Commit graph

41530 commits

Author SHA1 Message Date
Michael Niedermayer
f4d75810b4 avcodec/ansi: Check nb_args for overflow
Fixes: Integer overflow (no testcase)

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bc0e776c9a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
6afbda6ce8 avcodec/diracdsp: Fix integer anomaly in dequant_subband_*
Fixes: negation of -2147483648 cannot be represented in type 'int32_t' (aka 'int'); cast to an unsigned type to negate this value to itself
Fixes: 23760/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DIRAC_fuzzer-604209011412172

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ca3c6c981a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
2fee883f52 avcodec/wmalosslessdec: Check remaining space before padding and channel residue
Fixes: Timeout (1101sec -> 0.4sec)
Fixes: 24491/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5725337036783616

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c467adf3bf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
d5e57e7496 avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth()
Fixes: -2.4187e+09 is outside the range of representable values of type 'int'
Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int'
Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384
Fixes: 23528/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b9f39689a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
df67250903 avcodec/ffwavesynth: Fix integer overflow in wavesynth_synth_sample / WS_SINE
Fixes: signed integer overflow: -1429092 * -32596 cannot be represented in type 'int'
Fixes: 24419/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5157849974702080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Nicolas George <george@nsup.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a0da95df77)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
de79966a44 avcodec/vp9dsp_template: Fix integer overflow in iadst8_1d()
Fixes: signed integer overflow: 998938090 + 1169275991 cannot be represented in type 'int'
Fixes: 23411/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-4644692330545152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d182d8f10c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
9474d161c2 avcodec/cfhd: Check transform type
Fixes: out of array access
Fixes: 24823/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4855119863349248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 659658d08b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
a4f01dfad9 avcodec/tiff: Restrict tag order based on specification
"The entries in an IFD must be sorted in ascending order by Tag. Note that this is
 not the order in which the fields are described in this document."

This way various dimensions, sample and bit sizes cannot be changed at
arbitrary times which reduces the potential for bugs.
The tag reading code also on various places assumes that numerically previous
tags have already been parsed, so this needs to be enforced one way or another.

If this commit causes problems with real world files which are not easy to fix
then some other form of checks are needed to ensure the various dependencies
in the tag reading are not violated.

Fixes: out of array access
Fixes: 24825/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6326925027704832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ad29f9e47c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
b0fd8d6b15 avcodec/tiff: Check bpp/bppcount for 0
Fixes: division by zero
Fixes: 24253/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TIFF_fuzzer-6250318007107584

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit be090da25f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
2dc9462462 avcodec/snowdec: Sanity check hcoeff
Fixes: signed integer overflow: -2147483648 * -1 cannot be represented in type 'int'
Fixes: 24011/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5486376610168832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d51d569cf6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
8636ff4bdf avcodec/alac: Check decorr_shift to avoid invalid shift
Later the decorrelate_stereo call is guarded by channels == 2
and non-zero decorr_left_weight. Make sure decorr_shift is in
the expected shift range for that case.

Fixes: shift exponent 128 is too large for 32-bit type 'int'
Fixes: 23860/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALAC_fuzzer-5751138914402304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Alexander Strasser <eclipse7@gmx.net>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4333718b35)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
bd5e97fd6b avcodec/tdsc: Fix tile checks
Fixes: out of array access
Fixes: crash.asf

Found-by: anton listov <greyfarn7@yandex.ru>
Reviewed-by: anton listov <greyfarn7@yandex.ru>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 081e3001ed)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
14a4be8fb4 avcodec/cbs_jpeg: Fix uninitialized end index in cbs_jpeg_split_fragment()
Fixes: Out of array read
Fixes: 24043/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5084566275751936.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4a10bc8f6f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
41049b0d76 avcodec/apedec: Fix undefined integer overflow with 24bit
Fixes: signed integer overflow: 8683744 * 256 cannot be represented in type 'int'
Fixes: 23527/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5679885932822528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 9f7b252cdf)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
bf0b15d76a avcodec/loco: Fix integer overflow with large values from loco_get_rice()
Fixes: signed integer overflow: 155 + 2147483647 cannot be represented in type 'int'
Fixes: 23421/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5652849097965568

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 3ddc5e1f3c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
Michael Niedermayer
34f9c735ad avcodec/pnmdec: Fix misaligned reads
Found-by: "Steinar H. Gunderson" <steinar+ffmpeg@gunderson.no>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ea28ce9bc1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2021-09-09 13:37:20 +02:00
James Almer
347bcf6054 avcodec/h264_slice: clear old slice POC values on parsing failure
If a slice header fails to parse, and the next one uses different Sequence and
Picture parameter sets, certain values may not be read if they are not coded,
resulting in the previous slice values being used.

Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit ce4a31cd1f)
2021-08-11 12:01:14 -03:00
Timo Rothenpieler
d44da66fac avcodec/cuviddec: backport extradata fixes 2020-10-01 22:09:25 +02:00
Timo Rothenpieler
7f0db52c53 avcodec/cuviddec: handle arbitrarily sized extradata 2020-09-30 14:14:30 +02:00
Andreas Rheinhardt
3df2eab778 avcodec/hevc_mp4toannexb_bsf: Check NAL size against available input
The hevc_mp4toannexb bsf does not explicitly check whether a NAL unit
is so big that it extends beyond the end of the input packet; it does so
only implicitly by using the checked version of the bytestream2 API.
But this has downsides compared to real checks: It can lead to huge
allocations (up to 2GiB) even when the input packet is just a few bytes.
And furthermore it leads to uninitialized data being output.
So add a check to error out early if it happens.

Also check directly whether there is enough data for the length field.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit ea1b71e82f)
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
2020-07-03 17:11:15 +02:00
Michael Niedermayer
850bbc0f78 avcodec/dstdec: Replace AC overread check by sample rate check
Real files do skip coding 0 bits at the end, thus this kind of check
does not work reliable.

Fixes: Ticket 8770
Fixes: dst-256fs44-6ch-refdstencoder.dff

The samplerate is specified in ISO/IEC 14496-3:2005(E) as one of 3 fixed
values, this also can be used to limit the duration and avoid the timeout

This reverts commit f6df99dba1.

(cherry picked from commit 1679f23beb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
c095e870d8 avcodec/pngdec: Check for fctl after idat
Fixes: out of array access
Fixes: 23554/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-4796622520451072.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 65b1ba680f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
55e76ddb7a avcodec/wmalosslessdec: fix overflow with pred in revert_cdlms
Fixes: signed integer overflow: 2048 + 2147483646 cannot be represented in type 'int'
Fixes: 23538/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5227567073460224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 21598d711d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
1f64119c8a avcodec/ffwavesynth: Avoid undefined operation on ts overflow
Alternatively these conditions could be treated as errors
Fixes: 23147/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5639254549200896
Fixes: signed integer overflow: 9223372036854775807 + 1 cannot be represented in type 'int64_t' (aka 'long')

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 584d334afd)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
0e5ac35745 avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()
Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int'
Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e361785ee0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
0c0c9d15ce avcodec/lossless_audiodsp: Fix undefined overflows in scalarproduct_and_madd_int16_c()
Fixes: signed integer overflow: 2142077091 + 6881070 cannot be represented in type 'int'
Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c0dfe134be)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
ba6fc75d5a avcodec/sonic: Fix several integer overflows
Fixes: signed integer overflow: 2129689466 + 2129689466 cannot be represented in type 'int'
Fixes: 20715/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5155263109922816

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 75d520e337)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
f1e0ca3709 avcodec/mpeg4videodec: avoid invalid values and reinitialize in format changes for studio profile
Fixes: out of array access
Fixes: 23327/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5134822992510976

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e53235f06c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
b02ff15402 avcodec/pixlet: Fix log(0) check
Fixes: passing zero to clz(), which is not a valid argument
Fixes: 23337/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PIXLET_fuzzer-5179131989065728

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bd0f81526d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
99d2024b18 avcodec/iff: Fix off by x error
Fixes: out of array access
Fixes: 23245/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-5723121327013888.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 51225dee0a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
c15b6bfd79 avcodec/wmalosslessdec: Check block_align maximum
Fixes: Assertion failure
Fixes: 22737/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5958388889681920

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 314d10f7a6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
24fd6136df avcodec/loco: Fix signed integer overflow in loco_get_rice()
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 22975/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LOCO_fuzzer-5658160970072064

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit aa88cdfd90)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
c5535532f8 avcodec/mpeg12dec: remove outdated comments
Found-by: Kieran
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 48de8f5816)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
86ae1ff10f avcodec/snowdec: Avoid integer overflow with huge qlog
Fixes: integer overflow
Fixes: 22285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SNOW_fuzzer-5682428762128384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 38fbf33c72)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
4fdf23df7d avcodec/mpeg12dec: Fix got_output
This makes got_output consistent with the code in slice_end() which sets the output

in slice_end()
 if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) {
     int ret = av_frame_ref(pict, s->current_picture_ptr->f);
     ...
 } else {

Fixes: assertion failure
Fixes: 22178/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG1VIDEO_fuzzer-5664234440753152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4f33a9803a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
c3eaff820a avcodec/lzf: Consider the needed size in reallocation
Fixes: NULL pointer dereference
Fixes: 22381/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_NOTCHLC_fuzzer-5659879921680384.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 292b9b93a5)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
dd6147888c avcodec/adpcm: XA: Check shift similar to filter
Fixes: negative shift
Fixes: 22499/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XA_fuzzer-5765452130418688

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6d96bae9c4)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
8935ae4395 avcodec/huffyuvdec: Test vertical coordinate more often
Fixes: out of array access
Fixes: 22892/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5135996772679680.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a1223ddc56)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
011c9cfab1 avcodec/hq_hqa: Check info size
Fixes: assertion failure
Fixes: 21079/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HQ_HQA_fuzzer-5737046523248640

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cf28521fee)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
9ff5fd6537 avcodec/wmalosslessdec: Fix integer overflow in mclms_predict()
Fixes: signed integer overflow: 2147483636 + 2048 cannot be represented in type 'int'
Fixes: 22016/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5109395618004992

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c42ed06695)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
1ba97da44b avcodec/vp9dsp_template: Fix integer overflow(s) in iadst16_1d()
Fixes: signed integer overflow: 1080285923 - -1130879337 cannot be represented in type 'int'
Fixes: 22002/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VP9_fuzzer-6260237310099456

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 071e293723)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
6be68e6994 avcodec/h264dec: Disable forced small_padding on flag2 fast
Fixes: 20978/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5746381832847360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
d1eb5516bb avcodec/pnmdec: Use unsigned for maxval rescaling
Fixes: signed integer overflow: 65535 * 55335 cannot be represented in type 'int'
Fixes: 21955/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5669206981083136

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 49459aca47)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
dad19158aa avcodec/ivi: Clear got_p_frame before decoding a new frame using it
Fixes: assertion failure
Fixes: 21666/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-5706468994318336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1d633e6a0a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
e7262c1f19 avcodec/dsddec: Check channels
Fixes: division by zero
Fixes: 21677/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_MSBF_fuzzer-5712547983654912
Fixes: 21751/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DSD_LSBF_fuzzer-5197097180856320

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2570a8777e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
05e2de8291 avcodec/xvididct: Fix integer overflow in idct_row()
Fixes: signed integer overflow: -1238335488 + -1003634688 cannot be represented in type 'int'
Fixes: 21649/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MJPEG_fuzzer-5112005765890048

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 620236e4d2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
296d4bf22e avcodec/wmalosslessdec: Fix integer overflows in revert_inter_ch_decorr()
Fixes: signed integer overflow: -717241856 + -1434459904 cannot be represented in type 'int'
Fixes: 21405/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5677143666458624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e9a4c4fe99)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
02656f5570 avcodec/cbs_jpeg: Fix infinite loop in cbs_jpeg_split_fragment()
Fixes: Timeout
Fixes: 21104/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5129580475318272

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit a3dc67c984)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Michael Niedermayer
6f582f69df avcodec/cbs_h265_syntax_template: Limit num_long_term_pics more strictly
The limit is based on hevcdec.c
Fixes: 20854/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-5160442882424832
Fixes: out of array access

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 435fa373d1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00
Vitaly Buka
13adaa31a9 mpeg4videoenc: Don't crash with -fsanitize=bounds
Also the patch makes this code consistent with mpeg4videodec.c

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f163d30de2)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2020-07-03 12:10:24 +02:00