ffmpeg.git
2 years agoconfigure: bump year n3.0.6
James Almer [Mon, 2 Jan 2017 04:38:03 +0000 (01:38 -0300)]
configure: bump year

Happy new year!

(cherry picked from commit d800d48fc67208819c2a4ae5eb214ca5e3ad7e82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoChangelog: Update
Michael Niedermayer [Sun, 5 Feb 2017 00:05:58 +0000 (01:05 +0100)]
Changelog: Update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pngdec: Check trns more completely
Michael Niedermayer [Sat, 4 Feb 2017 11:24:14 +0000 (12:24 +0100)]
avcodec/pngdec: Check trns more completely

Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e477f09d0b3619f3d29173b2cd593e17e2d1978e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/interplayvideo: Move parameter change check up
Michael Niedermayer [Sat, 4 Feb 2017 01:45:02 +0000 (02:45 +0100)]
avcodec/interplayvideo: Move parameter change check up

Fixes out of array read
Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1e2192007d7026049237c9ab11e05ae71bf4f42)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoUpdate for 3.0.6
Michael Niedermayer [Fri, 3 Feb 2017 15:43:36 +0000 (16:43 +0100)]
Update for 3.0.6

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
Michael Niedermayer [Wed, 1 Feb 2017 00:32:37 +0000 (01:32 +0100)]
avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()

Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3782656631fa8262528c07794acf7e9c2aab000d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/flacdec: Check avio_read result when reading flac block header.
Frank Liberato [Tue, 24 Jan 2017 18:58:17 +0000 (10:58 -0800)]
avformat/flacdec: Check avio_read result when reading flac block header.

Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982a82bc10470c0adab5969ffe635d064)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/utils: correct align value for interplay
Michael Niedermayer [Tue, 24 Jan 2017 23:20:19 +0000 (00:20 +0100)]
avcodec/utils: correct align value for interplay

Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2080bc33717955a0e4268e738acf8c1eeddbf8cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/vp56: Check for the bitstream end, pass error codes on
Michael Niedermayer [Tue, 24 Jan 2017 21:21:25 +0000 (22:21 +0100)]
avcodec/vp56: Check for the bitstream end, pass error codes on

Fixes timeout
Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6a2427558a718be0c1fffacffd935f630a7a8d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
Michael Niedermayer [Tue, 24 Jan 2017 15:13:05 +0000 (16:13 +0100)]
avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()

Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 755933cb5cd17decd1838d3d64e07d4157de5638)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pngdec: Fix off by 1 size in decode_zbuf()
Michael Niedermayer [Mon, 23 Jan 2017 00:25:27 +0000 (01:25 +0100)]
avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/avidec: skip odml master index chunks in avi_sync
Tobias Rapp [Fri, 23 Dec 2016 13:50:16 +0000 (14:50 +0100)]
avformat/avidec: skip odml master index chunks in avi_sync

Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1bdc4126955cae7f385208e455685986)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check for rgb before flipping
Michael Niedermayer [Sat, 31 Dec 2016 02:08:33 +0000 (03:08 +0100)]
avcodec/mjpegdec: Check for rgb before flipping

Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f1172ae6a210c671195ba3135895abaf3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/random_seed: Reduce the time needed on systems with very low precission clock()
Michael Niedermayer [Sat, 24 Dec 2016 13:26:41 +0000 (14:26 +0100)]
avutil/random_seed: Reduce the time needed on systems with very low precission clock()

This should fix issues on BSD
CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4152fc42e480c41efb7f761b1bbe5f0bc43d5bc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/random_seed: Improve get_generic_seed() with higher precission clock()
Michael Niedermayer [Thu, 22 Dec 2016 02:59:03 +0000 (03:59 +0100)]
avutil/random_seed: Improve get_generic_seed() with higher precission clock()

Tested-by: Thomas Turner <thomastdt@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da73d95bad4736c5e0a6b4b1a811f4dd4525bb4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Print verbose error message if stream count exceeds max_streams
Michael Niedermayer [Sat, 10 Dec 2016 19:15:13 +0000 (20:15 +0100)]
avformat/utils: Print verbose error message if stream count exceeds max_streams

Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd538712d8ed34120ab2b7bd1409fcc99fb45)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/options_table: Set the default maximum number of streams to 1000
Michael Niedermayer [Sat, 10 Dec 2016 19:15:12 +0000 (20:15 +0100)]
avformat/options_table: Set the default maximum number of streams to 1000

Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e72a7a7ea1572c1c6039f6e4c590a55c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agopgssubdec: reset rle_data_len/rle_remaining_len on allocation error
Andreas Cadhalpun [Tue, 31 Jan 2017 00:55:44 +0000 (01:55 +0100)]
pgssubdec: reset rle_data_len/rle_remaining_len on allocation error

The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d83d8cf297e2bc2761f1f47eb89e49e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoavutil: Add av_image_check_size2()
Michael Niedermayer [Sat, 10 Dec 2016 20:05:14 +0000 (21:05 +0100)]
avutil: Add av_image_check_size2()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f542b152aa2086b30d1089162d79f5c136905c0c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat: Add max_streams option
Michael Niedermayer [Fri, 18 Nov 2016 16:00:30 +0000 (17:00 +0100)]
avformat: Add max_streams option

This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f844955e513d19051c962656f829479d4fb9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
Michael Niedermayer [Thu, 8 Dec 2016 22:51:45 +0000 (23:51 +0100)]
avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated

We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb24ef62466b076715e0add60e1d6962)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()

Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e363851434ad5662c19d036fddb3e3f27683)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggdec: Skip streams in duration correction that did not had their duration...
Michael Niedermayer [Fri, 9 Dec 2016 16:01:14 +0000 (17:01 +0100)]
avformat/oggdec: Skip streams in duration correction that did not had their duration set.

Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8c6a151c3e3826872f1b0a07401c62a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1enc: Fix size of first slice
Michael Niedermayer [Thu, 8 Dec 2016 23:19:19 +0000 (00:19 +0100)]
avcodec/ffv1enc: Fix size of first slice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa797eca96663d9b83e4b8c1b609ff19)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoChagelog: update n3.0.5
Michael Niedermayer [Mon, 5 Dec 2016 22:32:35 +0000 (23:32 +0100)]
Chagelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoconfigure: check for strtoull on msvc
James Almer [Mon, 5 Dec 2016 16:07:10 +0000 (13:07 -0300)]
configure: check for strtoull on msvc

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d466e745834d1283b55570dee1e2d4cd)

2 years agohttp: move chunk handling from http_read_stream() to http_buf_read().
Ronald S. Bultje [Mon, 5 Dec 2016 15:18:10 +0000 (10:18 -0500)]
http: move chunk handling from http_read_stream() to http_buf_read().

(cherry picked from commit 845bb401781ef04e342bd558df16a8dbf5f800f9)

2 years agohttp: make length/offset-related variables unsigned.
Ronald S. Bultje [Mon, 5 Dec 2016 13:02:33 +0000 (08:02 -0500)]
http: make length/offset-related variables unsigned.

Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813de6f2278827734bf8102291e7484aa)

2 years agoffserver: Check chunk size
Michael Niedermayer [Mon, 5 Dec 2016 16:27:45 +0000 (17:27 +0100)]
ffserver: Check chunk size

Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f4b18dac737fdb35d0dd68eb0dc2156)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoAvoid using the term "file" and prefer "url" in some docs and comments
Michael Niedermayer [Mon, 5 Dec 2016 11:54:21 +0000 (12:54 +0100)]
Avoid using the term "file" and prefer "url" in some docs and comments

This should make it less ambigous that these are URLs

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5f27a9c3aa973c543bd8bbf2a78363700bbc03e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Check for packet size mismatches
Michael Niedermayer [Mon, 5 Dec 2016 10:14:51 +0000 (11:14 +0100)]
avformat/rtmppkt: Check for packet size mismatches

Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a75562fa32e40766211de150f8b3ee7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agozmqsend: Initialize ret to 0
Timothy Gu [Mon, 5 Dec 2016 18:04:57 +0000 (10:04 -0800)]
zmqsend: Initialize ret to 0

Fixes CID1396857.

(cherry picked from commit d903b4e3ad4a81b3dd79f12c2f3b9cb16e511173)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rawdec: check for side data before checking its size
James Almer [Fri, 4 Nov 2016 01:34:58 +0000 (22:34 -0300)]
avcodec/rawdec: check for side data before checking its size

Fixes valgrind warnings about usage of uninitialized values.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51e329918dc1826de7451541cb15bef3b9bfe138)

2 years agoUpdate for version 3.0.5
Michael Niedermayer [Sun, 4 Dec 2016 20:15:15 +0000 (21:15 +0100)]
Update for version 3.0.5

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix undefined shift in decode_subframe()
Michael Niedermayer [Sat, 3 Dec 2016 23:11:17 +0000 (00:11 +0100)]
avcodec/flacdec: Fix undefined shift in decode_subframe()

Fixes undefined behavior
Fixes: 639961-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f5630af51f24d79053b6bef5b8b3ba93d637306)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/get_bits: Fix get_sbits_long(0)
Michael Niedermayer [Sat, 3 Dec 2016 22:44:56 +0000 (23:44 +0100)]
avcodec/get_bits: Fix get_sbits_long(0)

Fixes undefined behavior
Fixes: 640889-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa432349881d5a445cd110abf698cc94d490d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/ffmdec: Check media type for chunks
Michael Niedermayer [Sat, 3 Dec 2016 12:39:56 +0000 (13:39 +0100)]
avformat/ffmdec: Check media type for chunks

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e706e2e775730db5dfa9103628cd70704dd13cef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Michael Niedermayer [Sat, 3 Dec 2016 16:05:43 +0000 (17:05 +0100)]
avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()

Fixes undefined behavior
Fixes: 640912-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c31b3c0ce2ca7e1426d1f2e3df634239)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Michael Niedermayer [Sat, 3 Dec 2016 15:43:10 +0000 (16:43 +0100)]
avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c

Fixes: left shift of negative value
Fixes: 668346-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab52d2235767852262c64c7f6b273d1c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggparsespeex: Check frames_per_packet and packet_size
Michael Niedermayer [Sat, 3 Dec 2016 02:40:55 +0000 (03:40 +0100)]
avformat/oggparsespeex: Check frames_per_packet and packet_size

The speex specification does not seem to restrict these values, thus
the limits where choosen so as to avoid multiplicative overflow

Fixes undefined behavior
Fixes: 635422.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afcf15b0dbb4b6429be5083e50b296cdca61875e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/utils: Check start/end before computing duration in update_stream_timings()
Michael Niedermayer [Sat, 3 Dec 2016 02:02:41 +0000 (03:02 +0100)]
avformat/utils: Check start/end before computing duration in update_stream_timings()

Fixes undefined behavior
Fixes: 637428.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90da187f1d334422477886a19eca3c1da29c59a7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flac_parser: Update nb_headers_buffered
Michael Niedermayer [Thu, 24 Nov 2016 14:29:52 +0000 (15:29 +0100)]
avcodec/flac_parser: Update nb_headers_buffered

Fixes infinite loop
Fixes: fuzz.flac

Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889cde6221677473b663df6f985add33d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/idroqdec: Check chunk_size for being too large
Michael Niedermayer [Tue, 29 Nov 2016 01:58:34 +0000 (02:58 +0100)]
avformat/idroqdec: Check chunk_size for being too large

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 744a0b5206634e5de04d5c31f08cc3640faf800d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mpeg: Adjust vid probe threshold to correct mis-detection
Michael Niedermayer [Tue, 15 Nov 2016 19:06:42 +0000 (20:06 +0100)]
avformat/mpeg: Adjust vid probe threshold to correct mis-detection

Fixes: _ij.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e5049a2303ae7fe74216a83206239e4de42c965)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rv40: Test remaining space in loop of get_dimension()
Michael Niedermayer [Tue, 15 Nov 2016 21:50:35 +0000 (22:50 +0100)]
avcodec/rv40: Test remaining space in loop of get_dimension()

Fixes infinite loop
Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1546d487cf12da37d90a080813f8d57ac33036bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ituh263dec: Avoid spending a long time in slice sync
Michael Niedermayer [Tue, 15 Nov 2016 17:05:33 +0000 (18:05 +0100)]
avcodec/ituh263dec: Avoid spending a long time in slice sync

Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2baf36caed98cfdc7f6a2086fbf26f1a172f16cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Add error message for tsmb_size check
Michael Niedermayer [Tue, 15 Nov 2016 13:54:47 +0000 (14:54 +0100)]
avcodec/movtextdec: Add error message for tsmb_size check

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0eb319800567b79ca6b4cf0d90904318641b9e50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix tsmb_size check==0 check
Michael Niedermayer [Tue, 15 Nov 2016 13:52:21 +0000 (14:52 +0100)]
avcodec/movtextdec: Fix tsmb_size check==0 check

Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a609905723c01e356d35146425c3d45c090aae7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/movtextdec: Fix potential integer overflow
Michael Niedermayer [Tue, 15 Nov 2016 13:46:16 +0000 (14:46 +0100)]
avcodec/movtextdec: Fix potential integer overflow

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/sunrast: Fix input buffer pointer check
Michael Niedermayer [Tue, 1 Nov 2016 18:24:49 +0000 (19:24 +0100)]
avcodec/sunrast: Fix input buffer pointer check

Fixes: out of array read
Fixes: poc.dat

Found-by: Bingchang, Liu @VARAS of IIE
Tested-by: bc L <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37138338ff602803d174b13fecd363a083bc2f9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tscc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/tscc:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 979bca513424879ed0c653cb1b55fc4156a89576)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/rawdec: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/rawdec: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f0bc0215a0f7099a2bcba5dced2e045e70fee61)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/msvideo1: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/msvideo1: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 161ccdaa06d1d109e8f77d2535bda11ce02720f5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/qpeg: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/qpeg:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16793504dfba44e738655807db3274301b9bc690)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/qtrle: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/qtrle:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d196f2a5a48faf25fd904b33b1fd239daae9840)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/msrle: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/msrle:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6330119a099840c5279697cf80cb768df97a90a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/kmvc: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/kmvc:  Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d99101d0964f754822fb4af121c4abc69047dba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/idcinvideo: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 14:12:12 +0000 (15:12 +0100)]
avcodec/idcinvideo: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a2b8dde65947bfabf42269e124ef83ecf9c5974a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cinepak: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 12:47:38 +0000 (13:47 +0100)]
avcodec/cinepak: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 121be310607879841d19a34d9f16d4fe9ba7f18c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/8bps: Check side data size before use
Michael Niedermayer [Sun, 30 Oct 2016 12:44:52 +0000 (13:44 +0100)]
avcodec/8bps: Check side data size before use

Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 042faa847feea820451c474af0034fd3de9cff82)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dvdsubdec: Fix off by 1 error
Michael Niedermayer [Tue, 25 Oct 2016 22:11:52 +0000 (00:11 +0200)]
avcodec/dvdsubdec: Fix off by 1 error

Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dvdsubdec: Fix buf_size check
Michael Niedermayer [Wed, 26 Oct 2016 14:29:57 +0000 (16:29 +0200)]
avcodec/dvdsubdec: Fix buf_size check

Fixes out of array access

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25ab1a65f3acb5ec67b53fb7a2463a7368f1ad16)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agovp9: change order of operations in adapt_prob().
Ronald S. Bultje [Fri, 14 Oct 2016 17:01:27 +0000 (13:01 -0400)]
vp9: change order of operations in adapt_prob().

This is intended to workaround bug "665 Integer Divide Instruction May
Cause Unpredictable Behavior" on some early AMD CPUs, which causes a
div-by-zero in this codepath, such as reported in Mozilla bug #1293996.

Note that this isn't guaranteed to fix the bug, since a compiler is free
to reorder instructions that don't depend on each other. However, it
appears to fix the bug in Firefox, and a similar patch was applied to
libvpx also (see Chrome bug #599899).

(cherry picked from commit be885da3427c5d9a6fa68229d16318afffe67193)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/interplayvideo: Check side data size before use
Michael Niedermayer [Tue, 25 Oct 2016 01:51:17 +0000 (03:51 +0200)]
avcodec/interplayvideo: Check side data size before use

Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85d23e5cbc9ad6835eef870a5b4247de78febe56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()
Michael Niedermayer [Fri, 21 Oct 2016 17:45:21 +0000 (19:45 +0200)]
avformat/mxfdec: Check size to avoid integer overflow in mxf_read_utf16_string()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fecb3e82a4ba09dc11a51ad0961ab491881a53a1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()
Michael Niedermayer [Fri, 21 Oct 2016 12:05:00 +0000 (14:05 +0200)]
avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()

This function must be called from the mb or slice encoding loop and MMX state may not
be clean there

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03ec6b780cfae85b8bf0f32b2eda201063ad061b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/utils: Clear MMX state before returning from avcodec_default_execute*()
Michael Niedermayer [Fri, 21 Oct 2016 11:40:18 +0000 (13:40 +0200)]
avcodec/utils: Clear MMX state before returning from avcodec_default_execute*()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f96f9d1118e073d346d16be157fa5075434e7f2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/icodec: Fix crash probing fuzzed file
Mark Harris [Tue, 16 Feb 2016 07:52:13 +0000 (23:52 -0800)]
avformat/icodec: Fix crash probing fuzzed file

Avoid invalid memory read/crash when frame offset >= 0xfffffff8.
Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
(The previous commit verifies that p->buf_size >= 22.)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 56e2cd9c042e05255aa28487694c29aaec023263)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodcstr: fix division by zero
Andreas Cadhalpun [Thu, 20 Oct 2016 18:13:54 +0000 (20:13 +0200)]
dcstr: fix division by zero

Also check for possible overflows.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit b0a043f51b8cc3b420dc3ceaa38fe9aa344799aa)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agorsd: limit number of channels
Andreas Cadhalpun [Wed, 19 Oct 2016 21:40:41 +0000 (23:40 +0200)]
rsd: limit number of channels

Negative values don't make sense and too large values can cause
overflows. For AV_CODEC_ID_ADPCM_THP this leads to a too small extradata
buffer being allocated, causing out-of-bounds writes.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ee5f0f1d355fa0fd9194ac97a2c8598c93ed328b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomss2: only use error correction for matching block counts
Andreas Cadhalpun [Thu, 24 Nov 2016 22:57:46 +0000 (23:57 +0100)]
mss2: only use error correction for matching block counts

This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b01538ea589e5ee07b69fc566aadc348)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: decrease MIN_EXP to cover full float range
Andreas Cadhalpun [Thu, 24 Nov 2016 23:26:51 +0000 (00:26 +0100)]
softfloat: decrease MIN_EXP to cover full float range

floats are not necessarily normalized, so a normalized softfloat needs
MIN_EXP lowered by 23 to cover that range.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2d6f46d801bab990b7e742b8a8e5c5b0cb70a80e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibopusdec: default to stereo for invalid number of channels
Andreas Cadhalpun [Mon, 14 Nov 2016 20:41:45 +0000 (21:41 +0100)]
libopusdec: default to stereo for invalid number of channels

This fixes an out-of-bounds read if avc->channels is 0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81aa2b50bb6a6cfd370a0061281492a3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agopgssubdec: only set w/h/linesize when allocating data
Andreas Cadhalpun [Wed, 9 Nov 2016 22:23:16 +0000 (23:23 +0100)]
pgssubdec: only set w/h/linesize when allocating data

Rects with positive w/h/linesize but no data are invalid.

Reviewed-by: Petri Hintukainen <phintuka@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 995512328ed84bb737bc364e4ef6fba1994f062a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosbgdec: prevent NULL pointer access
Andreas Cadhalpun [Thu, 10 Nov 2016 21:21:20 +0000 (22:21 +0100)]
sbgdec: prevent NULL pointer access

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit dbefbb61b785cd77810c032f5cdb499d2a92df07)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmacker: limit recursion depth of smacker_decode_bigtree
Andreas Cadhalpun [Sat, 19 Nov 2016 13:21:11 +0000 (14:21 +0100)]
smacker: limit recursion depth of smacker_decode_bigtree

This fixes segmentation faults due to stack-overflow caused by too deep
recursion.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea752399bccc751c9339ff74b815587e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference in mxf_read_packet_old
Andreas Cadhalpun [Thu, 17 Nov 2016 21:53:51 +0000 (22:53 +0100)]
mxfdec: fix NULL pointer dereference in mxf_read_packet_old

Metadata streams have priv_data set to NULL.

Reviewed-by: Josh de Kock <josh@itanimul.li>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit fdb8c455b637f86e2e85503b7e090fa448164398)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: fix leaking of framewithpts
Andreas Cadhalpun [Sun, 13 Nov 2016 22:10:06 +0000 (23:10 +0100)]
libschroedingerdec: fix leaking of framewithpts

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d98664b05efdd377d3fe66a569d385e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolibschroedingerdec: don't produce empty frames
Andreas Cadhalpun [Sun, 13 Nov 2016 21:59:47 +0000 (22:59 +0100)]
libschroedingerdec: don't produce empty frames

They are not valid and can cause problems/crashes for API users.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f641bc797002ddea7fb517759722cd1b)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosoftfloat: handle -INT_MAX correctly
Andreas Cadhalpun [Sun, 13 Nov 2016 19:52:02 +0000 (20:52 +0100)]
softfloat: handle -INT_MAX correctly

This is similar to commit 9ac61e73d0843ec4b83f4e3d47eded73234e406e.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0edd569466eb45b134690b9f4efbb57eda86f58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agofilmstripdec: correctly check image dimensions
Andreas Cadhalpun [Sun, 13 Nov 2016 17:22:12 +0000 (18:22 +0100)]
filmstripdec: correctly check image dimensions

This prevents a division by zero in read_packet.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 25012c56448a48487cdc9699465e640871dbcd60)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agopnmdec: make sure v is capped by maxval
Andreas Cadhalpun [Wed, 9 Nov 2016 00:09:35 +0000 (01:09 +0100)]
pnmdec: make sure v is capped by maxval

Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9ddc886f0b8661db585405ebab343e80)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agosmvjpegdec: make sure cur_frame is not negative
Andreas Cadhalpun [Thu, 10 Nov 2016 21:09:03 +0000 (22:09 +0100)]
smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: correctly check avio_read return value
Andreas Cadhalpun [Tue, 8 Nov 2016 22:29:28 +0000 (23:29 +0100)]
icodec: correctly check avio_read return value

It can read less than the requested amount, in which case buf contains
uninitialized data, causing problems like segmentation faults later on.

Also make sure that image->size is positive, so that it can't match a
negative error code.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 89eb398c7fc4cb9a15e55bdf2ab6435b5332e377)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodvbsubdec: fix division by zero in compute_default_clut
Andreas Cadhalpun [Tue, 8 Nov 2016 21:32:42 +0000 (22:32 +0100)]
dvbsubdec: fix division by zero in compute_default_clut

This problem was introduced in commit
4b90dcb8493552c17a811c8b1e6538dae4061f9d.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4f226423ddd644bfe37e6a15d070924)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoproresdec_lgpl: explicitly check coff[3] against slice_data_size
Andreas Cadhalpun [Wed, 9 Nov 2016 22:49:46 +0000 (23:49 +0100)]
proresdec_lgpl: explicitly check coff[3] against slice_data_size

The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a87f4412a83c23b0d60364be5e7ce58.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7a8d9fb7a4b8b6cc54842e72b36ed70)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoescape124: reject codebook size 0
Andreas Cadhalpun [Tue, 8 Nov 2016 23:38:50 +0000 (00:38 +0100)]
escape124: reject codebook size 0

It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c84591f1901c2a13819031549909faa1f5)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: add ico_read_close to fix leaking ico->images
Andreas Cadhalpun [Tue, 8 Nov 2016 22:54:41 +0000 (23:54 +0100)]
icodec: add ico_read_close to fix leaking ico->images

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit d54c95a1435a8a3fcd599108ec85b7f56a0fcbf9)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoicodec: fix leaking pkt on error
Andreas Cadhalpun [Tue, 8 Nov 2016 22:53:52 +0000 (23:53 +0100)]
icodec: fix leaking pkt on error

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 467eece1bea5c8325c6974190ba61f1bba88a3f3)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegts: prevent division by zero
Andreas Cadhalpun [Mon, 7 Nov 2016 22:37:59 +0000 (23:37 +0100)]
mpegts: prevent division by zero

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1bbb18fe82fc77a10d45fa53bd2738d2c54de6c6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomatroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header
Andreas Cadhalpun [Mon, 7 Nov 2016 23:42:23 +0000 (00:42 +0100)]
matroskadec: fix NULL pointer dereference in webm_dash_manifest_read_header

The code assumes that s->streams[0] is valid.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit ff100c9dd97d2f1f456ff38b192edf84f9744738)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompegaudio_parser: don't return AVERROR_PATCHWELCOME
Andreas Cadhalpun [Mon, 7 Nov 2016 00:16:14 +0000 (01:16 +0100)]
mpegaudio_parser: don't return AVERROR_PATCHWELCOME

The API does not allow returning AVERROR codes.

It triggers an assert in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5249706e9d2ec5ed1b07d8ffdbb8fb9104261f6d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agomxfdec: fix NULL pointer dereference
Andreas Cadhalpun [Fri, 4 Nov 2016 23:17:53 +0000 (00:17 +0100)]
mxfdec: fix NULL pointer dereference

Metadata streams have priv_data set to NULL.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 0efb6106118c17308b3fdc3190f5e5bf84b01d5c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agolzf: update pointer p after realloc
Andreas Cadhalpun [Fri, 4 Nov 2016 21:58:49 +0000 (22:58 +0100)]
lzf: update pointer p after realloc

This fixes heap-use-after-free detected by AddressSanitizer.

Reviewed-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb6a7b6f75ac544c956e3eefee297700ef4d3468)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agodiracdec: check return code of get_buffer_with_edge
Andreas Cadhalpun [Fri, 4 Nov 2016 18:00:17 +0000 (19:00 +0100)]
diracdec: check return code of get_buffer_with_edge

If it fails, buffers aren't allocated, causing NULL pointer dereferencing.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db79dedb1ae5dd38432eee3f09155e26f3f2d95a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agoppc: pixblockdsp: do unaligned block accesses correctly again
Andreas Cadhalpun [Wed, 2 Nov 2016 20:28:49 +0000 (21:28 +0100)]
ppc: pixblockdsp: do unaligned block accesses correctly again

This was broken by the following Libav commit:
4c387c7 ppc: dsputil: do unaligned block accesses correctly

The following tests fail due to this:
fate-checkasm
fate-vsynth1-dnxhd-2k-hr-hq fate-vsynth1-dnxhd-edge1-hr
fate-vsynth1-dnxhd-edge2-hr fate-vsynth1-dnxhd-edge3-hr
fate-vsynth1-dnxhd-hr-sq-mov fate-vsynth1-dnxhd-hr-hq-mov
fate-vsynth2-dnxhd-2k-hr-hq fate-vsynth2-dnxhd-edge1-hr
fate-vsynth2-dnxhd-edge2-hr fate-vsynth2-dnxhd-edge3-hr
fate-vsynth2-dnxhd-hr-sq-mov fate-vsynth2-dnxhd-hr-hq-mov
fate-vsynth3-dnxhd-2k-hr-hq fate-vsynth3-dnxhd-edge1-hr
fate-vsynth3-dnxhd-edge2-hr fate-vsynth3-dnxhd-edge3-hr
fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov

Fixes trac ticket #5508.

Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3932ccc472ad4f4d370dcfc1c2f574b0f3acb88c)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
Andreas Cadhalpun [Sun, 30 Oct 2016 20:18:20 +0000 (21:18 +0100)]
interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE

This fixes out-of-bounds reads by the bitstream reader.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: validate number of channels
Andreas Cadhalpun [Sun, 30 Oct 2016 20:41:11 +0000 (21:41 +0100)]
interplayacm: validate number of channels

The number of channels is used as divisor in decode_frame, so it must
not be zero to avoid SIGFPE crashes.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5540d6c1343e6d1e06d6601b7d35884761711e3e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agointerplayacm: check for too large b
Andreas Cadhalpun [Sun, 30 Oct 2016 19:47:22 +0000 (20:47 +0100)]
interplayacm: check for too large b

This fixes out-of-bounds reads.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 14e4e26559697cfdea584767be4e68474a0a9c7f)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2 years agompeg12dec: unref discarded picture from extradata
Andreas Cadhalpun [Thu, 20 Oct 2016 20:51:55 +0000 (22:51 +0200)]
mpeg12dec: unref discarded picture from extradata

Otherwise another frame gets referenced into picture, triggering an assert
(from commit 13aae8) in av_frame_ref.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a92f8edf0c51781e152651cce2e753ad6e359eb2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>