Commit graph

81017 commits

Author SHA1 Message Date
Matt Wolenetz
5cd2fcd0a7 lavf/mov.c: Avoid heap allocation wraps in mov_read_{senc,saiz}()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (senc,saiz portions)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 36aba43bd5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:21 +02:00
Matt Wolenetz
0abc88f0fd lavf/mov.c: Avoid OOB in mov_read_udta_string()
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643952 (udta_string portion)

Signed-off-by: Matt Wolenetz <wolenetz@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9bbdf5d921)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-16 16:00:21 +02:00
James Almer
b014fa21d4 avformat/apng: fix setting frame delay when max_fps is set to no limit
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 874eb012f7)
2017-03-21 20:21:53 -03:00
James Almer
8e4abfbb9d swresample/resample: free existing ResampleContext on reinit
Fixes memleak.

Reviewed-by: wm4 <nfxjfg@googlemail.com>
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit db7a05dab0)
2017-03-21 12:14:28 -03:00
James Almer
f9083dec0c swresample/resample: move resample_free() higher in the file
Also make it more readable while at it.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 2a8a8a2e98)
2017-03-21 12:14:25 -03:00
Rostislav Pehlivanov
e1ed2291ec lavfi/buffersrc: fix directly setting channel layout
When setting the channel layout directly using AVBufferSrcParameters
the channel layout was correctly set however the init function still
expected the old string format to set the number of channels (when it
hadn't already been specified).

Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
(cherry picked from commit 42959044ac)
Signed-off-by: Rostislav Pehlivanov <atomnuker@gmail.com>
2017-02-21 19:02:05 +00:00
Carl Eugen Hoyos
007cf1786c lavf/mpeg: Initialize a stack variable used by memcmp().
Silence a valgrind warning.

Fixes ticket #6160.
(cherry picked from commit a5c1c7a8b3)
2017-02-21 02:16:18 +01:00
Carl Eugen Hoyos
401a3ae2cb lavc/avpacket: Initialize a variable in error path.
Fixes ticket #6153.

Tested-by: Tyson Smith
(cherry picked from commit 1d54be2153)
2017-02-17 10:44:32 +01:00
Michael Niedermayer
384d90f268 Update for 3.1.7
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 21:00:39 +01:00
Michael Niedermayer
d20200d303 avcodec/h264_slice: Clear ref_counts on redundant slices
Fixes reading freed memory
Fixes: 568/clusterfuzz-testcase-6107186067406848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c03029a835)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Matt Wolenetz
02a5e88ebc lavf/mov.c: Avoid heap allocation wrap in mov_read_uuid
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643951

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support values beyond INT_MAX
Also the check is moved to a more common place and before integer truncation

(cherry picked from commit 2d453188c2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Matt Wolenetz
b6efd022b7 lavf/mov.c: Avoid heap allocation wrap in mov_read_hdlr
Core of patch is from paul@paulmehta.com
Reference https://crbug.com/643950

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Check value reduced as the code does not support larger lengths

(cherry picked from commit fd30e4d57f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
68e9caf16f avcodec/pictordec: Fix logic error
Fixes: 559/clusterfuzz-testcase-6424225917173760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8c2ea3030a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
e34cbd1d2b ffserver_config: Setup codecpar in add_codec()
fixes segfault in the status page code

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 472fee91bc)
2017-02-08 20:32:01 +01:00
Michael Niedermayer
6c1a2e6bc3 avcodec/movtextdec: Fix decode_styl() cleanup
Fixes: null pointer dereference
Fixes: 555/clusterfuzz-testcase-5986646595993600

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e248522d1b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
a4fb905a14 lavf/matroskadec: fix is_keyframe for early Blocks
Blocks are marked as key frames whenever the "reference" field is
zero. This breaks for non-keyframe Blocks with a reference timestamp
of zero.

The likelihood of reference timestamp being zero is increased by a
longstanding bug in muxing that encodes reference timestamp as the
absolute time of the referenced frame (rather than relative to the
current Block timestamp, as described in MKV spec).

Now using INT64_MIN to denote "no reference".

Reported to chromium at http://crbug.com/497889 (contains sample)

(cherry picked from commit ac25840ee3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
James Almer
ff7a4df8ac configure: bump year
Happy new year!

(cherry picked from commit d800d48fc6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
9115acb326 avcodec/pngdec: Check trns more completely
Fixes out of array access
Fixes: 546/clusterfuzz-testcase-4809433909559296

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e477f09d0b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
1f35ea813d avcodec/interplayvideo: Move parameter change check up
Fixes out of array read
Fixes: 544/clusterfuzz-testcase-5936536407244800.f8bd9b24_8ba77916_70c2c7be_3df6a2ea_96cd9f14

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b1e2192007)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
c26c8bb23a avcodec/dca_lbr: Fix off by 1 error in freq check
Fixes out of array read
Fixes: 510/clusterfuzz-testcase-5737865715646464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 61f70416f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
e23768b8ff avcodec/mjpegdec: Check for for the bitstream end in mjpeg_decode_scan_progressive_ac()
Fixes timeout
Fixes: 496/clusterfuzz-testcase-5805083497332736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3782656631)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Frank Liberato
197e4693f6 avformat/flacdec: Check avio_read result when reading flac block header.
Return AVERROR_INVALIDDATA if all four bytes aren't present.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 95bde49982)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
e6b3f3ff81 avcodec/utils: correct align value for interplay
Fixes out of array access
Fixes: 452/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_INTERPLAY_VIDEO_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2080bc3371)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
c4a0b84b58 avcodec/vp56: Check for the bitstream end, pass error codes on
Fixes timeout
Fixes: 446/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_VP6_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9e6a242755)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
777f8b9fe1 avcodec/mjpegdec: Check remaining bitstream in ljpeg_decode_yuv_scan()
Fixes timeout
Fixes: 445/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Fixes: 456/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_JPEGLS_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 755933cb5c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
00bbf3063c avcodec/pngdec: Fix off by 1 size in decode_zbuf()
Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
25778b2692 avcodec/omx: Do not pass negative value into av_malloc()
Fixes CID1396849

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bd83c295fc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Tobias Rapp
c26cbe6c2e avformat/avidec: skip odml master index chunks in avi_sync
Fixes pts gaps when reading AVI files > 256GiB generated by FFmpeg.

Signed-off-by: Tobias Rapp <t.rapp@noa-archive.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d579d7c1b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
d5948243f5 avcodec/mjpegdec: Check for rgb before flipping
Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f11)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
8c3e90f5ed avutil/random_seed: Reduce the time needed on systems with very low precission clock()
This should fix issues on BSD
CLOCKS_PER_SEC is 128 on BSD while SUSv2 requires it to be a million

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c4152fc42e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
f0862b18c5 avutil/random_seed: Improve get_generic_seed() with higher precission clock()
Tested-by: Thomas Turner <thomastdt@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit da73d95bad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Chris Cunningham
693288c344 avformat/mp3dec: fix msan warning when verifying mpa header
MPEG Audio frame header must be 4 bytes. If we fail to read
4 bytes bail early to avoid Use-of-uninitialized-value msan error.
Reference https://crbug.com/666874.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ab87df9a47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
3d9c007b61 avformat/utils: Print verbose error message if stream count exceeds max_streams
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f0bdd53871)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Michael Niedermayer
5b8ee8f013 avformat/options_table: Set the default maximum number of streams to 1000
Fixes CVE-2016-9561, Note the security relevance of this is disputed as
running out of memory can happen with valid files

Suggested-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Reviewed-by: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 30581c51e7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-08 20:32:01 +01:00
Andreas Cadhalpun
f77bb85b08 pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d8)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2017-02-01 02:28:36 +01:00
Michael Niedermayer
6c96200ceb avutil: Add av_image_check_size2()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f542b152aa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
b18a571e23 avformat: Add max_streams option
This allows user apps to stop OOM due to excessive number of streams

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1296f84495)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
0131f5c376 avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
255e61c25b avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e36385)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
119301d312 avformat/oggdec: Skip streams in duration correction that did not had their duration set.
Fixes: part of 670190.ogg
Fixes integer overflow

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ee2a6f5df8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Michael Niedermayer
0c2d6a219f avcodec/ffv1enc: Fix size of first slice
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-11 00:43:29 +01:00
Srinath K R
8a4b18c639 avfilter/vf_hwupload_cuda: Add min/max limits for the 'device' option
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2016-12-08 11:27:36 +01:00
James Almer
a57b701bdc configure: check for strtoull on msvc
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit b52d3574d4)
2016-12-05 19:22:13 -03:00
Michael Niedermayer
e08b1cf2df Update for 3.1.6
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 23:05:26 +01:00
Ronald S. Bultje
ce44100cb0 http: move chunk handling from http_read_stream() to http_buf_read().
(cherry picked from commit 845bb40178)
2016-12-05 16:20:06 -05:00
Ronald S. Bultje
18e3e322b3 http: make length/offset-related variables unsigned.
Fixes #5992, reported and found by Paul Cher <paulcher@icloud.com>.

(cherry picked from commit 2a05c8f813)
2016-12-05 16:20:06 -05:00
Michael Niedermayer
37904d1177 ffserver: Check chunk size
Fixes out of array access

Fixes: poc_ffserver.py
Found-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5d25faa3f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00
Michael Niedermayer
518934b5f1 Avoid using the term "file" and prefer "url" in some docs and comments
This should make it less ambigous that these are URLs

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a5f27a9c3a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00
Michael Niedermayer
b0ebef0578 avformat/rtmppkt: Check for packet size mismatches
Fixes out of array access

Found-by: Paul Cher <paulcher@icloud.com>
Reviewed-by: Paul Cher <paulcher@icloud.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d57ca4d9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00
Timothy Gu
540a4433bd zmqsend: Initialize ret to 0
Fixes CID1396857.

(cherry picked from commit d903b4e3ad)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-05 21:37:48 +01:00