We may write up to 43 bits, so 5 bytes is not enough.
Fixes: Assertion n>=0 && n<=32 failed at ./libavcodec/get_bits.h:406
Fixes: 398527871/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6602025714647040
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
Fixes: signed integer overflow: -1384566925600903168 * 16 cannot be represented in type 'long'
Fixes: 407069502/clusterfuzz-testcase-minimized-ffmpeg_dem_WEBM_DASH_MANIFEST_fuzzer-5159255372267520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 05f8c8c4c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: division by 0
Fixes: 395163171/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-542604339373670
Reviewed-by: Peter Ross <pross@xvid.org>
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ce1fd73d63)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 75be669ca1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This allows the user to set only the one that is needed to ALL or a
specific "wrong" extension like html
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f99f223eb1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: yt-dlp/issues/12700
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d82016c730)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes part of Ticket11435
Fixes: Elisa Viihde (Finnish online recording service)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68644994fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This fixes mixing up contexts, use of uninitialized data and crashes.
More specifically:
==1001752== Conditional jump or move depends on uninitialised value(s)
==1001752== at 0xA9ED82: avpriv_h264_has_num_reorder_frames (h264dec.c:64)
==1001752== by 0x668C7E: has_decode_delay_been_guessed (demux.c:757)
==1001752== by 0x66AB13: compute_pkt_fields (demux.c:1137)
==1001752== by 0x66B2E9: parse_packet (demux.c:1265)
==1001752== by 0x66BD84: read_frame_internal (demux.c:1449)
==1001752== by 0x67085B: avformat_find_stream_info (demux.c:2692)
==1001752== by 0x25157C: ifile_open (ffmpeg_demux.c:1814)
==1001752== by 0x272B15: open_files (ffmpeg_opt.c:1366)
==1001752== by 0x272D85: ffmpeg_parse_options (ffmpeg_opt.c:1415)
==1001752== by 0x2925C9: main (ffmpeg.c:991)
==1001752== Uninitialised value was created by a heap allocation
==1001752== at 0x483E0F0: memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1001752== by 0x483E212: posix_memalign (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1001752== by 0x14882CE: av_malloc (mem.c:107)
==1001752== by 0x1463785: av_buffer_alloc (buffer.c:82)
==1001752== by 0x146423F: pool_alloc_buffer (buffer.c:369)
==1001752== by 0x14643C4: av_buffer_pool_get (buffer.c:407)
==1001752== by 0x752C4B: buffer_pool_get (mpegts.c:1142)
==1001752== by 0x7538F2: mpegts_push_data (mpegts.c:1407)
==1001752== by 0x758893: handle_packet (mpegts.c:2909)
==1001752== by 0x758E90: handle_packets (mpegts.c:3048)
==1001752== by 0x759B1D: mpegts_read_packet (mpegts.c:3290)
==1001752== by 0x6687A3: ff_read_packet (demux.c:649)
==1001752== by 0x66B594: read_frame_internal (demux.c:1346)
==1001752== by 0x67085B: avformat_find_stream_info (demux.c:2692)
==1001752== by 0x25157C: ifile_open (ffmpeg_demux.c:1814)
==1001752== by 0x272B15: open_files (ffmpeg_opt.c:1366)
==1001752== by 0x272D85: ffmpeg_parse_options (ffmpeg_opt.c:1415)
==1001752== by 0x2925C9: main (ffmpeg.c:991)
Found-by: Alexander A. Shvedov <shvedov@gmx.com>
CC: Pavel Koshevoy <pkoshevoy@gmail.com>
This reverts commit 0021484d05.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Legal since commit 1cd0a9be4b2d1e7c60184ec68404e00e46e3123e
(Jan 4) in the Cellar Matroska specification git repo.
We still hold out on muxing it due to compatibility with
old demuxers.
Reviewed-by: compn <ff@hawaiiantel.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 8a936b8726)
The structure is padded to an even length with an internal
size field to indicate the real size.
The matroska-matroska-display-metadata test (writing FFV1
in VFW mode) was affected by this.
It should also fix ticket #11613.
Reviewed-by: compn <ff@hawaiiantel.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 92e310eb82)
I have several .ts captures where video and audio codec changes even
though the PMT version does not change and the PIDs stay the same.
This happens during transition to/from slate (mpeg2 video and audio)
to network broadcast (hevc video and eac3 audio in private PES).
I've updated fate ts-demux expected results.
Codec probing was primarily added to the wav demuxer to support DTS-in-wav
files, but DTS probing functions return AVPROBE_SCORE_EXTENSION+1, so we can be
a bit more strict with the required score.
This fixes MP3 misdetections for some wav files.
Fixes ticket #11581.
Signed-off-by: Marton Balint <cus@passwd.hu>
(cherry picked from commit ce01c7fb58)
The offset and end_offset options are meant for segment, not for key.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit bb0c4649fb)
Don't select sample with small dts when interleaved_read is disabled.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
(cherry picked from commit ca964ba139)
(setting to 100 as a reasonable compromise)
The change has caused regressions for many users and consumers.
Playlist reloads only happen when a playlist doesn't indicate that it
has ended (via #EXT-X-ENDLIST), which means that the addition of future
segments is still expected.
It is well possible that an HLS server is temporarily unable to serve
further segments but resumes after some time, either indicating a
discontinuity or even by fully catching up.
With a segment length of 3s, a max_reload value of 1000 corresponds to
a duration of 50 minutes which appears to be a reasonable default.
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ace9f03a6c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: null pointer dereference
Fixes: 385644864/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-4551049565765632
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8668957ef6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -251517880 * 32 cannot be represented in type 'int'
Fixes: 385224934/clusterfuzz-testcase-minimized-ffmpeg_dem_W64_fuzzer-4909298151915520
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1afbc40875)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'long'
Fixes: 392672068/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6232335892152320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <git@haerdin.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8a6ad9eab2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Allow mp4 with all mpegts extensions
Fixes: Ticket11435
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cef3422b48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0113e30806)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d845533130)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This blocks disallowed extensions from probing
It also requires all available segments to have matching extensions to the format
mpegts is treated independent of the extension
It is recommended to set the whitelists correctly
instead of depending on extensions, but this should help a bit,
and this is easier to backport
Fixes: CVE-2023-6602 II. HLS Force TTY Demuxer
Fixes: CVE-2023-6602 IV. HLS XBIN Demuxer DoS Amplification
The other parts of CVE-2023-6602 have been fixed by prior commits
Found-by: Harvey Phillips of Amazon Element55 (element55)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 91d96dc8dd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
When running the cleanup in rtmp_close on failures in rtmp_open,
we can in rare cases end up using rt->playpath, assuming that it
is still set.
The crash could happen if we hit the fail codepath in rtmp_open
while publishing (rt->is_input == 0) with rt->state set to
a value > STATE_FCPUBLISH.
This would normally not happen while publishing; either we have
an error (and rt->state <= STATE_FCPUBLISH) or we reach
rt->state = STATE_PUBLISHING, and then we also return successfully
from rtmp_open.
The unexpected combination of states could happen if the server
responds with e.g. "NetStream.Play.Stop" while expecting
"NetStream.Publish.Start"; this sets rt->state to STATE_STOPPED,
which also fulfills the condition "> STATE_FCPUBLISH".
We don't need to free the rt->playpath/tcurl/flashver strings here;
they're handled via AVOption, and thus are freed automatically when
the protocol instance is freed (that's why they aren't freed
manually within the rtmp_close function either).
We also don't need to free the AVDictionary with options; it's
owned by the caller.
A smaller fix would be to just call rtmp_close before freeing
the strings and dictionary, but as we don't need to free them
at all, let's remove that redundant code.
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8f4819ce01)
Fixes: signed integer overflow: 7803923888585309955 - -3407677434275325337 cannot be represented in type 'int64_t' (aka 'long')
Fixes: 377736723/clusterfuzz-testcase-minimized-media_pipeline_integration_fuzzer-5052449500889088
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 02958ab715)
Fixes: Use of uninitialized memory
Fixes: 71444/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-5448597561212928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ecc96f4d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Use of uninitialized memory
Fixes: 377642312/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-4554550985424896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aec2933344)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitilaized data
Fixes: 385167047/clusterfuzz-testcase-minimized-ffmpeg_dem_IPMOVIE_fuzzer-5941477505564672
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 788abe0d25)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
ff_parse_mpeg2_descriptor() reads over what is initialized
Fixes: use of uninitialized memory
Fixes: 383825645/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-5144130618982400
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 17b019c517)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized data
Fixes: 383825642/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5380168801124352
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c43dbecbda)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: undefined NULL pointer use
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-6363211175493632
This performs equivalent sanity checks as are done in mov_read_trak()
before mov_build_index()
Reported-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afbc3a1b23)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16b3d3e3eb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: -nan is outside the range of representable values of type 'int'
Fixes: 377072730/clusterfuzz-testcase-minimized-ffmpeg_dem_IAMF_fuzzer-6545416570601472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4485a0fd77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value
Fixes: 70992/clusterfuzz-testcase-minimized-ffmpeg_dem_IMAGE2_fuzzer-5735819170611200
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3f0b95bb17)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value
Fixes: 70988/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5298245077630976
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9578c135d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: use of uninitialized value
Fixes: 70932/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-4870202133643264
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4c62cbcae2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
