The threshold of 5 is arbitrary, both smaller and larger should work fine
Fixes: Stack overflow
Fixes: 50603/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_O_fuzzer-6049302564175872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1f1a368169)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: ffmpeg.md
Fixes: Out of array access
Fixes: CVE-2022-2566
Found-by: Andy Nguyen <theflow@google.com>
Found-by: 3pvd <3pvd@google.com>
Reviewed-by: Andy Nguyen <theflow@google.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c953baa084)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -6322983228386819992 - 5557477266266529857 cannot be represented in type 'long'
Fixes: 50112/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-6329186221948928
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit bcb4690304)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: Timeout
Fixes no testcase, this is the same idea as similar attacks against XML parsers
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit f3e823c2aa)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: -1948269928 * 10 cannot be represented in type 'int'
Fixes: 49451/clusterfuzz-testcase-minimized-ffmpeg_dem_SUBVIEWER_fuzzer-6344614822412288
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
(cherry picked from commit 58a8e739ef)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
A gateway can see everything, and we should not be shipping a hardcoded
default from a third party company; it's a security risk.
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>
(cherry picked from commit 412922cc6f)
Fixes: signed integer overflow: 2147483647 + 32 cannot be represented in type 'int'
Fixes: 49014/clusterfuzz-testcase-minimized-ffmpeg_dem_ASF_fuzzer-6314973315334144
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8ed78486fc)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This function needs more cleanup and it lacks error handling
Fixes: use of uninitialized memory
Fixes: CID700776
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Fixes: signed integer overflow: 315680096256 * 134215943 cannot be represented in type 'long long'
Fixes: 48713/clusterfuzz-testcase-minimized-ffmpeg_dem_IFF_fuzzer-5886272312311808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Data does not have to be decrypted in 16-byte blocks for AES-CTR mode, so
existing buggy code can be hugely simplified.
Fixes ticket #9829.
Signed-off-by: Marton Balint <cus@passwd.hu>
Fixes memleaks when the trailer is never written or when shift_data()
fails when writing the trailer.
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
The packets given to muxers need not be writable,
so it is best to access them via const uint8_t*.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Some files I have from circa year 2000 are 16:9 NTSC DV video
encoded as QuickTime with Radius SoftDV. This marked 4:3 videos
with the box 'dvc ' for NTSC or 'dvcp' for PAL, which are already
supported, but 16:9 videos as 'dvl ' or 'dvlp', which were not.
Adding these to the list for DV codec processing gives the
expected metadata and playback.
I have not tested PAL as I have no sample data, only NTSC.
Signed-off-by: Marton Balint <cus@passwd.hu>
Fixes: signed integer overflow: 9223372036848019263 + 134232320 cannot be represented in type 'long'
Fixes: 48155/clusterfuzz-testcase-minimized-ffmpeg_dem_CINE_fuzzer-5751429207293952
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Also warn the user that for single images -update should be used, for sequences
a proper pattern should be specified.
Fixes ticket #9748.
Signed-off-by: Marton Balint <cus@passwd.hu>
In order to not generate 0 sized packets or create a huge index table
needlessly.
Fixes: Timeout
Fixes: 43717/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-5206008287330304
Fixes: 45738/clusterfuzz-testcase-minimized-ffmpeg_IO_DEMUXER_fuzzer-6142535657979904
Signed-off-by: Marton Balint <cus@passwd.hu>
Modifying avformat_find_stream_info() behaviour based on the number of EAGAINs
it encounters is a hack which usually only hides the real issue if such thing
happen.
This reverts commit b0cac7082d.
If the stream's channel layout is first set into a native layout using codec
private parameters, this code here could potentially result in an invalid
native layout where popcnt(ch_layout.u.mask) != ch_layout.nb_channels being
propagated.
Fixes: Timeout printing a billion channels
Fixes: 48099/clusterfuzz-testcase-minimized-ffmpeg_dem_MATROSKA_fuzzer-6754782204788736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
The packets muxers receive are not guaranteed to be writable,
so they must not be modified. Ergo only access the packet's data
via a const uint8_t*.
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Regression since c9de096851.
Fixes Coverity ID 1506839.
Reviewed-by: Jan Ekström <jeebjp@gmail.com>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
This leaves out RealAudio DolbyNet, which utilizes bsids 9 and 10,
It is not clear whether the interpreted bit rate value (divided by
2 or 4 depending on the variant), or the original bit rate value
should be utilized to receive the bit_rate_code index.
Signed-off-by: Jan Ekström <jan.ekstrom@24i.com>
Add the AC-3 frame type, as well as early exit from additional packet
parsing in case of AC-3, as only a single packet is required to get
the required information.
Additionally, expose ac3_bit_rate_code via the eac3_info struct as
it is required for AC3SpecificBox.
Signed-off-by: Jan Ekström <jan.ekstrom@24i.com>
This simplifies the code to no longer have #ifs in a manner which
does not require handling avpriv_ac3_parse_header returning ENOSYS.
As an existing example, the MPEG-TS muxer already requires the AC-3
parser, and in order to fix existing issues with the current AC-3
movenc code, switching to use the AC-3 parser is required, so this
is an enabling change for that.
Signed-off-by: Jan Ekström <jan.ekstrom@24i.com>
Update the still AVIF parser to only read the primary item. With this
patch, AVIF still images with exif/icc/alpha channel will no longer
fail to parse.
For example, this patch enables parsing of files in:
https://github.com/AOMediaCodec/av1-avif/tree/master/testFiles/Microsoft
Adding two fate tests:
1) demuxing of still image with 1 item - this test will pass regardless
of this patch.
2) demuxing of still image with 2 items - this test will fail without
this patch and will pass with patch applied.
Partially fixes trac ticket #7621
Signed-off-by: Vignesh Venkatasubramanian <vigneshv@google.com>
Signed-off-by: James Zern <jzern@google.com>
Add pat and pmt table at start of each segment in single_file mode enhanced
compatibility of hls stream. Because some hls clients separate parsing segment
of hls stream, the absence of pat/pmt will cause parsing to fail.
Reviewed-by: Steven Liu <liuqi05@kuaishou.com>
Signed-off-by: huheng <heng.hu.1989@gmail.com>