ffmpeg.git
[9 days ago] lavc/tableprint_vlc: Remove avpriv_request_sample() from included files. (release/4.1)
Carl Eugen Hoyos [Wed, 19 Jun 2019 11:41:01 +0000 (13:41 +0200)]
lavc/tableprint_vlc: Remove avpriv_request_sample() from included files.

Fixes compilation with --enable-hardcoded-tables.
Fixes ticket #7962.

(cherry picked from commit c8232e50074f6f9f9b0674d0a5433f49d73a4e50)

[2 weeks ago] avcodec/h263dec: fix hwaccel decoding
Stefan Schoenefeld [Fri, 2 Aug 2019 09:18:10 +0000 (09:18 +0000)]
avcodec/h263dec: fix hwaccel decoding

Recently we encountered an issue when decoding an h.263 file:

FFmpeg will freeze when decoding h.263 video with NVDEC. Turns out this is not directly related to NVDEC but is a problem that shows with several other HW decoders like VDPAU, though the exact kind of error is different (either error messages or freezing[1]). The root cause is that ff_thread_finish_setup() is called twice per frame from ff_h263_decode_frame(). This is not supported by ff_thread_finish_setup() and specifically checked for and warned against in the function's code. The issue is also specific to hw accelerated decoding only as the second call to ff_thread_finish_setup() is only issued when hw acceleration is on. The fix is simple: add a check that the first call is only sent when hw acceleration is off, and the second call only when hw acceleration is on (see attached patch). This works fine as far as I was able to test with vdpau and nvdec/nvcuvid hw decoding. The patch also adds NVDEC to the hw config list if available.

I also noticed a secondary issue when browsing through the code which is that, according to documentation, ff_thread_finish_setup() should only be called if the codec implements update_thread_context(), which h263dec does not. The patch does not address this and I'm not sure any action needs to be taken here at all.

[1] This depends on whether or not the hw decoder sets the HWACCEL_CAPS_ASYNC_SAFE flag

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
[3 weeks ago] avutil/mem: Fix invalid use of av_alloc_size
Mark Harris [Sat, 24 Nov 2018 21:02:02 +0000 (13:02 -0800)]
avutil/mem: Fix invalid use of av_alloc_size

The alloc_size attribute is valid only on functions that return a
pointer.  GCC 9 (not yet released) warns about invalid usage:

./libavutil/mem.h:342:1: warning: 'alloc_size' attribute ignored on a function returning int' [-Wattributes]
  342 | av_alloc_size(2, 3) int av_reallocp_array(void *ptr, size_t nmemb, size_t size);
      | ^~~~~~~~~~~~~

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4361293fcf59edb56879c36edcd25f0a91e0edf8)

[4 weeks ago] cbs_h2645: Fix infinite loop in more_rbsp_data
Andreas Rheinhardt [Wed, 5 Jun 2019 02:18:54 +0000 (04:18 +0200)]
cbs_h2645: Fix infinite loop in more_rbsp_data

cbs_h2645_read_more_rbsp_data does not handle malformed input very well:
1. If there were <= 8 bits left in the bitreader, these bits were read
via show_bits. But show_bits requires the number of bits to be read to
be > 0 (internally it shifts by 32 - number of bits to be read which is
undefined behaviour if said number is zero; there is also an assert for
this, but it is only an av_assert2). Furthermore, in this case a shift
by -1 was performed which is of course undefined behaviour, too.
2. If there were > 0 and <= 8 bits left and all of them were zero
(this can only happen for defective input), it was reported that there
was further RBSP data.

This can lead to an infinite loop in H.265's cbs_h265_read_extension_data
corresponding to the [vsp]ps_extension_data_flag syntax elements. If the
relevant flag indicates the (potential) occurrence of these syntax elements,
while all bits after this flag are zero, cbs_h2645_read_more_rbsp_data
always returns 1 on x86. Given that a checked bitstream reader is used,
we are also not "saved" by an overflow in the bitstream reader's index.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d4035ca849bdb90e95c87e2737a99ea657be0716)
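
The two failure modes this commit describes, reproduced in a small C bit reader written for this page (it is not FFmpeg's GetBitContext or cbs code): the pre-fix comparison, which answers "more data" for an all-zero remainder and is undefined with zero bits left, beside a hardened more_rbsp_data() that treats empty and all-zero remainders as end of data so an extension-data loop terminates. All names and sample payloads are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal MSB-first bit reader over an RBSP byte buffer, constructed for this
 * example (not FFmpeg's GetBitContext). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static void br_init(BitReader *br, const uint8_t *buf, size_t size)
{
    br->buf = buf;
    br->size_bits = size * 8;
    br->pos = 0;
}

static size_t br_bits_left(const BitReader *br)
{
    return br->size_bits - br->pos;
}

/* Peek n bits (n <= 32 and n <= bits left) without consuming them. */
static uint32_t br_peek(const BitReader *br, unsigned n)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->pos + i;
        v = (v << 1) | ((br->buf[p >> 3] >> (7 - (p & 7))) & 1u);
    }
    return v;
}

static uint32_t br_read(BitReader *br, unsigned n)
{
    uint32_t v = br_peek(br, n);
    br->pos += n;
    return v;
}

/* Pre-fix logic as the commit describes it: "more data unless the remainder
 * is exactly the stop bit followed by zeros". An all-zero remainder yields 1,
 * and with 0 bits left the shift by (left - 1) is undefined behaviour. */
static int more_rbsp_data_old(const BitReader *br)
{
    size_t left = br_bits_left(br);
    if (left > 8)
        return 1;
    return br_peek(br, (unsigned)left) != (1u << (left - 1));
}

/* Hardened check: empty and all-zero remainders both report "no more data";
 * otherwise data remains if any bit after the first bit of the remainder is
 * set (the first bit alone is a valid rbsp_stop_one_bit). */
static int more_rbsp_data(const BitReader *br)
{
    size_t left = br_bits_left(br);
    if (left > 8)
        return 1;
    if (left == 0)
        return 0;
    uint32_t tail = br_peek(br, (unsigned)left);
    uint32_t below_first = (1u << (left - 1)) - 1u;
    return (tail & below_first) != 0;
}

/* Model of a *_extension_data_flag loop: one flag per iteration while
 * more_rbsp_data() says data remains. Returns the number of flags read. */
static unsigned count_ext_flags(const uint8_t *buf, size_t size)
{
    BitReader br;
    unsigned n = 0;
    br_init(&br, buf, size);
    while (more_rbsp_data(&br)) {
        br_read(&br, 1);
        n++;
    }
    return n;
}

/* Constructed sample payloads. */
static const uint8_t kWellFormed[]  = { 0xA5, 0x80 }; /* 8 flags, stop bit, 7 zeros */
static const uint8_t kMidByteStop[] = { 0xC0 };       /* 1 flag, stop bit, 6 zeros */
static const uint8_t kZeroTail[]    = { 0x00, 0x00 }; /* malformed: no stop bit */

/* Verdict of either check on kZeroTail with exactly 8 all-zero bits left. */
static int zero_tail_verdict(int use_old)
{
    BitReader br;
    br_init(&br, kZeroTail, sizeof(kZeroTail));
    br_read(&br, 8);
    return use_old ? more_rbsp_data_old(&br) : more_rbsp_data(&br);
}
```

With the old check, count_ext_flags() over kZeroTail would never see "no more data" and would run the reader to zero bits left, where the shift becomes undefined; the hardened check stops after the 8 zero flags.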

[4 weeks ago] avformat/aacdec: resync to the next adts frame on invalid data instead of aborting
James Almer [Sun, 21 Jul 2019 00:47:55 +0000 (21:47 -0300)]
avformat/aacdec: resync to the next adts frame on invalid data instead of aborting

Should fix ticket #6634

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 881e1f5a6227a6fbaf67083d4d4b6caf58ff9892)

[4 weeks ago] avformat/aacdec: factorize the adts frame resync code
James Almer [Sat, 20 Jul 2019 13:13:08 +0000 (10:13 -0300)]
avformat/aacdec: factorize the adts frame resync code

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit a38eab8b7501440f872ff1af8a0c5482b7b3e532)

[4 weeks ago] cbs_mpeg2: Fix storage type for frame_centre_*_offset
Andreas Rheinhardt [Wed, 22 May 2019 01:04:34 +0000 (03:04 +0200)]
cbs_mpeg2: Fix storage type for frame_centre_*_offset

The frame_centre_horizontal/vertical_offset values contained in picture
display extensions are actually signed values (i.e. it is possible to
indicate that the display device should add black bars/pillars).

The files sony-ct3.bs and tcela-6.bits (which are both used in fate
tests for mpeg2_metadata) contain picture display extensions; the former
even contains a negative frame_centre_vertical_offset. Fortunately, the
old code did not damage the picture display extensions when one did a
cycle of reading and writing. For the same reason the fate tests needn't
be updated either.

Furthermore these fields now use the trace output for matrices.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit de5880383967f44927c599ab16fa0f4f96b38365)

[4 weeks ago] cbs_mpeg2: Improve checks for invalid values
Andreas Rheinhardt [Wed, 22 May 2019 01:04:32 +0000 (03:04 +0200)]
cbs_mpeg2: Improve checks for invalid values

MPEG-2 contains several elements that mustn't be zero according to the
specifications: horizontal/vertical_size_value, aspect_ratio_information,
frame_rate_code, the quantiser matrices, the colour_description
elements, picture_coding_type, the f_code[r][s] values and
quantiser_scale_code. It is now checked that the invalid values don't
occur.

The colour_description elements are treated specially in this regard:
Given that there are files in the wild which use illegal values for the
colour_description elements (some of them created by mpeg2_metadata),
they will be corrected to the value meaning "unknown" (namely 2) during
reading. This has been done in such a way that trace_headers will
nevertheless report the original value, together with a message about
the fixup.

Furthermore, the trace_headers output of user_data has been beautified.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9c3f2a8894a66d6b5b9285caa25f91fbfca7b3bc)

[4 weeks ago] avcodec/cbs_mpeg2: fix leak of extra_information_slice buffer in cbs_mpeg2_read_slice...
James Almer [Wed, 22 May 2019 01:04:38 +0000 (03:04 +0200)]
avcodec/cbs_mpeg2: fix leak of extra_information_slice buffer in cbs_mpeg2_read_slice_header()

cbs_mpeg2_free_slice() calls av_buffer_unref() on extra_information_ref,
meaning allocating with av_malloc() was not the intention.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d903c09d9a5c641223f0810d24161520e977544a)

[4 weeks ago] lavc/cbs: Do not use format specifier "z" on Windows.
Carl Eugen Hoyos [Mon, 17 Dec 2018 13:39:41 +0000 (14:39 +0100)]
lavc/cbs: Do not use format specifier "z" on Windows.

(cherry picked from commit 0b7269e62d0345fec5f1ee9ee7b960e8d25c5dd1)

[4 weeks ago] lavc/cbs_vp9: Make variable prob unsigned.
Carl Eugen Hoyos [Mon, 10 Dec 2018 01:18:56 +0000 (02:18 +0100)]
lavc/cbs_vp9: Make variable prob unsigned.

Silences a warning with clang:
libavcodec/cbs_vp9_syntax_template.c:220:17: warning: implicit conversion from 'int' to 'int8_t' (aka 'signed char')
      changes value from 255 to -1

(cherry picked from commit de441ad52a4d9791d93c278b4cf6867815c28b92)

[4 weeks ago] avcodec/cbs_h264: fix storage type for time_offset in Pic Timing SEI
James Almer [Mon, 15 Apr 2019 20:50:01 +0000 (17:50 -0300)]
avcodec/cbs_h264: fix storage type for time_offset in Pic Timing SEI

The spec defines it as a signed value.

Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 9bf520d04d6137d0772e019356356614bbf7ca82)

[4 weeks ago] avcodec/cbs_h2645: add helper macros for signed values
James Almer [Mon, 15 Apr 2019 20:48:55 +0000 (17:48 -0300)]
avcodec/cbs_h2645: add helper macros for signed values

Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 3dc6adf326c8cd6c7fc830ccb8def8772835c676)

[4 weeks ago] avcodec/cbs: add helper functions and macros to read and write signed values
James Almer [Mon, 15 Apr 2019 20:46:53 +0000 (17:46 -0300)]
avcodec/cbs: add helper functions and macros to read and write signed values

Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 5006dcdf9af177444e3e0185640d7d84629e4215)

[4 weeks ago] cbs_h264: Fix handling of auxiliary pictures
Andreas Rheinhardt [Wed, 7 Nov 2018 03:47:51 +0000 (04:47 +0100)]
cbs_h264: Fix handling of auxiliary pictures

The earlier code used the most recent non-auxiliary slice to determine
whether an auxiliary slice has the syntax of an IDR slice, even when
the most recent slice was from a slice of a redundant frame. Now only
slices of the primary coded picture are used, as the specifications
mandate.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@googlemail.com>
(cherry picked from commit 8d1cf2d89481ca986af893425188d065c0f8f857)

[5 weeks ago] Changelog: fix typo (n4.1.4)
Michael Niedermayer [Mon, 8 Jul 2019 18:10:55 +0000 (20:10 +0200)]
Changelog: fix typo

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] Changelog: update
Michael Niedermayer [Mon, 8 Jul 2019 09:53:46 +0000 (11:53 +0200)]
Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows
Michael Niedermayer [Sun, 30 Jun 2019 21:28:13 +0000 (23:28 +0200)]
avcodec/ilbcdec: Simplify use of unsigned and fix more undefined overflows

Fixes: signed integer overflow: 2147475672 + 8192 cannot be represented in type 'int'
Fixes: 15415/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ILBC_fuzzer-5712074128228352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 019d729039aaa164152035864d65d77e53df1c98)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/golomb: Correct the doxy about get_ue_golomb() and errors
Michael Niedermayer [Sun, 30 Jun 2019 15:54:45 +0000 (17:54 +0200)]
avcodec/golomb: Correct the doxy about get_ue_golomb() and errors

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1bb3b3f11c6960e90bcfe685c0ad1e355a3e787e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avformat/utils: Check timebase before use in estimate_timings()
Michael Niedermayer [Sat, 29 Jun 2019 21:23:25 +0000 (23:23 +0200)]
avformat/utils: Check timebase before use in estimate_timings()

Fixes: division by 0
Fixes: 15480/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5746727434321920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f57e97dfd9539bc3f4f97a76ebc001f0b055cb88)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/hq_hqa: Use ff_set_dimensions()
Michael Niedermayer [Sat, 29 Jun 2019 19:53:09 +0000 (21:53 +0200)]
avcodec/hq_hqa: Use ff_set_dimensions()

Fixes: 15530/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5637370344374272
Fixes: signed integer overflow: 65312 * 65312 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6229fcd405d4135848c83df73634871260de59c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/rv10: Fix integer overflow in aspect ratio compare
Michael Niedermayer [Fri, 28 Jun 2019 17:20:43 +0000 (19:20 +0200)]
avcodec/rv10: Fix integer overflow in aspect ratio compare

Fixes: signed integer overflow: 2040 * 1187872 cannot be represented in type 'int'
Fixes: 15368/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RV20_fuzzer-5681657136283648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 14fcf42958608223a0be6558fb6e323419c9fc27)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/4xm: Fix signed integer overflows in idct()
Michael Niedermayer [Wed, 26 Jun 2019 22:15:03 +0000 (00:15 +0200)]
avcodec/4xm: Fix signed integer overflows in idct()

Fixes: signed integer overflow: 20242 * 121095 cannot be represented in type 'int'
Fixes: 15310/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FOURXM_fuzzer-5737051745419264

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2bbea155bf7c6ce6d5ae53cc41e44798cad2f39c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/qdm2: Check checksum_size for 0
Michael Niedermayer [Sun, 23 Jun 2019 23:01:04 +0000 (01:01 +0200)]
avcodec/qdm2: Check checksum_size for 0

Fixes: Infinite loop
Fixes: 15337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5757428949319680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b2ebf89a411d957ca999f1e7a919ff617fbfd56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop
Michael Niedermayer [Sun, 23 Jun 2019 23:01:03 +0000 (01:01 +0200)]
avcodec/qdm2: error out of qdm2_fft_decode_tones() before entering endless loop

Fixes: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: infinite loop
Fixes: 15396/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5116605501014016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 694be24bd6c4cc9c62222f4583260bf79056e4c1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/qdm2: Do not read out of array in fix_coding_method_array()
Michael Niedermayer [Sun, 23 Jun 2019 23:01:02 +0000 (01:01 +0200)]
avcodec/qdm2: Do not read out of array in fix_coding_method_array()

Instead we ask for a sample; it's unclear what to do in this case.

Fixes: index 30 out of bounds for type 'int8_t [30][64]'
Fixes: 15339/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5749441484554240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ae021c1239ec3bc0a30dc5a4720569071599ece4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/svq3: Use ff_set_dimension()
Michael Niedermayer [Tue, 25 Jun 2019 21:42:43 +0000 (23:42 +0200)]
avcodec/svq3: Use ff_set_dimension()

Fixes: OOM
Fixes: 15410/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ3_fuzzer-5659464805384192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b114d76878f1a542bcb75456492cc43e6414f8b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/iff: Check ham vs bpp
Michael Niedermayer [Sat, 22 Jun 2019 17:21:50 +0000 (19:21 +0200)]
avcodec/iff: Check ham vs bpp

This checks the ham value much stricter and avoids hitting cases which cannot be reached
with data from the libavformat demuxer.

Fixes: out of array access
Fixes: 15320/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5080476840099840
Fixes: 15423/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5630765833912320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f76d7352e05526fde7c607b9a9db536a5760af29)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/ffwavesynth: use uint32_t to compute difference, it is enough
Michael Niedermayer [Fri, 21 Jun 2019 20:43:23 +0000 (22:43 +0200)]
avcodec/ffwavesynth: use uint32_t to compute difference, it is enough

Fixes: signed integer overflow: 6494225984479297536 - -6043795377581187040 cannot be represented in type 'long'
Fixes: 15285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5632780307791872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e9dd3c7126097d7c8d4f137db9957b81a219aa2c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case
Michael Niedermayer [Fri, 21 Jun 2019 20:41:25 +0000 (22:41 +0200)]
avcodec/ffwavesynth: Simplify lcg_seek(), avoid negative case

Fixes: negation of -9223372036854775808 cannot be represented in type 'int64_t' (aka 'long'); cast to an unsigned type to negate this value to itself
Fixes: 15289/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5709034499342336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c022099351c04ae21e0b8696ea71a690ed03cd2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/ffwavesynth: Fix backward lcg_seek()
Michael Niedermayer [Fri, 21 Jun 2019 20:08:27 +0000 (22:08 +0200)]
avcodec/ffwavesynth: Fix backward lcg_seek()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf2bd3ce79b12256d7d129b2ada5ee649b9a27eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP()
Michael Niedermayer [Fri, 21 Jun 2019 21:45:36 +0000 (23:45 +0200)]
avcodec/flicvideo: Fix off by 1 error in flic_decode_frame_24BPP()

Fixes: out of array access
Fixes: 15360/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5653837190266880
Fixes: 15412/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-5740537648250880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37708cbae8d6887b80f58a70a1dfa01af6ea2c85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff()
Michael Niedermayer [Sat, 15 Jun 2019 21:28:25 +0000 (23:28 +0200)]
avcodec/vc1_block: Check for vlc error in vc1_decode_ac_coeff()

Fixes: index -1 out of bounds for type 'const uint8_t [185][2]'
Fixes: 15250/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMV3IMAGE_fuzzer-5648992869810176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 79204a1fc8f1988f7d7e6cae2c3b68f513444d38)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/alac: Check lpc_quant
Michael Niedermayer [Tue, 18 Jun 2019 23:04:07 +0000 (01:04 +0200)]
avcodec/alac: Check lpc_quant

lpc_quant of 0 produces undefined behavior, thus disallow this.
If valid samples use this then such a sample would be quite
useful to confirm the correct & lossless handling of this.

Fixes: libavcodec/alac.c:218:25: runtime error: shift exponent -1 is negative
Fixes: 15273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5656388535058432
Fixes: 15276/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5761238417539072
Fixes: 15315/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5767260766994432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6474b899c1153e3bb95e399b6605c3507aea0d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[5 weeks ago] avcodec/dxv: Initialize tex_funct to NULL
Michael Niedermayer [Mon, 3 Jun 2019 09:22:36 +0000 (11:22 +0200)]
avcodec/dxv: Initialize tex_funct to NULL

Fixes: Various anomalies
Fixes: 14493/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5071018000908288
Fixes: 14630/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5714888963391488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e96b7a8ba62c5e010328b80b647b64dd9cdbdc01)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP
Michael Niedermayer [Thu, 20 Jun 2019 22:47:19 +0000 (00:47 +0200)]
avcodec/alsdec: Add FF_CODEC_CAP_INIT_CLEANUP

Fixes: multiple memleaks
Fixes: 15293/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5642409288925184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7b6ddd59693008c35b3247496ecc946331d0856)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Fix integer overflow with buffer number
Michael Niedermayer [Thu, 20 Jun 2019 22:47:17 +0000 (00:47 +0200)]
avcodec/alsdec: Fix integer overflow with buffer number

Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int'
Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f64f6058e0c23641a68ce7dfe47b1f55efd401c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Fixes signed integer overflow in LSB addition
Michael Niedermayer [Thu, 20 Jun 2019 22:47:16 +0000 (00:47 +0200)]
avcodec/alsdec: Fixes signed integer overflow in LSB addition

Fixes: signed integer overflow: 8 * 536870912 cannot be represented in type 'int'
Fixes: 15281/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5744458785619968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f527021df73b4792323f38f84a4bf2fbe5a2052)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Check opt_order / sb_length in ra_block handling
Michael Niedermayer [Thu, 20 Jun 2019 22:47:15 +0000 (00:47 +0200)]
avcodec/alsdec: Check opt_order / sb_length in ra_block handling

Fixes: out of array access
Fixes: 15277/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5184853437317120
Fixes: 15280/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5741062137577472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0794494c8f2f756e3c9384dba21c54f7d4ba9286)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Fix integer overflow with shifting samples
Michael Niedermayer [Wed, 19 Jun 2019 21:27:21 +0000 (23:27 +0200)]
avcodec/alsdec: Fix integer overflow with shifting samples

Fixes: signed integer overflow: -346039050 * 8 cannot be represented in type 'int'
Fixes: 15283/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5692700268953600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a3bd4b260eb9f0d5817f9b3d672844f127c51a0b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Fix undefined behavior in decode_rice()
Michael Niedermayer [Wed, 19 Jun 2019 21:17:31 +0000 (23:17 +0200)]
avcodec/alsdec: Fix undefined behavior in decode_rice()

Fixes: left shift of 72 by 26 places cannot be represented in type 'int'
Fixes: 15279/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5700665621348352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 51f6870c37cc29e1ea7e0c66df2fe505938b7561)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[6 weeks ago] avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT()
Michael Niedermayer [Wed, 19 Jun 2019 19:53:43 +0000 (21:53 +0200)]
avcodec/alsdec: Fixes invalid shifts in read_var_block_data() and INTERLEAVE_OUTPUT()

Fixes: left shift of negative value -6
Fixes: 15275/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5742361767837696
Fixes: signed integer overflow: 41582592 * 256 cannot be represented in type 'int'
Fixes: 15296/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5739558227935232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e131568752ad41222946304c61eadb87b0a24791)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight
Michael Niedermayer [Tue, 25 Jun 2019 08:29:57 +0000 (10:29 +0200)]
avcodec/hevc_ps: Change num_tile_rows/columns checks to sps->ctb_height/weight

Suggested-by: James Almer <jamrial@gmail.com>
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b2082c663dac93fd722289a540c1b1e24a12564)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns
Michael Niedermayer [Thu, 13 Jun 2019 13:05:54 +0000 (15:05 +0200)]
avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns

Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 14880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c692051252693155c4eecd16f4f8a79caf66cd54)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check
Michael Niedermayer [Sun, 16 Jun 2019 09:26:57 +0000 (11:26 +0200)]
avcodec/apedec: Add k < 24 check to the only k++ case which lacks such a check

Fixes: 15255/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5718831688843264
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d4f4f4a15e79c96c3613e5c252b2f5cc4190e18)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avformat/aviobuf: Delay buffer downsizing until asserts are met
Michael Niedermayer [Sun, 9 Jun 2019 20:04:16 +0000 (22:04 +0200)]
avformat/aviobuf: Delay buffer downsizing until asserts are met

Fixes: Assertion failure
Fixes: 15151/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5757079496687616
Fixes: 15205/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5767573242642432
May fix: Ticket7094

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0334632d5c02720f1829d59cd20c009584b5b163)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/fitsdec: Check data_min/max
Michael Niedermayer [Wed, 12 Jun 2019 22:24:53 +0000 (00:24 +0200)]
avcodec/fitsdec: Check data_min/max

Fixes: division by 0
Fixes: 15206/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5657260212092928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eb82d19f035f59edf0aee215f02baaea908875de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/m101: Fix off by 2 error
Michael Niedermayer [Mon, 17 Jun 2019 19:13:17 +0000 (21:13 +0200)]
avcodec/m101: Fix off by 2 error

Fixes: out of array read
Fixes: 15263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_M101_fuzzer-5728999453491200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89b96900fa7c17d0770c9af26af7c3ae36ae0253)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/qdm2: Move fft_order check up
Michael Niedermayer [Mon, 17 Jun 2019 18:58:47 +0000 (20:58 +0200)]
avcodec/qdm2: Move fft_order check up

This avoids undefined computations with unchecked values

Fixes: shift exponent -21 is negative
Fixes: 15262/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDM2_fuzzer-5651261753393152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8d8b8c4ac6fb5b5d40bd131f2d2ea9d85b8759a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avcodec/libvorbisdec: Check extradata size
Michael Niedermayer [Mon, 17 Jun 2019 19:26:45 +0000 (21:26 +0200)]
avcodec/libvorbisdec: Check extradata size

Fixes: out of array read
Fixes: 15261/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBVORBIS_fuzzer-5764908467093504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf3c245566e8a8d45ed2ad9fdff9ef50327ba2d3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[7 weeks ago] avformat/vqf: Check header_size
Michael Niedermayer [Tue, 18 Jun 2019 21:17:23 +0000 (23:17 +0200)]
avformat/vqf: Check header_size

Fixes: 15271/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5735262606327808
Fixes: signed integer overflow: -2147483648 - 8 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7c30ff38880570377168096417f714b21102b343)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext()
Michael Niedermayer [Sun, 16 Jun 2019 19:01:50 +0000 (21:01 +0200)]
avcodec/atrac9dec: Check q_unit_cnt in parse_band_ext()

Fixes: global-buffer-overflow
Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fb4a4557d15bce601e2462207648741600fa273f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/atrac9dec: Check that the reused block has succeeded initialization
Michael Niedermayer [Sun, 16 Jun 2019 18:56:20 +0000 (20:56 +0200)]
avcodec/atrac9dec: Check that the reused block has succeeded initialization

Fixes: global-buffer-overflow
Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ac9af7e9a5befa8a554bacbcc59ab2f11203d85e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  Update for 4.1.4
Michael Niedermayer [Thu, 27 Jun 2019 17:51:59 +0000 (19:51 +0200)]
Update for 4.1.4

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/utils: Check bits_per_coded_sample
Michael Niedermayer [Tue, 18 Jun 2019 21:55:56 +0000 (23:55 +0200)]
avcodec/utils: Check bits_per_coded_sample

This avoids the need for each decoder separately having to handle this case

Fixes: shift exponent -100663046 is negative
Fixes: out of array access
Fixes: 15270/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5727829913763840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d33414d2ad27a5d2193c9ab0948ba7a282c2f910)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/videodsp_template: Fix overflow of addition
Michael Niedermayer [Fri, 14 Jun 2019 22:47:06 +0000 (00:47 +0200)]
avcodec/videodsp_template: Fix overflow of addition

Fixes: addition of unsigned offset to 0x7f56fc26a9b6 overflowed to 0x7f56fc26a8be*
Fixes: clusterfuzz-testcase-minimized-mediasource_MP4_AVC1_pipeline_integration_fuzzer-4917949056679936

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 247a1de7f7d9c5628cf188e677d10ce9e12bd2f2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/alsdec: Fix invalid shift in multiply()
Michael Niedermayer [Thu, 20 Jun 2019 17:09:11 +0000 (19:09 +0200)]
avcodec/alsdec: Fix invalid shift in multiply()

Fixes: shift exponent -24 is negative
Fixes: 15292/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5768533318828032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f30be1ec9856551d96f3876eec5f8b8abf456b81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/ffwavesynth: Check ts_end - ts_start for overflow
Michael Niedermayer [Sun, 16 Jun 2019 14:12:42 +0000 (16:12 +0200)]
avcodec/ffwavesynth: Check ts_end - ts_start for overflow

Fixes: signed integer overflow: 2314885530818453536 - -8926099139098304480 cannot be represented in type 'long'
Fixes: 15259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5764366093254656

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2db7a3bc4acdd293ed10b71e55f16a45ca28b629)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c
Michael Niedermayer [Sun, 16 Jun 2019 14:17:12 +0000 (16:17 +0200)]
avcodec/vc1dsp: Avoid undefined shifts in vc1_v_s_overlap_c / vc1_h_s_overlap_c

Fixes: left shift of negative value -13
Fixes: 15260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1_fuzzer-5702076048343040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 507ca66ee41aa8a95b75654163f77af0a99a25b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/tta: Fix undefined shift
Michael Niedermayer [Sun, 16 Jun 2019 13:55:55 +0000 (15:55 +0200)]
avcodec/tta: Fix undefined shift

Fixes: left shift of negative value -4483
Fixes: 15256/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5738691617619968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ebccd2f778a861b41ad38a8464ea120d4f16b2d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/qdmc: Fix integer overflows in PRNG
Michael Niedermayer [Sun, 16 Jun 2019 13:53:27 +0000 (15:53 +0200)]
avcodec/qdmc: Fix integer overflows in PRNG

Fixes: signed integer overflow: 214013 * 2531011 cannot be represented in type 'int'
Fixes: 15254/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_QDMC_fuzzer-5698137026461696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2921b45a388a81968d946996bb32e72d7bb5d5b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/bintext: Check font height
Michael Niedermayer [Sun, 16 Jun 2019 14:01:45 +0000 (16:01 +0200)]
avcodec/bintext: Check font height

Fixes: division by zero
Fixes: 15257/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINTEXT_fuzzer-5757352881422336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bfb58bdd7015a6df2d130c92cf284d6a2362f3df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/binkdsp: Fix integer overflows in idct
Michael Niedermayer [Tue, 18 Jun 2019 12:28:17 +0000 (14:28 +0200)]
avcodec/binkdsp: Fix integer overflows in idct

Fixes: signed integer overflow: 3784 * 682038 cannot be represented in type 'int'
Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840
Fixes: 15268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5666502344179712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7a072fbcc4c6f8ddbf37b131c2d141589118abcd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/bink: Fix integer overflow in unquantize_dct_coeffs()
Michael Niedermayer [Tue, 18 Jun 2019 12:28:17 +0000 (14:28 +0200)]
avcodec/bink: Fix integer overflow in unquantize_dct_coeffs()

Fixes: signed integer overflow: -3447 * 2883584 cannot be represented in type 'int'
Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 62ad08cef993f7a103b6d3a5498f6fa49190e085)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/motionpixels: Check for vlc error in mp_get_vlc()
Michael Niedermayer [Sat, 15 Jun 2019 19:08:31 +0000 (21:08 +0200)]
avcodec/motionpixels: Check for vlc error in mp_get_vlc()

Fixes: 15246/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOTIONPIXELS_fuzzer-5168534407086080
Fixes: runtime error: index -1 out of bounds for type 'HuffCode [16]'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 930cdef80ab695132d3de2128c3c23f2d698918b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/loco: Limit lossy parameter so it is sane and does not overflow
Michael Niedermayer [Sat, 15 Jun 2019 19:47:16 +0000 (21:47 +0200)]
avcodec/loco: Limit lossy parameter so it is sane and does not overflow

Fixes: 15248/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5087440458481664
Fixes: signed integer overflow: 3 + 2147483647 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ce3b0b9066b433564ed3ee3eed3a1e8f2c0834a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed
Michael Niedermayer [Fri, 14 Jun 2019 22:12:36 +0000 (00:12 +0200)]
avformat/mov: Set fragment.found_tfhd only after TFHD has been parsed

Fixes: Assertion failure
Fixes: crbug971646.mp4

Reported-by: Matt Wolenetz <wolenetz@google.com>
Reviewed-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 696312c487d9d8c49a087017a829d1cdcbd68651)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/xpmdec: Do not use context dimensions as temporary variables
Michael Niedermayer [Wed, 12 Jun 2019 18:13:34 +0000 (20:13 +0200)]
avcodec/xpmdec: Do not use context dimensions as temporary variables

Fixes: Integer overflow
Fixes: 15134/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XPM_fuzzer-5722635939348480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5ea7f2050050fd6a9177a9b618f2bb2d4add9230)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/fitsdec: Fix division by 0 in size check
Michael Niedermayer [Thu, 13 Jun 2019 14:08:03 +0000 (16:08 +0200)]
avcodec/fitsdec: Fix division by 0 in size check

Fixes: division by zero
Fixes: 15210/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5746033243455488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07ffe94c172041cfb03109b9bb6b8bf577332bda)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c()
Michael Niedermayer [Thu, 13 Jun 2019 13:00:14 +0000 (15:00 +0200)]
avcodec/aacpsdsp_template: Fix integer overflow in ps_hybrid_analysis_c()

Fixes: signed integer overflow: -1539565182 + -798086761 cannot be represented in type 'int'
Fixes: 14807/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-564925382682214

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f8f5668df590d853429586e1f95cbd9cee38920e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block()
Michael Niedermayer [Thu, 13 Jun 2019 17:45:50 +0000 (19:45 +0200)]
avcodec/truemotion2: Fix integer overflow in last loop in tm2_update_block()

Fixes: signed integer overflow: -1727985666 - 538976288 cannot be represented in type 'int'
Fixes: 15031/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5100228035739648

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3aecd0170413c7e56f19de4e34d093a2c4027c2a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/iff: finetune the palette size check in the mask case
Michael Niedermayer [Sat, 22 Jun 2019 19:17:52 +0000 (21:17 +0200)]
avcodec/iff: finetune the palette size check in the mask case

Fixes: out of array access
Fixes: 15381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5668057826983936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0f9789c8e37eb6d166729e876729beb21b7d5647)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/iff: Fix mask_buf / mask_palbuf leak
Michael Niedermayer [Sat, 22 Jun 2019 18:05:15 +0000 (20:05 +0200)]
avcodec/iff: Fix mask_buf / mask_palbuf leak

Fixes: 15372/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5708881759567872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 92e8db532cdee3c73913174413428ffdc35032e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/icodec: Free ico->images on error paths
Michael Niedermayer [Sat, 8 Jun 2019 08:48:41 +0000 (10:48 +0200)]
avformat/icodec: Free ico->images on error paths

Fixes: 15116/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5715173567889408
Fixes: memleak

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 54918b51161610a364de697b80acb9583eecf41b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/wsddec: Fix undefined shift
Michael Niedermayer [Sat, 8 Jun 2019 07:27:49 +0000 (09:27 +0200)]
avformat/wsddec: Fix undefined shift

Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 15123/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5738039235575808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 112eb17a2bbf6d02f81fdf0743b353a6b010aedc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/fmvc: Check if header fields are available before allocating the image
Michael Niedermayer [Sun, 2 Jun 2019 21:16:40 +0000 (23:16 +0200)]
avcodec/fmvc: Check if header fields are available before allocating the image

Fixes: Timeout (15sec -> 0.5sec)
Fixes: 14846/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FMVC_fuzzer-5068322120400896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 561cc161ca617c1b8d48fef0f02d56c0f1af0486)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/bink: Reorder operations in init to avoid memleak on error
Michael Niedermayer [Sat, 15 Jun 2019 19:52:24 +0000 (21:52 +0200)]
avcodec/bink: Reorder operations in init to avoid memleak on error

Fixes: Direct leak of 536 byte(s) in 1 object(s)
Fixes: 15266/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5629530426834944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2603f25d326476a83f5d093b522590b05b6e703b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/wtvdec: Avoid (32bit signed) sectors
Michael Niedermayer [Wed, 12 Jun 2019 23:20:19 +0000 (01:20 +0200)]
avformat/wtvdec: Avoid (32bit signed) sectors

Fixes: left shift of negative value -14614752
Fixes: 15174/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5670543606415360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dd357d76e5faf3ce6fc46ffb924cf30f1cb54af9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/bitstream: Check for more conflicting codes in build_table()
Michael Niedermayer [Wed, 5 Jun 2019 10:18:54 +0000 (12:18 +0200)]
avcodec/bitstream: Check for more conflicting codes in build_table()

Fixes: out of array read
Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a7e3b271fc9a91c5d2e4df32e70e525c15c6d3ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/bitstream: Check for integer code truncation in build_table()
Michael Niedermayer [Wed, 5 Jun 2019 10:18:54 +0000 (12:18 +0200)]
avcodec/bitstream: Check for integer code truncation in build_table()

Fixes: out of array read
Fixes: 14563/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5646451545210880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e78b0f83748f92ea9e93b21c36082e0dd04d7cb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/sbgdec: Fixes integer overflow in str_to_time() with hours
Michael Niedermayer [Thu, 6 Jun 2019 21:20:49 +0000 (23:20 +0200)]
avformat/sbgdec: Fixes integer overflow in str_to_time() with hours

Fixes: signed integer overflow: 904444 * 3600 cannot be represented in type 'int'
Fixes: 15113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5764083346833408

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a0f23b9d647ad84e0351b43ca4b552add00c8dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/vpk: Check offset for validity
Michael Niedermayer [Thu, 6 Jun 2019 21:17:18 +0000 (23:17 +0200)]
avformat/vpk: Check offset for validity

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa003019ab9ec5ef7e7b3ff9d6262d3472b427eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/vpk: Fix integer overflow in samples_per_block computation
Michael Niedermayer [Thu, 6 Jun 2019 21:14:13 +0000 (23:14 +0200)]
avformat/vpk: Fix integer overflow in samples_per_block computation

Fixes: signed integer overflow: 84026453 * 28 cannot be represented in type 'int'
Fixes: 15111/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5675630072430592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c6c4129b4cc3b9e0b3a527a5a15c904ec6ae3b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/mjpegdec: Check for non ls PAL8
Michael Niedermayer [Sat, 1 Jun 2019 17:06:07 +0000 (19:06 +0200)]
avcodec/mjpegdec: Check for non ls PAL8

Fixes: Null-dereference READ in av_malloc
Fixes: 15002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5643474625363968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 442375fee7f1fb15e42fbc128dc38bdfcc2cc105)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/interplayvideo: check decoding_map_size with video_data_size
Michael Niedermayer [Sun, 26 May 2019 21:18:34 +0000 (23:18 +0200)]
avcodec/interplayvideo: check decoding_map_size with video_data_size

Fixes: Timeout (90543 ms -> 59 ms)
Fixes: 14721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer-5697492148027392

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 914d6a7c1a7a1850b4053847a784b174c9146c55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle
Michael Niedermayer [Thu, 23 May 2019 21:17:35 +0000 (23:17 +0200)]
avcodec/h264_parse: Use 64bit for expectedpoc and expected_delta_per_poc_cycle

Fixes: signed integer overflow: -2142516591 + -267814575 cannot be represented in type 'int'
Fixes: 14450/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5716105319940096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4896fa18add7636ea9986edde51493331f1fb01e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/mss4: Check input size against skip bits
Michael Niedermayer [Tue, 14 May 2019 12:29:43 +0000 (14:29 +0200)]
avcodec/mss4: Check input size against skip bits

Fixes: Timeout (17sec -> 20ms)
Fixes: 14615/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5093007763701760
Fixes: 14797/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MTS2_fuzzer-5651696119709696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0fef412dffb74fef3494f7fae0c138c32a444484)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/dxv: Check op_offset in dxv_decompress_cocg()
Michael Niedermayer [Mon, 20 May 2019 23:33:03 +0000 (01:33 +0200)]
avcodec/dxv: Check op_offset in dxv_decompress_cocg()

Fixes: signed integer overflow: -2147483648 - 12 cannot be represented in type 'int'
Fixes: 14732/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5735273129836544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e520843dd76a644c019134ac7b17eba9f1118b3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/diracdec: Fix integer overflow in global_mv()
Michael Niedermayer [Wed, 22 May 2019 00:01:33 +0000 (02:01 +0200)]
avcodec/diracdec: Fix integer overflow in global_mv()

Fixes: signed integer overflow: 16384 * 196607 cannot be represented in type 'int'
Fixes: 14810/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5091232683917312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a99ffb5bb4454c625748972d9389cfaa5433a342)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/vmnc: Check available space against chunks before reget_buffer()
Michael Niedermayer [Fri, 17 May 2019 21:28:49 +0000 (23:28 +0200)]
avcodec/vmnc: Check available space against chunks before reget_buffer()

Fixes: Timeout (16sec -> 60ms)
Fixes: 14673/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMNC_fuzzer-5640217517621248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 279d9a84af37cc1a7cf79c1cd667105eeb948611)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decod...
Michael Niedermayer [Sat, 18 May 2019 08:37:26 +0000 (10:37 +0200)]
avcodec/aacdec_template: skip apply_tns() if max_sfb is 0 (from previous header decode failure)

Fixes: NULL pointer dereference
Fixes: 14723/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5654612436058112
Fixes: 14724/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5712607111020544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf3156e762bbd3fbaf9da53f3ef1ea6d1bad2ec5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/aacdec_fixed: Handle more extreme cases in noise_scale()
Michael Niedermayer [Thu, 16 May 2019 10:00:18 +0000 (12:00 +0200)]
avcodec/aacdec_fixed: Handle more extreme cases in noise_scale()

It's unclear if these cases have any relevance in real files

Fixes: shift exponent -2 is negative
Fixes: 14489/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5681941631729664

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3d14663f8345a84613b1ec041fd65e4a90057320)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/aacdec_template: Merge 3 #ifs related to noise handling
Michael Niedermayer [Thu, 16 May 2019 09:55:43 +0000 (11:55 +0200)]
avcodec/aacdec_template: Merge 3 #ifs related to noise handling

Fewer #if and fewer lines

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc33c99d56791fc26ccafb49512b59e38b99ca12)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify
Michael Niedermayer [Thu, 16 May 2019 09:03:59 +0000 (11:03 +0200)]
avcodec/aacdec_fixed: ssign seems always -1 in noise_scale(), simplify

(cherry picked from commit 3d5863d73915748013975cac8d2148c5fc3d01c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/mp3enc: Avoid SEEK_END as it is unsupported
Michael Niedermayer [Tue, 14 May 2019 10:12:29 +0000 (12:12 +0200)]
avformat/mp3enc: Avoid SEEK_END as it is unsupported

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf3ee6a13053d37a0c5022a324624e89f0bce8c5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/truemotion2: Fix several integer overflows in tm2_update_block()
Michael Niedermayer [Sat, 4 May 2019 22:31:24 +0000 (00:31 +0200)]
avcodec/truemotion2: Fix several integer overflows in tm2_update_block()

Fixes: signed integer overflow: -1877966852 + -469491713 cannot be represented in type 'int'
Fixes: 14561/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-5167608359288832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8eecf761a65baf4ce6f25c0a149819cc9414c0f0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/webm_chunk: Specify expected argument length of get_chunk_filename()
Michael Niedermayer [Thu, 2 May 2019 18:36:18 +0000 (20:36 +0200)]
avformat/webm_chunk: Specify expected argument length of get_chunk_filename()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1a74b04737f08e2e11a02ada280407889f6cadb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avformat/webm_chunk: Check header filename length
Michael Niedermayer [Thu, 2 May 2019 18:45:14 +0000 (20:45 +0200)]
avformat/webm_chunk: Check header filename length

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3b5b977c9f96e2c3803317ad75253801bc571791)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  avcodec/cpia: Check input size also against linesizes and EOL
Michael Niedermayer [Sun, 19 May 2019 15:42:04 +0000 (17:42 +0200)]
avcodec/cpia: Check input size also against linesizes and EOL

Fixes: Timeout (14sec -> 29ms)
Fixes: 14733/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CPIA_fuzzer-5707022445576192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3c0bfa7d1a90a22d5fe8daa415cc689c111562f1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
7 weeks ago  swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes
Michael Niedermayer [Mon, 13 May 2019 10:50:38 +0000 (12:50 +0200)]
swscale/tests/swscale: Lengthen pixfmt name buffer to 21 bytes

Some formats use longer names than 12.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d269301f017657c3ae2e95a411317640acd39a8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>