Commit graph

42089 commits

Author SHA1 Message Date
Michael Niedermayer
9b97acef22 avcodec/vc1dec: Limit bits by the actual bitstream size
Fixes: Timeout (350 ->19sec)
Fixes: 19249/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-6566896438870016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c56a52a82c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
ec8c556db8 avcodec/vmdaudio: Check block_align more
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 19788/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMDAUDIO_fuzzer-5743379690553344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 06f6857b54)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
f1d84ff4cb avcodec/pgssubdec: Free subtitle on error
Fixes: Assertion failure
Fixes: 19753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGSSUB_fuzzer-5688461843759104

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b0a718923b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Zachariah Brown
393eff8917 avcodec/nvenc: use framerate if available
The h264_nvenc and hevc_nvenc encoders aren't respecting the framerate in the codec context.
Instead it was using the timebase which in our use-case was 1/1000 so the encoder was behaving
as if we wanted 1000fps. This resulted in poor encoding results due to an extremely low bitrate.

Both the amf and qsv encoders already contain similar logic to first check the framerate before
falling back to the timebase.

Signed-off-by: Zachariah Brown <zachariah@renewedvision.com>
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2020-05-15 00:52:14 +02:00
James Almer
31c523469a avcodec/cbs_h265: fix writing extension_data bits
We only care about the right most bit.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 38d1815cc6)
2020-05-03 18:49:01 -03:00
Timo Rothenpieler
a59b535af4 avcodec/nvenc: offset dts to account for b-frame reordering
Fixes ticket #7303

Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
2020-05-01 21:00:40 +02:00
Andreas Rheinhardt
14644e3322 cbs_mpeg2: Fix parsing the last unit
There is one way to find out if avpriv_find_start_code has found a start
code or not: One has to check whether the state variable contains a
start code, i.e. whether the three most significant bytes are 0x00 00 01.
Checking for whether the return value is the end of the designated
buffer is not enough: If the last four bytes constitute a start code,
the return value is also the end of the buffer. This happens with
sequence_end_codes which have been ignored for exactly this reason,
although e.g. all three files used for fate tests of cbs_mpeg2 contain
sequence_end_codes.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit fd93d5efe6)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
c1fb94fcac cbs_mpeg2: Rearrange start code search
1. Currently, cbs_mpeg2_split_fragment uses essentially three variables
to hold the start code values found by avpriv_find_start_code. By
rearranging the code, one of them can be omitted.
2. The return value of avpriv_find_start_code points to the byte after
the byte containing the start code identifier (or to the byte after the
last byte of the fragment's data if no start code was found), but
cbs_mpeg2_split_fragment needs to work with the pointer to the byte
containing the start code identifier; it already did this, but in a
clumsy way. This has been changed.
3. Also use the correct type for the variable holding the
CodedBitstreamUnitType.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 276b21a586)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
2852aa5084 cbs_mpeg2: Decompose Sequence End
Sequence End units (or actually, sequence_end_codes) have up until now
not been decomposed; in fact due to a bug in cbs_mpeg2_split_fragment they
have mostly been treated as part of the preceding unit. So implement
decomposing them as preparation for fixing said bug.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 0e66e1b61e)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
9db961861a cbs_mpeg2: Fix parsing of picture and slice headers
1. The extra information in slice headers was parsed incorrectly:
In the first reading pass to derive the length of the extra information,
one should look at bits n, n + 9, n + 18, ... and check whether they
equal one (further extra information) or zero (end of extra information),
but instead bits n, n + 8, n + 16, ... were inspected. The second pass
of reading (where the length is already known and the bytes between the
length-determining bits are copied into a buffer) did not record what
was in bits n, n + 9, n + 18, ..., presuming they equal one. And during
writing, the bytes in the buffer are interleaved with set bits and
written. This means that if the detected length of the extra information
was greater than the real length, the output was corrupted. Fortunately
no sample is known that made use of this mechanism: The extra information
in slices is still marked as reserved in the specifications. cbs_mpeg2
is now ready in case this changes.

2. Furthermore, the buffer is now padded and slightly different, but
very similar code for reading resp. writing has been replaced by code
used for both. This was made possible by a new macro, the equivalent
to cbs_h2645's fixed().

3. These changes also made it possible to remove the extra_bit_slice
element from the MPEG2RawSliceHeader structure. Said element was always
zero except when the detected length of the extra information was less
than the real length.

4. The extra information in picture headers (which uses essentially the
same syntax as the extra information in slice headers) has simply been
forgotten. This meant that if this extra information was present, it was
discarded during reading; and unfortunately writing created invalid
bitstreams in this case (an extra_bit_picture - the last set bit of the
whole unit - indicated that there would be a further byte of data,
although the output didn't contain said data).

This has been fixed; both types of extra information are now parsed via
the same code and essentially passed through.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d9182f04ca)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
fd53f6745e cbs: Remove useless initializations
Up until now, a temporary variable was used and initialized every time a
value was read in CBS; if reading turned out to be successfull, this
value was overwritten (without having ever been looked at) with the
value read if reading was successfull; on failure the variable wasn't
touched either. Therefore these initializations can be and have been
removed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit b71a0367a6)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
4bc84f4f7d mpeg2_metadata, cbs_mpeg2: Fix handling of colour_description
If a sequence display extension is read with colour_description equal to
zero, but a user wants to add one or more of the colour_description
elements, then the colour_description elements the user did not explicitly
request to be set are set to zero and not to the value equal to
unknown/unspecified (namely 2). A value of zero is not only inappropriate,
but explicitly forbidden. This is fixed by inferring the right default
values during the reading process if the elements are absent; moreover,
changing any of the colour_description elements to zero is now no longer
possible.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit c2a91645c5)
2019-12-31 16:57:37 -03:00
Andriy Gelman
662accb728 lavc/cbs_h2645_syntax_template: Fix memleak
payload_count is used to track the number of SEI payloads. It is also
used to free the SEIs in cbs_h264_free_sei()/cbs_h265_free_sei().

Currently, payload_count is set after for loop is completed. Hence if
there is an error and the function exits, the payload remains zero
causing a memleak.

This commit keeps track of payload_count inside the for loop to fix the
issue. Note that that the contents of current are initialized with
av_mallocz() so there is no need to zero initialize payload_count.

Found-by: libFuzzer
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Andriy Gelman <andriy.gelman@gmail.com>
(cherry picked from commit c07a772473)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
4667920455 avcodec/cbs: Fix potential overflow
The number of bits in a PutBitContext must fit into an int, yet nothing
guaranteed the size argument cbs_write_unit_data() uses in init_put_bits()
to be in the range 0..INT_MAX / 8. This has been changed.

Furthermore, the check 8 * data_size > data_bit_start that there is
data beyond the initial padding when writing mpeg2 or H.264/5 slices
could also overflow, so divide it by 8 to get an equivalent check
without this problem.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cda3e8ca04)
2019-12-31 16:57:37 -03:00
Andreas Rheinhardt
1cf238d3bf avcodec/cbs: Factor out common code for writing units
All cbs-functions to write units share a common pattern:
1. They check whether they have a write buffer (that is used to store
the unit's data until the needed size becomes known after writing the
unit when a dedicated buffer will be allocated).
2. They use this buffer for a PutBitContext.
3. The (codec-specific) writing takes place through the PutBitContext.
4. The return value is checked. AVERROR(ENOSPC) here always indicates
that the buffer was too small and leads to a reallocation of said
buffer.
5. The final buffer will be allocated and the data copied.

This commit factors this common code out in a single function in cbs.c.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 7c92eaace2)
2019-12-31 16:57:37 -03:00
Michael Niedermayer
cb3a59ca82 avcodec/ffwavesynth: Fix undefined overflow in wavesynth_synth_sample()
Fixes: signed integer overflow: 2147464192 + 21176 cannot be represented in type 'int'
Fixes: 19042/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5719828090585088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa47f6412d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
25b5331a1d avcodec/cook: Use 3 stage VLC decoding for channel_coupling
Fixes: shift exponent -1 is negative
Fixes: out of array read
Fixes: 19028/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5759766471376896
Fixes: 19037/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COOK_fuzzer-5734106625474560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 89fd76db71)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
525a8ee3d8 avcodec/wmalosslessdec: Fixes undefined overflow in dequantization in decode_subframe()
Fixes: signed integer overflow: 47875596 * 45 cannot be represented in type 'int'
Fixes: 19082/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5687766512041984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 53efab44a9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
9bea771035 avcodec/sonic: Check e in get_symbol()
Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int'
Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
Fixes: 18753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5663299131932672

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aea6755611)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
4abd0e1282 avcodec/twinvqdec: Correct overflow in block align check
Fixes: signed integer overflow: 538976288 * 8 cannot be represented in type 'int'
Fixes: 19126/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TWINVQ_fuzzer-5687464110325760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4dc93ae3d7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
fd674648a2 avcodec/vc1dec: Fix "return -1" cases
Reviewed-by: "mypopy@gmail.com" <mypopy@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 26f040bcb4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
31e169948d avcodec/vc1dec: Free sprite_output_frame on error
Fixes: memleaks
Fixes: 19471/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5688035714269184

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ee9240be3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
cb1111b04a avcodec/atrac9dec: Clamp band_ext_data to max that can be read if skipped.
Fixes: out of array read
Fixes: 19327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5679823087468544

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Lynne <dev@lynne.ee>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 18ff210efb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
067b2c0c28 avcodec/agm: Include block size in the MV check for flags == 3
Fixes: out of array read
Fixes: 19331/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5644115983466496

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f20969457)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
8681622d7b avcodec/wmadec: Keep track of exponent initialization per channel
Fixes: division by 0
Fixes: 19123/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAV2_fuzzer-5655493121146880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bf5c850b79)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
3679bda78b avcodec/iff: Check that video_size is large enough for the read parameters
video is allocated before parameters like bpp are read.

Fixes: out of array access
Fixes: 19084/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5718556033679360
Fixes: 19465/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5759908398235648

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1b97f62f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
affedbd027 avcodec/cbs_vp9: Check data_size
Fixes: out of array access
Fixes: 19542/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5659498341728256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4fa2d5a692)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
d7fbabaeb5 avcodec/cbs_vp9: Check index_size
Fixes: out of array read
Fixes: 19300/clusterfuzz-testcase-minimized-ffmpeg_BSF_VP9_METADATA_fuzzer-5653911730126848

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer <jamrial@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6553e2e60)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
9511cfe07f avcodec/adpcm: Clip predictor for APC
Fixes: signed integer overflow: -2147483648 - 13 cannot be represented in type 'int'
Fixes: 18893/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_APC_fuzzer-5630760442920960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9fe07908c3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
5f14ba4776 avcodec/targa: Check colors vs. available space
Fixes: Timeout (37sec -> 52ms)
Fixes: 18892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TARGA_fuzzer-5739537854889984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 01593278ce)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
bc17113954 avcodec/dstdec: Use get_ur_golomb_jpegls()
Fixes: shift exponent -4 is negative
Fixes: 17793/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5766088435957760
Fixes: 18989/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5175008116867072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a76690c02b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
ddb35d510e avcodec/wmavoice: Check remaining input in parse_packet_header()
Fixes: Infinite loop
Fixes: 18914/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAVOICE_fuzzer-5731902946541568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19c41969b2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
846c61789c avcodec/wmalosslessdec: Fix 2 overflows in mclms
Fixes: signed integer overflow: 2038337026 + 109343477 cannot be represented in type 'int'
Fixes: 18886/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5673660505653248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 92455c8c65)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
01f5442b82 avcodec/wmaprodec: Fixes integer overflow with 32bit samples
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 18860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5755223125786624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a9cc69c0d5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
090d10ce60 avcodec/adpcm: Fix invalid shift in xa_decode()
Fixes: left shift of negative value -1
Fixes: 18859/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5748474213040128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 50db30b47d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
7a1b6aa6ac avcodec/wmalosslessdec: Fix several integer issues
Fixes: shift exponent -1 is negative (and others)
Fixes: 18852/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5660855295541248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ec3fe67074)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
19691eb4d5 avcodec/wmalosslessdec: Check that padding bits is not more than sample bits
Fixes: left shift of 1 by 31 places cannot be represented in type 'int'
Fixes: 18817/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5713317180211200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9d42826580)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
ef722f7692 avcodec/iff: Skip overflowing runs in decode_delta_d()
Fixes: Timeout (107sec - 75ms>
Fixes: 18812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6295585225441280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 185f441ba2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
3c0fcc7779 avcodec/pnm: Check that the header is not truncated
Fixes: Ticket8430

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c94cb8d9b2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
60605ffa5c avcodec/mp3_header_decompress_bsf: Check sample_rate_index
Fixes: out of array read
Fixes: 19309/clusterfuzz-testcase-minimized-ffmpeg_BSF_MP3_HEADER_DECOMPRESS_fuzzer-5651002950942720

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f064c7c449)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
075b337798 avcodec/cbs_av1_syntax_template: Check num_y_points
"It is a requirement of bitstream conformance that num_y_points is less than or equal to 14."

Fixes: index 24 out of bounds for type 'uint8_t [24]'
Fixes: 19282/clusterfuzz-testcase-minimized-ffmpeg_BSF_AV1_FRAME_MERGE_fuzzer-5747424845103104

Note, also needs a23dd33606

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: jamrial
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bbe27890ff)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
1f88bbc9f2 avcodec/agm: Do not allow MVs out of the picture area as no edge is allocated
Fixes: out of array access
Fixes: 18499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AGM_fuzzer-5749038406434816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7a1b30c871)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
d6cc432751 avcodec/apedec: Fix 2 integer overflows
Fixes: signed integer overflow: 2119056926 - -134217728 cannot be represented in type 'int'
Fixes: 18728/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5747539563511808

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e15ba2d1f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
96e1ca6e05 avcodec/wmaprodec: Set packet_loss when we error out on a sanity check
Fixes: left shift of negative value -34
Fixes: 18719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMAPRO_fuzzer-5642658173419520

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a9cbd25d89)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
50ed50a03b avcodec/wmaprodec: Check offset
Fixes: index 33280 out of bounds for type 'float [32768]'
Fixes: 18718/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA2_fuzzer-5635373899710464

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5473c7825e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
6bb2004c82 avcodec/truemotion2: Fix 2 integer overflows in tm2_low_res_block()
Fixes: signed integer overflow: 1778647621 + 574372924 cannot be represented in type 'int'
Fixes: 18692/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TRUEMOTION2_fuzzer-6248679635943424

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 93d52a181e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
7bf4d235c0 avcodec/wmaprodec: Check if the channel sum of all internal contexts match the external
Fixes: NULL pointer dereference
Fixes: 18689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_XMA1_fuzzer-5715114640015360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 090ac57997)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
3bd30882b1 avcodec/atrac9dec: Check q_unit_cnt more completely before using it to access at9_tab_band_ext_group
Fixes: index 8 out of bounds for type 'const uint8_t [8][3]'
Fixes: 19127/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5709394985091072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Lynne <dev@lynne.ee>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e1d836d237)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
573cfcc52b avcodec/fitsdec: Use lrint()
Fixes: fate-fitsdec-bitpix-64

Possibly Fixes: -nan is outside the range of representable values of type 'unsigned short'
Possibly Fixes: 17769/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FITS_fuzzer-5678314672357376

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 37f31f4e50)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
fe04b47cea avcodec/g729dec: Avoid using buf_size
buf_size is not updated as buf is advanced so it is wrong after the first
iteration

Fixes: Timeout (160sec -> 27sec)
Fixes: 18658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_G729_fuzzer-5729784269373440

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 336f9461df)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00