ffmpeg.git
2 years agoChangelog:update n3.3.3
Michael Niedermayer [Sat, 29 Jul 2017 17:17:56 +0000 (19:17 +0200)]
Changelog:update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
Michael Niedermayer [Fri, 28 Jul 2017 01:22:40 +0000 (03:22 +0200)]
avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()

Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int'
Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/diracdec: Fix integer overflow in divide3()
Michael Niedermayer [Thu, 27 Jul 2017 21:49:27 +0000 (23:49 +0200)]
avcodec/diracdec: Fix integer overflow in divide3()

Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fix integer overflow in decode_subframe()
Michael Niedermayer [Thu, 27 Jul 2017 21:49:26 +0000 (23:49 +0200)]
avcodec/takdec: Fix integer overflow in decode_subframe()

Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int'
Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c630d159ffe8a9822e81f9c041652762b37e068)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 12:37:26 +0000 (14:37 +0200)]
avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2

Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 11:41:59 +0000 (13:41 +0200)]
avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2

Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
Michael Niedermayer [Wed, 26 Jul 2017 18:26:43 +0000 (20:26 +0200)]
avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()

Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e275a74b09cc87f4334ed572f919b7647d4bea1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pixlet: Simplify nbits computation
Michael Niedermayer [Wed, 26 Jul 2017 18:10:28 +0000 (20:10 +0200)]
avcodec/pixlet: Simplify nbits computation

Fixes multiple integer overflows
Fixes: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aeddb3607be94b1d6fef41b602b07f08223ea565)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dnxhddec: Move mb height check out of non hr branch
Michael Niedermayer [Wed, 26 Jul 2017 01:26:59 +0000 (03:26 +0200)]
avcodec/dnxhddec: Move mb height check out of non hr branch

Fixes: out of array access
Fixes: poc.dnxhd

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
Michael Niedermayer [Mon, 24 Jul 2017 13:48:37 +0000 (15:48 +0200)]
avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2

Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int'
Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/oggparsecelt: Do not re-allocate os->private
Michael Niedermayer [Tue, 25 Jul 2017 01:19:07 +0000 (03:19 +0200)]
avformat/oggparsecelt: Do not re-allocate os->private

Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ylc: Fix shift overflow
Michael Niedermayer [Sat, 22 Jul 2017 00:57:12 +0000 (02:57 +0200)]
avcodec/ylc: Fix shift overflow

Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 2698/clusterfuzz-testcase-minimized-4713541443518464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03a9e6ff303ad82e75b734edbe4917ca5fd60159)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
Michael Niedermayer [Fri, 21 Jul 2017 22:44:14 +0000 (00:44 +0200)]
avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()

Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int'
Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0764fe1d09833ae4dcf9e427df09378d0d6a3386)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_fixed: fix: left shift of negative value -1
Michael Niedermayer [Sun, 23 Jul 2017 14:52:47 +0000 (16:52 +0200)]
avcodec/aacdec_fixed: fix: left shift of negative value -1

Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2dfb8c417891e0cc3670f8e0791ea0c7071314fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dirac_vlc: Fix undefined shift
Michael Niedermayer [Tue, 18 Jul 2017 23:43:24 +0000 (01:43 +0200)]
avcodec/dirac_vlc: Fix undefined shift

Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long')
Fixes: 2674/clusterfuzz-testcase-minimized-4999700518273024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 69e7daf6ce2a5893936ba18572c58180b29d67f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agodoc/filters: typo in frei0r
Brice Waegeneire [Fri, 21 Jul 2017 22:09:29 +0000 (00:09 +0200)]
doc/filters: typo in frei0r

Signed-off-by: Brice Waegeneire <brice.wge@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Fix decoding regression due to height check
Vodyannikov Aleksandr [Fri, 21 Jul 2017 09:49:45 +0000 (11:49 +0200)]
avcodec/cfhd: Fix decoding regression due to height check

Fixes: Ticket6546

Regression since: 54aaadf648073149f1ac34f56cbde4e6c5aa22ef

Reviewed-by: Muhammad Faiz <mfcc64@gmail.com>
Reviewed-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47c93657249f1a4bc8a7aaf2f9f3a33510bee38c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoUpdate for 3.3.3
Michael Niedermayer [Wed, 19 Jul 2017 13:28:08 +0000 (15:28 +0200)]
Update for 3.3.3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined...
Michael Niedermayer [Sat, 15 Jul 2017 20:22:52 +0000 (22:22 +0200)]
avcodec/aacdec_template (fixed point): Check gain in decode_cce() to avoid undefined shifts later

Fixes: runtime error: shift exponent 47 is too large for 32-bit type 'int'
Fixes: 2581/clusterfuzz-testcase-minimized-4681474395602944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2886142e0c3b5f4304c6e2a2bd282770a8a47f93)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ffv1dec_template: Fix signed integer overflow
Michael Niedermayer [Sun, 16 Jul 2017 00:08:50 +0000 (02:08 +0200)]
avcodec/ffv1dec_template: Fix signed integer overflow

Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 2634/clusterfuzz-testcase-minimized-4540890636877824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4de4308d2aa3bfaa286ab566caf087d523cf9a85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_template: Fix undefined integer overflow in apply_tns()
Michael Niedermayer [Thu, 13 Jul 2017 22:45:29 +0000 (00:45 +0200)]
avcodec/aacdec_template: Fix undefined integer overflow in apply_tns()

Fixes: runtime error: signed integer overflow: -2147483648 - 1202286525 cannot be represented in type 'int'
Fixes: 2071/clusterfuzz-testcase-minimized-6036414271586304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0ef8f03133a0bd83c74200a8cf30982c0f574016)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/magicyuv: Check that vlc len is not too large
Michael Niedermayer [Wed, 12 Jul 2017 15:25:16 +0000 (17:25 +0200)]
avcodec/magicyuv: Check that vlc len is not too large

Fixes: runtime error: shift exponent -95 is negative
Fixes: 2568/clusterfuzz-testcase-minimized-4926115716005888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 341f01290c2353669ed2263f56e1a9f4c67cc597)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Clip DC also on the negative side.
Michael Niedermayer [Wed, 12 Jul 2017 14:24:18 +0000 (16:24 +0200)]
avcodec/mjpegdec: Clip DC also on the negative side.

Fixes: runtime error: signed integer overflow: -16711425 + -2130772346 cannot be represented in type 'int'
Fixes: 2533/clusterfuzz-testcase-minimized-5372857678823424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c28f648b19dd36ff9bc869ad527a1569a0b623e2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacps (fixed point): Fix multiple signed integer overflows
Michael Niedermayer [Sun, 9 Jul 2017 13:19:18 +0000 (15:19 +0200)]
avcodec/aacps (fixed point): Fix multiple signed integer overflows

Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int'
Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ylc: Fix vlc of 31 bits
Michael Niedermayer [Sat, 8 Jul 2017 20:51:57 +0000 (22:51 +0200)]
avcodec/ylc: Fix vlc of 31 bits

Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 2515/clusterfuzz-testcase-minimized-6197200012967936

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fe9242204d33db070b8a9d907d93c9ead8a6f3ee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise()
Michael Niedermayer [Sun, 2 Jul 2017 01:30:54 +0000 (03:30 +0200)]
avcodec/sbrdsp_fixed: Fix integer overflow in sbr_hf_apply_noise()

Fixes: runtime error: signed integer overflow: -2049425300 + -117591631 cannot be represented in type 'int'
Fixes: part of 2096/clusterfuzz-testcase-minimized-4901566068817920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2061de8a3f73f14806e5f6ccaf9a635f740a54e6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: do not let updated extradata corrupt state
Michael Niedermayer [Tue, 4 Jul 2017 20:33:52 +0000 (22:33 +0200)]
avcodec/hevcdec: do not let updated extradata corrupt state

Fixes: out of array access
Fixes: 2451/clusterfuzz-testcase-minimized-4781613957251072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Hendrik Leppkes <h.leppkes@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8cfbc6629c1fe5755b59a3bcfd95ad08b843a07)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix invalid shift
Michael Niedermayer [Tue, 27 Jun 2017 11:47:32 +0000 (13:47 +0200)]
avcodec/wavpack: Fix invalid shift

Fixes: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 2377/clusterfuzz-testcase-minimized-6108505935183872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c07af720984acaafaa273369080b458d73975775)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_slice: Fix signed integer overflow
Michael Niedermayer [Tue, 4 Jul 2017 22:05:11 +0000 (00:05 +0200)]
avcodec/h264_slice: Fix signed integer overflow

Fixes: runtime error: signed integer overflow: 26 + 2147483644 cannot be represented in type 'int'
Fixes: 2456/clusterfuzz-testcase-minimized-4822695051001856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7592d97f10134422d4509ab1287796af70e003ba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix integer overflow with beta/tc offsets
Michael Niedermayer [Fri, 30 Jun 2017 14:23:32 +0000 (16:23 +0200)]
avcodec/hevc_ps: Fix integer overflow with beta/tc offsets

Fixes: runtime error: signed integer overflow: 2113929216 * 2 cannot be represented in type 'int'
Fixes: 2422/clusterfuzz-testcase-minimized-5242114713583616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit de54a37c1dfa2817b5838720fac44e82312ccbfd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Fix invalid left shift of negative value
Michael Niedermayer [Wed, 28 Jun 2017 18:47:59 +0000 (20:47 +0200)]
avcodec/cfhd: Fix invalid left shift of negative value

Fixes: runtime error: left shift of negative value -1
Fixes: 2395/clusterfuzz-testcase-minimized-6540529313513472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c709f009dad20d99b28918f4f8d7cd394b838def)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/vb: Check vertical GMC component before multiply
Michael Niedermayer [Wed, 28 Jun 2017 18:29:02 +0000 (20:29 +0200)]
avcodec/vb: Check vertical GMC component before multiply

Fixes: runtime error: signed integer overflow: 8224 * 663584 cannot be represented in type 'int'
Fixes: 2393/clusterfuzz-testcase-minimized-6128334993883136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc6ab72bc7af27189e7b524b97e45c6fcadab5cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: do basic validity check on delta_chroma_weight and offset
Michael Niedermayer [Tue, 27 Jun 2017 12:11:00 +0000 (14:11 +0200)]
avcodec/hevcdec: do basic validity check on delta_chroma_weight and offset

Fixes: runtime error: signed integer overflow: 2147483520 + 128 cannot be represented in type 'int'
Fixes: 2385/clusterfuzz-testcase-minimized-6594333576790016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c874548d663225a61b9c25a8b2ce490d26b65fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()
Michael Niedermayer [Mon, 26 Jun 2017 13:05:08 +0000 (15:05 +0200)]
avcodec/jpeg2000dwt: Fix integer overflow in dwt_decode97_int()

Fixes: runtime error: signed integer overflow: -163654656 * 256 cannot be represented in type 'int'
Fixes: 2367/clusterfuzz-testcase-minimized-4648678897745920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea5366670e26b2c6c396e6a5f49827a2b71e6dd6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/apedec: Fix integer overflow
Michael Niedermayer [Sun, 16 Jul 2017 12:57:20 +0000 (14:57 +0200)]
avcodec/apedec: Fix integer overflow

Fixes: out of array access
Fixes: PoC.ape and others

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ba4beaf6149f7241c8bd85fe853318c2f6837ad0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix integer overflow in wv_unpack_stereo()
Michael Niedermayer [Sat, 24 Jun 2017 22:13:53 +0000 (00:13 +0200)]
avcodec/wavpack: Fix integer overflow in wv_unpack_stereo()

Fixes: runtime error: signed integer overflow: 2080374785 + 2080374784 cannot be represented in type 'int'
Fixes: 2351/clusterfuzz-testcase-minimized-5359403240783872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 73ea2a028e12a7d779834f78dc496c8c4b08361f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix max_dec_buffer check
Michael Niedermayer [Sat, 24 Jun 2017 22:00:13 +0000 (00:00 +0200)]
avcodec/hevc_ps: Fix max_dec_buffer check

Fixes: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 2339/clusterfuzz-testcase-minimized-6663164320022528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 63e7bfe78e6d764097e845248f6d77b28b2b235c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix GMC with videos of dimension 1
Michael Niedermayer [Sat, 24 Jun 2017 11:45:35 +0000 (13:45 +0200)]
avcodec/mpeg4videodec: Fix GMC with videos of dimension 1

Fixes: runtime error: shift exponent -1 is negative
Fixes: 2338/clusterfuzz-testcase-minimized-5153426541379584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4976a3411f71518d17a57e373b62517f066648fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix integer overflow
Michael Niedermayer [Thu, 22 Jun 2017 23:58:48 +0000 (01:58 +0200)]
avcodec/wavpack: Fix integer overflow

Fixes: runtime error: signed integer overflow: 227511904 + 1964113935 cannot be represented in type 'int'
Fixes: 2331/clusterfuzz-testcase-minimized-6182185830711296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 24e95f9d4de012f51fdd5767dff0b3142e13ec3a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fix integer overflow
Michael Niedermayer [Thu, 22 Jun 2017 19:21:56 +0000 (21:21 +0200)]
avcodec/takdec: Fix integer overflow

Fixes: runtime error: signed integer overflow: 512 + 2147483146 cannot be represented in type 'int'
Fixes: 2314/clusterfuzz-testcase-minimized-4519333877252096

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c2ef4f6b4d52a7b7184c747ffea3576926ea1b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tiff: Update pointer only when the result is used
Michael Niedermayer [Thu, 22 Jun 2017 18:21:05 +0000 (20:21 +0200)]
avcodec/tiff: Update pointer only when the result is used

Fixes: runtime error: signed integer overflow: 538976288 * 32 cannot be represented in type 'int'
Fixes: 2310/clusterfuzz-testcase-minimized-4534784887881728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 27f80ab0160d2e64007e1c9799ffd4504cc13eb5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Check bpc before setting bpc in context
Michael Niedermayer [Wed, 21 Jun 2017 17:34:31 +0000 (19:34 +0200)]
avcodec/cfhd: Check bpc before setting bpc in context

Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'int'
Fixes: 2306/clusterfuzz-testcase-minimized-5002997392211968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f1d2355a7e4d681bea82b4cf4280272d9fe8af3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Fix undefined shift
Michael Niedermayer [Wed, 21 Jun 2017 15:56:34 +0000 (17:56 +0200)]
avcodec/cfhd: Fix undefined shift

Fixes: runtime error: left shift of negative value -1
Fixes: 2303/clusterfuzz-testcase-minimized-5529675273076736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5a950f4e32a9756391f81987246d96b6549dd447)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_filter: Fix invalid shift
Michael Niedermayer [Tue, 20 Jun 2017 12:38:34 +0000 (14:38 +0200)]
avcodec/hevc_filter: Fix invalid shift

Fixes: runtime error: left shift of negative value -1

Fixes: 2299/clusterfuzz-testcase-minimized-4843509351710720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7b3d5c3f2e2ff1994762b5e09c05fbc33790b5b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix overflow in virtual_ref computation
Michael Niedermayer [Tue, 20 Jun 2017 11:52:06 +0000 (13:52 +0200)]
avcodec/mpeg4videodec: Fix overflow in virtual_ref computation

Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int'
Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed)
Michael Niedermayer [Wed, 14 Jun 2017 23:35:49 +0000 (01:35 +0200)]
avcodec/lpc: signed integer overflow in compute_lpc_coefs() (aacdec_fixed)

Fixes: runtime error: signed integer overflow: -1575818955 + -915383657 cannot be represented in type 'int'
Fixes: 2224/clusterfuzz-testcase-minimized-6208559949807616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e95fcfe8fb28fdfdaecec465c60aad79bc340a3d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix undefined integer negation
Michael Niedermayer [Mon, 19 Jun 2017 12:08:58 +0000 (14:08 +0200)]
avcodec/wavpack: Fix undefined integer negation

Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 2291/clusterfuzz-testcase-minimized-5538453481586688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f89747086af741ddc34e2378cde8519b8faee78)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_fixed: Check s for being too small
Michael Niedermayer [Mon, 19 Jun 2017 12:04:32 +0000 (14:04 +0200)]
avcodec/aacdec_fixed: Check s for being too small

Fixes: runtime error: shift exponent -8 is negative
Fixes: 2286/clusterfuzz-testcase-minimized-5711764169687040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf7edbd6c5d48d7302877352f7b60092d5b65243)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and...
Michael Niedermayer [Sun, 11 Jun 2017 15:58:45 +0000 (17:58 +0200)]
avcodec/htmlsubtitles: Replace very slow redundant sscanf() calls by cleaner and faster code

This reduces the worst case from O(n²) to O(n) time

Fixes Timeout
Fixes: 2127/clusterfuzz-testcase-minimized-6595787859427328

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4132218b87cd6fb13abd162e3037ef4563286baa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264: Fix mix of lossless and lossy MBs decoding
Anton Mitrofanov [Wed, 14 Jun 2017 00:01:56 +0000 (03:01 +0300)]
avcodec/h264: Fix mix of lossless and lossy MBs decoding

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit cf231b68da1150c100114f2c5671b7ed740f917a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264
Anton Mitrofanov [Tue, 13 Jun 2017 20:37:29 +0000 (23:37 +0300)]
avcodec/h264_mb: Fix 8x8dct in lossless for new versions of x264

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 06dda70f1e7c69a3b1684af5e6930431c62c527a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4
Anton Mitrofanov [Tue, 30 May 2017 23:37:41 +0000 (02:37 +0300)]
avcodec/h264_cabac: Fix CABAC+8x8dct in 4:4:4

Use the correct ctxIdxInc calculation for coded_block_flag.
Keep old behavior for old versions of x264 for backward compatibility.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 840b41b2a643fc8f0617c0370125a19c02c6b586)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output
Michael Niedermayer [Sun, 18 Jun 2017 12:37:19 +0000 (14:37 +0200)]
avcodec/takdec: Fixes: integer overflow in AV_SAMPLE_FMT_U8P output

Fixes: runtime error: signed integer overflow: 2147483543 + 128 cannot be represented in type 'int'
Fixes: 2234/clusterfuzz-testcase-minimized-6266896041115648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 27c20068054d8c6786833234f7b6db19f1e98362)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows
Michael Niedermayer [Sat, 17 Jun 2017 13:06:21 +0000 (15:06 +0200)]
avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows

Fixes: runtime error: signed integer overflow: 58065 * 51981 cannot be represented in type 'int'
Fixes: 2271/clusterfuzz-testcase-minimized-5778297776504832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c746f92a8e03d5a062359fba836eba4b3530687e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcpred_template: Fix left shift of negative value
Michael Niedermayer [Sat, 17 Jun 2017 12:54:19 +0000 (14:54 +0200)]
avcodec/hevcpred_template: Fix left shift of negative value

Fixes: runtime error: left shift of negative value -1
Fixes: 2250/clusterfuzz-testcase-minimized-5693382112313344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c94326c1fc2fb5719c6f28fe1b95c0c74417998b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()
Michael Niedermayer [Fri, 16 Jun 2017 22:34:08 +0000 (00:34 +0200)]
avcodec/hevcdec: Fix signed integer overflow in decode_lt_rps()

Fixes: runtime error: signed integer overflow: 2147483647 + 6 cannot be represented in type 'int'
Fixes: 2263/clusterfuzz-testcase-minimized-4800359627227136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1edbf5e20c75f06d6987bc823e63aa4e649ccddd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dec: Check nonzerobits more completely
Michael Niedermayer [Fri, 16 Jun 2017 17:57:08 +0000 (19:57 +0200)]
avcodec/jpeg2000dec: Check nonzerobits more completely

Fixes: runtime error: shift exponent 36 is too large for 32-bit type 'int'
Fixes: 2239/clusterfuzz-testcase-minimized-5639766592716800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dfb61ea2630029b7aec7911aade769bf1a914eea)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/shorten: Sanity check maxnlpc
Michael Niedermayer [Fri, 9 Jun 2017 00:16:54 +0000 (02:16 +0200)]
avcodec/shorten: Sanity check maxnlpc

Fixes OOM
Fixes: 2131/clusterfuzz-testcase-minimized-4718045157130240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e77ddd31a8e14bcf5eccd6008d866ae90b4b0d4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/truemotion2: Move skip computation after checks
Michael Niedermayer [Thu, 15 Jun 2017 21:41:46 +0000 (23:41 +0200)]
avcodec/truemotion2: Move skip computation after checks

Fixes: runtime error: signed integer overflow: 630067357 * 4 cannot be represented in type 'int'
Fixes: 2233/clusterfuzz-testcase-minimized-5943031318446080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3c716682a8b69e6644a385a663aaf0e5dc808ae8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2()
Michael Niedermayer [Thu, 15 Jun 2017 21:26:18 +0000 (23:26 +0200)]
avcodec/jpeg2000: Fixes integer overflow in ff_jpeg2000_ceildivpow2()

Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 2231/clusterfuzz-testcase-minimized-4565181982048256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e3fadc57c5c170f31455abacbcbd67115d7321d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on...
Michael Niedermayer [Wed, 14 Jun 2017 14:58:20 +0000 (16:58 +0200)]
avcodec/dnxhd_parser: Do not return invalid value from dnxhd_find_frame_end() on error

Fixes: Null pointer dereference

Fixes: CVE-2017-9608
Found-by: Yihan Lian
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 611b35627488a8d0763e75c25ee0875c5b7987dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevcdec: Check nb_sps
Michael Niedermayer [Wed, 14 Jun 2017 23:28:28 +0000 (01:28 +0200)]
avcodec/hevcdec: Check nb_sps

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc406744620710911de9157eafa3e61d0246566f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_refs: Check nb_refs in add_candidate_ref()
Michael Niedermayer [Wed, 14 Jun 2017 23:26:01 +0000 (01:26 +0200)]
avcodec/hevc_refs: Check nb_refs in add_candidate_ref()

Fixes: runtime error: index 16 out of bounds for type 'int [16]'
Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cb4ef526dd1e5f547d0354efb0831d07e967919)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Check sprite delta upshift against overflowing.
Michael Niedermayer [Wed, 14 Jun 2017 21:55:17 +0000 (23:55 +0200)]
avcodec/mpeg4videodec: Check sprite delta upshift against overflowing.

Fixes: runtime error: signed integer overflow: -268386304 * 16 cannot be represented in type 'int'
Fixes: 2204/clusterfuzz-testcase-minimized-5616756909408256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 12245ab1f677074b8ff83e87f76a41aba692ccd6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case
Michael Niedermayer [Wed, 14 Jun 2017 21:49:23 +0000 (23:49 +0200)]
avcodec/mpeg4videodec: Fix integer overflow in num_sprite_warping_points=2 case

Fixes: runtime error: signed integer overflow: 131072 + 2147352576 cannot be represented in type 'int'
Fixes: 2192/clusterfuzz-testcase-minimized-5370387988742144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0a87be404ab7e3f47e67e79160dcc9623e36835b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()
Michael Niedermayer [Tue, 13 Jun 2017 14:25:59 +0000 (16:25 +0200)]
avcodec/aacsbr_fixed: Check shift in sbr_hf_assemble()

Fixes: runtime error: shift exponent -10 is negative

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d1992448d37f7cfa2acda5cc729dc0ff1b019390)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are...
Michael Niedermayer [Tue, 13 Jun 2017 11:28:23 +0000 (13:28 +0200)]
avcodec/sbrdsp_fixed: Return an error from sbr_hf_apply_noise() if operations are impossible

Fixes: 1775/clusterfuzz-testcase-minimized-5330288148217856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d549f026d8b64b879c3ce3b8c7d153c82aa5eb52)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/libvpxdec: Check that display dimensions fit in the storage dimensions
Michael Niedermayer [Wed, 7 Jun 2017 17:17:30 +0000 (19:17 +0200)]
avcodec/libvpxdec: Check that display dimensions fit in the storage dimensions

Fixes assertion failure
Fixes: 2112/clusterfuzz-testcase-minimized-4526878557732864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f8593c2f492a514b67533a877b716a25d3770418)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123
Michael Niedermayer [Sun, 11 Jun 2017 18:28:46 +0000 (20:28 +0200)]
avcodec/jpeg2000dwt: Fix runtime error: left shift of negative value -123

Fixes: 2208/clusterfuzz-testcase-minimized-5976593765761024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24043e1a2f93f206a2ad59054f24f45ff023e5c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640...
Michael Niedermayer [Sun, 11 Jun 2017 18:19:59 +0000 (20:19 +0200)]
avcodec/wavpack: Fix runtime error: signed integer overflow: 1886191616 + 277872640 cannot be represented in type 'int'

Fixes: 2181/clusterfuzz-testcase-minimized-6314784322486272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c996374d4d86e0efbef71812448b4c65656bc667)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/snowdec: Fix runtime error: left shift of negative value -1
Michael Niedermayer [Sun, 11 Jun 2017 12:34:54 +0000 (14:34 +0200)]
avcodec/snowdec: Fix runtime error: left shift of negative value -1

Fixes: 2197/clusterfuzz-testcase-minimized-6010716676947968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2e44126363bc9e23093ceced5d7bde1ee4bbb338)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616
Michael Niedermayer [Sun, 11 Jun 2017 12:32:35 +0000 (14:32 +0200)]
avcodec/aacdec_fixed: Fix runtime error: left shift of negative value -1297616

Fixes: 2195/clusterfuzz-testcase-minimized-4736721533009920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d499ecef9c2467772b6066176ffda0b7ab27cc2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tiff: Fix leak of geotags[].val
Michael Niedermayer [Sat, 10 Jun 2017 23:05:26 +0000 (01:05 +0200)]
avcodec/tiff: Fix leak of geotags[].val

Fixes: 2176/clusterfuzz-testcase-minimized-5908197216878592

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 22a25ab3896cbb8dceebdba4d439e8b2b398ff0e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot...
Michael Niedermayer [Sat, 10 Jun 2017 22:45:20 +0000 (00:45 +0200)]
avcodec/ra144: Fix runtime error: signed integer overflow: -2200 * 1033073 cannot be represented in type 'int'

Fixes: 2175/clusterfuzz-testcase-minimized-5809657849315328

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 71da0a5c9750e9fd0c9609470f610d32952923eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot...
Michael Niedermayer [Sat, 10 Jun 2017 17:43:25 +0000 (19:43 +0200)]
avcodec/flicvideo: Fix runtime error: signed integer overflow: 4864 * 459296 cannot be represented in type 'int'

Fixes: 2174/clusterfuzz-testcase-minimized-5739234533048320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 90e8317b3b33dcb54ae01e419d85cbbfbd874963)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Check band parameters before storing them
Michael Niedermayer [Sat, 10 Jun 2017 16:45:08 +0000 (18:45 +0200)]
avcodec/cfhd: Check band parameters before storing them

Fixes out of array read
Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/h264_parse: Check picture structure when initializig weight table
Michael Niedermayer [Fri, 9 Jun 2017 22:13:07 +0000 (00:13 +0200)]
avcodec/h264_parse: Check picture structure when initializig weight table

Fixes: runtime error: index 49 out of bounds for type 'int [48][2][2]'
Fixes: 2159/clusterfuzz-testcase-minimized-5267945972301824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a1ad368a78b153b63ccc07af864b3611e2a4ac3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/indeo4: Check remaining data in Pic hdr extension parsing code
Michael Niedermayer [Thu, 8 Jun 2017 11:58:47 +0000 (13:58 +0200)]
avcodec/indeo4: Check remaining data in Pic hdr extension parsing code

Fixes: Timeout
Fixes: 2115/clusterfuzz-testcase-minimized-6594111748440064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a3b5b60bdf451faefeeec07c4e684a251968bf2d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008...
Michael Niedermayer [Thu, 8 Jun 2017 11:44:32 +0000 (13:44 +0200)]
avcodec/ac3dec_fixed: Fix multiple runtime error: signed integer overflow: -39271008 * 59 cannot be represented in type 'int'

Fixes: 2113/clusterfuzz-testcase-minimized-6510704959946752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4e3ab1a5c12fe3a88f44b734d3f2e25f4769ec47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agolavc/aarch64/simple_idct: fix idct_col4_top coefficient
Matthieu Bouron [Tue, 13 Jun 2017 15:19:51 +0000 (17:19 +0200)]
lavc/aarch64/simple_idct: fix idct_col4_top coefficient

Fixes regression introduced by 5d0b8b1ae307951310c7d9a8fa282fbca9b997cd.

2 years agoUpdate for 3.3.2 n3.3.2
Michael Niedermayer [Tue, 6 Jun 2017 20:11:21 +0000 (22:11 +0200)]
Update for 3.3.2

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448...
Michael Niedermayer [Tue, 6 Jun 2017 14:28:57 +0000 (16:28 +0200)]
avcodec/mpeg4videodec: Fix runtime error: signed integer overflow: 53098 * 40448 cannot be represented in type 'int'

Fixes: 2106/clusterfuzz-testcase-minimized-6136503639998464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 18bca25adbae9d010d75f9fc197c0af656af758d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pafvideo: Fix assertion failure
Michael Niedermayer [Tue, 6 Jun 2017 14:21:37 +0000 (16:21 +0200)]
avcodec/pafvideo: Fix assertion failure

Fixes: 2100/clusterfuzz-testcase-minimized-4522961547558912

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4360559ee2a6c8c624f24fc7e2a1cf00972ba68)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096...
Michael Niedermayer [Tue, 6 Jun 2017 14:01:16 +0000 (16:01 +0200)]
avcodec/takdec: Fix multiple runtime error: signed integer overflow: 637072 * 4096 cannot be represented in type 'int'

Fixes: 2079/clusterfuzz-testcase-minimized-5345861779324928

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4efd41b83e78c7f2ee3e74bee90226110743a8e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/mjpegdec: Check that reference frame matches the current frame
Michael Niedermayer [Mon, 5 Jun 2017 20:23:15 +0000 (22:23 +0200)]
avcodec/mjpegdec: Check that reference frame matches the current frame

Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/tiff: Avoid loosing allocated geotag values
Michael Niedermayer [Mon, 5 Jun 2017 18:39:21 +0000 (20:39 +0200)]
avcodec/tiff: Avoid loosing allocated geotag values

Fixes memleak
Fixes: 2076/clusterfuzz-testcase-minimized-6542640243802112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d7cbeab4c1381f95ed0ebf85d7950bee96f66164)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot...
Michael Niedermayer [Mon, 5 Jun 2017 17:33:56 +0000 (19:33 +0200)]
avcodec/cavs: Fix runtime error: signed integer overflow: -12648062 * 256 cannot be represented in type 'int'

Fixes: 2067/clusterfuzz-testcase-minimized-5578430902960128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6ee86d9254e8fd2158cc9a31d3be96b0809411)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/hls: Check local file extensions
Michael Niedermayer [Sat, 3 Jun 2017 19:20:04 +0000 (21:20 +0200)]
avformat/hls: Check local file extensions

This reduces the attack surface of local file-system
information leaking.

It prevents the existing exploit leading to an information leak. As
well as similar hypothetical attacks.

Leaks of information from files and symlinks ending in common multimedia extensions
are still possible. But files with sensitive information like private keys and passwords
generally do not use common multimedia filename extensions.
It does not stop leaks via remote addresses in the LAN.

The existing exploit depends on a specific decoder as well.
It does appear though that the exploit should be possible with any decoder.
The problem is that as long as sensitive information gets into the decoder,
the output of the decoder becomes sensitive as well.
The only obvious solution is to prevent access to sensitive information. Or to
disable hls or possibly some of its feature. More complex solutions like
checking the path to limit access to only subdirectories of the hls path may
work as an alternative. But such solutions are fragile and tricky to implement
portably and would not stop every possible attack nor would they work with all
valid hls files.

Developers have expressed their dislike / objected to disabling hls by default as well
as disabling hls with local files. There also where objections against restricting
remote url file extensions. This here is a less robust but also lower
inconvenience solution.
It can be applied stand alone or together with other solutions.
limiting the check to local files was suggested by nevcairiel

This recommits the security fix without the author name joke which was
originally requested by Nicolas.

Found-by: Emil Lerner and Pavel Cheremushkin
Reported-by: Thierry Foucu <tfoucu@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 189ff4219644532bdfa7bab28dfedaee4d6d4021)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/qdrw: Fix null pointer dereference
Michael Niedermayer [Sun, 4 Jun 2017 19:37:47 +0000 (21:37 +0200)]
avcodec/qdrw: Fix null pointer dereference

The RGB555 PACKBITSRGN case tries to read a palette, if such
palette is actually stored then it accesses a null pointer.
All 16bit samples i could find use DIRECTBITSRGN.

Fixes: 2065/clusterfuzz-testcase-minimized-6298930457346048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 46b865ea9f86cbd12e1bf701913263c7932cccb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavutil/softfloat: Fix sign error in and improve documentation of av_int2sf()
Michael Niedermayer [Sun, 4 Jun 2017 18:45:09 +0000 (20:45 +0200)]
avutil/softfloat: Fix sign error in and improve documentation of av_int2sf()

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6019d721d4c10bf73018d68511d9d0a914c0a389)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'
Michael Niedermayer [Sun, 4 Jun 2017 15:06:27 +0000 (17:06 +0200)]
avcodec/hevc_ps: Fix runtime error: index 32 out of bounds for type 'uint8_t [32]'

Fixes: 2010/clusterfuzz-testcase-minimized-6209288450080768

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 29808fff339da3e0f26131f7a6209b853947a54b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/dxv: Check remaining bytes in dxv_decompress_raw()
Michael Niedermayer [Sun, 4 Jun 2017 13:41:18 +0000 (15:41 +0200)]
avcodec/dxv: Check remaining bytes in dxv_decompress_raw()

Fixes: Timeout
Fixes: 2006/clusterfuzz-testcase-minimized-5766515037044736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eb5049227033d946add93c0714bb8a28d94166f1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()
Michael Niedermayer [Sun, 4 Jun 2017 11:38:02 +0000 (13:38 +0200)]
avcodec/pafvideo: Check packet size and frame code before ff_reget_buffer()

Fixes 1745/clusterfuzz-testcase-minimized-6160693365571584
Fixes: Timeout

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit faa5a2181df53b5226f998a20b735798addcd365)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be...
Michael Niedermayer [Sun, 4 Jun 2017 11:02:51 +0000 (13:02 +0200)]
avcodec/ac3dec_fixed: Fix runtime error: left shift of 419 by 23 places cannot be represented in type 'int'

Fixes: 1352/clusterfuzz-testcase-minimized-5757565017260032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 136ce8baa4fc16cf38690cb457f7356c00e00a28)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavformat/options: log filename on open
Michael Niedermayer [Fri, 2 Jun 2017 12:47:16 +0000 (14:47 +0200)]
avformat/options: log filename on open

The loglevel is choosen so that the main filename and any images of
multi image sequences are shown only at debug level to avoid
clutter.

This makes exploits in playlists more visible. As they would show
accesses to private/sensitive files

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53e0d5d7247548743e13c59c35e59fc2161e9582)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be...
Michael Niedermayer [Fri, 2 Jun 2017 20:31:02 +0000 (22:31 +0200)]
avcodec/aacps: Fix runtime error: left shift of 1073741824 by 1 places cannot be represented in type 'INTFLOAT' (aka 'int')

Fixes: 2005/clusterfuzz-testcase-minimized-5744226438479872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9faf098163b33e7b0f5baafa3371ef5401f4105d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type...
Michael Niedermayer [Thu, 1 Jun 2017 16:48:37 +0000 (18:48 +0200)]
avcodec/wavpack: Fix runtime error: shift exponent 32 is too large for 32-bit type 'int'

Fixes: 1967/clusterfuzz-testcase-minimized-5757031199801344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8b3e580b7f436206e84dac89415e057fa9abdab8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be...
Michael Niedermayer [Thu, 1 Jun 2017 16:32:52 +0000 (18:32 +0200)]
avcodec/cfhd: Fix runtime error: signed integer overflow: 65280 * 65288 cannot be represented in type 'int'

Fixes: 1925/clusterfuzz-testcase-minimized-5564569688735744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd6f319a7470394044627d1bd900e21b9aca5f4a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694...
Michael Niedermayer [Wed, 31 May 2017 20:53:02 +0000 (22:53 +0200)]
avcodec/wavpack: Fix runtime error: signed integer overflow: 2013265955 - -134217694 cannot be represented in type 'int'

Fixes: 1922/clusterfuzz-testcase-minimized-5561194112876544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a47273c803edfbc43793349b74429ae29b05c003)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years agoavcodec/cinepak: Check input packet size before frame reallocation
Michael Niedermayer [Wed, 31 May 2017 20:18:23 +0000 (22:18 +0200)]
avcodec/cinepak: Check input packet size before frame reallocation

Reduces time spend decoding 1917/clusterfuzz-testcase-minimized-5023221273329664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e47057e932ff9a071d52fa1d5d4a956340eb2475)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>