Commit graph

21729 commits

Author SHA1 Message Date
Andreas Rheinhardt
119ed69bd5 avformat/matroskaenc: Check BlockAdditional size before use
Don't read a 64bit number before having checked that the data is at
least 8 bytes long.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e9cc96429)
2020-05-20 01:06:28 +02:00
Andreas Rheinhardt
12efc04b3b avformat/matroskaenc: Check functions that can fail
Sometimes it has not been checked whether opening the dynamic buffer for
writing Tags fails; this might have led to segfaults.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b4f300f8ea)
2020-05-20 01:01:12 +02:00
Andreas Rheinhardt
7f2ab227e0 avformat/matroskaenc: Check for reformatting errors
This is needed especially for AV1: If a reformatting error happens (e.g.
if the length field of an OBU contained in the current packet indicates
that said OBU extends beyond the current packet), the data pointer is
still NULL, yet the size is unchanged, so that writing the data leads
to a segmentation fault.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 58428bef4b)
2020-05-20 00:52:54 +02:00
Andreas Rheinhardt
703473ec04 avformat/matroskadec: Check before allocations
That way one doesn't have to free later. In this case (concerning TTA
extradata), this also fixes a memleak when the output samplerate is
invalid.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f7bf59b431)
2020-05-20 00:25:30 +02:00
Dale Curtis
d2f5691e96 avformat/mov: Don't allow negative sample sizes.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d8d554f15)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
b0b8ce0002 avformat/mpegts: Shuffle avio_seek
This avoids accessing an old, no longer valid buffer.
Fixes: out of array access
Fixes: crash_audio-2020

Found-by: le wu <shoulewoba@gmail.com>
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd74af1416)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
2cfb8f35cd avformat/thp: Require a video stream
The demuxer code assumes the existence of a video stream

Fixes: assertion failure
Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 97c78caf3e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
68eeca2803 avformat/mpeg: Decrease score by 1 for files with very little valid data
Fixes: 8233/PPY6574574605_cut.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 20f7b4dfc9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
33d17d1b53 avformat/oggdec: Check for EOF after page header
Fixes: Infinite loop
Fixes: Ticket8594

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1589be9fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
83b2cc152d libavformat/amr.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzeras (crbug.com/1065731).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b967f56b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
8c73f80276 libavformat/mov.c: Free aes_decrypt to avoid leaking memory
Found by Chromium fuzzers (crbug.com/1057205).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad91cf1f2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
33bdb19d23 libavformat/oggdec.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with unitialized data. Caught by
Chromium fuzzers (crbug.com/1054229).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7c67b1ae3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
52dbafe7b6 avformat/asfdec_f: Fix overflow check in get_tag()
Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int'
Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8140fe732)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
69ff8871ff avformat/nsvdec: Fix memleaks on errors while reading the header
Fixes: memleaks
Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96c0469455)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
1756a83aed libavformat/avienc: Check bits per sample for PAL8
Fixes: assertion failure
Fixes: Ticket 8172

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3595878281)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
5946d0bafa avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet()
Fixes: assertion failure
Fixes: Ticket 8005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e5bb48ae59)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
07ffedc01d avformat/mvdec: Check stream numbers
Fixes: null pointer dereference
Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 618a9bea65)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
f5180c3b9b avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info()
Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int'
Fixes: Ticket5132

Found-by: tsmith
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3d8f517db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
c7df41ed6b avformat/avidec: Avoid integer overflow in NI switch check
Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long'
Fixes: Ticket8149

Found-by: Suhwan
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 347920ca21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Dale Curtis
9a6d41e979 avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index()
When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of
e2_pts - e1_pts will overflow an int64_t.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f15007afa9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
913f64e923 avformat/mov: Check STCO location
Fixes: bypassing of checks and assertion failure
Fixes: asan_1003879.mp4

Found-by: Clusterfuzz + asan
Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cd4184020)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Carl Eugen Hoyos
d1e8be3411 Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp"
This reverts commit b71685865f.

The commit lead to the use of an uninitialized variable.
Other issues were listed by Andreas Rheinhardt:
https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/259150.html

(cherry picked from commit 8b1f07ef51)

In addition, it is not understandable why the patch that neither
claims to fix a regression nor a security issue was backported.
2020-04-05 11:59:49 +02:00
Andreas Rheinhardt
5b61639a21 avformat/matroskadec: Fix default value of BlockAddID
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit dbc50f8a93)
2020-04-03 21:12:52 +02:00
Andreas Rheinhardt
3eedf1599b avformat/dashdec: Don't allocate and leak strings that are never used
Since commit e134c203 strdups of several elements of a manifest are kept
in the DASHContext; but said commit completely forgot to free these
strings again (with xmlFree()). Given that these strings are never used
at all, this commit closes this leak by reverting said commit.

This reverts commit e134c20374.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3c138e5ceb)
2020-03-30 08:03:58 +02:00
Andreas Rheinhardt
4772757958 avformat/matroskaenc: Write level 1 elements in one go
Up until now, writing level 1 elements proceeded as follows: First, the
element id was written to the ordinary output AVIOContext and a dynamic
buffer was opened for the content of the level 1 element in
start_ebml_master_crc32(). Then this buffer was actually used and after it
was closed (in end_ebml_master_crc32()), the size field corresponding to
the buffer's size was written, after which the actual data was written.

This commit changes this: Nothing is written to the main AVIOContext any
more in start_ebml_master_crc32(). end_ebml_master_crc32() now writes
both the id, the length field as well as the data. This is benefical for
streaming, because a client that receives just a Cluster ID and nothing
more might infer that this is EOF; in certain usecases there is also the
danger of a client receiving the Cluster without the actual Cluster ID
at the beginning.

Addresses #8578.

(cherry picked from commit d9c21ec)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-03-30 07:56:38 +02:00
phunkyfish
635ca9aa01 avformat/rtp: Pass sources and block filter addresses via sdp file for rtp
Signed-off-by: Aman Gupta <aman@tmm1.net>
(cherry picked from commit b71685865f)
2020-03-27 11:00:50 -07:00
Paul B Mahol
19bfd72126 avformat/bintext: avoid division by zero
Fixes #8335

(cherry picked from commit 9d711a90fd)

Fixes ticket #8484.
2020-01-19 13:47:21 +01:00
Michael Niedermayer
747245ce0e avformat/rmdec: Initialize and sanity check offset in ivr_read_header()
Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long'
Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e665e4a81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Andreas Rheinhardt
d39a058707 avformat/id3v2: Fix double-free on error
ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67d4940a77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
3266d05538 avformat/mxfdec: Clear metadata_sets_count in mxf_read_close()
This avoids problems if the function is called twice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 13816a1d08)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
5f8e1a014f avformat/vividas: Error out on audio packets in the absence of audio streams
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d83002179f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
f21ef41c14 avformat/vividas: Check and require 1 video stream
The decoder hardcodes that audio is stream_id = 1 so it does not
currently work with more or less than 1 video stream at st=0

Fixes: assertion failure
Fixes: 18602/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6259277199310848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3e5a528bbe)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
b0c18a836a avformat/vividas: Add EOF check in val_1 loop in track_header()
Fixes: Timeout (148sec -> 0.1sec)
Fixes: 18427/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5682124627116032

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit faea5b4462)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
3a91eb37c4 avformat/mp3dec: Check that the frame fits within the probe buffer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e9a335150a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
c609312a47 avformat/vividas: Fix n_sb_blocks Check
Fixes: signed integer overflow: 1540265776 * 2 cannot be represented in type 'int'
Fixes: 18160/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5758808818712576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 114ddf6430)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
e634dc98b2 avformat/nutenc: Do not pass NULL to memcmp() in get_needed_flags()
This compared to the other suggestions is cleaner and easier to understand
keeping the condition in the if() simple.

This affects alot of fate tests.

See: [FFmpeg-devel] [PATCH 05/11] avformat/nutenc: Don't pass NULL to memcmp
See: [FFmpeg-devel] [PATCH]lavf/nutenc: Do not call memcmp() with NULL argument

Fixes: Ticket 7980

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e4fdeb3fce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
f2457bd115 avformat/pjsdec: Check duration for overflow
Fixes: signed integer overflow: -3 - 9223372036854775807 cannot be represented in type 'long'
Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1efaac6932)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
90e449a690 avformat/shortendec: Check k in probe
Fixes: Assertion failure
Fixes: 17640/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5708767475269632

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea770eb559)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
71f3bb58df avformat/mpsubdec: Clear queue on error
Fixes: Memleaks
Fixes: 17219/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5720539124989952

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9a0d36e562)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
292c492271 avformat/subtitles: Check nb_subs in ff_subtitles_queue_finalize()
Fixes: null pointer dereference
Fixes: 17828/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5645915116797952
Fixes: Ticket8147

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 81b53913bb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
9c3ae17cc1 avformat/electronicarts: If no packet has been read at the end do not treat it as if theres a packet
Fixes: Assertion failure
Fixes: 17770/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5700606668308480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4de49edc4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
c7d53daf9a avformat/vividas: Test size and packet numbers a bit more
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 27a2f65948)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
1beae222db avformat/vividas: Check n_sb_blocks against input space
Fixes: OOM
Fixes: 16726/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5719320750981120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e51f35f81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
75cd59ec21 avformat/mov: Check for EOF in mov_read_meta()
Fixes: Timeout (195sec -> 2ms)
Fixes: 16735/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5090676403863552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 093d1f4250)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
69e32fd0b1 avformat/vividas: Remove align offset which is always masked off
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8e8fd25272)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
372f9254c3 avformat/vividas: remove dead assignment
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 08dc354ef7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
8ae4a2915a avformat/cdxl: Fix integer overflow in intermediate
Fixes: signed integer overflow: 65535 * 65312 cannot be represented in type 'int'
Fixes: 16704/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6294115603447808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5c5575c8dc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Michael Niedermayer
315362028e repeat an even number of characters in occured
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fccc37ca85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:55 +01:00
Andreas Rheinhardt
48ae235848 avformat/matroskadec: Fix use-after-free when demuxing ProRes
ProRes in Matroska is supposed to not contain the first atom header
(containing a size field and the tag "icpf") and therefore the Matroska
demuxer has to recreate it; this involves an allocation and copy, of
course. Whether the old buffer (containing the data without the atom
header) needs to be freed or not depends upon whether it is what was
directly read (in which case it is owned by an AVBuffer) or whether it
has been allocated when reversing the track's content compression (e.g.
zlib compression) that Matroska supports.

So there are three pointers involved: The one pointing to the directly
read data (owned by the AVBuffer), the one pointing to the currently
valid data (which coincides with the former if no content compression
needed to be reverted) and the one pointing to the new data with the
first atom header. The check for whether to free the second of these is
simply whether the first two are different.

This works mostly, but there is a complication: Some muxers don't strip
the first atom header away and in this case, it is also not reinserted
and no new buffer is allocated; instead, the second and the third
pointers agree. In this case, one must never free the second buffer.
Yet it is currently done if the track is e.g. zlib compressed.
This commit fixes this.

This is a regression since b8e75a2a.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit af50f0a515)
2019-12-13 12:01:20 -03:00
Andreas Rheinhardt
2f89f24eb9 avformat/matroskadec: Fix demuxing ProRes
The structure of a ProRes frame in mov/mp4 is that of a typical atom:
First a 32 bit BE size field, then a tag detailling the content. Said
size field includes the eight bytes of the atom header.

This header is actually redundant, as the size of the atom is already
known from the containing atom. It is therefore stripped away when muxed
into Matroska and so the Matroska demuxer has to recreate upon demuxing.
But it did not account for the fact that the size field includes the
size of the header and this can lead to problems when a decoder uses the
in-band size field.

Fixes ticket #8210.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 581419ea39)
2019-12-13 12:01:16 -03:00