Commit graph

21748 commits

Author SHA1 Message Date
Andreas Rheinhardt
e13e36f322 avformat/aviobuf: Honor avio_open[2] documentation
The documentation of both avio_open() as well as avio_open2() states
that on failure, the pointer to an AVIOContext given to this function
(via a pointer to a pointer to an AVIOContext) will be set to NULL. Yet
it didn't happen upon failure of ffurl_open_whitelist() or when allocating
the internal buffer failed. This commit changes this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 220846f74f)
2020-05-20 03:59:36 +02:00
Andreas Rheinhardt
d58dab562b avformat/movenc: Fix undefined shift
Fixes the movenc FATE-test.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 646799b42f)
2020-05-20 03:33:45 +02:00
Andreas Rheinhardt
710ad43919 avformat/avidec: Fix memleak with embedded GAB2 subtitles
The code for GAB2 subtitles predates refcounting AVPackets. So in order
to transfer the ownership of a packet's data pkt->data was simply stored
and the packet zeroed; in the end (i.e. in the read_close-function) this
data was then simply freed with av_freep(). This of course leads to a leak
of an AVBufferRef and an AVBuffer. It has been fixed by keeping and
eventually unreferencing the packet's buf instead.

Additionally, the packet is now reset via av_packet_unref().

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit da44bbefaa)
2020-05-20 02:54:39 +02:00
Andreas Rheinhardt
15f051e09a avformat/matroskadec: Don't discard the upper 32bits of TrackNumber
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ba36a07734)
2020-05-20 02:50:59 +02:00
Andreas Rheinhardt
95d2ae9710 avformat/segafilmenc: Fix undefined left shift of 1 by 31 places
by changing the type to unsigned.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ae026d74f)
2020-05-20 02:44:52 +02:00
Andreas Rheinhardt
09d777a30e avformat/wtvdec: Fix memleak when reading header fails
Fixes #8314.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 373c1c9b69)
2020-05-20 02:36:58 +02:00
Andreas Rheinhardt
efea91321e avformat/dashenc: Fix leak of AVFormatContext on error
The Dash muxer uses submuxers and when one such submuxer has been allocated,
it is initially only stored in a temporary variable. Therefore it leaks
if an error happens between the allocation and storing it permanently.
This commit changes this.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: "Jeyapal, Karthick" <kjeyapal@akamai.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8aeab0dbc1)
2020-05-20 02:36:02 +02:00
Andreas Rheinhardt
9dad33fcae avformat/fitsdec: Fix potential leak of string in AVBPrint
by freeing it a bit earlier.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bb20f3dd73)
2020-05-20 02:34:46 +02:00
Andreas Rheinhardt
4b93166add avformat/matroskadec: Sanitize SeekHead entries
A Seek element in a Matroska SeekHead should contain a SeekID and a
SeekPosition element and upon reading, they should be sanitized:

Given that IDs are restricted to 32 bit, longer SeekIDs should be treated
as invalid. Instead currently the lower 32 bits have been used.

For SeekPosition, no checks were performed for the element to be
present and if present, whether it was excessively large (i.e. the
absolute file position described by it exceeding INT64_MAX). The
SeekPosition element had a default value of -1 which means that a check
seems to have been intended; but it was not implemented. This commit adds
a check for overflow to the calculation of the absolute file position of
the referenced level 1 elements.
Using -1 (i.e. UINT64_MAX) as default value for SeekPosition implies that
a Seek element without SeekPosition will run afoul of this check.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 7c243eece3)
2020-05-20 02:11:30 +02:00
Andreas Rheinhardt
2dc4034c5a avformat/matroskaenc: Fix memleak upon encountering bogus chapter
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cb255b616c)
2020-05-20 02:09:19 +02:00
Andreas Rheinhardt
3a971af005 avformat/matroskaenc: Make ebml_num_size() more robust
Matroska (or actually EBML) uses variable-length numbers where only
seven bits of every byte is usable for the length; the other bits encode
the length of the variable-length number. So in order to find out how
many bytes one needs to encode a given number one can use a loop like
while (num >> 7 * bytes) bytes++; the Matroska muxer effectively did this.

Yet it has a disadvantage: It is impossible for the result of a single
right shift of an unsigned number with most significant bit set to be
zero, because one can only shift by 0..(width - 1). On some
architectures like x64 it is not even possible to do it with undefined
right shifts in which case this leads to an infinite loop.

This can be easily avoided by switching to a loop whose condition is
(num >>= 7). The maximum value the so modified function can return
is 10; any value > 8 is invalid and will now lead to an assert in
put_ebml_num() or in start_ebml_master() (or actually in
put_ebml_size_unknown()).

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 9b0f9003df)
2020-05-20 02:05:56 +02:00
Andreas Rheinhardt
f60a1e8d34 avformat/oggenc: Don't free AVStream's priv_data, fix memleak
For FLAC, Speex, Opus and VP8 the Ogg muxer allocates two buffers
for building the headers: The first for extradata in an Ogg-specific
format and the second contains a Vorbiscomment. These buffers are
reachable via pointers in the corresponding AVStream's priv_data.

If an error happens during building the headers, the AVStream's
priv_data would be freed. This is pointless in general as it would be
freed generically anyway, but here it is actively harmful: If the second
of the aforementioned allocations fails, the first buffer would leak
upon freeing priv_data.

This commit stops freeing priv_data manually, which allows the muxer to
properly clean up in the deinit function.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 0fcf74f435)
2020-05-20 02:03:53 +02:00
Andreas Rheinhardt
df88108c97 avformat/utils: Fix memleak when decoding subtitle in find_stream_info
avformat_find_stream_info() may decode some frames to get stream
information. And when it does this for subtitles, the decoded subtitles
leak.

(Decoding subtitles was added in b1511e00f6
for PGS subtitles. When PGS subtitles originate from a container that
exports every segment as a packet of its own, no output will be
generated when decoding a packet, because not enough input is available.
Yet when used with PGS subtitles in the Matroska form a single packet
contains enough data to generate output. Yet said output is not freed,
hence this leak.)

Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit d026fef999)
2020-05-20 01:53:20 +02:00
Andreas Rheinhardt
4b9f3c4323 avformat/mpeg: Don't use unintialized value
vobsub_read_packet() didn't check whether an array of AVPackets was
valid and therefore used uninitialized values.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit a39536caee)
2020-05-20 01:34:36 +02:00
Andreas Rheinhardt
84b2ec226a avformat/webmdashenc: Check codec types
The WebM DASH Manifest muxer only supports VP8, VP9, Vorbis and Opus,
but there was no check for this. The codec type is used to get a pointer
to a string containing the codec name or NULL if it is not one of those
four codecs. Said pointer has then been used without further checks as
string for the %s conversion specifier in an avio_printf()) call which
is undefined behaviour.

This commit adds a check for the supported codec types.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit cbea58b2b3)
2020-05-20 01:22:38 +02:00
Andreas Rheinhardt
e4fd6ef46a avformat/webmdashenc: Fix memleak upon realloc failure
The classical ptr = av_realloc(ptr, size).

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 418e468699)
2020-05-20 01:21:36 +02:00
Andreas Rheinhardt
2765e92731 avformat/subtitles: Don't increment packet counter prematurely
Do it only if the packet has been successfully allocated in
av_new_packet() -- otherwise on error a completely uninitialized packet
would be unreferenced later.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6bd8bcc2ac)
2020-05-20 01:10:43 +02:00
Andreas Rheinhardt
10b1d1d3ca avformat/bethsoftvid: Fix potential memleak upon reallocation failure
The classical ptr = av_realloc(ptr, size), just with av_fast_realloc().

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5acef12061)
2020-05-20 01:09:57 +02:00
Andreas Rheinhardt
5efb7dc2b2 avformat/smoothstreaming: Fix memleaks on errors
If an AVFormatContext could be allocated, but white-/blacklists couldn't
be copied, the AVFormatContext would leak as it was only accessible
through a local variable that goes out of scope when one goes to fail.

Furthermore, in case writing a header of a submuxer failed, the options
used for said call could leak.

Both of these memleaks have been fixed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit abbb466368)
2020-05-20 01:07:22 +02:00
Andreas Rheinhardt
119ed69bd5 avformat/matroskaenc: Check BlockAdditional size before use
Don't read a 64bit number before having checked that the data is at
least 8 bytes long.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e9cc96429)
2020-05-20 01:06:28 +02:00
Andreas Rheinhardt
12efc04b3b avformat/matroskaenc: Check functions that can fail
Sometimes it has not been checked whether opening the dynamic buffer for
writing Tags fails; this might have led to segfaults.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b4f300f8ea)
2020-05-20 01:01:12 +02:00
Andreas Rheinhardt
7f2ab227e0 avformat/matroskaenc: Check for reformatting errors
This is needed especially for AV1: If a reformatting error happens (e.g.
if the length field of an OBU contained in the current packet indicates
that said OBU extends beyond the current packet), the data pointer is
still NULL, yet the size is unchanged, so that writing the data leads
to a segmentation fault.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit 58428bef4b)
2020-05-20 00:52:54 +02:00
Andreas Rheinhardt
703473ec04 avformat/matroskadec: Check before allocations
That way one doesn't have to free later. In this case (concerning TTA
extradata), this also fixes a memleak when the output samplerate is
invalid.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f7bf59b431)
2020-05-20 00:25:30 +02:00
Dale Curtis
d2f5691e96 avformat/mov: Don't allow negative sample sizes.
Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2d8d554f15)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
b0b8ce0002 avformat/mpegts: Shuffle avio_seek
This avoids accessing an old, no longer valid buffer.
Fixes: out of array access
Fixes: crash_audio-2020

Found-by: le wu <shoulewoba@gmail.com>
Reviewed-by: Marton Balint <cus@passwd.hu>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd74af1416)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
2cfb8f35cd avformat/thp: Require a video stream
The demuxer code assumes the existence of a video stream

Fixes: assertion failure
Fixes: 21512/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5699660783288320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 97c78caf3e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
68eeca2803 avformat/mpeg: Decrease score by 1 for files with very little valid data
Fixes: 8233/PPY6574574605_cut.mp3

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 20f7b4dfc9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
33d17d1b53 avformat/oggdec: Check for EOF after page header
Fixes: Infinite loop
Fixes: Ticket8594

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f1589be9fd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
83b2cc152d libavformat/amr.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with initialized data. Caught by
Chromium fuzzeras (crbug.com/1065731).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 5b967f56b6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
8c73f80276 libavformat/mov.c: Free aes_decrypt to avoid leaking memory
Found by Chromium fuzzers (crbug.com/1057205).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad91cf1f2f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
John Rummell
33bdb19d23 libavformat/oggdec.c: Check return value from avio_read()
If the buffer doesn't contain enough bytes when reading a stream,
fail rather than continuing on with unitialized data. Caught by
Chromium fuzzers (crbug.com/1054229).

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b7c67b1ae3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
52dbafe7b6 avformat/asfdec_f: Fix overflow check in get_tag()
Fixes: signed integer overflow: 2 * 1210064928 cannot be represented in type 'int'
Fixes: 20873/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5761116909338624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8140fe732)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
69ff8871ff avformat/nsvdec: Fix memleaks on errors while reading the header
Fixes: memleaks
Fixes: 21084/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5655975492321280

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 96c0469455)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:36 +02:00
Michael Niedermayer
1756a83aed libavformat/avienc: Check bits per sample for PAL8
Fixes: assertion failure
Fixes: Ticket 8172

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3595878281)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
5946d0bafa avformat/mpegts: Improve the position determination for avpriv_mpegts_parse_packet()
Fixes: assertion failure
Fixes: Ticket 8005

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e5bb48ae59)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
07ffedc01d avformat/mvdec: Check stream numbers
Fixes: null pointer dereference
Fixes: 20768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5638648978735104.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 618a9bea65)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
f5180c3b9b avformat/utils: Fix integer overflow with complex time bases in avformat_find_stream_info()
Fixes: signed integer overflow: 2045163756 * 2 cannot be represented in type 'int'
Fixes: Ticket5132

Found-by: tsmith
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3d8f517db)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
c7df41ed6b avformat/avidec: Avoid integer overflow in NI switch check
Fixes: signed integer overflow: 0 - -9223372036854775808 cannot be represented in type 'long'
Fixes: Ticket8149

Found-by: Suhwan
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 347920ca21)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Dale Curtis
9a6d41e979 avformat/utils: Fix undefined behavior in ff_configure_buffers_for_index()
When e2_pts == INT64_MIN and e1_pts >= 0 the calculation of
e2_pts - e1_pts will overflow an int64_t.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f15007afa9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Michael Niedermayer
913f64e923 avformat/mov: Check STCO location
Fixes: bypassing of checks and assertion failure
Fixes: asan_1003879.mp4

Found-by: Clusterfuzz + asan
Reported-by: Thomas Guilbert <tguilbert@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1cd4184020)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-05-19 17:17:35 +02:00
Carl Eugen Hoyos
d1e8be3411 Revert "avformat/rtp: Pass sources and block filter addresses via sdp file for rtp"
This reverts commit b71685865f.

The commit lead to the use of an uninitialized variable.
Other issues were listed by Andreas Rheinhardt:
https://ffmpeg.org/pipermail/ffmpeg-devel/2020-March/259150.html

(cherry picked from commit 8b1f07ef51)

In addition, it is not understandable why the patch that neither
claims to fix a regression nor a security issue was backported.
2020-04-05 11:59:49 +02:00
Andreas Rheinhardt
5b61639a21 avformat/matroskadec: Fix default value of BlockAddID
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit dbc50f8a93)
2020-04-03 21:12:52 +02:00
Andreas Rheinhardt
3eedf1599b avformat/dashdec: Don't allocate and leak strings that are never used
Since commit e134c203 strdups of several elements of a manifest are kept
in the DASHContext; but said commit completely forgot to free these
strings again (with xmlFree()). Given that these strings are never used
at all, this commit closes this leak by reverting said commit.

This reverts commit e134c20374.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit 3c138e5ceb)
2020-03-30 08:03:58 +02:00
Andreas Rheinhardt
4772757958 avformat/matroskaenc: Write level 1 elements in one go
Up until now, writing level 1 elements proceeded as follows: First, the
element id was written to the ordinary output AVIOContext and a dynamic
buffer was opened for the content of the level 1 element in
start_ebml_master_crc32(). Then this buffer was actually used and after it
was closed (in end_ebml_master_crc32()), the size field corresponding to
the buffer's size was written, after which the actual data was written.

This commit changes this: Nothing is written to the main AVIOContext any
more in start_ebml_master_crc32(). end_ebml_master_crc32() now writes
both the id, the length field as well as the data. This is benefical for
streaming, because a client that receives just a Cluster ID and nothing
more might infer that this is EOF; in certain usecases there is also the
danger of a client receiving the Cluster without the actual Cluster ID
at the beginning.

Addresses #8578.

(cherry picked from commit d9c21ec)

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-03-30 07:56:38 +02:00
phunkyfish
635ca9aa01 avformat/rtp: Pass sources and block filter addresses via sdp file for rtp
Signed-off-by: Aman Gupta <aman@tmm1.net>
(cherry picked from commit b71685865f)
2020-03-27 11:00:50 -07:00
Paul B Mahol
19bfd72126 avformat/bintext: avoid division by zero
Fixes #8335

(cherry picked from commit 9d711a90fd)

Fixes ticket #8484.
2020-01-19 13:47:21 +01:00
Michael Niedermayer
747245ce0e avformat/rmdec: Initialize and sanity check offset in ivr_read_header()
Fixes: signed integer overflow: -9223372036854775808 - 17 cannot be represented in type 'long'
Fixes: 18768/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5674385247830016

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 7e665e4a81)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Andreas Rheinhardt
d39a058707 avformat/id3v2: Fix double-free on error
ff_id3v2_parse_priv_dict() uses av_dict_set() with the flags
AV_DICT_DONT_STRDUP_KEY and AV_DICT_DONT_STRDUP_VAL. In this case both
key and value are freed on error (and owned by the destination
dictionary on success), so that freeing them again on error is a
double-free and therefore forbidden. But it nevertheless happened.

Fixes CID 1452489 and 1452421.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 67d4940a77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:57 +01:00
Michael Niedermayer
3266d05538 avformat/mxfdec: Clear metadata_sets_count in mxf_read_close()
This avoids problems if the function is called twice

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 13816a1d08)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00
Michael Niedermayer
5f8e1a014f avformat/vividas: Error out on audio packets in the absence of audio streams
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d83002179f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2019-12-31 19:51:56 +01:00