ffmpeg.git
2 years agoUpdate for 2.8.11 n2.8.11
Michael Niedermayer [Wed, 8 Feb 2017 20:45:54 +0000 (21:45 +0100)]
Update for 2.8.11

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_slice: Clear ref_counts on redundant slices
Michael Niedermayer [Wed, 8 Feb 2017 16:55:41 +0000 (17:55 +0100)]
avcodec/h264_slice: Clear ref_counts on redundant slices

Fixes reading freed memory
Fixes: 568/clusterfuzz-testcase-6107186067406848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c03029a835949fc0e68b4c6558ebcdc3ae137087)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agolavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Matt Wolenetz [Wed, 14 Dec 2016 23:26:19 +0000 (15:26 -0800)]
lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2303da641dafb048dc1806790526dfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agolavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Matt Wolenetz [Wed, 14 Dec 2016 23:24:42 +0000 (15:24 -0800)]
lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr

Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57fe5841385f845440688505b88c0f4a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pictordec: Fix logic error
Michael Niedermayer [Tue, 7 Feb 2017 14:49:09 +0000 (15:49 +0100)]
avcodec/pictordec: Fix logic error

Fixes: 559/clusterfuzz-testcase-6424225917173760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2ea3030af7b40a3c4275696fb5c76cdb80950a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix decode_styl() cleanup
Michael Niedermayer [Mon, 6 Feb 2017 10:17:10 +0000 (11:17 +0100)]
avcodec/movtextdec: Fix decode_styl() cleanup

Fixes: null pointer dereference
Fixes: 555/clusterfuzz-testcase-5986646595993600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e248522d1b0d6dd8641f382cd5c4338d0ecd98e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agolavf/matroskadec: fix is_keyframe for early Blocks
Chris Cunningham [Fri, 3 Feb 2017 22:42:44 +0000 (14:42 -0800)]
lavf/matroskadec: fix is_keyframe for early Blocks

Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee32888f0c13118edeb9404a123cd3a79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoconfigure: bump year
James Almer [Mon, 2 Jan 2017 04:38:03 +0000 (01:38 -0300)]
configure: bump year

Happy new year!

(cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pngdec: Check trns more completely
Michael Niedermayer [Sat, 4 Feb 2017 11:24:14 +0000 (12:24 +0100)]
avcodec/pngdec: Check trns more completely

Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e477f09d0b3619f3d29173b2cd593e17e2d1978e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/interplayvideo: Move parameter change check up
Michael Niedermayer [Sat, 4 Feb 2017 01:45:02 +0000 (02:45 +0100)]
avcodec/interplayvideo: Move parameter change check up

Fixes out of array read
Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
Michael Niedermayer [Wed, 1 Feb 2017 00:32:37 +0000 (01:32 +0100)]
avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()

Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/flacdec: Check avio_read result when reading flac block header.
Frank Liberato [Tue, 24 Jan 2017 18:58:17 +0000 (10:58 -0800)]
avformat/flacdec: Check avio_read result when reading flac block header.

Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/utils: correct align value for interplay
Michael Niedermayer [Tue, 24 Jan 2017 23:20:19 +0000 (00:20 +0100)]
avcodec/utils: correct align value for interplay

Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/vp56: Check for the bitstream end, pass error codes on
Michael Niedermayer [Tue, 24 Jan 2017 21:21:25 +0000 (22:21 +0100)]
avcodec/vp56: Check for the bitstream end, pass error codes on

Fixes timeout
Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
Michael Niedermayer [Tue, 24 Jan 2017 15:13:05 +0000 (16:13 +0100)]
avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()

Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pngdec: Fix off by 1 size in decode_zbuf()
Michael Niedermayer [Mon, 23 Jan 2017 00:25:27 +0000 (01:25 +0100)]
avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/avidec: skip odml master index chunks in avi_sync
Tobias Rapp [Fri, 23 Dec 2016 13:50:16 +0000 (14:50 +0100)]
avformat/avidec: skip odml master index chunks in avi_sync

Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check for rgb before flipping
Michael Niedermayer [Sat, 31 Dec 2016 02:08:33 +0000 (03:08 +0100)]
avcodec/mjpegdec: Check for rgb before flipping

Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/random_seed: Reduce the time needed on systems with very low precission clock()
Michael Niedermayer [Sat, 24 Dec 2016 13:26:41 +0000 (14:26 +0100)]
avutil/random_seed: Reduce the time needed on systems with very low precission clock()

This should fix issues on BSD
CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/random_seed: Improve get_generic_seed() with higher precission clock()
Michael Niedermayer [Thu, 22 Dec 2016 02:59:03 +0000 (03:59 +0100)]
avutil/random_seed: Improve get_generic_seed() with higher precission clock()

Tested-by: Thomas Turner <thomastdt@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Print verbose error message if stream count exceeds max_streams
Michael Niedermayer [Sat, 10 Dec 2016 19:15:13 +0000 (20:15 +0100)]
avformat/utils: Print verbose error message if stream count exceeds max_streams

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/options_table: Set the default maximum number of streams to 1000
Michael Niedermayer [Sat, 10 Dec 2016 19:15:12 +0000 (20:15 +0100)]
avformat/options_table: Set the default maximum number of streams to 1000

Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil: Add av_image_check_size2()
Michael Niedermayer [Sat, 10 Dec 2016 20:05:14 +0000 (21:05 +0100)]
avutil: Add av_image_check_size2()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat: Add max_streams option
Michael Niedermayer [Fri, 18 Nov 2016 16:00:30 +0000 (17:00 +0100)]
avformat: Add max_streams option

This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
Michael Niedermayer [Thu, 8 Dec 2016 22:51:45 +0000 (23:51 +0100)]
avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated

We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()

Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggdec: Skip streams in duration correction that did not had their duration...
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avformat/oggdec: Skip streams in duration correction that did not had their duration set.

Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Fix size of first slice
Michael Niedermayer [Thu, 8 Dec 2016 23:19:19 +0000 (00:19 +0100)]
avcodec/ffv1enc: Fix size of first slice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agopgssubdec: reset rle_data_len/rle_remaining_len on allocation error
Andreas Cadhalpun [Tue, 31 Jan 2017 00:55:44 +0000 (01:55 +0100)]
pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoupdate for ffmpeg 2.8.10 n2.8.10
Michael Niedermayer [Tue, 6 Dec 2016 02:50:50 +0000 (03:50 +0100)]
update for ffmpeg 2.8.10

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/http: Match chunksize checks to master..3.0
Michael Niedermayer [Tue, 6 Dec 2016 02:06:05 +0000 (03:06 +0100)]
avformat/http: Match chunksize checks to .3.0

Fixes warning about impossible condition

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoChangelog: fix typos
Michael Niedermayer [Tue, 6 Dec 2016 00:19:34 +0000 (01:19 +0100)]
Changelog: fix typos

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoffserver: Check chunk size
Michael Niedermayer [Mon, 5 Dec 2016 16:27:45 +0000 (17:27 +0100)]
ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoAvoid using the term "file" and prefer "url" in some docs and comments
Michael Niedermayer [Mon, 5 Dec 2016 11:54:21 +0000 (12:54 +0100)]
Avoid using the term "file" and prefer "url" in some docs and comments

This should make it less ambigous that these are URLs

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Check for packet size mismatches
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches

Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agozmqsend: Initialize ret to 0
Timothy Gu [Mon, 5 Dec 2016 18:04:57 +0000 (10:04 -0800)]
zmqsend: Initialize ret to 0

Fixes CID1396857.

(cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoconfigure: check for strtoull on msvc
James Almer [Mon, 5 Dec 2016 16:07:10 +0000 (13:07 -0300)]
configure: check for strtoull on msvc

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd)

2 years agohttp: move chunk handling from http_read_stream() to http_buf_read().
Ronald S. Bultje [Mon, 5 Dec 2016 15:18:10 +0000 (10:18 -0500)]
http: move chunk handling from http_read_stream() to http_buf_read().

(cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9)

2 years agohttp: make length/offset-related variables unsigned.
Ronald S. Bultje [Mon, 5 Dec 2016 20:55:26 +0000 (15:55 -0500)]
http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)

2 years agoChangelog: update n2.8.9
Michael Niedermayer [Sun, 4 Dec 2016 00:42:53 +0000 (01:42 +0100)]
Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix undefined shift in decode_subframe()
Michael Niedermayer [Sat, 3 Dec 2016 23:11:17 +0000 (00:11 +0100)]
avcodec/flacdec: Fix undefined shift in decode_subframe()

Fixes undefined behavior
Fixes: 639961-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/get_bits: Fix get_sbits_long(0)
Michael Niedermayer [Sat, 3 Dec 2016 22:44:56 +0000 (23:44 +0100)]
avcodec/get_bits: Fix get_sbits_long(0)

Fixes undefined behavior
Fixes: 640889-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/ffmdec: Check media type for chunks
Michael Niedermayer [Sat, 3 Dec 2016 12:39:56 +0000 (13:39 +0100)]
avformat/ffmdec: Check media type for chunks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Michael Niedermayer [Sat, 3 Dec 2016 16:05:43 +0000 (17:05 +0100)]
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()

Fixes undefined behavior
Fixes: 640912-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Michael Niedermayer [Sat, 3 Dec 2016 15:43:10 +0000 (16:43 +0100)]
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c

Fixes: left shift of negative value
Fixes: 668346-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggparsespeex: Check frames_per_packet and packet_size
Michael Niedermayer [Sat, 3 Dec 2016 02:40:55 +0000 (03:40 +0100)]
avformat/oggparsespeex: Check frames_per_packet and packet_size

The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Check start/end before computing duration in update_stream_timings()
Michael Niedermayer [Sat, 3 Dec 2016 02:02:41 +0000 (03:02 +0100)]
avformat/utils: Check start/end before computing duration in update_stream_timings()

Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoChangelog: Update
Michael Niedermayer [Thu, 1 Dec 2016 23:47:39 +0000 (00:47 +0100)]
Changelog: Update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flac_parser: Update nb_headers_buffered
Michael Niedermayer [Thu, 24 Nov 2016 14:29:52 +0000 (15:29 +0100)]
avcodec/flac_parser: Update nb_headers_buffered

Fixes infinite loop
Fixes: fuzz.flac

Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889cde6221677473b663df6f985add33d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/idroqdec: Check chunk_size for being too large
Michael Niedermayer [Tue, 29 Nov 2016 01:58:34 +0000 (02:58 +0100)]
avformat/idroqdec: Check chunk_size for being too large

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoUpdate Changelog
Andreas Cadhalpun [Sat, 26 Nov 2016 23:47:03 +0000 (00:47 +0100)]
Update Changelog

2 years agofilmstripdec: correctly check image dimensions
Andreas Cadhalpun [Sun, 13 Nov 2016 17:22:12 +0000 (18:22 +0100)]
filmstripdec: correctly check image dimensions

This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomss2: only use error correction for matching block counts
Andreas Cadhalpun [Thu, 24 Nov 2016 22:57:46 +0000 (23:57 +0100)]
mss2: only use error correction for matching block counts

This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: decrease MIN_EXP to cover full float range
Andreas Cadhalpun [Thu, 24 Nov 2016 23:26:51 +0000 (00:26 +0100)]
softfloat: decrease MIN_EXP to cover full float range

floats are not necessarily normalized, so a normalized softfloat needs
MIN_EXP lowered by 23 to cover that range.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibopusdec: default to stereo for invalid number of channels
Andreas Cadhalpun [Mon, 14 Nov 2016 20:41:45 +0000 (21:41 +0100)]
libopusdec: default to stereo for invalid number of channels

This fixes an out-of-bounds read if avc->channels is 0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosbgdec: prevent NULL pointer access
Andreas Cadhalpun [Thu, 10 Nov 2016 21:21:20 +0000 (22:21 +0100)]
sbgdec: prevent NULL pointer access

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmacker: limit recursion depth of smacker_decode_bigtree
Andreas Cadhalpun [Sat, 19 Nov 2016 13:21:11 +0000 (14:21 +0100)]
smacker: limit recursion depth of smacker_decode_bigtree

This fixes segmentation faults due to stack-overflow caused by too deep
recursion.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference in mxf_read_packet_old
Andreas Cadhalpun [Thu, 17 Nov 2016 21:53:51 +0000 (22:53 +0100)]
mxfdec: fix NULL pointer dereference in mxf_read_packet_old

Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: fix leaking of framewithpts
Andreas Cadhalpun [Sun, 13 Nov 2016 22:10:06 +0000 (23:10 +0100)]
libschroedingerdec: fix leaking of framewithpts

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: don't produce empty frames
Andreas Cadhalpun [Sun, 13 Nov 2016 21:59:47 +0000 (22:59 +0100)]
libschroedingerdec: don't produce empty frames

They are not valid and can cause problems/crashes for API users.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: handle -INT_MAX correctly
Andreas Cadhalpun [Sun, 13 Nov 2016 19:52:02 +0000 (20:52 +0100)]
softfloat: handle -INT_MAX correctly

This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agopnmdec: make sure v is capped by maxval
Andreas Cadhalpun [Wed, 9 Nov 2016 00:09:35 +0000 (01:09 +0100)]
pnmdec: make sure v is capped by maxval

Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmvjpegdec: make sure cur_frame is not negative
Andreas Cadhalpun [Thu, 10 Nov 2016 21:09:03 +0000 (22:09 +0100)]
smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: correctly check avio_read return value
Andreas Cadhalpun [Tue, 8 Nov 2016 22:29:28 +0000 (23:29 +0100)]
icodec: correctly check avio_read return value

It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: fix leaking pkt on error
Andreas Cadhalpun [Tue, 8 Nov 2016 22:53:52 +0000 (23:53 +0100)]
icodec: fix leaking pkt on error

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodvbsubdec: fix division by zero in compute_default_clut
Andreas Cadhalpun [Tue, 8 Nov 2016 21:32:42 +0000 (22:32 +0100)]
dvbsubdec: fix division by zero in compute_default_clut

This problem was introduced in commit
4b90dcb8493552c17a811c8b1e6538dae4061f9d.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoproresdec_lgpl: explicitly check coff[3] against slice_data_size
Andreas Cadhalpun [Wed, 9 Nov 2016 22:49:46 +0000 (23:49 +0100)]
proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a87f4412a83c23b0d60364be5e7ce58.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoescape124: reject codebook size 0
Andreas Cadhalpun [Tue, 8 Nov 2016 23:38:50 +0000 (00:38 +0100)]
escape124: reject codebook size 0

It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegts: prevent division by zero
Andreas Cadhalpun [Mon, 7 Nov 2016 22:37:59 +0000 (23:37 +0100)]
mpegts: prevent division by zero

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomatroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
Andreas Cadhalpun [Mon, 7 Nov 2016 23:42:23 +0000 (00:42 +0100)]
matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header

The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd97d2f1f456ff38b192edf84f9744738)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegaudio_parser: don't return AVERROR_PATCHWELCOME
Andreas Cadhalpun [Mon, 7 Nov 2016 00:16:14 +0000 (01:16 +0100)]
mpegaudio_parser: don't return AVERROR_PATCHWELCOME

The API does not allow returning AVERROR codes.

It triggers an assert in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5249706e9d2ec5ed1b07d8ffdbb8fb9104261f6d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference
Andreas Cadhalpun [Fri, 4 Nov 2016 23:17:53 +0000 (00:17 +0100)]
mxfdec: fix NULL pointer dereference

Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb6106118c17308b3fdc3190f5e5bf84b01d5c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodiracdec: check return code of get_buffer_with_edge
Andreas Cadhalpun [Fri, 4 Nov 2016 18:00:17 +0000 (19:00 +0100)]
diracdec: check return code of get_buffer_with_edge

If it fails, buffers aren't allocated, causing NULL pointer dereferencing.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db79dedb1ae5dd38432eee3f09155e26f3f2d95a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoppc: pixblockdsp: do unaligned block accesses correctly again
Andreas Cadhalpun [Wed, 2 Nov 2016 20:28:49 +0000 (21:28 +0100)]
ppc: pixblockdsp: do unaligned block accesses correctly again

This was broken by the following Libav commit:
4c387c7 ppc: dsputil: do unaligned block accesses correctly

The following tests fail due to this:
fate-checkasm
fate-vsynth1-dnxhd-2k-hr-hq fate-vsynth1-dnxhd-edge1-hr
fate-vsynth1-dnxhd-edge2-hr fate-vsynth1-dnxhd-edge3-hr
fate-vsynth1-dnxhd-hr-sq-mov fate-vsynth1-dnxhd-hr-hq-mov
fate-vsynth2-dnxhd-2k-hr-hq fate-vsynth2-dnxhd-edge1-hr
fate-vsynth2-dnxhd-edge2-hr fate-vsynth2-dnxhd-edge3-hr
fate-vsynth2-dnxhd-hr-sq-mov fate-vsynth2-dnxhd-hr-hq-mov
fate-vsynth3-dnxhd-2k-hr-hq fate-vsynth3-dnxhd-edge1-hr
fate-vsynth3-dnxhd-edge2-hr fate-vsynth3-dnxhd-edge3-hr
fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov

Fixes trac ticket #5508.

Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3932ccc472ad4f4d370dcfc1c2f574b0f3acb88c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompeg12dec: unref discarded picture from extradata
Andreas Cadhalpun [Thu, 20 Oct 2016 20:51:55 +0000 (22:51 +0200)]
mpeg12dec: unref discarded picture from extradata

Otherwise another frame gets referenced into picture, triggering an assert
(from commit 13aae8) in av_frame_ref.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a92f8edf0c51781e152651cce2e753ad6e359eb2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agocavsdec: unref frame before referencing again
Andreas Cadhalpun [Thu, 20 Oct 2016 20:14:22 +0000 (22:14 +0200)]
cavsdec: unref frame before referencing again

This fixes asserts (from commit 13aae8) in av_frame_ref and
av_frame_move_ref.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1966ea012fd72abc8003e95dc3c8ad9e9f197913)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoavformat: prevent triggering request_probe assert in ff_read_packet
Andreas Cadhalpun [Wed, 19 Oct 2016 17:23:49 +0000 (19:23 +0200)]
avformat: prevent triggering request_probe assert in ff_read_packet

If probe_codec is called with pkt == NULL, it sets probe_packets to 0
and request_probe to -1.
However, request_probe can change when calling s->iformat->read_packet
and thus a probe_packets value of 0 doesn't guarantee a request_probe
value of -1.
In that case calling probe_codec again is necessary to prevent
triggering the assert.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a5b4476a602f31e451b11ca0c18bc92be130a50e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoUpdate for 2.8.9
Michael Niedermayer [Wed, 5 Oct 2016 01:31:38 +0000 (03:31 +0200)]
Update for 2.8.9

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mpeg: Adjust vid probe threshold to correct mis-detection
Michael Niedermayer [Tue, 15 Nov 2016 19:06:42 +0000 (20:06 +0100)]
avformat/mpeg: Adjust vid probe threshold to correct mis-detection

Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rv40: Test remaining space in loop of get_dimension()
Michael Niedermayer [Tue, 15 Nov 2016 21:50:35 +0000 (22:50 +0100)]
avcodec/rv40: Test remaining space in loop of get_dimension()

Fixes infinite loop
Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ituh263dec: Avoid spending a long time in slice sync
Michael Niedermayer [Tue, 15 Nov 2016 17:05:33 +0000 (18:05 +0100)]
avcodec/ituh263dec: Avoid spending a long time in slice sync

Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Add error message for tsmb_size check
Michael Niedermayer [Tue, 15 Nov 2016 13:54:47 +0000 (14:54 +0100)]
avcodec/movtextdec: Add error message for tsmb_size check

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix tsmb_size check==0 check
Michael Niedermayer [Tue, 15 Nov 2016 13:52:21 +0000 (14:52 +0100)]
avcodec/movtextdec: Fix tsmb_size check==0 check

Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix potential integer overflow
Michael Niedermayer [Tue, 15 Nov 2016 13:46:16 +0000 (14:46 +0100)]
avcodec/movtextdec: Fix potential integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/sunrast: Fix input buffer pointer check
Michael Niedermayer [Tue, 1 Nov 2016 18:24:49 +0000 (19:24 +0100)]
avcodec/sunrast: Fix input buffer pointer check

Fixes: out of array read
Fixes: poc.dat

Found-by: Bingchang, Liu @VARAS of IIE
Tested-by: bc L <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tscc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/tscc:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rawdec: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/rawdec: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/msvideo1: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/msvideo1: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/qpeg: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/qpeg:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16793504dfba44e738655807db3274301b9bc690)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/qtrle: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/qtrle:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/msrle: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/msrle:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/kmvc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/kmvc:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/idcinvideo: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/idcinvideo: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cinepak: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 12:47:38 +0000 (13:47 +0100)]
avcodec/cinepak: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/8bps: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 12:44:52 +0000 (13:44 +0100)]
avcodec/8bps: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dvdsubdec: Fix off by 1 error
Michael Niedermayer [Tue, 25 Oct 2016 22:11:52 +0000 (00:11 +0200)]
avcodec/dvdsubdec: Fix off by 1 error

Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dvdsubdec: Fix buf_size check
Michael Niedermayer [Wed, 26 Oct 2016 14:29:57 +0000 (16:29 +0200)]
avcodec/dvdsubdec: Fix buf_size check

Fixes out of array access

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agovp9: change order of operations in adapt_prob().
Ronald S. Bultje [Fri, 14 Oct 2016 17:01:27 +0000 (13:01 -0400)]
vp9: change order of operations in adapt_prob().

This is intended to workaround bug "665 Integer Divide Instruction May
Cause Unpredictable Behavior" on some early AMD CPUs, which causes a
div-by-zero in this codepath, such as reported in Mozilla bug #1293996.

Note that this isn't guaranteed to fix the bug, since a compiler is free
to reorder instructions that don't depend on each other. However, it
appears to fix the bug in Firefox, and a similar patch was applied to
libvpx also (see Chrome bug #599899).

(cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/interplayvideo: Check side data size before use
Michael Niedermayer [Tue, 25 Oct 2016 01:51:17 +0000 (03:51 +0200)]
avcodec/interplayvideo: Check side data size before use

Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()
Michael Niedermayer [Fri, 21 Oct 2016 17:45:21 +0000 (19:45 +0200)]
avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>