Commit graph

23716 commits

Author SHA1 Message Date
Michael Niedermayer
8f83d2a94a avformat/4xm: Consider max_streams on reallocating tracks array
Fixes: OOM
Fixes: 41595/clusterfuzz-testcase-minimized-ffmpeg_dem_FOURXM_fuzzer-6355979363549184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0dcd95ef8a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
223b5abcb1 avformat/mov: Check next offset in mov_read_dref()
Fixes: signed integer overflow: 9223372036200463215 + 1109914409 cannot be represented in type 'long'
Fixes: 41480/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6553086177443840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 562021e2fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
bbea2c47c7 avformat/vivo: Favor setting fps from explicit fractions
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf1e93bdc9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
88f619726c avformat/vivo: Do not use the general expression evaluator for parsing a floating point value
Fixes: Timeout
Fixes: 41564/clusterfuzz-testcase-minimized-ffmpeg_dem_VIVO_fuzzer-6309014024093696

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7b24615565)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
f4f397ebc1 avformat/mxfdec: Check for duplicate mxf_read_index_entry_array()
Fixes: memleak
Fixes: 41596/clusterfuzz-testcase-minimized-ffmpeg_dem_MXF_fuzzer-6439060204290048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f44a218e5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
8720b1b480 avformat/mxfdec: Check component_depth in mxf_get_color_range()
Fixes: shift exponent 4294967163 is too large for 32-bit type 'int'
Fixes: 41449/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6183636217495552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a4af92d7cb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
4846536e67 avformat/mov: Disallow duplicate smdm
Fixes: memleak
Fixes: 39879/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5327819907923968

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b5ba74053c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
a2b5ffb4ac avformat/mov: Check for EOF in mov_read_glbl()
Fixes: Infinite loop
Fixes: 41351/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-5433895854669824

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 59b4e7cbd8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
4ff9f77240 avformat/mov: Check channels for mov_parse_stsd_audio()
Fixes: signed integer overflow: -776522110086937600 * 16 cannot be represented in type 'long'
Fixes: 40563/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6644829447127040

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3a64a4c582)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
d4ff904e30 avformat/avidec: Check read_odml_index() for failure
Fixes: Timeout
Fixes: 40950/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-6478873068437504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 57adb26d05)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
a4015d432b avformat/aiffdec: Use av_rescale() for bitrate
Fixes: integer overflow
Fixes: 40313/clusterfuzz-testcase-minimized-ffmpeg_dem_AIFF_fuzzer-4814761406103552

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 905588df97)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
d0a99fdfc6 avformat/aiffdec: sanity check block_align
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93f7776921)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Michael Niedermayer
287389faec avformat/aiffdec: Check sample_rate
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1b04836dff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2022-04-06 20:27:35 +02:00
Andreas Rheinhardt
953ad7b362 avformat/omadec: Don't output uninitialized values
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 874f03fae7)
2022-01-11 22:37:58 +01:00
Andreas Rheinhardt
9abd7d144d avformat/jacosubenc: Fix writing extradata
The terminating '\0' is no longer included in the size of
the extradata output by the demuxer since commit
36e61e24e7.
E.g. if one remuxes the JACOsub sample JACOsub_capability_tester.jss
from the FATE suite, one receives a file not recognized as JACOsub
before this patch.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 54e8dcce8e)
2022-01-11 22:37:58 +01:00
Andreas Rheinhardt
86487300ce avformat/cafenc: Fix memleak when trailer is never written
Do this by using the AVStream's priv_data for the buffer holding
the packet size data.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit d94b641b4a)
2022-01-11 22:37:45 +01:00
Andreas Rheinhardt
4d8beeaa8f avformat/cafenc: Don't segfault upon allocation error
If an array for the packet sizes could not be successfully reallocated
when writing a packet, the CAF muxer frees said array, but does not
reset the number of valid bytes. As a result, when the trailer is
written later, avio_write tries to read that many bytes from NULL,
which segfaults.

Fix this by not freeing the array in case of error; also, postpone
writing the packet data after having successfully (re)allocated the
array, so that even on allocation error the file can be correctly
finalized.

Also remove an unnecessary resetting of the number of size entries
used at the end.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 19a6b51fe6)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
71eee0d4dc avformat/cafenc: Fix potential integer overflow
(As long as avio_write() only accepts an int, it makes no sense
to try to support sizes that don't fit into an int.)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 42fe438482)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
8c1899a71b avformat/movenc: Limit ism_lookahead to a sane value
There can only be a maximum of 255 entries in a tfrf tag, so using
more makes no sense; moreover, several size computations can overflow
in this case. Fix this by limiting it to 255.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 1cf3c59b58)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
eb998e33ef avformat/sccdec: Don't use uninitialized data, fix crash, simplify logic
Up until now, the scc demuxer not only read the line that it intends
to process, but also the next line, in order to be able to calculate
the duration of the current line. This approach leads to unnecessary
complexity and also to bugs: For the last line, the timing of the
next subtitle is not only logically indeterminate, but also
uninitialized and the same applies to the duration of the last packet
derived from it.* Worse yet, in case of e.g. an empty file, it is not
only the duration that is uninitialized, but the whole timing as well
as the line buffer itself.** The latter is used in av_strtok(), which
could lead to crashes. Furthermore, the current code always outputs
at least one packet, even for empty files.

This commit fixes all of this: It stops using two lines at a time;
instead only the current line is dealt with and in case there is
a packet after that, the duration of the last packet is fixed up
after having already parsed it; consequently the duration of the
last packet is left in its default state (meaning "unknown/up until
the next subtitle"). If no further line could be read, processing
is stopped; in particular, no packet is output for an empty file.

*: Due to stack reuse it seems to be zero quite often; for the same
reason Valgrind does not report any errors for a normal input file.
**: While ff_subtitles_read_line() claims to always zero-terminate
the buffer like snprintf(), it doesn't do so if it didn't read anything.
And even if it did, it would not necessarily help here: The current
code jumps over 12 bytes that it deems to have read even when it
hasn't.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 60e12318bb)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
fd5726a226 avformat/subtitles: Honour ff_subtitles_read_line() documentation
It claims to always zero-terminate its buffer like snprintf(),
yet it does it not on EOF. Because of this the mcc demuxer
used uninitialized values when reading an empty input file.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 8766361fc1)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
91b0684024 avformat/tee: Fix leak of FIFO-options dictionary
Happened for all slaves which didn't use the FIFO.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 3a27fcb168)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
e7201aa246 avformat/tee: Fix leak of strings
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 4df34df642)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
2e850412d3 avformat/matroskadec: Don't unnecessarily reduce aspect ratio
Fixes ticket #9497.

Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 9139dc6140)
2022-01-11 15:15:53 +01:00
Andreas Rheinhardt
ab8830e348 avformat/aadec: Don't use the same loop counter in inner and outer loop
Due to this bush.aa (from the FATE suite) exported garbage metadata
with key "_040930".

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 0a76f8217e)
2022-01-11 15:15:52 +01:00
Andreas Rheinhardt
703937c494 avformat/moflex: Don't use uninitialized timebase for data stream
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 38e5ca9310)
2022-01-11 15:15:52 +01:00
Anton Khirnov
91aa03952a lavf/udp: do not return an uninitialized value from udp_open()
(cherry picked from commit 3c2b674468)
Signed-off-by: Anton Khirnov <anton@khirnov.net>

Conflicts:
        libavformat/udp.c
2022-01-11 09:17:23 +01:00
Michael Niedermayer
bac4bb747a avformat/matroskadec: Reset state also on failure in matroska_reset_status()
The calling code does not handle failures and will fail with assertion failures later.
Seeking can always fail even when the position was previously read.

Fixes: Assertion failure
Fixes: 35253/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-4693059982983168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d115eec979)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-21 19:21:14 +02:00
Michael Niedermayer
ea190a10d3 avformat/wavdec: Check smv_block_size
Fixes: Timeout
Fixes: 39554/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-4915221701984256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 849138f476)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-21 19:21:14 +02:00
Michael Niedermayer
6de9986c78 avformat/rmdec: Check for multiple audio_stream_info
Fixes: memleak
Fixes: 39166/clusterfuzz-testcase-minimized-ffmpeg_dem_IVR_fuzzer-5153276690038784

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8fe3566b8f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-21 19:21:14 +02:00
Michael Niedermayer
cb92d65a5b oavformat/avidec: Check offset in odml
Fixes: signed integer overflow: 9223372036854775807 + 8 cannot be represented in type 'long'
Fixes: 38787/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-4859845799444480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 255a7b423e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-21 19:21:14 +02:00
Michael Niedermayer
4ae804b6fb avformat/mpegts: use actually read packet size in mpegts_resync special case
Fixes: infinite loop
Fixes: 37986/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGTSRAW_fuzzer-5292311517462528 -

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83b2e4c8f1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-21 19:21:14 +02:00
Steven Liu
9738990542 Revert "avformat/hlsenc: compute video_keyframe_size after write keyframe"
This reverts commit b5ca8f2c66.

This commit will make new problem about tickets: 9193,9205
It flush data into file with init file context together,
and it can get keyframe size, maybe need more method to get keyframe
size.

Signed-off-by: Steven Liu <liuqi05@kuaishou.com>
(cherry picked from commit 59032494e8)
2021-10-07 22:08:08 +08:00
Michael Niedermayer
71d776740c avformat/mov: Fix last mfra check
Fixes: signed integer overflow: 9223372036854775360 + 536870912 cannot be represented in type 'long'
Fixes: 37940/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-6095637855207424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 451ceb5131)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:40 +02:00
Michael Niedermayer
2a7b3e62e0 avformat/mvdec: Do not set invalid sample rate
Fixes: signed integer overflow: -682581959642593728 * 16 cannot be represented in type 'long'
Fixes: 37883/clusterfuzz-testcase-minimized-ffmpeg_dem_MV_fuzzer-5311691517198336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 737e6bf216)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
1d2a398827 avformat/sbgdec: Check for t0 overflow in expand_tseq()
Fixes: signed integer overflow: 4611686025627387904 + 4611686025627387904 cannot be represented in type 'long'
Fixes: 35489/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-4862678601433088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f624c92d4c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
598d3614fd avformat/rmdec: Use 64bit for intermediate for DEINT_ID_INT4
Fixes: runtime error: signed integer overflow: 65312 * 65535 cannot be represented in type 'int'
Fixes: 32832/clusterfuzz-testcase-minimized-ffmpeg_dem_RM_fuzzer-4817710040088576

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e2c2872393)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
09e0a12202 avformat/sbgdec: Check opt_duration and start for overflow
Fixes: signed integer overflow: 2788626175500000000 + 7118941284000000000 cannot be represented in type 'long'
Fixes: 35215/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6123272247836672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2768928624)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
65d6de52f1 avformat/mov: Check for duplicate clli
Fixes: memleak
Fixes: 35261/clusterfuzz-testcase-minimized-ffmpeg_dem_MOV_fuzzer-4869656287510528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9a222f140e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
e075bc192d avformat/utils: Ignore negative duration in codec_info_duration computation
Fixes: signed integer overflow: -5994697211974418462 + -3255307777713450286 cannot be represented in type 'long'
Fixes: 35332/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-5868035117285376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4d81550df9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
d482bf35eb avformat/jacosubdec: Check for min in t overflow in get_shift()
Fixes: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself
Fixes: 34651/clusterfuzz-testcase-minimized-ffmpeg_dem_JACOSUB_fuzzer-5157941012463616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 989febfbd0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
26083824d7 avformat/mxfdec: check channel number in mxf_get_d10_aes3_packet()
Fixes: Out of array access
Fixes: 37030/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5387719147651072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3dd5a8a135)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-10-05 23:19:39 +02:00
Michael Niedermayer
3d5f361290 avformat/mov: Check dts for overflow in mov_read_trun()
Fixes: signed integer overflow: 9223372034248226491 + 3275247799 cannot be represented in type 'long'
Fixes: clusterfuzz-testcase-minimized-audio_decoder_fuzzer-4538729166077952

Reported-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4de4bc06fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
e64b4a75bd avformat/avidec: Use 64bit for frame number in odml index parsing
Fixes: signed integer overflow: 1179337772 + 1392508928 cannot be represented in type 'int'
Fixes: 34088/clusterfuzz-testcase-minimized-ffmpeg_dem_AVI_fuzzer-5846945303232512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a4c98c507e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
maryam ebrahimzadeh
fb993619d1 avformat/adtsenc: return value check for init_get_bits in adts_decode_extradata
As the second argument for init_get_bits (buf) can be crafted, a return value check for this function call is necessary.
'buf' is  part of  'AVPacket pkt'.
replace init_get_bits with init_get_bits8.

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9ffa49496d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
88264f84c9 avformat/wtvdec: Check for EOF before seeking back in parse_media_type()
Fixes: Infinite loop
Fixes: 36311/clusterfuzz-testcase-minimized-ffmpeg_dem_WTV_fuzzer-4889181296918528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89505d38de)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
58477f42a2 avformat/mpc8: Check first keyframe position for overflow
Fixes: signed integer overflow: 9223372036854775791 + 18 cannot be represented in type 'long'
Fixes: 36307/clusterfuzz-testcase-minimized-ffmpeg_dem_MPC8_fuzzer-4917863877050368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2bbef69b0b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
8a3eb4498b avformat/wavdec: Use 64bit in new_pos computation
Fixes: signed integer overflow: 129 * 16711680 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_WAV_fuzzer-6742285317439488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9b57d2f0a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
3a18a6acc4 avformat/sbgdec: Check for overflow in timestamp preparation
Fixes: signed integer overflow: 9223372036854775807 + 86400000000 cannot be represented in type 'long'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-6731040263634944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9dbed90840)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00
Michael Niedermayer
a09127eacd avformat/dsicin: Check packet size for overflow
Fixes: signed integer overflow: 24672 + 2147483424 cannot be represented in type 'int'
Fixes: 29102/clusterfuzz-testcase-minimized-ffmpeg_dem_DSICIN_fuzzer-6731325979623424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d1c47ec03)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-08 21:31:50 +02:00