ffmpeg.git
21 months ago - avformat/id3v2: fix leak in chapter parsing (tag: n3.3.5)
Fredrik Hubinette [Tue, 7 Feb 2017 20:19:38 +0000 (12:19 -0800)]
avformat/id3v2: fix leak in chapter parsing

Reviewed-on: https://chromium-review.googlesource.com/439405
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: James Almer <jamrial@gmail.com>
21 months ago - Update for 3.3.5
Michael Niedermayer [Thu, 26 Oct 2017 15:36:17 +0000 (17:36 +0200)]
Update for 3.3.5

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - tests/ffserver.regression.ref: update checksums to what ffserver currently produces
Michael Niedermayer [Sun, 22 Oct 2017 15:11:21 +0000 (17:11 +0200)]
tests/ffserver.regression.ref: update checksums to what ffserver currently produces

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 431eccd61e155190a7762314938799076cffeb67)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - ffserver: Fix off by 1 error in path
Michael Niedermayer [Sun, 22 Oct 2017 15:11:20 +0000 (17:11 +0200)]
ffserver: Fix off by 1 error in path

Code suggested by ubitux

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 617f0c65e1bac8983a5b6521818c1b9b57f0804b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/snowdec: Check mv_scale
Michael Niedermayer [Fri, 13 Oct 2017 01:06:54 +0000 (03:06 +0200)]
avcodec/snowdec: Check mv_scale

Fixes: runtime error: signed integer overflow: 2 * -1094995530 cannot be represented in type 'int'
Fixes: 3512/clusterfuzz-testcase-minimized-4812747210489856

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 393d6fc7395611a38792e3c271b2be42ac45e672)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/pafvideo: Check for bitstream end in decode_0()
Michael Niedermayer [Fri, 13 Oct 2017 01:06:53 +0000 (03:06 +0200)]
avcodec/pafvideo: Check for bitstream end in decode_0()

Fixes: Timeout
Fixes: 3529/clusterfuzz-testcase-5057068371279872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9c85329cd02e9284892bf263ce6133b2fc479792)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/ffv1dec: Fix out of array read in slice counting
Michael Niedermayer [Mon, 9 Oct 2017 09:49:28 +0000 (11:49 +0200)]
avcodec/ffv1dec: Fix out of array read in slice counting

Fixes: test-201710.mp4

Found-by: 连一汉 <lianyihan@360.cn> and Zhibin Hu
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c20f4fcb74da2d0432c7b54499bb98f48236b904)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()
Michael Niedermayer [Sun, 8 Oct 2017 23:46:28 +0000 (01:46 +0200)]
avcodec/dirac_dwt: Fix integer overflow in COMPOSE_53iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 3485/clusterfuzz-testcase-minimized-4940429332054016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bdee75a4e750735ab3039f004275ac8479072048)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()
Michael Niedermayer [Sun, 8 Oct 2017 22:32:30 +0000 (00:32 +0200)]
avcodec/mpeg_er: Clear mcsel in mpeg_er_decode_mb()

Fixes out of array read
Should fix: 3516/clusterfuzz-testcase-minimized-4608518562775040 (not reproducible)

Found-by: Insu Yun, Georgia Tech.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 127a362630e11fe724e2e63fc871791fdcbcfa64)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta
Michael Niedermayer [Sun, 8 Oct 2017 19:41:54 +0000 (21:41 +0200)]
avcodec/mpeg4videodec: Use 64 bit intermediates for sprite delta

Fixes: runtime error: signed integer overflow: -104713 * 65536 cannot be represented in type 'int'
Fixes: 3453/clusterfuzz-testcase-minimized-5555554657239040
Fixes: 3528/clusterfuzz-testcase-minimized-6283628420005888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e38f280fece38e270a6462a02cc034f4116a7912)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/x86/lossless_videoencdsp: Fix warning: signed dword value exceeds bounds
Michael Niedermayer [Fri, 29 Sep 2017 22:26:51 +0000 (00:26 +0200)]
avcodec/x86/lossless_videoencdsp: Fix warning: signed dword value exceeds bounds

Add () to regsize define

Suggested-by: Henrik Gramner <henrik@gramner.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 26ea142658a8be16d13bb430ced14ef544f8afe9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/x86/lossless_videoencdsp: Fix handling of small widths
Michael Niedermayer [Fri, 29 Sep 2017 22:20:09 +0000 (00:20 +0200)]
avcodec/x86/lossless_videoencdsp: Fix handling of small widths

Fixes out of array access
Fixes: crash-huf.avi

Regression since: 6b41b4414934cc930468ccd5db598dd6ef643987

This could also be fixed by adding checks in the C code that calls the dsp

Found-by: Zhibin Hu and 连一汉 <lianyihan@360.cn>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit df62b70de8aaa285168e72fe8f6e740843ca91fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()
Michael Niedermayer [Sat, 30 Sep 2017 16:54:06 +0000 (18:54 +0200)]
avcodec/truemotion2: Fix integer overflows in tm2_high_chroma()

Fixes: runtime error: signed integer overflow: -1408475220 + -1408475220 cannot be represented in type 'int'
Fixes: 3336/clusterfuzz-testcase-minimized-5656839179993088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 44874b4f5ec2c605c70393573b9d85540ebc2d81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/aacdec_template: Clear tns present flag on error
Michael Niedermayer [Sat, 30 Sep 2017 16:54:05 +0000 (18:54 +0200)]
avcodec/aacdec_template: Clear tns present flag on error

Fixes: 3444/clusterfuzz-testcase-minimized-6270352105668608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit dcf9bae4a93f54cb5767bc97db4a809efd396f8b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/proresdec2: SKIP_BITS() does not work with len=32
Michael Niedermayer [Mon, 2 Oct 2017 02:18:22 +0000 (04:18 +0200)]
avcodec/proresdec2: SKIP_BITS() does not work with len=32

Fixes: invalid shift
Fixes: 3482/clusterfuzz-testcase-minimized-5446915875405824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c37138e01a93da2f9dd2cc5d4b77e5a38581d130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/hevcdsp_template: Fix undefined shift
Michael Niedermayer [Mon, 2 Oct 2017 02:18:21 +0000 (04:18 +0200)]
avcodec/hevcdsp_template: Fix undefined shift

Fixes: runtime error: left shift of negative value -255
Fixes: 3373/clusterfuzz-testcase-minimized-5604083912146944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fbdab6eca7874fbeba6aa79c269f345e4d43f5d4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized
Michael Niedermayer [Mon, 4 Sep 2017 20:23:26 +0000 (22:23 +0200)]
avcodec/jpeg2000: Check that codsty->log2_prec_widths/heights has been initialized

Fixes: OOM
Fixes: 2225/clusterfuzz-testcase-minimized-5505632079708160

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 64e034da954125ef98fb8f9153f9706cdb8a96fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/takdec: Fix integer overflow in decode_lpc()
Michael Niedermayer [Fri, 22 Sep 2017 18:45:27 +0000 (20:45 +0200)]
avcodec/takdec: Fix integer overflow in decode_lpc()

Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int'
Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift
Michael Niedermayer [Fri, 22 Sep 2017 18:45:28 +0000 (20:45 +0200)]
avcodec/proresdec2: Check bits in DECODE_CODEWORD(), fixes invalid shift

Fixes: runtime error: shift exponent 42 is too large for 32-bit type 'unsigned int'
Fixes: 3410/clusterfuzz-testcase-minimized-5313377960198144

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f5eaf0b5956e492ee5023929669b1d09aaf6299)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/takdec: Fix integer overflows in decode_subframe()
Michael Niedermayer [Fri, 22 Sep 2017 18:45:26 +0000 (20:45 +0200)]
avcodec/takdec: Fix integer overflows in decode_subframe()

Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int'
Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3dabb9c69db114b1f30c30e0a2788cffc50bac40)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()
Michael Niedermayer [Mon, 18 Sep 2017 00:53:25 +0000 (02:53 +0200)]
avcodec/dirac_dwt: Fix integer overflow in COMPOSE_FIDELITYi*()

Fixes: runtime error: signed integer overflow: 161 * 13872281 cannot be represented in type 'int'

Fixes: 3295/clusterfuzz-testcase-minimized-4738998142500864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67da2685e03805230207daab83ab43a390fbb887)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/ffv1dec: Fix integer overflow in read_quant_table()
Michael Niedermayer [Mon, 18 Sep 2017 15:26:09 +0000 (17:26 +0200)]
avcodec/ffv1dec: Fix integer overflow in read_quant_table()

Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/svq3: Fix overflow in svq3_add_idct_c()
Michael Niedermayer [Mon, 18 Sep 2017 15:03:55 +0000 (17:03 +0200)]
avcodec/svq3: Fix overflow in svq3_add_idct_c()

Fixes: runtime error: signed integer overflow: 2147392585 + 524288 cannot be represented in type 'int'
Fixes: 3348/clusterfuzz-testcase-minimized-4809500517203968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c933c51687db958d8045d25ed87848342e869f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
21 months ago - avcodec/pngdec: Clean up on av_frame_ref() failure
Michael Niedermayer [Sun, 17 Sep 2017 00:42:11 +0000 (02:42 +0200)]
avcodec/pngdec: Clean up on av_frame_ref() failure

Fixes: memleak
Fixes: 3203/clusterfuzz-testcase-minimized-4514553595428864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5480e82d77770e81e897a8c217f3c7f0c13a6de1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/extract_extradata: return an error when buffer allocation fails
James Almer [Wed, 13 Sep 2017 20:03:56 +0000 (17:03 -0300)]
avcodec/extract_extradata: return an error when buffer allocation fails

ret is 0 by default.

Reviewed-by: Mark Thompson <sw@jkqxz.net>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 7bae17e37ab63d1cfcea22c68c455f859db3663c)

23 months ago - avcodec/hevc_ps: improve check for missing default display window bitstream (tag: n3.3.4)
James Almer [Fri, 8 Sep 2017 00:23:04 +0000 (21:23 -0300)]
avcodec/hevc_ps: improve check for missing default display window bitstream

Fixes ticket #6644

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit c9a1cd08eafe57d1fecaaf605929b3e68165a6e4)

23 months ago - Changelog: update
Michael Niedermayer [Tue, 12 Sep 2017 00:32:11 +0000 (02:32 +0200)]
Changelog: update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/hevc_ps: Fix c?_qp_offset_list size
Michael Niedermayer [Sun, 10 Sep 2017 19:10:17 +0000 (21:10 +0200)]
avcodec/hevc_ps: Fix c?_qp_offset_list size

Fixes: runtime error: index 5 out of bounds for type 'int8_t const[5]'
Fixes: 3175/clusterfuzz-testcase-minimized-4736774054084608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abf3f9fa232409c00b60041464604a91fa5612c0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/shorten: Move buffer allocation and offset init to end of read_header()
Michael Niedermayer [Sun, 10 Sep 2017 19:10:16 +0000 (21:10 +0200)]
avcodec/shorten: Move buffer allocation and offset init to end of read_header()

They are time-consuming operations; performing them after the other checks
improves the speed with damaged input dramatically.

Fixes: Timeout
Fixes: 2928/clusterfuzz-testcase-4992812120539136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 380659604f2692b625928a3a76a1c046f473c9f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - Update for 3.3.4
Michael Niedermayer [Mon, 11 Sep 2017 12:54:47 +0000 (14:54 +0200)]
Update for 3.3.4

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
Michael Niedermayer [Fri, 8 Sep 2017 21:29:12 +0000 (23:29 +0200)]
avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()

Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int'
Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d025e742843ca3532bd49ebbfebeacd51337347)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels
Michael Niedermayer [Sat, 9 Sep 2017 23:32:51 +0000 (01:32 +0200)]
avcodec/hevcdsp_template: Fix undefined shift in put_hevc_pel_bi_w_pixels

Fixes: runtime error: left shift of negative value -95
Fixes: 3077/clusterfuzz-testcase-minimized-4684917524922368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c225da68cffbea11270a758ff42859194c980863)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/diracdec: Fix overflow in DC computation
Michael Niedermayer [Sat, 9 Sep 2017 23:32:50 +0000 (01:32 +0200)]
avcodec/diracdec: Fix overflow in DC computation

Fixes: runtime error: signed integer overflow: 11896 + 2147483646 cannot be represented in type 'int'
Fixes: 3053/clusterfuzz-testcase-minimized-6355082062856192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5995856a4236c27f231210bb08d70688e045192)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/scpr: optimize shift loop.
Michael Niedermayer [Fri, 8 Sep 2017 21:29:13 +0000 (23:29 +0200)]
avcodec/scpr: optimize shift loop.

Speeds code up from 50sec to 15sec

Fixes: Timeout
Fixes: 3242/clusterfuzz-testcase-5811951672229888

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 981f04b2ae2d6e0355386aaff39840eb5d390a36)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()
Michael Niedermayer [Sat, 9 Sep 2017 13:51:45 +0000 (15:51 +0200)]
avcodec/dirac_vlc: limit res_bits in APPEND_RESIDUE()

Fixes: runtime error: left shift of 1073741838 by 1 places cannot be represented in type 'int32_t' (aka 'int')
Fixes: 3279/clusterfuzz-testcase-minimized-4564805744590848

Suggested-by: <atomnuker>
Reviewed-by: <atomnuker>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d98d29a775d6de9357731fec872642644e57b233)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0
Mark Wachsler [Thu, 7 Sep 2017 13:42:07 +0000 (09:42 -0400)]
libavcodec/h264_parse: don't use uninitialized value when chroma_format_idc==0

When parsing a monochrome file, chroma_log2_weight_denom was used without
being initialized, which could lead to a bogus error message being printed, e.g.
  [h264 @ 0x61a000026480] chroma_log2_weight_denom 24576 is out of range
It also could lead to warnings when using AddressSanitizer.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fde5c7dc79eb017790ba232442ad2a4eecea4bf1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/asfdec: Fix DoS in asf_build_simple_index()
Michael Niedermayer [Mon, 4 Sep 2017 22:16:29 +0000 (00:16 +0200)]
avformat/asfdec: Fix DoS in asf_build_simple_index()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afc9c683ed9db01edb357bc8c19edad4282b3a97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/mov: Fix DoS in read_tfra()
Michael Niedermayer [Mon, 4 Sep 2017 22:16:29 +0000 (00:16 +0200)]
avformat/mov: Fix DoS in read_tfra()

Fixes: Missing EOF check in loop
No testcase

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9cb4eb772839c5e1de2855d126bf74ff16d13382)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()
Michael Niedermayer [Fri, 1 Sep 2017 17:56:12 +0000 (19:56 +0200)]
avcodec/dirac_vlc: Fix invalid shift in ff_dirac_golomb_read_32bit()

Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long')
Fixes: 2838/clusterfuzz-testcase-minimized-6260066086813696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c595139f1fdb5ce5ee128c317ed9e4e836282436)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting
Michael Niedermayer [Fri, 1 Sep 2017 17:56:11 +0000 (19:56 +0200)]
avcodec/dirac_dwt: Fix multiple overflows in 9/7 lifting

Fixes: runtime error: signed integer overflow: 1073901567 + 1073901567 cannot be represented in type 'int'
Fixes: 3124/clusterfuzz-testcase-minimized-454643435752652

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f71cd44147e7a914f80fcfacca46c9e7b0374362)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()
Michael Niedermayer [Fri, 1 Sep 2017 17:56:10 +0000 (19:56 +0200)]
avcodec/diracdec: Fix integer overflow in INTRA_DC_PRED()

Fixes: runtime error: signed integer overflow: 1168175789 + 1168178473 cannot be represented in type 'int'
Fixes: 3081/clusterfuzz-testcase-minimized-4807564879462400
Fixes: 2844/clusterfuzz-testcase-minimized-5561715838156800

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a0823ae966be3ad40e5dba6ec4c4dc1e8c6bcad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix Sign error in mxf_read_primer_pack()

Fixes: 20170829B.mxf

Co-Author: 张洪亮(望初) <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/mxfdec: Fix DoS issues in mxf_read_index_entry_array()

Fixes: 20170829A.mxf

Co-Author: 张洪亮(望初) <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 900f39692ca0337a98a7cf047e4e2611071810c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.
孙浩(晓黑) [Tue, 29 Aug 2017 21:59:21 +0000 (23:59 +0200)]
avformat/nsvdec: Fix DoS due to lack of eof check in nsvs_file_offset loop.

Fixes: 20170829.nsv

Co-Author: 张洪亮(望初) <wangchu.zhl@alibaba-inc.com>
Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c24bcb553650b91e9eff15ef6e54ca73de2453b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()
Michael Niedermayer [Sun, 27 Aug 2017 22:30:33 +0000 (00:30 +0200)]
avcodec/snowdec: Fix integer overflow in decode_subband_slice_buffered()

Fixes: runtime error: signed integer overflow: 267 * 8388608 cannot be represented in type 'int'
Fixes: 2743/clusterfuzz-testcase-minimized-5820652076400640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 732f9764561558a388c05483ed6a722a5c67b05c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/hevc_ps: Fix undefined shift in pcm code
Michael Niedermayer [Sun, 27 Aug 2017 21:59:09 +0000 (23:59 +0200)]
avcodec/hevc_ps: Fix undefined shift in pcm code

Fixes: runtime error: shift exponent -1 is negative
Fixes: 3091/clusterfuzz-testcase-minimized-6229767969832960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2a83866c9f9531eb096c9b9fe0550e742b931ad1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()
Michael Niedermayer [Sat, 26 Aug 2017 12:00:55 +0000 (14:00 +0200)]
avcodec/sbrdsp_fixed: Fix undefined overflows in autocorrelate()

Fixes: runtime error: signed integer overflow: 8903997421129740175 + 354481484684609529 cannot be represented in type 'long'
Fixes: 2045/clusterfuzz-testcase-minimized-6751255865065472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eefb68c9c335dda423c9115ba11dc4bb3e73e3f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/mvdec: Fix DoS due to lack of eof check
Michael Niedermayer [Thu, 24 Aug 2017 23:15:30 +0000 (01:15 +0200)]
avformat/mvdec: Fix DoS due to lack of eof check

Fixes: loop.mv

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f05e2e2dc1a89f38cd9f0960a6561083d714f1e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/rl2: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Thu, 24 Aug 2017 23:15:29 +0000 (01:15 +0200)]
avformat/rl2: Fix DoS due to lack of eof check

Fixes: loop.rl2

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/rmdec: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Thu, 24 Aug 2017 23:15:28 +0000 (01:15 +0200)]
avformat/rmdec: Fix DoS due to lack of eof check

Fixes: loop.ivr

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 124eb202e70678539544f6268efc98131f19fa49)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/cinedec: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Thu, 24 Aug 2017 23:15:27 +0000 (01:15 +0200)]
avformat/cinedec: Fix DoS due to lack of eof check

Fixes: loop.cine

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e80b63ecd259d69d383623e75b318bf2bd491f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/asfdec: Fix DoS due to lack of eof check
孙浩 and 张洪亮(望初) [Fri, 25 Aug 2017 10:37:25 +0000 (12:37 +0200)]
avformat/asfdec: Fix DoS due to lack of eof check

Fixes: loop.asf

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f9ec5593e04827249e7aeb466da06a98a0d7329)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/hls: Fix DoS due to infinite loop
Michael Niedermayer [Fri, 25 Aug 2017 23:26:58 +0000 (01:26 +0200)]
avformat/hls: Fix DoS due to infinite loop

Fixes: loop.m3u

The default max iteration count of 1000 is arbitrary and ideas for a better solution are welcome

Found-by: Xiaohei and Wangchu from Alibaba Security Team
Previous version reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7ec414892ddcad88313848494b6fc5f437c9ca4a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - ffprobe: Fix NULL pointer handling in color parameter printing
Michael Niedermayer [Tue, 22 Aug 2017 15:27:17 +0000 (17:27 +0200)]
ffprobe: Fix NULL pointer handling in color parameter printing

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 351e28f9a799d9bbbb33dd10c964dca7219fa13b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - ffprobe: Fix null pointer dereference with color primaries
Michael Niedermayer [Tue, 22 Aug 2017 09:02:38 +0000 (11:02 +0200)]
ffprobe: Fix null pointer dereference with color primaries

Found-by: AD-lab of venustech
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 837cb4325b712ff1aab531bf41668933f61d75d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
Michael Niedermayer [Sun, 20 Aug 2017 22:18:48 +0000 (00:18 +0200)]
avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b44dcbc44e99daf9515753e9fd4c2e1ea53a2fa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/rtpdec_h264: Fix heap-buffer-overflow
Michael Niedermayer [Wed, 23 Aug 2017 19:30:37 +0000 (21:30 +0200)]
avformat/rtpdec_h264: Fix heap-buffer-overflow

Fixes: rtp_sdp/poc.sdp

Found-by: Bingchang <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c42a1388a6d1bfd8001bf6a4241d8ca27e49326d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/aviobuf: Fix signed integer overflow in avio_seek()
Vitaly Buka [Sun, 20 Aug 2017 18:56:47 +0000 (11:56 -0700)]
avformat/aviobuf: Fix signed integer overflow in avio_seek()

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit eca2a49716ae1f42804dd3545da2f740edf03250)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago - avformat/mov: Fix signed integer overflows with total_size
Vitaly Buka [Sun, 20 Aug 2017 18:56:47 +0000 (11:56 -0700)]
avformat/mov: Fix signed integer overflows with total_size

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a404cb5b90b878cbe1bb528fac65cf508668cc5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization
Vitaly Buka [Sun, 20 Aug 2017 18:56:47 +0000 (11:56 -0700)]
avcodec/utils: Fix signed integer overflow in rc_initial_buffer_occupancy initialization

Signed integer overflow is undefined behavior.
Detected with clang and -fsanitize=signed-integer-overflow

Signed-off-by: Vitaly Buka <vitalybuka@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2bb10ddfef1f151b9455d152c9aca91140a4b0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/aacdec_template: Fix running cleanup in decode_ics_info()
Michael Niedermayer [Mon, 21 Aug 2017 00:15:49 +0000 (02:15 +0200)]
avcodec/aacdec_template: Fix running cleanup in decode_ics_info()

Fixes: out of array read
Fixes: 2873/clusterfuzz-testcase-minimized-5924145713905664

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Previous version reviewed-by: Alex Converse <alex.converse@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6f03ffb47d51368a4bbc87702df8446e4660845d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/me_cmp: Fix crashes on ARM due to misalignment
Michael Niedermayer [Sat, 19 Aug 2017 21:38:58 +0000 (23:38 +0200)]
avcodec/me_cmp: Fix crashes on ARM due to misalignment

Adds a diff_pixels_unaligned()

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872503

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc488ec28aec4bc91ba47283c49c9f7f25696eaa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2()
Michael Niedermayer [Fri, 18 Aug 2017 14:42:59 +0000 (16:42 +0200)]
avcodec/pixlet: Fixes: undefined shift in av_mod_uintp2()

Fixes: runtime error: shift exponent 4294967289 is too large for 32-bit type 'int'
Fixes: 3030/clusterfuzz-testcase-minimized-4649809254285312

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8754ccd3b319fdf4e2beed5657a3e327999c64ce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()
Michael Niedermayer [Fri, 18 Aug 2017 14:42:58 +0000 (16:42 +0200)]
avcodec/dirac_dwt_template: Fix integer overflow in vertical_compose53iL0()

Fixes: runtime error: signed integer overflow: 2147483646 + 2 cannot be represented in type 'int'
Fixes: 3013/clusterfuzz-testcase-minimized-4644084197097472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a165b53daa8a3a526d2328ca72c4aa9e7f163045)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/fic: Fixes signed integer overflow
Michael Niedermayer [Thu, 17 Aug 2017 16:24:37 +0000 (18:24 +0200)]
avcodec/fic: Fixes signed integer overflow

Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/snowdec: Fix off by 1 error
Michael Niedermayer [Thu, 17 Aug 2017 18:32:03 +0000 (20:32 +0200)]
avcodec/snowdec: Fix off by 1 error

Fixes: runtime error: index 4 out of bounds for type 'int8_t [4]'
Fixes: 3023/clusterfuzz-testcase-minimized-6421736130084864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d132683ddd4050d3fe103ca88c73258c3442dc34)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/pixlet: fixes integer overflow in read_highpass()
Michael Niedermayer [Thu, 17 Aug 2017 01:54:56 +0000 (03:54 +0200)]
avcodec/pixlet: fixes integer overflow in read_highpass()

Fixes: runtime error: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
Fixes: 2879/clusterfuzz-testcase-minimized-6317542639403008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cadab5a2a74d715fc16325bd89f8b8091def1083)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/zmbv: Check decomp_size
Michael Niedermayer [Wed, 16 Aug 2017 14:03:23 +0000 (16:03 +0200)]
avcodec/zmbv: Check decomp_size

Fixes: OOM
Fixes: 2710/clusterfuzz-testcase-minimized-4750001420894208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 931c0ac95cebe62f2bdd53a81bf40e3916be6476)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/diracdec: Fixes integer overflow
Michael Niedermayer [Tue, 15 Aug 2017 01:32:44 +0000 (03:32 +0200)]
avcodec/diracdec: Fixes integer overflow

Fixes: runtime error: signed integer overflow: 340018243 * 27 cannot be represented in type 'int'
Fixes: 2861/clusterfuzz-testcase-minimized-5361070510178304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 92da23093c784b1d9f0db4db51d28ea80a59e759)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/diracdec: Check perspective_exp and zrs_exp.
Michael Niedermayer [Tue, 15 Aug 2017 01:32:43 +0000 (03:32 +0200)]
avcodec/diracdec: Check perspective_exp and zrs_exp.

Fixes: undefined shift
Fixes: runtime error: shift exponent 264 is too large for 32-bit type 'int'
Fixes: 2860/clusterfuzz-testcase-minimized-4672811689836544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e6cab874512070b36267a5a53fd053f90072fa2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/ffv1dec_template: Fix undefined shift
Michael Niedermayer [Fri, 11 Aug 2017 16:20:03 +0000 (18:20 +0200)]
avcodec/ffv1dec_template: Fix undefined shift

Fixes: runtime error: left shift of negative value -127
Fixes: 2834/clusterfuzz-testcase-minimized-5988039123795968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 62702eebded6c6341d214405812a981f80e46ea2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/mpeg4videodec: Clear mcsel before decoding an image
Michael Niedermayer [Sun, 6 Aug 2017 11:32:54 +0000 (13:32 +0200)]
avcodec/mpeg4videodec: Clear mcsel before decoding an image

Fixes: runtime error: signed integer overflow: 2146467840 + 1032192 cannot be represented in type 'int'
Fixes: 2826/clusterfuzz-testcase-minimized-5901511613743104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7735ed29741d985e1e670249ca56e7a1ce18b729)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*
Michael Niedermayer [Sun, 6 Aug 2017 03:01:45 +0000 (05:01 +0200)]
avcodec/dirac_dwt: Fixes integer overflows in COMPOSE_DAUB97*

Fix multiple: runtime error: signed integer overflow: 6497 * 3409630 cannot be represented in type 'int'
Fixes: 2819/clusterfuzz-testcase-minimized-4743700301217792

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5380f9c1c460acccb2edaa8609e4a57c0456088)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/aacdec_fixed: fix invalid shift in predict()
Michael Niedermayer [Fri, 4 Aug 2017 01:26:30 +0000 (03:26 +0200)]
avcodec/aacdec_fixed: fix invalid shift in predict()

Fixes: runtime error: shift exponent -2 is negative
Fixes: 2818/clusterfuzz-testcase-minimized-5062943676825600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1e443051b277f73b94a2f660d3fd31a1a7beab52)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/h264_slice: Fix overflow in slice offset
Michael Niedermayer [Fri, 4 Aug 2017 00:41:05 +0000 (02:41 +0200)]
avcodec/h264_slice: Fix overflow in slice offset

Fixes: runtime error: signed integer overflow: 1610612736 * 2 cannot be represented in type 'int'
Fixes: 2817/clusterfuzz-testcase-minimized-5289691240726528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f53bde6d817ae13a47748f321adbdfa79e15982)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avformat/utils: fix memory leak in avformat_free_context
Steven Siloti [Tue, 18 Jul 2017 18:26:39 +0000 (11:26 -0700)]
avformat/utils: fix memory leak in avformat_free_context

The pointer to the packet queue is stored in the internal structure
so the queue needs to be flushed before internal is freed.

Signed-off-by: Steven Siloti <ssiloti@bittorrent.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 949debd1d1df3a96315b3a3083831162845c1188)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  swscale: fix gbrap16 alpha channel issues
James Cowgill [Thu, 3 Aug 2017 15:21:54 +0000 (16:21 +0100)]
swscale: fix gbrap16 alpha channel issues

Fixes filter-pixfmts-scale test failing on big-endian systems due to
alpSrc not being cast to (const int32_t**).

Also fixes distortions in the output alpha channel values by copying the
alpha channel code from the rgba64 case found elsewhere in output.c.

Fixes ticket 6555.

Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 013ec23cbe5d78a04b1b6c00c43f45773e45e7e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add()
Michael Niedermayer [Tue, 1 Aug 2017 17:56:07 +0000 (19:56 +0200)]
avcodec/h264idct_template: Fix integer overflow in ff_h264_idct_add()

Fixes: runtime error: signed integer overflow: 26215360 + 2121330944 cannot be represented in type 'int'
Fixes: 2809/clusterfuzz-testcase-minimized-4785181833560064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit d1bfa80ec464d475a0de3f513bbb62bcd356099a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/diracdsp: fix integer overflow
Michael Niedermayer [Sat, 29 Jul 2017 13:55:36 +0000 (15:55 +0200)]
avcodec/diracdsp: fix integer overflow

Fixes: runtime error: signed integer overflow: 11 * 225726413 cannot be represented in type 'int'
Fixes: 2764/clusterfuzz-testcase-minimized-5382561922547712

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2d9d7226943d6229a17e31714ce5162bdf88b33)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/diracdec: Check weight_log2denom
Michael Niedermayer [Sat, 29 Jul 2017 13:46:50 +0000 (15:46 +0200)]
avcodec/diracdec: Check weight_log2denom

Fixes: runtime error: shift exponent -1 is negative
Fixes: 2742/clusterfuzz-testcase-minimized-5724322402402304
Fixes: 2744/clusterfuzz-testcase-minimized-4672435653705728
Fixes: 2749/clusterfuzz-testcase-minimized-5298741273690112

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 880f5c59139e1d85d3a0b3433103f3fea17ff2d3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
23 months ago  avcodec/nvenc: only push cuda context on encoder close if encoder exists
Timo Rothenpieler [Wed, 30 Aug 2017 19:12:23 +0000 (21:12 +0200)]
avcodec/nvenc: only push cuda context on encoder close if encoder exists

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2 years ago  avfilter/vf_ssim: fix temp size calculation
Muhammad Faiz [Thu, 3 Aug 2017 00:59:09 +0000 (07:59 +0700)]
avfilter/vf_ssim: fix temp size calculation

Also use av_mallocz_array.
Fix Ticket6519.

Reviewed-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Muhammad Faiz <mfcc64@gmail.com>
(cherry picked from commit f2d23ec03f28c6233059687c65a9124f65f8c312)

2 years ago  Changelog:update  n3.3.3
Michael Niedermayer [Sat, 29 Jul 2017 17:17:56 +0000 (19:17 +0200)]
Changelog:update

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()
Michael Niedermayer [Fri, 28 Jul 2017 01:22:40 +0000 (03:22 +0200)]
avcodec/dirac_dwt: Fix multiple integer overflows in COMPOSE_DD97iH0()

Fixes: runtime error: signed integer overflow: 9 * 335544320 cannot be represented in type 'int'
Fixes: 2739/clusterfuzz-testcase-minimized-6737297955356672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf8ab72ae95bb11f2c281d464594c2f6ba70326b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/diracdec: Fix integer overflow in divide3()
Michael Niedermayer [Thu, 27 Jul 2017 21:49:27 +0000 (23:49 +0200)]
avcodec/diracdec: Fix integer overflow in divide3()

Fixes: runtime error: signed integer overflow: -1073746548 * 21845 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c0220c768c7fc933a76c863ebbb0abdf68a88533)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/takdec: Fix integer overflow in decode_subframe()
Michael Niedermayer [Thu, 27 Jul 2017 21:49:26 +0000 (23:49 +0200)]
avcodec/takdec: Fix integer overflow in decode_subframe()

Fixes: runtime error: signed integer overflow: -536870912 - 1972191120 cannot be represented in type 'int'
Fixes: 2711/clusterfuzz-testcase-minimized-4975142398590976

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2c630d159ffe8a9822e81f9c041652762b37e068)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 12:37:26 +0000 (14:37 +0200)]
avformat/rtmppkt: Convert ff_amf_get_field_value() to bytestream2

Fixes: out of array accesses

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ffcc82219cef0928bed2d558b19ef6ea35634130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2
Michael Niedermayer [Fri, 28 Jul 2017 11:41:59 +0000 (13:41 +0200)]
avformat/rtmppkt: Convert ff_amf_tag_size() to bytestream2

Fixes: out of array accesses
Fixes: crash-9238fa9e8d4fde3beda1f279626f53812cb001cb-SEGV

Found-by: JunDong Xie of Ant-financial Light-Year Security Lab
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08c073434e25cba8c43aae5ed9554fdd594adfb0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()
Michael Niedermayer [Wed, 26 Jul 2017 18:26:43 +0000 (20:26 +0200)]
avcodec/diracdec: Fix integer overflow in signed multiplication in UNPACK_ARITH()

Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e275a74b09cc87f4334ed572f919b7647d4bea1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/pixlet: Simplify nbits computation
Michael Niedermayer [Wed, 26 Jul 2017 18:10:28 +0000 (20:10 +0200)]
avcodec/pixlet: Simplify nbits computation

Fixes multiple integer overflows
Fixes: runtime error: signed integer overflow: 1 + 2147483647 cannot be represented in type 'int'

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aeddb3607be94b1d6fef41b602b07f08223ea565)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/dnxhddec: Move mb height check out of non hr branch
Michael Niedermayer [Wed, 26 Jul 2017 01:26:59 +0000 (03:26 +0200)]
avcodec/dnxhddec: Move mb height check out of non hr branch

Fixes: out of array access
Fixes: poc.dnxhd

Found-by: Bingchang, Liu@VARAS of IIE
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 296debd213bd6dce7647cedd34eb64e5b94cdc92)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2
Michael Niedermayer [Mon, 24 Jul 2017 13:48:37 +0000 (15:48 +0200)]
avcodec/hevc_ps: fix integer overflow in log2_parallel_merge_level_minus2

Fixes: runtime error: signed integer overflow: -2147483647 - 2 cannot be represented in type 'int'
Fixes: 2702/clusterfuzz-testcase-minimized-4511932591636480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 74c1c22d7f0d25f527ed2ebf62493be5ad52c972)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avformat/oggparsecelt: Do not re-allocate os->private
Michael Niedermayer [Tue, 25 Jul 2017 01:19:07 +0000 (03:19 +0200)]
avformat/oggparsecelt: Do not re-allocate os->private

Fixes: double free
Fixes: clusterfuzz-testcase-minimized-5080550145785856

Found-by: ClusterFuzz
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7140761481e4296723a592019a0244ebe6c1a8cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/ylc: Fix shift overflow
Michael Niedermayer [Sat, 22 Jul 2017 00:57:12 +0000 (02:57 +0200)]
avcodec/ylc: Fix shift overflow

Fixes: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 2698/clusterfuzz-testcase-minimized-4713541443518464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03a9e6ff303ad82e75b734edbe4917ca5fd60159)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()
Michael Niedermayer [Fri, 21 Jul 2017 22:44:14 +0000 (00:44 +0200)]
avcodec/aacps: Fix multiple integer overflow in map_val_34_to_20()

Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int'
Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0764fe1d09833ae4dcf9e427df09378d0d6a3386)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/aacdec_fixed: fix: left shift of negative value -1
Michael Niedermayer [Sun, 23 Jul 2017 14:52:47 +0000 (16:52 +0200)]
avcodec/aacdec_fixed: fix: left shift of negative value -1

Fixes: 2699/clusterfuzz-testcase-minimized-5631303862976512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2dfb8c417891e0cc3670f8e0791ea0c7071314fe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/dirac_vlc: Fix undefined shift
Michael Niedermayer [Tue, 18 Jul 2017 23:43:24 +0000 (01:43 +0200)]
avcodec/dirac_vlc: Fix undefined shift

Fixes: runtime error: shift exponent 64 is too large for 64-bit type 'residual' (aka 'unsigned long')
Fixes: 2674/clusterfuzz-testcase-minimized-4999700518273024

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 69e7daf6ce2a5893936ba18572c58180b29d67f9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  doc/filters: typo in frei0r
Brice Waegeneire [Fri, 21 Jul 2017 22:09:29 +0000 (00:09 +0200)]
doc/filters: typo in frei0r

Signed-off-by: Brice Waegeneire <brice.wge@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6a6eec485d23b0c47a7cfeb94995db1be91c0e1a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  avcodec/cfhd: Fix decoding regression due to height check
Vodyannikov Aleksandr [Fri, 21 Jul 2017 09:49:45 +0000 (11:49 +0200)]
avcodec/cfhd: Fix decoding regression due to height check

Fixes: Ticket6546

Regression since: 54aaadf648073149f1ac34f56cbde4e6c5aa22ef

Reviewed-by: Muhammad Faiz <mfcc64@gmail.com>
Reviewed-by: Kieran Kunhya <kierank@obe.tv>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 47c93657249f1a4bc8a7aaf2f9f3a33510bee38c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2 years ago  Update for 3.3.3
Michael Niedermayer [Wed, 19 Jul 2017 13:28:08 +0000 (15:28 +0200)]
Update for 3.3.3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>