Commit graph

35028 commits

Author SHA1 Message Date
Michael Niedermayer
99c78466ff avcodec/pngdec: Fix off by 1 size in decode_zbuf()
Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Michael Niedermayer
72d5addc0b avcodec/mjpegdec: Check for rgb before flipping
Fixes assertion failure due to unsupported case

Fixes: 356/fuzz-1-ffmpeg_VIDEO_AV_CODEC_ID_MJPEG_fuzzer
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25d9643f11)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-03 15:59:14 +01:00
Andreas Cadhalpun
1a168061da pgssubdec: reset rle_data_len/rle_remaining_len on allocation error
The code relies on their validity and otherwise can try to access a NULL
object->rle pointer, causing segmentation faults.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 842e98b4d8)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2017-02-01 02:28:56 +01:00
Michael Niedermayer
667c9ed1f1 avcodec/ffv1enc: Allocate smaller packet if the worst case size cannot be allocated
We are checking during encoding if there is enough space as version 4 needs that
check.

Fixes Ticket6005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38a7834bbb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-09 21:39:14 +01:00
Michael Niedermayer
efa164aa68 avcodec/mpeg4videodec: Fix undefined shifts in mpeg4_decode_sprite_trajectory()
Fixes: part of 670190.ogg

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8258e36385)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-09 17:46:31 +01:00
Michael Niedermayer
0bcc7ea5dc avcodec/ffv1enc: Fix size of first slice
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cff1c0edaa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-09 02:04:58 +01:00
James Almer
d111c9ce13 avcodec/rawdec: check for side data before checking its size
Fixes valgrind warnings about usage of uninitialized values.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 51e329918d)
2016-12-04 17:27:07 -03:00
Michael Niedermayer
2c6792b0c6 avcodec/flacdec: Fix undefined shift in decode_subframe()
Fixes undefined behavior
Fixes: 639961-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f5630af51)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
66bf84e2c4 avcodec/get_bits: Fix get_sbits_long(0)
Fixes undefined behavior
Fixes: 640889-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c72fa43234)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
2d66fbc853 avcodec/flacdec: Fix signed integer overflow in decode_subframe_fixed()
Fixes undefined behavior
Fixes: 640912-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 83a75bf6c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
2f26f3de78 avcodec/flacdsp_template: Fix undefined shift in flac_decorrelate_indep_c
Fixes: left shift of negative value
Fixes: 668346-media

Found-by: Matt Wolenetz <wolenetz@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit acc163c6ab)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
6bee6ef0c2 avcodec/flac_parser: Update nb_headers_buffered
Fixes infinite loop
Fixes: fuzz.flac

Found-by: Frank Liberato <liberato@google.com>
Reviewed-by: Frank Liberato <liberato@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2475858889)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
63caf18787 avcodec/rv40: Test remaining space in loop of get_dimension()
Fixes infinite loop
Fixes: 178/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_RV40_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1546d487cf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
8ad4e1c1cb avcodec/ituh263dec: Avoid spending a long time in slice sync
Fixes: 177/fuzz-3-ffmpeg_VIDEO_AV_CODEC_ID_FLV1_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2baf36caed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
27fbf8f110 avcodec/movtextdec: Add error message for tsmb_size check
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0eb3198005)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
3f9a24f06d avcodec/movtextdec: Fix tsmb_size check==0 check
Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a609905723)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
083919e9c4 avcodec/movtextdec: Fix potential integer overflow
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ea2715768)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
bc63205ae2 avcodec/sunrast: Fix input buffer pointer check
Fixes: out of array read
Fixes: poc.dat

Found-by: Bingchang, Liu @VARAS of IIE
Tested-by: bc L <l.bing.chang.bc@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37138338ff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
4251dc6d7e avcodec/tscc: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 979bca5134)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
8fd3293fa1 avcodec/rawdec: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5f0bc0215a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
7affe32738 avcodec/msvideo1: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 161ccdaa06)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
1bc7215e8a avcodec/qpeg: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 16793504df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
51aa6d0987 avcodec/qtrle: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7d196f2a5a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
136fc7084e avcodec/msrle: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a6330119a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
adc86ad32f avcodec/kmvc: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d99101d09)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
e0dd617ed7 avcodec/idcinvideo: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a2b8dde659)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
9cab9b878f avcodec/cinepak: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 121be31060)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
3549871847 avcodec/8bps: Check side data size before use
Fixes out of array read

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 042faa847f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
9ec40eacb1 avcodec/dvdsubdec: Fix off by 1 error
Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c92f55847a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
8cca6b06ec avcodec/dvdsubdec: Fix buf_size check
Fixes out of array access

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 25ab1a65f3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Ronald S. Bultje
642cd5de4d vp9: change order of operations in adapt_prob().
This is intended to workaround bug "665 Integer Divide Instruction May
Cause Unpredictable Behavior" on some early AMD CPUs, which causes a
div-by-zero in this codepath, such as reported in Mozilla bug #1293996.

Note that this isn't guaranteed to fix the bug, since a compiler is free
to reorder instructions that don't depend on each other. However, it
appears to fix the bug in Firefox, and a similar patch was applied to
libvpx also (see Chrome bug #599899).

(cherry picked from commit be885da342)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
d54aa2de17 avcodec/interplayvideo: Check side data size before use
Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 85d23e5cbc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
9128ef0302 avcodec/mpegvideo_enc: Clear mmx state in ff_mpv_reallocate_putbitbuffer()
This function must be called from the mb or slice encoding loop and MMX state may not
be clean there

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03ec6b780c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Michael Niedermayer
86f5b73429 avcodec/utils: Clear MMX state before returning from avcodec_default_execute*()
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f96f9d111)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2016-12-04 20:25:15 +01:00
Andreas Cadhalpun
0496403c08 mss2: only use error correction for matching block counts
This fixes a heap-buffer-overflow in ff_er_frame_end when decoding mss2
with coded_width/coded_height larger than width/height.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 2566ad98b0)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:58 +01:00
Andreas Cadhalpun
dbad792487 libopusdec: default to stereo for invalid number of channels
This fixes an out-of-bounds read if avc->channels is 0.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 8c8f543b81)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
5d2f1ffef1 pgssubdec: only set w/h/linesize when allocating data
Rects with positive w/h/linesize but no data are invalid.

Reviewed-by: Petri Hintukainen <phintuka@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 995512328e)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
48d24cca13 smacker: limit recursion depth of smacker_decode_bigtree
This fixes segmentation faults due to stack-overflow caused by too deep
recursion.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 946ecd19ea)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
4ffd5805af libschroedingerdec: fix leaking of framewithpts
Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3c0328d58d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
57665e04e2 libschroedingerdec: don't produce empty frames
They are not valid and can cause problems/crashes for API users.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit a86ebbf7f6)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
b32c9941a2 pnmdec: make sure v is capped by maxval
Otherwise put_bits can be called with a value that doesn't fit in the
sample_len, causing an assertion failure.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit cdb5479c9d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
69673d0279 smvjpegdec: make sure cur_frame is not negative
This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 360bc0d90a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:57 +01:00
Andreas Cadhalpun
27888d13b8 dvbsubdec: fix division by zero in compute_default_clut
This problem was introduced in commit
4b90dcb849.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit c82b8ef0e4)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
416a8a06b9 proresdec_lgpl: explicitly check coff[3] against slice_data_size
The implicit checks via v_data_size and a_data_size don't work in the case
'(hdr_size > 7) && !ctx->alpha_info'.

This fixes segmentation faults due to invalid reads.

This problem was introduced in commit
547c2f002a.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 1e33035ee7)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
e14cc2f197 escape124: reject codebook size 0
It causes a cb_depth of 32, leading to assertion failures in get_bits.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 226d35c845)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
e6197a6ce9 mpegaudio_parser: don't return AVERROR_PATCHWELCOME
The API does not allow returning AVERROR codes.

It triggers an assert in av_parser_parse2.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 5249706e9d)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:56 +01:00
Andreas Cadhalpun
ef2d91e9c3 lzf: update pointer p after realloc
This fixes heap-use-after-free detected by AddressSanitizer.

Reviewed-by: Luca Barbato <lu_zero@gentoo.org>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb6a7b6f75)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:55 +01:00
Andreas Cadhalpun
dcc8d2418a diracdec: check return code of get_buffer_with_edge
If it fails, buffers aren't allocated, causing NULL pointer dereferencing.

Reviewed-by: Rostislav Pehlivanov <atomnuker@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit db79dedb1a)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:55 +01:00
Andreas Cadhalpun
087b777415 ppc: pixblockdsp: do unaligned block accesses correctly again
This was broken by the following Libav commit:
4c387c7 ppc: dsputil: do unaligned block accesses correctly

The following tests fail due to this:
fate-checkasm
fate-vsynth1-dnxhd-2k-hr-hq fate-vsynth1-dnxhd-edge1-hr
fate-vsynth1-dnxhd-edge2-hr fate-vsynth1-dnxhd-edge3-hr
fate-vsynth1-dnxhd-hr-sq-mov fate-vsynth1-dnxhd-hr-hq-mov
fate-vsynth2-dnxhd-2k-hr-hq fate-vsynth2-dnxhd-edge1-hr
fate-vsynth2-dnxhd-edge2-hr fate-vsynth2-dnxhd-edge3-hr
fate-vsynth2-dnxhd-hr-sq-mov fate-vsynth2-dnxhd-hr-hq-mov
fate-vsynth3-dnxhd-2k-hr-hq fate-vsynth3-dnxhd-edge1-hr
fate-vsynth3-dnxhd-edge2-hr fate-vsynth3-dnxhd-edge3-hr
fate-vsynth3-dnxhd-hr-sq-mov fate-vsynth3-dnxhd-hr-hq-mov

Fixes trac ticket #5508.

Reviewed-by: Carl Eugen Hoyos <ceffmpeg@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 3932ccc472)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:55 +01:00
Andreas Cadhalpun
aca7f5f060 interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
This fixes out-of-bounds reads by the bitstream reader.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 60178e78f2)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
2016-11-27 00:38:55 +01:00