This state is not refcounted, so make sure it always has a well-defined
owner.
Remove the block added in 091341f2ab, as
this commit also solves that issue in a more general way.
(cherry picked from commit cc867f2c09)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 35aa7e70e7)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 3bc28e9d1a)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
The inputs are unused except for this computation so wraparound
does not give an attacker any extra values as they are already fully
controlled
Fixes: signed integer overflow: 0 - -2147483648 cannot be represented in type 'int'
Fixes: 45820/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5766159019933696
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1291568c98)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -128275513086 * -76056576 cannot be represented in type 'long'
Fixes: 45818/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-5129799149944832
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7f1279684e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -101 * 71041254 cannot be represented in type 'int'
Fixes: 45938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TAK_fuzzer-4687974320701440
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 01d8c887f6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -2146549696 - 3923884 cannot be represented in type 'int'
Fixes: 45907/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5992380584558592
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b085b400be)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 11494 * 1073741824000000 cannot be represented in type 'long'
Fixes: 26586/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5752633970917376
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c1f20c6c8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -1094995529 * 24 cannot be represented in type 'int'
Fixes: 44436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-4874459459223552
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 28008bf95e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Untested, no testcase
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e88b99afdf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
Fixes: assertion failure
Fixes: ticket9651
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 757da974b2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f306b8e80a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ce43e1c581)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This codepath seems untested, no testcases change
Found-by: <mkver>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 634312a70f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: left shift of 32768 by 16 places cannot be represented in type 'int'
Fixes: Timeout
Fixes: 44219/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4679455379947520
Fixes: 44088/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMVJPEG_fuzzer-4885976600674304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ee283d7d0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 15244032 * 256 cannot be represented in type 'int'
Fixes: 43504/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4865014842916864
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd6ac013a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 1074134419 - -1075212485 cannot be represented in type 'int'
Fixes: 43273/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-4706880883130368
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 0c9c9bbd01)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 2147483542 + 128 cannot be represented in type 'int'
Fixes: 42812/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6344057861832704
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7cee3b3718)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
The whole concept is just not correct, also as it seems not to be needed
at all, all dng files i have decode without this.
Fixes: various crashes
Fixes: 42937/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4625073334517760
Fixes: 42938/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4643368217477120
Fixes: 42939/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925325908246528
Fixes: 42940/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-4925378806808576
Fixes: 42941/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6202009265504256
Fixes: 42944/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6076860998483968
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit afdbc940c6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
sets coded_width / coded_height too to keep them consistent with
width / height
Fixes: OOM
Fixes: 42263/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-5653333619113984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cfa1f0e214)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d6c16f42cc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Timeout (same growing chunk is decoded to failure repeatedly)
Fixes: 42582/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQA_fuzzer-6531195591065600
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d8ea7a67ba)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -16777216 * 131 cannot be represented in type 'int'
Fixes: 23835/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5669943160078336
Fixes: 41101/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-4636330705944576
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 68457c1e85)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: out of array read
Fixes: 40284/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP3_fuzzer-4599568176644096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96caa01f13)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
We still own it on failure, and there's no point trying to feed it again.
This should address the issue reported in dav1d #383 and part of VLC #26259.
Signed-off-by: James Almer <jamrial@gmail.com>
Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 141f3053ba)
The DNXHD encoder's context contains an array of 32 pointers to
DNXHDEncContexts used in case of slice threading; when trying
to use more than 32 threads with slice threading, the encoder's init
function errors out, but the close function takes avctx->thread_count
at face value and tries to free inexistent elements of the array,
leading to potential crashes.
Fix this by modifying the check used to decide whether the slice
contexts should be freed.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit eb583b3cb9)
ff_wma_init() can fail without freeing everything it has allocated;
so add the FF_CODEC_CAP_INIT_CLEANUP to the codecs using it.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit fcdb012a10)
silk_lsp2poly()'s declaration contained arrays with array sizes;
yet these array sizes exceeded the number of actually accessed array
elements (which is related to another parameter) and this leads to
-Wstringop-overflow= warnings from GCC 11, because the arrays provided
by callers are only large enough for the actually used elements.
So replace the incorrect array sizes with comments containing
the correct array sizes. Given that these sizes are not compile-time
constants, they can only be communicated via a comment.
Reported by Paul B Mahol.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 4b15474316)
h263_get_motion_length() forgot to take an absolute value;
as a consequence, a negative index was used to access an array.
This leads to potential crashes, but mostly it just accesses what
is to the left of ff_mvtab (unless one uses ASAN), thereby defeating
the purpose of the AV_CODEC_FLAG2_NO_OUTPUT because the sizes of
the returned packets differ from the sizes the encoder would actually
have produced.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit 9207dc3b0d)
Fixes ticket #9537.
Probably a regression since 2b32068916.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit d1b47f3bfc)
Regression since af043b839c.
Fixes ticket #9409.
Reviewed-by: Philip Langdale <philipl@overt.org>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit bb89a2f64f)
av_image_copy() expects an array of four pointers and linesizes
according to its declaration; it currently only pointers that are
actually in use (depending upon the pixel format), but this might
change at any time. It has already happened for the linesizes in
d7bc52bf45 and so increasing their
array fixes a stack-buffer overread.
This fixes a -Wstringop-overflow= and -Wstringop-overread warning
from GCC 11.2.
Reviewed-by: Linjie Fu <linjie.justin.fu@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit b0b90100bf)
av_image_copy() expects an array of four pointers according to its
declaration; although it currently only touches pointers that
are actually in use (depending upon the pixel format) this might
change at any time (as has already happened for the linesizes
in d7bc52bf45).
This fixes a -Wstringop-overflow= warning with GCC 11.2.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit b09ea67b40)
Forgotten in 555f5c1fc5.
Reviewed-by: Zane van Iperen <zane@zanevaniperen.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
(cherry picked from commit df4cb384fb)
This fixes compilation errors in case nvenc is enabled
(e.g. autodected) with both nvenc-based encoders disabled
because nvenc uses ff_alloc_a53_sei(), yet only the nvenc-based
encoders require atsc_a53.
(This error does not manifest itself in case of static linking
(nothing pulls in nvenc.o), but it exists with shared builds.)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Signed-off-by: Timo Rothenpieler <timo@rothenpieler.org>
- quantizer delta and matrix level specific.
- support loop filter delta.
- support use superres.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 84c73102d9)
VAAPI needs 2 output surface for film grain frame. One used for
reference and the other used for applying film grain and pushing
to downstream.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 7871144cf8)
For film grain clip, vaapi_av1 decoder will cache additional 8
surfaces that will be used to store frames which apply film grain.
So increase the pool size by plus 8 to avoid leak of surface.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit 53403158cc)
Defined in spec 5.9.24/5.9.25. Since function void
global_motion_params(AV1DecContext *s) already updates
gm type/params, the wminvalid parameter only need to get
the value from cur_frame.gm_invalid.
Signed-off-by: Tong Wu <tong1.wu@intel.com>
(cherry picked from commit 4e7a7d75e3)
Since order_hint_bits_minus_1 range is 0~7, cur_frame_hint can be
most 128. And similar return value for cbs_av1_get_relative_dist.
So if plus them and use int8_t for the result may lose its precision.
Signed-off-by: Fei Wang <fei.w.wang@intel.com>
(cherry picked from commit e7ff5722b1)