like "ffmpeg -h bsf" caused by passing NULL to strcmp()

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 3258cc6507a2012d54889ce5f8efbde7e81d927d)

13 months ago Update for 3.2.12 n3.2.12
Michael Niedermayer [Wed, 18 Jul 2018 21:04:10 +0000 (23:04 +0200)]
Update for 3.2.12

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avcodec/dvdsub_parser: Allocate input padding
Michael Niedermayer [Fri, 13 Jul 2018 16:56:10 +0000 (18:56 +0200)]
avcodec/dvdsub_parser: Allocate input padding

Fixes: out of array read
Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avcodec/dvdsub_parser: Init output buf/size
Michael Niedermayer [Fri, 13 Jul 2018 16:54:48 +0000 (18:54 +0200)]
avcodec/dvdsub_parser: Init output buf/size

No testcase

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6c8437761661441d836876934314cb2b8fafe7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avcodec/dirac_dwt_template: Fix signedness regression in interleave()
Michael Niedermayer [Fri, 13 Jul 2018 16:33:08 +0000 (18:33 +0200)]
avcodec/dirac_dwt_template: Fix signedness regression in interleave()

Found-by: <jdarnley>
Tested-by: James Darnley <james.darnley@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 181435a4de6e38e0a15ddaf16de9a157ef41cb18)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avformat/movenc: Write version 2 of audio atom if channels is not known
Michael Niedermayer [Sat, 7 Jul 2018 22:16:42 +0000 (00:16 +0200)]
avformat/movenc: Write version 2 of audio atom if channels is not known

The version 1 needs the channel count and would divide by 0
Fixes: division by 0
Fixes: fpe_movenc.c_1108_1.ogg
Fixes: fpe_movenc.c_1108_2.ogg
Fixes: fpe_movenc.c_1108_3.wav

Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa19fbcf712a6a6cc5a5cfdc3254a97b9bce6582)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago swresample/arm: rename labels to fix xcode build error
Rahul Chaudhry [Fri, 27 Apr 2018 20:49:52 +0000 (13:49 -0700)]
swresample/arm: rename labels to fix xcode build error

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e84212b78e00df17799e01be1e153a073eb8f689)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
13 months ago avformat/utils: fix mixed declarations and code
James Almer [Fri, 24 Nov 2017 20:46:16 +0000 (17:46 -0300)]
avformat/utils: fix mixed declarations and code

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 31de45d20b1ff90d4baf7c5a65e88f582efdb2a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/imgconvert: fix possible null pointer dereference
Simon Thelen [Tue, 3 Apr 2018 12:41:33 +0000 (14:41 +0200)]
avcodec/imgconvert: fix possible null pointer dereference

regression since 354b26a3945eadd4ed8fcd801dfefad2566241de

(cherry picked from commit 8c2c97403baf95d0facb53f03e468f023eb943e1)

14 months ago Update for 3.2.11 n3.2.11
Michael Niedermayer [Sun, 8 Jul 2018 19:07:45 +0000 (21:07 +0200)]
Update for 3.2.11

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/movenc: Check input sample count
Michael Niedermayer [Fri, 6 Jul 2018 20:23:25 +0000 (22:23 +0200)]
avformat/movenc: Check input sample count

Fixes: division by 0
Fixes: fpe_movenc.c_199_1.wav
Fixes: fpe_movenc.c_199_2.wav
Fixes: fpe_movenc.c_199_3.wav
Fixes: fpe_movenc.c_199_4.wav
Fixes: fpe_movenc.c_199_5.wav
Fixes: fpe_movenc.c_199_6.wav
Fixes: fpe_movenc.c_199_7.wav

Found-by: #CHEN HONGXU# <HCHEN017@e.ntu.edu.sg>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a2d21bc5f97aa0161db3ae731fc2732be6108b8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/mjpegdec: Check for odd progressive RGB
Michael Niedermayer [Fri, 6 Jul 2018 14:28:14 +0000 (16:28 +0200)]
avcodec/mjpegdec: Check for odd progressive RGB

Fixes: out of array access
Fixes: 9225/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEGLS_fuzzer-5684770334834688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee1e3ca5eb1ec7d34e925d129c893e33847ee0b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have...
Michael Niedermayer [Wed, 27 Jun 2018 14:51:51 +0000 (16:51 +0200)]
avformat/movenc: Check that frame_types other than EAC3_FRAME_TYPE_INDEPENDENT have a supported substream id

Fixes: out of array access
Fixes: ffmpeg_bof_1.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ed22dc22216f74c75ee7901f82649e1ff725ba50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/mms: Add missing chunksize check
Michael Niedermayer [Tue, 3 Jul 2018 18:33:04 +0000 (20:33 +0200)]
avformat/mms: Add missing chunksize check

Fixes: out of array read
Fixes: mms-crash-01b6c5d85f9d9f40f4e879896103e9f5b222816a

Found-by: Paul Ch <paulcher@icloud.com>
1st hunk by Paul Ch <paulcher@icloud.com>
Tested-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cced03dd667a5df6df8fd40d8de0bff477ee02e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/pva: Check for EOF before retrying in read_part_of_packet()
Michael Niedermayer [Tue, 3 Jul 2018 20:14:42 +0000 (22:14 +0200)]
avformat/pva: Check for EOF before retrying in read_part_of_packet()

Fixes: Infinite loop
Fixes: pva-4b1835dbc2027bf3c567005dcc78e85199240d06

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()
Michael Niedermayer [Tue, 3 Jul 2018 19:37:46 +0000 (21:37 +0200)]
avformat/rmdec: Do not pass mime type in rm_read_multi() to ff_rm_read_mdpr_codecdata()

Fixes: use after free()
Fixes: rmdec-crash-ffe85b4cab1597d1cfea6955705e53f1f5c8a362

Found-by: Paul Ch <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a7e032a277452366771951e29fd0bf2bd5c029f0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/indeo4: Check for end of bitstream in decode_mb_info()
Michael Niedermayer [Sun, 1 Jul 2018 23:26:44 +0000 (01:26 +0200)]
avcodec/indeo4: Check for end of bitstream in decode_mb_info()

Fixes: Timeout
Fixes: 8776/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5361788798369792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 267ba2aa96354c5b6a1ea89b2943fbd7a4893862)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/shorten: Fix undefined addition in shorten_decode_frame()
Michael Niedermayer [Mon, 2 Jul 2018 17:11:46 +0000 (19:11 +0200)]
avcodec/shorten: Fix undefined addition in shorten_decode_frame()

Fixes: signed integer overflow: 1139785606 + 1454196085 cannot be represented in type 'int'
Fixes: 8937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-6202943597445120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b10bb8772c76177cc47b8d15a6970f19dd11039)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/shorten: Fix undefined integer overflow
Michael Niedermayer [Mon, 2 Jul 2018 17:08:54 +0000 (19:08 +0200)]
avcodec/shorten: Fix undefined integer overflow

Fixes: signed integer overflow: 8454144 * 256 cannot be represented in type 'int'
Fixes: 8788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SHORTEN_fuzzer-5728205041303552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 70832333bba3b915040f415548518e136b44280e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()
Michael Niedermayer [Mon, 2 Jul 2018 16:57:05 +0000 (18:57 +0200)]
avcodec/jpeg2000dec: Fixes invalid shifts in jpeg2000_decode_packets_po_iteration()

Fixes: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 9163/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5661750182543360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 652d7c6348f96181fa69f8e2afb7b27a14c0a88a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/jpeg2000dec: Check that there are enough bytes for all tiles
Michael Niedermayer [Mon, 2 Jul 2018 16:40:08 +0000 (18:40 +0200)]
avcodec/jpeg2000dec: Check that there are enough bytes for all tiles

Fixes: OOM
Fixes: 8781/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5810709081358336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0898a3d9909960324e27d3a7a4f48c4effbb654a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample
Michael Niedermayer [Wed, 27 Jun 2018 15:27:50 +0000 (17:27 +0200)]
avformat/movenc: Do not pass AVCodecParameters in avpriv_request_sample

Fixes: out of array read
Fixes: ffmpeg_crash_8.avi

Found-by: Thuan Pham, Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu with AFLSmart
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95556e27e2c1d56d9e18f5db34d6f756f3011148)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
14 months ago avcodec/escape124: Fix spelling errors in comment
Michael Niedermayer [Wed, 27 Jun 2018 11:00:28 +0000 (13:00 +0200)]
avcodec/escape124: Fix spelling errors in comment

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f59c4e43915ed0528e2789f27ddb1635b59779df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>